Jump to content


Active Members
  • Posts

  • Joined

  • Last visited

  • Days Won


Everything posted by Onus

  1. @icarus255 Here is your first update. I have migrated to hcxdump and published my first major version! Thanks again for inspiring me to take another look at that tool set. It proved to be a huge improvement in so many ways. And as a thanks for your constructive feedback, by all means feel free to throw some hashes my way, that won't kill my electric bill with some unreasonable permutations that take a year or 11, lol
  2. Lol yeah I have a rig set up with 3 1080s and 5 1070s so I'm all set. But thanks. FYI I was just about done migrating to hxcdump and then I corrupted my boot image while trying to fix an auto mounting USB issue.. lol, but it was considerably cleaner and faster. Update coming soon
  3. @icarus , looking into hcxdumptool a little further this morning, i am seeing that i indeed am getting and able to sort handshakes and pmkid with rather ease. Im wondering though how that tool gets handshakes? is it passive? does it still use deauths? I will have to investigate a little more as to how long on average i should let it run, and if i there is an efficent way for me to monitor it. Definitely going to migrate in that direction.. Now that i really look into it, it definitely seems a bit more robust and would make my attack script rather clean. thanks again
  4. @icarus255 all very good feedback and thank you. To your negatives: * I am NOT looking to commercialize it. Really just built it for fun and to play around / make use of the plethora of pi zeros i have laying around. thus the github repo. * yeah i thought about that. That is why it only deauths for like 10 seconds on APs with clients and then reverts back to a ready mode. with no attacking. I wanted to make it as automated as possible. I guess i could make the deauth specific to a client on that AP instead of the AP itself.. (thoughts?) The use case i imagine is that you have a target and you know you can physically get rather close to the router and hang there for a minute. You get close, press the trigger, it grabs BSSIDs with clients (sorted by power/strength) does a quick 30 second deauth attack and goes back to ready mode.. you walk away.. The indicators just let you know if you caught valid handshake or if you need to try again.. * Noted.. but in my experience this attack is still very effective, To your suggestion: I absolutely thought about the hcxdumptool/PMKID attacks and i have been experimenting with them. There are a lot of variables time wise involved and by that i mean it can take a considerable amount of time to capture a PMKID. I did notice though that it seems to capture handshakes as well, and a bit more passively, though i have not got as far as sorting handshakes and pmkid. Also in my experiments i am not getting hashcat to crack the pmkid in most cases even with a short list that includes the known pw. Maybe next revision. blessings always welcome as is the constructive feedback.. again thank you.
  5. Well I could use besside-ng in my script sure, instead of aircrack suite directly. I really just wanted a handshake device. I love my nano and my tetra but some times it's a little more like a flame thrower in that unless I manually set it specifically for this task in advance it's likely going to start broadcasting open APS. This device would serve just that one purpose and merely needs to be powered on and it's ready to go. Plus I wanted to build something!
  6. Hello all. I have been a fan of the hak5 team for a while and over the last 2-3 years have collected pretty much everything in the hak5 shop. I have all the things that do the things. ? Recently during a fever dream, I imagined that I had a new device. One that magically grabbed 4 way WPA handshakes with the push of a button and was small enough to hold in my tiny pen testing fist. We have all been there right? We know there is a network with clients but we are just too far away to effectively do a deauth airodump attack. Sure we could get closer and open our Linux laptop, plug in a wonky antenna and fire up a couple terminals, but as if our hoody wasn't enough of an indication, now we'd really be drawing attention. Ok maybe we all haven't been there but at least I have and when I awoke from that fever dream I thought to myself, damn why didn't I think of this sooner. I need this thing to be as real as all my other things. Anyway, I went right to my work bench and started soldering away. I have started a GitHub repo for this thing that I'm tentatively calling FistBump. It's in it's beta stage for sure and a fairly simple device really, but would love some feedback. Please be constructive with your feedback, it's my first try at prototyping my own device. https://github.com/eliddell1/FistBump
  7. Are there any demos for the new enterprise feature.. seems like the security drop down in recon results is always blocked for me, and i can't seem to figure out how to clone an enterprise ap and harvest the rewards..
  8. How can I install git and responder and such via the terminal/ssh. I tried apt-get only to realize I don't have that.. :/ the responder that comes in module doesn't seem up to date..
  9. I have not tried that.. wonder if responder works better that way as well, and maybe I can install bettercap that way.. :)
  10. I just got a brand new tetra a few days ago and am noticing a slight electric clicking sound coming from it.. almost sounds like Morse code (dot dot dot dot dot dash, dot dot dot dot dash) is this normal? everything seems to be working fine, accept i did notice that if i want to use the eth1 usb port i have to initially unplug tha c adapter to get my machine to see it.. hoping i don't have a short/defective tetra,
  11. I don't see any documentation on the db of the antennas that ship with the Tetra. I am guessing they are around 5 db? Wondering if people have upgraded the antennas on the Tetra and if so what antennas are you using. I have two 7db antenna lying around that i bought for my nano, but not 4, so if i were to try to boost my signal, i wouldn't know which of the 4 antennas to replace, since i only have 2 9bd antennas. I ssh-ed into the pineapple and noticed that only three wireless adapters are actually up: root@Pineapple:~# iwconfig lo no wireless extensions. eth1 no wireless extensions. wlan0-1 IEEE 802.11abgn Mode:Master Tx-Power=30 dBm RTS thr:off Fragment thr:off Power Management:off wlan0 IEEE 802.11abgn Mode:Master Tx-Power=30 dBm RTS thr:off Fragment thr:off Power Management:off eth0 no wireless extensions. wlan1mon IEEE 802.11abgn Mode:Monitor Frequency:2.462 GHz Tx-Power=30 dBm RTS thr:off Fragment thr:off Power Management:off br-lan no wireless extensions. Its great to see they are already at 30dBm but that was confusing to me since there are 4 antennas, and how do i know which antennas on the physical device are which..
  12. Yeah.. never had much luck with ettercap so went with something better ;) it's great.. yeah I tried connecting to the secured AP as well even tried running the scan from different interfaces... Can only detect the gateway and any computer directly connected to the pine AP. Oh well
  13. I have not played with my pineapple in a while but fired her up this morning and got two clients almost immediately. I have it running connected to my linux box, and with bettercap running on the linux box pointing to the interface, eth1 with a gateway of . Bettercap can see the two clients, but when i run zenmap it only sees the and it will not see any of the clients. I have then connected a machine to the the locked(authenticated) pineapple AP it's self and i can that pc, but not any of the victem clients. Does the pineapple prevent this type of scan? i have tried downloading the nmap module but it won't install its dependencies for some reason..
  14. Im going to play around with this tomorrow afternoon.. thank you so much.. we can investigate later about decreasing boot time. Im just trying to understand the bones.. can you speak a bit to what the thought process of picking ip range..
  15. It's the same as adafruits tutorial.. mind you my pizero is a pi zero W (built in wifi) don't know if that is interfering, but it's shouldn't.. could you share the changes to DHCPD.conf and isc- DHCP-server
  16. Looking at Mubix's and sammyk's work with quick creds and posion tap, and of course playing with the bunny got my wheels turning and i decided i wanted to play around building my own pi zero into a custom ethernet gadget. I recently bought a few pi zero W's (with wifi) and am trying to get passed stage 1 of my project, i.e. getting the pi to be recognized as an ethernet adapter when plugged in to a pc or mac. i followed adafruits tutorial: https://learn.adafruit.com/turning-your-raspberry-pi-zero-into-a-usb-gadget/ethernet-gadget but it doesn't seem to work. Has anyone else tried this? can you point me to some tutorial gold! I know i am reinventing the wheel here, but for me i just want to learn buy trying to build my own from scratch.. FYI loving the bunny
  17. danka.. this should be a best practice..
  18. One thing that i noticed that may or may not be relevent here is that sometime editing a payload in something like wordpad will change normal quotations to the slanted ones.. (forgetting what thats called) . I had to manually paste in the "
  19. Onus

