Posts posted by LowValueTarget

  1. I remember talk a while ago about potentially adding a HOST attack mode where the bash bunny would essentially become a USB host.

    This would facilitate attacks on phones and other devices that normally act as USB clients. Has there been any progress made on this front?

  2. I've updated my psh_DownloadExecSMB payload to allow for exfiltration.

    psh_DownloadExecSMB will take any powershell payload, execute it and alert via green LED when it's completed. All file transfers happen over SMB to the Bash Bunny.

    In order to exfil data, have your powershell payload upload to \\\s\l\ -- this will be copied to the BB as loot.

    Bonus: Because this payload uses SMB, any captured SMB credentials will be stored as loot.

    My Repo: https://github.com/hink/bashbunny-payloads/tree/payload/pshExecFixes/payloads/library/execution/psh_DownloadExecSMB

    Pull Request: https://github.com/hak5/bashbunny-payloads/pull/268

  3. I've updated one of my payloads recently that might be able to help out.

    Check out https://github.com/hak5/bashbunny-payloads/pull/268 (it hasn't been merged yet) for an updated psh_DownloadExecSMB.

    psh_DownloadExecSMB essentially runs a powershell payload from the BB using SMB. Because it's using SMB, it makes it trivial to exfil data. Also, since the powershell payload is abstracted from the BB payload, your possibilities are endless.

    The payload waits for the powershell to complete, and then changes the LED green.

    If you want to exfil data, put that corresponding powershell in p.txt and upload to \\\s\l\ -- this will be copied to the BB as loot.

  4. Short Answer: No (not that I am aware of)

    Long Answer: The BashBunny is not some magic hacking device. Think of it this way. If you have a linux computer, a USB flash drive, a USB keyboard, a USB ethernet adapter, and a USB serial device, would you be able to accomplish what you are trying to accomplish? That's basically what the bashbunny is, with automation capabilities.

    Theoretical: You might be able to use responder to get a password hash from the target, then crack it or pass it to the victim assuming they aren't using SMBV2 and have SMB file sharing enabled. Even then, you'd be limited to file location if the user is not an Administrator.

  5. There's a payload floating around that uses adb remote to connect to an android device.

    Based on my ideas, there's really not much you can do until BashBunny gets USB host support. I have an idea that will try ADB (assuming the victim phone has USB Debugging enabled) first, then fallback to MTP if ADB is not enabled. This would allow relatively plug-n-play exfil of user data.

  6. 48 minutes ago, Dice said:

    Is there another way to install these tools I am unaware of?



    You could always clone the git repos on your local device, copy them to the /tools folder on the BB USB storage, and plug the device into power in arming mode. This will copy all the files from /tools on usb storage to /tools on the BB system partition. If you wanted to complete the install, you could ssh/screen into the bunny and run the ./setup.py from the CLI.

  7. 47 minutes ago, Dice said:

    Thanks @LowValueTarget


    If I use the curl command I get there is no such file

    root@bunny:~# curl -k https://scripts.10ninetysix.com/bb/git_impacket_responder.py | sh
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   162  100   162    0     0    303      0 --:--:-- --:--:-- --:--:--   303
    sh: 1: cannot open html: No such file
    sh: 2: Syntax error: redirection unexpected


    I can resolve:

    root@bunny:~# ping scripts.10ninetysix.com
    PING finch.10ninetysix.com ( 56(84) bytes of data.
    64 bytes from icmp_seq=1 ttl=50 time=149 ms
    64 bytes from icmp_seq=2 ttl=50 time=172 ms



    Browsing to the page on my laptop to the bb folder gives me a 403 error; if I try to save the .py file manually I get 404.



    My mistake -- the extension is .txt -- edited the original post.
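
The failure quoted above came from piping a 162-byte HTML error page straight into `sh`. As an added example (not part of the original posts), this sketch checks a download before it reaches a shell; the function names and the pinned digest argument are assumptions, and certificate checking is left on rather than disabled with `-k`.

```shell
#!/bin/sh
# Added example, not code from the thread. All function names are hypothetical.

# looks_like_html FILE -> 0 if the first non-blank bytes look like markup
looks_like_html() {
    head -c 512 "$1" | tr -d ' \t\r\n' | head -c 64 \
        | grep -qiE '^(<!doctype|<html|<head|<\?xml)'
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 only if FILE is non-empty, is not an HTML error page,
# and matches the digest pinned by the caller.
verify_script() {
    file=$1
    expected=$2
    [ -s "$file" ] || { echo "empty download" >&2; return 1; }
    if looks_like_html "$file"; then
        echo "got an HTML page, not a script" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "digest mismatch" >&2; return 3; }
    return 0
}

# fetch_and_run URL EXPECTED_SHA256
# --fail makes curl exit non-zero on 403/404 instead of saving the error body.
fetch_and_run() {
    tmp=$(mktemp) || return 1
    if curl --fail --silent --show-error --location -o "$tmp" "$1" \
        && verify_script "$tmp" "$2"; then
        sh "$tmp"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```
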

  8. On 5/6/2017 at 2:55 AM, PoSHMagiC0de said:

    Hey there. Been exploring the inner workings of the Bunny more like what version the packages are at. I have one request after my deep dive. Could we get the NodeJS package on the Bunny updated to a more current version? I am feeling NodeJS more for writing my network apis for the Bunny. Would be nice to have the newer stuff.


    You could always download the source and compile locally on the bunny.

  9. 12 hours ago, Sebkinne said:

    Hot off the heels of 1.2 our brave little bunny is hopping into 1.3 with exciting new features and fixes!

    Full Changelog

    This is great! Two quick questions.

    1. Does ATTACKMODE OFF essentially turn the BB into a USB host?

    2. When using RNDIS_SPEED_XX, is RNDIS_ETHERNET a prerequisite, or are they mutually exclusive?



  10. bb.sh never worked for me. Here's a simple script I made to make it work for me.

    ifconfig $2 netmask
    iptables -X
    iptables -F
    iptables -A FORWARD -i $1 -o $2 -s -m state --state NEW -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A POSTROUTING -t nat -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward

    Then I just feed it the wan iface and lan iface

    sh ./bbshare.sh eth0 eth1


  11. From the changelog

    - User configuration file
      - A config.txt is now found on the root of the Bash Bunny's storage partition
      - This config.txt is sourced before payloads are executed, allowing global configurations
      - By default the DUCKY_LANG command is run to set the keyboard to 'us'.
      - NOTE: settings in config.txt will be overwritten if a payload decides to do so
      - NOTE: config.txt will currently not survive factory resets or firmware upgrades. This will change in the future

