overwraith

Dedicated Members
  • Posts: 742
  • Days Won: 5

Everything posted by overwraith

  1. So I am wondering what protocols, frequencies, etc. can the HackRF One sniff/transmit to? Sure I can get the frequencies from the hak shop, but I have absolutely no idea what kinds of protocols exist on those spectrums. What would the range be on some of those spectrums? I heard that one of the hacking books on the BeagleBone Black had a special recipe for 10 mile or so transmissions from a drop box, would the RF One be able to sniff that, or detect it? There's also another question that has bothered me for a while that I have been meaning to ask about SDR. Most of the SDR programs I have tested you could only sniff one frequency at a time. If software were not the issue, could the hardware support monitoring of multiple frequencies within its operational range? For instance, what if I had some hardware I could practice massive multithreading, and essentially wire up some events in a radio application? Is it the hardware that can only monitor a few frequencies at a time, or the actual software tools that have been built to date?
  2. They might try, but the terrorists are probably communicating more through stego than crypto, I could be wrong, but I have heard that they mostly use stego documents which rely more on security through obscurity, and the fact that they 'look' like legit docs as opposed to actual crypto. Mind you the NSA has been trying to get the edge on cracking crypto for years through all sorts of methods. Political parties, and government parties frequently "Never let any crisis go to waste." If the NSA or someone does install some kind of back door in crypto, then the rest of us don't have much option other than to use it. I remember reading a practical cryptography book (no math, just good and practical API) that whenever a person rolls their own crypto they will almost always get it wrong. If our cryptographers and the associated programmers are mandated by government to put back doors in they will have to do so, and any other effort to develop one's own crypto without formidable support and testing will inevitably contain bugs. It requires a lot of math, and a lot of computer science knowledge to do crypto right. The details kill open source or home made crypto standards. Essentially without a lot of experience and support any home made attempt will look like amateur night to somebody with the powers of the NSA. But then there's the question of how do you ensure that everybody follows the rules of such a ridiculous rule. If a person walked into somebody's house and said "oh, we would like to be able to read all your emails, encrypted documents, network traffic, phone calls, etc, and while we are at it we would like to take a look into all your safes in your house..." that person would probably get shot. I'm just saying how would you enforce something which is quite obviously tyrannical?
  3. After reading that he was plugging into a rpi I thought that might be the problem too, but wasn't sure. Wanted to hear somebody else suggest it.
  4. Whenever I need something like this I start the download at the very beginning of the duckscript, do all the precursory operations, and if I need to I insert a big delay, of about 7 or 8 seconds or something. Then I execute the downloaded program. What you might be able to do is md5 the file if it is fairly constant, and create a background task that md5's the file every few seconds, to determine if the hash matches what the final hash should be. If the download locks the file instead of sharing it, however, it might not be possible to do. If the file is not complete, the hashes will not match. This also hinges on the assumption that PowerShell has some sort of md5 function. I don't really know all that much about PowerShell, I just google what I need.
  5. That doesn't sound right, I plugged mine into an ethernet cable, and then into a computer and it worked fine. Do you mean you plugged it into an ethernet cable and expected it to boot up without a power source? Fast Ethernet does not transmit enough power to power a device unless it is specifically PoE. The turtle gets its power from the USB side. If you do want to power it without connecting to a computer, hook it up to a USB battery pack. Perhaps you are experiencing some kind of MAC address filtering? IDK it could be a couple of things. Could you elaborate?
  6. It isn't that necessary, it's still functional. It's more of an aesthetics thing really. I am sure if I do some googling I could find something, but if anybody knows anybody good that would be cool too.
  7. Hey, I have had to remove my sticker on my turtle to reset it. I was just wondering if there is a service where I could get manufactured stickers for the LAN Turtle, like by the roll or something. I am not interested in recording "accurate" info about the MAC, just something generic.
  8. Ok, I can connect now. Password was probably too complex, but it was really weird that it didn't work at all because typing twice is supposed to alert you if you didn't type it correctly. That's why people do it. It is to make sure you typed as intended. Whoever thought of giving networking devices web pages for setup was pretty smart. It's cool that you can upload via a web control. How much other web stuff can we do with the turtle? Would it be possible to host a webpage during normal configuration procedures?
