Popular Content

Showing content with the highest reputation since 02/23/2017 in all areas

  1. 10 points
    BunnyTap is coming...

        415 ?     Ss   0:00 /usr/bin/SCREEN -dmS dnsspoof /usr/sbin/dnsspoof -i usb0 port 53
        417 ?     Ss   0:00 /usr/bin/SCREEN -dmS node /usr/bin/nodejs ./bunnytap.js
        419 pts/0 Ss+  0:00 /usr/sbin/dnsspoof -i usb0 port 53
        420 pts/1 Ssl+ 0:02 /usr/bin/nodejs ./bunnytap.js
  2. 8 points
    Hello all, With Macs (and Linux) you have to know the device of course to serial into it. To make it quicker for me I wrote the below script to search the Mac for the Bash Bunny (if you have multiple modems this may not work for you) and prompt you to connect to it. Feel free to use and modify as desired.

        #!/bin/bash
        #
        # Title: Mac Serial Connect
        # Author: NightStalker
        # Version: 1.0
        #
        # Finds the Bash Bunny in the /dev/cu.* location and
        # prompts you to connect to it.
        clear
        # The Bash Bunny enumerates as a USB modem; pick that device node.
        bunnyloc=$(ls /dev/cu.* | grep usbmodem)
        echo "Bash bunny is located at: $bunnyloc"
        read -r -p "Would you like to connect to it? (Y/N): " connanswer
        echo "$connanswer"
        if [ "$connanswer" == "N" -o "$connanswer" == "n" ]
        then
            exit 0
        elif [ "$connanswer" == "Y" -o "$connanswer" == "y" ]
        then
            # Serial console at the Bash Bunny's baud rate
            screen "$bunnyloc" 115200
        fi
  3. 7 points
    Evil Portals
    Portals are compatible with both the WiFi Pineapple Nano and WiFi Pineapple Tetra, and only with Evil Portal module version 2.9.
    Github: https://github.com/kbeflo/evilportals
    Manual installation of Evil Portal 2.9
    Github: https://github.com/frozenjava/EvilPortalNano/tree/development
    Captured data will be stored on the Tetra at /root/evilportal-logs/oauth-login.txt or on the Nano at /sd/evilportal-logs/oauth-login.txt
    Note that this project is for educational purposes only. No contributors, major or minor, are at fault for any actions done by this program. I'd be happy to hear about issues, suggestions and requests. Feel free to contribute new templates and improve the project.
    Screenshots shown here are not actual and have been stripped of trademarks for forum discretion.
    [Screenshots: Android Marshmallow, iPhone, Logs]
  4. 7 points
    not sure what it is yet but just shut up and take my money!!!
  5. 6 points
    This payload exfiltrates specified documents to the Bash Bunny via SMB (Windows File Sharing). https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/smb_exfiltrator The first stage injects keystrokes into the run dialog. The powershell one-liner waits until the Bash Bunny appears as a network, then copies files and exits. The powershell runs in a minimized state to limit visual impact on the target. The second stage switches the attack mode from HID to RNDIS_ETHERNET and sets up an SMB server using Impacket. It then waits for files to finish copying from the target to a temp directory. Once exfiltration is complete, files are moved to a named and numbered loot directory on the USB disk partition. A video walk-through can be found on Hak5 episode 2202: https://www.youtube.com/watch?v=VPhqD__lOBQ Version 1.0 of this payload uses conservative delay values and is not optimized yet for speed. A number of powershell aliases and shortcuts can be used to limit the first stage, while the function which waits for files to finish copying can also be improved. Hope you like it guys! Cheers from Indonesia :) --Darren
  6. 6 points
    It really depends on what you're wanting to do. The Armory has some nice specs for a dev platform - so if you have a specific use case in mind and are keen on the programming, go for it. The Bash Bunny is a purpose built pentesting platform. We emphasize the convenience factor and really try to foster a healthy development community around the tools. It's a simple plan that's been working for us for nearly a decade as we've been making infosec tools. So - you could probably do some nifty attacks with the Armory, but there'll be more heavy lifting involved. As for the hardware differences - while Micro SD is nice for memory expansion, the fast SLC NAND memory in the Bash Bunny is one of the enabling factors for the quick boot -- which is very important for physical pentest engagements. The Bash Bunny has a 50% higher clock speed and 4x more cores. The other specs like RAM and dimensions are similar. At the end of the day it's really the software, community, and continued support you've come to know from Hak5 that makes the difference.
  7. 5 points
    See some people getting stuck with updating bunnies and tools etc. so I put together a quick list of what I did from a brand new Bash Bunny on my Linux box. I'm sure there are some differences with OSX and Windows but in general with adaptation or tweaks this should work for all as a general outline.
    1. Read the wiki - seriously, even if you don't remember it all, know where it is and use it for reference.
    2. Switch position to 3 (closest to USB) and insert into the PC. With mine I got a blue light. I also backed up the original payloads dir but it's not required.
    3. Clone the payloads github locally or download the zip and extract the contents.
    4. Copy the payload folder you just cloned or extracted to the Bash Bunny storage and overwrite all. You now have the latest payloads. At this point if you were to unplug the bunny, select switch 1 or 2 and then reinsert, you would see a purple light rather than the blue one that came from the factory (at least mine did).
    5. Some payloads require dependencies, such as quick creds. You install the dependencies using the tools_installer payload, so it's worth running this payload as your first payload. On the Bash Bunny storage delete the payload in switch 1 or 2 and then CUT the contents of /payloads/library/tools_installer/ to the switch folder of choice. DON'T copy it as there is a slight bug if you have 2x copies of this payload on the Bash Bunny storage when it's run. Unplug the bunny and select the switch to match where you placed the payload and reinsert the bunny. If all goes well you should eventually see a white LED. If you see a red LED you may need to check the forums.
    From this point you're ready to try other payloads or start developing new ones. Talking of which, I almost forgot: DuckToolkit adds support for new languages and uses the Ducktoolkit python library for encoding.
    I had some issues getting the bunny online with ICS on Linux but it was mostly down to me not reading things in the bb.sh ICS script; I will point them out in case others do the same.
    1. A factory fresh Bash Bunny can only ICS when the switch is in position 1 or 2, not in arming mode position 3. There is no Ethernet device on a factory fresh bunny in arming mode.
    2. When you download and run bb.sh it should first be run without the Bash Bunny inserted, and when the script gets to stage 3 you insert the Bash Bunny to complete the guided config.
    3. Just because you configured bb.sh does not mean you're online; you still need to hit C to connect with the current configuration and start ICS.
    So from here you should have a Bash Bunny with up to date payloads, dependencies installed, and be able to ICS to get it online if required. Hope this helps some people.
  8. 5 points
    The Bash Bunny averages 1.5A idle - 2A at load - so it works well with either the TETRA or NANO.
  9. 5 points
    Hopefully I have something people can try out in a couple of weeks :)
  10. 5 points
    Sorry about skylu being a bit of a dick. Most people here tend to be a bit more willing to help. The problem with your question is that "getting into hacking" is a very broad thing. It's like saying "I want to become a surgeon", but that can be anything from a vet to a brain surgeon. So maybe you could elaborate a bit on what, specifically, you want to do? Something that might be able to get you started is this very lengthy thread in our security section. It's mostly about how hacking programs, coming to grips with the underlying technology and working out why things act the way they do, but there's a couple of outliers there. Just browse through that, see if there's anything that tickles your fancy and go from there. One thing I will say is that questions, while very welcome, tend to get a better response when you show that you've already done some of the basic work in researching the subject (google, wikipedia...) yourself and your question is about something somewhat specific.
  11. 4 points
  12. 4 points
    Hello all, being a proxy engineer, when I got the Bash Bunny the first thing I thought of was how can I force people who are (excuse my assumptions here) lazy to lock their machines when they walk away and leave them vulnerable. As a pentester an unlocked and unattended machine is a gold mine but you sometimes only have those few precious seconds to gather the data you need. If you could set a proxy and, more importantly, an SSL proxy by inserting your certificate as well, you could gather all the intel you need even after the initial attack. Enter Proxy Interceptor (geeky name I know). This payload will enable the proxy settings and import the proxy certificate to the certificate store, allowing you to man-in-the-middle the user's web traffic including gathering credentials for later escalation use in the pentest. The payload is simple, using PowerShell and Ducky Script, and the end of the payload will even eject the Bash Bunny so you can just unplug and walk away. The script is 1.0 so there is more I want to do with it later including adding support for Firefox, running confirmation tests, dropping a script for persistence, and more. As of now this only affects IE and Chrome. Also there is no failure detection as of yet in the PowerShell scripts; you just will not get the purple LED to confirm it is completed. I would love to hear your thoughts. https://github.com/ajmatson/bashbunny-payloads/tree/master/payloads/library/Proxy_Interceptor
  13. 4 points
    This is a little later than I had liked but I'm finally ready for an 'Alpha' release. From the team that brought you https://ducktoolkit.com I am happy to announce https://bunnytoolkit.com The concept is fairly simple. All the payloads that are in the github can be opened in the browser. You can then edit the files in the browser, make changes as you like, and once you're happy with the changes click the download button to get your payload folder. Copy the contents of this into a switch position and away you go. For those who need a quick way of creating your own payloads we have the custom payload wizard. Answer some questions or pick a template and when you click finish you get a page that contains all the base templates which you can then add your own code to and save as you do with the payload editor above. I will continue to add more custom features to the wizard and welcome any feedback or thoughts you may have.
  14. 4 points
    Don't fuck with the school computers. We hate that shit.
  15. 4 points
    Thought some here might get a laugh out of it. If you've ever taken an Offsec course, you'll know this feeling. http://www.captiongenerator.com/320492/Offsec-Student-Admins
  16. 4 points
    By default the installer doesn't work if you *copy* the content of /payloads/library/tools_installer to /payloads/switch1/; you have to *move* the content of /payloads/library/tools_installer to /payloads/switch1/. But before doing that you need to clean any previous installation attempt by logging into the serial console as root and typing:

        rm -rf /pentest

    The explanation of the failure is in the install.sh script. The following line

        TOOLSDIR=$(find /root/udisk/payloads/ -name tools_to_install)

    returns 2 entries instead of just one.
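    An added example (not part of the post or of the install.sh it describes) that reproduces the ambiguity behind that find line and shows the guarded lookup an installer should use instead: the payload tree is constructed in a temp directory, with and without the leftover library copy, and the lookup refuses to proceed unless exactly one tools_to_install directory exists.

```python
import os
import tempfile


def find_tools_dirs(payloads_root):
    """Return every directory named tools_to_install below payloads_root.

    This collects the same matches as the install.sh line
        TOOLSDIR=$(find /root/udisk/payloads/ -name tools_to_install)
    but keeps them as a list instead of a single whitespace-joined string.
    """
    matches = []
    for dirpath, dirnames, _filenames in os.walk(payloads_root):
        for name in dirnames:
            if name == "tools_to_install":
                matches.append(os.path.join(dirpath, name))
    return sorted(matches)


def resolve_tools_dir(payloads_root):
    """Hardened lookup: succeed only when exactly one tools_to_install exists.

    Zero matches means the payload was never placed in a switch folder;
    two or more means the library copy still sits next to the switch copy
    (the 'copy instead of move' mistake), so refuse rather than guess.
    """
    matches = find_tools_dirs(payloads_root)
    if len(matches) != 1:
        raise RuntimeError(
            "expected exactly one tools_to_install directory, found %d: %s"
            % (len(matches), matches)
        )
    return matches[0]


def build_udisk(copied):
    """Create a constructed Bash Bunny payload tree in a fresh temp directory.

    copied=True leaves both the library copy and the switch1 copy in place,
    which is the layout that makes the original find return two entries.
    copied=False models the library copy having been moved, leaving one.
    """
    root = tempfile.mkdtemp(prefix="udisk_")          # constructed, not /root/udisk
    payloads = os.path.join(root, "payloads")
    os.makedirs(os.path.join(payloads, "switch1", "tools_to_install"))
    if copied:
        os.makedirs(os.path.join(payloads, "library", "tools_installer",
                                 "tools_to_install"))
    return payloads


def check_layout(copied):
    """Return (match_count, resolved_path_or_None) for a constructed tree."""
    payloads = build_udisk(copied)
    matches = find_tools_dirs(payloads)
    try:
        resolved = resolve_tools_dir(payloads)
    except RuntimeError:
        resolved = None
    return len(matches), resolved


if __name__ == "__main__":
    print("copied:", check_layout(copied=True))    # 2 matches, lookup refuses
    print("moved: ", check_layout(copied=False))   # 1 match, lookup succeeds
```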
  17. 4 points
    When I do physical assessments that have WPA/2 enabled wireless networks I would like to have the ability to walk around the facility with a pineapple in my backpack and have it constantly trying to get a handshake in a reliable way. Here are a few requirement requests:
    1. Stability is key. I might only get one walk through to get it done.
    2. Needs to support more than one WPA ESSID (name). If I am targeting a building and they have an Employee and a Guest network I need to be able to get both in one go. See #1.
    3. Ability to automatically verify the handshake is valid via Aircrack or other tool.
    4. Remove WPA ESSID automatically from the rotation if a valid handshake is captured.
    5. Shutdown the pineapple if all captured (save battery), optional setting.
    6. Constantly be re-scanning the area for the best AP to target. (If "BOBWIFI" is no longer in range it shouldn't attack it again.)
    7. Always target the AP with the best signal if possible.
    8. Prioritize APs with clients if possible.
    9. Have an auto-on with loaded AP names so I can just plug in the Pineapple when it's go time and not have to configure anything post-boot.
    10. Have the ability to auto-add APs in the area to a "temp" list while keeping a "target" list.
    11. List of APs with captured/verified handshakes for easy download of the cap file.
    12. Use both wifi cards if possible for 5 GHz (TETRA) as well as 2 GHz.
    13. Try a few ways to get the handshake; I know there are a few techniques out there but I don't recall them all.
    Thoughts?
  18. 4 points
    Here's some hi-res nude bash bunnies!...
  19. 4 points
    It's the kinda hardware you're gonna wanna hop on... PS: How do you know when a joke becomes a dad joke? It's apparent.
  20. 4 points
    Weak** not week. This isn't anyone's fault. No one actively seeks to have their accounts hacked. Yelling at someone changes nothing. Drive by attacks that go after accounts happen all day long. Weak and strong passwords get hacked, including 2FA. 2FA makes it much harder, but depends on the implementation. If they have it sent to a phone and they also hacked the phone, it's not going to help. Not everything out there does 2FA either, and I personally won't use it with my phone, as that is my own belief that a phone is no more secure than your password. Someone wants to get in, they'll find a way. Yubi-key might be the only thing I'd go with for 2FA, and even then, you lose it, you have to have an alternative backup to get in, which again defeats the use of 2FA if a reset is possible in any way once 2FA stops being accessible for any reason. As for the attacker's IP, never a guarantee it's the actual attacker, and given the amount of Russian bots out there, more than likely it's a proxy or hacked account anyway. Only thing you can do is change all your passwords, if possible, use a different email address for multiple different accounts or groups of emails for types of accounts, i.e.: one for game sites, one for social networks, one for fam, one for work, etc. Also, never reuse passwords among sites, and always safeguard passwords, preferably not stored on your machine unless using a password locker or such, but I'll admit, I've had passwords for things stored in text files at times when I needed them in the past. Mostly I memorize them all now, and when I can't remember, I do the reset password dance as needed.
  21. 3 points
    MANA-Toolkit! Now for the Pineapple NANO + TETRA. (IPK installation files, and source files ready to compile with the OpenWRT SDK)
    MANA-Toolkit also includes a working version of SSLstrip2+dns2proxy for the Pineapples. (Which you cannot find anywhere else)
    Last update: 21.02.2017
    Changelog: Beta release of the Mana Toolkit "Module".
    SSLstrip2, SSLsplit, dns2proxy, crackapd, net-creds, firelamb and every part of the MANA-Toolkit comes with the package. (Even aslEAP)
    Install procedure:

        root@Pineapple:~# wget -qO- https://raw.githubusercontent.com/adde88/hostapd-mana/master/INSTALL.sh | bash -s -- -v -v

    How do I start MANA?
    Make sure you are not using wlan1 for anything. If you are, hostapd-mana will not be able to set the interface to 'master' mode. Just type 'launch-mana' in the terminal to launch the attack.

        root@Pineapple:~# launch-mana

    Module: https://github.com/adde88/ManaToolkit
    I have released a beta version of the Mana Toolkit "Module" for the Pineapples. This lets you launch the attack from the Pineapple's interface. General feedback or tips for improving the module are greatly appreciated!
    Github repos + source code:
    https://github.com/adde88/hostapd-mana-openwrt
    https://github.com/adde88/hostapd-mana
    https://github.com/adde88/ManaToolkit
    The first repo contains the IPK files you need to install everything, but it also contains the files you need to build it yourself with a proper SDK. The second repo is used by the SDK. The SDK Makefile will download everything it needs from the github repo to build the MANA-Toolkit package. You don't need to touch the second repo to get anything up and running. (The OpenWRT SDK handles this automatically.) The third repo is the Mana Toolkit "Module".
    Important directories:
    Startup script location: /usr/share/mana-toolkit/mana-pineapple.sh (A copy of the script that launches the attack)
    Config files: /etc/mana-toolkit/
    Log files: /var/lib/mana-toolkit/
    You will find the usual MANA tools installed at: /usr/share/mana-toolkit/
    OPKG installation files: (For those who want to install it manually)
    https://github.com/adde88/hostapd-mana-openwrt/raw/master/bin/ar71xx/packages/base/asleap_2.2-1_ar71xx.ipk
    https://github.com/adde88/hostapd-mana-openwrt/raw/master/bin/ar71xx/packages/base/hostapd-mana_2017-01-12_ar71xx.ipk
  22. 3 points
    This seems like a good start. https://nuxview.blogspot.com/2016/11/poisontap-setting-up-backend.html?m=1
  23. 3 points
    I actually started working on a program you can execute on a target machine (that does not require root/admin) that will be able to automatically share internet connection to the Bash Bunny. It's not a priority, yet, but it shouldn't take too many evenings to implement.
  24. 3 points
    Hey everyone, I just had a thought... wouldn't it be better to categorize all payloads in different folders for what they are meant to attack? Like a folder for Windows attacks, one for Mac, one for Linux, one for universal, one for Bash Bunny installers and so on.. I just feel like the library is going to be very messy if not :/
  25. 3 points
    PR is waiting for approval
  26. 3 points
    Sounds like a good use for a supercap or a microlipo.
  27. 3 points
    As the project progresses we're going to find dependencies that might be best to bake into the firmware. This is one of them. The install script expects an Internet connection. I skipped this in the episode for time. I expect to be doing more in depth style screencasts on stuff like this soon.
  28. 3 points
    The SSD is split up between the OS (3.2 GB), the swap (~1GB), the USB Disk (2 GB) and the Recovery partition (1.6 GB)
  29. 3 points
    Hello all, while I am no Photoshop expert I wanted an Icon for my MAC when the Bash Bunny is plugged in as storage so that I can quickly find it so I made the below and wanted to attach here for anyone who would like to use it. This is an original image of mine not one I downloaded. I may clean it up later if needed and will update if I do. It is saved as a .PNG and the first image is how it looks on my MAC desktop. To save just right click the bare drive image and save to your desktop and follow your OS requirements to assign to the Bunny. Cheers, NightStalker
  30. 3 points
    Update Notifications on web interface, thanks to @stilia.johny. Tetra compatibility. Thank you for the help and testing to @Just_a_User and @b0N3z.
  31. 3 points
    If you inspect the packets and ports, you'll see there is a command prompt of plain text data going across the line, over the normal port for DNS. I would believe this to be compromised in some manner, as you shouldn't see the following being SENT and received from port 53 (which is domain name service) in a normal situation. DNS should only be used to resolve names, but in the pcap you link to, it looks to be using it as a covert channel to connect to a remote machine on this port, possibly to bypass IDS or filters on the network that don't block port 53 in and out.

        Microsoft Windows XP [Version 5.1.2600]
        (C) Copyright 1985-2001 Microsoft Corp.

        C:\>dir
         Volume in drive C has no label.
         Volume Serial Number is FF47-80EB

         Directory of C:\

        01/12/2005  11:59 AM                 0 aierrorlog.txt
        01/19/2004  09:45 PM                 0 AUTOEXEC.BAT
        01/19/2004  09:45 PM                 0 CONFIG.SYS
        06/26/2004  12:12 PM    <DIR>          Documents and Settings
        02/03/2005  11:40 PM    <DIR>          EasyBoot
        02/29/2004  02:51 PM            11,531 installer-debug.txt
        12/19/2004  12:50 AM    <DIR>          mga
        12/19/2004  12:51 AM    <DIR>          mgafold
        11/24/2004  07:47 PM    <DIR>          mnt
        10/07/2004  10:01 AM    <DIR>          movie
        06/26/2004  01:03 PM    <DIR>          My Downloads
        01/13/2005  10:52 PM    <DIR>          Program Files
        01/04/2005  10:27 AM    <DIR>          quarantine
        04/19/2004  09:57 PM             7,241 s37g
        10/31/2004  08:36 PM                 0 s3fs
        06/02/2004  08:54 PM               123 systemscandata.txt
        08/08/2004  10:48 AM    <DIR>          Temp
        12/12/2004  02:24 PM        94,135,944 temp.mpg
        01/13/2005  06:10 PM    <DIR>          WINDOWS
        11/20/2004  09:27 AM    <DIR>          WUTemp
                       8 File(s)     94,154,839 bytes
                      12 Dir(s)   7,145,897,984 bytes free

        C:\>

    looks like it may be the attacking machine while is the victim, and also listening on port 53 for the remote connection from I also see trying to connect back to that same machine on port 21, which is FTP, but it's getting a RST for a failed connection, which may have been an old connection used for remote access no longer in use.
    If you sort by source IP, you can see the conversations a bit easier as well, but understand where the conversation starts (not numerically by IP). The conversation starts off using port 53 (dns) and then switches to port 21 (ftp) from as the attacker IP to as the listener, but it seems that the receiver doesn't like access from port 21 to the listener, and does a RST, or it was a failed/old connection. Eventually we see the attacker reconnect to the victim, only this time, the receiving port is 23 (telnet) to the victim from port 1403, which is just an uncommon port above 1024. The fact it is listening on this port and taking command line commands would also make me think this machine is compromised. Look at the new data we see now, which is almost as if the attacker is looking for data on their own machine locally, accidentally typing it into the remote victim's console:

        C:\>ls -la
        ls -la
        'ls' is not recognized as an internal or external command,
        operable program or batch file.

        C:\>exit
        exit

    At some point, the attacker has a new connection to the victim, over port 80, which is http. We again see the common Windows command line data sent over in plain text. Attacker and victim, on port 80:

        Microsoft Windows XP [Version 5.1.2600]
        (C) Copyright 1985-2001 Microsoft Corp.

        C:\>dir
        dir
         Volume in drive C has no label.
         Volume Serial Number is FF47-80EB

         Directory of C:\

        01/12/2005  11:59 AM                 0 aierrorlog.txt
        01/19/2004  09:45 PM                 0 AUTOEXEC.BAT
        01/19/2004  09:45 PM                 0 CONFIG.SYS
        06/26/2004  12:12 PM    <DIR>          Documents and Settings
        02/03/2005  11:40 PM    <DIR>          EasyBoot
        02/29/2004  02:51 PM            11,531 installer-debug.txt
        12/19/2004  12:50 AM    <DIR>          mga
        12/19/2004  12:51 AM    <DIR>          mgafold
        11/24/2004  07:47 PM    <DIR>          mnt
        10/07/2004  10:01 AM    <DIR>          movie
        06/26/2004  01:03 PM    <DIR>          My Downloads
        01/13/2005  10:52 PM    <DIR>          Program Files
        01/04/2005  10:27 AM    <DIR>          quarantine
        04/19/2004  09:57 PM             7,241 s37g
        10/31/2004  08:36 PM                 0 s3fs
        06/02/2004  08:54 PM               123 systemscandata.txt
        08/08/2004  10:48 AM    <DIR>          Temp
        12/12/2004  02:24 PM        94,135,944 temp.mpg
        01/13/2005  06:10 PM    <DIR>          WINDOWS
        11/20/2004  09:27 AM    <DIR>          WUTemp
                       8 File(s)     94,154,839 bytes
                      12 Dir(s)   7,145,889,792 bytes free

        C:\>exit
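    A detection check in the spirit of the analysis above, added here as an example and not part of the original post: it tests whether a TCP payload sent to port 53 parses structurally as DNS (length prefix, header, question name) and flags payloads that are really console text. The flows, addresses, transaction id and banner are constructed placeholders, not values from the pcap under discussion.

```python
import string
import struct

# Everything below is constructed for this example; the addresses, the
# transaction id and the banner text are placeholders, not pcap values.


def build_dns_tcp_query(qname, txid=0x1234):
    """Build a minimal DNS-over-TCP A query (2-byte length prefix + message)."""
    labels = b"".join(bytes([len(part)]) + part.encode() for part in qname.split("."))
    question = labels + b"\x00" + struct.pack(">HH", 1, 1)     # QTYPE A, QCLASS IN
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    message = header + question
    return struct.pack(">H", len(message)) + message


def looks_like_dns_tcp(payload):
    """Structural check: does the payload parse as a DNS message over TCP?

    Console text tunnelled over port 53 fails at the first step, because
    its first two bytes do not match the remaining length.
    """
    if len(payload) < 14:
        return False
    (length,) = struct.unpack(">H", payload[:2])
    if length != len(payload) - 2:
        return False
    msg = payload[2:]
    _txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 5 or qd > 16 or (qd, an, ns, ar) == (0, 0, 0, 0):
        return False
    pos = 12
    for _ in range(qd):                       # walk each question name
        while True:
            if pos >= len(msg):
                return False
            label_len = msg[pos]
            if label_len == 0:                # root label ends the name
                pos += 1
                break
            if label_len & 0xC0 == 0xC0:      # compression pointer, 2 bytes
                pos += 2
                break
            if label_len > 63:                # labels are at most 63 bytes
                return False
            pos += 1 + label_len
        pos += 4                              # QTYPE + QCLASS
        if pos > len(msg):
            return False
    return True


PRINTABLE = set(string.printable.encode("ascii"))
SHELL_MARKERS = (b"C:\\>", b"Microsoft Windows")


def printable_ratio(payload):
    """Fraction of bytes that are printable ASCII (console text scores ~1.0)."""
    if not payload:
        return 0.0
    return sum(1 for b in payload if b in PRINTABLE) / len(payload)


def classify_flow(dst_port, payload):
    """Verdict for one TCP payload sent toward dst_port."""
    if dst_port == 53:
        if looks_like_dns_tcp(payload):
            return "dns"
        if printable_ratio(payload) > 0.9 or any(m in payload for m in SHELL_MARKERS):
            return "suspect-covert-channel"
        return "non-dns-on-53"
    if any(m in payload for m in SHELL_MARKERS):
        return "cleartext-shell"
    return "other"


# Constructed flows: (src, dst, dst_port, payload)
SHELL_BANNER = (b"Microsoft Windows XP [Version 5.1.2600]\r\n"
                b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\>")
SAMPLE_FLOWS = [
    ("192.0.2.10", "192.0.2.53", 53, build_dns_tcp_query("example.com")),
    ("192.0.2.20", "192.0.2.30", 53, SHELL_BANNER),
    ("192.0.2.20", "192.0.2.30", 80, SHELL_BANNER),
]


def scan(flows):
    """Return (src, dst, port, verdict) for every flow."""
    return [(src, dst, port, classify_flow(port, data)) for src, dst, port, data in flows]


if __name__ == "__main__":
    for entry in scan(SAMPLE_FLOWS):
        print(entry)
```

    In a real pipeline the flows would come from reassembled TCP streams (tshark's follow-stream export or a scapy session), with the structural test run on the first segment of each stream.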
  32. 3 points
    It seems that I've simplified it so much that we're over thinking it. The tools_installer payload is just that -- a payload. It's meant to be run just as any other payload -- by copying it to a switch folder from Arming mode, ejecting the BashBunny USB flash disk, putting the switch in that position and plugging it into your PC. It'll then run the install.sh. I'm going to be updating the documentation tomorrow to outline how the Bash Bunny framework operates, from USB disk mounting to Install.sh, payload.txt, etc. Then I'll be doing some screencasts over the weekend similar to what I did with the LAN Turtle. It's really intuitive once you get the gist -- but if you treat it like a complex Linux box and not an easy drag-and-drop tool, it'll over complicate things.
  33. 3 points
    There are a number of currently undocumented pins on the board for serial and micro sd - however as with anything like this, opening it up and soldering to the PCB will invalidate the warranty. In other words, if you let out the magic smoke there's not much I'll be able to do. Foxtrot is welcome to post pics as long as you're all cool with seeing a naked bunny (do NSFW tags apply?)...
  34. 3 points
    The case is easy to open, just be careful and go around the sides of it with something like a guitar pick. I can take pictures of the internals, but won't until staff say it's okay out of respect. I'm having lots of fun with it and would encourage anyone who hasn't bought one to grab one asap. :)
  35. 3 points
    The Bash Bunny is not a USB Rubber Ducky replacement. While it's compatible with Ducky Script and supports a HID attack mode, that's only one of 5 current attack vectors. The USB Rubber Ducky will always execute payloads faster (0.1 seconds vs 7 seconds), more economically (less than half the cost), and more covertly (with its generic flash drive case). For social engineering ops, USB drops and attacks which require the target to plug in the drive, the USB Rubber Ducky is still the gold standard.
  36. 3 points
    I'm tidying up a few things in the repo and will be setting it to public today - so stay tuned to bashbunny.com
  37. 3 points
    Assuming ravang is revenge then no, definitely not helping, that is not the way to go about things. Regardless of the circumstances, what you are asking is illegal and we don't condone that on these forums.
  38. 3 points
    LOL I know right. Imagine having a girlfriend. @telot, I think you may be able to do this already with the Tracking system module.
  39. 3 points
    Edit: A test version, the first major release, is now on my GitHub at https://github.com/sud0nick/CursedScreech. The C# API, Python API, and documentation are also there.
    I started working on a new module and I'll keep this thread up to date as I work on it. I'm much farther along with it than I thought I would be at this point so hopefully it won't be too long before its initial release.
    Purpose:
    • Securely control compromised systems on the network by sending commands to them all at once, one at a time, or to a custom group.
    Features:
    • Commands sent via TLS (level negotiated by systems; highest available is chosen)
    • Execute shell commands on all targets at once or those selected and receive responses individually.
    • Store commands for quick reuse.
    • Utilize the Certificate Store in Papers for TLS keys.
    • Multi-threaded python scripts that listen for compromised systems on the network and do your bidding.
    This is an advanced module that will require some programming knowledge (not to use the module itself but for the payloads that are required). I plan on including a small API that you can import into your payload so it will work seamlessly with CursedScreech.
    Default EZ Commands are as follows:
    Get PS Version
    Get SysInfo
    Windows PSv3+ Phish
    Windows PSv2- Phish
    Windows Alert
    Logoff User
    Restart
    Shutdown
    Add User
    Change User Password
    Delete User
    Enable RDP
    Add User to Remote Desktop Users Group
    Add User to Administrators Group
    And a video tutorial
  40. 2 points
    Instead of step's 3 and 4, you can copy my payload.txt to one of the switch directories and it will git clone the payloads directly on the device. That way, you can just run `git pull origin master` from /root/udisk to keep your library up to date. The payload will also run the git pull command the second time you use it. Git Bunny Git: https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/GitBunnyGit
  41. 2 points
    You sir are a gentleman and a scholar.
  42. 2 points
    Hey guys, I was talking with Seb on irc and he tells me that you cannot directly share the connection on a Mac, as of now. However, it does work if you use a Linux VM (I am using Ubuntu in VirtualBox) on top. The sequence is a little tricky and took me a while to figure out, so I'll describe how I got my bunny connected to the internet on my Mac:
    1. With your VM turned off and the bunny unplugged, go to Settings > Ports > USB and enable USB 3.0
    2. Switch the bunny to state 1; plug it in and wait for it to load completely
    3. Add a USB filter (plus icon) and add the device (mine says "Linux 3.4.39 with sunxi_usb_udc RNDIS/Ethernet Gadget [0333]")
    4. Eject the bunny
    5. Flip the switch to states 2 & 3 and repeat steps 2-4
    6. Turn on your VM and keep the bunny unplugged
    7. wget the bb.sh script in the VM
    8. Run `sudo bash bb.sh` and follow the guided setup
    9. With the bunny NOT in arm mode (position 3), plug the bunny in after the third step/question
    10. If you did it right, the script will "detect" the bunny at this stage
    11. The last step is to press "C" once you see the main menu again to "connect" using the settings you just set up
    12. You should now be able to ssh in and test the connection with ping
    Hope this helps somebody.
  43. 2 points
    Restore the Bash Bunny from the recovery partition:
    1. Set the Bash Bunny switch to position 3 (arming mode)
    2. Plug the Bash Bunny into a USB power source. The LED will momentarily light green. As soon as the LED goes off, unplug the Bash Bunny.
    3. Repeat the previous step twice more (for a total of 3 times)
    4. Plug the Bash Bunny into a USB power source and leave for 4 minutes. The LED will light RED to indicate recovery.
    5. When the light returns to BLUE blinking, the Bash Bunny has recovered.
  44. 2 points
    V0.4 has been released! https://github.com/notpike/The-Fonz

    TX all commands as you would with the remote! Passive PIN discovery! Brute force a command, loops through all 256 PINs for a single command! Dank ass memes! Booze, Chicks/Dudes and more!

    No practical application but here's a script that uses the YSO (or any other CC1111 radio that uses RfCat) to emulate, brute force, and listen for the TouchTunes Jukebox remote transmissions. With this power you could skip songs, turn up/down the volume, or possibly add promotion credits for free songs. For research purposes only of course :D.

    -=Here's the quick and dirty on how I reversed this remote=-

    So… This project all started 2 years ago when my wife and I dropped $20 at the local gay bar to listen to some filthy Dubstep, rad ass EDM, and Beck. After inserting that Jackson, I realized my grand idea of saving money isn’t working out… (We spent $120 that night… $40 on the jukebox…) Next morning, hung over and sad, I made it my mission to figure out how to get free music out of this Jukebox. This is how I started, and here’s how I bumbled my way to figuring out an IoT Jukebox known as TouchTunes.

    -=Reading=-

    I would just say research but TBH what I did wasn’t that sexy. Armed with my skill of “Google Fu” I found various manuals about the device. I found some good information in these manuals and it gave me a few ideas on how to score free jams.

    http://productwarranty.touchtunes.com/download/attachments/655383/900475-001-Virtuo Installation and Setup Guide-Rev08.pdf?api=v2
    http://productwarranty.touchtunes.com/download/attachments/1572899/900203-002-Dashboard User Guide-Rev00.pdf?version=1
    http://www.touchtunes.com/media/marketing_resources/Remote_Control_Users_Guide_1.pdf

    -=I called random strangers and sat at a bar=-

    I made a few phone calls to random TouchTunes Techs who specialize in repairing these devices and got a lot of good info from them. I learned it was a Linux box, everything is encrypted, it costs money to own the key, everything is locked down, and you need to own ~10 of them to get true admin rights. I wanted a way to experiment with a VM of the OS to figure out how it ticked. Because I don’t have $5000 laying around I’m kinda forced to black box this device. Thanks to a few local bars who had their IoT Jukebox on the public WiFi, I was able to take a quick gander. Sadly the techs were right… It’s locked down... I’ll revisit this approach later when I can save up for my own personal Jukebox lol. You can also add credits via the Internet BTW. Try to see if there’s a way to make the Jukebox believe I’m god and make it sing and dance.

    -=Three things I learned=-

    1.) You can fill the queue with music to play without paying for it. This was a marketing plan to make people more committed to pay for music if they made a queue first.
    2.) If configured, the jukebox can be set up to receive “promotional credit”. Bartenders and/or managers can add to the balance so more music could be played. This is added by pressing the ‘P1’ button on the wireless remote…
    3.) There is a wireless remote! It transmits on 433.92 MHz and it can be found for $50 on ebay!

    -=My plan of attack=-

    Add music to the queue
    Add promotion points
    Get free music!

    -=I spent money=-

    Because I’m cheap, I picked up an aftermarket remote that works with all TouchTunes Jukeboxes Gen 2 and above. The plan was to reverse this remote with my Yard Stick One and HackRF and try to figure out how it works. The remote only has 256 PIN possibilities to keep neighboring bars from walking on each other so I could just hand jam all 256 PINs (000-255) to figure out which one they are using. 9 times out of 10, it was 000. So yah, nothing complex here.

    -=Reversing… Kinda…=-

    The first thing I did was find the FCC data, not a lot of useful info here but I at least figured out it existed. https://fccid.io/2AHXI-T1

    I used a HackRF with 'osmocom_fft' to monitor and record the wireless remote's transmissions. I then took a look at the raw IQ data with 'inspectrum' to see what I was dealing with. Below is what the On/Off command looks like with a 000 PIN. With this I know I'm working with ASK/OOK.

    The message in raw binary is...
    1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1,

    In Hex it would be...
    FFFF00A2888A2AAAA8888AA2AA2220

    I found this by right clicking and adding an 'Amplitude Plot' in 'inspectrum', moved the bar over the transmission, added a 'Threshold Plot', clicked 'Enable cursors' to count out how many symbols are being used (also tells you the Symbol Rate) and then right clicked to 'Extract Symbols' and the values were output in the terminal.

    -=RfCat=-

    At this point I switched from using an SDR to RfCat and the YSO. After figuring out the preamble was 1111111111111111 or FFFF in hex, Modulation (ASK/OOK), and symbol rate (~1766) I was able to create a script based off Michael Ossmann's work to help me record the data. https://github.com/mossmann/stealthlock/blob/master/sl.py

    After a lot of beer and recording every PIN possibility for the On/Off a few patterns emerged. If you want to look through all my data you can check out the pastebin below but here's how I believe the transmission is formatted.

    ==Preamble==    ==key==  ==Message==   ==?==
    ffff00a2888a2   aaaa     8888aa2aa22   20

    I still have no idea what the last 2 hex values are about (I noticed that there were 2 possible messages for each command depending on what the PIN was. The last 2 were either 02 or 88... I couldn't figure out the pattern so I just hard coded which command was used vs the other depending on the PIN in my final script)

    -=After that=-

    I expanded the original script I used to record all the transmissions of the remote and added a passive PIN discovery feature to it. I then recorded all the messages (All the buttons) the remote would send (Both possibilities) and added the ability to determine which command was used. A week later I figured out how to TX the decoded values and I made a working TouchTunes remote for the YSO. And it's been tested. :D

    http://pastebin.com/Ue7UYAPg
    http://www.pressonproducts.com/t1-jukebox-remote-touchtunes-compatible/
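    The inspectrum symbol-to-hex step and the preamble/key/message layout described in the post above, as an added Python example (not code from the post or from The-Fonz): it aligns a captured symbol list on the ffff preamble, packs it to hex, splits the frame into the post's fields, and collects the key fields seen on air. The name "tail" for the unexplained last two hex digits is an assumption, and the sample symbol list is constructed from the post's On/Off frame with three stray leading zeros added.

```python
# Added example (not from the post or The-Fonz): pack inspectrum symbols into
# hex and split a TouchTunes remote frame into the fields the post identifies.
# Field widths (hex digits) come from the post's layout line; "tail" is an
# assumed name for the last two digits, which the post leaves unexplained.
PREAMBLE_ONES = 16  # the post: preamble is 1111111111111111 (ffff)
FIELD_LAYOUT = [("preamble", 13), ("key", 4), ("message", 11), ("tail", 2)]


def align_and_pack(symbols):
    """Drop anything before the first run of 16 ones, then pack 0/1 symbols
    into a lowercase hex string (last nibble zero-padded if the capture is short)."""
    bits = "".join("1" if s else "0" for s in symbols)
    start = bits.find("1" * PREAMBLE_ONES)
    if start < 0:
        raise ValueError("no ffff preamble found in capture")
    bits = bits[start:]
    bits += "0" * ((-len(bits)) % 4)
    return "".join(f"{int(bits[i:i + 4], 2):x}" for i in range(0, len(bits), 4))


def parse_frame(hex_frame):
    """Split a 30-hex-digit frame into the post's preamble/key/message/tail fields."""
    hex_frame = hex_frame.lower()
    expected = sum(width for _, width in FIELD_LAYOUT)
    if len(hex_frame) != expected:
        # The raw symbol list in the post is a few bits short of 120; a capture
        # of the wrong length means the threshold or symbol rate needs re-checking.
        raise ValueError(f"expected {expected} hex digits, got {len(hex_frame)}")
    if not hex_frame.startswith("ffff00"):
        raise ValueError("frame does not start with the ffff00 preamble")
    fields, pos = {}, 0
    for name, width in FIELD_LAYOUT:
        fields[name] = hex_frame[pos:pos + width]
        pos += width
    return fields


def keys_seen(hex_frames):
    """Passive discovery as the post describes it: map each distinct key field
    observed on air to the set of message fields seen under it."""
    seen = {}
    for frame in hex_frames:
        fields = parse_frame(frame)
        seen.setdefault(fields["key"], set()).add(fields["message"])
    return seen


# Constructed sample: the post's On/Off frame for PIN 000, expanded back to
# symbols with three stray leading zeros, as a symbol extractor might emit.
ONOFF_PIN000 = "FFFF00A2888A2AAAA8888AA2AA2220"
SAMPLE_SYMBOLS = [0, 0, 0] + [int(b) for d in ONOFF_PIN000 for b in f"{int(d, 16):04b}"]

if __name__ == "__main__":
    frame = align_and_pack(SAMPLE_SYMBOLS)
    print(frame, parse_frame(frame))
```

    Mapping a key field back to a three-digit PIN needs the per-PIN recordings the post links in its pastebin, which this example does not include.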
  45. 2 points
    Payloads repo is now live: https://github.com/hak5/bashbunny-payloads
  46. 2 points
    Just woke up. I'll update this thread with full specs and dimensions today. Cheers!
  47. 2 points
    What a week!!! Got my New Pi zero W and ordered me a bunny!!! Life is Good!!!
  48. 2 points
    Get 2FA on all your accounts, set good passwords and make sure you pay attention to any alerts of people trying to log into your account. I'd say it is very unlikely you'll be able to do anything to stop them, just keep things locked down and hope they go away.
  49. 2 points
    Sounds like something illegal to me
  50. 2 points
    https://www.youtube.com/watch?v=CRwO8rpHXBM In this video I will show you step-by-step how to capture a WPA wireless handshake using a WiFi Pineapple NANO. We will be using a module by the name of site survey which will allow us to capture the WPA wireless handshake. I will walk you through putting your WiFi Pineapple NANO wireless card into monitor mode, and show you how to catch the WPA handshake. Please keep in mind that the WiFi Pineapple NANO is not capable of cracking a WPA wireless handshake; it will require you to transfer the capture file to a machine capable of cracking the handshake.