Sect10n_9

Active Members
  • Content Count

    14

About Sect10n_9

  • Rank
    Hackling

Profile Information

  • Gender
    Male
  1. It's an interesting idea. I guess it depends on how you are using the OWL. Is it an on-network tool that you want to access to pull loot over a period of time? Is it somewhere you will have repeated access to, or will most of your "retrievals" have to be remote/from somewhere else, "AKA the lobby"? Are you using it like a payload dumper for one-time use? The look of the device (looks like a USB hub) lends itself to a more permanent placement. Can you somehow use it to create a secondary management network so as to keep your connections off the target network, to reduce the possibility of unfriendly attention? I do like the idea though, but if only the "BUTTON" was easier to access. I will admit, along with the LED being only one color, the "BUTTON" is my main hangup with this device. I wonder if there is some way to use what you suggest to get the device to "Call Out" to a predetermined path. This would also solve re-connection issues if you were to lose a DHCP lease and get ReIp'd. I'd love to see something like this with a 3G card. Just a thought 😉
  2. I was able to mount multiple devices on a standard USB 3.0 4-port hub powered directly from USB (no separate external power for the hub). The only issue I've run into is that any storage needs to be connected before boot or I can't get it to mount. Something in the boot auto-mounts any connected storage during startup. Once it's mounted it can be disconnected and reconnected without issue, but any new storage devices won't auto-mount without rebooting the OWL. I'm looking at adding something to the payload or making a change to the OpenWRT OS to change that.
  3. Sect10n_9

    Apt?

    More specifically the splash screen shows:

         BusyBox v1.30.1 () built-in shell (ash)

          .___.
          {o,o}
          /)__)     Hak5 Signal Owl
          " "       Version 1.0.0
         =======================================
          Built on OpenWRT 19.07
         =======================================
         root@Owl:~#
  4. Hey SteveMatrix check out Just note a couple of details. CASE matters in Linux. If your command for WIFI_CONNECT is in all caps in the payload, the name for the extension needs to match: WIFI_CONNECT.sh. Remember to include #!/bin/bash at the beginning of the payload and extensions. https://docs.hak5.org/hc/en-us/articles/360033504014-Payload-Development-Basics If it doesn't boot, try it a few times, as there is a 25% to 30% failure rate on boot.
  5. What you're doing is really interesting. What's happening is that pressing the button after the payload has been run is causing a soft reboot. You can start the OWL at any time with the USB drive containing the payload & extensions and it does the same thing. However, if the button was easier to press (see first post in thread about things I'd like changed), you could quickly run multiple payloads as long as you have a few drives and a different payload on each drive. You could color-code the drives and quickly change your attack or scan on the go. I've also discovered that starting the OWL with a USB drive containing the payload and extensions decreases the fail rate by a lot. It still happens from time to time but it's less than the 50% failure rate Vepr mentioned. However, if you do this, unless you are using a USB hub, you lose the ability to have a Bluetooth or secondary WiFi adapter connected. I've only tested this with USB drives, but if it isn't booted with the device connected it cannot be accessed. If this behavior is different for WiFi adapters or Bluetooth adapters I'll find that out soon, as I've got one of each on order to mess around with. Also, if you boot with a USB device connected and then, once the payload is run, press the recessed button, it creates a folder on the USB drive that contains the "LOOT" from the previous payload. It's a quick way to dump your "LOOT" during engagement and why I'm upset that the "Button" is not easily accessed.
  6. That sucks, man. I'd like to know from Hak5 if there is any way to factory default the device with just power and the button. Like holding it down during boot for 30 secs or something. "Oh voice from the sky, Darren Kitchen, any advice?"
  7. Np, I've done that a few times. Going back and forth between Windows boxes and Linux makes my head hurt sometimes. The SSH thing is interesting. I'm curious why that works. I'd really like to see log output on what happens when the script runs the command. I am really interested in setting up a second WiFi adapter for management. I just wish there was some way to set both the USB ports for either pass-through or active use.

     Now I have discovered something interesting. When the OWL is booted with a USB storage device attached, at some point during boot it auto-mounts it. Once this is done it can be removed or reinserted at will. However, if a new drive is inserted it does not auto-mount. I suspect this (https://openwrt.org/docs/guide-user/storage/usb-drives-quickstart) is happening. Next I connected a USB 3.0 hub and had 2 USB drives inserted at the time of boot. It auto-mounted both, starting with slot 0 then moving on to slot 1. I suspect if 4 drives were placed in the hub it would follow the same pattern. In the end I think they all would be auto-mounted. I suspect that if we want to connect WiFi adapters, Bluetooth adapters, or USB drives they will need to be inserted before boot before they will work. Unless we can build a script into the payload to control mounting new hardware when it's attached.

