[RELEASE] Bash Bunny 1.1

[RazerBlade]

I don't really understand how the new ducky Language selection works. If I am correct you set the language by 

Quote

DUCKY_LANG=us

From the previous 

Quote

QUACK SET_LANGUAGE se

I have moved all the languages files from ducky install to the newly created languages folder on the bunny but I still can't get the bash bunny to accept Swedish keyboard. Any help would be appreciated. I have also tested to move the ducky_install to the tools directory to install them that way but still no succes

[terrier]

4 hours ago, Bryfi said:

How did you get quickcreds to work. Mine refuses to work.

EDIT: Will there be an update to bunny_helpers.sh?

change /pentest to /tools :)

[rattyss]

On 4/6/2017 at 5:29 PM, rattyss said:

hey all,

So I tried to update the firmware and now i am getting nothing. So I decided to try to go back and here is what i get:

plug/unplug 3 times then plug in get the green then switch over to red flashing ( all seems good). It flashes for about 4 minutes, then I get a blue to red flashing (about 6 alternating flashes) then long red. I get the green led, showing it is rebooting but then I get the red flashing again but this time it is only about 1 minute, then nothing. I have left it plugged it in to see if it is doing anything (about 15 minutes). Finally unplug and let the BB cool down and plug it in and all i get is the green led then nothing.

any advice?

well I must have messed my BB up pretty good as I can not even access the it. after it goes through the process of trying to reload, it will start to blink blue pink(looks pink) red, the the green to reboot but after that, I get nothing but a hot BB.  

Any help would be greatly appreciated.

[defiant]

9 hours ago, Bryfi said:

How did you get quickcreds to work. Mine refuses to work.

EDIT: Will there be an update to bunny_helpers.sh?

Check out the newly updated payload.  It basically has the changes I had.

bunny_helpers.sh is no longer used as of v1.1.  Check out the changelog for further details.

Do you know where your quickcreds is getting stuck?  You may need to tinker with the payload (add logging or LED's) to indicate where it is getting stuck.

[Ev!c70r]

23 hours ago, suchasurge said:

Hi.

My upgrade isn't working.

I did the following steps (I followed the upgrade guide in the wiki):

1. copy the downloaded firmware file to the root of the flash drive
2. Safely eject the Bash Bunny flash drive
3. Put the bunny back into my Mac Book Pro

What happened is that I see the the green light for some seconds. Then the bunny moved to red blinking for about 10 to 20 seconds. After that the light gets dark.

I waited several minutes but nothing happens except that the bunny gets really hot.

I left the bunny in the USB port for for about half an our or more. Still no lights.

Then I plugged out the bunny and after I plugged it back in I get it recovered to the v1.0 firmware.

I tried this several times. Also with the bunny plugged into a USB charger from my iPhone. But the results are the same.

Any Idea what happened and how I can solve this?

Thx

Had the same issue. Don't use a Mac. Lol. 

 

I think it has something to do with not completely compatible file systems. 

[jjd]

6 hours ago, Ev!c70r said:

Had the same issue. Don't use a Mac. Lol. 

 

I think it has something to do with not completely compatible file systems. 

i updated with my mac no issue

[JHack]

so I cannot seem to install tools. I tried adding the impacket deb file.  tried just copying the responder and impacket folders to the /tools/ folder safe ejected and plugged back in.  nothing... am i doing something wrong?

 

On 4/6/2017 at 3:04 PM, zoro25 said:

 

[phlakvest]

Is the GET command working for other people?

I'm trying to get quickcreds working on 1.1, In the changelog it mentions the GET command will re-export the system variables, but if I replace the source line in the quickcreds script it still flashes a red light.

Running GET from bash gives me command not found.

