LowValueTarget
Posts posted by LowValueTarget
-
-
Take a step back and think about what you are asking.
Ask it this way -- "Am I able to accomplish this with a keyboard, a mouse, a network-accessible Linux computer, a serial device, a USB Ethernet adapter and a thumb drive?"
-
Short Answer: No (not that I am aware of)
Long Answer: The BashBunny is not some magic hacking device. Think of it this way. If you have a Linux computer, a USB flash drive, a USB keyboard, a USB Ethernet adapter, and a USB serial device, would you be able to accomplish what you are trying to accomplish? That's basically what the BashBunny is, with automation capabilities.
Theoretical: You might be able to use responder to get a password hash from the target, then crack it or pass it to the victim assuming they aren't using SMBV2 and have SMB file sharing enabled. Even then, you'd be limited to file location if the user is not an Administrator.
-
Like Unixnerd777 said, use SMB, FTP, HTTP, or some other delivery device and forego the storage method.
-
Take a look at the following payload. It sets up a FireTV (android device) to download and install an APK.
https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/android/fireytv
- 1
-
There's a payload floating around that uses adb remote to connect to an android device.
Based on my ideas, there's really not much you can do until BashBunny gets USB host support. I have an idea that will try ADB (assuming the victim phone has USB Debugging enabled) first, then fallback to MTP if ADB is not enabled. This would allow relatively plug-n-play exfil of user data.
- 1
-
Yes, as of 1.3 I believe.
-
In your payload.txt, you can remove about 10 lines and replace it with one.
https://gist.github.com/hink/a8b57d16234042e5adc0182e5e1779c7
GET SWITCH_POSITION
takes care of the logic of finding the switch position for you. It's a default extension.
-
5 minutes ago, Dice said:
Worked like a charm!
Really appreciated.
Editing the quote as well.
Copying this link to the other topic if you don't mind.
That's perfectly fine.
Glad to hear it.
- 1
-
48 minutes ago, Dice said:
Is there another way to install these tools I am unaware of?
TIA
./Dice
You could always clone the git repos on your local device, copy them to the /tools folder on the BB USB storage, and plug the device into power in arming mode. This will copy all the files from /tools on usb storage to /tools on the BB system partition. If you wanted to complete the install, you could ssh/screen into the bunny and run the ./setup.py from the CLI.
-
47 minutes ago, Dice said:
Thanks @LowValueTarget
If I use the curl command I get there is no such file
root@bunny:~# curl -k https://scripts.10ninetysix.com/bb/git_impacket_responder.py | sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 162 100 162 0 0 303 0 --:--:-- --:--:-- --:--:-- 303
sh: 1: cannot open html: No such file
sh: 2: Syntax error: redirection unexpected
I can resolve :
root@bunny:~# ping scripts.10ninetysix.com
PING finch.10ninetysix.com (45.55.208.70) 56(84) bytes of data.
64 bytes from 45.55.208.70: icmp_seq=1 ttl=50 time=149 ms
64 bytes from 45.55.208.70: icmp_seq=2 ttl=50 time=172 ms
Browsing to the page on my laptop to the bb folder gives me a 403 error; if I try to save the .py file manually I get 404
My mistake -- the extension is .txt -- edited the original post.
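The errors in the quoted session come from piping the server's response straight into sh: without -f, curl exits 0 on a 404 and the HTML error page is what the shell tries to run. The following is an added example, not part of the original posts, of fetching to a file and checking a pinned SHA-256 before executing; fetch_script and run_verified are hypothetical helper names, and the expected hash is assumed to be obtained out of band.

```shell
#!/bin/sh
# Added example: download an installer script to disk and verify it
# before running it, instead of `curl -k ... | sh`.

# fetch_script <url> <dest>
# -f makes curl fail on HTTP errors (403/404) instead of saving the error
# page; -k is omitted so the TLS certificate is validated.
fetch_script() {
    curl -fsSL --proto '=https' -o "$2" "$1"
}

# run_verified <file> <expected_sha256>
# Runs the file with sh only if it exists, is non-empty and its digest
# matches the pinned value. Returns 2 (missing/empty) or 3 (mismatch).
run_verified() {
    file="$1"
    expected="$2"
    [ -s "$file" ] || { echo "refusing: empty or missing file" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "refusing: sha256 mismatch (got $actual)" >&2
        return 3
    fi
    sh "$file"
}

# Typical use (URL and hash are placeholders):
#   fetch_script "https://example.invalid/install.txt" /tmp/install.txt \
#     && run_verified /tmp/install.txt "<pinned sha256>"
```

With this pattern a 404 page never reaches the shell: curl fails first, and even a saved error page would not match the pinned digest.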
-
Bumping this to the top for visibility -- it seems that people are still needing assistance.
-
On 5/6/2017 at 2:55 AM, PoSHMagiC0de said:
Hey there. Been exploring the inner workings of the Bunny more like what version the packages are at. I have one request after my deep dive. Could we get the NodeJS package on the Bunny updated to a more current version? I am feeling NodeJS more for writing my network apis for the Bunny. Would be nice to have the newer stuff.
You could always download the source and compile locally on the bunny.
-
bb.sh never worked for me. Here's a simple script I made to make it work for me
#!/bin/bash
ifconfig $2 172.16.64.64 netmask 255.255.255.0
iptables -X
iptables -F
iptables -A FORWARD -i $1 -o $2 -s 172.16.64.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Then I just feed it the wan iface and lan iface
sh ./bbshare.sh eth0 eth1
- 1
-
This could easily be an extension -- WAIT_FOR_IP
-
From the changelog
- User configuration file
  - A config.txt is now found on the root of the Bash Bunny's storage partition
  - This config.txt is sourced before payloads are executed, allowing global configurations
  - By default the DUCKY_LANG command is run to set the keyboard to 'us'.
  - NOTE: settings in config.txt will be overwritten if a payload decides to do so
  - NOTE: config.txt will currently not survive factory resets or firmware upgrades. This will change in the future
-
-
This would be much easier if the BB allowed Host Mode configuration. You could easily use ADB or MTP to grab files.
I would look at the android section of the payload repo. Demmsec has a payload that pushes a payload to a FireTV via remote ADB.
- 1
-
If you put responder in the /tools folder of the USB storage, it will automatically get copied to /tools on the BB OS partition when you plug it in, in arming mode the next time.
Normal behavior.
- 1
-
1 hour ago, viperguy07 said:
Did you figure this out? This would make life better.
I haven't figured this out yet. I haven't had the time. I am going to put in a feature request on the Github site so Seb or Darren can take a look.
-
This has been merged with the Hak5 repository.
-
With the v1.1 firmware, you should now be able to use 'RUN WIN powershell.....'.
If you are not wanting to put the duckyscript in a separate file, which is generally recommended when you have more than a few lines, I would create a payload that opens notepad and types a few lines to see where you are having issues. Keep in mind that the STRING you are printing is interpreted by BASH prior to being fed to the HID device.
First guess without trying anything is that you don't need to escape the single quote after 'downloadstring'
-
On 4/12/2017 at 5:17 AM, RazerBlade said:
Someone has suggested to use Unicorn: https://github.com/trustedsec/unicorn to avoid AV. Something people can also try is to incorporate Nishang/Powersploit AV bypass by encoding the payload. Read-Only storage is coming I think in the next firmware which will block AV from removing the files.
Unicorn hasn't failed me yet when obfuscating powershell.
-
As far as I understand at the moment, when the BB is plugged into a host machine, and is acting as an ethernet adapter (RNDIS_ETHERNET, ECM_ETHERNET), it generally registers as the fastest (2GBps) and defaults to the primary interface. That being said, when the BB is the primary interface, it does not have internet access, nor does the host machine utilizing it.
What payload are you working with that is having issues? Is it a custom payload? Can you share it?
-
[PAYLOAD-UPDATE] psh_DownloadExecSMB
in Payloads
Posted
I've updated my psh_DownloadExecSMB payload to allow for exfiltration.
psh_DownloadExecSMB will take any powershell payload, execute it and alert via green LED when it's completed. All file transfers happen over SMB to the Bash Bunny.
In order to exfil data, have your powershell payload upload to \\172.16.64.1\s\l\ -- this will be copied to the BB as loot.
Bonus: Because this payload uses SMB, any captured SMB credentials will be stored as loot.
My Repo: https://github.com/hink/bashbunny-payloads/tree/payload/pshExecFixes/payloads/library/execution/psh_DownloadExecSMB
Pull Request: https://github.com/hak5/bashbunny-payloads/pull/268