  9. Hold on people... Sorry for leaving this forum unattended for so long. Maddog is right, you have to actually install the firmware. There used to be a pretty good word doc that midnight snake made online. It was on the ducky decode website, you'll have to google. If it isn't there any more you will have to go to Darren's GitHub page, and read the flashing page there. https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Flashing-ducky You don't have to necessarily learn a whole lot about the ducky before buying it, you should be able to follow some procedures outlined online however, you should be able to figure out how to google for what you need, you should have the intention and drive to learn something programmatical. A lot of rubber ducky related stuff is scripting, programming, Windows scripting, and firmware development, etc. You don't necessarily have to learn everything right away, but you should have the intention and drive to actually go out and find and follow some of the tutorials already online. I actually didn't know a whole lot about ducky dev when I first got the USB rubber ducky, in fact it is actually probably one of the tamest, and most user friendly tools you can buy in the hak-shop. I still don't know as much as I want to, but that is going to require grokking shellcode and by extension ASM and reversing. That could get a little bit intense, and looking for a job right now is taking priority to extracurricular activities. Long story short you have to exert some effort on your part, mainly going through the online tutorials and the scorecard links that Hak 5 gave you.
  10. I was able to set a password after your first post, so the password is set, it's just whenever I type that password in it tells me it is incorrect. So what probably just happened is that the password is set, and I accidentally mistyped something, or there's a bug in the password input program. So essentially now I am ssh-ing into it and I can't get past the login screen. So what I am wondering is if the login setup prompt is programmed correctly. IDK, it is a pretty weird coincidence that I keep typing my password in and keep getting it wrong, considering I would have had to type it in incorrectly ***twice*** on the turtle setup screen in order to get this problem.
  11. I actually was able to connect to the login screen though. IDK. I will try a few things, perhaps even disconnect from my local net in order to get the reset procedure working. If all else fails, and I still don't have the thing working I will consider an RMA, but not before I exhaust a few other alternatives. Your password set program does check input passwords to make sure they are the same, right? For example, if I typed password, and pas$word while setting up the turtle?
  12. Yep, that fixed it. How necessary do you think it would be to reset the device to factory defaults? It did just come through the mail. I just hadn't plugged it in since I got it. ... It seems that my password is no longer working. Probably a typo or something, but I guess I will have to reset anyway... LAN Turtle is a good idea, it just seems like it's a little difficult to set up correctly...
  13. I don't see why it wouldn't be possible, other than probably not having the libraries in place to do it. Teensy and Arduino are probably good microcontrollers to start prototyping on. You also might need a USB protocol analyzer. If it is possible to hook up to a generic USB wifi/bluetooth dongle with a teensy you need not necessarily recollect your wireless dongle you used in the attack. They are typically cheap, and provided you get resold dongles, or purchase with pre-paid cards, and from seldom used manufacturers it would probably be pretty much untraceable. There are wifi breakouts, as well as bluetooth ones. Depending on which microcontroller you use you just have to make sure your microcontroller reasonably supports both.
  14. I actually do use HTTPS everywhere, and though this forum post may suggest otherwise I actually don't care that much where people know I am browsing to. I was mostly just wondering if the site had changed their encryption practices to exclude images.
  15. Hello everybody, for the past few months I have been noticing that certain elements of this site have been unencrypted, for example, when I visit the Hak 5 main page, there are elements, such as pictures or something which are unencrypted. I have also noticed that the main forums have been encrypted, but whenever I click into a specific topic things are unencrypted. Is someone man-in-the-middling me, or is this a website specific problem? Everything appears to be encrypted correctly now however.
  16. Ok, so I am trying to get this turtle to work on my computer, unfortunately I am working in a Windows environment. This is the first time I plugged the turtle in, and I would like to reflash it. Unfortunately it appears that Windows doesn't like the drivers associated with the turtle. The turtle is listed in device manager under "other devices", "USB 10/100" LAN, correct? If so then I am actually getting a yellow exclamation mark next to the device. The drivers for this device are not installed. (Code 28) There is no driver selected for the device information set or element. To find a driver for this device, click Update Driver. One goes to update driver, and it doesn't accept a .bin file. Should I use the ducky flashing procedure to flash this? To complicate matters my router seems to use the default IP address that the LAN Turtle uses. I am a bit tired tonight. I will try to fix this mess tomorrow. I just rebuilt my computer also, so I will probably have to get all that ducky firmware flashing software working correctly again. Some of this stuff has kinda taken back seat to other things that need doing.
