
no42 (Dedicated Members) - Posts: 925, Days Won: 17

Everything posted by no42

  1. Hmm, my mate hasn't returned my pineapple, to see if I can duplicate your results - odd. For the moment I'm stuck and can't fathom it; maybe some other Pineapple expert can spot something I missed?
  2. Sorry I wasn't clear earlier. Can you either mount the sda drive on the Pineapple / another Linux OS? It looks like the sdcard is assigned to /dev/sda; it could be 1 large partition or it could be that the sdcard is not formatted. Commands:
         mkdir /mnt/test
         mount /dev/sda /mnt/test
     or
         fdisk /dev/sda > p
  3. Depends if you're emulating / spoofing. RSSI is a hard thing to fake, but the reset is achievable through Lorcon. I believe Lorcon2 is now part of Metasploit (it's how Metasploit's fake AP modules work etc.)
     http://blog.opensecurityresearch.com/2012/05/installing-lorcon2-on-backtrack-5-r2.html
     https://code.google.com/p/lorcon/
     http://forums.hak5.org/index.php?/topic/26092-lorcon-error-metasploit-backtrack-5-r2/
  4. I'm rather limited on memory. I have to load the inject.bin into memory before starting the USB stack (as the AVR can't read from the sdcard when functioning as Mass Storage). I've tried manipulating SRAM and the heap - to no effect! I'm either missing some info, or the Ducky is eating up the AVR's SRAM. I'm limited to 4KB; since each keypress is encoded as 2 bytes, that's really 2048 keystrokes. So implementing this function for one key (e.g. caps) should be relatively straightforward; for two keys (caps and num lock) it's really going to reduce memory again.
  5. Not sure what's going on, but it looks like (from dmesg and /dev/s*) that the sdcard is mapping to /dev/sda; I'm not seeing any partitions. Can you try to mount /dev/sda? Or fdisk /dev/sda?
  6. The Naked Duck has been upgraded to version 2 firmware. This means: VID & PID controlled through vidpid.bin (on sdcard root).
     Upgrades: multi-payloads now trigger on keypress (added interrupt B). No longer have to press the GPIO button, meaning the Ducky can put on his Black Dinner Suit like a real spy (or the USB case in reality); probably means he needs a new codename.
     Warning: the use of CAPS_LOCK/NUM_LOCK/SCROLL_LOCK in Ducky scripts may cause scripts to collide!
     And if you didn't spot it:
         Inject.bin = default payload on boot
         Inject2.bin = Num_Lock
         Inject3.bin = Caps_Lock
         Inject4.bin = Scroll_Lock <- New Trigger Key
     Usual procedure, provide feedback here. My laptop doesn't have scroll_lock so it's untested - the other keys work fine.
     Download in usual place: http://code.google.com/p/ducky-decode/downloads/list
     ~~Snake
     PS. Kind of breaks rule 6 of Duck Club; for those unfamiliar with Duck Club see post http://forums.hak5.org/index.php?/topic/28323-happy-ducky-xmasnew-year/
  7. The Switchblade targeted Windows machines with Autorun enabled. http://en.wikipedia.org/wiki/Autorun.inf Since then vendors like Microsoft have disabled Autorun; that's why alternatives were searched for, e.g. the Teensy PHUKD project, Ducky V1. These initially used HID attacks, attacking the trust between a machine and a keyboard - keyboards are not usually limited by device control software (unlike mass storage drives). The power of the Ducky was noticed quite quickly, and others like myself in the community had a crack at writing different firmwares for different purposes, e.g. mass storage; multi-payload (demo); composite device (systems without internet access). Hopefully, if more people invest in the Ducky, the price can drop further.... promote the power of the Ducky.
  8. VPN is the most secure option (assuming client data etc. is travelling between your two machines). You have three options:
     PPTP VPN - http://knowledgelayer.softlayer.com/procedure/setting-pptp-windows-xp
     SSL VPN (OpenVPN) - http://openvpn.net/index.php/open-source/documentation/howto.html
     IPSEC VPN - http://support.microsoft.com/kb/816514
     PPTP is the easiest to set up, but recent hash attacks powered by the cloud make this a bit worrying. OpenVPN has a good setup guide; I know this is used by a lot of pentesting companies. IPSEC I think is one of the harder VPNs to set up; if you use this, ensure you use main-mode auth (not aggressive mode).
  9. Both HID and USB actually load and enable at the same time; it's your initial ducky DELAY X that makes the keyboard appear 2nd. You have a race condition! The stack is laid out as a composite device, so both get loaded at the same time; not sure if the USB mounting can be delayed.
  10. You're probably looking at editing the c:\windows\system32\drivers\etc\hosts file, and mapping hostnames www.(google/facebook/hotmail/twitter).com to an IP that has a rickroll as an index page. You'll need admin user privs to pull it off.
  11. You normally have a small RX, where X is a number, in the corner of the board (usually appears on both sides). I believe the colour versions are: Green = R1, Red = R2, White = R3. So you probably have one with the sliding metal tab.
  12. That's easy! Ndiff, part of the nmap package (I know it's there when you compile from source): http://nmap.org/book/ndiff-man.html You probably want to create 2 scripts: 1 - periodically perform nmap scan; 2 - ndiff previous result, email results to specific inbox.
  13. Look into the Windows scheduler: http://windows.microsoft.com/en-GB/windows7/schedule-a-task Or on Linux, cron: http://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/
  14. I've used these free providers in the past; there are many more options on Google: "Free Web hosting". Hosting: http://www.000webhost.com/ DNS: http://freedns.afraid.org Free web hosting services are always quite low on resources; you may want to evaluate hosting providers. It only costs an average of $2-3 a month to host a small website and database, together with a domain and email.
  15. Most free shells additionally kick you out if they catch you proxying/tunnelling; it's usually against their policies, probably due to people abusing connections in the past. You can normally pay for proxies through VPS providers - then you get a decent speed, but lose anonymity. VPS proxies are useful for web developers when you work in one country and are developing a website with country/language/IP restrictive content (e.g. gambling websites, like local lotteries). I personally find VPS proxies useful to view US Netflix content in Europe/UAE; Netflix content in Europe and UAE is limited or next to nothing. The best proxy chain for staying anonymous (conditions depending) is essentially TOR. I know HD Moore was working on a decloak project (don't know if it's still live?), in an attempt to expose people hiding behind proxy chains.
  16. This might help: http://www.webupd8.org/2011/05/real-files-folders-search-unity-lens.html
  17. My advice is a powered USB hub. Raspberry Pis have the same issue as the Pineapple on battery packs. Assuming you're using one or the other.
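The two scripts no42 describes in post 12 (periodic nmap scan, then ndiff the previous result and mail the delta), scheduled as in post 13, as one added example. This is not no42's code and not part of nmap: ndiff remains the tool the post recommends, but so that this runs on a machine without nmap, the open-port comparison is done here directly over nmap's -oX XML (the same data ndiff reads) rather than by shelling out. The two XML documents, the host addresses, ports, mailbox and SMTP host are constructed sample values.

```python
# Added example, not code from no42's posts or from the nmap project.
# Step 1 (run_scan) and step 2 (diff_scans + send_report) follow the post's
# two-script plan; the diff is done over -oX XML instead of via ndiff so the
# script can be exercised offline. All addresses/ports below are constructed.
import smtplib
import subprocess
import xml.etree.ElementTree as ET
from email.message import EmailMessage

# Constructed sample: yesterday's -oX result.
OLD_SCAN = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed sample: today's result. 80/tcp closed, 3389/tcp appeared,
# and a second host showed up with SMB exposed.
NEW_SCAN = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Map each host address to its set of (protocol, port) pairs in state 'open'."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                ports.add((port.get("protocol"), int(port.get("portid"))))
        result[addr] = ports
    return result


def diff_scans(old_xml, new_xml):
    """Ports opened or closed per host between two scans (the change ndiff would flag)."""
    old, new = open_ports(old_xml), open_ports(new_xml)
    changes = {}
    for addr in sorted(set(old) | set(new)):
        opened = sorted(new.get(addr, set()) - old.get(addr, set()))
        closed = sorted(old.get(addr, set()) - new.get(addr, set()))
        if opened or closed:
            changes[addr] = {"opened": opened, "closed": closed,
                             "new_host": addr not in old}
    return changes


def format_report(changes):
    """Plain-text mail body; empty string means nothing changed, so send nothing."""
    lines = []
    for addr, c in changes.items():
        lines.append(addr + (" (new host)" if c["new_host"] else ""))
        for proto, port in c["opened"]:
            lines.append("  + %d/%s opened" % (port, proto))
        for proto, port in c["closed"]:
            lines.append("  - %d/%s closed" % (port, proto))
    return "\n".join(lines)


def run_scan(targets, out_path):
    """Script 1 from the post: run nmap and keep the XML for the next comparison."""
    subprocess.run(["nmap", "-sS", "-oX", out_path, *targets], check=True)


def send_report(body, to_addr="soc@example.invalid", smtp_host="localhost"):
    """Script 2 from the post: mail the differences (assumed mailbox/SMTP host)."""
    msg = EmailMessage()
    msg["Subject"] = "nmap delta"
    msg["From"] = "scanwatch@example.invalid"
    msg["To"] = to_addr
    msg.set_content(body)
    with smtplib.SMTP(smtp_host) as s:
        s.send_message(msg)


if __name__ == "__main__":
    # Offline demonstration over the constructed documents; a scheduled run
    # would call run_scan() and read the two XML files from disk instead.
    print(format_report(diff_scans(OLD_SCAN, NEW_SCAN)) or "no change")
```

To keep ndiff in the loop as the post suggests, swap diff_scans for `subprocess.run(["ndiff", old_path, new_path], capture_output=True, text=True)` and mail its stdout when the exit status is non-zero (ndiff exits 0 only when the two scans match). A cron entry such as `0 2 * * * /usr/bin/python3 /opt/scanwatch.py` (assumed path) covers the scheduling from post 13.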
  18. (quoting f0ne.sh) It was called warvox http://warvox.org
  19. On Windows you should be able to use devcon to restart the Ducky, link: http://support.microsoft.com/kb/311272 There is this post on restarting USB devices based on their identifiers in Linux, but I've never tried it; the author reported that his USB froze!
  20. Firmware is not responsible for keycodes; check the encoder source. The Windows key is special with 2 codes:
     0xe3 - when used on its own (GUI), from keyboard.properities - key_left_gui
     0x08 - when used as a modifier (e.g. GUI-R), from keyboard.properities - modifierkey_left_gui
     UPDATE: Looks like it was the encoder; updated to version 2.2 as download and svn. Please continue testing. There may be more bugs; this GUI thing is strange, sometimes it works, sometimes it doesn't???? Example:
         DELAY 5000
         WINDOWS
         DELAY 500
         GUI
         DELAY 500
         GUI R
         STRING did you see GUI first?
         DELAY 1000
  21. Don't necessarily need the switch ;) - that's just for replaying the commands!
  22. The ducky-decode wiki should be of some help. There are instructions in a past post: re-flashing/upgrading the usb rubberducky WINDOWSxp 32bit
  23. Brought to you by popular demand..... The Twin Duck version 2. So what's different since before Xmas? VID & PID controlled by binary file vidpid.bin (like other v2 firmware). WARNING: You need a valid VID & PID of a composite device to function correctly! Rather than having hard-set instructions and language dependencies, it will now read inject.bin (language independent), payload auto-triggered (need long delay), replay payload upon pressing the Ducky's button. So now you have Mass Storage and truly configurable HID injection. Happy Quacking New Year! ~~Snake PS. HID injection via inject.bin is currently limited to 4KB; each keypress is currently represented as 2 bytes.
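The inject.bin facts scattered across posts 4, 20 and 23 (2 bytes per keystroke, a 4KB ceiling and therefore 2048 keystroke slots, left GUI encoded as 0xe3 on its own but 0x08 as a modifier) as one added example: a toy Ducky Script encoder in Python that emits that layout and checks the budget. This is not no42's code and not the ducky-decode encoder. Everything the posts do not state is an assumption: the HID usage codes for a-z, space and '/', the left-shift modifier bit, DELAY being stored as a 0x00 byte followed by chunks of up to 255 ms (my reading of how the ducky-decode encoder lays it out), and GUI <key> lowercasing its argument so that the post's "GUI R" means GUI+r.

```python
# Added example, not code from no42's posts or from the ducky-decode project.
# From the posts: 2 bytes per keystroke, 4KB inject.bin (2048 slots), left GUI
# is 0xE3 alone and 0x08 as a modifier. Assumed (not on the page): the HID
# usage codes for letters/space/'/', the left-shift bit, DELAY as 0x00 + up to
# 255 ms chunks, and that "GUI R" is treated as GUI+r.

INJECT_LIMIT_BYTES = 4096                           # from the post: 4KB limit
BYTES_PER_SLOT = 2                                  # from the post: 2 bytes per keypress
MAX_SLOTS = INJECT_LIMIT_BYTES // BYTES_PER_SLOT    # 2048, as the post works out

MOD_LSHIFT = 0x02   # assumed: HID modifier bit for left shift
MOD_LGUI = 0x08     # from the post: GUI when used as a modifier (GUI r)
KEY_LGUI = 0xE3     # from the post: GUI when pressed on its own
KEY_ENTER = 0x28    # assumed: HID usage for Enter
KEY_SPACE = 0x2C    # assumed: HID usage for space
KEY_SLASH = 0x38    # assumed: HID usage for '/'; '?' is shift + '/'


def char_to_slot(ch):
    """Map one printable character to a (usage code, modifier) pair (toy keymap)."""
    if "a" <= ch <= "z":
        return (0x04 + ord(ch) - ord("a"), 0x00)
    if "A" <= ch <= "Z":
        return (0x04 + ord(ch) - ord("A"), MOD_LSHIFT)
    if ch == " ":
        return (KEY_SPACE, 0x00)
    if ch == "?":
        return (KEY_SLASH, MOD_LSHIFT)
    raise ValueError("character not in this toy keymap: %r" % ch)


def encode_line(line):
    """Encode one Ducky Script line into a list of (key, modifier) slots."""
    line = line.strip()
    if not line or line.upper().startswith("REM"):
        return []
    parts = line.split(None, 1)
    cmd, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
    if cmd == "DELAY":
        ms, slots = int(arg), []
        while ms > 0:                      # assumed layout: 0x00 then a <=255 ms chunk
            chunk = min(ms, 255)
            slots.append((0x00, chunk))
            ms -= chunk
        return slots
    if cmd in ("GUI", "WINDOWS"):
        if not arg:
            return [(KEY_LGUI, 0x00)]      # 0xE3: the key on its own
        key, mod = char_to_slot(arg.strip().lower())
        return [(key, mod | MOD_LGUI)]     # 0x08: GUI folded into the modifier byte
    if cmd == "ENTER":
        return [(KEY_ENTER, 0x00)]
    if cmd == "STRING":
        return [char_to_slot(ch) for ch in arg]
    raise ValueError("unsupported command in this toy encoder: %s" % cmd)


def encode_script(text):
    """Return the inject.bin bytes for a whole script: two bytes per slot."""
    slots = []
    for line in text.splitlines():
        slots.extend(encode_line(line))
    return b"".join(bytes((key, mod)) for key, mod in slots)


def budget(blob):
    """Slots used and left against the 4KB firmware ceiling from the post."""
    used = len(blob) // BYTES_PER_SLOT
    return {"slots_used": used, "slots_left": MAX_SLOTS - used,
            "fits": len(blob) <= INJECT_LIMIT_BYTES}


# The GUI test script from post 20 above.
EXAMPLE_SCRIPT = """DELAY 5000
WINDOWS
DELAY 500
GUI
DELAY 500
GUI R
STRING did you see GUI first?
DELAY 1000
"""

if __name__ == "__main__":
    blob = encode_script(EXAMPLE_SCRIPT)
    print(blob.hex(), budget(blob))
```

Note that every DELAY chunk costs a slot too, so a script full of long delays eats into the 2048-keystroke budget faster than its keystroke count suggests; budget() is the check to run before copying inject.bin to the card.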