no42
Posts posted by no42

  1. Make sure there are no spaces at the end of the line.

    I get the following:

    Char not found:ASCII_72
    Char not found:ASCII_70
    Char not found:ASCII_6F
    Char not found:ASCII_77
    Char not found:ASCII_65
    Char not found:ASCII_72
    Char not found:ASCII_73
    Char not found:ASCII_68
    Char not found:ASCII_65

    This is because the ru.properties file is not finished; it's just a start. Like the Italian keyboard post, you need to help build a working ru.properties file.

  2. Make sure you're using the latest encoder (currently v2.2).

    I think you're our first Italian, so I'll help walk you through creating a new file, it.properties, for Italian keyboards.

    Your best option is to download the ducky-decode svn.

    Inside the svn is the folder

     Encoder/v2/resources

    This is the location of all the language maps.

    keyboard.properties is the main file, it maps ascii characters to their HID values. Do not edit this file.

    You probably now want to read a non-English language file (French/Spanish/German) to see how special characters are mapped.

    An example from de.properties:

    ISO_8859_1_A7 = KEY3, MODIFIER_SHIFT

    This website http://www.charset.org/charactersets.php is good for finding your character map and ISO codes.

    Basically, you need to create a new file it.properties, and build the ISO_8859_1_code = key_located_on_US_QWERTY_keyboard mappings.

    It may be a long process, but do this for all the characters you need.

    This is a brief post, if you need clarification, ask questions, and I'll edit this post to make things clearer.

  3. Ok. Here we go:

    Mass storage and HID load at the same time

    HID won't fire until the user lights one of the following LEDs: CAPS/NUM/SCROLL Lock. - Still only 1x payload inject.bin

    Hopefully, it has safeties to prevent the script reloading mid-injection if a special key is involved in the Ducky script.

    http://code.google.com/p/ducky-decode/downloads/detail?name=c_duck_v2_S001.hex&can=2&q=

    After injection, Duck should return to default state.

    Post feedback here.

  4. One thing that would be cool with the latest firmwares would be when you set Caps Lock it runs inject.bin, Num Lock runs inject2.bin.

    Because when I run on a fresh computer it takes like 15 seconds to install both HID and drive, making timing a payload hard. I've been plugging in, then removing the duck just after the computer finishes installing, then plugging back in to run the payload.

    This would be awesome. Kinda like choose your own adventure;-)

    I'm rather limited on memory. I have to load the inject.bin into memory before starting the USB stack (as the AVR can't read from the sdcard when functioning as Mass Storage). I've tried manipulating SRAM and the heap - to no effect!

    I'm either missing some info, or the Ducky is eating up the AVR's SRAM.

    I'm limited to 4KB; since each keypress is encoded as 2 bytes, that's really 2048 keystrokes.

    So implementing this function for one key (e.g. caps) should be relatively straightforward; for two keys (caps and num lock) it's really going to reduce memory again.

  5. The Naked Duck has been upgraded to version 2 firmware.

    This means:

    • VID & PID Controlled through vidpid.bin (on sdcard root).

    Upgrades:

    • Multi-payloads now trigger on Keypress (added interrupt B)
    • No longer have to press the GPIO button

    Meaning the Ducky can put on his Black Dinner Suit like a real spy (or the USB case in reality); Probably means he needs a new codename.

    Warning: the use of CAPS_LOCK/NUM_LOCK/SCROLL_LOCK in Ducky scripts may cause scripts to collide!

    And if you didn't spot it:

    • Inject.bin = default payload on boot
    • Inject2.bin = Num_Lock
    • Inject3.bin = Caps_Lock
    • Inject4.bin = Scroll_Lock <- New Trigger Key

    Usual procedure, provide feedback here. My laptop doesn't have Scroll Lock so it's untested - the other keys work fine.

    Download in usual place: http://code.google.com/p/ducky-decode/downloads/list

    ~~Snake

    PS. Kinda breaks rule 6 of Duck Club; for those unfamiliar with Duck Club see post http://forums.hak5.org/index.php?/topic/28323-happy-ducky-xmasnew-year/

  6. The switchblade targeted Windows machines, with Auto-run enabled.

    http://en.wikipedia.org/wiki/Autorun.inf

    Since then vendors like Microsoft have disabled Auto-run; that's why alternatives were searched for, e.g. the Teensy PHUKED project, Ducky V1.

    These initially used HID attacks, attacking the trust between a machine and a keyboard - keyboards are not usually limited by device control software (unlike mass storage drives).

    The power of the Ducky was noticed quite quickly, and others like myself in the community had a crack at writing different firmwares for different purposes, e.g. mass storage; multi-payload (demo); composite device (systems without internet access).

    Hopefully, if more people invest in the Ducky, the price can drop further.... promote the power of the Ducky

  7. VPN is the most secure option (assuming client data etc, is traveling between your two machines):

    You have three options:

    PPTP VPN - http://knowledgelayer.softlayer.com/procedure/setting-pptp-windows-xp

    SSL VPN (openvpn) - http://openvpn.net/index.php/open-source/documentation/howto.html

    IPSEC VPN - http://support.microsoft.com/kb/816514

    PPTP is the easiest to set up, but recent hash attacks powered by the cloud make this a bit worrying.

    OpenVPN has a good setup guide, I know this is used by a lot of pentesting companies.

    IPSEC I think is one of the harder VPNs to set up; if you use this, ensure you use main-mode auth (not aggressive mode).

  8. Most free shells additionally kick you out if they catch you proxying/tunnelling; it's usually against their policies. Probably due to people abusing connections in the past.

    You can normally pay for proxies through VPS providers - then you get a decent speed, but lose anonymity.

    VPS proxies are useful for web developers when you work in one country and are developing a website with country/language/IP restrictive content (e.g. gambling websites, like local lotteries).

    I personally find VPS proxies useful to view US netflix content in Europe/UAE, Netflix content in Europe and UAE is limited or next to nothing.

    The best proxy-chain for staying anonymous (conditions depending) is essentially TOR.

    I know HD Moore was working on a de-cloak project (don't know if it's still live?), in an attempt to expose people hiding behind proxy-chains.

  9. You run some kind of Asterisk box at home, or are you actually using dial-up? lol

    If you're looking for fun with phone and VoIP systems, HD Moore has a tool for tracking voice systems and being able to listen in and capture/record calls, but I don't know if he's ever released the code publicly. I've seen him give talks about it in the past and building stats on VoIP systems which can be used, I assume, to pivot into a company's network.

    It was called warvox http://warvox.org
