phlakvest

  1. Like anything in security, there isn't one silver bullet to prevent it; you have to layer several controls. A few possible items: Controlling physical access is the best approach. Depending on the office environment, require all guests to check in at the front desk and be escorted at all times. It's not foolproof since you can spoof it, but block the default device IDs. Whitelisting known USB peripherals and blocking everything else is a good approach if you can pull it off. Configure the firewall to treat all new networks as untrusted. I'm not sure how easy it is to do that on Windows Firewall, but most 3rd-party AV/firewalls have the ability to go into a protected mode on new networks. Enable an AV scan when a new USB device is plugged in, and scan network drives as well. Implement 802.1X on your wireless with network access control, so if people get your wifi credentials they still can't join the wifi. Restrict unsigned PowerShell scripts.
  2. Am I incorrect in thinking I should be able to run GET TARGET_IP from the shell?
  3. I'm not sure if I'm on to something, or going about it completely wrong. From the shell, if I run find / -name get.sh, the file comes back in /usr/local/bunny/udisk/payloads/library/extensions/. After a clean flash this directory has the same files as if I browse to the mass storage disk in /payloads/library/extensions. If I create a "new.sh" file in that directory from the USB drive, eject, and plug the Bash Bunny back in, the file is still there if I browse through mass storage. However, if I browse to that directory from the shell, the new.sh file I created isn't there. Running find / -name new.sh doesn't find anything either. If I create a file in that directory from the shell, then the file is there after an eject/replug, but the file isn't there if I browse the mass storage. Should this not be the same location with the same files?
  4. I am running 1.1. I have tried reflashing for good measure, and I have also tried the latest version of the quickcreds script. If I replace the GET portion of the script with the execute lines out of get.sh, I can get quickcreds to work, so I'm able to make any of the scripts that use that variable work. It's just kind of annoying to have to do that to every script. When I do a little more digging, it doesn't look like any of the functions declared in the extensions directory are valid commands. My Linux skills are a little rusty; could somebody explain how the extensions are loaded on startup? Is there an rc.d script that is supposed to run them?
  5. Are you running ADFS to integrate your users with Active Directory? If so, you can restrict access to the ADFS proxy to restrict authentication and lock down all O365 external access. To restrict only SharePoint Online to a subset of IPs, you can try the Set-SPOTenant cmdlet: https://technet.microsoft.com/en-us/library/dn917455.aspx I haven't tested it, but based on the article, it will work.
  6. JHack, here is what I did to get Responder to work on BB 1.1:
     1. Download the Responder repo as a zip file: https://github.com/lgandx/Responder/
     2. Extract the zip file and rename Responder-master to responder.
     3. Copy that responder folder to /tools/ on the USB drive while in arming mode.
     4. Safely eject.
     5. Plug the Bunny back in; it will flash purple briefly, then go blue.
     6. Connect via serial or SSH and verify you have a /tools/responder folder.
     I would think impacket would work the same way, since like Responder it's a collection of Python scripts: https://github.com/CoreSecurity/impacket
  7. Is the GET command working for other people? I'm trying to get quickcreds working on 1.1. In the changelog it mentions the GET command will re-export the system variables, but if I replace the source line in the quickcreds script it still flashes a red light. Running GET from bash gives me "command not found". If I manually export the environment variables each time it works, but that's not the most elegant solution:
     export HOST_IP=$(cat /etc/network/interfaces.d/usb0 | grep address | awk '{print $2}')
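Added example, not code from Hak5 or the Bash Bunny firmware, illustrating the point behind posts 4 and 7: a shell function such as GET only exists in a shell that has sourced the extension script defining it, so a fresh SSH or serial login reports "command not found" even though the file is on disk, and HOST_IP is simply the address line of the usb0 interface file. The `load_extensions` loader, the `get_host_ip` parser, the sample interfaces file and the `ext_hello` function are all constructed for this example; how the firmware itself sources the extensions directory at payload time is not shown here.

```shell
#!/bin/sh
# Added example (not Bash Bunny firmware code). Shows why an extension function
# is only visible in a shell that sourced its file, and how the HOST_IP export
# line extracts the usb0 address. All paths and file contents are constructed.

# Return the "address" value from an interfaces(5)-style file given as $1.
# Same idea as the export HOST_IP=... one-liner, parameterised so it can be
# tested against a sample file instead of /etc/network/interfaces.d/usb0.
get_host_ip() {
    awk '$1 == "address" { print $2; exit }' "$1"
}

# Source every *.sh in directory $1 into the current shell. Functions defined
# there exist only in this shell and its subshells; a separate login shell
# that never ran this sees nothing, hence "GET: command not found".
load_extensions() {
    for f in "$1"/*.sh; do
        if [ -r "$f" ]; then . "$f"; fi
    done
}

# Constructed sample data in a temp dir so the script runs anywhere.
EXAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$EXAMPLE_DIR"' EXIT
cat > "$EXAMPLE_DIR/usb0" <<'EOF'
auto usb0
iface usb0 inet static
    address 172.16.64.1
    netmask 255.255.255.0
EOF
mkdir -p "$EXAMPLE_DIR/extensions"
cat > "$EXAMPLE_DIR/extensions/hello.sh" <<'EOF'
# constructed extension: defining a function does nothing until it is called
ext_hello() { echo "loaded"; }
EOF

# Load the extensions, then export HOST_IP the way the post does by hand.
# Only after load_extensions has run in THIS shell does ext_hello resolve.
demo() {
    load_extensions "$EXAMPLE_DIR/extensions"
    HOST_IP="$(get_host_ip "$EXAMPLE_DIR/usb0")"
    export HOST_IP
    echo "HOST_IP=$HOST_IP $(ext_hello)"
}
```

Running `ext_hello` before `load_extensions` in the same shell fails exactly like `GET` does in a fresh login, which is the behaviour the thread describes.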