I'm Darren Kitchen, and this is my best man at my wedding, Seb Kinne. Yeah, really, will you? Cool. I got two to say yes now. Don't ask me which one was more important. Is she in the room? Okay, we're good. Yeah, and I'm Seb, Sebastian Kinne. We're the fruity guys from the Wi-Fi thing. And, you know, we typically start these with our mission statement, which is quite simply to make it do the thing. It's kind of the motto of our products. This year we decided, actually, well, you know, okay, that might be kind of unofficially our motto. We have many unofficial mottos, like make it so easy even an FBI agent can use it. Love you guys. The clicky-booty interface does make it quite simple. But we actually have a real mission statement this year, and I'm proud to say that this is it. That we are inspired to elevate the infosec industry by educating, engaging, and encouraging an all-inclusive community, one where all hackers belong. And I'm really proud of that. But we didn't just upgrade our mission statement this year. We actually, yeah, we actually upgraded the team. So if you guys want to come on stage, maybe? So it's, well, we'll get there. Come on. You don't need to bring your bags. You're fine. Or bring them. Hi. So I've been doing the development for a few years now. And at some point I said I really need help. So... Oh, I was going to help. I really was. And I wrote some bash scripts. And how did that turn out? I'm really sorry about the LAN Turtle. Yeah. I'll make Seb fix it. No, no, no. You. You get to fix it. I don't want to. So I'd like to announce or introduce the new Hak5 gear team, Foxtrot, Couchfail, and I'm sorry, Couchfault and Corbin. Couchfault got his name after struggling with many a segfault and ended up that way. Passing out while debugging. Yeah. These guys have worked tirelessly for the last, I don't even know how long, but I know for the last week it's been till something AM every day.
And I just want to hear a huge round of applause for this team because they've done some incredible work that we're all about to enjoy. You guys want to say something? No, not really. He's British and very much so. You do? Yeah. Okay. Well, I just wanted to say thank you. First of all, huge thank you to Seb and Darren. I owe you my job and so much of what I know today and everyone at DEF CON is my first DEF CON. It's been really a wild experience and especially without the sleep. I just could not be more happy to be here and surrounded by the community that I am and doing what I'm doing. So thank everyone. He's just excited he gets to stand here and doesn't have to work right now. We're going to need a bigger cube. Oops. Okay. All right. So this has been a very big year for Hak5. We've got a lot of Hak5 gear updates. We're going to breeze through some of these until we get to the main event. Let's start with my favorite illustration of the year that happens to also be a product, the Bash Bunny. Yeah. So we launched that last year. And yeah, we lose track of these things. So let us know if we're wrong about our own products, please. So we've done a couple of things in the past year or so. The first thing is like it was already agent proof and we kind of at the last talk. Now, you needed to be able to copy and paste a file from GitHub. Which is hard, right? So we reduced the GitHub part and just got it down to the copy and paste. So now you copy and paste a .exe or a bin to your Bash Bunny and you dot-slash it. Or you double click it. For Windows users. And you're done. Yeah. That's that. So the cross-platform update for Windows, Mac, Linux allows you to grab all of the latest firmware updates for the Bash Bunny as well as all of the payloads from the GitHub repository and just store them on the device so that you don't have to go searching for them. And it's just one of those little niceties that kind of refines these products.
And it's an idea of like the future, kind of where we're heading for that kind of seamless, like, oh, here's all the stuff. You don't have to think. We've also added a bunch of things that like extend the default behavior. So we have a thing called like extensions for the bunny scripts. One of which is like the, I think the one we chose is the OS fingerprint because that's one of the, I guess, more intuitive ones and most usable ones. But we've also done stuff so that you can override things like arming mode depending on your scenarios. You might not want to drop a Bash Bunny somewhere and have them be able to flip into arming mode and see whatever you're doing. So you can override these configurations now. We also have the ability to read caps lock states, which if you're crafty with payloads and I'm like winking and nudging, you can do some really interesting things. And it's not just caps lock. It's any HID lock state obviously. So num lock, scroll lock, and the other one no one remembers. No, I'm joking. I think those are the only ones. There's also the ability to inject straight up alt codes over HID. So that's important if you want to like send emoji. Not emoji, but you know you've ever dealt with internationalized keyboards and you need to be able to like inject that one character that you keep getting wrong because everyone's using a weird keyboard like the Brits. Yeah, right. So this guy over here, Foxtrot, uses a keyboard where if you hit shift four, you don't get an octothorpe or a pound. You get this like British pound sterling thing and the enter key is like shaped weird. Yeah, it's wrong. ISO. Wait, we love ISO, but... Yeah. So this gets around that so you can literally just send that character. Yeah. And overall, I think the Bash Bunny has now got a very, very large thriving community behind it and is just doing well. We really enjoy it. We've got a couple of cool updates planned for it, I think, and yeah. Cool. Should we let them sit?
