About PoSHMagiC0de

  • Rank
    Hak5 Zombie

Contact Methods

  • Website URL

Profile Information

  • Gender
  1. Hmm, so you want to run jar files. Well, if you know the java command line, here is how you can always get the path to the java executable. It seems it is installed in ProgramData, but to make sure you can do this:

        # Find the Oracle Java directory on the PATH (take the first match so $javapath is a string, not an array)
        $javapath = $env:Path -split ";" | Where-Object { $_ -match "Oracle" -and $_ -match "java" } | Select-Object -First 1
        if ([string]::IsNullOrEmpty($javapath)) {
            Write-Error "Java JRE seems to not be installed on this system"
            exit
        }
        else {
            # Join-Path avoids the doubled backslash that "\\java.exe" would produce in PowerShell
            $javaapp = Join-Path $javapath "java.exe"
        }
        # -WindowStyle Hidden hides the window; you can also leave the WindowStyle parameter out completely
        $null = Start-Process $javaapp -WindowStyle Hidden -ArgumentList "<Your java arguments go here>"

    If you did not run the script as admin and want to run the jar as admin, then you will need to add the parameter -Verb "RunAs" to run java as admin, but it will prompt.
  2. I had to look through the videos to see what this module does. Pretty cool. It looks like it acts as a light session manager for machines that have been hooked. I could see this used for a pineapple left behind, connected to an access point to autosnare victims and track them. You can come along later, connect, and then use the control panel to inject your own framework agent like meta or Empire to interact fully with it. I have some ideas to add to all agents that could maybe expand it. Right now I see your agent maybe using system calls; when you run a command I see that PowerShell has to be used in front of the commands. Have you thought about adding a separate command or payload section where you can deposit scripts as modules and then call them from the control panel with the command to run them? Python can run scripts that are delivered as strings. You could have a section for payloads for Python to store all your Python modules that can be sent and called to do stuff in Python, and for the C# one you can include in the agent the Automation class located in the GAC to internally run PowerShell scripts in a runspace. Now you can have a separate section for running modules. It doesn't copy https URLs? What are the difficulties it has with https sites? SET seems to be able to clone https pages fine. Wonder what Setoolkit is doing to resolve this.
  3. Hey Seb, you might want to add to the upgrade wiki a bright note letting folks know they will need to reinstall their tools and even their payloads after updating the firmware. I see that question being asked a lot on the forums by new users who update the firmware.
  4. Still would require using iptables to NAT to it from the external interface to the interface facing the BB.
  5. Well, on Windows 7 (and I think 10) you will have to get a program to do NATing to do it, but you will have to NAT your BB interface on your Windows machine to the interface facing the network you are trying to access, and the port on both ends that you will be firing up a handler on. Might be easier just to run a VM in VirtualBox on the Windows machine to run Metasploit.
  6. Guessing, but I would assume after you get ICS going you will have to use Windows Advanced Firewall to NAT some traffic between your internet interface and port and your BB interface and the port the Metasploit listeners will be listening on.
  7. I knew what he meant heheh.
  8. I redid this payload to fit into the BBTPS. One issue I did run into is that some Windows 10 machines will always prompt for SMB creds. Working on that part because I want it to try and use the existing user creds to try and grab the hash at the same time, but it looks like I need to put something in to detect whether I need to use a default cred or not. I did see a post above talking about another set of unescaped double quotes which would break the string and script.
  9. Check out this thread.
  10. I know a lot of the people have been updating their payloads to utilize the newer firmwares over time. If you factory reset, you are back on the original, so you will need to find a 1.0 payload to test payloads. Check their payload.txt; usually the version of firmware needed to run it is in there. If you are on the original, that is. If you are going to do a firmware upgrade, remember to be patient with it, and have a good connection and power. It can take 10 mins or sometimes more. Also, if you are having RNDIS driver issues, make sure the payloads you are testing do not use the ethernet attack modes. Also remember the BB ethernet rule of thumb: RNDIS for Windows and ECM for *NIX and Mac. Last, if it is your first time using the BB, experiment on a Windows 7 machine first until you have it down. Windows 10 has recently been hardened with new protections nullifying some payloads.
  11. Entering late into this. Had to backtrace. So with some fancy maneuvering of switches your Bunny is back. Before I go try to run full payloads, I would test functionality. Try editing one of the switch payloads to do just HID and do the hello world default payload people do for the quack commands, which is to open notepad and type something, and try running it. If it works, HID works. Next do one for just the network type for the OS you are connected to and try SSHing into the Bunny. If you are in, the network for that part is working. While inside, use Python to launch a SimpleHTTPServer and see if you see it on your host machine through a browser at its port. If so, network communication between the Bunny and the host definitely works. The only thing left is to troubleshoot the payloads and make sure you have all the dependent tools installed and the bash extensions those payloads use.
  12. Your issue may be similar to the issue I was having with my dual attack modes that Seb resolved with the 1.3 update. 1.3 implements the ability to change the speed the BB reports to the host machine. In your ATTACKMODE line, after the other 2 parameters, add "RNDIS_SPEED_10000" and then see what happens when you plug in. The issue I was experiencing in 1.2 was that when I used HID RNDIS_ETHERNET, drivers could not install for the HID, because when the ethernet comes online Windows used the BB instead of its internet-capable device. This is because by default the BB reports as 2GB. The speed line above has it report as a 10Mb ethernet. Why is this an issue? Windows 7 and 10 will use Windows Update to look for drivers they do not have. Note: I notice on some machines this can delay your attack by sometimes up to a couple of minutes and limits your surface to machines that are online.
  13. evil portal

