Darren Kitchen

Hey yall - I'll chime in with some clarity regarding the warranty stuff. The Hak5 limited warranty covers defects in material or workmanship of new Hak5 products. What that means is we cover hardware faults, and guarantee our official software releases. While we can't possibly guarantee 3rd party modules/payloads/modifications - we do make a best effort to ensure that software contributions accepted into our repositories are of acceptable quality. I must say we have a great sense of pride building these easy to use penetration testing platforms -- and as platforms we encourage the community to contribute. We don't limit your access, and in fact go as far as to make access as convenient as possible. For example, the dedicated serial console from the Bash Bunny arming mode, the unlocked DFU bootloader of the Rubber Ducky, the onboard UART of the WiFi Pineapple TETRA. But as hacker hardware, there are certain risks associated with being root that we cannot guarantee. Knowing this we make a best effort to ensure that recovering is as easy as possible, should something go terribly wrong. Though even our best efforts can be thwarted by the wrong DD command. When you say "Its a simple fix drop the firmware file on the bunny and flash it again makes it like new again." that tells us we're doing our jobs right - making it easy to recover. But we don't want to give the impression that it's infallible. The Bash Bunny relies on a recovery partition, bootloader and other elements so that dropping a firmware file on it "makes it like new again". We're rightfully wary of things that could disrupt the recovery, because we don't want you to get locked out of your device. It's never fun. I'm not saying don't tinker - and I think it's great that you have 15+ years of experience with Linux. I'm sure that if you really get locked out you won't be the type opposed to soldering on UART jumpers to the pads on the PCB -- but that's not "normal use case" and something we can't guarantee. We just don't want to give the wrong impression to a newcomer that's a complete Linux beginner, because unlike a full fledged PC - the Bash Bunny isn't as easy for everyone to fix should it get completely bricked. Hell, I'm no Linux noob and even I can hose a system with DD. (note to self, IF= input file, OF= output file) ;-) In short, with root comes responsibility, and, in this case - if you brick it, you bought it. PS: The Bash Bunny has not been certified by the ADA as an adequate dental hygiene instrument.

Changlog is linked from the downloads page at https://bashbunny.com/downloads Direct link: https://storage.googleapis.com/bashbunny_updates/ch_fw_1.3-changelog.txt

First

This is an extension waiting to happen. I'd imagine DETECTOS would spit back version based on a scan. We're looking at building an AUTO_ETHERNET ATTACKMODE which will try ECM_ETHERNET then fail over to RNDIS_ETHERNET if the target does not obtain an IP in X seconds (or possibly the other way around). nmap can do an OS scan, as can p0f (included in the firmware). I agree that this sort of extension would be really useful in having more complex and intelligent payloads that make decisions based on various conditions including OS version. I'm keen on seeing its development. PoSHMagiC0de is correct that it could be done via powershell commands - though I think the less hacky way would be to scan the target via the pocket network in the first stage, then launch the appropriate second stage depending on the results.

Introducing Bash Bunny firmware v1.1 A feature packed firmware awaits Bash Bunny users just one month after release. We've excited to announce version 1.1, including many new features, conveniences, bug fixes and refined experiences. The newly improved LED command adds patterns in addition to variable blinks, as well as standardized payload states for common stages such as setup, attack, cleanup and finish. The Bash Bunny framework now includes support for extensions which augment the bunny scripting language with new commands and functions. Tools can now be installed with ease by copying .deb packages or entire directories to the dedicated /tools folder on the flash drive in arming mode. Updating ducky languages is now just a matter of copying json files to the dedicated /languages folder on the flash drive in arming mode. Many more features, fixes and experiences in the full changelog - so hop on over to BashBunny.com/downloads and nab version 1.1 today! (\_/)

If the target is Linux you could use a HID attack to inject the keystrokes keystrokes necessary to setup Internet Connection Sharing via iptables. You'll find the commands in bb.sh For Windows hosts there *should* be a way with powershell - but every time I've gone looking for a convenient way I've come up empty handed. ?

One thing I would recommend is adding a sync command to the end to synchronize the udisk file system. Another method would be to temporarily store the loot in /root/loot, then once successful go ahead and move it to the udisk partition at /root/udisk/loot, etc and be sure to once again sync the FS.

One solution would be to use HID only in stage 1, then switch from HID to just STORAGE in stage 2. Not knowing what payload you're referring to I'm not sure exactly what the stager would look like - so if you can provide any insight on that it would be helpful.

Wow - bringing it back to the USB Switchblade days. Sure, one could. CD-ROM emulation is on the list - though unless you're encountering unmatched XP systems in your audits, it's likely not going to be too helpful. ...then again... /me counts the XP boxes he's seen in the last two weeks...

Exactly the purpose of bunny_helpers.sh and something I'll be covering here soon.

Will add this to the framework wish list

This payload exfiltrates specified documents to the Bash Bunny via SMB (Windows File Sharing). https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/smb_exfiltrator The first stage injects keystrokes into the run dialog. The powershell one-liner wait until the Bash Bunny appears as a network, then copies files and exits. The powershell runs in a minimized state to limit visual impact on the target. The second stage switches the attack mode from HID to RNDIS_ETHERNET and sets up an SMB server using Impacket. It then waits for files to finish copying from the target to a temp directory. Once exfiltration is complete, files are moved to a named and numbered loot directory on the USB disk partition. A video walk-through can be found on Hak5 episode 2202: https://www.youtube.com/watch?v=VPhqD__lOBQ Version 1.0 of this payload uses conservative delay values and is not optimized yet for speed. A number of powershell aliases and shortcuts can be used to limit the first stage, while the function which waits for files to finish copying can also be improved. Hope you like guys! Cheers from Indonesia :) --Darren

Yes, we should absolutely hire that guy to do our marketing. Anyway, thanks for the wish list. :)

Very cool! I don't have one of my own to test with, just wanted to say this sounds really neat :)