Do you guys want to sit down? Okay. That means you have to leave and you have to start coding again, right? Okay. All right. Speaking of things that are mostly working, the other big updates on the LAN Turtle side were mostly bug fixes and I think that just kind of shows that, you know, it works. It does what we set out to do. Our big release last year around this time was the LAN Turtle 3G and while I can't relay any of the stories that have been privately told to me about the interesting places these have been, I'm just very happy to know that they are, either have been to interesting places or in many cases still in very interesting places doing their mission of exfiltrating data over out-of-band 3G backhaul. What else? The Packet Squirrel. We teased this in this very room or the wireless village room last year and I'm happy to say that the Packet Squirrel has landed and is very much doing our motto of making it do the thing and it's just that. I mean, aside from one firmware update to... Add wireless support so it, you know, it doesn't have wireless built in and people ask for wireless dongles so... There you go. Another beautiful example of how when people come to us, come to Seb and say, come to the devs and say, hey, it would be really great if and then there's a firmware update so it does that so we encourage that. Isn't it nice that it's not just me anymore? You can approach these guys now which is easier because you can just tell them to do things and they do it. Right and if you stick around, you can abuse them at 7 o'clock at the Hak5 Meetup. Stay tuned. You need to... You can't... They're not for sale. You can't use them. Right, right, right. You can talk to them. You can... Yeah, it's a limited warranty, honestly. So lastly, you know, the little quacker that could, the USB Rubber Ducky is getting its, you know, its first kind of glossing over in several years because again, a device that just did what it was set out to do.
You copy an inject.bin to the SD card and it types it. And we've been very happy with that functionality for years. Now we simplified kind of similar functionality in the Bash Bunny and we're taking some of those lessons learned and we're doing a first-party firmware for the USB Rubber Ducky that's going to allow it to perhaps type without using an inject.bin. Just copy over a script.txt, human readable. Right, we're also adding... Do you say mass storage? Not yet. Okay, cool. I can't see the notes. Yeah, so we're adding mass storage support which is something that exists in like a second-party, third-party firmware but you know, we wanted to have one native. We wanted to make a bunch of changes to the ducky firmware anyway so that's what we're working towards. The other thing that we have that's a new and first-party is... This was Dallas' first project which is amazing but a single HTML ducky encoder so all you do is you open the HTML file, it doesn't hit any servers, you can encode and decode your ducky scripts and inject.bins. Decode? No. Not yet. Cool. Will be. And... Sorry? Right. So just encoding. By the way, it can be hosted on your device so you can always keep it with you, you can do it on Android, Linux. So now you don't have to go to some, you know, third-party website to type in your ducky script and get an inject.bin. And I know everybody loved the Java attack jar duck and code dot jar slash dash I attack capital T, right? Everybody loved that, right? To Darren, that's magic. Yeah. No. Anyway, because we all have the JRE installed on... Never mind. Anyway, so fantastic work there and give it up for Dallas on that. I'm really excited for that feature. But this is the wireless village. So really, let's talk about our favorite fruity friend, the Wi-Fi Pineapple. It's been a big year for the Wi-Fi Pineapple. It has. It's amazing what can happen when we...
What we originally tried to do was I went to Seb, I hit control A, I hit control C, and I was trying to just hold down control V. Nothing was happening. But now that he's cloned or something, we got a lot done in 2018. So we're going to start that off by talking about the core of the Wi-Fi Pineapple, its engine, PineAP. Seb. Okay, so that's actually where Couchfault got his name from because segfaults happened and he had to rewrite PineAP for me. And lots of sleepless nights. What are they? Sleepless nights. You wouldn't know anything about those. Right. Many of the nights I can't pronounce later. So that's how he got his name. But we did a complete rewrite of PineAP, which basically allows us to do a complete restructure, a complete re-architecture, a complete rewrite, which is getting rewritten, but that's not a talk about that. But, see, they laugh because they know the pain that they're in. And that makes me sound really cruel. I'm not like that. He is German, however. And he's a Virgo engineer. Triple threat. So we did a complete rewrite of PineAP, which allowed us to do things like well, for instance, you can inject raw hex frames now. Right. Yeah, you can do that. I think more exciting are things like live recon mode, which is a way to just see who... Everyone knows airodump in here, I hope. Can I see hands? Because if I don't see everyone's hands, then... Visualizing the battlefield is really important. Asset management? Super important. As the attacker, even more fun, if you can actually understand what. Right. And so, you know, we like the approach that we had before where, you know, you kind of did a scan, you got a snapshot in time, but we also kind of wanted to have direct feedback, instantly being able to interact with the response, being able to sort them to be able to filter them and to be able to say this is what we want to do with the results. So that's why we added a live version of it, which the new version of PineAP enabled us to do.
