D14b0l1c

Active Members
  • Posts: 25

D14b0l1c's Achievements

  1. Thank you @dark_pyrro. I have tried this on a few devices, and it only works if I plug in a USB, trigger the debugging and then remove it, but once the device reboots, I am unable to get it to work again. After asking around, a pentester I know mentioned to try the USB Armory MkII - Hacker Warehouse; it does have the additional feature to attach the phone via USB, and this might be what is needed to trigger the debugger listener to activate on a non-rooted phone.
  2. It is an older model phone, Pixel 2 XL. I'll try on other devices when I get a chance. I am able to execute once USB Debugging services are running, but I can't get the bunny to restart adb services after device reboot. Thank you. Are your devices rooted? Did you reboot the phone and use the bunny to see if it executed without reestablishing the USB debugging connection over Wi-Fi or USB?

     This is me attempting it again and outputting the connection error. There is something on the phone side that is enabled when a typical USB is plugged in that enables the session. I am looking at ways to enable the connection over ethernet. Keep in mind once the connection is started, I can maintain it. I primarily need the Bash Bunny to restart this client-server connection after phone reboot; secondary is to run adb shell <command>.

     ```
     login as: root
     root@172.16.64.1's password:
     Bash Bunny by Hak5
     USB Attack/Automation Platform
     Last login: Wed Feb 28 15:36:05 2024 from 172.16.64.10
     root@bunny:~# dir
     adb_7.0.0+r33-1_armhf.deb                connection.txt
     android-libadb_7.0.0+r33-1_armhf.deb     dumpsys.txt
     android-libbase_7.0.0+r33-1_armhf.deb    ip.txt
     android-libcutils_7.0.0+r33-1_armhf.deb  udisk
     android-liblog_7.0.0+r33-1_armhf.deb     version.txt
     root@bunny:~# cat connection.txt
     unable to connect to 172.16.64.10:5555: Connection refused
     root@bunny:~# cat ip.txt
     172.16.64.10
     root@bunny:~# cat dumpsys.txt
     root@bunny:~#
     ```

     ```
     ATTACKMODE ECM_ETHERNET HID
     DELAY 2000
     QUACK STRING adb kill-server
     QUACK ENTER
     DELAY 1000
     QUACK STRING adb start-server
     QUACK ENTER
     DELAY 1000
     sleep 5
     TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
     cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq > /root/ip.txt
     adb connect ${TARGET_IP}
     adb connect ${TARGET_IP} > /root/connection.txt
     sleep 20
     adb shell dumpsys > /root/dumpsys.txt
     LED FINISH
     ```
  3. I don't understand how you're getting a connection. My daemon starts on 5307. The connection defaults to 172.16.64.10:5555 and I get an error. I even tried doing it from with bunny directly connected to phone. I ssh from phone into bunny.
  4. You're getting data in your file? I am getting the file created but nothing is in it. Looking at the output of each line, the connection isn't working.
  5. With the following I am able to SSH into the Bash Bunny from the phone using the Termius app, but still not getting anything from adb shell dumpsys -l. I know debugging is enabled and the command dumps; I did it already through the laptop.

     ```
     ATTACKMODE ECM_ETHERNET
     sleep 5
     TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
     cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq > /root/ip.txt
     adb connect ${TARGET_IP}
     sleep 20
     adb shell dumpsys -l > /root/dumpsyslist.txt
     LED FINISH
     ```
  6. I removed adb tcpip 5555 and included sleep 10.

     ```
     ATTACKMODE ECM_ETHERNET
     sleep 5
     TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
     cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq > /root/ip.txt
     adb connect ${TARGET_IP}
     sleep 10
     adb shell dumpsys battery > /root/battery.txt
     LED FINISH
     ```
  7. battery.txt gets created in the root directory but no data is being stored to it. I am getting an IP, so that's a plus!

     ```
     ATTACKMODE ECM_ETHERNET
     sleep 5
     TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
     cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq > /root/ip.txt
     adb tcpip 5555
     sleep 1
     adb connect ${TARGET_IP}
     adb shell dumpsys battery > /root/battery.txt
     LED FINISH
     ```

     ```
     login as: root
     root@172.16.64.1's password:
     Bash Bunny by Hak5
     USB Attack/Automation Platform
     Last login: Wed Feb 28 15:34:59 2024 from 172.16.64.64
     root@bunny:~# dir
     adb_7.0.0+r33-1_armhf.deb                battery.txt
     android-libadb_7.0.0+r33-1_armhf.deb     ip.txt
     android-libbase_7.0.0+r33-1_armhf.deb    udisk
     android-libcutils_7.0.0+r33-1_armhf.deb  version.txt
     android-liblog_7.0.0+r33-1_armhf.deb
     root@bunny:~# cat ip.txt
     172.16.64.10
     root@bunny:~# cat battery.txt
     root@bunny:~#
     ```
  8. I got the file created but it was empty; I am getting closer. I am not sure if the connection is working. I added the battery so if I can get at least that one to work I can get the bigger adb shell dumpsys -l and adb shell dumpsys.

     ```
     ATTACKMODE ECM_ETHERNET
     sleep 5
     TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
     adb tcpip 5555
     sleep 1
     adb connect ${TARGET_IP}
     adb shell dumpsys battery > /root/battery.txt
     LED FINISH
     ```
  9. Did you have to do USB Ethernet tethering in your phone? I see what you did, and it makes sense. I even see that the phone reads the ethernet connection for the bunny in the USB tethering settings it goes from greyed out to black for enablement.
  10. I had the bunny connected to my laptop at the same time as the phone and was going to attempt to see if I could share the connection through my Windows box. Then I found a few links (example of video below) and forums on how to SSH over Bluetooth; this will be a different project. I tried the code you provided, and I am still having issues with the connection to the phone. When you ran your code, were you able to execute adb shell commands like "adb shell dumpsys -l"?

      Please help and thank you in advance,
      -D14b0l1c
  11. I am able to execute via the bunny command line but it's not connecting or showing any signs to connect. The phone isn't recognizing the bunny as a client the same way it does my Pi and laptop, so when the commands execute it's not working. Afterwards I added the adb usb; below is a demonstration of what happens when my laptop USB has been successfully recognized and adb usb works. Laptop before (no devices/emulators found) and after USB is plugged in (restarting in USB mode, connecting the device and running adb devices, displaying the serial number of the phone the laptop is connected to):

      ```
      Microsoft Windows [Version 10.0.22631.3235]
      (c) Microsoft Corporation. All rights reserved.

      C:\Users\Stude>adb usb
      error: no devices/emulators found

      C:\Users\Stude>adb usb
      restarting in USB mode

      C:\Users\Stude>adb devices
      List of devices attached
      710KPZK0409189 device
      ```

      Do you think it would be a good idea to export the following commands to a text file: adb usb > adbusb.txt, adb devices > device.txt, and adb tcpip 5555 > tcpip.txt? The below is what the bunny will look like if the bunny and phone are not seeing each other.

      ```
      login as: root
      root@172.16.64.1's password:
      Bash Bunny by Hak5
      USB Attack/Automation Platform
      Last login: Wed Feb 28 16:29:06 2024 from 172.16.64.64
      root@bunny:~# adb usb
      error: no devices/emulators found
      root@bunny:~# adb devices
      List of devices attached

      root@bunny:~#
      ```

      Your thoughts:

      ```
      ATTACKMODE ECM_ETHERNET STORAGE
      sleep 5
      /usr/bin/adb usb > /loot/adbusb.txt
      sleep 1
      /usr/bin/adb devices > /loot/devices.txt
      sleep 1
      /usr/bin/adb tcpip 5555 > /loot/tcpip.txt
      LED FINISH
      ```

      Please help and thank you in advance,
      -D14b0l1c
  12. The following GitHub is the closest example of what I am looking to do: bashbunny-payloads/payloads/library/mobile/android/fireytv/payload.txt at master · hak5/bashbunny-payloads · GitHub. My focus is an Android phone, and I don't want to upload an APK. I do want to run adb commands. Based on my understanding of reading this, my payload would look something like:

      ```
      LED SETUP
      GET TARGET_IP
      GET SWITCH_POSITION
      ATTACKMODE ECM_ETHERNET
      adb tcpip 5555
      adb connect ${TARGET_IP}
      LED FINISH
      ```

      Or would creating a Bash script executing the commands be a better alternative or even possible? Based on reading the rdp_checker bashbunny-payloads/payloads/library/recon/rdp_checker/payload.txt at master · hak5/bashbunny-payloads · GitHub, it appears I could create a script, store it in /tools and call it in the payload.txt.

      Please help and thank you in advance,
      -D14b0l1c
  13. The ENTER was from when I had QUACK in front; I just removed QUACK and left the ENTER there.
  14. Thank you for addressing my ATTACKMODE syntax; my mistake, I overlooked that being impatient.

      ADB consists of three components:

      Client: The client runs on your development machine (your computer). You can invoke it from a command-line terminal by issuing an ADB command. Essentially, I want to execute adb usb and adb tcpip 5555 as if it is from the bunny terminal. After reading readme.txt, this is what made me think to include ECM_ETHERNET. The HID was included later on when I thought I needed to manually start the adbd server, so I added QUACK STRING adb kill-server; QUACK ENTER; DELAY 1000; QUACK STRING adb start-server; QUACK ENTER.

      Daemon (adbd): This runs on the Android device itself. It executes commands sent from the client. Typically, this starts when I start running the commands from the Client.

      Server: The server manages communication between the client and the daemon. It runs as a background process on your development machine. When you start an ADB client, it checks if there’s already an ADB server process running. If not, it starts the server. The server binds to local TCP port 5037 and listens for commands from ADB clients. It sets up connections to all running devices (physical devices or emulators). ADB locates emulators by scanning odd-numbered ports in the range 5555 to 5585. Each emulator uses a pair of sequential ports: an even-numbered port for console connections and an odd-numbered port for ADB connections. For example:

      Emulator 1, console: 5554
      Emulator 1, ADB: 5555

      Based on what you mentioned above and what I read, I didn't even have my ATTACKMODE syntax correct. For the other part, I wanted to execute as a command line command not on the Android phone, but on the bunny.

      Please help and thank you in advance,
      -D14b0l1c
  15. So far this is what I have built out. I think I am off with my IP connection. I am able to get daemon to start on tcp:5307. My "adb connect 172.16.64.1:5555" times out.

      ```
      # Set Bash Bunny to ECM Ethernet mode
      LED B SLOW
      ATTACKMODE ECM_ETHERNET
      ATTACKMODE HID
      DELAY 2000
      QUACK STRING adb kill-server
      QUACK ENTER
      DELAY 1000
      QUACK STRING adb start-server
      QUACK ENTER
      DELAY 1000
      adb usb
      ENTER
      adb tcpip 5555
      ENTER
      QUACK STRING adb connect 172.16.64.1:5555
      QUACK ENTER
      LED FINISH
      ```
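
The ADB port layout quoted in post 14 (server on 5037, console/ADB port pairs from 5554 to 5585) can be checked on a machine by classifying its listening sockets. This is an added example, not code from the original posts; the function names and the `ss -ltn` sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original posts): classify listening TCP sockets
# against the ADB port layout quoted above. Input is `ss -ltn`-style text.

# Constructed sample input; addresses and ports are illustrative only.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:5037     0.0.0.0:*
LISTEN 0      4      0.0.0.0:5555       0.0.0.0:*
LISTEN 0      1      127.0.0.1:5554     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::1]:5557         [::]:*
EOF
}

# Reads `ss -ltn` output on stdin and prints "<exposure> <port> <role> <addr>"
# for every listener on an ADB-related port. Other ports are ignored.
audit_adb_listeners() {
    awk '
    $1 == "LISTEN" {
        n = split($4, parts, ":")
        port = parts[n] + 0
        # Everything before the final ":port" is the bind address.
        addr = substr($4, 1, length($4) - length(parts[n]) - 1)
        if (port == 5037)
            role = "adb-server"          # host-side server port
        else if (port >= 5554 && port <= 5585)
            role = (port % 2) ? "adb-transport" : "emulator-console"
        else
            next
        loopback = (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./)
        printf "%s %d %s %s\n", (loopback ? "local" : "EXPOSED"), port, role, addr
    }'
}

# Stand-alone run over the constructed sample.
sample_ss_output | audit_adb_listeners
```

On a live host, pipe `ss -ltn` into `audit_adb_listeners`; an `EXPOSED` line means an ADB-related port is bound to a non-loopback address.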