Darren Kitchen
Posts posted by Darren Kitchen

  1. You forgot 

    # Pass the target's traffic straight through
    NETMODE TRANSPARENT
    wget https://packetsquirrel.com
    # Wait up to one minute for a button press: the first block runs on a
    # press, the second if the timeout expires first
    BUTTON 1m && {
      echo "Discount unlocked!"
      LED FINISH
    } || {
      echo "Timeout dude!"
      LED FAIL
    }


    • Like 3
    • Upvote 1
  2. Awesome payload. Neat concept of a powershell reverse shell stager to kick off commands by netcat.

    It's a shame the powershell netcat interpreter is 342 characters long - necessitating opening and obfuscating a cmd window. I wonder if it could be whittled down to fit in the run dialog with its 260 max length.

    Something like

    cmd /c "start /MIN powershell <command goes here>"


  3. Hey yall - I'll chime in with some clarity regarding the warranty stuff.

    The Hak5 limited warranty covers defects in material or workmanship of new Hak5 products. What that means is we cover hardware faults, and guarantee our official software releases. While we can't possibly guarantee 3rd party modules/payloads/modifications - we do make a best effort to ensure that software contributions accepted into our repositories are of acceptable quality.

    I must say we have a great sense of pride building these easy to use penetration testing platforms -- and as platforms we encourage the community to contribute. We don't limit your access, and in fact go as far as to make access as convenient as possible. For example, the dedicated serial console from the Bash Bunny arming mode, the unlocked DFU bootloader of the Rubber Ducky, the onboard UART of the WiFi Pineapple TETRA.

    But as hacker hardware, there are certain risks associated with being root that we cannot guarantee. Knowing this we make a best effort to ensure that recovering is as easy as possible, should something go terribly wrong. Though even our best efforts can be thwarted by the wrong DD command.

    When you say "Its a simple fix drop the firmware file on the bunny and flash it again makes it like new again." that tells us we're doing our jobs right - making it easy to recover. But we don't want to give the impression that it's infallible. 

    The Bash Bunny relies on a recovery partition, bootloader and other elements so that dropping a firmware file on it "makes it like new again". We're rightfully wary of things that could disrupt the recovery, because we don't want you to get locked out of your device. It's never fun.

    I'm not saying don't tinker - and I think it's great that you have 15+ years of experience with Linux. I'm sure that if you really get locked out you won't be the type opposed to soldering on UART jumpers to the pads on the PCB -- but that's not "normal use case" and something we can't guarantee. 

    We just don't want to give the wrong impression to a newcomer that's a complete Linux beginner, because unlike a full fledged PC - the Bash Bunny isn't as easy for everyone to fix should it get completely bricked. Hell, I'm no Linux noob and even I can hose a system with DD. (note to self, IF= input file, OF= output file) ;-)

    In short, with root comes responsibility, and, in this case - if you brick it, you bought it.

    PS: The Bash Bunny has not been certified by the ADA as an adequate dental hygiene instrument.

    • Upvote 4
  4. This is an extension waiting to happen. I'd imagine DETECTOS would spit back version based on a scan. We're looking at building an AUTO_ETHERNET ATTACKMODE which will try ECM_ETHERNET then fail over to RNDIS_ETHERNET if the target does not obtain an IP in X seconds (or possibly the other way around). 

    nmap can do an OS scan, as can p0f (included in the firmware). I agree that this sort of extension would be really useful in having more complex and intelligent payloads that make decisions based on various conditions including OS version. I'm keen on seeing its development.

    PoSHMagiC0de is correct that it could be done via powershell commands - though I think the less hacky way would be to scan the target via the pocket network in the first stage, then launch the appropriate second stage depending on the results.

    • Upvote 1
  5. Introducing Bash Bunny firmware v1.1
    A feature-packed firmware awaits Bash Bunny users just one month after release. We're excited to announce version 1.1, including many new features, conveniences, bug fixes and refined experiences.

    The newly improved LED command adds patterns in addition to variable blinks, as well as standardized payload states for common stages such as setup, attack, cleanup and finish.

    The Bash Bunny framework now includes support for extensions which augment the bunny scripting language with new commands and functions.

    Tools can now be installed with ease by copying .deb packages or entire directories to the dedicated /tools folder on the flash drive in arming mode.

    Updating ducky languages is now just a matter of copying json files to the dedicated /languages folder on the flash drive in arming mode.

    Many more features, fixes and experiences in the full changelog - so hop on over to BashBunny.com/downloads and nab version 1.1 today! (\_/)


    • Upvote 12
  6. One solution would be to use HID only in stage 1, then switch from HID to just STORAGE in stage 2.

    Not knowing what payload you're referring to I'm not sure exactly what the stager would look like - so if you can provide any insight on that it would be helpful. 


    • Upvote 1
  7. Wow - bringing it back to the USB Switchblade days. Sure, one could. CD-ROM emulation is on the list - though unless you're encountering unpatched XP systems in your audits, it's likely not going to be too helpful. 

    ...then again... /me counts the XP boxes he's seen in the last two weeks... 

  8. Wow. That's some innovative thinking. I take it your idea is about "priming" the Bash Bunny with juice to boot so that when it's finally inserted into the target - it's already alive and kicking - ready to take names... 

    Yeah - that seems pretty wicked. I could imagine a USB Y cable and a payload which monitors "dmesg" before launching. 

    • Upvote 1
  9. The Bash Bunny differs from the USB Rubber Ducky in a number of ways.

    While it's compatible with Ducky Script and supports a HID attack mode, that's only one of the 5 current attack vectors it supports.

    The USB Rubber Ducky is capable of executing payloads faster than the Bash Bunny (0.1 seconds vs 7 seconds).

    It's also more economical (less than half the cost thanks to economies of scale).

    And very importantly, the USB Rubber Ducky is far more covert (with its generic flash drive case).

    For social engineering ops, USB drops and attacks which require the target to plug in the drive, I'd say the USB Rubber Ducky will continue to be the gold standard.

    But don't take my word for it - just ask the CIA ;) #HarpyEagle https://wikileaks.org/ciav7p1/cms/page_20873532.html

    • Upvote 2
  10. So there are two parts to your query - and I love them both. This the sort of creative thinking that I'm all about. :) 

    So, as for profiling a target, the ways I've considered outside the long and tedious way (nmap -O --fuzzy $TARGET_IP) is to use p0f (pre-installed). 

    Another similar thought exercise is to determine whether or not a specific Ethernet attack mode was successful, and failing that switch to another. For example, first register as RNDIS - and if after N seconds the BB doesn't receive a DHCP client - switch to ECM. Now, that doesn't provide an OS fingerprint - but certain assumptions can be made. I have noticed RNDIS to be successful on most Windows and Linux machines while ECM is more prevalent on Mac, Linux and "other" (Android, Chrome) 


    Regarding off-site transmission in switch 2 after successfully exfiltrating files from your target, I believe there are many possibilities - especially if the "drop box" is preconfigured to recognize the Bash Bunny. For instance, another embedded Linux machine with either a tunneled Internet connection or a large encrypted disk drive would be an ideal platform to immediately recognize and offload data from the Bash Bunny via SCP. 

    Similarly there's no reason why the "loot" folder on the BB can't be encrypted. 

    Anyway - just tossing fuel on the fire. Eager to hear everyone's remarks. Cheers! 
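
    The two decision steps sketched in posts 4 and 10 above (wait for the target to take a DHCP lease on one Ethernet attack mode, fall back to the other if it doesn't, then pick a second stage from a p0f verdict), written out as an added example. This is not code from the thread or from the Bash Bunny firmware. Assumptions that the thread does not confirm: that the Bunny's DHCP server is dnsmasq with its lease file at /var/lib/misc/dnsmasq.leases, that p0f is run as "p0f -i usb0 -o <log>" and writes its usual pipe-delimited log lines, and that second stages live in directories named stage2-<class>. The mode switch is passed in as a function so the fail-over logic can be exercised offline; on a real Bunny that function would wrap ATTACKMODE.

```shell
#!/bin/bash
# Added example (not from the thread or the Hak5 firmware).
# Assumed paths and formats (see lead-in):
#   lease file : /var/lib/misc/dnsmasq.leases, lines "<expiry> <mac> <ip> <host> <client-id>"
#   p0f log    : "p0f -i usb0 -o <log>", lines "[ts] mod=syn|cli=IP/port|...|os=Windows 7 or 8|..."

# wait_for_lease LEASEFILE TIMEOUT
# Poll the lease file once a second; print the first client IP and return 0,
# or return 1 if no lease appears within TIMEOUT seconds.
wait_for_lease() {
    local leasefile=$1 timeout=$2 elapsed=0 ip
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -s "$leasefile" ]; then
            ip=$(awk 'NR==1 {print $3}' "$leasefile")
            if [ -n "$ip" ]; then
                printf '%s\n' "$ip"
                return 0
            fi
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# auto_ethernet LEASEFILE TIMEOUT SWITCH_FN MODE...
# The AUTO_ETHERNET idea: switch to each mode in turn and wait for a lease.
# SWITCH_FN is called with the mode name (a wrapper around ATTACKMODE on the
# Bunny). Prints "<mode> <ip>" for the first mode that gets a client.
auto_ethernet() {
    local leasefile=$1 timeout=$2 switch=$3 mode ip
    shift 3
    for mode in "$@"; do
        "$switch" "$mode" || return 1
        if ip=$(wait_for_lease "$leasefile" "$timeout"); then
            printf '%s %s\n' "$mode" "$ip"
            return 0
        fi
    done
    return 1
}

# p0f_os_class LOGFILE CLIENT_IP
# Take the newest p0f "os=" verdict for CLIENT_IP and reduce it to a coarse
# class the payload can branch on: windows | linux | mac | unknown.
p0f_os_class() {
    local logfile=$1 client=$2 os
    os=$(grep -F "cli=${client}/" "$logfile" 2>/dev/null \
         | tail -n 1 \
         | sed -n 's/.*|os=\([^|]*\)|.*/\1/p')
    case "$os" in
        Windows*)    echo windows ;;
        Linux*)      echo linux ;;
        "Mac OS X"*) echo mac ;;
        *)           echo unknown ;;
    esac
}

# choose_stage OSCLASS -> second-stage directory name (hypothetical layout)
choose_stage() {
    case "$1" in
        windows|linux|mac) echo "stage2-$1" ;;
        *)                 echo "stage2-generic" ;;
    esac
}

# --- Offline demonstration with constructed data (not captured from a device) ---
demo_dir=$(mktemp -d)
lease="$demo_dir/dnsmasq.leases"
p0flog="$demo_dir/p0f.log"

# Fake ATTACKMODE: RNDIS produces no lease, ECM "succeeds" by writing one.
fake_attackmode() {
    : > "$lease"
    [ "$1" = "ECM_ETHERNET" ] && echo "1490000000 00:11:22:33:44:55 172.16.64.10 target-host 01:00:11:22:33:44:55" > "$lease"
    return 0
}
# Constructed p0f log line in the -o format assumed above
printf '%s\n' "[2017/03/23 10:00:01] mod=syn|cli=172.16.64.10/49152|srv=172.16.64.1/22|subj=cli|os=Windows 7 or 8|dist=0|params=none|raw_sig=4:128+0:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0" > "$p0flog"

result=$(auto_ethernet "$lease" 2 fake_attackmode RNDIS_ETHERNET ECM_ETHERNET)
mode=${result%% *}
ip=${result##* }
class=$(p0f_os_class "$p0flog" "$ip")
echo "mode=$mode ip=$ip os=$class stage=$(choose_stage "$class")"
rm -rf "$demo_dir"
```

    On a Bunny the same functions would be driven from payload.txt with the real lease file, a switch function that calls ATTACKMODE, and "p0f -i usb0 -o" started before the wait; the timeout is the "N seconds" in the post and is the main thing to tune per target, since a slow host will look like a failed mode if it is set too low.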

  11. As the project progresses we're going to find dependencies that might be best to bake into the firmware. This is one of them. The install script expects an Internet connection. I skipped this in the episode for time. I expect to be doing more in depth style screencasts on stuff like this soon. 

    • Upvote 3
  12. We're very conservative when it comes to our estimates and cutoff times. We were actually fulfilling BB orders well after the notice was put up. I don't have the exact date/time - but they're on track to be received on Friday so I very much expect them all to be going out the following Monday. Jayson and Sara at HakShop.com/contact could tell you more. Thanks for your patience and support! 

  13. 6 hours ago, peterkozmd said:

    BB should arrive tomorrow hopefully. Just curious when we will get a video tutorial guide for beginners?

    Tough to say. I had hoped to do so over the weekend. My next few days are going to involve 23 hours of flying and a lot of jetlag - so probably not until next week. 

    That said it's very simple and pretty well documented on the wiki. Oh, and we just did another Hak5 segment in it - so check out the show. 


  14. 2 hours ago, b0N3z said:

    Do you have to call for switch2 if you're already on switch2 for the attack?

    QUACK runs from payloads/ so switch2/ is relative to that. When payloads execute both switch1 and switch2 are in the $PATH. This is going to change to something a lot more obvious in the next release.

    Squish - I advise copying the contents of those texts into the main payload.txt and trying it from that (obviously prefixing each ducky script command with "QUACK ") -- then we'll know if that's what's causing the LED to go off early. If that's the case, we'll need to tidy that up.

  15. 12 minutes ago, b0N3z said:

    In your experience and use of the bunny, have you found a USB port that won't power the bunny enough to execute? I know this is also a new product so testing like this might not be available.

    I can't recall ever finding a USB port unable to provide 150-200 mA (1 watt). I'd be seriously concerned if there were any out there.

    2.5 watts is most common, with modern machines providing 5-10 watts.

    • Upvote 1