You can also do lots of little niceties like saving your PineAP or sorry, your recon sessions so that you can load them up later and be able to download them. Yep, no more losing your recon results. You can also now do OUI lookup. I know that's something a lot of you guys wanted to have like natively built in, so you can just click on the MAC address and get OUI information. You can also tell if a MAC address has been locally assigned or if it's been assigned by the hardware vendor, at least with high probability. Which kind of gives you an idea of what the MAC address is. So now we're going to do the SSIDs and MACs. Which to the pen tester is like, this is direct feedback from you guys last year saying, hey, what would you like to see? And you say like, you know, I see some heads nodding. Like I've got this client and I'm trying to keep track of all of these MAC addresses and is this the CFO or is this the CISO? Is this in scope? Is that out of scope? Yeah. Seb. My eyes are really bad and he's got this tiny little thing here which is I don't think that should be allowed. It's like a netbook. It's fun. Remember when netbooks were cool? Yeah, a demo would be good. Do you know what we forgot? What? Where's the pineapple? Henry, do you have the pineapple? Sorry about that. Did you really not bring a pineapple? No, no, no. We did a setup. Okay, okay. We'll grab one. Yeah, that would be a good idea. All right, well, you know, that's okay. We'll loop back around to that because it does look really cool if you haven't already played with it. Live Recon is pretty thick in that you can... Oh, there we go. Okay, well... This is how they're better than me. They label their devices. We just...to pick the wrong one and do a demo on the wrong device. So label them. They also don't flash firmware after they've been on scripts on the device itself. That's a fun way to lose your work. How often have you rewritten... Twice.
Twice? I'm only going to admit to twice that you know of. Twice in front of an audience? We're going to go with that. We really should do more live hacking on Google Hangouts because... Yeah. It's good fun. But maybe we... Yeah, let's loop back around to that at the end because I feel like there's so much more to talk about since we have been really hard at work with Pineapple. One of the features that we have been...that has been requested upon us for years, and I know that at one point Seb was...I don't know if his life was threatened exactly, but this character here, I don't know if you know him, was adamant that Seb implement a feature for the Wi-Fi Pineapple that we are now lovingly calling PineAPE or PineAP Enterprise. So, yeah, I was...I think... I don't know if he's in the room, if he is. We love you, Mubix. Okay, cool. Yeah, so I think if I hadn't had it done before DEF CON, if we hadn't released this before DEF CON, I wouldn't be on stage right now. I'd be in some barrel somewhere in the desert. He has a tendency to run around with Wiffle bats, and if you've never been smacked by Wiffle bats from Mubix, you don't know pain. Right, so PineAP Enterprise is something that you guys all know. Enterprise networks are important for your job. You want to be able to clone them. You want to be able to capture credentials. You want to be able to capture the hashes. You want domain access. You can think of more ways than I can right now because I'm on stage. But basically, what we've done is we've done similar to hostapd-wpe. We've taken a similar approach. In DEF CON, you're going to be able to clone an access point, so you just select the access point that you want. You click clone. That will spin up a new Enterprise access point that you'll be able to use. It actually clones, like it does a deep clone, is what we call it, but basically it clones everything.
It means the MAC address, it clones the exact security types, the exact settings of the access point. At least everything we can see black box approach from the outside. You all right? Okay, cool. I'll just keep going. What we do is there's downgrade attacks, right? Because you all have fall with MS-CHAP and cracking MS-CHAP is kind of annoying. So what we did is we have a downgrade attack to GTC. We also have a base on iOS device. I know that, like, shout out to SensePost. I don't know if anyone is here. Cool. Either way, basically, we... I'm losing. It's interesting how, like, that works. Same thing worked recently with the x86 exploits, where it's like multiple researchers on kind of the same wavelength at the same time. And it's really cool that we're all going in kind of a similar direction, too. Yeah. So, sorry, it's been a really long time, really long... See, I'm not doing well today. He's out of words. Very much so. But more water and I'll feel better. I literally get creds. It's just like, oh, plain text? Here's the password. And this is supposed to be the enterprise stuff, the stuff that's actually more secure. How is that possible? It's vendor implementation, right? Correct. Vendor implementation varies that thing we quote all the time. But to be completely honest, it's iOS. If someone from Apple is here, go fix it, please. Because, my God. But yeah, so, you know, and not downgrade anything to plain text passwords, because that's cool. So we have that, though, which is nice. We're also working on something. I know it's in the future section, but while we're on PineAP, I think it makes sense to talk about is because, since we talked about it yesterday, this was one of those examples where we had research that happens at the same time, happened with Mana and PineAP at the same time, too. Where we basically have a relay attack, right? So we can perform, it's not released yet, but it's coming in the very, very near future.
