
VincBreaker

Active Members
  • Posts: 16

Posts posted by VincBreaker

  1. Making the Keylogger BBTPS-Compatible is an awesome idea, injecting the keylogger into other processes is even greater, but may trigger some AVs so it should be optional (and I don't think the average user would rate a process called "Windows PowerShell" suspicious). I'm also thinking about a feature to automatically obfuscate the PowerShell script because I love obfuscation, but we have to keep in mind that AVs may or may not detect the obfuscation instead of the keylogger.

    Finally, I'll continue developing my Java obfuscator since I had some great ideas while developing the keylogger (it's one of my "I need to think about something else than obfuscation" projects), but I'll surely be continuing the keylogger soon :)

  2. 19 hours ago, jafahulo said:

    I'm pumped to try it out! As an fyi, I'm going to work in my spare time on completely hiding the PowerShell window so the target will only see the Win + R box.

    Thanks a lot, suppressing the PowerShell popup would make the keylogger so stealthy that it probably wouldn't get noticed even when somebody sits in front of the monitor :)

    @PoSHMagiC0de

    I didn't quote you since your post is really long.

    However, I don't see the need to turn the payload into a PowerShell function since you already can pass parameters to the script using the param statement. That method is already used and doesn't require you to specify any method name, so the Win+R box can run faster and we don't scratch the char limit that fast, which is the reason I decided not to transfer the backend's URL via a parameter. (Even though most URLs should fit within the 130 chars left.)

    Another possible solution would be to write the parameters into a file which would then be read by the PowerShell script, but this will lead to issues once the script is downloaded and the BB no longer registers itself as a storage device.

    // EDIT: SMB shouldn't work yet since I'm still working on it.

    // EDIT Nr.2: I'm not a PowerShell expert, but I used C# for two years and PowerShell seems to somehow be based on .NET. My experience is not to force garbage collection at the end of a program since that is one of the first things the runtime does after the program has exited AND it's way more effective after the exit. It's just not worth locking the exit for garbage collection just to run into a way more effective garbage collection.

    // EDIT Nr.3: I like that exfil-method fallback concept.


  3. 10 hours ago, Dave-ee Jones said:

    You could potentially turn your phone into a WiFi Pineapple with the BB plugged in using the phone's hotspot...Ooo, that could be fun...:ph34r:

    This seems to be really powerful when it comes to pranking friends, but since you already could have done it manually, I either didn't hear of it yet or it isn't possible or you are really the first one to think of that attack vector.

    When it comes to Android exfiltration, I would write an exfil app and then push it to the phone like Demnsec did, or register the Bash Bunny as storage and then manually install and use a file manager, or use ADB to copy the files to the BB.

  4. 18 hours ago, RazerBlade said:

    An improvement to this would be to add

    -windowstyle hidden

    during the attack phase so it looks like this:

    RUN WIN powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\b.cmd')"

    This way the powershell script is hidden. To improve the keylogger, I think you should look into powersploits keylogger: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1

    As it's able to capture the program's title (says a lot about what website a user logs in to, for instance) and adds timestamps too. Maybe incorporate it? Overall your keylogger is very simple and does the job very well. Impressed!

    The current online version already hides the PowerShell window, but since @jafahulo reworked the launching, it isn't needed anymore. Your window tracking idea is really interesting, I'm gonna try it after I've implemented the web (and maybe the SMB) exfil method.
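The launch line quoted in this post (powershell started with a hidden window from the Win+R box, resolving the drive by its volume label) is exactly the kind of process-creation event a defender can alert on. The following is an added example written for this thread, not code from VincBreaker's payload or from anyone in the discussion: a small scorer over Sysmon-style process events that flags the combination of hidden window style, volume-by-label lookup and an interactive parent process. The event records are constructed for illustration; the field names (`ts`, `parent`, `image`, `cmdline`) and the `min_score` threshold are assumptions of this example.

```python
"""Score process-creation events for the hidden-window PowerShell launch pattern.

Added example for this thread; SAMPLE_EVENTS are constructed, not captured telemetry.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed Sysmon-EventID-1-style records (field names are this example's own).
SAMPLE_EVENTS: List[Event] = [
    {   # constructed: shape of the Win+R launch line quoted in the post
        "ts": "2017-05-01T10:00:01Z",
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -windowstyle hidden \".((gwmi win32_volume -f "
                   "'label=''BashBunny''').Name+'payloads\\switch1\\b.cmd')\"",
    },
    {   # constructed: same intent with abbreviated switches
        "ts": "2017-05-01T10:00:02Z",
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -w h -ep bypass -c \"gwmi win32_volume | ? label -eq 'BashBunny'\"",
    },
    {   # constructed: ordinary admin script, visible window, non-interactive parent
        "ts": "2017-05-01T10:00:03Z",
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -NoProfile -File C:\\scripts\\inventory.ps1",
    },
    {   # constructed: hidden window from a service host; one signal only
        "ts": "2017-05-01T10:00:04Z",
        "parent": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -NonInteractive -WindowStyle Hidden -File C:\\ProgramData\\backup\\run.ps1",
    },
]

# gwmi win32_volume ... label=... : the "find my drive by its label" launcher idiom.
VOLUME_BY_LABEL = re.compile(r"win32_volume.*\blabel\b", re.IGNORECASE)
# Parents that mean a human (or an injected keystroke sequence) started the process.
INTERACTIVE_PARENTS = ("explorer.exe",)


def is_hidden_window(cmdline: str) -> bool:
    """True if the command line sets the window style to hidden.

    powershell.exe accepts unambiguous prefixes of switch names (-w, -win,
    -windowstyle all select WindowStyle), so the switch is matched by prefix.
    The value check accepts "hidden", the numeric form 1, and (a deliberately
    generous detection choice, not a statement about what PowerShell accepts)
    any prefix of "hidden".
    """
    tokens = cmdline.split()
    for tok, nxt in zip(tokens, tokens[1:]):
        if not tok.startswith("-") or len(tok) < 2:
            continue
        if not "windowstyle".startswith(tok[1:].lower()):
            continue
        value = nxt.strip("\"'").lower()
        if value == "1" or (value and "hidden".startswith(value)):
            return True
    return False


def score_event(ev: Event) -> Tuple[int, List[str]]:
    """Return (score, reasons); each independent signal adds one point."""
    reasons: List[str] = []
    if not ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, reasons
    if is_hidden_window(ev["cmdline"]):
        reasons.append("hidden window style")
    if VOLUME_BY_LABEL.search(ev["cmdline"]):
        reasons.append("resolves a volume by label (removable-media launcher pattern)")
    parent = ev["parent"].lower().rsplit("\\", 1)[-1]
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"spawned by {parent} (interactive launch, e.g. Win+R)")
    return len(reasons), reasons


def find_suspicious(events: List[Event], min_score: int = 2) -> List[Tuple[str, int, List[str]]]:
    """Events scoring at least min_score, as (timestamp, score, reasons)."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= min_score:
            hits.append((ev["ts"], score, reasons))
    return hits


if __name__ == "__main__":
    for ts, score, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{ts} score={score}: " + "; ".join(reasons))
```

Requiring two signals keeps the noisy single-signal case (a scheduled script that hides its own window) below the alert threshold while still catching the quoted launch line whether the switches are spelled out or abbreviated.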

  5. 5 minutes ago, RazerBlade said:

    Instead of a smb server, just use a simple python HTTP webserver which is able to receive POST requests

    I am currently coding a little PHP script which then should run on an external server so the keylogger no longer depends on the BB. (I hate PHP)

  6. 9 hours ago, jafahulo said:

    Great idea, but I think I have a few improvements.

    I cut everything down to l.ps1 and payload.txt, and made it so that only one window is opened. 

    I did change the parameter for CLEANUP to be 0 if you don't want it to run, and anything else if you do want it to run.


    Also I noticed some general weirdness going on when I was testing, mainly when I was typing quickly it would log some of my keystrokes out of order, but 98% of the time it worked great!


    An interesting feature would be to implement a SMB server instead of mass storage so that it was less obvious what was going on. I think BashBunny listed in the drives list is a bit of a dead give away, but an extra network connection would probably go unnoticed for a larger portion of the time.


    Good job with this one!

    payload.txt

    l.ps1

    Thanks, your approach to cleanup led me to an idea to make the payload even faster. Also, I'm gonna try to make the payload exfil via web and / or SMB :)

    The BB in general can become pretty hot and then behave strangely, one more reason to have an exfil method which doesn't depend on the BB.

  7. Hi there,

    I just finished the first version of my BB keylogger. It basically launches a PowerShell which keylogs to the loot folder of the BB.

    Features:

    • Fast launching (thanks to USB Exfil for the one line launcher)
    • Leaves no traces when cleanup is enabled.
    • (Insert feature?)

    Link:

    https://github.com/Vinc0682/bashbunny-payloads/tree/master/payloads/library/phishing/WinKeylogger

    VincBreaker

    PS: I will create a push request upon positive feedback and improve the payload in the other case.

  8. Hi there,

    as other users already reported, payloads may get removed from the bunny since AVs can detect them when you are running in storage mode. One way to overcome this should be to simply not tell the target these payloads exist. It would be really nice if you could define your own filters to also hide other files the target shouldn't see in the first place, like social engineering.

    Is this feature possible or is there a risk the target may overwrite the files hidden?

    VincBreaker

  9. Hi there,

    I got my bunny today and while developing a payload to drop my meterpreter onto the computer, it actually got detected by my AV and deleted from the storage.

    At that point, I remembered a pretty boring DEF CON talk I once saw showing a device able to block every write / delete on a USB stick. Further, it allowed filtering the data passed to the OS so you can ultimately hide any files until you need them, which can be especially useful when you have a stick with multiple exploits / payloads on it and some of them may trigger the AV but are not necessarily needed at one stage, or your USB stick gets checked when walking into a facility while pentesting (actually happened to me once :/).

    So I'm kindly requesting an extension to the API which:

    1. Allows to block every write to the usb stick.
    2. Allows to filter every read / write from / to the storage. I would suggest the visitor pattern, but I guess it is not compatible to bash :(

    Yours sincerely,

    VincBreaker

  10. I guess everyone has their little mistakes... I once was developing a small platformer and had been reworking the basic controls. The character just didn't want to walk to the right, no matter how much I debugged it... After a few hours, I realized I had been pressing the left arrow key the whole time :grin:

  11. Nice tutorial, I will surely make use of it since I already have a fairly good mapping for German from my Ducky2Digi transpiler. (Since a Ducky was too expensive / not worth it for me, I once bought a small crappy Arduino alternative and was too lazy to translate all Ducky payloads by hand, so I took the definitely smaller effort of writing a small compiler :P)
