fugu

Active Members
  • Posts: 197
  • Joined
  • Last visited
  • Days Won: 6

Everything posted by fugu

  1. I think you may be on to something with copy + paste. Maybe just try typing the command on the command line: diskpart, list volume (I think that's right?)
  2. I'm not responsible for any damages so make sure you know what you're doing! But you might try

    $ sudo apt-get install gparted
    $ sudo gparted

    Find which drive your USB is (/dev/sdc, /dev/sdd, etc.) so you don't nuke your hard drive. Exit gparted, then

    $ sudo dd if=/dev/zero of=/dev/ofyourusbdevice bs=1M

    Then go back to gparted, recreate the partition table, then format it how you want (for Windows probably FAT32 or NTFS).
  3. Is the USB rubber ducky protected in the United States under the second amendment? I'm no lawyer but it seems like it might just be.
  4. Maybe just try part of the script, without running the duckyscript, but from the cmd line:

    echo list volume ^| diskpart ^| findstr "DUCKY"

    I think this should display the USB drive info for the ducky when the ducky is plugged in. Can you verify?
  5. fugu

    Just an Idea...

    Been thinking about firmware based malware and how difficult it is to "extract" most forms of raw code, once the code is embedded in a device. Makes me think, it might be a great place to hide important data that you want hidden for whatever reason (a password, small file, etc.). Although retrieving it may be difficult ;) Any thoughts?
  6. I didn't know that, that's good to know. Thanks!
  7. Just a side note, if you do a

    $ cp hack.apk hack.apk.zip
    $ unzip hack.apk.zip

    you can see the files that are created. I think, if I remember correctly, the port number is just a value in an XML entry. I haven't really messed around with it, but it appears easy to change manually. Also, you can try

    $ msfpayload android/meterpreter/reverse_tcp S

    to get more information on a payload.
  8. what evidence are you trying to extract?
  9. Here is a 1-liner for RSA 1024 key generation, haven't written code yet to do this, just been kinda lazy.

    $ openssl genrsa -out temp.key 1024 && openssl rsa -in temp.key -text -noout && rm temp.key

    edit: privateExponent is the decryption exponent.
  10. Ok, buffer sizing is not my forte. There are probably many problems with it, but this was a simple demo I was using for myself to get the hang of gmp. I'm using an RSA algorithm, and those funky sets of large numbers are the pairs of encryption/decryption keys. They can be generated with openssl or I can write another simple (probably bug ridden too lol) program for generating keys. This is an FYI: my random number seeding in the above program is definitely not secure (as in the starting seed number can be predicted, which means the random numbers that are created from the generator can be predicted). I suggest changing that before using this for anything practical. The "convert to hex" was only to load strings into gmp, which I couldn't find any other way to do by looking into the docs, which is not to say there isn't a better way to do that.
  11. I was playing around with the gmplib source and wrote a simple example of encryption. I thought that I'd share it with you.

    //A Simple Asymmetric Encryption Example
    #include <stdio.h>
    #include <stdlib.h>      // free() for strings returned by mpz_get_str
    #include <string.h>
    #include <gmp.h>
    #include <sys/time.h>

    int main(int argc, char *argv[]){
        int shift, nblock_unpadded_len, nblock_padded_len = 64, i, input_str_len;
        char buff[nblock_padded_len*4];
        char *hex;
        mpz_t ciphertext, nblock, encryption_exponent, modulus, zero, two, temp, rand_pad,
              decryption_exponent, result, temp2;
        struct timeval tv;
        gmp_randstate_t rstate;

        if(argc < 2){
            printf("Usage: %s \"a string of text\"\n", argv[0]);
            return -1;
        }

        //send argv[1] to "buff" but in hex
        input_str_len = strlen(argv[1]);
        if(input_str_len >= nblock_padded_len){
            printf("Usage: %s \"a string of text\"\n", argv[0]);
            printf("Input is longer than the encryption maximum length\n");
            return -1;
        }
        memset(buff, '\0', sizeof(buff));
        for(i=0; i<input_str_len; i++){
            //cast through unsigned char so bytes >= 0x80 don't sign-extend into "ffffff.."
            sprintf(buff+strlen(buff), "%02x", (unsigned int)(unsigned char)argv[1][i]);
        }

        mpz_init(ciphertext);
        mpz_init(temp);
        mpz_init(temp2);
        mpz_init(rand_pad);
        mpz_init(result);
        mpz_init_set_str(nblock, buff, 16);
        mpz_init_set_str(zero, "0", 16);
        mpz_init_set_str(two, "2", 16);
        mpz_init_set_str(encryption_exponent, "10001", 16);
        mpz_init_set_str(modulus, "c4afd144e57fa6f4308a440515eaad0933a798cad123440d9d6bddf481652c2734e282000c60095fe9244e5027cf87901d4bc2f48be431450cc7776a18140b8f9856d2a08c1f706a233933ef34894e0c9010a7c4ccc4be94e6cf7c4f735349e371b23b05a8a7b1ee67ccb6db94c71f1a6e793d92556d0f30ea87652892dbf54b", 16);
        gmp_printf ("nblock = %#Zx\n", nblock);

