Month: November 2020

macOS internet connection and service order

Many times I’v got asked (directly, via messages or forums) why the macOS internet connection does not work anymore, while using devices like Shark Jack, O.MG Cable and so on. In my tutorials I also did not mention this in detail, because I assumed this should be clear. A big mistake from my side. Therefore now this article. I will now do my best to explain, using a few examples, how to prioritize the services so that you do not lose your internet connection from your macOS. I will use the internet connection via Wifi hotspot.

Note: I show here an specific example for Shark Jack now. But main target is that you understand and can reuse your knowledge also for different other situations.

Network locations

The first part is about macOS network locations. To not destroy your current settings, we will create a new network location (all via command line).

Warning: The following steps will disconnect your internet connection (briefly), because the new created network location is not populated. Read the tutorial carefully before you execute any command!

# list all network locations
$ networksetup -listlocations

# show name of the current location
$ networksetup -getcurrentlocation

# create new location (SharkJackNetwork)
$ networksetup -createlocation SharkJackNetwork

# change location
$ networksetup -switchtolocation SharkJackNetwork

# lists network interfaces (should be empty)
$ networksetup -listallnetworkservices

Services

The newly created network location does not contain any service now. In the next second part we create two (Wifi and Bluetooth), set own DNS server and test. If you have stored your Wifi credentials (see Keychain Access.app), the internet connection will automatically established again.

# list all hardware ports with corresponding device name and port
$ networksetup -listallhardwareports

# create WI-FI service (named WLAN)
$ networksetup -createnetworkservice WLAN "WI-FI"

# create Bluetooth PAN service (named Bluetooth)
$ networksetup -createnetworkservice Bluetooth "Bluetooth PAN"

# lists network interfaces (WLAN and Bluetooth)
$ networksetup -listallnetworkservices

# add dns server (to WLAN)
$ networksetup -setdnsservers WLAN 8.8.8.8 8.8.4.4

# verify DNS settings (optional)
$ dig +all example.com

My MacBook Pro does not provide an RJ45 interface (only USB-C). Therefore I buyed a Multi-Port-Adapter from Satechi. After plug in, I add this device now to my services. There are many other vendors as well, for such please choose your own name.

# list all hardware ports with corresponding device name and port
$ networksetup -listallhardwareports

# create adapter service (named Satechi)
$ networksetup -createnetworkservice Satechi "USB 10/100/1000 LAN"

Now it’s time to use Shark Jack. Turn it on (arming mode), plug into adapter, wait for IP and test. If you haven’t changed it, the default IP is “172.16..24.1”, the user is “root” and password is “hak5shark”.

# wait for IP
$ ifconfig en8

# run command over SSH
$ ssh -C4 root@172.16.24.1 -C 'pwd'

# ping google dns
$ ping -c 1 google.com

The internet connection is not working anymore but Wifi seems working correctly!

Service order

Now it comes to the order of all services (prioritization). Here we ensure that internet connection works again.

# show services in the order they are contacted for a connection
$ networksetup -listnetworkserviceorder

# command to designate the order network services are contacted
$ networksetup -ordernetworkservices WLAN Satechi Bluetooth

# ping google dns
$ ping -c 1 google.com

All good now … The newly created network location (incl. services) can be used as soon you develop your Shark Jack payloads. Specific to your environment needs, you can create and use many of these network locations (to quickly switch between).

macOS network locations via gui

O.MG Cable Setup on (Kali) Linux

MG made something really cool (and dangerous too) to perform keystroke injection attacks (via Rubber Ducky scripts) simply over wireless interface. In this tutorial I want to show you the first important steps before you can start the penetration testing. The cables, programmer and other awesome MG products are available from Hak5.

Important: You should own (or buy) at least one O.MG Cable Programmer, otherwise you will not be able to follow the steps below!

Preparation

First check whether Python 3.7 (or higher) and pyserial (incl. dependencies) is installed. It is already pre-installed in my Kali Linux.

# check python version
$ python3 --version
Python 3.8.6

# check for python package
$ pip3 freeze | grep 'pyserial'
pyserial==3.5b0

If you still need to install the necessary packages.

# install needed python package(s)
$ sudo pip3 install pyserial

Download the latest O.MG Firmware (incl. needed scripts/binaries) now.

