Jump to content


Active Members
  • Content Count

  • Joined

  • Last visited

  • Days Won


Posts posted by uintdev

  1. For rooted, zANTI is good. zANTI 2 has a lot of nice functionality regarding MITM (including being able to modify requests and responses without a proxy). zANTI 3 kind of removes some features like the one I explicitly mentioned but adds in nmap integration (you can use nmap in Termux anyway, among other typical and popular packages that will not require root). Do note that I have not checked out the latest version being offered by default (if any newer was release ever since), so I have no idea how it is at the moment.

    There are other software out there which can have similar features or functionality on Android (all requiring root), but as far as I am aware, the ones I have in mind are long no longer supported by their developers since a very long time ago.


    For non-root, something like PortDroid might be of interest in regards to port scanning (presets, custom ranges) if you want a simple mobile UI rather than CLI, local network scanning, among other functionality.

    Want something for Bluetooth? BLE Scanner should be some good help. It is able to pick up on Bluetooth services, which when it comes to IoT device Bluetooth services, can involve a DFU (Device Firmware Upgrade) mode.

    There are Bluetooth serial 'shell' applications out there. Yup, even USB.

    For Bluetooth file management, Bluetooth File Manager is an old classic that has been updated a while back to work correctly with the latest version of Android (well.. before Android 11, anyway). I once used this to access the storage of a 'dumbphone' (of the SD card and some other files [not file system]) remotely.

    For SSH & MOSH, I use JuiceSSH. I found it to be the best application available on Android all around. I did try Termius (not Termux) but I did not find it to be worth using, especially with the monthly subscription.

    WiFi analysis? WiFiAnalyzer. Very detailed information about found access points, mentions vendors based on the beginning of each MAC address (the usual), vendor lookup, helps find the best channels to use (least busy within the range), graphs because why not. (WiGLE looks interesting, seeing that it maps out the networks..)

    Bonus app for WiFi analysis: 'Wi-Fi AR'. If you want a fancy way to visualise things such as where the access point signal is weakest. May or may not find it to be practical.

    For accessing an Android device via ADB, there is the app named 'Remote ADB Shell'. It does the job but it is not perfect and very limited (ADB shell only). For that reason, if possible, since you have Termux, you're *way* better off using something way more raw (it includes fastboot too -- I have not tested if USB functionality works at all.. I have only tested it with an Android Smart TV that allows wireless ADB): https://github.com/MasterDevX/Termux-ADB

    For a keyboard with full keys (ESC, CTRL, full arrow keys), the old "hacker's keyboard" will help out. It does not have that great of an appearance (gingerbread-ish), but when you need the additional buttons to do what you need to do like over SSH, you can quickly switch to it and back.

    If you do not mind using a Google service, Chrome Remote Desktop is very useful should you need to securely remote into your PC from anywhere.


    Not all of this can be used for out-right pen-testing, though they could be useful in specific cases.

    • Upvote 1
  2. To make this barebones as possible, here is a working example but in cURL (note: this is a POST request -- it checks if the CSRF cookie value matches up with what is POSTed):

    curl 'https://samperson.itch.io/desktop-goose/file/1957163' -H 'Cookie: itchio_token=a' --data-raw 'csrf_token=a'

    If successful, this would return a JSON response. This includes the key named 'url' and 'external'. The 'url' key will have a value containing the 'generated' valid URL to the download (it does expire). You would then use that URL to download the archive.

    Do note that as itch does use Cloudflare, it is possible for the request to be blocked due to missing headers such as the user agent.


    This is only one piece of the puzzle. As this is a USB Rubber Ducky, a script that does all of that either has to be typed out or you'll have to use the 'twin duck' firmware (for simultaneous [slow] mass storage) and create the software / script so that the payload is way more sped up (by directly executing it [on the USB Rubber Ducky] rather than typing it out).

  3. Bruteforcing hasn't really been effective since many major Android versions ago (bad attempts eventually adds on to the lock-out time).

    These days, user data on Android devices is encrypted with either full-disk or file-based encryption. When booting up and reaching the lock screen, you need to enter the pin or password to decrypt that data with the information you provided (hence why biometrics cannot be used at that stage). This means, unless you can figure out the correct code.. well.. just hope that Google helped out with backups.

  4. From my experience, not even formatting it to ext4 worked. As others had suggested, going in via SSH and using the 'reformat_usb' command did the trick. Although that resulted in me having to copy the upgrade file over as root to the flash drive on a standalone PC using a GNU/Linux distro (Virtualbox was being a little buggy with mounting the drive to begin with).

    Or just use the manual upgrade method for the WiFi Pineapple as suggested above. Less effort.

    • Like 1
  5. Update on this. rt3070 rt5370 rt28xx (Needs firmware v1.1.)