And it's a way that you can man-in-the-middle a device that wants to join an enterprise network and relay their MS-CHAP credentials. You gain access to their network, and you don't have to crack the credentials, because you're on the network and the device is connected to you, so you're the man in the middle. Which gets you most of the way there, right? So I'm really stoked for the PineAP, the PineAPE and just let's hear it for the Wi-Fi Pineapple team, because Enterprise has been a long time coming. Now, it's kind of interesting that the Wi-Fi Pineapple known for all the awesome, fun stuff that it does on open networks now has leapfrogged to doing WPA Enterprise kind of missing something in between. You want to talk about some of the new stuff that we're dropping today. Yeah, so I guess the first sorry, my voice is going. I guess the first thing, you know, so we do open, we do WPA Enterprise. There's another one that we should really be doing out of the box, right? So just WPA personal. And we got tired of using tools that capture handshakes unreliably and, you know, we'll have everything, but don't verify that message for I'm not sure if, you know... Has anybody ever gotten the wrong handshake and then you're sitting there with like a ton of graphics cards or paying some of the exorbitant fee for somebody else's ton of graphics cards, and then suddenly, you know, you're not going anywhere. The hash is useless. Right, and we want to avoid that, right? So we want to make sure this feature was rock solid but really simple to do. So another addition to the Wi-Fi Pineapple, which we're releasing today is a, you know, again in the recon live view when you go there, you'll be able to click on a network that has WPA, or sorry, an access point that has WPA security settings. You're going to be able to click on that as a drop down and just say capture, capture handshake. And so that's all it does. It captures the handshake.
You have a little button that will de-auth everything that's like connected to it at that moment, but only the things that you see in the view because again, we don't want to get collateral by accident, right? And thank you so much. And then we present your handshake. So on average, it takes about five seconds ish to get some credentials. Ish? You don't try here because we've tried that before and that just RF nightmare in the wireless village. But, yeah. Yes, and also, you know, speaking to that, one of the things that could be very useful there is a de-auth and that is much more reliable, the de-auth mechanism. Absolutely, yeah. So before we kind of did a bit of an overkill de-auth attack which resulted in a worse experience. So we've throttled that down a little bit and now de-auth works really reliably which is great. Yeah, it's funny just that Sweetsplower is just right. It's like the porridge. Speaking of things that are just right, the Nano and Tetra now have a unified code base. That is so inside baseball it doesn't affect anybody, but it means we can build things faster. A lot faster. So, speaking of building things faster, what are we going to build next? What is coming up in the future? That says, to future, very small. And the gif is missing, or the image is missing. Yeah, that's okay. Oh well. Alright, so we, Couchfault over there finished a little bit early, you know, pre-DEF CON, and so I set him loose on 802.11, go nuts, and within a day he came back with about five attacks that will absolutely break Wi-Fi, as in like de-auth-ish but not. So, that's awesome because that took him a day or two. Can you guess to the point where you're like, you know, the vase has been knocked off the table and smashed into a million pieces and then you came by with a hammer and then you smacked all of those pieces with a lot of pieces and now we've got like ten new tiny hammers to smack all of those little pieces. Yay. Yay, indeed.
Yeah, the other thing that I mentioned is obviously that relay attack for MS-CHAPv2 so that's something that's in the works that's coming for the pineapple very soon. We have, oh, we have a couple of new improvements to just the current pineapple suite and how we do evil access points. So a way to kind of abuse different channels and be on different channels and kicking clients off of certain channels to stop fighting the competition because I'm sure you've all been on an access point or on a network that you were trying to get people off of and onto yours and they just kept connecting back to the access point with an enterprise AP that's got the better signal strength and we're working on a way to kind of get around that at the moment. So you put more honey in the honey pot, right? Yeah, and all the bears love it. Hey, I'm all about bears. So, you know what bears love? They love fingerprinting and tracking, don't they? Yeah, absolutely and that's the next thing that we're working on or well, it's one of the next things that he's working on which is a much more reliable way to fingerprint different devices. So if you want to trail devices or track devices across a place and you know how everyone is randomizing MAC addresses now, all the vendors are we have found pretty reliable ways to basically fingerprint these devices and make sure that once you connect to an access point we can track you and see what you've probed for and what you're looking for. That's going to make everything just a lot simpler in general. Yeah, it means we're undoing a little bit of the work. I'm sure, you know, I'm hoping that at some point it gets fixed, but yeah.
