
factgasm
Active Members
Posts: 117
Days Won: 1

Everything posted by factgasm

  1. How about this: Payloads get stored on an EEPROM within the Duck (so as to be undetectable to AV) but data exfiltrated from the target machine gets stored on the Micro SD Card? Would that be a better idea?
  2. @Broti, Neither of these two methods worked on XP, though both did on Vista forwards:

     for /f %D in ('wmic volume get DriveLetter^, Label ^| find "DUCKY"')
     for /f "tokens=3 delims= " %%A in ('echo list volume ^| diskpart ^| findstr "DUCKY"')

     @Overwraith, many thanks for the code, this definitely works on XP. Not pretty, but certainly effective. @Oli. Me slightly confused. Here's how I have been using the Duck: I take a Micro SD Card, making sure it has the volume name 'Ducky'. Using the supplied USB adapter I connect that Micro SD Card to my laptop and do all my development work with it attached that way. All my bin files go on that Micro SD Card, along with any other files I might need such as Mr Gray's executables. This way all the files I need for an attack are stored in one place. I then unplug the USB adapter from my laptop and slide the Micro SD Card into the USB Ducky Micro SD Card socket, then I insert the USB Ducky into a USB socket on the target machine. Have I got the wrong end of the stick? (I am happy to make a fool of myself here if it means I get my attacks right in future).
  3. I would be grateful if someone could explain how to bypass UAC when executing these programs. I tried this script on a plain Windows 7 machine and UAC immediately requested permission from the user to run some of them. UPDATE: I carried out an exercise to determine which of the 19 executables triggers UAC. It appears that five will trigger it, as follows:

     Executable                  Triggers UAC?
     BrowsingHistoryView.exe     No
     BulletsPassView.exe         No
     ChromeHistoryView.exe       No
     ChromePass.exe              No
     Dialupass.exe               Yes
     iepv.exe                    No
     mailpv.exe                  No
     mspass.exe                  No
     netpass.exe                 Yes
     OperaPassView.exe           No
     OutlookAddressBookView.exe  No
     PasswordFox.exe             No
     PasswordScan.exe            Yes
     pspv.exe                    No
     RouterPassView.exe          No
     SkypeLogView.exe            No
     SniffPass.exe               Yes
     WebBrowserPassView.exe      No
     WirelessKeyView.exe         Yes
  4. I was experimenting with some innocuous Ducky scripts at a local internet cafe and, much to my surprise, it appeared that their rickety old Windows XP computers were able to stop the Ducky in its tracks. How come? Well, certainly those machines had been installed with some antivirus software called S****** (I won't name it here, PM me if you need to know). Even before the Duck got to send so much as one keystroke the AV kicked in and an autorun.inf file appeared on the Duck's SD card. While the Duck did execute its binary file, the Diskpart/WMIC code for determining the Duck's volume name ("Ducky") didn't work - it just gave the error message "volume - Alias not found". Was this snag caused by the AV? UPDATE: Further to this, I have just run the Diskpart/WMIC code in an XP virtual machine on my own laptop at home (clean install, no AV) and got the same error message as yesterday: "volume - Alias not found". This suggests that the payload's failure to execute at the internet cafe yesterday wasn't down to AV on the host machine, but down to the payload being incompatible with XP. Here are some steps that replicate the error: The good news is that despite an autorun.inf file being written to the Duck's SD Card by the host machine, the Ducky still executed its payload anyway, even if that payload didn't work properly. Your thoughts please.
  5. How about using EEPROMs instead of relying on Micro SD Cards? I tried out some innocuous scripts at an internet cafe two days ago. Their machines had AV which scanned the Duck. It didn't stop the Duck sending keystrokes, but it did wipe the volume name off the Duck and thus prevent the payload succeeding. This wouldn't happen with an EEPROM.
  6. (1) How can I verify which version of the duck encoder I have installed on my machine? (2) What is the latest version? (3) Does anyone else have trouble making the ALT SPACE command work? ALT SPACE is meant to open the menu in the top left corner of an application window. I could not get it to work last autumn and I cannot get it to work now either. If you ask me there's a problem with the compiler, but what do I know?

     REM This is supposed to run CMD then hide it. Pauses are slow to allow for testing.
     DELAY 3000
     GUI r
     DELAY 1000
     STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
     DELAY 500
     ENTER
     DELAY 750
     ALT SPACE
     DELAY 750
     STRING N
     DELAY 750

     When I run this script, the CMD window opens but instead of a menu popping up and the window hiding, all that happens is that a letter N appears at the DOS prompt, nothing more. This tells me that, unless I have misunderstood something (and I am happy to be corrected), the compiler simply isn't interpreting the ALT SPACE instruction correctly when translating the script into the binary file. (I nearly titled this thread "In ALT SPACE no-one can hear you scream"). Constructive advice gratefully received. EDIT: Solved my own problem - I was not using the correct keyboard layout. Now working properly.
  7. Yes indeed it was the version of Ruby I had installed on my machine that was causing the problem. Downgrading to an older Ruby (I tried 1.9.3) stopped those error messages appearing and allowed Metasploit to work. The only problem I now have in running anything Metasploit related is I get a notification stating "It seems your ruby installation is missing psych (for YAML output). To eliminate this warning, please install libyaml and reinstall your ruby". These seem easy enough instructions to follow (famous last words).
  8. Anyone think "Pine Apps" would have been a better term than "Infusion"?
  9. Funnily enough it might have been me that posted that very linky-loo-loos. https://forums.hak5.org/index.php?/topic/32335-getting-an-error-on-kali-when-using/?p=247731 Also: http://tinyurl.com/kuncn6o
  10. Besides the Pineapple I am trying to learn how to use Kali Linux. Over the weekend I was interested to take a look at exe2vba.rb which converts exe code to vba. Not having the first clue about Ruby, I cloned a copy of exe2vba.rb from Github then tried tinkering to get it to run. First of all I tried running it from the command line using the suggested command: ruby exe2vba.rb [somefilename].exe That wouldn't work, so I installed Ruby on Rails. I then tried the same command again but kept getting the error message "Could not find i18n-0.6.9 in any of the sources". So I installed Bundler. After hours and hours of trying to install and get them working correctly I then discovered that exe2vba.rb now appears to have been replaced by a Kali command "msfpayload" anyway. Great. Now that I've gone back to try "msfpayload" that command has stopped working: "Could not find i18n-0.6.9 in any of the sources". Screenshot In fact it appears that I have broken my Metasploit Framework completely by installing Ruby on Rails, Bundler and so forth. Typing "msfconsole" at the command line simply results in - you guessed it - "Could not find i18n-0.6.9 in any of the sources". Joy. This is all the more galling as I now remember trying out msfpayload one afternoon about two months ago - so there was never actually any need for me to get embroiled with exe2vba.rb in the first place. Perfect. I have tried everything I can think of to get Metasploit Framework running again but I simply keep running into the same error message: "Could not find i18n-0.6.9 in any of the sources". You can see from the top of the screenshot that that gem appears to be installed. As I am utterly mystified and confused any constructive help would be most welcome. I no longer care for exe2vba.rb nor ruby, I just want my Metasploit Framework back please.
  11. I fully understand why BlackOp asked the question as I asked the same one about a month ago https://forums.hak5.org/index.php?/topic/32987-how-to-use-pineapple-to-capture-handshake/ But of course the Pwnapple is about much more than cracking WPA-PSK - infusions like Karma, Urlsnarf and Dnsspoof are especially interesting.
  12. Are exe2vba.rb or exe2vbs.rb still in use as hacking tools? I ask because I haven't been able to find them in Kali Linux and was wondering if they have now been rendered obsolete? All I have been able to find is the script on Github. Have these two methods now effectively been replaced by msfpayload?
  13. I prefer to think of Hak5 Forums as being "more select" than "less common".
  14. With regards to the suggestion that cookies etc get cleaned out from the browser first - how realistic is this? I trust this means the browser on the victim's device. Is that right? If so, how likely is it that the victim's browser will be in such fresh condition? I don't think that's going to be very likely. So, the question is whose browser to clean up? Attacker's or victim's?
  15. @daniboy92: Thanks for that. I'd like to see bbc, dailymail and one or two others spoofed too.
  16. Is it possible to install the Pineapple software on a Linux PC* (a sort of Pineapple emulator) - and then attach separate Atheros AR9331 and Realtek RTL8181 radios? I'm having a lot of trouble with DNSSpoof and I'm just wondering if it is down to a relatively inexpensive processor inside the Pineapple. What is the processor inside the Pineapple and can it be upgraded? *I am aware of Kali Linux of course.
  17. Can anyone get their Pineapple to DNSSpoof 100% of the websites they want spoofed without failure? (Excepting https sites) My Pineapple only spoofs intermittently and unreliably and until I can get it working correctly 100% of the time it's no good to me in the field.
  18. There is definitely something wrong with DNSSpoof. Yesterday I had it working for some of the sites I wanted to spoof, but not all. Late last night I had to reflash my Pineapple (wlan0 and wlan1 had stopped working) so this morning I set my DNSSpoofing back up with the same previous list and some new sites I added too - and experienced the same issue again as I did last night. Some of the sites were spoofed correctly, others were not.

      Here's the weird thing - as I started at the top of my list of sites to spoof and worked my way down, the first few worked correctly, then once the Pineapple encountered the first site it could not spoof, it could not spoof any other sites further down the list either. Then when I went back to the top of the list, to the sites it had spoofed the first time, it could no longer spoof them either. My Pineapple is connected to my laptop via ethernet and my laptop connected to the internet via its own wifi. Alternatively I tried connecting my laptop to the internet via a USB Dongle but this resulted in the same problems. It seems as if, once DNSSpoof encounters a site that it fails to spoof, then it can no longer spoof other sites either. It's as if some background dll/daemon type process that runs periodically within the Pineapple causes the DNSSpoofing to temporarily stop working or stop working completely until the Pineapple is rebooted.

      Further note: The Pineapple is capable of DNSSpoofing just using its default firmware - click the Configuration pane and then the DNS Spoof tab and there you go. However, there is also a separate DNS Spoof infusion which can be installed separately, too. Thing is, when you install the DNS Spoof infusion, the Configuration pane still retains its DNSSpoofing functionality. This means there are two places where DNSSpoof can be independently stopped and started - which creates the situation where it's possible to have DNSSpoof running in one pane but stopped in the other - which strikes me as inconsistent.

      Apologies if I have misunderstood something here. Perhaps for later versions of the Pineapple firmware, DNSSpoof could be removed from the Configuration pane and installed as a default infusion instead.
  19. cheeto: Some things I appear to have discovered when editing the sites I want to spoof:
      (1) Make sure the DNSSpoof infusion is stopped.
      (2) Go into the DNSSpoof pane and add the entry you want, for example '172.16.42.1 bbc.co.uk', and then click save (see my earlier post).
      (3) Go into the redirect.php file and add the redirect code for the site you are spoofing (you can do this using WinSCP or PuTTYing into the Pineapple's CLI), then save the redirect file and close it.
      (4) Reboot the Pineapple.
      To test, switch the Pineapple back on, start the DNSSpoof infusion running and then join some other device (smartphone, tablet, spare PC) to your Pineapple and enter the url for the site you are spoofing into your device's browser. If everything works properly the Pineapple will redirect you to the alternate site! Sorry, can't post the code from my redirect right now, my Pineapple is packed away for a flight early tomorrow morning; besides, take a look at my earlier post, that has some of my code. I hope this is helpful. PS Make sure too that you have followed Darren's advice in the post at the top of this page about editing the dhcp file in the Pineapple's /etc/config folder.
  20. @cheeto: The Wifi Pineapple ships with the www folder already set up and a redirect.php file already in there for you. If you are using Windows and you install WinSCP then you can view the Pineapple's whole folder and file structure just as if you were looking at it in Windows Explorer. Basically the www folder contains four files: redirect.php, index.html, index.php and error.php. As daniboy92 said, you need to add code (like the code you mentioned earlier) into the redirect.php for every website you want to spoof. You could edit the index.html if you want, but only if you want to redirect people to that page. For my purposes, I want to redirect people to other sites on the internet (take a look at my code in my earlier post). With regards to the other two files, namely index.php and error.php, I have not come across any reason to want to edit them so far, but I am still learning too! Here's what the folder and file structure looks like on my Pineapple using WinSCP: (1) www folder: (2) Here's my Pineapple's root folder: I hope this helps.
  21. Glad I found this thread. Much neater solution to use the cable Darren suggested, rather than a battery or mains adapter hanging around.
  22. I'd be very grateful if someone could shed some light on the urlsnarf command please: I was hoping to reduce the output down to just device name, top-level url and timestamp. I don't need browser info etc. What line of code would produce that and is it possible to have this information formatted neatly into columns? Edit: Answered my own questions: To see output in neat columns, replace 'cat' with 'column -t'. To see just certain fields (such as timestamp, client and url) go to the urlsnarf output tab and enter code such as awk '{print $4, $1, $7}' then click refresh. Perfect for my purposes. PS Thanks to Mr-Protocol.
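As an added illustration of the field extraction described in the post above (this is not code from the thread or from Hak5), the shell function below applies the same awk field numbers ($4 timestamp, $1 client, $7 url) to a few constructed lines in the Common Log Format that urlsnarf writes. It uses awk's printf for fixed-width columns rather than column -t so that it also runs where column is not installed, strips the bracket from the timestamp, and reduces each url to its scheme and host. The addresses and hostnames in SAMPLE_LOG are made up.

```shell
# Constructed sample lines in Common Log Format (the layout urlsnarf emits).
# Fields: $1 client, $4 "[timestamp", $5 "offset]", $6 "\"METHOD", $7 url, $8 "HTTP/1.1\"".
SAMPLE_LOG='192.168.1.10 - - [02/Mar/2014:10:15:01 +0000] "GET http://example.com/index.html HTTP/1.1" - - "-" "Mozilla/5.0"
192.168.1.11 - - [02/Mar/2014:10:15:07 +0000] "GET http://example.org/news HTTP/1.1" - - "http://example.org/" "Mozilla/5.0"
192.168.1.10 - - [02/Mar/2014:10:16:42 +0000] "POST http://example.net/login HTTP/1.1" - - "-" "curl/7.30"'

# Read log lines on stdin; print timestamp, client and top-level url
# as left-aligned columns (same fields as awk '{print $4, $1, $7}').
summarize_urls() {
    awk '{
        ts = substr($4, 2)                 # drop the leading "[" from the timestamp
        url = $7
        n = split(url, parts, "/")         # "http:", "", "host", "path", ...
        host = (n >= 3) ? parts[1] "//" parts[3] : url
        printf "%-20s  %-15s  %s\n", ts, $1, host
    }'
}

# Stand-alone usage: feed the constructed sample through the function.
printf '%s\n' "$SAMPLE_LOG" | summarize_urls
```

To use it on a real capture, pipe the urlsnarf output file into summarize_urls instead of the sample; the field numbers only hold for the default Common Log Format, so a different output format needs different indices.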
  23. Urlsnarf is OK, but provides too much information for my simplistic purposes. I just want to see client surfing habits in a simple table like the nice, neat Karma Intelligence report. Here's an example of the sort of thing I'd like to see:
  24. The Pineapple is a brilliant way to get insight into people's surfing habits paving the way for more tailored attacks. Therefore, which infusion if any keeps a log of which websites were visited by which client?