D14b0l1c
-
Posts
25 -
Joined
-
Last visited
Posts posted by D14b0l1c
-
-
On 3/4/2024 at 11:35 PM, dark_pyrro said:
I guess you have to investigate what capabilities your phone has. Obviously the Bunny is capable of doing this (since my tests are successful), and if it's not working, it's logic to assume that any limitations are on the "phone side". I've successfully recreated this on 3 different Android devices now.
It is an older model phone, Pixel 2 XL. I'll try on other devices when I get a chance. I am able to execute once USB Debugging services are running but I can't get the bunny to restart adb services after device reboot. Thank you.
Are your devices rooted? Did you reboot phone and use bunny to see if it executed without reestablishing USB debugging connection over Wi-Fi or USB?
This is me attempting it again and outputting the connection error. There is something on the phone side that is enabled when a typical USB plugged in that enables the session. I am looking at ways to enable the connection over ethernet.
Keep in mind once the connection is started, I can maintain it. I primarily need bash bunny to restart this client server connection after phone reboot, secondary is to run adb shell <command>.
login as: root
root@172.16.64.1's password:
_____ _____ _____ _____ _____ _____ _____ _____ __ __
(\___/) | __ || _ || __|| | | | __ || | || | || | || | |
(='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _|
(")_(") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_|
Bash Bunny by Hak5 USB Attack/Automation PlatformLast login: Wed Feb 28 15:36:05 2024 from 172.16.64.10
root@bunny:~# dir
adb_7.0.0+r33-1_armhf.deb connection.txt
android-libadb_7.0.0+r33-1_armhf.deb dumpsys.txt
android-libbase_7.0.0+r33-1_armhf.deb ip.txt
android-libcutils_7.0.0+r33-1_armhf.deb udisk
android-liblog_7.0.0+r33-1_armhf.deb version.txt
root@bunny:~# cat connection.txt
unable to connect to 172.16.64.10:5555: Connection refused
root@bunny:~# cat ip.txt
172.16.64.10
root@bunny:~# cat dumpsys.txt
root@bunny:~#
ATTACKMODE ECM_ETHERNET HID
DELAY 2000
QUACK STRING adb kill-server
QUACK ENTER
DELAY 1000QUACK STRING adb start-server
QUACK ENTER
DELAY 1000sleep 5
TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq > /root/ip.txtadb connect ${TARGET_IP}
adb connect ${TARGET_IP} > /root/connection.txtsleep 20
adb shell dumpsys > /root/dumpsys.txt
LED FINISH
-
5 minutes ago, dark_pyrro said:
If adding adb shell dumpsys -l to the payload (and write the output to a file on the Bunny), it works
I don't understand how you're getting a connection. My daemon starts on 5307. The connection defaults to 172.16.64.10:5555 and I get an error. I even tried doing it from with bunny directly connected to phone. I ssh from phone into bunny.
-
11 minutes ago, dark_pyrro said:
I can't recreate that scenario. If adding adb shell dumpsys -l to the payload (and write the output to a file on the Bunny), it works.
You're getting data in your file? I am getting file created but nothing is in it. Looking at the output of each line the connections isn't working.
-
With the following I am able to SSH into bashbunny from phone using termius app, but still not getting anything from adb shell dumpsys -l. I know debugging is enabled and the command dumps I did it already through laptop.
ATTACKMODE ECM_ETHERNET
sleep 5
TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq > /root/ip.txt
adb connect ${TARGET_IP}sleep 20
adb shell dumpsys -l > /root/dumpsyslist.txt
LED FINISH -
I removed adb tcpip 5555 and included sleep 10.
ATTACKMODE ECM_ETHERNET
sleep 5
TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq > /root/ip.txt
adb connect ${TARGET_IP}sleep 10
adb shell dumpsys battery > /root/battery.txt
LED FINISH -
battery.txt gets created in root directory but not data is being stored to it. I am getting an IP, so that's a plus!