If I manually export the environment variables each time it works, but that's not the most elegant solution.

export HOST_IP=$(cat /etc/network/interfaces.d/usb0 | grep address | awk {'print $2'})

[phlakvest]

JHack,

Here is what I did to get responder to work on BB 1.1

1. Download the responder repo to a zip file. https://github.com/lgandx/Responder/

2. Extract the zip file, Rename Responder-master to responder.

3. Copy that responder to /tools/ on the USB drive while in arming mode.

4. Safely Eject.

5. Plug the bunny back in, it will flash purple briefly then go blue.

6. Connect via Serial, or SSH and verify you have a /tools/responder folder.

 

I would think impacket would work the same way since like responder its a collection of python scripts. https://github.com/CoreSecurity/impacket

[Pancakes]

Cool but i have had problem with LED

it blincs once and REALLY fast

plss help

[NooBody]

Is it possible to put the payload back to install the tools to the /tools area for decoder and impacket?

Since the fw upgrade I seems to have an empty tools folder no pentest folder but a text file saying tools are installed... LOL

Thanks!

[1mrwhitehat]

Flashed my bb on a windows 10 box and all worked beautifully. Lights flashed in the perfect sequenced it was supposed to and finished by blinking blue slowly. The new folders are on the root directory and all looked good until...I tried running the system default payload with a blinking green light instead of a blue light. The LED didn't change color:

LED G SLOW
ATTACKMODE SERIAL STORAGE

after that I tried running the tools_installer payload, copied all files (tools_to_install, install.sh, payload.txt, readme.txt) to my switch 1 folder. When I unplugged, set the switch to 1 on the bb, and plugged back in, nothing happened. Not sure why it's not working...

[1mrwhitehat]

31 minutes ago, 1mrwhitehat said:

Flashed my bb on a windows 10 box and all worked beautifully. Lights flashed in the perfect sequenced it was supposed to and finished by blinking blue slowly. The new folders are on the root directory and all looked good until...I tried running the system default payload with a blinking green light instead of a blue light. The LED didn't change color:

LED G SLOW
ATTACKMODE SERIAL STORAGE

after that I tried running the tools_installer payload, copied all files (tools_to_install, install.sh, payload.txt, readme.txt) to my switch 1 folder. When I unplugged, set the switch to 1 on the bb, and plugged back in, nothing happened. Not sure why it's not working...

Edit: I figured it out. Noob mistake...I had the switch in the wrong position. New payloads work beautifully.

[Paulgommard]

On ‎09‎/‎04‎/‎2017 at 4:53 PM, phlakvest said:

Is the GET command working for other people?

I'm trying to get quickcreds working on 1.1, In the changelog it mentions the GET command will re-export the system variables, but if I replace the source line in the quickcreds script it still flashes a red light.

Running GET from bash gives me command not found.

If I manually export the environment variables each time it works, but that's not the most elegant solution.

export HOST_IP=$(cat /etc/network/interfaces.d/usb0 | grep address | awk {'print $2'})

same problem with me, can someone help us ?..

[LowValueTarget]

4 minutes ago, Paulgommard said:

same problem with me, can someone help us ?..

• Ensure you are actually on version 1.1 -- Look in your USB mass storage root for a version.txt file. If the files doesn't exist, you are not on v1.1.
• Serial into your BB and ensure /tools/responder exists and the appropriate files exist in that folder
• Ensure you are using the latest QuickCreds payload. There is mention of v1.1 compatability in the header.
• Copy your payload to the desired switch, and everything should function just fine.

[Paulgommard]

32 minutes ago, LowValueTarget said:

• Ensure you are actually on version 1.1 -- Look in your USB mass storage root for a version.txt file. If the files doesn't exist, you are not on v1.1.
• Serial into your BB and ensure /tools/responder exists and the appropriate files exist in that folder
• Ensure you are using the latest QuickCreds payload. There is mention of v1.1 compatability in the header.
• Copy your payload to the desired switch, and everything should function just fine.

but I did not need to modify the payload?
should I not replace source bunny_helpers.sh by get.sh ?And how ?
 

[LowValueTarget]

9 minutes ago, Paulgommard said:

but I did not need to modify the payload?
should I not replace source bunny_helpers.sh by get.sh ?And how ?
 