    Has anyone thought of combining Portal Auth and Evil Portal with some of the abilities that SeToolkit, Fluxion, linset and all these other folks bring up? I got my Nano not too long ago and have been looking through the modules and researching, and I see some that seem to cover the same functions and could be combined. What I have been doing lately is doing most of the MITM stuff on my PC for the Nano, only because my PHP sucks (never latched on to the language; nothing wrong with it, just never got into it except for research for vulnhub VMs). The idea I had in mind is the cloning ability of SET to clone a website or the captive portal you are behind. SET can clone the active portal you are behind. Not expecting the automated accuracy of SET. I have seen in demos that Portal Auth can clone and be used after some templating, which is way okay in my book. It would take me a bit to replicate that ability myself. This ability mixed with the ability to set it either as a captive or DNS-spoofed site would be cool and would combine Evil Portal with Portal Auth. Under DNS spoofed it could function like SET's portal where, after they enter credentials, it just forwards them to the real site login page. Adding a sub option under Captive to be used as Portal Auth would add the portal authentication to it. Don't ask me to name it, my names are corny. :-P Haven't given much thought to how you could implement Fluxion (I assume wifiphisher is about the same) into the mix, since Fluxion captures the handshake of the real wifi point and then deauths it to oblivion while serving an open version that hopefully the person will connect to and get the captive portal that looks like their router model page asking them to validate their wifi password, which it checks against the handshake with aircrack, and if successful it drops the deauth and releases them from the rogue.
  14. Yeah, if you are trying to brute force incrementally with no wordlist base, it will take forever. I use Hashcat with my GPU using a wordlist and some of the rules hashcat has. If the target is researched and I generate a wordlist for them, then I use DyMerge to combine and unique a new word list using it and my default list. I have a pretty okay success rate, and most of the time I spend is with the biggest rule, but I believe it is only a few hours to exhaust. If that fails, then the only time I try again is if I have new words to add to the list. Mass brute force takes too long and is not feasible without a crackzilla.
  15. I'm camera shy. :-P I actually have zero skills at doing video stuff. Never was my bag. If I did, it would probably end up being 2-3 clips. One made on my Linux box about how to npm the packages and then add it to the Bunny, and how all the parts work using the VSCode editor. Yeah, I used VSCode; I even included a VSCode launch.json for testing locally without the Bunny. After the Linux stuff a demo would have to be shown on the Windows victim... and people would probably want to see the Bunny lights and an explanation of them. Lots of video splicing. The only thing I've spliced is wires hehe. Not even remotely as skilled as Darren K, who can spin out a multicultural hack across the plan video in a week with all the frills. :-) I am working on a wiki for it though, with screenshots.