        //pad the input with random bytes, after our cleartext
        hex = mpz_get_str(NULL, 16, nblock);
        nblock_unpadded_len = strlen(hex);
        free(hex);
        if(nblock_unpadded_len % 2 == 0){
            nblock_unpadded_len = nblock_unpadded_len/2;
        }else{
            nblock_unpadded_len = nblock_unpadded_len/2 + 1;
        }
        shift = nblock_padded_len-nblock_unpadded_len;
        mpz_pow_ui(temp, two, 8*shift);
        mpz_mul(nblock, nblock, temp);
        //seeding from the clock is predictable (see the note in the post above)
        gmp_randinit_mt(rstate);
        gettimeofday(&tv,NULL);
        gmp_randseed_ui(rstate, tv.tv_sec*1000000+tv.tv_usec);
        //shift-1 bytes of padding leaves one zero byte between cleartext and padding,
        //which the decryption side uses as the terminator
        mpz_urandomb(rand_pad, rstate, 8*(shift-1));
        mpz_add(nblock, rand_pad, nblock);

        //encrypt
        mpz_powm(ciphertext, nblock, encryption_exponent, modulus);
        printf( "input_str_len = %d\n", input_str_len);
        printf( "shift = %d - %d = %d\n", nblock_padded_len, nblock_unpadded_len, shift);
        gmp_printf ("nblock = %#Zx\n", nblock);
        gmp_printf ("encryption_exponent = %#Zx\n", encryption_exponent);
        gmp_printf ("modulus = %#Zx\n", modulus);
        gmp_printf ("ciphertext = %#Zx\n\n", ciphertext);

        //delete cleartext
        memset(buff, '\0', sizeof(buff));
        mpz_set_str(nblock, "0", 16);
        mpz_clear(nblock);

        //decrypt
        mpz_init_set_str(decryption_exponent, "13c7d6d505fbab8fbd5dfa6f4480007cff6be88ae53395c184c6776102ae691d5c4d3763c7dad4b6879cf61f4b91ac818ae0b6af9f6e08a278218b59e92802ed75db5fe5769ee61d5ee9c86daeb24583c97310819c4a93375d5b1ee45534ff5da1f9ce2a0e1e229954098e77121deaa75aeab7b0b86b0f906bc082389d434949", 16);
        gmp_printf ("decryption_exponent = %#Zx\n", decryption_exponent);
        mpz_powm(result, ciphertext, decryption_exponent, modulus);
        gmp_printf ("result = %#Zx\n", result);

        //convert from hex to readable ascii
        hex = mpz_get_str(NULL, 16, result);
        if(strlen(hex) % 2 == 0){
            shift = strlen(hex)/2;
        }else{
            shift = strlen(hex)/2 + 1;
        }
        free(hex);
        //walk the bytes of result from the top; the first zero byte ends the cleartext
        for(i=1; i< shift; i++){
            mpz_set_str(temp, "FF", 16);
            mpz_tdiv_q_2exp(temp2, result, 8*(shift-i));
            mpz_and(temp2, temp, temp2);
            if(mpz_cmp(temp2, zero) == 0){
                //byte i is the terminator, so i-1 bytes of cleartext precede it
                printf("there are %d characters!\n", i-1);
                break;
            }
            sprintf(buff+strlen(buff), "%c", (int)mpz_get_ui(temp2));
        }
        printf("%s\n", buff);

        gmp_randclear(rstate);
        mpz_clear(ciphertext);
        mpz_clear(encryption_exponent);
        mpz_clear(decryption_exponent);
        mpz_clear(modulus);
        mpz_clear(zero);
        mpz_clear(two);
        mpz_clear(temp);
        mpz_clear(temp2);
        mpz_clear(rand_pad);
        mpz_clear(result);
        return 0;
    }
  12. fugu

    USB fun

    I would look into if the drive has firmware available for download. Start there.
  13. fugu

    USB fun

    Whittle the tip till its a sharp pointy stick.
  14. You could also try lowering the transmission power. I can't remember exactly how it's done, maybe someone else can help correct me if I'm wrong:

    ifconfig wlan2 down
    iwconfig wlan2 txpower 4dbm
    ifconfig wlan2 up
  15. You could try to plug the wifi adapter into the pineapple before you boot up. Idk but plugging it in might be causing electrical bouncing like THCMinister commented on.
  16. crunch-wordlist.sourceforge.net: you can make wordlists, or even better you can pipe a wordlist into aircrack; i.e.