Okay, so the next thing that we're really excited to announce here is something that we were talking about last year that is part of our strategic vision as we have like grown the ecosystem, you know, over the years the Hak5 gear cast of characters, the woodland creatures called Doom have gone from just a pineapple and a duck to turtles and squirrels and bunnies and octopus and everything in between. So what we're really excited is to finally have a way to manage all of that in a more standardized way and something that's a little bit more tenable than all of your discrete individual devices. So today we are very excited to introduce the Hak5 Cloud C2. Alright, so let's start with the like very basics. It's self-hosted, so you get to run your own servers which is, you know, kind of want that. I mean, you can run it on my server, I wouldn't mind looking at your traffic. Oh, you know, that's a new model. You know those friends that, yeah, we should just I mean, you didn't hear any of that. No, so we've got that. What else do we have? Well, essentially it's a single dashboard that allows you to do command and control for all of your network Hak5 gear. So your squirrels, your turtles, your current gen Wi-Fi Pineapples, all in one place. So it's C2 and it works and it's brilliant. And we're going to show you a demo. Yep, so we're just going to show you a demo video because we've not sacrificed enough to the demo gods to make sure that this goes over smoothly. This would have been at least two or three laptops of sacrifice. Yeah, one is not enough. It's not, it never is. So let's go ahead and take a look. And I know I gave like, you know, Dallas a shout out and Couchfault over here, but that interface, that beautiful thing you're about to see is all Foxtrot. So clap for him. You guys haven't even seen it yet. Okay, so I'll just paint a picture for you. It's a black background with bright green text with little boxes. Again, I'm very sorry about that.
So it's kind of modern and new. And here you can see all of your devices connected. You can add and delete devices very easily. Simply nickname your device. This is the one in the hallway. This is the one in the reception. Whatever type of device and we'll add to those as we create more Hak5 gear. And specifically for the Wi-Fi Pineapple, you have complete control over PineAP and recon. So if you're familiar with managing the Wi-Fi Pineapple over its current interfaces should seem very familiar, but a lot sexier. And of course, recon scans and connected clients should also feel very familiar. And with this interface you're going to be able to see all of the clients and all of the devices across the entire fleet. So if you've got hundreds of these deployed across a campus, you now have a central interface where you can see all of these. Or if you're a pentest firm that does wireless audits, you can send these to your client sites and say here just plug this in and it connects back to the C2. So this is as you've seen, this is the first of all, this is a demo. It's release. Yes. So this is live September 1st. We're going to have a release event. It is a cloud software package. So we're going to have a release event in the cloud. Because also we're all remote so we need to be. So apart from releasing it this is version 1.0. We, those who know our development cycles, we usually push out updates very, very quickly and we listen to whatever the community wants. So if we don't do that call me out on it please. But we kind of wanted to see what you guys want with this. We have a few ideas and I'm going to run through a couple of those and things that we're going to implement. So first of all, we want to make this extensible in one way or another for other people to be attached to. So that's one portion of it. I think that's kind of core to the ethos of all of our products whether it's payloads or modules. We want people to be able to contribute to this. Absolutely.
The other thing that we really want to do is so, you know, you saw on the pineapple right now there's a lot more that you can do on like locally connected the pineapple versus connected to the web interface. There's quite a lot more because it's obviously a device that's been in development for many years. It's really fresh. The idea has been around for a long time but the actual code base is quite fresh. And we are I think the framework was put together in such a way that it can be built upon very simply. There's a lot of intelligence being put into just the protocol that it's using so that adding to this is going to be a breeze and it means that, you know, as we come up with more ideas of what you can do with your pineapple remotely or even new devices or new transport mechanisms we'll be able to adapt to the whole thing to that. Right. So, for example, right now the way that this device connects to the C2 is over HTTP or HTTPS, obviously, you know. Even if it's over HTTP, it's AES encrypted and signed so, you know, it's whatever we can get out for now. But we are adding everything from DNS tunneling to ping tunneling to TCP. Smoke signals. Yeah, smoke. As long as you get some sort of packet out of a network you'll get to connect back to you and you'll get updated information and be able to feed information back. Along those lines, though, has anyone ever wanted to have, like, a wireless card across the country? Like, that you can use as if you were there and you don't have to, like, SSH into a box and run the tools there. You want to run them locally? Okay, a few, yeah. Okay. So, that's something that we're working on which seems like a really weird idea to everyone I've talked to about this, really likes it. It's basically we spin up a local interface and you can run your tools on it and they'll just relay that back to the device and the magic happens in between.