ATTACKMODE ECM_ETHERNET
sleep 5
TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq > /root/ip.txt
adb tcpip 5555
sleep 1
adb connect ${TARGET_IP}
adb shell dumpsys battery > /root/battery.txt
LED FINISHlogin as: root
root@172.16.64.1's password:
_____ _____ _____ _____ _____ _____ _____ _____ __ __
(\___/) | __ || _ || __|| | | | __ || | || | || | || | |
(='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _|
(")_(") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_|
Bash Bunny by Hak5 USB Attack/Automation PlatformLast login: Wed Feb 28 15:34:59 2024 from 172.16.64.64
root@bunny:~# dir
adb_7.0.0+r33-1_armhf.deb battery.txt
android-libadb_7.0.0+r33-1_armhf.deb ip.txt
android-libbase_7.0.0+r33-1_armhf.deb udisk
android-libcutils_7.0.0+r33-1_armhf.deb version.txt
android-liblog_7.0.0+r33-1_armhf.deb
root@bunny:~# cat ip.txt
172.16.64.10
root@bunny:~# cat battery.txt
root@bunny:~#
-
19 minutes ago, D14b0l1c said:
I added adb shell dumpsys battery > /root/adb_batt.log to my previously posted payload code and it worked as expected.
I got the file created but it was empty, I am getting closer. I am not sure if the connection is working. I added the battery so if can get at least that one to work I can get the bigger adb shell dumpsys -l and adb shell dumpsys.
ATTACKMODE ECM_ETHERNET
sleep 5
TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
adb tcpip 5555
sleep 1
adb connect ${TARGET_IP}
adb shell dumpsys battery > /root/battery.txt
LED FINISH -
5 minutes ago, dark_pyrro said:
I added adb shell dumpsys battery > /root/adb_batt.log to my previously posted payload code and it worked as expected.
Did you have to do USB Ethernet tethering in your phone? I see what you did, and it makes sense. I even see that the phone reads the ethernet connection for the bunny in the USB tethering settings it goes from greyed out to black for enablement.
-
9 hours ago, dark_pyrro said:
How did you execute these commands if your Bunny was connected to the phone? From the phone itself via serial or ssh?
I had the bunny connected to my laptop same time as phone and was going to attempt to see if I could share the connection through my windows box, then I found few links (example of video below) and forums on how to ssh over Bluetooth, this will be a different project.
I tried the code you provided, and I am still having issues with connection to the phone. When you ran your code were you able to execute adb shell commands like "adb shell dumpsys -l"?
Please help and thank you in advance,
-D14b0l1c -
10 hours ago, dark_pyrro said:
ATTACKMODE ECM_ETHERNET sleep 5 TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq) /usr/bin/adb tcpip 5555 sleep 1 /usr/bin/adb connect ${TARGET_IP} LED FINISH
I am able to execute via bunny command line but it's not connecting or showing any signs to connect, the phone isn't recognizing the bunny as a client the same way it does my pi and laptop, so when the commands execute its not working.
Afterwards I added the adb usb below is demonstration of what happens when my laptop usb has been successfully recognized and adb usb works.
Laptop before (no devices/emulators found) and after usb is plugged in (restarting in USB mode connecting the device and running adb devices displaying the serial number of phone the laptop is connected too):
Microsoft Windows [Version 10.0.22631.3235]
(c) Microsoft Corporation. All rights reserved.C:\Users\Stude>adb usb
error: no devices/emulators foundC:\Users\Stude>adb usb
restarting in USB modeC:\Users\Stude>adb devices
List of devices attached
710KPZK0409189 deviceDo you think it would be a good idea to export the following commands to a text adb usb > adbusb.txt, adb devices > device.txt, and adb tcpip 5555 > tcpip.txt.
The below is what bunny will look like if the bunny and phone are not seeing each other.
login as: root
root@172.16.64.1's password:
_____ _____ _____ _____ _____ _____ _____ _____ __ __
(\___/) | __ || _ || __|| | | | __ || | || | || | || | |
(='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _|
(")_(") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_|
Bash Bunny by Hak5 USB Attack/Automation PlatformLast login: Wed Feb 28 16:29:06 2024 from 172.16.64.64
root@bunny:~# adb usb
error: no devices/emulators found
root@bunny:~# adb devices
List of devices attachedroot@bunny:~#
Your thoughts:
ATTACKMODE ECM_ETHERNET STORAGE
sleep 5
/usr/bin/adb usb > /loot/adbusb.txt
sleep 1
/usr/bin/adb devices > /loot/devices.txt
sleep 1
/usr/bin/adb tcpip 5555 > /loot/tcpip.txtLED FINISH
Please help and thank you in advance,
-D14b0l1c -
The following GitHub is the closes example of what I am looking to do bashbunny-payloads/payloads/library/mobile/android/fireytv/payload.txt at master · hak5/bashbunny-payloads · GitHub.