    2Gb Ethernet

    I had the same problem.. that script would be awesome.. would also be awesome if it could detect OS and switch automatically from MAC/ linux to RDNIS . and if Mac change the VID/PID to apple
  20. So playing around with some Mac HID STORAGE payloads, I noticed that when you pull out the OS will leave a message prompt "Bash Bunny was not ejected properly" is there a way to eject from the payload script?
  21. Hi all.. IM trying to wrap my head around everything that can be done with responder and impacket as well as any other tool kits available that would be useful in creating Ethernet attacks.. if anyone can point me to some good nooby tutorials for either that would be awesome.. maybe the next hak YouTube show can cover them? Specifically looking for SMB attacks that can take ntmlv2 hashes.. or ways to inject browser based payloads to locked machines Thanks in advance .
  22. Hi all, im pretty new to responder and was wondering if someone could let me know how to read the output log. I ran quickcreds on a VM running windows 8 and got the following log file with creds. Batman::Batcav:1c93d2ae0a457f99:FCEE4E4C0642636DF8B4F25F2103A1E8:0101000000000000C7302F5C549FD201F68533B32AA2A4FC000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C000800300030000000000000000100000000200000FC102DA35E193C199E6CD31916EF9B8C9C6E67F99BD6F2612D9684B30145268C0A0010000000000000000000000000000000000009001A0048005400540050002F00700072006F00780079007300720076000000000000000000 Batman::Batcave:d2c085b3b7dfb090:9714D79FAD2EC23E3FB93935526EF6DE:01010000000000001DBA385C549FD201DCDAD414F7880853000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C000800300030000000000000000100000000200000FC102DA35E193C199E6CD31916EF9B8C9C6E67F99BD6F2612D9684B30145268C0A0010000000000000000000000000000000000009001A0048005400540050002F00700072006F00780079007300720076000000000000000000 great! a few questions though.. they are both for the user batman on batcav machine, so why are they different? also there seems to be three hashes for each.. Is one an LMHASH and one an NTHASH? if so which is which.. im so confused.. need sleep.
  • Create New...