     The following is my SSH output after booting with 2 USB drives in a USB 3.0 hub. Pay attention to the names it gives the drives. It names drive 0 /sdb and creates a separate partition mount /sdb1 even though it is in slot 0. The drive in slot 1 receives /sda.

         BusyBox v1.30.1 () built-in shell (ash)

          .___.
          {o,o}
          /)__)     Hak5 Signal Owl
          " "       Version 1.0.0
         =======================================
          Built on OpenWRT 19.07
         =======================================
         root@Owl:~# cd ..
         root@Owl:/# ls
         bin etc mnt proc root sys usb var dev lib overlay rom sbin tmp usr www
         root@Owl:/# cd mnt
         root@Owl:/mnt# ls
         sda sdb1
         root@Owl:/mnt# cd sda
         root@Owl:/mnt/sda# ls
         System Volume Information
         root@Owl:/mnt# ls
         sda sdb1
         root@Owl:/mnt# cd sdb1
         root@Owl:/mnt/sdb1# ls
         System Volume Information owl_loot_1565663725 extensions payload.txt
         root@Owl:/mnt/sdb1# ls -al /dev/sd*
         brw------- 1 root root 8, 0 Jan 1 1970 /dev/sda
         brw------- 1 root root 8, 16 Jan 1 1970 /dev/sdb
         brw------- 1 root root 8, 17 Jan 1 1970 /dev/sdb1
         root@Owl:/mnt/sdb1#
  8. I have a couple of questions. Did you do the firmware update? https://docs.hak5.org/hc/en-us/articles/360033611914-Setting-up-the-Signal-Owl-for-the-first-time What is the LED showing? In my config up top I have LED SPECIAL2, which changes the LED to a double blink followed by a solid red that repeats once the payload runs successfully. Is your payload labeled payload.txt and on the root of an inserted flash drive? Is your extension labeled WIFI_CONNECT.sh (in all caps) and located in a folder labeled extensions on your flash drive? Did you use the configs I have at the top exactly? (Except for the SSID and password, of course.)
  9. That might work but it's going to look really odd to anyone paying attention. Which is ultimately the point, I guess. 😉 I really like the idea of having a second ad hoc network not broadcasting SSID that I could "drive by" connect and dump data from. Or fly a drone by with a micro comp set to pull on connection. I really want to use a drone one time. Just to say I've done it. No, I've been using the built-in WiFi because I've been having to reinsert a USB stick after the OWL randomly fails to boot to refresh the payload. No, the %sign% is just a placeholder. Like %appdata%. Make sure you have the #!/bin/bash at the start of your payload and your WIFI_CONNECT.sh https://docs.hak5.org/hc/en-us/articles/360033504014-Payload-Development-Basics For some reason I've seen people leave this out.

         #!/bin/bash
         WIFI_SSID="something"
         WIFI_PASS="somethingelse"

     The best advice I can give is to approach the process piece by piece. Get it on the WiFi, confirm it's on the WiFi, then try to get a shell prompt, afterwards try to get it connected to C2. If you try to approach it all at once you can run into a lot of problems.
  10. I can't just issue /etc/init.d/ssh start on the command line either, but having it in the script is the only way I've gotten it to work. It's strange as hell.
  11. I agree, having some sort of management option is a must with this device. I am curious if it could be set up with a WiFi or Bluetooth chip in the usable USB slot, but I'm worried about storage space for the "Loot" or how many times it has failed during boot for me even after 1 day. I know we are on firmware 1.0.0 but it really seems to have issues during boot. It seems like every other boot attempt either fails or corrupts the current "Payload". I've taken to leaving the USB stick plugged in as the only way to ensure a clean boot. Once it's online it can be removed and reinserted if necessary. It does seem to auto-mount the sda1 without issue. My next experiment will be having it C2 connect to a domain outside of its network. Though from an engagement standpoint this would be dangerous, as it would leave a traceable connection. I just want to be sure that it can be pointed in that direction and if I can set a custom port to use. On the receiving end I will use a custom port number as well and see if it can be hopped across multiple connections. Think Seedbox, in an offsite location where I can connect and download at will, a sort of logging server. For a BlueTeam device this might be an interesting "Canary". I could leave it onsite at locations that have experienced issues or are at risk. Have it uploading a constant NMAP or other tools and set alerts on the logging server to alert me when certain conditions are connected. This is already something that can be done with other devices, but I like the low power use and the stealth aspects of this device. It's small, light, and can easily be mistaken for a USB hub. I have already used a Pineapple Nano for this in a few circumstances, but this would be an interesting addition, assuming the bugs can be worked out.
  12. I am running a Google Mesh setup at home and the app allows me to view all connected devices by MAC. I suppose NMAP would work to find it. If you're on the network then there are a number of ways to discover devices. What I would like to see is having dual network cards, one connecting to the network to run the payload and one for management, with the option to disable the SSID broadcast, to collect loot or manage. If you have the device permanently deployed you could use it to collect loot anytime you are in range as well.
  13. I did just figure out how to connect the OWL to C2. See https://docs.hak5.org/hc/en-us/articles/360014295634-Adding-Devices-to-Cloud-C2
  14. After getting my OWL today and spending way more time than necessary trying to figure out the "LED BLINKS", I have finally gotten my OWL onto my WiFi and accessible via SSH. This seems like it would be easy to do, but alas it's not.

