Everything posted by LowValueTarget

  1. This would be much easier if the BB allowed Host Mode configuration. You could easily use ADB or MTP to grab files. I would look at the android section of the payload repo. Demmsec has a payload that pushes a payload to a FireTV via remote ADB.
  2. https://security.stackexchange.com/questions/72005/are-there-any-ways-to-leverage-ntlm-v2-hashes-during-a-penetration-test
  3. If you put responder in the /tools folder of the USB storage, it will automatically get copied to /tools on the BB OS partition when you plug it in, in arming mode the next time. Normal behavior.
  4. I haven't figured this out yet. I haven't had the time. I am going to put in a feature request on the Github site so Seb or Darren can take a look.
  5. With the v1.1 firmware, you should now be able to use 'RUN WIN powershell.....'. If you are not wanting to put the duckyscript in a separate file, which is generally recommended when you have more than a few lines, I would create a payload that opens notepad and types a few lines to see where you are having issues. Keep in mind that the STRING you are printing is interpreted by BASH prior to being fed to the HID device. First guess without trying anything is that you don't need to escape the single quote after 'downloadstring'.
  6. Unicorn hasn't failed me yet when obfuscating powershell.
  7. As far as I understand at the moment, when the BB is plugged into a host machine, and is acting as an ethernet adapter (RNDIS_ETHERNET, ECM_ETHERNET), it generally registers as the fastest (2GBps) and defaults to the primary interface. That being said, when the BB is the primary interface, it does not have internet access, nor does the host machine utilizing it. What payload are you working with that is having issues? Is it a custom payload? Can you share it?
  8. Check this out too -- may be double work https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/android/open_url
  9. Cool payload, here's a couple of suggestions. Put the key commands in a text file under a folder called phones. This will allow someone else to modify the payload for numerous other phones, e.g. phones/nexus9_v7.0.txt, phones/galaxys7_v7.0.txt. Use the bash bunny as an ethernet device and pull the payload from a webserver there, so you don't rely on any external infrastructure. Good stuff! One more note, you could start and try the adb method in case the phone has USB debugging enabled. If not, you can fall back to the key commands. I am working on a similar payload for android, but it doesn't have to do with apk's.
  10. Please see the official Hak5 tools sticky.

      It seems like quite a few folks are having some trouble getting impacket and responder installed since the firmware v1.1 update. Here is a dead simple script that you can run on your BashBunny to install the two most commonly used tools in the currently published payloads.

      Steps

        1. Set up your BashBunny to share internet with your host machine, then SSH into the bunny.
        2. Ensure it has an internet connection. I prefer a simple ping to
        3. Run the following command:

               curl -k https://scripts.10ninetysix.com/bb/git_impacket_responder.txt | sh

      The content of the script can be viewed below and at the following URL: https://scripts.10ninetysix.com/bb/git_impacket_responder.txt

          apt-get update && apt-get install -y git
          mkdir -p /tools
          export GIT_SSL_NO_VERIFY=1

          # Install Responder
          git clone https://github.com/lgandx/Responder.git /tools/responder

          # Install Impacket
          git clone https://github.com/CoreSecurity/impacket.git /tools/impacket
          cd /tools/impacket && python ./setup.py install

      Note: I believe Sebkinne is creating, or has created, .deb files for impacket and responder that will be easily installed by placing them in the USB storage /tools/ folder, however those have yet to be released. I am guessing they will be released with the 1.2 firmware.
  11. If you use the payload from the master branch on github.com/hak5/bashbunny-payloads, then you do not need to modify the payload. It was updated a couple of days ago for use with v1.1.

      Regarding the bunny_helpers.sh, v1.1 uses extensions in lieu of bunny_helpers.sh since the update. The new payload should not reference bunny_helpers.sh.

      From the v1.1 changelog - https://storage.googleapis.com/bashbunny_updates/ch_fw_1.1-changelog.txt

      - Extensions
        - Extensions from the /payloads/library/extensions folder are sourced automatically for each payload.txt. and provide new Bunny Script capabilities.
        - Extensions replaces bunny_helpers.sh.
        - RUN - accepts OS and Command to execute for HID injection on various operating systems
          - RUN WIN "powershell -WindowStyle Hidden \"tree c:\\ > tree.txt\""
          - RUN OSX https://www.example.com
          - RUN UNITY ping -c2
          - RUN WIN notepad.exe replaces QUACK GUI r; QUACK DELAY 500; QUACK notepad.exe; QUACK ENTER
        - GET - exports system variables
          - Accepts TARGET_IP - exports $TARGET_IP for targets IP address
          - Accepts TARGET_HOSTNAME - exports $TARGET_HOSTNAME for targets hostname
          - Accepts HOST_IP - exports $HOST_IP for IP address of Bash Bunny
          - Accepts SWITCH_POSITION - exports $SWITCH_POSITION for current switch position
        - REQUIRETOOL - Exits payload with LED FAIL state if the specified tool is not found in /tools
        - DUCKY_LANG - Accepts two letter country code to set the HID injection language for subsequent ducky script / QUACK commands
  12. Ensure you are actually on version 1.1 -- look in your USB mass storage root for a version.txt file. If the file doesn't exist, you are not on v1.1. Serial into your BB and ensure /tools/responder exists and the appropriate files exist in that folder. Ensure you are using the latest QuickCreds payload. There is mention of v1.1 compatibility in the header. Copy your payload to the desired switch, and everything should function just fine.
  13. The payload works fine for me on Win8, Win10. You could potentially pipe the output of this line to a file in the loot or payload folder: `python Responder.py -I usb0 $RESPONDER_OPTIONS &`
  14. Are you running v1.1 and did you run the impacket setup script? `cd /tools/impacket && python ./setup.py install`
  15. To install responder and impacket manually: Copy the impacket and responder folders to the /tools folder on the root of the mass storage partition. Unplug the BashBunny and plug it back in with the switch in Arming Mode. The folders will be automatically moved to the /tools folder on the OS partition of your BashBunny. Serial into the BashBunny, change directory with `cd /tools/impacket`, and run `python ./setup.py install`. Responder and impacket are successfully installed.
  16. Localized SMB Powershell delivery. For when USB and Web methods are disabled or too noisy. https://github.com/hak5/bashbunny-payloads/pull/172
  17. I noticed that behavior sometimes. Sebkinne may have a solution or at least some insight.
  18. Be sure you are throwing the tar.gz file on the BB and not the extracted contents.
  19. Updated QuickCreds for v1.1 https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/credentials/QuickCreds
  20. http://wiki.bashbunny.com/#!downloads.md re-read that carefully. If it's still not working, provide more details of where it fails, what you've done, etc. and I'm sure someone will be able to help out.
  21. That means you're probably not on the latest version. Make sure your firmware tarball hash matches the provided one on the download page. If your BB is acting like it's upgrading but ends up on a solid blue LED instead of a slowly blinking blue LED, your upgrade failed. Also, if there's no 'docs', 'tools' or 'languages' folder in your USB storage, you're not on the latest version.
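
The upgrade checks mentioned in posts 12, 18 and 21 above, collected into one script as an added example that is not part of the original posts. The function names, the script name in the usage line and the choice of SHA-256 are assumptions; the posts only say "hash".

```shell
#!/bin/sh
# Added example (not from the posts). Assumption: the published hash is SHA-256.

sha256_of() {   # print the SHA-256 of a file with whichever tool is installed
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# check_tarball FILE EXPECTED: 0 if FILE is a .tar.gz whose digest is EXPECTED.
check_tarball() {
    case "$1" in
        *.tar.gz) ;;
        *) echo "not a .tar.gz: copy the tarball, not its extracted contents"
           return 2 ;;
    esac
    [ -f "$1" ] || { echo "no such file: $1"; return 2; }
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    if [ "$actual" = "$expected" ]; then
        echo "hash OK"
    else
        echo "hash MISMATCH: got $actual"
        return 1
    fi
}

# check_storage ROOT: 0 if the USB storage root has the post-upgrade layout.
check_storage() {
    rc=0
    [ -f "$1/version.txt" ] || { echo "version.txt missing: not on v1.1"; rc=1; }
    for d in docs tools languages; do
        [ -d "$1/$d" ] || { echo "$d/ missing: not on the latest version"; rc=1; }
    done
    return "$rc"
}

# Usage: sh bb_check.sh FIRMWARE.tar.gz EXPECTED_SHA256 /path/to/usb/storage
if [ "$#" -eq 3 ]; then
    check_tarball "$1" "$2" && check_storage "$3"
fi
```

Run the tarball check before copying the firmware to the device and the storage check after the upgrade finishes; a non-zero exit status means one of the conditions described in the posts was not met.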