J@rr0d Posted March 4, 2017 Share Posted March 4, 2017 Has anyone else come across any driver issues with the RNDIS or WPD drivers for BashBunny on Windows 10 x64 Build 14393? Flash drive loads, payload is set for ATTACKMODE RNDIS_ETHERNET STORAGE and the device shows in device manager but without drivers. Quote Link to comment Share on other sites More sharing options...
J@rr0d Posted March 4, 2017 Author Share Posted March 4, 2017 It looks like the sample payload file that ships with the bunny doesn't work. I stripped everything out of it except for ATTACKMODE RNDIS_ETHERNET and it is now working. Not sure if it was the combination of storage, the LED, or the commented bash line at the top. Quote Link to comment Share on other sites More sharing options...
J@rr0d Posted March 4, 2017 Author Share Posted March 4, 2017 ATTACKMODE RNDIS_ETHERNET works ATTACKMODE RNDIS_ETHERNET STORAGE does not work Quote Link to comment Share on other sites More sharing options...
b0N3z Posted March 4, 2017 Share Posted March 4, 2017 Did you try ATTACKMODE STORAGE RNDIS_ETHERNET ? Thats how the the wiki shows it. http://wiki.bashbunny.com/#!index.md Quote Link to comment Share on other sites More sharing options...
J@rr0d Posted March 4, 2017 Author Share Posted March 4, 2017 That doesn't work either. Quote Link to comment Share on other sites More sharing options...
b0N3z Posted March 4, 2017 Share Posted March 4, 2017 Lets see the payload? Quote Link to comment Share on other sites More sharing options...
illwill Posted March 4, 2017 Share Posted March 4, 2017 (edited) Violation of CoC Edited October 8, 2017 by illwill Violation of CoC Quote Link to comment Share on other sites More sharing options...
Darren Kitchen Posted March 4, 2017 Share Posted March 4, 2017 The default switch2 payload recognizes as storage but not Ethernet on Windows. Same thing with Mac. Go figure - it works on my development Linux box. The issue has to do with composite devices and Windows ability to recognize RNDIS as one. When combining attack modes the Bash Bunny registers as a composite device. Windows doesn't recognize RNDIS_ETHERNET as a composite device by default. Drivers could be installed, but that defeats the purpose in many instances. Alone ATTACKMODE RNDIS_ETHERNET works without drivers on Windows hosts. Thankfully the ATTACKMODE command can be run subsequently to change the state to other modes later on in payloads conditionally. As for the USB disk - when the payload executes it can access the storage from /root/udisk. At the moment this gets unmounted from the Linux side when payload execution completes. So if you terminal in and ls /root/udisk you won't see anything. Quote Link to comment Share on other sites More sharing options...
super-6-1 Posted March 5, 2017 Share Posted March 5, 2017 I have tried this and it works but i cant get the driver for the EDM. internet sharing iz going to be hard to use when i cant have it for serial as well Quote Link to comment Share on other sites More sharing options...
illwill Posted March 5, 2017 Share Posted March 5, 2017 (edited) Violation of CoC Edited October 8, 2017 by illwill Violation of CoC Quote Link to comment Share on other sites More sharing options...
illwill Posted March 5, 2017 Share Posted March 5, 2017 (edited) Violation of CoC Edited October 8, 2017 by illwill Violation of CoC Quote Link to comment Share on other sites More sharing options...
snowc Posted March 8, 2017 Share Posted March 8, 2017 I figured out which driver to get SERIAL RNDIS_ETHERNET working in Win10. In device manager select your unrecognized RNDIS adapter Browse my computer for driver software Let me pick from a list of drivers on my computer IBM Corporation IBM USB Remote NDIS Network Device 1 Quote Link to comment Share on other sites More sharing options...
Cpt.Pickles Posted March 8, 2017 Share Posted March 8, 2017 Nice find, just know that if you are building attacks based off of that you will run into issues when you go to attack. However, they do sell these devices as more than just an attack surface ;) Quote Link to comment Share on other sites More sharing options...
mame82 Posted March 11, 2017 Share Posted March 11, 2017 @Darren Kitchen Your statement on the need of manual driver installation for a RNDIS composite device is wrong. My already mentioned project P4wnP1 works as composite RNDIS, USB Mass Storage, HID keyboard and CDC ECM without installing custom drivers on Windows 7 to 10 (Plug and Play). Its a matter of having the right USB configuration to force Windows to enumerate the composite interfaces one by one and install a driver for each single interface. BTW. Although I'm doing exactly the same on a 5$ device, I ordered a bash bunny - I like the work of hak5 ... Keep on going. See here for details: P4wnP1 Quote Link to comment Share on other sites More sharing options...
mame82 Posted March 11, 2017 Share Posted March 11, 2017 @Darren Kitchen Maybe we should get in touch, according the composite device configuration which is needed to make Windows enumerating the interfaces in correct manner. Feel free to copy the setup from my repo, otherwise. Would love to see this PnP capability for RNDIS+UMS+HID in Bash Bunny firmware, too. I'm looking forward for the arrival of my bash bunny. I'm really interested in how you managed to get the device to act as insanely fast 2GBit adapter. Could you give details on the UDC of bash bunny? Quote Link to comment Share on other sites More sharing options...
qdba Posted March 15, 2017 Share Posted March 15, 2017 Yes its's really bad, that the driver must installed manually if you have ATTACKMODE RNDIS_ETHERNET <STORAGE | HID> While most compannies block USB Storage devices, it would be nice if we will have a server (impackets smbserver.py or python SimpleHTTPServer) running on bash bunny and HID for downloading and running code with i.e. powershell. Quote Link to comment Share on other sites More sharing options...
mame82 Posted March 15, 2017 Share Posted March 15, 2017 @qdba Quote it would be nice if we will have a server (impackets smbserver.py or python SimpleHTTPServer) running Although I'm still waiting for the bash bunny to arrive, two ideas come into mind in order to achieve what you want. We known Python Responder is available (for Quick Creds)... 1) Use pre-installed python with python -m SimpleHTTPServer 2) As responder is able to deliver a custom HTTP error page, change the error page to deliver your powershell payload and you should be able to access it (no matter what target URI your victim client is using). To change the HTTP header of the Responder error page, some code manipulation is needed (change content-type from "text/html" to "application/octet-stream"), but you're basically able to deliver a custom HTTP page Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.