My focus is an android phone, and I don't want to upload an APK. I do want to run adb commands. Based on my understanding of reading this my payload would look something like:
LED SETUP
GET TARGET_IP
GET SWITCH_POSITION
ATTACKMODE ECM_ETHERNET
adb tcpip 5555
adb connect ${TARGET_IP}
LED FINISHOr would creating a Bash script executing the commands be a better alternative or even possible? Based on reading the rdp_checker bashbunny-payloads/payloads/library/recon/rdp_checker/payload.txt at master · hak5/bashbunny-payloads · GitHub, it appears I could create a script store it in /tools and call it in the payload.txt.
Please help and thank you in advance,
-D14b0l1c -
On 3/1/2024 at 5:04 PM, dark_pyrro said:
Using ATTACKMODE this way will kill the network on the Bunny straight away and it will just work as a HID device for the rest of the payload.
If you want HID (keyboard) and network at the same time, you need to specify it on the same line, such as:
ATTACKMODE HID ECM_ETHERNET
From the docs: "ATTACKMODE is a DuckyScript command which specifies which devices to emulate. The ATTACKMODE command may be issued multiple times within a given payload. For example, a payload may begin by emulating Ethernet, then switch to emulating a keyboard and serial later based on a number of conditions."
https://docs.hak5.org/bash-bunny/writing-payloads/attackmode
I would really advise you to read the documentation instead of blindly executing commands. It will save you time.
Not sure what you want ENTER to do here. It's not a DuckyScript command and it's not Bash.
The ENTER was from when I had QUACK in front I just removed QUACK and left the ENTER there.
-
Thank you for the addressing my ATTACKMODE syntax, my mistake I overlooked that being impatient.
ADB consists of three components:
Client: The client runs on your development machine (your computer). You can invoke it from a command-line terminal by issuing an ADB command.
- Essentially want to execute adb usb and adb tcpip 5555 as if it is from the bunny terminal. After reading readme.txt this is what made me think to include ECM_ETHERNET.
- The HID was included later on when I thought I needed to manually start the adbd server, so I added QUACK STRING adb kill-server; QUACK ENTER; DELAY 1000; QUACK STRING adb start-server; QUACK ENTER.
Daemon (adbd): This runs on the Android device itself. It executes commands sent from the client.
- Typically, this starts when I start running the commands from the Client.
Server: The server manages communication between the client and the daemon. It runs as a background process on your development machine.
When you start an ADB client, it checks if there’s already an ADB server process running. If not, it starts the server. The server binds to local TCP port 5037 and listens for commands from ADB clients. It sets up connections to all running devices (physical devices or emulators). ADB locates emulators by scanning odd-numbered ports in the range 5555 to 5585. Each emulator uses a pair of sequential ports: an even-numbered port for console connections and an odd-numbered port for ADB connections.
For example:
Emulator 1, console: 5554
Emulator 1, ADB: 5555Based on what you mentioned above and what I read I didn't even have my ATTACKMODE syntax correct. For the other part I wanted to execute as a command line command not the Android phone, but on the bunny.
Please help and thank you in advance,
-D14b0l1c -
So far this is what I have built out I think I am off with my IP connection. I am able to get daemon to start on tcp:5307
My "adb connect 172.16.64.1:5555" times out# Set Bash Bunny to ECM Ethernet mode
LED B SLOW
ATTACKMODE ECM_ETHERNET
ATTACKMODE HIDDELAY 2000
QUACK STRING adb kill-server
QUACK ENTER
DELAY 1000QUACK STRING adb start-server
QUACK ENTER
DELAY 1000adb usb
ENTER
adb tcpip 5555
ENTERQUACK STRING adb connect 172.16.64.1:5555
QUACK ENTERLED FINISH
-
I am still unable to get the device to work as needed. I read the readme.txt file and it mentions:
ECM_ETHERNET ECM Ethernet Control Model Linux/Mac/AndroidI started building using ATTACKMODE ECM_ETHERNET, but still no luck on getting it to trigger the phones USB debugging.
The phone is in developer mode and has USB debugging enabled. I am able to do USB debugging from my laptop via USB, I am able to do Wi-Fi debugging on the same network with only two phones, and I am able to plug the phones directly into each other via USB and trigger the USB debugging. But for whatever reason when I plug bash bunny in, it does not work. I am aware it's most like something I am doing incorrectly.
