Jay314

(SOLVED) Cannot SSH into BashBunny from Debian/Linux Host

30 posts in this topic

Posted (edited)

===========================SOLUTION==============================

Generate the following payload without STORAGE in the attackmode.

#!/bin/bash
LED G
ATTACKMODE ECM_ETHERNET

Thanks to Fang_Shadow, I've learned that using storage in concert ECM_ETHERNET prevents the system from pulling an IP (for what reason I still don't understand - I'm guessing it's just a bug).

I have had some issues with SSH but according to ifconfig (on local system) I see the interface is up and nmap scans show port 22 is open on the new IP, I'll update this post if anything changes.

===================================================================

Endgoal: I want to ssh from host machine into my BashBunny, then pivot from my BashBunny to a remote cloud hosted webserver, and write a testfile to that server.
Host System Used: Debian Linux
Crux: I am unable to acquire an ip address for my BashBunny using bb.sh

Attempts:
1. I tried to perform these actions from Arming Mode using the serial connection, however I learned that I am not able to share my network connection from serial mode and that Arming Mode only allows: Serial and Storage

2. I attempted to run the default payload in order to gain network connectivity:

#!/bin/bash
LED G
ATTACKMODE ECM_ETHERNET STORAGE

My understanding of this code is that it will indicate it is ready when there is a solid green light (LED G) and that it will facilitate Ethernet connectivity and Storage (Last line), it is also my understanding that this initializes a new network interface that can be seen with the commands "ip addr" or "ifconfig -a".

However this new interface does not appear to be configured yet and attempting to run the command

ssh root@172.16.64.1

does not result in the expected login prompt and eventually times out.

3. I've also attempted to run the bb.sh in order to share my hosts network connection, despite not being able to ssh into 172.16.64.1 IP. The script appears to work until you attempt to connect with it, and then it just hangs.

Any ideas on how to ssh into the BashBunny?

 

Thanks, Jay
 

Edited by Jay314
Solution found.
1

Share this post


Link to post
Share on other sites

switch your attackmode to STORAGE ECM_ETHERNET

1

Share this post


Link to post
Share on other sites
8 minutes ago, b0N3z said:

switch your attackmode to STORAGE ECM_ETHERNET

I changed the payload to read:

ATTACKMODE STORAGE ECM_ETHERNET

There doesn't appear to be any change, and I am curious why the ordering would matter?

0

Share this post


Link to post
Share on other sites

Can you show us the the payload.txt and its full path on the BB.

And the output of ifconfig after you have inserted it.

 

0

Share this post


Link to post
Share on other sites

Posted (edited)

@Lord_KamOS

When mounting /dev/sdb (the BB) to /mnt/external/, the full path to the Payload is:

/mnt/external/payloads/switch1/payload.txt

The contents of the payload reads:

#!/bin/bash
LED G
ATTACKMODE STORAGE ECM_ETHERNET

ifconfig -a entry for the new interface reads:

eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

 

Edited by Jay314
1

Share this post


Link to post
Share on other sites
9 minutes ago, Jay314 said:

When mounting /dev/sdb (the BB) to /mnt/external/, the full path to the Payload is:

/mnt/external/payloads/switch1/payload.txt

The contents of the payload reads:


#!/bin/bash
LED G
ATTACKMODE STORAGE ECM_ETHERNET

ifconfig -a entry for the new interface reads:


eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

 

Strange, i did the exact same thing and got a IP address.

 

0

Share this post


Link to post
Share on other sites

Firstly, what you could do is a live LED update. E.g.

LED W
ATTACKMODE ECM_ETHERNET STORAGE
LED G

Or you could use 'udisk_mount' to mount storage without using the STORAGE attackmode. This however does not allow you to access it at a USB.

I can SSH into my Bunny fine on Windows with RNDIS_ETHERNET, I'm not familiar with ECM_ETHERNET for Linux though. Also, there are some driver issues occasionally with ETHERNET modes and STORAGE mode.

0

Share this post


Link to post
Share on other sites
Just now, Lord_KamOS said:

Strange, i did the exact same thing and got a IP address.

 

Can I ask what Operating System you are using?

0

Share this post


Link to post
Share on other sites
2 minutes ago, Lord_KamOS said:

Strange, i did the exact same thing and got a IP address.