But, yeah, why don't you want to, I mean, I guess we have a competing product to airodump, but why don't you want to airodump over your interface locally, right? Why don't you want to do run Wireshark on your local interface? You don't want to have to have a capture that you then pipe back that you then work with that way, right? So, sometimes it's easier to use your own tools. That's something that we're doing with it. It also means that all of the Hak5 gear that you already have will be able to integrate with this right now. And in traditional Hak5 fashion, we're releasing this to you for free so that you can start using it and give us some feedback and really shape the way that it's going to grow. Because we're really excited to see this as kind of the new model for interfacing with your Hak5 gear. All right, so at that point, I'm sure you have plenty of questions for the people here. So we've got about 17, oh, 12 minutes left until we need to start clearing this room out for the Hak5 meetup. In which case, you can actually even have some beers with us and continue to ask and harass Lavender. So he's wrong. For anyone that actually kicked out. Forget what I said about best man. No, I'm not going to. You ask me that every year. Any legitimate technical questions or questions about vector art? I mean, I love that. The question is, any chance we're going to see the bandwidth on the squirrel go up anytime soon? We're going to release a firmware update tomorrow that will increase your Packet Squirrel's 10/100 network. I'm being told that's not physically possible, but no, we are working on additional equipment. So the idea with the Packet Squirrel was to be that low barrier to entry and to be that small footprint and to be that low power profile and for many of the things that we're using it for, like for instance, capturing all port 9100 stuff destined to the HP printer that it's buried behind. Anybody know what goes through port 9100 to HP printers?
Yeah, fill your USB disk full of that stuff and it doesn't matter if it's gigabit. Most of those things are already 10/100 anyway. However, it is a much more expensive problem to solve both on a hardware side and a software side and it's something that we're actively doing. I can't give you an exact date, but as we have done with all of the products, we're continuing to look at where we can innovate and that's one of the biggest pieces of feedback that we've received on the Packet Squirrel and so we're hoping that we can augment the product line with additional packet squirrel lily squirrel's is... Any other questions? Question is, will the Wi-Fi Pineapple have full functionality through the Hak5 Cloud C2 without having to log into the Wi-Fi Pineapple's web interface? So I think most things that you are going to be able to do locally, you will be doing through the cloud in the future. There'll be some things that don't make sense to have in the cloud such as changing... I don't know, clearing your page cache or something like that, managing API keys. There's a lot of inside baseball stuff. Yeah, so stuff that's specific to your local access, right, is probably not something that you have to bother about anymore. Stuff like being able to change your MAC address, being able to set up different ways to get internet, being able to configure those things, reconfiguring, reconfigurations, changing where the C2 goes, firmware updates via the C2 and stuff like that. You'll see all of that being rolled out so the answer is pretty much yes. Anything that's applicable will make it to the C2. There was a question in the back there earlier. Yes, absolutely. So right now it's a single user but it works across, like if you share that user, which, you know, don't do that, but if you share user amongst the company then yes, obviously you'll be able to use the interface and nothing will conflict with itself, so at least we have that covered.
Now in regards to the actual multi-tenancy, that is something that we will have in the next version that's going to release, or actually we might still be able to put it into that version because it's a database in a day. But yeah, so if that's something you guys want, sure. I know that that was like, you know, a big thing when you could do the similar stuff, multiple red teamers on a single engagement using your common pen testing frameworks, and we would be happy to hear more from you if you've got time later on to let us know your specific use cases. And along those lines of the multi-tenancy we will also have multi-site support, which means basically, you know, you have your different working sites and you'll be able to select the different areas that you've deployed the things in, and so then you have multiple people working on the same cloud server but with different things. Right, which is good for me as the pen tester to be able to see the difference between the pineapples that I have planted at Seb's house versus the pineapples that I have planted at Couchfault's house. You should look under your bed. Has anyone seen a cow? There is a small stuffed cow, there's a reward, it's $100 if anybody would like to turn in a small stuffed cow. I think you'd have to fly to Oakland really quickly. If you conspired with her. No, I didn't know such thing. I didn't want to cause any tension. Sorry, can you repeat that one more time? The day's been very long. Yes, absolutely. Yeah, absolutely. And there's actually, so even though the Bash Bunny for example isn't a networked device, there is a thing, I guess we can talk about that because we talked about other things. Has anyone ever made a proxy using WebSockets? Have you ever proxied stuff over HTML? Yeah, it's fun, right? Hey, no, come on. SOCKS5 proxies, this is the best, right guys? Who doesn't like proxy chains through your proxy chains? Honestly, I just RDP to a host and then VNC from there into the next thing.
So imagine all you need to do is open a single HTML page anywhere, be it locally, be it remotely, be it wherever, and be able to pivot through the HTML page, literally HTML page, well JavaScript, you know, but a blank page that will just tunnel your connection. So basically a VPN but with a hop over HTML page. In which case it's technically possible to network the Bash Bunny in a way that has never been done before. Correct, which was originally the idea on like how do we do updates and so on without you having to mess with internet connection sharing, which is difficult across different OSes, and we thought like an HTML page, you'd be happy. Right, and this is really fun and experimental but opens up a world of possibilities when you think about the bring your own network attacks where you can do things like captive portals to automatically open pages on the hosts, even potentially if they're locked, and I think that's something that we'll continue to explore. I know that that's something that's kind of proof of concept stage right now, so I can't wait until that comes to fruition, but that's a great point because it's more than just squirrels and turtles and pineapples, there's a lot more to the ecosystem. Yes, back here. Okay, the question was about the Wi-Fi Pineapple Mark 4 that came out in 2014.
