Darren Kitchen
Root Admin
Posts: 4,887 · Days Won: 248

Posts posted by Darren Kitchen

  1. Richard —

    In the past, we only offered DHL as an option for International orders. They're very fast, however they do not handle duties for our customer. That becomes their responsibility at time of border crossing.

    Because of this, we have implemented another shipping option for our International customers — Passport. They collect duties up front. It's a pretty smooth service, however it isn't as fast as DHL. They aren't a traditional carrier in their own right, rather a brokerage service that acts on your behalf for customs clearance. On the backend, packages are sent via UPU.

    If you aren't familiar with the Universal Postal Union (UPU), it is a global postal network that facilitates international mail services. It works closely with the United Nations, and coordinates with each member country's postal service. As an example, when a package is shipped via UPU from the United States to the United Kingdom — it originates its journey with the United States Postal Service (USPS). Once it crosses the border and clears customs (something Passport facilitates for you) it will be handed over to the Royal Mail.

    Because multiple agencies are involved, tracking may take some time to update — and it won't be as fast as the DHL option that doesn't include customs brokerage. It's a tradeoff, but after having offered it for several years we've found it to be a reliable, economical choice, albeit slower.

    As the face of, and lead hacker behind Hak5, I have put a tremendous amount of effort into implementing systems that will ensure a smooth customer experience. Everything from customs brokerage to shipping services to package insurance to fraud mitigation to the support agents who are empowered to see that you have a successful and satisfactory transaction. It's my personal goal to make sure that when you order from us, it's a seamless experience. We have a process in place to deal with every potential edge case when an inevitable snafu does arrive, should you reach out.

    I've checked our support ticket system for any email from your r*@c*.com email address, however none have been found. We typically address tickets in 1-2 business days, so I advise contacting us at https://hak5.org/contact or visiting https://support.hak5.org if you still need assistance. We'd be happy to help.

    Best,
    Darren

  2. On 10/18/2022 at 7:29 AM, xinjia said:

    I contacted the support months ago and they responded with a succinct "use the recovery firmware" a month late. This isn't a solution. So support people either don't know there's a problem with their products or they ignore it to prevent RMAs.

    As you will understand, it is a very expensive product to have such horrible support and from what I see on reddit and in this same forum I'm not the only one who suffers from it. So I'll ask what I see necessary.

    With this situation I don't plan to buy anything else from Hak5.

    I was unable to find a support ticket with the email address you have listed on your forums account. Perhaps it went to our older system? Please keep a lookout for an email from us with RMA details for your WiFi Pineapple exhibiting the malfunctioning EMMC behavior. It will be coming from support@hak5.customerdesk.io.

  3. Apple keeps changing the behavior in macOS. I can verify that this is working as expected on my Catalina Mac, but agree it's also failing on my Monterey Mac. I haven't tested Big Sur or Ventura.

    Thankfully the detection is all done in DuckyScript and extensions are versioned for this very reason, so we'll just need to test and update the extension. I wish it weren't such a moving target — but I'm glad we made the architectural choices to not hardcode values or bake detection into the firmware, which means we have a ton of flexibility to adapt as the environment changes.

    There are at least two potential vectors for macOS detection that I can think of off the top of my head which could be added to the extension: lack of scroll lock state reply (doesn't exist on Mac) or brief press vs hold of caps lock (macOS requires a ~100ms "hold" of caps lock to enable it, whereas every other system treats it the same as any ordinary key).

  4. Official answer:

    Use a MicroSD card — not a Micro SDHC, SDXC or SDUC card. That means 2 GB and under.

    Unofficial (I'm a hacker) answer:

    As long as the file system is FAT (FAT/VFAT or FAT32) as opposed to other common formats like exFAT, NTFS, EXT4, etc. — it should work, albeit with a potential performance hit*.

    *The larger the partition (and the more files/directories) the longer it will take to be read — both from the perspective of the USB Rubber Ducky itself (reading inject.bin, seed.bin or writing loot.bin) but also to the target, enumerating the USB "Flash Disk" when using the command ATTACKMODE STORAGE.

    As an example, I've formatted a 200 GB SanDisk Ultra MicroSDXC card with the FAT32 file system and loaded it with a very simple "Hello World" payload:

    ATTACKMODE HID STORAGE
    DELAY 1000
    STRING Hello, World!

    And it injected the keystrokes within a second of attaching it to the target — however the target (a Windows 10 PC in this case) took over a minute to recognize the USB drive in Explorer.

    • Like 4
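    An added example (not from the original post) that applies the rule the post relies on: it classifies a volume boot sector by cluster count, the way the FAT specification distinguishes FAT12/16/32, and flags exFAT or NTFS volumes that a FAT-only reader like the Ducky will not mount. The sample boot sectors are constructed inline, including one shaped like the 200 GB card formatted FAT32 described above.

```python
import struct

# BPB (BIOS Parameter Block) fields from offset 0x0B to 0x23, per Microsoft's FAT spec.
BPB_FMT = "<HBHBHHBHHHII"


def fat_type(sector: bytes) -> str:
    """Classify a 512-byte volume boot sector as FAT12/FAT16/FAT32/exFAT/NTFS/unknown.

    FAT variants are decided by cluster count (the spec's rule), not by the
    OEM or file-system-type strings, which formatters may leave wrong."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        return "unknown"                      # no boot signature: ext4 and friends
    oem = sector[3:11]
    if oem == b"EXFAT   " and not any(sector[0x0B:0x40]):
        return "exFAT"                        # exFAT zeroes the whole legacy BPB area
    if oem == b"NTFS    ":
        return "NTFS"
    (bytes_per_sec, sec_per_clus, reserved, nfats, root_entries, tot16,
     _media, fatsz16, _spt, _heads, _hidden, tot32) = struct.unpack_from(BPB_FMT, sector, 0x0B)
    fatsz32 = struct.unpack_from("<I", sector, 0x24)[0]
    if not bytes_per_sec or not sec_per_clus or not nfats:
        return "unknown"
    total = tot16 or tot32
    fat_sectors = fatsz16 or fatsz32
    root_dir_sectors = (root_entries * 32 + bytes_per_sec - 1) // bytes_per_sec
    data_sectors = total - (reserved + nfats * fat_sectors + root_dir_sectors)
    if data_sectors <= 0:
        return "unknown"
    clusters = data_sectors // sec_per_clus
    if clusters < 4085:
        return "FAT12"
    if clusters < 65525:
        return "FAT16"
    return "FAT32"


def ducky_will_read(sector: bytes) -> bool:
    """True when the volume is one of the FAT variants the USB Rubber Ducky reads."""
    return fat_type(sector) in ("FAT12", "FAT16", "FAT32")


def build_fat_bpb(total_sectors, sec_per_clus, fat_sectors, root_entries=0, reserved=32, nfats=2):
    """Constructed boot sector for testing. FAT32 volumes carry root_entries=0 and put
    the FAT size in the 32-bit field at 0x24; FAT12/16 use the 16-bit fields."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x58\x90"
    s[3:11] = b"MSWIN4.1"
    small = total_sectors < 0x10000
    struct.pack_into(BPB_FMT, s, 0x0B, 512, sec_per_clus, reserved, nfats, root_entries,
                     total_sectors if small else 0, 0xF8,
                     fat_sectors if root_entries else 0, 63, 255, 0,
                     0 if small else total_sectors)
    if not root_entries:                      # FAT32 layout
        struct.pack_into("<I", s, 0x24, fat_sectors)
    s[510:512] = b"\x55\xAA"
    return bytes(s)


# Constructed samples: a 200 GB card formatted FAT32 with 32 KB clusters (works, slowly),
# a 2 GB FAT16 card, and an exFAT card (the factory default for SDXC) the Ducky cannot read.
CARD_200GB_FAT32 = build_fat_bpb(390_625_000, 64, 47_700)
CARD_2GB_FAT16 = build_fat_bpb(3_906_250, 64, 240, root_entries=512, reserved=4)
_exfat = bytearray(512)
_exfat[3:11], _exfat[510:512] = b"EXFAT   ", b"\x55\xAA"
CARD_EXFAT = bytes(_exfat)

if __name__ == "__main__":
    for name, card in [("200 GB FAT32", CARD_200GB_FAT32), ("2 GB FAT16", CARD_2GB_FAT16), ("exFAT", CARD_EXFAT)]:
        print(f"{name}: {fat_type(card)} -> Ducky reads it: {ducky_will_read(card)}")
```

    To check a real card, read its first 512 bytes (the partition's boot sector, not the MBR) and pass them to fat_type.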
  5. DuckyScript 3.0 for the new USB Rubber Ducky can be encoded in Payload Studio — both Community and Pro editions — right in your browser. The compiler and all payload editing is done client-side, locally. We never see your work. You can download an offline copy of the IDE from your browser.

    Keep in mind that the offline version you download will be frozen in time, whereas the online version will be continuously updated as we add features and fixes over time. You can see the version number in the bottom left corner of the page.

    • Like 2
    • Upvote 3
  6. Thank you all for the incredible feedback on the Key Croc – especially the 1.3 beta. We knew in development that we were on to something game changing, so to hear the enthusiasm from you all directly is truly rewarding. The amount of creativity shown in such a short period of time since initial release is encouraging.

    We hope that with this Key Croc firmware 1.3 we can further that creativity. As always we welcome your feedback here on the forums and of course on our Discord channel.

    Thanks for your support and happy hacking!

    Huge thanks to our team – @Korben for his work on this firmware with the support of @Foxtrot and everyone including 0xdade for feature inspiration.

    Changelog:

    • General
      • (optional) Password Protected Arming Mode built into framework/parser
        • ARMING_PASS and (optional) ARMING_TIMEOUT can be defined in config.txt (Credits: 0xdade)
      • Fix croc being shutdown by host machine going to sleep
      • C2 notifications added to relevant event handlers
      • iProduct can now be defined with PROD_ when calling ATTACKMODE, and defined in config.txt as PROD
      • iManufacturer can be defined in config.txt as MAN
      • Croc now waits for keyboard to enter ATTACKMODE HID
      • Increase output log write speeds
      • Fixed $LOOT
      • ATTACKMODE now automatically populates /tmp/vid /tmp/pid /tmp/man /tmp/prod along with /tmp/mode
      • Fixed payload validation at boot and added payload validation to RELOAD_PAYLOADS

    • Payloads / Tools
      • Add SAVEKEYS [path] UNTIL [regex] syntax support to payloads (Credits: 0xdade)
      • SAVEKEYS NEXT/UNTIL now also produce .filtered logs handling backspaces and removing control characters/modifiers.
      • Ported GET extension script from Bash Bunny
      • Added GET_VARS script giving your payload access to the following live data
        • VID
        • PID
        • MAN
        • PROD
        • HOST_IP
        • TARGET_IP
        • TARGET_HOSTNAME
      • Added the following helper scripts
        • QUACKFILE (alias QFILE)
        • ENABLE_PAYLOAD
        • DISABLE PAYLOAD
        • WAIT_FOR_KEYBOARD_ACTIVITY
        • WAIT_FOR_KEYBOARD_INACTIVITY
        • WAIT_FOR_LOOT
      • Framework functions exported
        • MOUNT_UDISK
        • UNMOUNT_UDISK
        • UPDATE_LANGUAGES
        • ENABLE_WIFI
        • ENABLE_INTERFACE
        • START_WLAN_DHCP
        • CLEAR_WIFI_CONFIG
        • CONFIG_PSK_WIFI
        • CONFIG_OPEN_WIFI
        • ENABLE_SSH
        • DISABLE_SSH
      • Added the following scripts
        • WAIT_FOR_ARMING_MODE
        • WAIT_FOR_BUTTON_PRESS
        • ARMING_MODE
        • GET_HELPERS

    • Misc
      • Added get_payloads.html to udisk
      • Fixed language file consistency, example: CONTROL/CTRL
      • Moved examples into library/examples
      • Debug logs moved to /root/loot so they will be automatically moved to udisk for easier debugging access
      • DEBUG ON in config.txt now enables parser and framework debug logs at boot

    Download from https://downloads.hak5.org/croc

    Documentation from https://docs.hak5.org/

    Flashing Instructions from https://docs.hak5.org/hc/en-us/articles/360048015333-Updating-the-Key-Croc

    • Like 1
  7. On 12/9/2019 at 4:08 PM, Francis Daigneault said:

    Is there a way to recover in case I did not RTFM correctly and use the Firmware TAB instead of OS ?

    No, unfortunately doing so will overwrite the bootloader thus rendering the device incapable of software-based recovery.

    In this case your best course of action is to contact support to inquire about an express replacement for accidental damage.

    https://shop.hak5.org/pages/support

  8. The Shark Jack features a firmware recovery option which allows the user to restore the device's firmware image. This procedure is performed via a special web interface.

    Download the latest firmware image for your Shark Jack from the Hak5 Download Center.

    It is extremely important that you follow the directions precisely as it pertains to powering the device and image selection from the web recovery interface. The video is provided as a reference however does not replace carefully reading the instructions listed below.

    Follow these steps to access the recovery web interface and update the firmware.

    • With the switch in the OFF position, plug in a suitable USB power source and fully charge the Shark Jack. The LED will blink blue while charging, and solid blue when fully charged. If no LED activity is present, leave the Shark Jack connected to the power source for 10 minutes.
    • Unplug the Shark Jack completely from the USB power source
    • Prepare to press the Shark Jack reset button located on the bottom of the device next to the regulatory label. Using a paperclip, SIM card removal tool or similar instrument, practice pressing the button. With the Shark Jack unplugged and with its switch in the off position, carefully insert the instrument directly downward until you feel resistance. Gently press the button. You should feel a click.
    • With the instrument at the ready, flip the switch into the arming (middle) position and immediately after press and hold the reset button for 7 seconds.
    • Connect a USB power source to the Shark Jack
    • Connect the Shark Jack to your host PC Ethernet interface. After a moment the Shark Jack LED will indicate solid green with intermittent activity flashes.
    • Set a static IP address for the host PC Ethernet interface connected to the Shark Jack as follows:
      • IP Address: 192.168.1.2
      • Netmask: 255.255.255.0
    • From the host PC, browse to http://192.168.1.1
    • A Shark Jack Recovery interface with a red banner will appear. Click to the Recovery tab, then click Browse Firmware, select the Shark Jack firmware downloaded from the Hak5 Download Center, then click Start Upload File.
      • If your Shark Jack web interface shows a blue banner reading Web Failsafe Recovery, click the OS tab, then click browse, select the Shark Jack firmware downloaded previously, then click Start Upload File. If your Shark Jack features the blue bannered Web Failsafe Recovery interface, it is extremely important that you select the OS tab and not the Firmware tab or any other tab as doing so will render the device inoperable.
    • This process will take several minutes. Do not interrupt the power supply while the firmware is updating. Once complete, the Shark Jack will restart as indicated by a green blinking LED. At this point, disable the static IP address on the host PC Ethernet interface connected to the Shark Jack and reset it to receive an IP address automatically via DHCP.
    • Upvote 1
  9. 27 minutes ago, Milhouz said:

    Just because I've been digging for this info for a bit as I just ordered a Shark Jack. If I want to setup a Cloud C2 instance what are the recommended specs for that system if it's going onto a VPS?

    I use a Digital Ocean "droplet" (VPS) with 512 MB RAM and 20 GB disk. I hardly tax the thing.
  10. @Topknot thanks for detailing the process you followed to upgrade - however I want to advise against this method as it will not be supported. We cannot guarantee that the firmware file will always fit in the root file system in /root/, and the sysupgrade function may not always be present in the framework.

    If you wish to manually upgrade the Shark Jack, as opposed to the guided method using the sharkjack.sh helper available from https://downloads.hak5.org I advise you to please follow the instructions listed at https://docs.hak5.org/hc/en-us/articles/360038189894-Manual-Upgrade

    • Upvote 2
  11. Thanks for the report. We are looking into this now. This is related to Hak5 infrastructure as it pertains to adding packages not already in the mainline OpenWRT feeds, and will not impact your ability to install standard packages.

    • Like 1
  12. On 11/9/2019 at 5:49 AM, Cyo59 said:

    @Darren Kitchen hey, what did you use to get your Ethernet and Shark Jack on the same laptop?

    I'm using the USB Ethernet adapter from https://shop.hak5.org/collections/accessories/products/combo-ethernet-adapter-and-retractable-cable (which is included in the Shark Jack Combo Kit) - but any regular USB Ethernet adapter will work.

    22 hours ago, Geeksystem said:

    Hmmm... suspect behaviour here.

    I downloaded new firmware and sharkjack.sh to my Kali machine. Shark Jack is connected, pinging and I can connect to it with SSH.

    When I run sharkjack.sh and select "connect" it only says "waiting for shark jack to connect".

    Same on upgrade so I can't upgrade. Is there a way to manually copy the upgrade to the Shark and start the upgrade directly from the SSH shell?

    Greets, Heiko

    I'll post a manual upgrade guide to https://docs.hak5.org but essentially the process is similar to that of the Packet Squirrel or WiFi Pineapple where you download the latest firmware from downloads.hak5.org, copy the file to /tmp/ on your device via SCP, then SSH into the device, verify its SHA256 sum, then issue sysupgrade -n /tmp/upgrade.bin.

    The IMPORTANT bit to keep in mind with the Shark Jack is that it should be plugged into USB power during the flashing process, as an interruption in power will result in a bricked device.

  13. Everything from unboxing your Shark Jack to connecting in arming mode, exfiltrating loot, changing out payloads, upgrading the firmware, checking out the new web interface and even connecting it to Cloud C2.  

    VIDEO CHAPTERS:
    0:58 - Unboxing
    4:22 - Attacking with the default payload
    7:08 - Connecting in arming mode
    10:40 - Navigating the file system
    12:34 - Exfiltrating loot to our local host
    14:13 - The sharkjack.sh helper script
    17:16 - Upgrading the firmware
    19:26 - The new arming mode web interface
    20:30 - Loading new payloads
    25:19 - Setting up Cloud C2

    • Like 1
  14. @monsieurmarc you'll find serial pads on the bottom of the board along the side opposite the USB ports. I believe they're labeled and you need only connect RX, TX and Ground.

    Baud Rate: 115200
    Parity: 8N1
    Hardware Flow Control: No
    Software Flow Control: No

    On boot you'll be prompted "Hit any key to stop autobooting". Pressing any key will drop you to a uboot> prompt. The help command shows all that's available. It supports tftpboot, but I can't say I've ever flashed it directly via serial. 

    Hit any key to stop autobooting:  0 
    
    uboot> help
    ?        - alias for 'help'
    bootm    - bootm   - boot application image from memory
    cp       - memory copy
    dhcp     - invoke DHCP client to obtain IP/boot params
    echo     - echo args to console
    erase    - erase FLASH memory
    exit     - exit script
    go       - start application at address 'addr'
    help     - print embedded help
    httpd    - start www server for firmware recovery
    iminfo   - iminfo  - print header information for application image
    itest    - return true/false on integer compare
    md       - memory display
    mm       - memory modify (auto-incrementing)
    mtest    - RAM test
    mw       - memory write (fill)
    nm       - memory modify (constant address)
    ping     - send ICMP ECHO_REQUEST to network host
    printenv - print environment variables
    printmac - print MAC addresses stored in FLASH
    reset    - perform RESET of the CPU
    run      - run commands in an environment variable
    saveenv  - save environment variables to FLASH
    setenv   - set environment variables
    setmac   - save new MAC address in FLASH
    startnc  - start net console
    startsc  - start serial console
    test     - minimal test like /bin/sh
    tftpboot - boot image via network using TFTP protocol
    version  - print U-Boot version
    
    uboot>

    There's also a failsafe section later on in the boot process that'll drop you into a busybox shell if you press f then enter.

    Press the [f] key and hit [enter] to enter failsafe mode
    Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
    f
    - failsafe -
    /etc/preinit: line 6: dropbearkey: not found
    /etc/preinit: line 7: dropbear: not found
    
    
    BusyBox v1.30.1 () built-in shell (ash)
    
    ash: can't access tty; job control turned off
     .___.
     {o,o}
     /)__)  Hak5 Signal Owl
      "  "  Version XVERSIONX
    =======================================
     Built on OpenWRT 19.07
    =======================================
     .___.
     {o,o}
     /)__)  Hak5 Signal Owl
      "  "  Version XVERSIONX (Failsafe)
    =======================================
     Built on OpenWRT 19.07
    =======================================
    root@(none):/# 

    From here you have all the usual suspects - iwconfig, scp, sysupgrade - which in concert should get you going.

    Obviously the warranty is void when you crack the case, but seeing as it's bricked anyway you've really got nothing to lose. My condolences on your loss - and best of luck should you take on the adventure. 

    There's also an express replacement service that covers accidental damage and other out-of-warranty claims for a small one-time incident fee. More info at the bottom of https://shop.hak5.org/pages/support

  15. On 10/22/2019 at 5:56 AM, monsieurmarc said:

    I had a battery failure during upgrade to 1.01 and now also just have the slow blinking light. Did anyone find a recovery method?

    No, unfortunately there is not a firmware recovery option if the power is lost while flashing.

  16. The Screen Crab by Hak5 is a stealthy video man-in-the-middle. This covert inline screen grabber sits between HDMI devices - like a computer and monitor, or console and television - to quietly capture screenshots. It's perfect for sysadmins, pentesters and anyone wanting to record what's on a screen. Out of the box it saves screenshots to a MicroSD card every few seconds. And by editing a simple text file you can configure every option, including capturing full motion video. Planting the Screen Crab is easy. Just plug it in, power by USB, pop in a card and get instant feedback from the multi-color LED. Coupled with a large MicroSD card - you can discreetly save nearly a year's worth of data. And with the Screen Crab, remote monitoring is built right in. Connect it to the Internet over WiFi and exfiltrate those screenshots, or watch the screenshots live from anywhere online with Hak5's Cloud C2.

    Screen Crab - covert inline screen grabs.

    SHOP: https://shop.hak5.org/products/screen-crab
    DOCUMENTATION: https://docs.hak5.org/hc/en-us/categories/360002117873-Screen-Crab

    • Like 1
  17. The Signal Owl by Hak5 is a signals intelligence platform with a unique design allowing it to be discreetly planted, or taken with you on any engagement. With a dynamic payload system, it orchestrates attacks using custom utilities and popular tools - like Aircrack-ng, MDK4, Kismet and more. The internal WiFi radio is optimized for close access operations, and coupled with a number of common transceivers it'll support GPS, SDR and Bluetooth. Powered by USB and featuring USB pass-through, the Signal Owl is able to share a port that may otherwise be occupied without interference. And with Hak5 Cloud C2, command and control is at the forefront. Easily exfiltrate data and drop right into a shell from the web and get root access anywhere. Signal Owl - the signals intelligence platform with simple payloads.

    SHOP: https://shop.hak5.org/products/signal-owl
    PAYLOADS: https://github.com/hak5/owl-payloads
    DOCUMENTATION: https://docs.hak5.org/hc/en-us/categories/360002117953-Signal-Owl

    • Like 1
    • Upvote 1