If you use the payload from the master branch on github.com/hak5/bashbunny-payloads, then you do not need to modify the payload. It was updated a couple of days ago for use with v1.1

Regarding the bunny_helpers.sh, v1.1 uses extensions in lieu of bunny_helpers.sh since the update. The new payload should not reference bunny_helpers.sh

From the v1.1 changelog - https://storage.googleapis.com/bashbunny_updates/ch_fw_1.1-changelog.txt

- Extensions
  - Extensions from the /payloads/library/extensions folder are sourced automatically for each payload.txt. and provide new Bunny Script capabilities.
  - Extensions replaces bunny_helpers.sh.
  - RUN - accepts OS and Command to execute for HID injection on various operating systems
    - RUN WIN "powershell -WindowStyle Hidden \"tree c:\\ > tree.txt\""
    - RUN OSX https://www.example.com
    - RUN UNITY ping -c2 172.16.64.1
    - RUN WIN notepad.exe replaces QUACK GUI r; QUACK DELAY 500; QUACK notepad.exe; QUACK ENTER
  - GET - exports system variables
    - Accepts TARGET_IP - exports $TARGET_IP for targets IP address
    - Accepts TARGET_HOSTNAME - exports $TARGET_HOSTNAME for targets hostname
    - Accepts HOST_IP - exports $HOST_IP for IP address of Bash Bunny
    - Accepts SWITCH_POSITION - exports $SWITCH_POSITION for current switch position
  - REQUIRETOOL
    - Exits payload with LED FAIL state if the specified tool is not found in /tools
  - DUCKY_LANG
    - Accepts two letter country code to set the HID injection language for subsequent ducky script / QUACK commands

 

[phlakvest]

I am running 1.1 I have tried reflashing for good measure, and I have also tried the latest version of the quick creds script.

If I replace the GET portion of the script, with the execute lines out of get.sh I can get quickcreds to work, so I'm able to make any of the scripts that are using that variable work. Its just kind of annoying to have to do that to every script.

When I do a little more digging, it doesn't look like any of the functions declared in the extensions directory are valid commands.  My linux skills are a little rusty, could somebody explain how the extensions are loaded on startup, is there an rc.d script that is supposed to run them?

[phlakvest]

I'm not sure if I'm on to something, or going about it completely wrong.

From the shell if I run, find / -name get.sh the file comes back in /usr/local/bunny/udisk/payloads/library/extensions/  after a clean flash this directory has the same files as if I browse to the mass storage disk in /payloads/library/extensions.

If I create a "new.sh" file in that directory from the USB drive, eject, and plug the bash bunny back in, the file is still there if I browse through mass storage.  However if I browse to that directory from the shell, the new.sh file I created isn't there.  Running find / -name new.sh doesn't find anything either.

If I create a file in that directory from the shell then the file is there after an eject/replug, but the file isn't there if I browse the mass storage?

 

Should this not be the same location with the same files?

[phlakvest]

Am I incorrect in thinking I should be able to run GET TARGET_IP from the shell?

[peterkozmd]

So how do we technically install this? Yes i know darren says copy it over the tar.gz file but is it really that simple, or do we uncompress it first? Do we put it in root along with the previous 1.0 files and it will overwrite? Sorry been away for awhile and don't wanna mess up the upgrade. thanks

 

edit: okay brought the tar.gz file over in arming mode, safely ejected it, plugged back in. was green for reboot for like a minute now its just flashing red (not red/blue alternate)

Edited April 12, 2017 by peterkozmd

[JHack]

I am having the same issue with installing tools. I put the folders or the .deb into the tools folder. safely eject, plug it back in and the tools are just sitting in the tools folder.  I serial into bunny and the tools were not added to the tools folder.

[peterkozmd]

jhack did it go through the 1.1 install though, red/blue alternate colors?

 

How did others get the 1.1 to install? did you literally bring the tar.gz files and copy it over to root with the previous 1.0 files?

[JHack]

yeah i have flashed it twice now. Im about to go through number 3.  first time it did not do the police lights.  second time it did and i went ahead and removed all folders off of the bunny.

[peterkozmd]

you literally just moved the 446mb compressed tar.gz over to root in arm mode?