Yeah, so it's a single radio device by default, right, so if you add another radio and you add more power and you add more RAM and you add more, you know, then you start porting back features but without you making a really weird Frankenstein device that's not repeatable and yeah, so basically no, but I would... Okay, so to answer a different question, we're really focused on adding the features that are going to have the biggest impact and spending our time in a way that's going to help the vast majority of you, and we know that there's a lot of really cool edge cases and trust me, we've gone down so many edge case rabbit holes just because we're hackers and we love to see things blink, but we also want to provide you guys with the tools that allow you to get the job done because we've got more important things to do like playing Counter-Strike Go. Which we can do now because we've got that. Right, right, right, right, but also we want to get the hack done so we can get paid, so while yes, that is technically feasible, and the problem with asking a hacker if they can do something technically feasible is we will rise to the occasion and do that, but then we will ignore the base that is using the current gen stuff that we should focus on adding features to, so that's where we're going to spend our energy. So the question is whether or not there's going to be any obfuscation in the data transmissions between Hak5 gear and the Cloud C2 so that anybody eavesdropping in between would be able to know that, oh hey, there's a bunch of Hak5 gear in your network. Seb? Yeah, so the answer I guess for the first version is kind of, it's encrypted and signed, which means that it looks like any data leaving, it's garbled, right, you wouldn't be able to really identify that this was going to a C2 unless you hit the IP address and worked out what was happening there. Excuse me, I'm really not doing well tonight.
Also, this wouldn't really apply to a LAN Turtle 3G. Have I mentioned how many fun stories we've heard so far about the LAN Turtle 3G being in fun places? If you are one of those, whether you have shiny shoes or not, and would like to tell me privately about the fun places that your LAN Turtle 3G has been in, all ears, lips are sealed. Go on, Seb. Right, so but back to your question, right, so the obfuscation, we can do things to make it look more like the current protocol that's going over. Right now there's two ways that we do it. The first is HTTP, this does not look like, I mean it's an HTTP request but the body is encrypted, so it doesn't look like your standard HTTP traffic, right. The other thing that we do is we do the default mode, which hopefully you all use, and yeah, Let's Encrypt built in, but the, I guess the point is that if you do that then yes it is. If we're doing egress through pings or through DNS and so on then it gets a bit finicky because you have to make it look as real as possible, and they're going to be real requests, but obviously if you look at the payload you may realize that this is not. And again, this is the kind of place where we really rely on you guys for the feedback because it really depends on the engagement, and for many engagements we're hearing feedback like, hey, that doesn't matter, I just want to ship these to the client site, they know that they're plugged into their networks, they're here to find rogue things. That's kind of funny, Wi-Fi Pineapples finding rogue things. But in any event it really depends on the scenario, and so this is why we hope that you'll give us that kind of feedback to really tell us where to go with this. Yeah, sorry, the last thing I want to say to that: the idea of the egress busting isn't necessarily to go out covertly, because you can't get out of the network. Who has shipped a device to another location and then ask them to like open a port or had... I see nods, I know those nods. But basically, you know, sometimes working
with clients is very difficult and getting egress out, even if it's purely outbound, and it's like, yeah, there we go, it's hard, right. So it's less to do with the fact that, you know, we want you to be able to go out secretly, that's part of it obviously, but it's more to do with the fact that if they allow HTTP out, if they allow WebSockets out, at least then we get a streaming socket that looks like HTTP, right. If we get UDP, TCP, ICMP, whatever we get out, we're going to try to get your connection back so you can get your job done. Yeah, a lot of the focus on the underlying, you know, framework and about the reliability aspects, because we've heard the horror stories where the laptop gets sent to the client site, oh just turn the laptop on and then we'll be able to pivot through and do the pentest on the network, and then we hear the terrible stories about how many days and weeks go by and the late night remote sessions because they're in a different country to get everything working. So right now we're just focused on that aspect. I think you were up before earlier, yeah, here. The question is whether or not after deploying Hak5 gear in a network there's ability to disable the reset functionality. I'm assuming you're talking about in regards to the moment where, oh crap, the Hak5 gear gets found and now they're doing forensics work on it. Nod yes. So they don't reconfigure, they go, oh, free pineapple. Yeah, absolutely, so there's that. The current way that we do configuration is via configuration file. So I'm not sure if the video showed it off, but there's a little button on the side, this is download setup data or setup. You click that button, then you click on the file back, and you just either, on the pineapple there's a web interface for it where you just upload the file and it's done, on the turtle and the squirrel you just put it on the USB or SCP it over. So that's the setup. We're trying to make this setup easier and easier as time goes by, but we're also working on things like rekeying so that if
