Everything posted by Xcellerator

  1. Pretty sure he was only referring to the USB Armory when he was talking about inotify-tools. There aren't any LEDs on the Turtle for inotify-tools to interface with.
  2. Hi, these are some good questions. I'll do my best to answer clearly! I don't own a Tetra/Nano yet (still on the MKV) but most of these are general questions.

     1. SFTP can be used, but there's no need to run an SFTP daemon on the pineapple. You can use SCP which is just a file transfer protocol over SSH. Use it just like you would "mv" or "cp" in Linux. scp root@ /home/me/directory/to/save/to/

     2/3. In networking, the Gateway is the address that outbound traffic is sent to. So for your personal machine, it would be set to whatever router you're using to connect to the internet (either your home router or your pineapple if you're connected to that). If you're using Linux, type 'route' at a terminal to get a printout of your current network routing configuration. It will state your gateway there. The other things you mention are all different network interfaces. 'br-lan' is a virtual interface. The 'br' stands for 'bridge' and does exactly that - it bridges the connection from wlan0 and wlan0-1 (both are the radio that clients connect TO; there are two because there is an open access point and an encrypted one that you use to manage the pineapple securely) to wlan1 or wlan2 depending on which radio you're using to connect to a source of internet access. wlan2 is indeed your USB dongle by default. wlan1mon is another virtual interface. You are right in that it is just wlan1 but in monitor mode. eth0/eth1 are ethernet interfaces.

     4. This is 100% possible. I believe that there is an openvpn module available but if there isn't then openvpn is available via 'opkg' (sort of like apt-get or yum from Ubuntu/Fedora but for OpenWRT). There is plenty of documentation available online for setting up OpenVPN. In fact Hak5 did a few segments on setting it up a few seasons ago. Highly recommended.

     5. I'm afraid I'm not sure what the lights mean on the Tetra. On the MKV they're just status lights. I'm sure they'll be explained in the manual.

     6. I'm not sure what you mean by this. Most CLI tools allow you to set either '-C' or '-c' to specify a particular channel. I assume that you're using the wlan1 interface in monitor mode (wlan1mon)? Keep in mind that it jumping all over the place isn't necessarily a problem. It certainly speeds things up by selecting the channel in advance. The only time it would really be important is if you had a weak signal. The channel hopping process could miss the frame from a weak signal so setting the channel guarantees that it'll find it (if you're in range!).

     7. Placing a .bashrc file in /root/ won't do anything at all. The Pineapple runs a heavily modified version of OpenWRT which by default uses a fork of BusyBox as a shell environment. I guess you could install bash via 'opkg' but bash is more memory intensive than BusyBox so it's not recommended. BusyBox is actually a number of common GNU utilities all rolled into one specifically for embedded devices, so your best bet is to stick with that.

     8. As I mentioned earlier, wlan0 runs this open access point. It is the access point that all your clients will connect to. This is how the WiFi Pineapple has always worked, even way back in the days of Jasager for the FON. wlan0-1 runs an encrypted (WPA2 iirc) access point for YOU to connect to. This way, your connection to the pineapple doesn't run in the same vein as your clients so they couldn't sniff YOUR traffic and see you connecting to on port 1471 and decide to take over your pineapple. It's hidden by default so it doesn't show up when people scan for nearby WiFi networks. It's best to leave it that way unless you're looking to entice people who scan for free WiFi. For example, you could title it "Free WiFi" and set it to un-hidden and wait for unsuspecting WiFi users to connect. Hope this helps!
  3. For many (generally older) devices, if there are two APs with the same ESSID (or BSSID in some later implementations) then it is simply a race condition to see which one is associated to. It essentially boils down to which one has the stronger signal (in most cases this will be the same as which is closer). Karma is excellent at grabbing these devices because it just replies to all probe requests (the packets spat out by a client asking which of its known APs are nearby), therefore Karma will most likely win the race condition and get the association. However, if the target device is already associated to a nearby network, it won't do anything. This is where deauthenticating comes in. If you were to look at your device settings, you'd see two APs with the same ESSID (name) but with different security settings. If the attack had worked, then you'd be connected to the Open one rather than the real (hopefully) encrypted one. The rest of this particular attack would then proceed, i.e. the user would be redirected to some web page asking for the WPA/WEP key.
  4. Although the pineapple does indeed only have two wireless radios, (namely wlan0 and wlan1), you can plug in a USB wireless adapter (as long as it's supported; see here: http://wiki.wifipineapple.com/#!compatible_wifi_cards.md) and it will show up as wlan2 (as you'd imagine). The best use for wlan2 is to use it for your connection to the AP as it suffers less from the rate-limiting issues in wlan1 (I think it's due to a timing issue over the internal bus, correct me if I'm wrong anyone..). This frees up wlan1 for things like deauthing, packet captures, etc.
  5. Also you'd be surprised how much more efficient the PineAP/Karma suite is if you also use wlan1 to deauth everyone except your pineapple's MACs. (If you don't already do that anyway..). But I think most places treat deauthing the same as jamming so you're getting into even muddier waters than you were before... Anyway, I'd much prefer an extension to the Mk5 rather than a Mk6. If it's not then the expansion bus and the "slices" all came to pretty much nothing. (I know you could still do it yourself, but as far as I'm aware, there isn't anything serious as far as the expansion bus goes...).
  6. A raspberry pi is a pretty good idea too. The standard OS for the pi is called "Raspbian" which is just an ARM version of Debian (which is what Ubuntu, Mint, Elementary, etc are all based on). So with that you could use iptables as I mentioned. I've just found http://makezine.com/projects/browse-anonymously-with-a-diy-raspberry-pi-vpntor-router/. Which looks quite interesting. I think this is pretty much the best way to set up a Raspberry Pi to do what you want (and it looks quite fun too!). They use Raspbian in it too, so you can still use iptables (just make sure your firewall rules don't conflict with the Tor/VPN setup!). Other than that, I guess it's the usual "change the default password", "don't run unnecessary services", etc.. I guess if you were really security conscious you could look into recompiling the Linux kernel under Raspbian with the SELinux module added in. But if you're just using the Pi for what they set up in that article (i.e. not running Apache or other internet-facing services), I think you should be *pretty* good out of the box. As usual, "how secure" is always a comparison and you can never be 100% safe, just like you can never be 100% anonymous. But you can get damn close...
  7. Hmmm... Sounds very annoying. I've been thinking about your question though, it's quite an interesting one. I guess in Windows you could use the built-in "Windows Firewall" to block ALL inbound/outbound connections except for those from a VPN that you've got running back home? Pretty sure you can do that in advanced firewall settings in control panel. Your machine would basically ignore everything that didn't originate from a specific IP address (in this case it'd be your machine running a VPN back home). So in effect you would HAVE to tunnel EVERYTHING through that VPN to be able to access anything on the internet. In Linux you can achieve a similar thing with iptables. Another option (which I do whenever I need WiFi away from a protected hotspot on my laptop) is to use WiFi tethering on your phone, assuming you've got a model that supports it and have a data plan that would be able to handle whatever it is you're trying to achieve. Basically anything which means you're connecting your laptop only to a network that you control, so even a Pineapple would work (but may look a little suspicious...). A general rule of thumb is to only connect directly to an open AP if you really need to. Another idea that just occurred to me would be to run a VM on your laptop and plug in a USB WiFi adapter. Then you can forward that USB to the VM and connect to the WiFi through that (rather than having the VM use the host's connection, you'd need to turn that off in virtualbox/vmware settings). Then set up a shared folder from the VM to the host to transfer any files that you need. If they screw up the VM, who cares? Restore it from a snapshot if you have to. I'm sure other people can come up with some better ideas, but those are what I could come up with in the time it took me to type this! Good luck fixing your laptop.. ;)
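The Linux version of the "block everything except the VPN" setup described in the post above, as an added example that is not from the post: it emits an iptables-restore ruleset with a default DROP policy. The VPN server 203.0.113.10, port 1194 and the interface names wlan0/tun0 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the forum post: a VPN "kill switch" for a laptop on
# an untrusted hotspot. Default policy is DROP; only loopback, DHCP on the
# uplink, the UDP handshake to one VPN server, and traffic on the tunnel
# interface are allowed. Server, port and interface names are placeholders.
# IPv6 is not covered here; ip6tables needs the same treatment or v6 leaks.

# vpn_killswitch_rules UPLINK_IF VPN_SERVER_IP VPN_PORT TUN_IF
# Prints a ruleset in iptables-restore format (lines starting with # are
# ignored by iptables-restore, so the comments can stay in).
vpn_killswitch_rules() {
    uplink="$1"; server="$2"; port="$3"; tun="$4"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: local resolvers, the VPN client's own control socket, etc.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to flows we started (the handshake and everything in the tunnel)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP so the lease on the untrusted network can still be renewed
-A OUTPUT -o $uplink -p udp --sport 68 --dport 67 -j ACCEPT
# the only plaintext flow permitted on the uplink: the tunnel itself
-A OUTPUT -o $uplink -p udp -d $server --dport $port -j ACCEPT
# everything else leaves through the tunnel; DNS must go this way too,
# so point the resolver at a server reachable through the VPN
-A OUTPUT -o $tun -j ACCEPT
COMMIT
EOF
}

# count_uplink_accepts RULESET UPLINK_IF -> number of OUTPUT ACCEPT rules on
# the physical interface; a sanity check that it is exactly DHCP + VPN (2).
count_uplink_accepts() {
    printf '%s\n' "$1" | grep -c -- "^-A OUTPUT -o $2 .* -j ACCEPT\$"
}

# apply_killswitch: root required; the previous rules are saved first so they
# can be put back with `iptables-restore < /root/iptables.pre-killswitch`.
apply_killswitch() {
    iptables-save > /root/iptables.pre-killswitch
    vpn_killswitch_rules "$@" | iptables-restore
}

# usage: sh killswitch.sh apply wlan0 203.0.113.10 1194 tun0
if [ "${1:-}" = apply ]; then
    shift
    apply_killswitch "$@"
fi
```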
  8. Hmm, as far as books go, it depends on how in depth you want to get. I suggest getting your head around receivers first (because after that, transmitting becomes very simple). The people behind RTL-SDR published a book called "The Hobbyist's Guide to RTL-SDR" which is excellent. It assumes no knowledge on behalf of the reader and will get you set up and receiving signals very quickly. Then there is also Richard Lyons' "Understanding Digital Signal Processing" textbook which is quite heavy on maths but cuts no corners whatsoever. Finally, Mike Ossmann has a series of videos out called "SDR with HackRF" which is a great introduction. You can find it on the Great Scott Gadgets website. They're quite slow to be put out, but in fairness, he's a busy guy. I think he's up to episode 10. Hope all that helps!
  9. If you've not done much with radio before, I'd suggest starting off with the Yardstick One and an RTL-SDR for transmit/receive respectively. It handles the modulation all on-chip so you don't need to have an in-depth knowledge of all of the maths that's going on. For that reason, the Yardstick One isn't an SDR (it's not *software* defined!). Then you should upgrade to the HackRF which is a true SDR and all the modulation and (almost) all the maths is handled by the host computer.
  10. IMO, it's unlikely to be a new pineapple. In the announcement at DefCon a couple of years ago when the MK5 was announced, Darren made it pretty clear that the MK5 was the LTS version as far as Hak5 were concerned. Darren and Seb between them have also said several times that they haven't got any plans for a MK6 any time soon and I'd imagine that it takes quite a bit longer to design and build and get a new one approved. Just my two cents; I'd put my money on either a slices module (the bit at the end looks kinda touch-screeny) or FW 3.0..
  11. It looks like Ubuntu is automatically loading the builtin kernel module for the dvb tuner. Try running 'sudo rmmod dvb_usb_rtl28xxu' and see if it works. If it does, then you can make the change permanent (after reboot) by creating "rtlsdr.conf" in "/etc/modprobe.d" and put 'blacklist dvb_usb_rtl28xxu' in it. Hope that helps!
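The module check and the persistent blacklist from the post above, as an added shell example that is not from the post. The lsmod lines embedded in it are constructed, and RTLSDR_CONF can point the blacklist file at a scratch path for a dry run.

```shell
#!/bin/sh
# Added example, not from the forum post: unload the DVB-T driver that grabs
# the RTL2832U dongle and make the blacklist permanent via /etc/modprobe.d.
MODULE="dvb_usb_rtl28xxu"
CONF="${RTLSDR_CONF:-/etc/modprobe.d/rtlsdr.conf}"

# Constructed sample of `lsmod` output from a machine where the driver loaded.
SAMPLE_LSMOD="Module                  Size  Used by
dvb_usb_rtl28xxu       28672  0
dvb_usb_v2             40960  1 dvb_usb_rtl28xxu
rtl2832                24576  1 dvb_usb_rtl28xxu"

# module_loaded LSMOD_TEXT -> prints yes/no. Only column 1 is compared, so a
# module that merely lists ours under "Used by" does not count as loaded.
module_loaded() {
    if printf '%s\n' "$1" | awk -v m="$MODULE" '$1 == m { f = 1 } END { exit !f }'; then
        echo yes
    else
        echo no
    fi
}

# blacklist_conf -> prints the modprobe.d fragment the post describes.
blacklist_conf() {
    printf '# keep the DVB-T driver off the RTL2832U so librtlsdr can claim it\n'
    printf 'blacklist %s\n' "$MODULE"
}

# apply: unload now (root required) and write the blacklist for future boots.
apply() {
    if [ "$(module_loaded "$(lsmod)")" = yes ]; then
        rmmod "$MODULE"
    fi
    blacklist_conf > "$CONF"
}

# usage: sudo sh rtlsdr-blacklist.sh apply
if [ "${1:-}" = apply ]; then
    apply
fi
```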
  12. You've been clear that you aren't interested in learning how the platform works but that is exactly what everyone here on the forum is open to helping you achieve. I really don't know what you're expecting to get from us and I don't think there's anything else I can do for you.
  13. No, there is not any such disclaimer just as there isn't a disclaimer when you buy an oven saying that you need to be a cook. Nonetheless, if you buy an oven, you either already know how to cook or are going to learn how to cook. The same logic applies to the pineapple. When I said "click-and-go", I apologise for any confusion if you thought I was referring to your post. I meant that the way you describe how you want the pineapple to work makes it sound like you just want to click a few buttons and expect things to happen. As anyone on this site will tell you, penetration testing (and in fact, hacking as a whole) is not a simple process. It requires insight and in-depth technical knowledge. You are right that everyone has to start somewhere, but believe me when I tell you that a certain amount has to be done by yourself. I'd highly recommend downloading a simple Linux distribution (like Ubuntu), installing it onto a spare USB drive (Google it) and then booting into it on your computer. Learn a little about Linux and generally get comfortable with the command-line. It will help you enormously in everything you do with the pineapple. All that being said, you said that you are seeking someone who can break down the operation of the pineapple. The pineapple is just a Linux device. 100% of what you see when you're using the web interface is just a front-end for different Linux commands that are being executed in the background. In theory, everything that is done in the web interface can just as easily be done through SSH instead. I cannot recommend highly enough that you familiarise yourself with Linux. See this link that I found on Google: http://www.tldp.org/LDP/intro-linux/html/. I understand your point about driving a car, but I don't see how it applies in this case. If we were talking about some Netgear router then I'd completely agree with you.

     You shouldn't need to have any knowledge of how networks work or Linux to be able to set up a stock router from your ISP. But the pineapple isn't something for your average consumer. It's a sophisticated tool for professionals and enthusiasts (such as myself - I'm not a security professional. 100% hobbyist.) who are looking to explore and probe into wireless networks more easily. The vast majority of people who use a pineapple will already be very familiar with many, if not all, of the facilities that it offers. Once you've read that Linux Introduction in the last paragraph, then I'd also suggest reading "Metasploit Unleashed" (although it's for Metasploit, it covers an enormous amount of content and applies to many areas of wireless hacking) here: https://www.offensive-security.com/metasploit-unleashed/. I hope you enjoy getting into the field!
  14. I feel I should point out that the pineapple is a tool for professional penetration testers. It's not designed to be just a simple "click and go" that the average computer user could pick up and start stealing gmail passwords from their neighbours. Not trying to sound rude, but the overall impression your posts seem to have is that the pineapple isn't as simple as you expected. I'd highly suggest getting familiar with Linux if you haven't already and then SSH into the pineapple to see exactly why your connection keeps dropping off. I don't mean to say "go work it out yourself" - I mean that it makes it easier to help you if you're more experienced in these areas.
  15. Oh, I see what you mean! That is much nicer than using nano. (I've never had any trouble using nano to edit /etc/sudoers as I sudo'd it first?) I've never really been able to get along with vi. Apple are still likely to be pretty slow at patching this. If it was a serious RCE then we might see a different reaction, but in the real world, people are so precious of their Macs that it's gonna be so hard to get the physical access to a machine that you need to exploit this. (That's Apple's justification, anyway!).
  16. Nice! The only thing I'd change is your cleanup operation. Depending on how long someone's username is it could overwrite and erase other parts of the sudoers file. I'd suggest using nano and CTRL-K to cut the whole line out instead of worrying about removing a certain number of chars. Other than that, it's a nice implementation. Let's see how long it takes Apple to push out a patch?
  17. Does Veil not support reverse_https? reverse_tcp is just plaintext all the way - you could even sniff it in Wireshark if you wanted to. If it is indeed just the AV picking up the stream, then try using reverse_https and see if you get different results.
  18. I'm afraid I don't understand your stance on this Polisher. At first you say: But then follow on with: These two statements seem to completely disagree with each other. You don't want to release your work in full because it'd make it too easy to use on the ducky and teensy but you also say that the developers can't be held liable for the use of their tools. If you can't be held responsible for how other people use your work, then why does it matter that it'd be very easy to implement? Also, I'd like to point out that there are defences against these kinds of attacks such as USB whitelisting and key entry rate limiting that have actually been around since before the Ducky ever came out, it's just that these defences aren't implemented very often by corporations. Finally, I'd advise you to actually devise some kind of license for your work if you do intend to sell it. Sharing your entire project with someone for a small price and a gentleman's agreement that they won't share it with anyone is a terrible idea to go ahead with. Your code would end up publicly online somewhere within a week. All that said, I wish you luck with the development. I'll be following things to see what comes from it.
  19. Absolutely, as the WiFi connection is handled by the firmware drivers themselves, using a 5GHz USB adapter will work just fine. You'll be able to access the internet and use all the infusions as normal.
  20. Thing with iOS issues is that people tend to be fairly reluctant to upgrade if they're already jailbroken. So even after the patch is out, you'll probably find that it'll still work for ages on most devices...
  21. I don't know how it works in other countries, but here in the UK, you can get a 3G/4G sim over the counter without even registering it in the shop. Besides that, there are loads of "student telcos" that let you sign up for a pay as you go sim online. It's just a name/address form and they send you the sim in the post. Anonymous internet really isn't too hard if you know where to look. (forgetting about triangulation techniques, etc)
  22. The understanding that I've always had (maybe falsely, I don't know) is that all cars and fobs from the manufacturer have built-in synchronised clocks (similar to the ones in GameBoy cartridges). Then using some arbitrary count off the clock and a unique code between the car and fob, they are combined in some manner and then transmitted. The car picks this up and verifies it. The count would be fairly large (relatively, considering these clocks can usually accurately measure down to milliseconds) i.e. a few minutes which would save a lot of power using the clock. Although the batteries for the transmitter part often need replacing (again, "often" is meant relatively), the clock is probably on a separate circuit with its own power source. If the clock's power dies, then the clocks go out of sync and you'd need a new fob. This would explain your observation of the code still working for a few minutes. Of course, all this is from what I've always thought to be the case. I'd have to take a look at the PCB of the fob to confirm any of this. I live pretty close to Central London, so I've no need to own a car. And I'm afraid none of my friends would trust me to break open their fobs. It'll be good to hear how you get on!
  23. Agreed. If you managed to gain access to an air-gapped machine, you're kinda shooting yourself in the foot with these cloak-and-dagger tactics. A really cool implementation would be the reverse. If you could "tune" a GFX card to receive instructions via FM sent from an attacker, then there'd actually be some use. Again, it'd require some other exploitation in the first place, but I guess it'd be an effective form of persistence. It's probably just the geek in me that'd like to see it done though.
  24. Reading all of this, I'm reminded of PiFM for the Raspberry Pi. It uses GPIO Pin 4 to broadcast an FM signal. Video cards do use GPIO usually, so I guess it's not beyond the realms of possibility that firmware could be reverse engineered to this effect. Still pretty far-fetched, mind...
  25. According to https://en.wikipedia.org/wiki/Vol_%28command%29, it's present in DOS, OS/2 and Windows. It doesn't specify exactly what versions of Windows, but if it was in DOS, it's probably been there since forever anyway. Nice fix, by the way!