But my intention is to be able to trigger the phone to read the bash bunny as another device so I can create payload to execute:
adb tcpip 5555The other alternative I seen is to reflash the bash bunny to run a different operating system, but there's so much that goes into that. I can't seem to understand or find why bash bunny can execute onto the Android device, but the Android doesn't read the bash bunny in a way to trigger the USB debugging. Attached are
Attachments Explanation:
bash bunny payload - screenshot of payload pushing the text to the phone, connection not working.After USB-C connection between laptop and phone:
laptop command line - me executing adb commands laptop.
USB connection working - showing on the phone that the connection established.
display of USB debugging triggered via USB cable - display of USB debugging being activated when USB cabble plugged inPlease help and thank you in advance,
-D14b0l1c
-
ATTACKMODE HID
LED SETUPQUACK STRING "adb usb"
QUACK ENTER
sleep 2
QUACK STRING "adb tcpip 5555"
QUACK ENTERLED FINISH
Pushes the commands "adb usb" and "adb tcpip 5555" to phone (I have screenshots).
What I am trying to do is to have the bash bunny be read as if it's a usb device to enable usb debugging (same as if I am plugging my laptop or pi into the phone).
Run on bash bunny as if I am on the laptop or pi command line (I have screenshots):
adb usb
adb tcpip 5555Then on phone I am able to physically click the adb toolbox app connect and unplug usb. This command line interface allows me to run adb shell commands such as adb shell dumpsys -l (I have screenshots of this).
I am attempting to figure out how to get bash bunny to be detected and enable the usb debugging feature then locally exectue the "adb usb" and "adb tcpip 5555".
If I figure this out before any response I will respond with the solution, but any guidance and help is very much appreciated.
Thank you in advance,
-D14b0l1c
-
Wait for bash bunny to be recognized before executing the commands. I am going to assume based on you asking it's not needed.
ATTACKMODE HID
LED SETUPQUACK STRING "adb usb"
QUACK ENTER
sleep 2
QUACK STRING "adb tcpip 5555"
QUACK ENTERLED FINISH
Save this as adbpayload.txt in switch1/payload?
-
The app just allows me to run adb shell commands from the phone after I set up the connection from the laptop using the following commands:
adb usb
adb tcpip 5555I am able to disconnect phone from laptop after doing this and use the app to conduct adb shell commands, problem comes when phone dies or restarts. Then I have to plug it back into laptop to restart server and I don't always have a computer with me.
What I would like to do is alleviate the laptop and have the bash bunny restart the server.
ATTACKMODE HID
LED SETUPwhile [ ! -d /media/BASHBUNNY ]; do
sleep 1
doneQUACK STRING "adb usb"
QUACK ENTER
sleep 2
QUACK STRING "adb tcpip 5555"
QUACK ENTERLED FINISH
-
In the below post I mentioned the project I had built I decided to incorporate bash bunny as a means to get server running. I was able to get my adb installed onto my bash bunny.
After some additional research I was trying to attempt my first payload:
SWITCH 1/Payload
ATTACKMODE HID
LED SETUP
adb usb
adb tcpip 5555
LED FINISHWhen I plug my phone into usb and run:
adb usb
adb tcpipI connect via the below app, and I am able to run all my "adb shell" commands. I would like to be able to use the bash bunny payload, so I don't have to connect to a laptop.
ADB Shell - Debug Toolbox - Apps on Google Play
Please help and thank you in advance,
-D14b0l1c -
Thank You!!!
root@bunny:~# man adb
ADB(1) adb Manuals ADB(1)NAME
adb - Android Debug BridgeSYNOPSIS
adb [-d|-e|-s serialNumber] commandDESCRIPTION
Android Debug Bridge (adb) is a versatile command line tool that lets
you communicate with an emulator instance or connected Android-powered
device. It is a client-server program that includes three components:o A client, which sends commands. The client runs on your development
machine. You can invoke a client from a shell by issuing an adb com-
mand. Other Android tools such as DDMS also create adb clients.o A daemon, which runs commands on a device. The daemon runs as a
background process on each emulator or device instance.o A server, which manages communication between the client and the dae-
mon. The server runs as a background process on your development ma-
chine.If there's only one emulator running or only one device connected, the
adb command is sent to that device by default. If multiple emulators
are running and/or multiple devices are attached, you need to use the
-d, -e, or -s option to specify the target device to which the command
should be directed.OPTIONS
-a Directs adb to listen on all interfaces for a connection.-d Directs command to the only connected USB device. Returns an
error if more than one USB device is present.-e Directs command to the only running emulator. Returns an error
if more than one emulator is running.-s specific device
Directs command to the device or emulator with the given serial
number or qualifier. Overrides ANDROID_SERIAL environment vari-
able.-p product name or path
Simple product name like sooner, or a relative/absolute path to
a product out directory like out/target/product/sooner. If -p
is not specified, the ANDROID_PRODUCT_OUT environment variable
is used, which must be an absolute path.-H Name of adb server host (default: localhost)
-P Port of adb server (default: 5037)
COMMANDS
adb devices [-l]
List all connected devices. -l will also list device quali-
fiers.adb connect host[:port]
Connect to a device via TCP/IP. Port 5555 is used by default if
no port number is specified.
