I hadn't really heard of p0f before, and am excited to try that out! :D
In regards to the exfil, since the BB is quite the little gadget (thank you so much for this, Darren :] ) there's a possibility to add some smarts. Keep a directory listing/db for each box the BB has hit, as well as a lookup of each file that was successfully exfilled, along with some metadata about that file (either a hash or a timestamp). If it sees it's the same box, only exfil new documents, or ones that have been modified?
This also may be the wrong thread and I'll move it if I need to, but the RNDIS/ECM switching occurred to me yesterday and I got so amped about it I had to give it a shot. On my OSX the RNDIS failed (should'a guessed that one) and the payload switched to ECM. The issue is that after sourcing bunny_helpers and attempting the nmap payload, the hostname was "nobody", and the nmap showed 0 open ports (after scanning for 3 seconds vs ~200 I would expect). Running the same payload but reversing the order of Ethernet adapters to ECM first conducted a successful sweep.
Tha