 

Yeah, so more than likely it's a driver issue...

0

Share this post


Link to post
Share on other sites
Just now, Jay314 said:

Can I ask what Operating System you are using?

Debian 8 

Can you try re-flashing the firmware.

 

 

0

Share this post


Link to post
Share on other sites
Just now, Dave-ee Jones said:

Yeah, so more than likely it's a driver issue...

Driver issue isn't likely, we're talking linux here, I'm on a debian system and the BB runs on debian also...

0

Share this post


Link to post
Share on other sites
Just now, Lord_KamOS said:

Debian 8 

Can you try re-flashing the firmware.

Sure, I'll let you know the results.

1

Share this post


Link to post
Share on other sites
16 minutes ago, Jay314 said:

Sure, I'll let you know the results.

if that does not work, can you try it on a different computer?

 

 

0

Share this post


Link to post
Share on other sites
2 minutes ago, Lord_KamOS said:

if that does not work, can you try it on a different computer?

 

 

Sure

1

Share this post


Link to post
Share on other sites
26 minutes ago, Lord_KamOS said:

if that does not work, can you try it on a different computer?

 

 

I just updated to version 1.3, but that didn't seem to make any difference, still not pulling an IP.

Just booted up my other linux system now, I'll let you know whether that solves the problem.

0

Share this post


Link to post
Share on other sites

Posted (edited)

46 minutes ago, Lord_KamOS said:

if that does not work, can you try it on a different computer?

 

 

Same results on a different machine (diff processors, diff Network Interface Card, diff mobo, same OS)

It starts a new interface but doesn't generate an IP

Edited by Jay314
1

Share this post


Link to post
Share on other sites

Okay so you can connect to the Bunny's network but you don't get an IP?
You can always set a static one? 172.16.64.20 should work?

0

Share this post


Link to post
Share on other sites

Remember that linux uses both RNDIS_ETHERNET and ECM_ETHERNET, since it wants to be compatible with both windows and unix(mac). Has the usage of both storage and another attack mode work at the same time before on linux, or could be something different.

1

Share this post


Link to post
Share on other sites

If you're doing it on Linux Debian, you should set the payload to RNDIS_ETHERNET

From my experience it doesn't work if I use ECM

0

Share this post


Link to post
Share on other sites
1 hour ago, HeadScratchCode said:

If you're doing it on Linux Debian, you should set the payload to RNDIS_ETHERNET

From my experience it doesn't work if I use ECM

It should be the other way around. RNDIS is a windows specific protocol that has support in Linux (though if you look at the source files, you will find comments on how it's kind of hacky). ECM ethernet is the way to go on Linux operating systems.

I have yet to see a full distribution that doesn't support ECM out of the box but supports RNDIS.

2

Share this post


Link to post
Share on other sites

Try taking off STORAGE.  I have done all other combos, including the newly working HID RDNIS_ETHERNET but never ethernet with storage.  In fact, I can't ssh into my bunny while in arming mode. :-P  I have to make a payload.txt for just the ethernet type of the OS I am on to get an IP.

0

Share this post


Link to post
Share on other sites
3 hours ago, PoSHMagiC0de said:

In fact, I can't ssh into my bunny while in arming mode. :-P  I have to make a payload.txt for just the ethernet type of the OS I am on to get an IP.

That's because arming mode doesn't start Ethernet. Once we have AUTO_ETHERNET working that will change. 

2

Share this post


Link to post
Share on other sites
27 minutes ago, Sebkinne said:

 Once we have AUTO_ETHERNET working that will change. 

Is this what I think it is?  An attack mode that will auto detect the best use ETHERNET attack mode.  

0

Share this post


Link to post
Share on other sites
2 minutes ago, b0N3z said:

Is this what I think it is?  An attack mode that will auto detect the best use ETHERNET attack mode.  

Yup, that's it. I have it working but it's a bit slow. There are some tricks to speed it up though, so once I finish that, I'll push out a new firmware. 

5

Share this post


Link to post
Share on other sites
On 19.6.2017 at 2:51 AM, Jay314 said:

Same results on a different machine (diff processors, diff Network Interface Card, diff mobo, same OS)

It starts a new interface but doesn't generate an IP

Did you get a shell?

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.