    username$ crunch 10 10 -t %%%%,%%%%, | aircrack-ng -w - -e 00:11:22:33:44:55 test.pcap

    although coopers method or digip's method of running in parallel would be much faster.
  17. I found this and it looks interesting, I haven't tried it yet though. It looks like an IDS for an EvilTwin Attack. https://github.com/moha99sa/EvilAP_Defender/blob/master/README.TXT
  18. are you looking for an independent executable, when run looks like an authentication request for the WPA/2 password?
  19. Idk of pam for Android, but I'm still pretty new to the OS. I do know that messing around with and testing an Android shell, it never asks me for a password. I've heard that Android has things like iptables, but I haven't gotten there yet. It'd be real nice if it worked just like a full blown PC, which is what I'm most familiar with. (BTW the Android source for su.c is at https://android.googlesource.com/platform/system/extras/+/master/su/su.c, I didn't see any mention of pam, not sure if it'd be there anyway, but it does some checking of the UID)
  20. Well because mysu would still be a gaping security hole. I wanted something that would only function if you had the correct password. If someone were to get a user shell on the phone, they might be able to figure out security through obscurity.
  21. So in the wake of Android malware that is reliant on a phone being rooted, I'm looking at alternatives for the su program, which IMO is the main source for root access. Looking at the su.c source code, I thought it might be easy to add a little bit of code to create a hard-coded password, that would slow malware that relied on su for functionality.

    //$ gcc -o sha1_sample1 sha1_sample1.c -lcrypto
    //$ ./sha1_sample1
    //password> password
    //[+] Continue with program...
    //$ ./sha1_sample1
    //password> wrong
    //./sha1_sample1: permission denied
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <openssl/sha.h>

    #define OK       0
    #define NO_INPUT 1
    #define TOO_LONG 2

    static int getLine (char *prmpt, char *buff, size_t sz) {
        int ch, extra;

        // Get line with buffer overrun protection.
        if (prmpt != NULL) {
            printf ("%s", prmpt);
            fflush (stdout);
        }
        if (fgets (buff, sz, stdin) == NULL)
            return NO_INPUT;

        // If it was too long, there'll be no newline. In that case, we flush
        // to end of line so that excess doesn't affect the next call.
        if (buff[strlen(buff)-1] != '\n') {
            extra = 0;
            while (((ch = getchar()) != '\n') && (ch != EOF))
                extra = 1;
            return (extra == 1) ? TOO_LONG : OK;
        }

        // Otherwise remove newline and give string back to caller.
        buff[strlen(buff)-1] = '\0';
        return OK;
    }

    int main(int argc, char **argv) {
        unsigned char digest[SHA_DIGEST_LENGTH];
        SHA_CTX ctx;
        char* string;
        char salt[] = "areallylongsalt";
        char buff[40];
        int i, rc;   // i is used by the commented-out digest dump below

        rc = getLine ("password> ", buff, sizeof(buff));
        if (rc == NO_INPUT) {
            // Extra NL since my system doesn't output that on EOF.
            printf ("\n");
            fprintf(stderr, "%s: permission denied\n", argv[0]);
            return 1;
        }else if (rc == TOO_LONG) {
            fprintf(stderr, "%s: permission denied\n", argv[0]);
            return 1;
        }

        // password followed by the fixed salt is what gets hashed
        string = malloc(strlen(salt)+1+sizeof(buff));
        strcpy(string, buff);
        strcat(string, salt);
        //printf("%s\n", string);

        SHA1_Init(&ctx);
        SHA1_Update(&ctx, string, strlen(string));
        SHA1_Final(digest, &ctx);
        free(string);

        //char mdString[SHA_DIGEST_LENGTH*4+1];
        //for(i = 0; i < SHA_DIGEST_LENGTH; i++){
        //    sprintf(&mdString[i*4], "\\x%02x", (unsigned int)digest[i]);
        //}
        //printf("SHA1 digest: %s\n", mdString);
        //passwordareallylongsalt
        //SHA1 digest: \x12\x33\x1e\x67\x16\xdd\x1b\x34\x66\x9a\xcb\x36\xd1\x4b\x04\xd9\x8e\x36\x42\x22

        // memcmp rather than strncmp: the digest is raw bytes and may contain 0x00,
        // which would make strncmp stop early
        if(memcmp(digest, "\x12\x33\x1e\x67\x16\xdd\x1b\x34\x66\x9a\xcb\x36\xd1\x4b\x04\xd9\x8e\x36\x42\x22", SHA_DIGEST_LENGTH) != 0){
            printf("%s: permission denied\n", argv[0]);
            return 1;
        }
        printf("[+] Continue with program...\n");
        return 0;
    }
  22. Was the Mk1 a fon based system? If so, and you happen to have a 5V? ftdi cable laying around, you can talk to the system directly through the serial pins.
  23. I missed the part where it said the name of the website from the OP. I, too, would also think Alibaba would not want to risk their reputation by selling fraud goods. I was thinking this was some crappy Chinese website with no traffic and nothing in English except maybe hak5 and pineapple.
  24. Regardless, the hardware is 99% likely to be trojaned and damaging, I just feel bad for the people who mistakenly buy it instead of from the hakshop.
  25. So as an ethical thought experiment, not that I condone cyber attacks in any way, if the website is fraud, and they skirt the laws, is it still illegal/wrong if someone were to DoS them? (I do consider myself whitehat, so I personally would never do this)