# download latest Firmware via CURL
$ curl -L -C - https://github.com/O-MG/O.MG_Cable-Firmware/releases/download/v1.5.3/O.MG_Cable-Firmware-v1.5.3.zip -o ~/Downloads/O.MG_Cable-Firmware-v1.5.3.zip

# unzip archive
$ unzip ~/Downloads/O.MG_Cable-Firmware-v1.5.3.zip -d ~/Downloads/

# list content (optional)
$ ls -la ~/Downloads/O.MG_Cable-Firmware-v1.5.3/

# list physical USB device hierarchy (optional)
$ lsusb

Install Firmware

Now plug the O.MG programmer into your computer and the O.MG cable into the programmer. This can be a bit more difficult at first, so be careful not to destroy everything right away. Even when pulling out – Treat it like a beautiful woman.

Note: If you are running Kali Linux as VM (e.g. VirtualBox), passthrough needed USB devices.

VirtualBox USB passthrough

Change into directory O.MG_Cable-Firmware-v1.5.3 and set the file permissions for file flash.py and start the Firmware configuration and setup.

# list physical USB device hierarchy (optional)
$ lsusb

# run python script
$ sudo python3 ./flash.py

Caution: If you see the following output (or similar) Connecting........_____..... but flashing the firmware ends with an error – means that the programmer was recognized correctly but the cable was not. Remove the cable and plug it in again. In addition, the cable needs a reset after every firmware flash.

If everything works (which is the normal case) you will be asked in which mode (AP or STA) the wifi should work. In my example, I am using for this tutorial the Access Point (AP) mode. So I’ll set the SSID as well as wifi credentials. You can later access with any modern browser via URL http://192.168.4.1. Whether you need AP or STA mode depends on your environment and your attack vector. But try to get to know both as well as their respective advantages and disadvantages.

SELECT WIFI MODE ...: 2
ENTER WIFI SSID ...: OMGtest
ENTER WIFI PASS ...: test12345

Confirm your entries and wait a moment. An overview is displayed (do not forget the password).

Flash Operation Complete!

[ WIFI SETTINGS ]
  WIFI_SSID: OMGtest
  WIFI_PASS: test12345
  WIFI_MODE: 2
  WIFI_TYPE: ACCESS POINT

[ FIRMWARE USED ]
  INIT: firmware/esp_init_data_default_v08.bin
  ELF0: firmware/image.elf-0x00000.bin
  ELF1: firmware/image.elf-0x10000.bin
  PAGE: firmware/page.mpfs

<<< PROCESS FINISHED, REMOVE PROGRAMMER >>>
Press Enter to continue...

That was done super quickly and easily. Now pull the cable out of the programmer and you can start.

First steps with Shark Jack

After you receive your new Shark Jack device from Hak5, you need to upgrade the Firmware. This tiny tutorial will guide you through the process. You should plan a maximum of 10 minutes of your life for this action.

Preparation

Enable the Arming mode (middle switch position) and connect with your RJ45 interface, also connect USB-C for charging. Do not stop charging while the whole upgrade process! In case your local device does not provide such interface, I have really good experience with the multiport adapter from SATECHI.

Download and install latest Firmware

The default settings for your new Shark Jack are:

  • IP: 172.16.24.1 (Arming mode)
  • User: root
  • Password: hak5shark

Download latest Shark Jack Firmware from here.

Hak5 Download Center - SharkJack
# download Firmware (via command line)
$ curl -L -C - https://downloads.hak5.org/api/devices/sharkjack/firmwares/1.1.0-stable -o ~/Downloads/upgrade-1.1.0.bin

# verify SHA256 checksum (optional)
$ shasum -a 256 ~/Downloads/upgrade-1.1.0.bin

# copy Firmware from local to Shark Jack device
$ scp -C4 ~/Downloads/upgrade-1.1.0.bin root@172.16.24.1:/tmp/

# SSH into SharkJack device
$ ssh -C4 root@172.16.24.1

# list directory content (optional)
root@shark:~# ls -la

# show current version
root@shark:~# cat VERSION
1.0

# start update
root@shark:~# sysupgrade -n /tmp/upgrade-1.1.0.bin

Now be patient and do not remove the Shark Jack from RJ45 or the USB-C for charging! The device installs the new firmware and reboots. For me it was around 3 – 4 minutes.

# check interface status (optional)
$ ifconfig

# SSH into Shark Jack device
$ ssh -C4 root@172.16.24.1

# show current version
root@shark:~# cat VERSION
1.1.0

That’s it … have fun and success.