Posts posted by elkentaro

  1. 45 minutes ago, bg-wa said:

    Got it from here:

    wondering if I need to add another command to my json file....  Should that process be scripted or submitted in a PR?

    @elkentaro any insight?

    I'll have to look into it. The key would be to find out the byte array written to /dev/hidg0 in the ducky.py script. I'll take a look after I get done with some job-work. Although I suspect that if you add ["ALT-SHIFT-NUMLOCK" : "06,00,53"] to your language.json file it might work, given that Alt-Shift is the modifier key code "06,00,00" and hence you would only need to add the num lock key to the modifier.

  2. The language switch would depend on the setup and environment. Usually there is a shortcut key combination to switch from one input language to the other. The tricky part is that there probably isn't a good way to detect which language is active at the time of the attack.

    However, these keyboard shortcuts can be, and often are, changed by the user. But assuming that you already have physical access to the machine, you might just visually look at the current language input settings and change it to English input, then carry out a Bash Bunny attack. If you know that the target is at default settings, then issuing any of the language switch keystrokes should change the input language to English.

  3. I guess the ideal scenario would be to show the dangers of connecting to a public wifi spot. That scenario would be ideal to showcase the Pineapple's capability.

    1. Pretend the classroom is a coffee shop with wifi.

    2. People would connect to the legitimate wifi spot. (You probably would need another wifi AP for this.)

    3. Then a criminal could bring up a rogue AP using PineAP.

    4. Deauth everybody.

    5. Many clients end up connecting to the PineAP.

    6. You could use tcpdump/urlsnarf or any of the other tools to show how criminals could intercept the transmission.

    7. Homework: How would you protect your communication transmission in this scenario?

    ----- Encrypt everything.

    ----- Bring your own wifi spot.

    ----- etc. etc.

    Something like this might be of interest.

  4. I think what is more important is to build a scenario or syllabus around what it is you want the students to experience.

    Rather than tackling the whole pie as one, start with something simple.

    I think by mixing up wifi security with general web-activity safety, you are actually creating an overly complex issue.

    Web activity security can be taught without a Pineapple, but wifi security is much easier to teach with a Pineapple.

  5. Thanks.

    I assume then it's a problem with your fr.json file. You can try out the payload manually by running the ducky.py under /tools. But you're going to need to either mount the unmounted disk partition or temporarily create a directory and payload under /root/. Then issue

    ./ducky.py payload.txt -l fr

    If it shows an error it's likely an issue with the fr.json.

  6. So in case your target is a Windows operating system with PowerShell, you could set up two Set-WinUserLanguageList payloads:

    1. To set the keyboard layout to en-US (US keyboard layout).

    2. To set it back to whatever layout you want.

    --------Example payload.txt---

    #!/bin/bash
    ATTACKMODE HID VID_0x45E PID_0x0061
    Q DELAY 4000
    Q switch1/setUS.txt   # This sets the layout to en-US
    Q DELAY 2000
    Q switch1/quack.txt   # Actual payload script
    Q ENTER
    Q DELAY 500
    Q switch1/setJP.txt   # Reset it back to the default layout
    LED R

    ------Example SetUS.txt -----

    GUI r
    DELAY 500
    STRING powershell -windowstyle hidden Set-WinUserLanguageList -LanguageList en-US -force
    ENTER

    ------quack.txt (character testing payload) -----

    GUI r
    DELAY 1000
    STRING notepad.exe
    ENTER
    DELAY 2000

    STRING quacking
    DELAY 2000
    ENTER
    DELAY 750
    STRING abcdefghijklmnopqrstuvwxyz
    DELAY 1000
    ENTER
    STRING ABCDEFGHIJKLMNOPQRSTUVWXYZ
    DELAY 1000
    ENTER
    STRING 1234567890-^\\
    DELAY 500

    ENTER

    STRING !"#$%&'()0=~|
    DELAY 500
    ENTER
    STRING @[;:],./
    DELAY 500
    ENTER
    STRING `{+*}<>?
    DELAY 500
    ENTER 

    The PowerShell parameters "-windowstyle hidden" and "-force" will run the PowerShell command without any need for confirmation.

  7. So I started to work on the Bash Bunny to be able to handle non-US keyboard layout attacks for ATTACKMODE HID.

    To enable the SET_LANGUAGE option you need to add a [LanguageDescription].json under /root/tools/language.
    I used the default "us.json" as a working template. (You want to back it up and copy it, and not work off the original file.)

    Here is an example of a Japanese keyboard layout description file (i.e. ja.json; however, you can make it ja_win.json for specific environments):

    ---ja.json (created under /root/tools/languages/ )---

    {
       "__comment":  "All numbers here are in hex format and 0x is ignored.",
       "__comment":  " ",
       "__comment":  "This list is in ascending order of 3rd byte (HID Usage ID).",
       "__comment":  "  See section 10 Keyboard/Keypad Page (0x07)",
       "__comment":  "  of document USB HID Usage Tables Version 1.12.",
       "__comment":  " ",
       "__comment":  "Definition of these 3 bytes can be found",
       "__comment":  "  in section B.1 Protocol 1 (Keyboard)",
       "__comment":  "  of document Device Class Definition for HID Version 1.11",
       "__comment":  "  - byte 1: Modifier keys",
       "__comment":  "  - byte 2: Reserved",
       "__comment":  "  - byte 3: Keycode 1",
       "__comment":  " ",
       "__comment":  "Both documents can be obtained from link here",
       "__comment":  " http://www.usb.org/developers/hidpage/",
       "__comment":  " ",
       "__comment":  "A = LeftShift + a, { = LeftShift + [",
       "__comment":  " ",
       "CTRL":       "01,00,00",
       "CONTROL":    "01,00,00",
       "SHIFT":      "02,00,00",
       "ALT":        "04,00,00",
       "GUI":        "08,00,00",
       "WINDOWS":    "08,00,00",
       "CTRL-ALT":   "05,00,00",
       "CTRL-SHIFT": "03,00,00",
       "ALT-SHIFT":  "06,00,00",
       "__comment":             "Below 5 key combinations are for Mac OSX",
       "__comment":             "Example: (COMMAND-OPTION SHIFT t) to open terminal",
       "COMMAND":               "08,00,00",
       "COMMAND-CTRL":          "09,00,00",
       "COMMAND-CTRL-SHIFT":    "0B,00,00",
       "COMMAND-OPTION":        "0C,00,00",
       "COMMAND-OPTION-SHIFT":  "0E,00,00",
       "a":          "00,00,04",
       "A":          "02,00,04",
       "b":          "00,00,05",
       "B":          "02,00,05",
       "c":          "00,00,06",
       "C":          "02,00,06",
       "d":          "00,00,07",
       "D":          "02,00,07",
       "e":          "00,00,08",
       "E":          "02,00,08",
       "f":          "00,00,09",
       "F":          "02,00,09",
       "g":          "00,00,0a",
       "G":          "02,00,0a",
       "h":          "00,00,0b",
       "H":          "02,00,0b",
       "i":          "00,00,0c",
       "I":          "02,00,0c",
       "j":          "00,00,0d",
       "J":          "02,00,0d",
       "k":          "00,00,0e",
       "K":          "02,00,0e",
       "l":          "00,00,0f",
       "L":          "02,00,0f",
       "m":          "00,00,10",
       "M":          "02,00,10",
       "n":          "00,00,11",
       "N":          "02,00,11",
       "o":          "00,00,12",
       "O":          "02,00,12",
       "p":          "00,00,13",
       "P":          "02,00,13",
       "q":          "00,00,14",
       "Q":          "02,00,14",
       "r":          "00,00,15",
       "R":          "02,00,15",
       "s":          "00,00,16",
       "S":          "02,00,16",
       "t":          "00,00,17",
       "T":          "02,00,17",
       "u":          "00,00,18",
       "U":          "02,00,18",
       "v":          "00,00,19",
       "V":          "02,00,19",
       "w":          "00,00,1a",
       "W":          "02,00,1a",
       "x":          "00,00,1b",
       "X":          "02,00,1b",
       "y":          "00,00,1c",
       "Y":          "02,00,1c",
       "z":          "00,00,1d",
       "Z":          "02,00,1d",
       "1":          "00,00,1e",
       "!":          "02,00,1e",
       "2":          "00,00,1f",
       "\"":         "02,00,1f",
       "3":          "00,00,20",
       "#":          "02,00,20",
       "4":          "00,00,21",
       "$":          "02,00,21",
       "5":          "00,00,22",
       "%":          "02,00,22",
       "6":          "00,00,23",
       "&":          "02,00,23",
       "7":          "00,00,24",
       "'":          "02,00,24",
       "8":          "00,00,25",
       "(":          "02,00,25",
       "9":          "00,00,26",
       ")":          "02,00,26",
       "0":          "00,00,27",
       "ENTER":      "00,00,28",
       "ESC":        "00,00,29",
       "ESCAPE":     "00,00,29",
       "BACKSPACE":  "00,00,2a",
       "TAB":        "00,00,2b",
       "ALT-TAB":    "04,00,2b",
       "SPACE":      "00,00,2c",
       " ":          "00,00,2c",
       "-":          "00,00,2d",
       "=":          "02,00,2d",
       "^":          "00,00,2e",
       "~":          "02,00,2e",
       "@":          "00,00,2f",
       "`":          "02,00,2f",
       "[":          "00,00,30",
       "{":          "02,00,30",
       "]":          "00,00,32",
       "}":          "02,00,32",
       ";":          "00,00,33",
       "+":          "02,00,33",
       ":":          "00,00,34",
       "*":          "02,00,34",
       ",":          "00,00,36",
       "<":          "02,00,36",
       ".":          "00,00,37",
       ">":          "02,00,37",
       "\/":         "00,00,38",
       "?":          "02,00,38",
       "CAPSLOCK":   "00,00,39",
       "F1":         "00,00,3a",
       "F2":         "00,00,3b",
       "F3":         "00,00,3c",
       "F4":         "00,00,3d",
       "F5":         "00,00,3e",
       "F6":         "00,00,3f",
       "F7":         "00,00,40",
       "F8":         "00,00,41",
       "F9":         "00,00,42",
       "F10":        "00,00,43",
       "F11":        "00,00,44",
       "F12":        "00,00,45",
       "PRINTSCREEN":"00,00,46",
       "SCROLLLOCK": "00,00,47",
       "PAUSE":      "00,00,48",
       "BREAK":      "00,00,48",
       "INSERT":     "00,00,49",
       "HOME":       "00,00,4a",
       "PAGEUP":     "00,00,4b",
       "DELETE":     "00,00,4c",
       "DEL":        "00,00,4c",
       "END":        "00,00,4d",
       "PAGEDOWN":   "00,00,4e",
       "RIGHTARROW": "00,00,4f",
       "RIGHT":      "00,00,4f",
       "LEFTARROW":  "00,00,50",
       "LEFT":       "00,00,50",
       "DOWNARROW":  "00,00,51",
       "DOWN":       "00,00,51",
       "UPARROW":    "00,00,52",
       "UP":         "00,00,52",
       "NUMLOCK":    "00,00,53",
       "MENU":       "00,00,65",
       "APP":        "00,00,65",
       "\\":         "00,00,87",
       "_":          "02,00,87",
       "\\":         "00,00,89",
       "|":          "02,00,89"
    }

    There are still some caveats I need to work out: somehow I can't get "¥,|" (USB HID Keycode 87) and "¥_" (USB HID Keycode 89) to work, but the rest seems fine. (I suspect that this is due to the fact that these keys do not exist on a regular 101-key US keyboard and there are no modifier combinations to trigger them either, which is going to be problematic since they are used as a backslash in file paths. But I'll work some more to figure it out.)

    Workaround for Windows:

    For Windows you can use PowerShell to set the layout to a US keyboard by using "New-WinUserLanguageList en-US", which installs a US keyboard layout, then issue a "Set-WinUserLanguageList -LanguageList en-US" to set the default layout to a US keyboard. It's a bit slower, but if you have the time, this way is easier. You do need to reset the settings by issuing another Set-WinUserLanguageList -LanguageList [WHATEVERLANGUAGE] it was, otherwise the compromise will be detected.

    ----sample payload.txt---

    #!/bin/bash
    ATTACKMODE HID VID_0x45E PID_0x07B3
    Q SET_LANGUAGE ja
    Q DELAY 5000
    Q STRING starting with ja language option
    Q ENTER
    Q switch1/quack.txt
    Q ENTER
    Q DELAY 200
    Q ENTER
    Q STRING done
    LED R

    ---quack.txt( to test basic and special characters.)---

    STRING quacking
    DELAY 2000
    ENTER
    DELAY 750
    STRING abcdefghijklmnop
    DELAY 500
    ENTER
    STRING ABCDEFGHIJKLMNOP
    DELAY 500
    ENTER
    STRING 1234567890-^\ 
    DELAY 500
    ENTER
    STRING !"#$%&'()0=~|
    DELAY 500
    ENTER
    STRING @[;:],./
    DELAY 500
    ENTER
    STRING `{+*}<>?
    DELAY 500
    ENTER 

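As an added example (not code from this post, nor from the Bash Bunny's own ducky.py), here is a small Python linter for a language.json in the format described above. It parses each "modifier,reserved,keycode" entry, reports duplicate keys such as the doubled "\\" entry, derives a combination like ALT-SHIFT-NUMLOCK the way the first post suggests (OR the modifier byte into the key's report), and lists the characters a STRING line cannot type with a given layout. The JSON inside is a constructed subset, not the real ja.json.

```python
import json
import re

# Constructed subset of a Bash Bunny language.json in the same 3-byte
# "modifier,reserved,keycode" hex format as the ja.json above (sample only).
SAMPLE_JSON = r'''{
   "__comment":  "constructed subset, not the real ja.json",
   "SHIFT":      "02,00,00",
   "ALT-SHIFT":  "06,00,00",
   "a":          "00,00,04",
   "3":          "00,00,20",
   "#":          "02,00,20",
   "NUMLOCK":    "00,00,53",
   "\\":         "00,00,87",
   "\\":         "00,00,89"
}'''

HEX3 = re.compile(r"^([0-9a-fA-F]{2}),([0-9a-fA-F]{2}),([0-9a-fA-F]{2})$")

def lint_layout(text):
    """Parse a language.json into {name: (modifier, reserved, keycode)}
    and list problems. json.loads silently keeps only the last value of a
    duplicated key, so the raw pairs are captured to report collisions."""
    pairs = []
    json.loads(text, object_pairs_hook=lambda p: pairs.extend(p) or dict(p))
    layout, problems = {}, []
    for key, value in pairs:
        if key == "__comment":
            continue  # the format allows any number of comment entries
        if key in layout:
            problems.append(f"duplicate key {key!r}: {value} overrides earlier entry")
        m = HEX3.match(value)
        if not m:
            problems.append(f"key {key!r}: {value!r} is not 'mm,rr,kk' hex")
            continue
        layout[key] = tuple(int(b, 16) for b in m.groups())
    return layout, problems

def encode_combo(layout, name):
    """Resolve a ducky key name such as ALT-SHIFT-NUMLOCK: a direct entry
    wins; otherwise OR the modifier entry into the final key's report."""
    if name in layout:
        return layout[name]
    modifier, _, key = name.rpartition("-")
    return (layout[modifier][0] | layout[key][0], 0, layout[key][2])

def unmappable(layout, string):
    """Characters of a STRING line that the layout cannot type (e.g. ¥)."""
    return sorted({c for c in string if c not in layout})
```

Running lint_layout over a real fr.json before loading it on the Bunny is a quick way to catch the malformed entries that make ducky.py error out.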