LowValueTarget

Everything posted by LowValueTarget

  1. Please see the official Hak5 tools sticky.

     It seems like quite a few folks are having some trouble getting impacket and responder installed since the firmware v1.1 update. Here is a dead simple script that you can run on your BashBunny to install the two most commonly used tools in the currently published payloads.

     Steps

     - Set up your BashBunny to share internet with your host machine, then SSH into the bunny.
     - Ensure it has an internet connection. I prefer a simple ping to 4.2.2.2
     - Run the following command

       ```
       curl -k https://scripts.10ninetysix.com/bb/git_impacket_responder.txt | sh
       ```

     The content of the script can be viewed below and at the following URL: https://scripts.10ninetysix.com/bb/git_impacket_responder.txt

     ```
     # Install git and create the tools directory
     apt-get update && apt-get install -y git
     mkdir -p /tools
     # Turn off TLS certificate verification for the git clones below
     export GIT_SSL_NO_VERIFY=1

     # Install Responder
     git clone https://github.com/lgandx/Responder.git /tools/responder

     # Install Impacket
     git clone https://github.com/CoreSecurity/impacket.git /tools/impacket
     cd /tools/impacket && python ./setup.py install
     ```

     Note: I believe Sebkinne is creating, or has created, .deb files for impacket and responder that will be easily installed by placing them in the USB storage /tools/ folder; however, those have yet to be released. I am guessing they will be released with the 1.2 firmware.
  2. If you use the payload from the master branch on github.com/hak5/bashbunny-payloads, then you do not need to modify the payload. It was updated a couple of days ago for use with v1.1.

     Regarding the bunny_helpers.sh, v1.1 uses extensions in lieu of bunny_helpers.sh since the update. The new payload should not reference bunny_helpers.sh.

     From the v1.1 changelog - https://storage.googleapis.com/bashbunny_updates/ch_fw_1.1-changelog.txt

     ```
     - Extensions
       - Extensions from the /payloads/library/extensions folder are sourced automatically for each payload.txt. and provide new Bunny Script capabilities.
       - Extensions replaces bunny_helpers.sh.
       - RUN - accepts OS and Command to execute for HID injection on various operating systems
         - RUN WIN "powershell -WindowStyle Hidden \"tree c:\\ > tree.txt\""
         - RUN OSX https://www.example.com
         - RUN UNITY ping -c2 172.16.64.1
         - RUN WIN notepad.exe replaces QUACK GUI r; QUACK DELAY 500; QUACK notepad.exe; QUACK ENTER
       - GET - exports system variables
         - Accepts TARGET_IP - exports $TARGET_IP for targets IP address
         - Accepts TARGET_HOSTNAME - exports $TARGET_HOSTNAME for targets hostname
         - Accepts HOST_IP - exports $HOST_IP for IP address of Bash Bunny
         - Accepts SWITCH_POSITION - exports $SWITCH_POSITION for current switch position
       - REQUIRETOOL - Exits payload with LED FAIL state if the specified tool is not found in /tools
       - DUCKY_LANG - Accepts two letter country code to set the HID injection language for subsequent ducky script / QUACK commands
     ```
  3. - Ensure you are actually on version 1.1 -- Look in your USB mass storage root for a version.txt file. If the file doesn't exist, you are not on v1.1.
     - Serial into your BB and ensure /tools/responder exists and the appropriate files exist in that folder.
     - Ensure you are using the latest QuickCreds payload. There is mention of v1.1 compatibility in the header.
     - Copy your payload to the desired switch, and everything should function just fine.
  4. The payload works fine for me on Win8, Win10. You could potentially pipe the output of this line to a file in the loot or payload folder: `python Responder.py -I usb0 $RESPONDER_OPTIONS &`
  5. Are you running v1.1 and did you run the impacket setup script? `cd /tools/impacket && python ./setup.py install`
  6. To install responder and impacket manually:

     - Copy the impacket and responder folders to the /tools folder on the root of the mass storage partition.
     - Unplug the BashBunny and plug it back in with the switch in Arming Mode. The folders will be automatically moved to the /tools folder on the OS partition of your BashBunny.
     - Serial into the BashBunny, change directory, `cd /tools/impacket` and run `python ./setup.py install`

     Responder and impacket are successfully installed.
  7. Localized SMB Powershell delivery. For when USB and Web methods are disabled or too noisy. https://github.com/hak5/bashbunny-payloads/pull/172
  8. I noticed that behavior sometimes. Sebkinne may have a solution or at least some insight.
  9. Be sure you are throwing the tar.gz file on the BB and not the extracted contents.
  10. Updated QuickCreds for v1.1 https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/credentials/QuickCreds
  11. http://wiki.bashbunny.com/#!downloads.md Re-read that carefully. If it's still not working, provide more details of where it fails, what you've done, etc. and I'm sure someone will be able to help out.
  12. That means you're probably not on the latest version. Make sure your firmware tarball hash matches the provided one on the download page. If your BB is acting like it's upgrading but ends up on a solid blue LED instead of a slowly blinking blue LED, your upgrade failed. Also, if there's no 'docs', 'tools' or 'languages' folder in your USB storage, you're not on the latest version.
  13. There should be a version.txt file in the root of the USB storage.
  14. Don't worry about the payloads. All previous payloads should work. As far as I could tell, all LED statuses may not work; those that combine colors (e.g. LED R B). Everything else seemed to work fine. I updated my payload and pull request to make it more 'compatible' with the new firmware.
  15. You can simply take the contents of the tools_to_install folder in the tools_install payload. You'll have this directory structure on your bash bunny (USB Storage):

      ```
      tools -->
          ./responder/
          ./impacket/
      ```

      Safely eject, make sure the device is in arming mode and insert. The BB will automatically copy the contents of the folder to /tools/. If you throw a deb in there, it will run `dpkg -i <your deb files>`
  16. What does a solid blue light after the red blinking light mean? EDIT: Assuming that means it failed. I believe the file wasn't 100% copied.
  17. Demmsec looks to have submitted a pull request that may help https://github.com/hak5/bashbunny-payloads/pull/135/files
  18. The benefit of this approach, depending on the Powershell command, is that nothing ever touches disk and it's a little lower profile than attaching a USB mass storage drive to the computer. Hell, there may even be GP that disables that. Grabbing the script from the web server is essentially the same as grabbing it from the mass storage, right? There are multiple ways of accomplishing this, however "web" delivery is tried and true and not reliant on mass storage.

      Speed Scenario: You have a unicorn-encoded payload you want to execute. Instead of waiting for the entire payload to be typed out on the victim (~7K of text), you just have the HID type out the ~238 bytes of text and go.
  19. Also, don't forget to check the pull requests - https://github.com/hak5/bashbunny-payloads/pulls
  20. Going through the forums looking for payloads is not always the easiest. I made a quick list for myself of the payload discussions I could find on the first 5 pages for the Bash Bunny forums. Here's a list. If you're up for trying some, I'm sure the authors could use feedback, additional testing on hardware/software they may not have access to; efficiency improvements or bug reports. Feel free to reply and add more if I've missed any.

      - [PAYLOAD] DrumpCreds 2.0 ( SMB, w/o Internet, w/o USB Storage ) Discussion: https://forums.hak5.org/index.php?/topic/40582-payload-drumpcreds-20-smb-wo-internet-wo-usb-storage/
      - [PAYLOAD] Rick Roll Prank Discussion: https://forums.hak5.org/index.php?/topic/40579-payload-rickroll-prank/
      - [PAYLOAD] BrowserBunny Discussion: https://forums.hak5.org/index.php?/topic/40571-payload-browserbunny/
      - [PAYLOAD] SMB Exfiltrator Discussion: https://forums.hak5.org/index.php?/topic/40509-payload-smb-exfiltrator/
      - [PAYLOAD] USB_Exfiltrator Discussion: https://forums.hak5.org/index.php?/topic/40225-payload-usb_exfiltrator/
      - [PAYLOAD] MrRobot Discussion: https://forums.hak5.org/index.php?/topic/40524-payload-mrrobot/
      - [PAYLOAD] Android Open URL (Unlocked) Discussion: https://forums.hak5.org/index.php?/topic/40565-payload-android-open-url-unlocked/
      - [PAYLOAD] psh_DownloadExec Discussion: https://forums.hak5.org/index.php?/topic/40529-payload-psh_downloadexec/
      - [PAYLOAD] Rooter Discussion: https://forums.hak5.org/index.php?/topic/40561-payload-rooter/
      - [PAYLOAD] Ghost Cleanup Discussion: https://forums.hak5.org/index.php?/topic/40343-payload-ghost-cleanup/
      - [PAYLOAD] FTP Exfiltrator Discussion: https://forums.hak5.org/index.php?/topic/40492-payload-ftp-exfiltrator/
      - [PAYLOAD] dns_spoofer Discussion: https://forums.hak5.org/index.php?/topic/40487-payload-dns_spoofer/
      - [PAYLOAD] BrowserCreds Discussion: https://forums.hak5.org/index.php?/topic/40431-payload-browsercreds/
      - [PAYLOAD] ProxyInterceptor Discussion: https://forums.hak5.org/index.php?/topic/40476-payload-proxy-interceptor/
      - [PAYLOAD] WiFiCreds Discussion: https://forums.hak5.org/index.php?/topic/40413-payload-wificreds/
      - [PAYLOAD] QuickCreds Discussion: https://forums.hak5.org/index.php?/topic/40226-payload-quickcreds/
      - [PAYLOAD] DuckToolKit + Languages Discussion: https://forums.hak5.org/index.php?/topic/40444-payload-ducktoolkit-languages/
      - [PAYLOAD] PasswordGrabber Discussion: https://forums.hak5.org/index.php?/topic/40437-payload-passwordgrabber/
      - [PAYLOAD] Chrome Creds Discussion: https://forums.hak5.org/index.php?/topic/40387-dumping-chrome-creds-completely-in-memory-using-powershell/
  21. What are your thoughts on a subforum for new/updated payloads only? People seem to be creating quite a few payloads, and pull requests seem to be quite slow to get reviewed/merged. I suggest a subforum, e.g. `Home > Active Projects > Bash Bunny > Payload Discussion` for people to post new payload threads which will allow forum visitors to easily find and try new payloads and provide input before Github merges. Support, features suggestions, etc can stay in the parent forum.
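
Post 1 pipes a script fetched with `curl -k` straight into `sh`, and post 12 says to compare the firmware tarball hash with the one on the download page. The following is an added example, not part of the original posts or any Hak5 tooling, of checking a SHA-256 before running or flashing a file; the function names and the placeholder arguments in the closing comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original posts): check a file's SHA-256
# against a published value before running or flashing it.

# sha256_of FILE -> prints the lowercase hex digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # macOS / BSD hosts
    fi
}

# verify_sha256 FILE EXPECTED
# returns 0 on match, 1 on mismatch, 2 on unusable input
verify_sha256() {
    vs_file=$1
    vs_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$vs_file" ] || { echo "no such file: $vs_file" >&2; return 2; }
    # The expected value must be exactly 64 hex characters
    case $vs_want in
        *[!0-9a-f]*) echo "expected hash is not hex" >&2; return 2 ;;
    esac
    [ "${#vs_want}" -eq 64 ] || { echo "expected hash is not 64 chars" >&2; return 2; }
    vs_have=$(sha256_of "$vs_file")
    [ "$vs_have" = "$vs_want" ] && return 0
    echo "SHA-256 mismatch for $vs_file" >&2
    echo "  expected $vs_want" >&2
    echo "  actual   $vs_have" >&2
    return 1
}

# run_verified FILE EXPECTED -> runs FILE with sh only if the hash matches
run_verified() {
    verify_sha256 "$1" "$2" || return $?
    sh "$1"
}

# Typical use on the host (placeholders, fill in from the publisher):
#   curl -fsSLo install.sh "<script URL>"        # no -k: keep TLS checks on
#   run_verified install.sh "<published sha256>"
#   verify_sha256 "<firmware tarball>" "<hash from the download page>"
```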