Darren Kitchen

Root Admin
Everything posted by Darren Kitchen

  1. Richard — In the past, we only offered DHL as an option for International orders. They're very fast, however they do not handle duties for our customer. That becomes their responsibility at time of border crossing. Because of this, we have implemented another shipping option for our International customers — Passport. They collect duties up front. It's a pretty smooth service, however it isn't as fast as DHL. They aren't a traditional carrier in their own right, rather a brokerage service that acts on your behalf for customs clearance. On the backend, packages are sent via UPU.

     If you aren't familiar with the Universal Postal Union (UPU), it's a global postal network that facilitates international mail services. It works closely with the United Nations, and coordinates with each member country's postal service. As an example, when a package is shipped via UPU from the United States to the United Kingdom — it originates its journey with the United States Postal Service (USPS). Once it crosses the border and clears customs (something Passport facilitates for you) it will be handed over to the Royal Mail. Because multiple agencies are involved, tracking may take some time to update — and it won't be as fast as the DHL option that doesn't include customs brokerage. It's a tradeoff, but after having offered it for several years we've found it to be a reliable, economical choice, albeit slower.

     As the face of, and lead hacker behind Hak5, I have put a tremendous amount of effort into implementing systems that will ensure a smooth customer experience. Everything from customs brokerage to shipping services to package insurance to fraud mitigation to the support agents who are empowered to see that you have a successful and satisfactory transaction. It's my personal goal to make sure that when you order from us, it's a seamless experience. We have a process in place to deal with every potential edge case when an inevitable snafu does arrive, should you reach out.

     I've checked our support ticket system for any email from your r*@c*.com email address, however none have been found. We typically address tickets in 1-2 business days, so I advise contacting us at https://hak5.org/contact or visiting https://support.hak5.org if you still need assistance. We'd be happy to help.

     Best, Darren
  2. I was unable to find a support ticket with the email address you have listed on your forums account. Perhaps it went to our older system? Please keep a lookout for an email from us with RMA details for your WiFi Pineapple exhibiting the malfunctioning EMMC behavior. It will be coming from support@hak5.customerdesk.io
  3. Apple keeps changing the behavior in macOS. I can verify that this is working as expected on my Catalina mac, but agree it's also failing on my Monterey mac. I haven't tested Big Sur or Ventura. Thankfully the detection is all done in DuckyScript and extensions are versioned for this very reason, so we'll just need to test and update the extension. I wish it weren't such a moving target — but I'm glad we made the architectural choices to not hardcode values or bake detection into the firmware, which means we have a ton of flexibility to adapt as the environment changes. There are at least two potential vectors for macOS detection that I can think of off the top of my head which could be added to the extension: lack of scroll lock state reply (doesn't exist on mac) or brief press vs hold of capslock (macOS requires ~100ms "hold" of capslock to enable, whereas every other system treats it the same as any ordinary key).
  4. Which version of macOS is being detected as Linux?
  5. Official answer: Use a MicroSD card — not a Micro SDHC, SDXC or SDUC card. That means 2 GB and under.

     Unofficial (I'm a hacker) answer: As long as the file system is FAT (FAT/VFAT or FAT32) as opposed to other common formats like exFAT, NTFS, EXT4, etc — it should work, albeit with a potential performance hit*.

     *The larger the partition (and the more files/directories) the longer it will take to be read — both from the perspective of the USB Rubber Ducky itself (reading inject.bin, seed.bin or writing loot.bin) but also to the target, enumerating the USB "Flash Disk" when using the command ATTACKMODE STORAGE.

     As an example, I've formatted a 200 GB SanDisk Ultra MicroSDXC card with the FAT32 file system and loaded it with a very simple "Hello World" payload:

         ATTACKMODE HID STORAGE
         DELAY 1000
         STRING Hello, World!

     And it injected the keystrokes within a second of attaching it to the target — however the target (a Windows 10 PC in this case) took over a minute to recognize the USB drive in Explorer.
  6. It's telling that a quick Google search for "Android keyboard shortcuts" yields a 12 year old CNET article as the first result... https://www.google.com/search?q=android+keyboard+shortcuts I recall at some point in my security research rabbit hole finding an official source, but a quick look is coming up short. As is the fragmented Android ecosystem. I'd link to the common articles that spell out the keyboard shortcuts various people "have found" — but you'll see them from the link above. If anyone comes across a more official list, I'd be keen to see them as well.
  7. I just tested the following on my Samsung Z Fold2 and a Google Pixel 5. Worked on both.

         ATTACKMODE HID STORAGE
         WAIT_FOR_BUTTON_PRESS
         GUI b
         DELAY 700
         CTRL l
         DELAY 700
         STRINGLN hak5.org

     inject.bin attached.
  8. DuckyScript 3.0 for the new USB Rubber Ducky can be encoded in Payload Studio — both Community and Pro editions — right in your browser. The compiler and all payload editing is done client-side, locally. We never see your work. You can download an offline copy of the IDE from your browser. Keep in mind that the offline version you download will be frozen in time, whereas the online version will be continuously updated as we add features and fixes over time. You can see the version number in the bottom left corner of the page.
  9. Thank you all for the incredible feedback on the Key Croc – especially the 1.3 beta. We knew in development that we were on to something game changing, so to hear the enthusiasm from you all directly is truly rewarding. The amount of creativity shown in such a short period of time since initial release is encouraging. We hope that with this Key Croc firmware 1.3 we can further that creativity. As always we welcome your feedback here on the forums and of course on our Discord channel. Thanks for your support and happy hacking!

     Huge thanks to our team – @Korben for his work on this firmware with the support of @Foxtrot and everyone including 0xdade for feature inspiration.

     Changelog:

     General
       • (optional) Password Protected Arming Mode built into framework/parser
       • ARMING_PASS and (optional) ARMING_TIMEOUT can be defined in config.txt (Credits: 0xdade)
       • Fix croc being shutdown by host machine going to sleep
       • C2 notifications added to relevant event handlers
       • iProduct can now be defined with PROD_ when calling ATTACKMODE, and defined in config.txt as PROD
       • iManufacturer can be defined in config.txt as MAN
       • Croc now waits for keyboard to enter ATTACKMODE HID
       • Increase output log write speeds
       • Fixed $LOOT
       • ATTACKMODE now automatically populates /tmp/vid /tmp/pid /tmp/man /tmp/prod along with /tmp/mode
       • Fixed payload validation at boot and added payload validation to RELOAD_PAYLOADS

     Payloads / Tools
       • Add SAVEKEYS [path] UNTIL [regex] syntax support to payloads (Credits: 0xdade)
       • SAVEKEYS NEXT/UNTIL now also produce .filtered logs handling backspaces and removing control characters/modifiers.
       • Ported GET extension script from Bash Bunny
       • Added GET_VARS script giving your payload access to the following live data: VID PID MAN PROD HOST_IP TARGET_IP TARGET_HOSTNAME
       • Added the following helper scripts: QUACKFILE (alias QFILE) ENABLE_PAYLOAD DISABLE PAYLOAD WAIT_FOR_KEYBOARD_ACTIVITY WAIT_FOR_KEYBOARD_INACTIVITY WAIT_FOR_LOOT
       • Framework functions exported: MOUNT_UDISK UNMOUNT_UDISK UPDATE_LANGUAGES ENABLE_WIFI ENABLE_INTERFACE START_WLAN_DHCP CLEAR_WIFI_CONFIG CONFIG_PSK_WIFI CONFIG_OPEN_WIFI ENABLE_SSH DISABLE_SSH
       • Added the following scripts: WAIT_FOR_ARMING_MODE WAIT_FOR_BUTTON_PRESS ARMING_MODE GET_HELPERS

     Misc
       • Added get_payloads.html to udisk
       • Fixed language file consistency, example: CONTROL/CTRL
       • Moved examples into library/examples
       • Debug logs moved to /root/loot so they will be automatically moved to udisk for easier debugging access
       • DEBUG ON in config.txt now enables parser and framework debug logs at boot

     Download from https://downloads.hak5.org/croc
     Documentation from https://docs.hak5.org/
     Flashing Instructions from https://docs.hak5.org/hc/en-us/articles/360048015333-Updating-the-Key-Croc
  10. Out of curiosity, what was the issue you had with Finder on your Mac?
  11. Key Croc

      A keylogger armed with pentest tools, remote access and payloads that trigger multi-vector attacks when chosen keywords are typed. Find the manual, or full user documentation for the Key Croc including getting started, software updates, payload development and tips from the Hak5 Documentation Center at: https://docs.hak5.org/hc/en-us/categories/360003797793-Key-Croc
  12. No, unfortunately doing so will overwrite the bootloader thus rendering the device incapable of software-based recovery. In this case your best course of action is to contact support to inquire about an express replacement for accidental damage. https://shop.hak5.org/pages/support
  13. The Shark Jack features a firmware recovery option which allows the user to restore the device's firmware image. This procedure is performed via a special web interface. Download the latest firmware image for your Shark Jack from the Hak5 Download Center.

      It is extremely important that you follow the directions precisely as it pertains to powering the device and image selection from the web recovery interface. The video is provided as a reference however does not replace carefully reading the instructions listed below.

      Follow these steps to access the recovery web interface and update the firmware.

        • With the switch in the OFF position, plug in a suitable USB power source and fully charge the Shark Jack. The LED will blink blue while charging, and solid blue when fully charged. If no LED activity is present, leave the Shark Jack connected to the power source for 10 minutes.
        • Unplug the Shark Jack completely from the USB power source.
        • Prepare to press the Shark Jack reset button located on the bottom of the device next to the regulatory label. Using a paperclip, SIM card removal tool or similar instrument practice pressing the button. With the Shark Jack unplugged and with its switch in the off position, carefully insert the instrument and directly downward until you feel resistance. Gently press the button. You should feel a click.
        • With the instrument at the ready, flip the switch into the arming (middle) position and immediately after press and hold the reset button for 7 seconds.
        • Connect a USB power source to the Shark Jack.
        • Connect the Shark Jack to your host PC Ethernet interface. After a moment the Shark Jack LED will indicate solid green with intermittent activity flashes.
        • Set a static IP address for the host PC Ethernet interface connected to the Shark Jack as follows:
            IP Address: 192.168.1.2
            Netmask: 255.255.255.0
        • From the host PC, browse to http://192.168.1.1
        • A Shark Jack Recovery interface with a red banner will appear. Click to the Recovery tab, then click Browse Firmware, select the Shark Jack firmware downloaded from the Hak5 Download Center, then click Start Upload File.
        • If your Shark Jack web interface shows a blue banner reading Web Failsafe Recovery, click the OS tab, then click browse, select the Shark Jack firmware downloaded previously, then click Start Upload File. If your Shark Jack features the blue bannered Web Failsafe Recovery interface, it is extremely important that you select the OS tab and not the Firmware tab or any other tab as doing so will render the device inoperable.
        • This process will take several minutes. Do not interrupt the power supply while the firmware is updating. Once complete, the Shark Jack will restart as indicated by a green blinking LED.
        • At this point, disable the static IP address on the host PC Ethernet interface connected to the Shark Jack and reset it to receive an IP address automatically via DHCP.
  14. I use a Digital Ocean "droplet" (VPS) with 512 MB RAM and 20 GB disk. I hardly tax the thing.
  15. @Topknot thanks for detailing the process you followed to upgrade - however I want to advise against this method as it will not be supported. We cannot guarantee that the firmware file will always fit in the root file system in /root/, and the sysupgrade function may not always be present in the framework. If you wish to manually upgrade the Shark Jack, as opposed to the guided method using the sharkjack.sh helper available from https://downloads.hak5.org I advise you to please follow the instructions listed at https://docs.hak5.org/hc/en-us/articles/360038189894-Manual-Upgrade
  16. Thanks for the report. We are looking into this now. This is related to Hak5 infrastructure as it pertains to adding packages not already in the mainline OpenWRT feeds end and will not impact your ability to install standard packages.
  17. @Geeksystem here's the article on manual flashing as promised: https://docs.hak5.org/hc/en-us/articles/360038189894-Manual-Upgrade
  18. I'm using the USB Ethernet adapter from https://shop.hak5.org/collections/accessories/products/combo-ethernet-adapter-and-retractable-cable (which is included in the Shark Jack Combo Kit) - but any regular USB Ethernet adapter will work.

      I'll post a manual upgrade guide to https://docs.hak5.org but essentially the process is similar to that of the Packet Squirrel or WiFi Pineapple where you download the latest firmware from downloads.hak5.org, copy the file to /tmp/ on your device via SCP, then SSH into the device, verify its SHA256 sum, then issue

          sysupgrade -n /tmp/upgrade.bin

      The IMPORTANT bit to keep in mind with the Shark Jack is that it should be plugged into USB power during the flashing process, as an interruption in power will result in a bricked device.
  19. Everything from unboxing your Shark Jack to connecting in arming mode, exfiltrating loot, changing out payloads, upgrading the firmware, checking out the new web interface and even connecting it to Cloud C2.

      VIDEO CHAPTERS:
        • 0:58 - Unboxing
        • 4:22 - Attacking with the default payload
        • 7:08 - Connecting in arming mode
        • 10:40 - Navigating the file system
        • 12:34 - Exfiltrating loot to our local host
        • 14:13 - The sharkjack.sh helper script
        • 17:16 - Upgrading the firmware
        • 19:26 - The new arming mode web interface
        • 20:30 - Loading new payloads
        • 25:19 - Setting up Cloud C2
  20. @monsieurmarc you'll find serial pads on the bottom of the board along the side opposite the USB ports. I believe they're labeled and you need only connect RX, TX and Ground.

        • Baud Rate: 115200
        • Parity: 8N1
        • Hardware Flow Control: No
        • Software Flow Control: No

      On boot you'll be prompted "Hit any key to stop autobooting". Pressing any key will drop you to a uboot> prompt. The help command shows all that's available. It supports tftpboot, but I can't say I've ever flashed it directly via serial.

          Hit any key to stop autobooting: 0
          uboot> help
          ? - alias for 'help'
          bootm - bootm - boot application image from memory
          cp - memory copy
          dhcp - invoke DHCP client to obtain IP/boot params
          echo - echo args to console
          erase - erase FLASH memory
          exit - exit script
          go - start application at address 'addr'
          help - print embedded help
          httpd - start www server for firmware recovery
          iminfo - iminfo - print header information for application image
          itest - return true/false on integer compare
          md - memory display
          mm - memory modify (auto-incrementing)
          mtest - RAM test
          mw - memory write (fill)
          nm - memory modify (constant address)
          ping - send ICMP ECHO_REQUEST to network host
          printenv - print environment variables
          printmac - print MAC addresses stored in FLASH
          reset - perform RESET of the CPU
          run - run commands in an environment variable
          saveenv - save environment variables to FLASH
          setenv - set environment variables
          setmac - save new MAC address in FLASH
          startnc - start net console
          startsc - start serial console
          test - minimal test like /bin/sh
          tftpboot - boot image via network using TFTP protocol
          version - print U-Boot version
          uboot>

      There's also a failsafe section later on in the boot process that'll drop you into a busybox shell if you press f then enter.

          Press the [f] key and hit [enter] to enter failsafe mode
          Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
          f
          - failsafe -
          /etc/preinit: line 6: dropbearkey: not found
          /etc/preinit: line 7: dropbear: not found

          BusyBox v1.30.1 () built-in shell (ash)
          ash: can't access tty; job control turned off
          .___.
          {o,o}
          /)__)      Hak5 Signal Owl
           " "       Version XVERSIONX
          =======================================
           Built on OpenWRT 19.07
          =======================================
          .___.
          {o,o}
          /)__)      Hak5 Signal Owl
           " "       Version XVERSIONX (Failsafe)
          =======================================
           Built on OpenWRT 19.07
          =======================================
          root@(none):/#

      From here you have all the usual suspects - iwconfig, scp, sysupgrade - which in concert should get you going.

      Obviously the warranty is void when you crack the case, but seeing as it's bricked anyway you've really got nothing to lose. My condolences on your loss - and best of luck should you take on the adventure. There's also an express replacement service that covers accidental damage and other out-of-warranty claims for a small one-time incident fee. More info at the bottom of https://shop.hak5.org/pages/support
  21. No, unfortunately there is not a firmware recovery option if the power is lost while flashing.
  22. Yep - that's for real. We'll have a site detailing all of our official global distributors shortly - we just have a few more partners coming online now.
  23. Holding the button for 7 seconds will reset the password and network configuration to defaults.
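
The manual upgrade post above lists "verify its SHA256 sum" as the step before `sysupgrade -n /tmp/upgrade.bin`. The following is an added example, not Hak5 code and not part of the original posts, showing one way to make that check a hard gate on the device so a truncated or altered image is never flashed. The function names and the `FLASH_CMD` override are assumptions, and the expected digest is a placeholder to be copied from the download page.

```shell
#!/bin/sh
# Added example (not Hak5 code): refuse to flash unless the image matches
# the SHA256 published for it. Run on the device after copying the image.

# Print the lowercase SHA256 digest of file $1; fail if it is missing.
sha256_of() {
    [ -f "$1" ] || return 2
    sha256sum "$1" | awk '{ print tolower($1) }'
}

# verify_firmware IMAGE EXPECTED
# 0 = match, 1 = mismatch, 2 = image missing, 3 = malformed expected digest
verify_firmware() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in
        ""|*[!0-9a-f]*) return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 3
    actual=$(sha256_of "$1") || return 2
    [ "$actual" = "$expected" ]
}

# flash_verified IMAGE EXPECTED
# FLASH_CMD is a hypothetical override for dry runs (e.g. FLASH_CMD=echo).
flash_verified() {
    if verify_firmware "$1" "$2"; then
        echo "SHA256 matches, flashing $1 (keep USB power connected)"
        ${FLASH_CMD:-sysupgrade -n} "$1"
    else
        rc=$?
        case "$rc" in
            1) echo "SHA256 mismatch for $1, not flashing" >&2 ;;
            2) echo "image $1 not found" >&2 ;;
            3) echo "expected digest is not 64 hex characters" >&2 ;;
        esac
        return "$rc"
    fi
}

# Usage on the device, with the digest copied from the download page:
#   flash_verified /tmp/upgrade.bin <SHA256-from-downloads.hak5.org>
```

A mismatch usually means an incomplete SCP transfer or a wrong file; copy the image again and re-check rather than flashing.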