  17. mmmmm, solder joints! Finger licking good! Just remember what happened to the Roman emperors who drank from their "favorite" lead cups. Don't give snubs any ideas lol.
  18. Yes it is safe, I doubt the USB ports put out that much charge, touching with sopping wet hands might not be a good idea, but touching with bare skin, even if somewhat sweaty should be ok. I have touched my ducky while plugged in all the time, repeatedly since the red version came out. The older the duck gets however, the more the push button wears, so you may find yourself accidentally touching it as you plug it in inadvertently. This being said, however, static electricity and short circuiting are a concern sometimes. As a computer programmer/IT guy I don't often wear sweaters due to the ESD possibilities. Plus every car I ever touch seems to shock my fingers so bad that they go numb. Cold weather makes static electricity worse. While the duck is not plugged in you shouldn't have that many problems shocking it. You can always touch a computer case to ground yourself to it.
  19. Don't know right off the top of my head, but you could probably determine the max payload the ducky had by just copying and pasting some strings in to see when it stops. I know I routinely use DOWNARROW, REPEAT 100 in my scripts, which is actually translated to 100 bytes, so there is probably enough room there for your purposes, you just have to be aware of the byte limitation. I think the limitation had something more to do with the library used to code the duckys, but am not for sure. I don't do that much duck development these days, I have to hold down a job. Just type out a script, and copy paste like this...

        STRING LN-1
        ENTER
        STRING LN-2
        ENTER
        STRING LN-3
        ENTER
        STRING LN-4
        ENTER
        STRING LN-5
        ENTER

     This way each line is exactly 5 characters (+enter), only one char changes per line, and you can open up notepad and see when it stops typing. You could probably also come up with a different string which has 10 chars per line so that it can be copy/pasted easier, and has more substantial chars per line.
  20. Blocking the signal of a cell phone does not necessarily protect the company. Most phones have a Micro SD slot on them. This plus a little bit of Crypto and a 64 GB card would easily be able to exfiltrate data. I am also sure that some phones would have some way of communicating with the network, via a Micro USB adapter, and some form of other network adapter/bluetooth network connection. In this type of scenario the phone would have metasploit or something installed, and then exfiltration could literally take place over the company's network if the infiltrator didn't care about network alarms. (correct me if I am wrong about adapters to micro USB, I am more a programmer than a pen tester, hacking is really more of a hobby at this point). There are actually some ferric paints, for blocking wifi signals, I see no reason it couldn't also block other signals with enough coats of the stuff. It's like a black primer or something.
  21. So I just found something really really cool today! http://www.voxel8.co/printer/ I actually thought to myself, it would be really cool to have something where I could make a custom circuit board, except make it 3d. I go to google it, and apparently this already exists, or will eventually. Initial thoughts are I could now make a raspberry pi about the size of an ice cube/jumbo dice, due to the fact that you could literally layer or mesh the electronics, or like the videos, actual robotics/drones which are made of uniform parts fused with both motors, etc and electronics. Now this being said the reason we don't generally layer electronics is so we get some air flow (heat), but could one make a circuit board which took into account surface area and cooling and made modern computers essentially smaller due to the fact that they are layered? Could one make a 3d circuit board, and still have it reasonably heat efficient? I have seen some 3d print things where the objects printed had hollow internal structure, like a bridge superstructure or something. So if one had hollow spaces, or some kind of structure/plan I think manufacturers could take advantage of something similar to this for space compaction.