    • Upvote 1
  6. With a firmware update, it's technically possible. Although there might be limitations (i.e. storage being too small to install the appropriate kernel module(s)).
    Even if it was 100% possible to add such support without issues, would those who are developing for the Packet Bunny find it to be worth adding in for this specific product when it's mainly for USB mass storage?

  7. 8 hours ago, Dave-ee Jones said:

    Could you also convert it to Base64 so it's harder to identify as code for CMD/PS? Not sure if it would shorten it or not but it would probably lengthen the time of the whole payload..

    Having the string encoded with base64 would add on more characters to type out (including the base64 decode function).

    If I were to encode the PowerShell part (without the variables becoming an IP and a port number): it would be 458 characters long base64 decoded but 611 if base64 encoded (this includes escaping so it could be slightly shorter). This is without the function required to decode base64.


    I figured having it harder to read in a small window would be somewhat good enough (won't be in full view, goes by fast, Windows may lock up cursor during keyboard input).

    It's not like we're passing over a small binary file via netcat, so my question is if it would be worth adding in the extra steps.

  8. 47 minutes ago, Darren Kitchen said:

    minimum cmd "mode" is 18,1 -- at least on my systems. Also you can pre-load the obfuscation commands on line 39 with this

    cmd /K "mode 18,1 & color FE & cd C:\ & title "


    Minimum on mine was 15. Perhaps it's to do with the display configuration.

    The changes have been made in v0.1.3. I have to say, this one really gives it a boost.

    Thanks. :happy:

  9. 1 minute ago, Dave-ee Jones said:

    Yeah, so how does that affect the payload's functionality? Can you only run non-Admin commands remotely from the Bunny or can you run Admin commands while not in ADMIN mode? Bit more documentation there would be nice :)

    It should allow commands that would be admin-only sent from the BB to work.

    Pushed out v0.1.1. It uses the shortcut @Dave-ee Jones suggested for the UAC, ADMIN is now false by default, CMD background processes created as a result of the payload now close once done and delays have been shortened.

    If the newly set delays are too short, let me know and I'll try adjusting it to something reasonable.

    If you've used the previous version of the payload on a computer, check task manager and kill "Windows Command Processor" processes that were created by the payload if you want. They use up a little RAM.

  10. 8 hours ago, reubadoob said:

    This is pretty cool. 

    I haven't gone through the entire script yet but would this require leaving the bash bunny behind? Sorry I don't own a bunny (yet!)

    It would need to remain connected. The LED will indicate once it's done.

    8 hours ago, Darren Kitchen said:

    Awesome payload. Neat concept of a powershell reverse shell stager to kick off commands by netcat.

    It's a shame the powershell netcat interpreter is 342 characters long - necessitating opening and obfuscating a cmd window. I wonder if it could be whittled down to fit in the run dialog with its 260 max length.

    Something like

    cmd /c "start /MIN powershell <command goes here>"


    Indeed it sucks for there to be such character limit. I did manage to decrease $sm to 254 characters (without IP and port) but that is definitely not enough still.

    I could use SimpleHTTPServer to host the PowerShell file on the Bash Bunny. As for being to be able to execute it as a privileged user (optionally), that could be a bit of a challenge.

    EDIT: Hello. Future me here. Dismiss that comment about using a HTTP server. Can't put the variables in the script that way.

    6 hours ago, Dave-ee Jones said:

    At line 34 onwards you will probably need to (in some cases) increase the time to wait until the UAC box comes open (first time you open it after a reboot is about 3 seconds or so), also you can replace the 'LEFTARROW' then 'ENTER' with 'ALT Y' which immediately chooses the 'Yes' option.

    They're not really needed suggestions, as this seems to work fine without. Good job :)

    What's with the ADMIN variable though? What's the limitations if I set it to false? Does it just limit what commands I push to the PC or does it change the method it uses to open CMD/PowerShell?

    Ah, yes. I heard of that shortcut but kinda forgot about it being a thing. Would speed it up a bit, so thanks for that suggestion.

    The ADMIN variable changes the method it would run the CMD. So if it were to be set to false, it won't go through the UAC at all.

  11. Discussion thread for the RevShellBack payload.

    I've seen quite a few Rubber Ducky projects to do with getting a reverse shell running on a PC so that the shell can be accessed remotely on a different computer. But what got me thinking is this: the Bash Bunny is a full-on Linux ARM computer, right? It has netcat and it can do HID and ethernet simultaneously. So.. why not use that instead?

    At first, this payload will use a bit of HID trickery to hide itself from an observer as best as it can. As soon as it has done executing the final PowerShell command, HID is no longer used. User-defined commands will be sent to the computer in the background.

    By default, 4 commands are executed as a demo:

    • Write file (with content) to the desktop
    • Eject CD/DVD tray (if it exists) -- thank PowerShell for making that possible
    • Open calculator application
    • Message box -- powered by PowerShell


    For information about the payload, the payload script itself and how to configure it, it can be found at this GitHub repository: https://github.com/uintdev/RevShellBack

  • Create New...