data is in transit and it was logged that it has been rekeyed and stuff like that, right. So we're trying to make it as hard as possible to, you know, go and recover data and so on for anyone that does find the devices. But again, like things like being able to reset it, reboot it and so on, it'll always try to come back in that state. Say with firmware updates, right, firmware updates we usually always wipe everything. For when it's deployed to the cloud controller we don't wipe everything, it just wipes the things that it needs to wipe and the things that are important for the cloud connectivity, and it'll just restore back from the cloud. Probably also disable the reset switch, maybe it is, but yeah. So the question is, is going to have comprehensive auditing and logging so that you can find out which of your red teammates messed up. So I'm notoriously bad at logging, but thankfully we have this guy here who logs everything. You should see his debug output for the client, like just do like, what is it, like dash hex or something like that. Yeah, basically, but you see way more information than you ever need to see. But we are going to have stuff like that in the server too, probably not for version one because that's a whole thing where we need to figure out how do we do it in a way that it is actually safe and logged to a proper database and doesn't die when, you know, something breaks. We don't want to corrupt the whole thing, so it takes a little bit more thought, but that's something that we're going to have. Yeah, and this is the kind of stuff where we want to hear like what is the interoperability that you're going to want to see with this, with the other products that you're already using, where you're going to actually be able to leverage this in your organization to its fullest effect, where it can plug into your existing infrastructures. Yeah, like your SIEM or something like that. So anything that's relevant we'll try to pull in and export it to those type of formats, so please let us know
you want it integrating with your SIEM. So the question is, am I understanding that your question is how is this going to be hosted or deployed? Sure, it's cloud based. Okay, right now it's on your cloud, as in go and find a VPS and Amazon AWS or whatever you prefer, or your local machine, it could be localhost. I've been to 127.0.0.1 and it's a great place to be, you can run it there. And how do you run it, Seb? This is brilliant. So, um, I'm going to annoy these three a little bit. Who here programs in Go? You guys don't have anything to throw, the people that program in Go over here, it's great. Now anyway, I love the language, which means that it's easy for us to do a cross platform, it's easy for us to package everything up in a single binary, so that means you basically just dot slash run it. It's got an embedded database, it's got embedded HTML, so I mean it means that potentially there could be a Windows version, but he's now giving me that death stare that he gives me sometimes. I'll give you a Windows version but only you may run it because I don't want to break your machines. This is something that you're going to be able to very easily spin up, a couple of clicks, automatically generating certs and everything, and adding your devices to it is as simple as clicking add, giving it a nickname, choosing thing from the drop down, it gives you a file, copy that file to your device, you're good to go. You put this in the cloud, DNS doesn't matter, you change it later, it's as simple as moving a web server where you just change DNS. So I guess the only other thing that, like along those lines, that I've wanted to do is if you do have a dynamic IP for whatever reason, right, we'll be able to tie in with some basic things like DNS and stuff like that. Yeah, any other... I'm more interested which one to use, it's a same, I normally don't share a secret, you know, it's just a yes. Sorry, the question was are we going to add, sorry, I do this thing where I don't repeat the question, is really bad practice. Is there,
will there be a way to do 802.11x in client mode on the Wi-Fi Pineapple, and the answer is yes. So yes, sir. So you want to do a Docker. The question is, is there a reason that we just run it as an executable rather than a Docker image or something of that nature? Yes, so you can run in a Docker, we can publish a Docker image, but it would just be, what's the very basic, Alpine? No, it's Alpine, yeah, okay. So Alpine, we can give you an Alpine image which has a network stack in the binary, like we do that, but really the reason why we didn't is because it's up to you. If you want to deploy it in Docker, if you want to deploy it locally, do it locally, if you want to deploy it on a Raspberry Pi you can do it on a Raspberry Pi, so that was kind of the idea behind it. There's no dependencies to it either, as long as you've got a, well, it's Go, it runs on Plan 9, or does it anymore? It runs on everything almost and it doesn't require a database to set up, so there's no MySQL, it just creates a file and it, you know, uses that as a database, obviously not just crazy. Alright, we're going to take one or two last questions here as we are much over on time. Oh brilliant, we nailed it. One more. Hack the planet indeed. Well, thank you so much you guys for being a great audience today, thank you for giving us the energy to continue to make these awesome products, thank you for, thank you to our amazing team once again for working tirelessly to bring you guys the awesome new Wi-Fi Pineapple features in the Cloud C2. Alright, as those, I'm Darren Kitchen. I'm Sebastian Kinne. Stick around, we're going to have a little shindig. I think there's an open bar, I hope there's an open bar. Alright, we're going to have to play musical chairs and get these chairs out of here, but thank you guys for coming, stick around for the Hak5 meetup right here.