  22. Some firmware can react to different things, such as caps lock, I think probably num lock, pressing the button, simply inserting, pressing multiple times, etc. You basically just rename the script inject2.bin ... etc. So there is really no reason you couldn't manually say, hey execute this payload. There are also some people who have worked on things like Bad USB (was this the one, I don't remember), which from what I hear has actually determined what it is connected to via the USB stack/protocol features. Basically the USB protocol is implemented differently on different systems. The thing about this however, is that you would essentially need to be in a position to be able to sniff the USB port you connected your USB rubber ducky to, and you would need to program the code (C-code) in order to do the detection. There is no reason you can't sniff USB ports, there are actually programs for this utility, but make sure you use a normal Dell USB keyboard to type on your computer, otherwise you could essentially make your Razer keyboard unresponsive during install. Determining the code to do the detection would probably be an intensive process since from what I remember, the person who actually did write the detection code I am thinking about is not releasing the source code for it. Another thing you would have to determine is whether the ducky has enough memory for the firmware in question. I have had issues before with small devices, such as Lego-NXT bricks not having enough room to run my programs. (Lego NXT is not related to ducky, my point being is that small devices have limited memory with which you can play with) Now the thing about this type of detection is that all Android phones will essentially emit the same USB protocol. All the iOS phones will also have the same USB protocol. So you can't actually determine which version of an Apple device you are plugging into, you just know you are plugging into an Apple device.
  23. Best thing I have read all day cooper, ty. As you all can see though programmers all have their preferences. You can see a benign holy war brewing here. lol. These holy wars are actually very typical in our field, and a few of my recruiter contacts have even commented on them.
  24. Now, bad teachers are one of the things I have had to contend with too. Once I had a format nazi teach one of our classes, always insisted on "citing" the code we used, so we essentially couldn't use snippets, or even translate them, and we had to use the teacher's convoluted fucked up sample code, everything in one file, etc etc etc. I am convinced I have probably picked up some bad habits from that class, and it pisses me off so bad. What's more we had to cite the teacher as the main contributor to our frigging programs. Why I wonder do we have to cite him for creating obscure half finished programs and telling us to finish them? And of course it wasn't enough that I had good commenting habits before the class, he insisted on comments where the granularity of them seriously contributed to the obfuscation of what the code was actually doing. The deplorable person also would essentially write programs with the intent to rim-rock us into corners which we had to code our way out of. This essentially caused us to spend way too much time trying to figure out exactly what he wanted (I am talking, like days even for experienced programmers). Quite frankly there are some practices for formatting code which aren't used much anymore, and create obscure code, but he insisted we use them anyway. There was a damn APA citation in each and every one of the programs we wrote. And of course every time you missed something really really small formatting wise you would lose points on the assignment, regardless of whether the program performed flawlessly. I debated for a while creating a program which would remove these "code features" automatically for me, and clean up the mess, but unfortunately I would probably need some kind of Java parser or something. At this point I have completely written off actually being able to use those programs as examples. 
I think this teacher in particular didn't like me much, and therefore sought ways to make the class harder than it actually needed to be. Oh, and have you had those teachers who mess up the requirements for the program, and use an "and" when they meant an "or" in their language, etc? Or the ones who say one thing, but meant something completely different? Whenever there was the possibility of the teacher wanting something else, I would essentially have to code the program twice to ensure that I got at least one good answer, and I would put a comment in, essentially saying "hey you fucked up with the instructions" (say it nicer than this you don't want to get marked down) comment or uncomment the following line depending on what you actually wanted. The programs we wrote were also really really lame. I wrote it and would be like, oh, that was a waste of time, and will be useful to absolutely nobody! I don't entirely agree that Java is shit, I have seen some really awesome Java code before. I think early on its emphasis on pure OO was a bit much. I am very happy that now they have actually added callbacks to the language in Java 8. Now you can do some really cool things with the Streams API etc. You can create these data pipelines etc. They are essentially trying to compete with LINQ in C#, and possibly Scala which is built on their runtime. Object oriented is a little bit more complex, but it is where most of the languages seemed to be going to over the years. Objects can be very useful, due to the fact that you can essentially create your own "types" which have their own self contained functions/methods and therefore behavior. You can encapsulate, and you can practice least privilege stuff, etc with encapsulation. Java however is not my absolute favorite language, because I really enjoy some of the features some other languages offer. Java can do some really cool things though, and does have a very good Network API. 
One of the things that I don't like about Java so much is that doing some things, especially Windows specific becomes more difficult, and this would be expected due to the cross platform nature of Java. C# doesn't even allow you to inherit from thread, Java does. In summary "Those who can, do; those who can't, teach."