
Windows 10 Support


J@rr0d


Has anyone else come across any driver issues with the RNDIS or WPD drivers for BashBunny on Windows 10 x64 Build 14393? Flash drive loads, payload is set for ATTACKMODE RNDIS_ETHERNET STORAGE and the device shows in device manager but without drivers.


It looks like the sample payload file that ships with the bunny doesn't work. I stripped everything out of it except for ATTACKMODE RNDIS_ETHERNET and it is now working. Not sure if it was the combination of storage, the LED, or the commented bash line at the top.


The default switch2 payload is recognized as storage but not Ethernet on Windows. Same thing with Mac. Go figure - it works on my development Linux box. The issue has to do with composite devices and Windows' ability to recognize RNDIS as one.

When combining attack modes, the Bash Bunny registers as a composite device. Windows doesn't recognize RNDIS_ETHERNET as a composite device by default. Drivers could be installed, but that defeats the purpose in many instances. Alone, ATTACKMODE RNDIS_ETHERNET works without drivers on Windows hosts. Thankfully the ATTACKMODE command can be run subsequently to change the state to other modes later on in payloads conditionally.

As for the USB disk - when the payload executes it can access the storage from /root/udisk. At the moment this gets unmounted from the Linux side when payload execution completes. So if you terminal in and ls /root/udisk you won't see anything. 

 

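For defenders, the composite behaviour described in the post above (one USB device presenting a network adapter alongside storage or HID) can be checked from interface descriptors. The sketch below is an added example, not part of the thread or of any Hak5 code; the function names and the sample devices are constructed, and it assumes you have already collected each device's interface (class, subclass, protocol) triples from your own inventory tooling.

```python
# Added illustration. Names and sample data are constructed, not from the thread.
# Interface (class, subclass, protocol) triples that identify RNDIS.
RNDIS_TRIPLES = {
    (0xE0, 0x01, 0x03),  # Wireless Controller / RF / RNDIS
    (0xEF, 0x04, 0x01),  # Miscellaneous / RNDIS over Ethernet
    (0x02, 0x02, 0xFF),  # CDC ACM, vendor-specific protocol (used by Linux RNDIS gadgets)
}
CDC_ECM = (0x02, 0x06)   # CDC class, Ethernet Control Model subclass
HID, MASS_STORAGE = 0x03, 0x08


def classify(triple):
    """Map one interface descriptor triple to a coarse role."""
    cls, sub, _proto = triple
    if triple in RNDIS_TRIPLES or (cls, sub) == CDC_ECM:
        return "network"
    if cls == HID:
        return "hid"
    if cls == MASS_STORAGE:
        return "storage"
    return "other"


def review_device(name, interfaces):
    """Flag a single device that combines a USB network adapter with HID or storage."""
    roles = {classify(t) for t in interfaces}
    reasons = []
    if "network" in roles and "hid" in roles:
        reasons.append("network adapter and HID on one device")
    if "network" in roles and "storage" in roles:
        reasons.append("network adapter and mass storage on one device")
    return {"device": name, "roles": sorted(roles),
            "flag": bool(reasons), "reasons": reasons}


def flagged(devices):
    """Return the names of flagged devices, sorted."""
    return sorted(n for n, ifs in devices.items() if review_device(n, ifs)["flag"])


# Constructed sample inventory: interface triples per attached device.
SAMPLE_DEVICES = {
    "usb-ethernet-dongle": [(0xE0, 0x01, 0x03), (0x0A, 0x00, 0x00)],
    "flash-drive": [(0x08, 0x06, 0x50)],
    "keyboard": [(0x03, 0x01, 0x01)],
    "composite-net-storage": [(0xEF, 0x04, 0x01), (0x0A, 0x00, 0x00), (0x08, 0x06, 0x50)],
    "composite-ecm-hid": [(0x02, 0x06, 0x00), (0x0A, 0x00, 0x00), (0x03, 0x01, 0x01)],
}

if __name__ == "__main__":
    for dev in flagged(SAMPLE_DEVICES):
        print(review_device(dev, SAMPLE_DEVICES[dev]))
```
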

I figured out which driver to get SERIAL RNDIS_ETHERNET working in Win10.

In device manager select your unrecognized RNDIS adapter

Browse my computer for driver software

Let me pick from a list of drivers on my computer

IBM Corporation

IBM USB Remote NDIS Network Device

 


@Darren Kitchen


Your statement on the need for manual driver installation for an RNDIS composite device is wrong. My already mentioned project P4wnP1 works as composite RNDIS, USB Mass Storage, HID keyboard and CDC ECM without installing custom drivers on Windows 7 to 10 (Plug and Play). It's a matter of having the right USB configuration to force Windows to enumerate the composite interfaces one by one and install a driver for each single interface. BTW: although I'm doing exactly the same on a 5$ device, I ordered a Bash Bunny - I like the work of Hak5 ... Keep on going.

See here for details:

P4wnP1


@Darren Kitchen

Maybe we should get in touch regarding the composite device configuration which is needed to make Windows enumerate the interfaces in the correct manner. Feel free to copy the setup from my repo, otherwise. Would love to see this PnP capability for RNDIS+UMS+HID in Bash Bunny firmware, too. I'm looking forward to the arrival of my Bash Bunny. I'm really interested in how you managed to get the device to act as an insanely fast 2GBit adapter. Could you give details on the UDC of the Bash Bunny?


Yes, it's really bad that the driver must be installed manually if you have ATTACKMODE RNDIS_ETHERNET <STORAGE | HID>

While most companies block USB storage devices, it would be nice if we had a server (impacket's smbserver.py or python SimpleHTTPServer) running on the Bash Bunny and HID for downloading and running code with i.e. PowerShell.

 


@qdba

Quote

it would be nice if we had a server (impacket's smbserver.py or python SimpleHTTPServer) running

Although I'm still waiting for the Bash Bunny to arrive, two ideas come to mind in order to achieve what you want.

We know Python Responder is available (for Quick Creds)...

1) Use pre-installed python with

python -m SimpleHTTPServer

2) As Responder is able to deliver a custom HTTP error page, change the error page to deliver your PowerShell payload and you should be able to access it (no matter what target URI your victim client is using). To change the HTTP header of the Responder error page, some code manipulation is needed (change content-type from "text/html" to "application/octet-stream"), but you're basically able to deliver a custom HTTP page.