-
Goal is to build payload that restarts the adb service if phone restarts without having to connect phone back into laptop.
Currently I am able to setup the phone, not rooted:
- adb device connection
- sustain server connection once device is unplugged from usb without using wifi (requires additional applications)
- able to establish connection back to laptop over cellular network, not wifi (requires additional applications)
Once phone dies or restarts, the original server session is killed, I have use laptop and/or pi to restart the server.
I have just opened my bash bunny to build this out as one of my first use cases. From my research I seen I needed to install adb toolkit, so I first ran "apt -y update && apt -y upgrade" and I start getting 404 errors. From that I did research on the 404 errors and was directed to looking into "/etc/apt/sources.list". Keep in mind I am able to ping out "ping 8.8.8.8" from bad bunny.
The following was the first issue I had:
root@bunny:~# apt update
Get:1 http://archive.debian.org jessie-backports InRelease [166 kB]
Ign http://archive.debian.org jessie-backports InRelease
Ign http://archive.debian.org jessie-backports/main Sources/DiffIndex
Ign http://archive.debian.org jessie-backports/main armhf Packages/DiffIndex
Get:2 http://archive.debian.org jessie-backports/contrib Translation-en [6946 B]
Get:3 http://archive.debian.org jessie-backports/contrib armhf Packages [7980 B]
Get:4 http://archive.debian.org jessie-backports/non-free armhf Packages [6692 B]
Hit http://archive.debian.org jessie-backports/main Translation-en
Hit http://archive.debian.org jessie-backports/main Sources
Ign http://archive.debian.org jessie-backports/non-free Translation-en
Err http://archive.debian.org jessie-backports/main armhf Packages
404 Not Found [IP: 151.101.66.132 80]
Fetched 188 kB in 6min 9s (508 B/s)
W: GPG error: http://archive.debian.org jessie-backports InRelease: The following signatures were invalid: KEYEXPIRED 1587841717 KEYEXPIRED 1587841717 KEYEXPIRED 1587841717 KEYEXPIRED 1587841717 KEYEXPIRED 1587841717 KEYEXPIRED 1668891673 W: Failed to fetch http://archive.debian.org/debian/dists/jessie-backports/main/binary-armhf/Packages 404 Not Found [IP: 151.101.66.132 80] E: Some index files failed to download. They have been ignored, or old ones used instead.I ran:
apt-key adv --refresh-keys --keyserver hkp://keys.gnupg.net
apt-key adv --refresh-keys --keyserver hkp://keyserver.ubuntu.comI made the following changes to the /etc/apt/sources.list:
deb http://archive.debian.org/debian jessie-backports main
deb-src http://archive.debian.org/debian jessie-backports main
deb http://archive.debian.org/debian jessie-backports contrib
deb http://archive.debian.org/debian jessie-backports non-freeNow I am getting:
E: The value 'jessie' is invalid for APT::Default-Release as such a release is not available in the sources
I have reverted back to the original sources.list:
deb http://archive.debian.org/debian jessie-backports main
deb-src http://archive.debian.org/debian jessie-backports mainI am still getting the following error:
E: The value 'jessie' is invalid for APT::Default-Release as such a release is not available in the sources
Please help and thank you in advance,
-D14b0l1c
SWITCH 1 adb usb | adb tcpip 5555 payload build help
in Payloads
Posted
Thank you @dark_pyrro, I have tried this on a few devices and it only works if I plug in a USB trigger the debugging and then remove, but once device reboots, I am unable to get it to work again.
After asking around, a pentester I know mentioned to try the USB Armory MkII - Hacker Warehouse it does have the additional feature to attach the phone via USB and this might be what is needed to trigger the debugger listener to activate on a non-rooted phone.