
More issues with ATTACKMODE..


Dave-ee Jones


Yes, I know I myself have addressed this issue on numerous other posts but this is slightly different...

I want to use this line (tried either or):

ATTACKMODE RNDIS_ETHERNET HID

or

ATTACKMODE HID RNDIS_ETHERNET

However, I get the issue where the ethernet adapter doesn't start up, and therefore the PC doesn't get an IP and doesn't even show it is connected on another network (usually Network 2).

I would usually address this issue and say "Just swap ATTACKMODEs when you need to" but in this instance, I cannot.
I need to use a HID attack WHILE I am hosting a webserver over ethernet, which I cannot do because of the silly 'One Attack at a Time, People!' bug.

A fix would be good :)


1 hour ago, Dave-ee Jones said:


A fix is in the works for v1.3. Firmware v1.2 is currently undergoing some last testing.


Yeah, noticed this bug too. I wanted to do a combo, but it looks like it doesn't find drivers for the NIC if you use it with another mode.

Notice that in this load mode the serial is not recognized.

Using HID and ethernet together is what I am waiting for. It will make the BBTPS I have built more responsive: instead of a download cradle having to check for when the server is available, I could launch the HID when the IP is available, leaving just the load time for the JS server, which is very quick. From what I see it takes longer for the attack mode to switch. Waiting for the Target and Host IP to be available would fix waiting for the drivers to install and whatnot.

 


I think the issue is not that it is missing initialization but that when used in combination the rndis is not seen as the standard IBM device anymore but takes on another ID.  One thing I can try is the PID/VID options, get the deviceID from the known driver and see if they can be spoofed to work in combination.  Hmmm, will have to try tomorrow morning unless someone gets the bug and beats me to it before then and finds out.  :-P


Welp, I know you can get HID ECM_ETHERNET to work with the below command and VID; I used the VID that came up in Linux lsusb for the device in ECM_ETHERNET mode.

ATTACKMODE HID ECM_ETHERNET VID_0XF000 PID_0XFF13

 

Windows with HID RNDIS_ETHERNET is no joy no matter what I try. Notice that the device, when run by itself, doesn't match any of the devices in the wiki list. In Windows it comes up as:

VID_0X04B3 PID_0X4010

 

I tried to append that on at the end since when I did HID RNDIS_ETHERNET it was the ethernet that was off but then the opposite happened.  The ethernet came on but HID never does work.

In Linux under lsusb I only see the 1 device, which is the one above for ECM. In Windows I see the same, as 1 device comes up, but the quack commands I have in place to test never type out. In fact it seems to stick with the light after the attackmode before the quack commands, which makes me think quack is getting stuck because the HID mode driver never loads for some reason. Conflict?

Just for kicks I did the ecm one on Windows and the expected happened, no drivers for the CDC_ECM but the keyboard did type.  Wonder if there is a CDC_ECM driver built inside windows, get the device ID of that I wonder if the dual command will work without having to load drivers.


On 4/26/2017 at 10:31 AM, PoSHMagiC0de said:


Indeed. It would significantly help my case, as I'm trying to use some Powershell commands that require the Bunny to have ethernet mode on.


Soooooo....

BUMP! :P

Has anyone got any temporary fixes for this? This issue is the bane of my payload right now...

Checked the Hardware IDs of my BashBunny, and I'm getting these:

VID_F000 & PID_FFF0, along with a REV and MI ID as well.
Can I spoof the HID/RNDIS attack using these or no?


44 minutes ago, Dave-ee Jones said:


Depending on what I hear from Darren today we'll either release 1.2 and 1.3-RC1 (with this issue hopefully fixed), or roll it all into 1.3 and release that. Keep an eye out for the new thread.


1 minute ago, Sebkinne said:


Sounds good. I will keep an eye out for it.