      You need to understand that the OWL is not running its payload off of the USB device you plug into it. Rather it overwrites the payload.txt file located in /root/payload and overwrites the files located in /root/payload/extensions. I have yet to confirm that it erases the directory completely before writing, but I think it is likely just overwriting files with the same name. Once the files are written the USB stick just becomes mounted space. Clicking the "Button" causes the system to re-run the payload and dumps the created folder in /root/loot to the mounted USB device. I don't think this folder is created on the mounted USB stick until the button is pressed. Pressing the "Button" at the wrong moment in the boot can crash the entire thing. I have also noticed that it may corrupt or erase the payload.txt and cause you to need to reinsert the USB stick and refresh the payload.txt or extensions.

      The following is my WIFI_CONNECT named payload.txt

          #!/bin/bash
          WIFI_SSID="%mySSID%"
          WIFI_PASS="%myPWD%"
          WIFI_CONNECT
          /etc/init.d/ssh start
          C2CONNECT
          LED SPECIAL2

      The following is my WIFI_CONNECT extension located in /root/payload/extensions labeled WIFI_CONNECT.sh. I did not write this, I located it at https://github.com/hak5/owl-payloads/

          #!/bin/bash
          #
          # Title: WIFI_CONNECT
          # Description: Simplifies WiFi client mode connection. Expects $WIFI_SSID and $WIFI_PASS
          # Author: Hak5Darren

          function WIFI_CONNECT() {
              logger running extension: wifi_connect
              ifconfig wlan0 up;sleep 2
              echo -e "network={\nssid=\"$WIFI_SSID\"\npsk=\"$WIFI_PASS\"\npriority=1\n}">/tmp/wpa.conf
              wpa_supplicant -B -Dnl80211 -i wlan0 -c /tmp/wpa.conf
              while(iwconfig wlan0 | grep Not-Associated); do sleep 1; done
              udhcpc -i wlan0
          }
          export -f WIFI_CONNECT

      After a few attempts to run this payload and about 2-3 mins of waiting it was accessible via SSH on my network. The default login is USER:root PWD:hak5owl

      Notice that on my payload.txt I have the line /etc/init.d/ssh start. In the small amount of documentation I've found this line has always been /etc/init.d/sshd start. I don't know why this made a difference for me but I could never access it via SSH until I changed this line. The system is running on OpenWrt and I've since looked at some info on commands there and I still don't have an answer. I do know that once you successfully log in you are greeted with the following:

          BusyBox v1.30.1 () built-in shell (ash)

           .___.
           {o,o}
           /)__)     Hak5 Signal Owl
           " "       Version 1.0.0
          =======================================
           Built on OpenWRT 19.07
          =======================================
          root@Owl:~#

      Maybe this will give everyone some version numbers to research and find answers.

      For any Hak5 people reading this. Multi-color LEDs are a must on this. Even 2 or 3 colors with blink patterns is better than what this has. I have had it 1 day and I want to throw it into a wall trying to diagnose the rapid red LED blink codes. Stop recessing the "Button". If I were to go on engagement and bring this with me it would need to be something I can manipulate one-handed. We would like some documentation on how some of the "uncommon" features work, i.e. the uploading and downloading from USB drive. Explain how to connect this to C2. I can't find anything to get this to work. There is a file that C2 gives you, but where do I put it? Where in my payload do I run the command?

      That's just a few questions, I'm sure I'll have more. Unless I break it first. 😉