
madhak
Active Members
Posts: 81
Days Won: 5

Everything posted by madhak

  1. Hehe nice, have you looked at the jammer on dx.com? I wanted to buy one badly but I don't know any legit thing you could do with that (they even have one designed to steal cars lol). I use an EMI-proof pouch for my phone for secret meetings (from DX too, it works well). Yes, an amp will work marvellously well if your application's primary focus is transmitting, like my remote control for the copter. If you want to add a jammer to an RC vehicle you will need to use a low-frequency TX, as the GPS jammer will jam 1500MHz plus the harmonics all over 2.4GHz, which will severely impact the range; check flytron.com, they have awesome open-source TX/RX that work at 433MHz. Not to mention jamming is illegal in most civilized countries ;) and please don't do that (flying a multi-copter or jamming) near an airport, that would violate several federal laws and could kill me as I fly a lot :o
  2. Hi KiatoG, thanks for the comment! 1) None really, a smaller one would do the job as far as the Pineapple is concerned, but I connect the hub to my laptop from time to time so I have all my useful stuff there (there are details about how my key is configured, you can take a look here, it's an old post but still accurate: https://madhak.com/?p=41). 2) It does make a difference; of course there is an issue with noise because it amplifies not only the WiFi signal but the whole 2.4GHz spectrum. I've bought many of these little amps, they're worth the price; I'm using them for my multi-copter remote because it uses 2.4 spread spectrum. It's best to do a spectrum survey with it and without it... If the signal is visible above the noise floor, but not too strong, it's good to use it. If the signal is already strong... weird things happen. If the signal is indistinguishable from the noise floor then you will amplify all the floor noise and the signal won't be any more perceivable. The best tool I have to gain better signal is that little green (PCB) patch antenna; it is very directional and provides sufficient gain most of the time, and if that is not enough I will add the amp... Bottom line is don't amplify an omni-directional antenna, and watch the noise, otherwise you will amplify garbage.
  3. I just got my Pineapple a day ago; the first thing I did right after testing its awesomeness was to replace the old DD-WRT Linksys router from my WiFi kit. Here's the result. The kit consists of the following parts:
     - WiFi Pineapple MK4
     - Ralink 300mW USB WiFi radio
     - 3G modem, router, AP
     - 4-port USB 2.0 hub
     - WiSpy 2.4 spectrum analyzer
     - WiSpy device finder (directional antenna)
     - High-gain patch directional antenna
     - USB Bluetooth 2.0 dongle
     - 32GB USB key device (USB SwissKnife 2.0 pictured)
     - 12V 6000mAh LiPo battery
     - 2000mW WiFi booster (inside the accessory bag)
     - 5V 3A UBEC (voltage regulator)
     - Accessory bag with different antennas, patches, cables and gender changers
     I get about 8h with everything on with the huge battery. It also has enough amps to jump start a car (can always be useful if wardriving)... The 2 directional antennas really work, I could leave it a few blocks away; for longer range there is a 2W booster in the accessory pouch, but the battery would drain twice as fast, plus the fact that transmitting at 2W requires a HAM licence. I'm planning to replace the Ralink radio with an Alfa. While the Pineapple fully recognizes the Ralink, it can't perform deauth and other functions that the Alfa can do. Still, I can use it to connect to the Pineapple, which can perform the more advanced functions. I'll also replace the WiSpy with a Ubertooth because the WiSpy is not supported on the Pineapple. The Ubertooth will also replace the cheap USB Bluetooth dongle currently used. The WiSpy and everything connected to the USB hub can be connected to a laptop instead of the Pineapple so it's not completely useless. There is also the HackRF project that looks very interesting considering I work a lot with RF, not just WiFi. The kit can easily communicate with my Omega kit through the UART interface of the Pineapple but I don't see many scenarios where that would be needed.
  4. I suggest you google "history of hacker"; there are several good reads that will help you understand that hackers are not bad, the bad guys are "crackers", but I myself call the bad guys hackers because that's what is most understood. Hackers are inventors, developers.... Like most of us here, I started as a cracker in the era of NetBus, Sub7, Back Orifice; in those days, firewalls were almost non-existent, AV was primitive and it was possible to get any info on anyone's computer... Bottom line is that hackers find the risk, crackers exploit it and vendors have no choice but to make their stuff better... Hackers help make security better the same way that competition drives new features... I got hacked this week; I can't be mad at him for stressing the fact that I need to improve the security of my network. Regarding censorship, I doubt that they can censor us, and even the Great Firewall of China doesn't prevent them from hacking; there are a lot of talented hackers in China. Besides, their firewall can be bypassed by a simple VPN (I've been there lol). Unless you have malicious motives, you should not be scared of prosecution; security is a really respected, exciting and gratifying job... if you are up to the challenge...
  5. Yep, it's an old thread, yet very simple; would you allow a 3rd party application on your LAN, maybe even a virus, to open ports on your firewall? If you answer no then you should have UPnP turned off... I know it can be useful and allows normal users to not have to worry about opening ports for external services, but for this to be secure it would need to have a key and the application should know that key to talk with your firewall... What's the point of putting a lock on your door if you leave the door window open... Just my 2 cents.
  6. @Telot yes I've tried Air Marshal, it does detect it but because it is not spoofing my SSID I can't deauth it. There are a few hundred other SSIDs; we normally ban those that have the word "hotspot", that gets rid of people buying 1 internet and sharing it with, say, 5 friends... but for the Pineapple, the malicious user could have spoofed another SSID that I do not manage and been white-listed... Guys, please correct me if I'm wrong, although I'm going to be able to test this myself in a few hours (Pineapple arrived in town, delivery scheduled for the end of the day :)), but the Pineapple doesn't broadcast being such and such, it simply answers when someone asks for it, right? So there is no point trying to deauth it? It is clearly documented that it does not advertise but just answers yes... @WM and Digininja, I'll have a look at the MITM module; also my idea about the logger actually came from reading your post about it ;) but the attacker could inject other less malicious traffic like ads from his own affiliate program... For my side, I'm looking at using the proxy I mentioned in the OP to add a persistent information and tool bar on top of my hotspot traffic (the legit use for it)... So do you use a proxy for content injection or did you manage to do something with ebtables? I know ebtables is commonly used to redirect traffic to the l7-filter and perform traffic shaping but I didn't know it can inject content? Maybe I got it wrong; I read Digininja's blog last night and my head was about to explode (TMI man! very nice blog), need to reread it with a fresh mind after my coffee. Thanks for your comments, I really appreciate that you took time to look at this...
  7. If we focus on steps 1 to 5 of the scenario then it's just a matter of detecting and blocking NAT'ed traffic on the LAN, which to my understanding requires NAC and/or Layer 3 switches and APs. This would prevent the hacker from being able to obtain internet access with someone else's login behind the hacker's NAT (this can also be done with DD-WRT and such...). But as soon as he proceeds to step 6+, turning on his own captive portal with an identical splash page as the legit one, he doesn't even need to be connected to my network to trick users into revealing their credentials. (Steps 1 to 5 and the rest can be viewed as 2 different and independent issues, but more persuasive when combined.) The second issue can also be realized without a captive portal, just with DNS spoofing (still less convincing as the client will not gain access after authenticating)... So what I can see from my network is:
     - there is a yes man (heard by my AP when he says yes I'm 'myssidname')
     - there is NAT'ed traffic (can see the TTL) but I do not have the ability to stop it without stopping other legit clients too, and TTL can be spoofed anyway
     - I can see credential collisions in the RADIUS log; I could allow 2 connections, that would satisfy the hacker and the legitimate user, everybody could be happy, but what if he isn't there just for free wifi...
     What I'm doing about it:
     - Trying to make a module to expose this issue if there is any interest in that, and learn about it
     - Front desk staff now ask iStuff users to disable autologin when we sell them access - silly but true
     - Move toward RADIUS-WPA Enterprise so I can have an encrypted public network with guest access and a different WPA2 pass-phrase for every guest :D
     All that because of a fruity little device ;) Next week the guy will have moved on but that really got me tinkering. EDIT - only steps 1 to 5 have been observed, the rest is hypothetical...
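The two network-side symptoms named in the post above (credential collisions in the RADIUS log, and NAT'ed clients betrayed by their IP TTL) can both be turned into simple tripwires. The script below is an added example, not code from the thread or from madhak's gateway; the RADIUS accounting format and the per-client flow format it parses are assumed (constructed here inline), not Meraki or CoovaChilli output, so the field names would need adapting to real logs.

```python
"""Added example: two detection checks for the hotel hotspot scenario.

Both log formats below are constructed for this example (hypothetical):
  RADIUS accounting:  <epoch> <Start|Stop> user=<name> mac=<client mac> nas=<ap>
  Per-client flows:   mac=<client mac> src=<ip> ttl=<ip ttl seen at the gateway>
"""
import re
from collections import defaultdict

# Constructed sample: room214 logs in from a second MAC while the first
# session is still open; room305 simply roams between APs with one MAC.
RADIUS_LOG = """\
1000 Start user=room214 mac=aa:bb:cc:00:00:01 nas=ap-lobby
1060 Start user=room214 mac=aa:bb:cc:00:00:02 nas=ap-pool
1120 Stop  user=room214 mac=aa:bb:cc:00:00:01 nas=ap-lobby
1200 Start user=room305 mac=aa:bb:cc:00:00:03 nas=ap-lobby
1300 Start user=room305 mac=aa:bb:cc:00:00:03 nas=ap-pool
"""

# Constructed sample: one MAC emits TTL 63 and 127 (two OSes, each
# decremented once by a router in between); the others look directly attached.
FLOW_LOG = """\
mac=aa:bb:cc:00:00:02 src=10.0.0.52 ttl=63
mac=aa:bb:cc:00:00:02 src=10.0.0.52 ttl=127
mac=aa:bb:cc:00:00:02 src=10.0.0.52 ttl=63
mac=aa:bb:cc:00:00:03 src=10.0.0.53 ttl=64
mac=aa:bb:cc:00:00:01 src=10.0.0.51 ttl=128
"""

# Initial TTLs a host on the same L2 segment would normally send.
INITIAL_TTLS = {32, 64, 128, 255}


def parse_kv(text):
    """Turn 'key=value key2=value2' into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", text))


def credential_collisions(radius_log):
    """Return [(time, user, sorted active MACs)] for every Start where the
    same credential is already held by a different client MAC.
    Re-Starts from the same MAC (roaming between APs) are not flagged."""
    events = []
    for line in radius_log.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        kv = parse_kv(parts[2])
        events.append((int(parts[0]), parts[1], kv["user"], kv["mac"], kv.get("nas")))
    active = defaultdict(dict)  # user -> {mac: nas}
    hits = []
    for t, kind, user, mac, nas in sorted(events):
        if kind == "Start":
            others = [m for m in active[user] if m != mac]
            if others:
                hits.append((t, user, sorted(others + [mac])))
            active[user][mac] = nas
        elif kind == "Stop":
            active[user].pop(mac, None)
    return hits


def nat_suspects(flow_log):
    """Return {mac: sorted TTLs} for client MACs whose traffic carries TTLs a
    directly attached host would not send: decremented values (63, 127, ...)
    or more than one distinct initial value (mixed OSes behind one MAC)."""
    seen = defaultdict(set)
    for line in flow_log.splitlines():
        kv = parse_kv(line)
        if "mac" in kv and "ttl" in kv:
            seen[kv["mac"]].add(int(kv["ttl"]))
    suspects = {}
    for mac, ttls in seen.items():
        decremented = any(t not in INITIAL_TTLS for t in ttls)
        mixed = len(ttls & INITIAL_TTLS) > 1
        if decremented or mixed:
            suspects[mac] = sorted(ttls)
    return suspects


if __name__ == "__main__":
    for t, user, macs in credential_collisions(RADIUS_LOG):
        print(f"t={t} credential collision for {user}: {', '.join(macs)}")
    for mac, ttls in nat_suspects(FLOW_LOG).items():
        print(f"{mac} looks NAT'ed (TTLs seen: {ttls})")
```

As the post itself notes, TTL can be rewritten by the NAT box, so the TTL check is evidence for an alert, not a reason to block on its own; the credential-collision check is the stronger signal because it needs nothing from the client, and correlating the two (same MAC appearing in both lists) is what narrows it down to one device.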
  8. Hi Guys, I should receive my Pineapple tomorrow and I've been reading the entire forum, wiki, and manual, but besides some similarity with WM and Digininja's interceptor project, I think this one is a bit different. I want to put CoovaChilli or Chillispot on the Pineapple; since it's already supported on OpenWrt, I assume it should be an easy task... Unless some of you already tried and can share their success? I know how to configure it and install it on CentOS and Ubuntu but the limited resources on the Pineapple may bring some challenges. I also want to put tinyproxy and privoxy on it in order to inject content into passing traffic. I have limited experience with those and I'm currently getting it to work on CentOS, but that's just for a proof of concept; my main goal is the captive portal. I consider myself experienced with captive portals and I want to see how deep down the hole I can go on such a limited device. The goal of this experiment is to simulate the following scenario that I think is happening in a hotel where I manage the network...
     - Hacker powers on his Pineapple in Jasager + NAT mode
     - Hacker copies the splash page and stores it in the Pineapple web server for future use
     - Client roams close to the hacker and autojoins the Pineapple
     - Client is presented the legit splash page to enter his credentials
     - Client authorises the Pineapple, not his device (because of NAT), to use internet on the network
     - Hacker has free internet now, but it doesn't stop there, although it could in theory... that's where I want to dig deeper
     - Hacker turns on his own captive portal and redirects the splash to the Pineapple web server where a copy of the legit splash page is stored
     - Another client roams close to the hacker and autojoins
     - Client 2 enters his credentials and the Pineapple captive portal is set to accept any
     - On top of that the hacker inserts a key logger in client 1 and 2's traffic while they were in range and you know...
     - Client gets online, but his credentials were not used and can be resold to client 3 under the table at a discount by the hacker (maybe)
     - Client 1 and 2 roam away from the hacker and can't connect as the legit captive portal says already connected (then I get complaints)
     - Client 3 is satisfied, he bought the credentials at a discount and can roam until client 2 complains and the credentials get reset
     As you can see, that makes a lot of unhappy clients who think my network sucks; most complaints of similar incidents were reported by iPhone users so far. That doesn't happen all the time; it's been 6 months since the last time one of the hotel networks I manage was hacked seriously, and we are very serious about security. I can tell on the map where he is spoofing but don't have enough proof to perform a physical body inspection; hopefully he's leaving this weekend. We are using Meraki APs and a custom CentOS Layer 3/7 gateway/firewall/captive portal with IDS. By documenting and proving that this is possible, I will be able to reach out to my client and explain the situation regarding sporadically unsatisfied users, as well as putting in place a contingency plan to make my public network a safe place. Tell me what you think; any suggestions and comments are welcome. Maybe a captive portal and captive frame module could emerge from that.
  9. If you are talking about the RT version, Sober started this thread http://forums.hak5.org/index.php?/topic/28635-microsoft-surface-pen-testing-setup/#entry217448 with a link to a community that is working on the RT. I don't think there will be many hacks on RT as the PRO should release with an Intel CPU and full Windows application support; it's likely that the RT will become as popular as the BlackBerry PlayBook for developers... no apps, too locked down. But that's only my opinion, I could be wrong, and I usually am.
  10. Parabolic dish, Yagi: You are right, a Yagi should be easier to aim; however, RF efficiency is really case by case, there are so many factors that will make one or the other better. In my own test, with a Yagi and a parabolic with the same gain side by side, I couldn't see the Yagi 2km away but was getting good signal with the dish. In my specific case, I had to shoot it between trees that were half way (1km); that's maybe why the dish had better success for me. Thanks for pointing out that I was wrong with the cone, I know what I know by trying stuff, never really did the math.
  11. I personally prefer a dish to a Yagi because Yagis have a very narrow beam, which makes them difficult to aim, and they are very sensitive to polarisation, so if the router you are trying to reach doesn't have its antenna straight, you will get better results with it tilted (which most mast mounts don't do). Yagis are good for point to point with 2 of them equally polarised. Dishes on the other hand have a few more degrees of aim and, while still being polarised, don't care that much unless you are going extremely far, and will get you a decent signal (I think the world record was something like 400km LOS with a dish!). I had mixed experiences with small dishes/panels, but they do improve the gain significantly, though they come with cables that are too long most of the time. My best experience was with a 2ft large grid dish; it was getting 36dB of gain, I couldn't find a place in LOS far enough to lose the signal, I was using it to reach my office a few km away with a row of trees in the way and below the proper Fresnel zone.
  12. Oops my bad, it's just that the title contained 2 statements that my mind couldn't accept... but yeah, with SSH support and a Pineapple there are definitely some fun things to do. I didn't know about the Android ARM app support. I had the Surface for 1 day and returned it when I realized how locked down the device was... secure bootloader? It's just a matter of time before someone finds a way to install Linux on it... I can't live without the capability to boot into Ubuntu, but I have to admit that the Surface is a really cool tablet considering it's not a computer but a tablet. Cool link and project, good luck.
  13. Hi Sober, I would advise not to buy the RT version for that purpose, it's extremely limited; wait for the PRO or buy a W7 tablet and put W8 on it if you really want it. I did that on my Acer Iconia Tab W500, W8 runs perfectly and I can use any Windows app; W8 RT will limit you to apps in the app store only, so no hacking for you my friend! Hope this helps.
  14. What about using TrueCrypt to encrypt the executable? http://www.truecrypt.org/docs/?s=command-line-usage It's a portable app and can be run from the command line; you can mount the volume read-only :D Just throw in an extra command to your Ducky script to mount the encrypted file as read-only first, then launch your exe from that volume...
  15. Well ok, still, it's a good idea, I'll submit it to the next lab, maybe get some people interested... What kind of admin doesn't like to be taught a lesson? In my organisation that kind of hacking is tolerated as long as it proves a point and is not destructive... I work in the engineering department and we always come up with crazy ideas on how to get the IT dept. to pull their hair out... Hak5, why don't you work on a Pineapple-stuffed duck ;) basically just add Ducky capability to the Pineapple and an interface to upload payloads from the wifi webconfig... that being said, I need to buy a Pineapple now...
  16. Unless you go the Arduino way you will need some soldering. Arduino provides all the shields you need for this project, you don't need to solder anything, but you will end up with something the size of half a brick that costs a lot of money... BUT, if you can afford to do 8 solder joints, you can get away with a Teensy and a wifi module. All you need to do is connect the TX, RX, GND, 5V from the Teensy to the wifi module. Here are the exact parts (I have them in stock in my lab):
     - Teensy 2.0
     - XBee adapter
     - wifi module (XBee format)
     I am very interested in this project; I have very little time to code, when I'm home I prefer playing with hardware and trying to take over the world with my multi-copter and robots... If you are serious about this, can I suggest that I ship you a pre-assembled module and you make the code and share it with me :D This assumes you are a guru in C and micro-controller programming... just kidding, I'll be happy with an Arduino sketch, it's not difficult, it just takes time that I don't have, and I have so many of these electronic modules I can afford the loss, just pay for the shipping...
  17. Nice job on that one, all 4 payloads worked indeed! Oops, looks like I broke rule 6 too... nevertheless, pwned the IT admin by asking "can you check what's wrong with my mouse?" Needless to say he bought a Ducky and implemented a soap load of GPOs, pun intended!
  18. Hi Midnitesnake, thank you very much for the twinduck firmware, I love it. I just posted a comment in another post stating the same thing about transfer speed, but now I understand you are using SPI to talk to the SD card reader; I had that same problem with the Teensy version, I thought the new faster chip on the Rubber Ducky would have addressed that. Anyway, I remember a while ago while testing with the Teensy that by using an Apple keyboard VID I could skip the Windows update driver part, which made things much faster, not sure if that is still valid tho... I'll dig in my old code to find the exact VID & PID and post it here when I can find it.
  19. Hi Guys, I thought I would share some of my experience with the USB Rubber Ducky with the twinduck firmware. It can come in very handy but it comes with some disadvantages:
     - The SD card gets corrupted from time to time so it needs a format once in a while (but I never cleanly eject mass storage so maybe I'm to blame for this one ;)
     - SD card access is very slow, about 70Kbps, so executing large files takes a while
     - The payload stored on the SD card will execute faster if the SD card is smaller; count about 1sec to initialise for every GB of total storage on the card, so keep it as small as you need
     You can easily write a shell script that will locate the SD card by its volume name and execute more complex payloads from there so your duck script can be shorter. I also created a folder with scripts to move the desired payload from a library of .bin files to the root of the card. Also after each payload, I call a script that will put the hello world payload back in the root so I can plug it safely into my computer to select the desired payload. Keep up the good work; I was hoping there is something to do to make the mass storage part a bit faster, at least to spec with USB 1.0? Thanks
  20. That's interesting, I know how I would make that work.
     Ducky side:
     - Arduino board
     - USB host shield
     - Bluetooth client module
     PC side:
     - USB Bluetooth host module pre-paired with the client module
     ducky => USB host shield => arduino => wifi, BT or any radio module => (over the air) => paired radio module => teensy => PC
     Or you can replace the Bluetooth part with XBee or even wifi, providing you put the same radio on the PC side and translate to USB with a Teensy. At this point you should realise your Ducky is not needed anymore because you can write the payload straight on the Teensy and have it controlled remotely, so perhaps your project should look more like that: wifi shield => teensy or arduino => PC, then write an interface you can use on your phone or tablet to inject payloads remotely ;) You can find all that stuff on sparkfun.com (I am not affiliated with SF but I buy A LOT from them). Happy remote quacking
  21. Sorry to bump this thread but does anyone here know about ClearOS? I've been using it for a while and it works fantastically; maybe not as customizable as pfSense but it runs straight out of the box. But how secure is it? Because it receives community updates, is this really a good thing? To me it sounds like a possible backdoor, although it passed all the security audits I tried on it; what do you think? PS: MR series APs from Meraki rock, got my hands on a few MR66s and my wifi setup went from nightmare stuff to a dream! The MX security appliances are pretty good too.
  22. I've made a super long range wifi antenna from an old LOOK TV antenna; it's a grid dish with a down converter from 2.4GHz to 900MHz. Well, get rid of the down converter with a simple bypass and you get a 2.4GHz 36dBi directional antenna; keep the antenna cable short, put the router (DD-WRT) right below the dish in a waterproof box. For extreme range you can even add a 2 watt booster but you will breach the FCC allowance, which is a very bad thing. Without the booster I reached 3 miles LOS with a tree row in between at full 54Mbps speed... With the booster, I saw a VSAT vehicle going around triangulating my position; took it off forever, it's not worth the trouble as I've read the fine is something like $5000 a day here in Canada, I think the US could be worse than that. I calculated that with the proper elevation (Fresnel zone) I could have reached 10 times that distance but I don't have a target at that distance, I just needed to link my home office to a client.
  23. I'm not a professional mechanic but I know how to install a car stereo (having done it for myself 4 times on 3 different car brands). All the cabin sounds you hear come from your original radio; there are a few signal lines coming from the BCM of your car to the radio, and when you change the radio, you have to buy a conversion kit that will take these control lines and feed them to the always-on AUX port of the radio. For your project, you should get your hands on this conversion kit for your specific car make and fool around, reverse engineer it... it's probably just a PIC that checks for signals and outputs chimes... From there you can either reuse existing signals (door open, contact on...) or add yours from a switch or sensor. Hope this helps.
     EDIT: here are the steps I would take to reverse engineer it:
     - Grab a Bus Pirate or a protocol analyser that supports the CAN protocol
     - Get the repair manual for your car make
     - Find the control lines from BCM to radio
     - Trigger various chimes and sniff the data
     - Write Arduino code that understands the data and outputs chimes
     If you have the original radio:
     - Get a cheap amplifier board and a few diodes and connect the sound in parallel to the speaker (the diodes are to prevent the car radio blasting the small amp board; it's unlikely that the small board can break the radio but be careful, you can use a relay to switch the speaker from radio to Arduino amp if you are scared of frying the radio) - there is no always-on AUX in on the original radio
     - Connect the signal lines in parallel to the Arduino and original radio
     If you have a 3rd party radio:
     - Connect the sound output of the Arduino to the always-on AUX in port of the radio
     - Dedicate the signal lines to the Arduino (remove the conversion kit) or connect the Arduino in parallel to the conversion kit (you will lose some sound or have double sound depending on your choice)
  24. Thanks a lot! That's more than I needed... Will add this to my toolbox.
  25. With the new Rubber Ducky 2 and the twin duck firmware it is possible to access the SD card from the same USB port as mass storage; it's too slow for a bootable drive but enough for small exe and script payloads. I have an old one based on the Teensy too... I used a small hub + Teensy + flash to achieve the same result, see my old USB SwissKnife: https://madhak.com/?p=41 The new version I'm working on is quite different; it doesn't use a hub, it has a bootable side and a HID side: https://madhak.com/?p=398 I agree with what you say regarding the reboot not being needed as I will most likely connect it to my computer, select a payload, then connect it to the target computer, but I would still like to know how to reboot it from an application on the host... I just got my hands on the firmware source code, I'll see what I can do, but I'm just asking if anyone knows how already? To recap: Rubber Ducky launches app stored on SD card => this C application now running on host (Win or Linux) => sends reboot command to Rubber Ducky address. Thanks