Posts posted by oXis

  1. `get_facebook_cookies.ps1` is a PowerShell script that creates two functions (Get-FacebookCreds-Firefox and Get-FacebookCreds-Chrome). If you import this script inside one of yours, or inside a PowerShell shell, you can then use those functions.

  2. Some time ago I posted this script on Evil Portal's topic. The PineAP works with OpenWrt, so the iptables chains are a little different from the ones in Debian, for example, so it's hard to use a Pi to prototype the rules.

    Here is my script, https://pastebin.com/zZhzqf91 ; the init section shows the rules to redirect traffic. HTTPS is hard to redirect because of HSTS and certificates: either you drop it or you expect clients to authorise the self-signed certificate (doesn't work with HSTS).

    Hope it helps.

  3. 3 hours ago, sudovader said:

    it's stored on the SD because the Nano doesn't have enough space for that.


    You should have a folder /sd/portals, the symlink is from /root/portals to /sd/portals (ln -s TARGET LINK), so the command is 

    ln -s /sd/portals /root/portals

    Hope it helps

    • Upvote 1
  4. 1 minute ago, newbi3 said:

    That saves me a ton of time! I noticed you are allowing and denying clients based on MAC address. From what I remember, when moving away from NoDogSplash this required a kmod to be installed which wasn't compiled for the Pineapple's architecture at the time. Have you been able to get this to run on the Pineapple?

    It works on my Nano, so I bet it's in the kernel now. Take the latest version; I've changed something (HTTP input ACCEPT).

  5. Hi @newbi3,

    I've been looking at the iptables rules to create a captive portal. Because the PineAP runs OpenWrt, there are some predefined rules that interfere with yours. So I've written a script that creates the iptables rules.


    ./portal.sh init -> will initialise the captive portal

    ./portal.sh purge -> remove all the rules, but keep OpenWrt ones

    ./portal.sh add/remove IP -> authorise a user


    HTTP (80) is successfully redirected to port 80 on the PineAP. HTTPS (443) is dropped and DNS is accepted (you can also redirect it locally). I can't find a way to get HTTPS redirection to work without a certificate error, or a protocol error if you redirect to port 80.


    Hope it helps :)



    (I fixed SSH and PineAP manager address, now it works)

    • Upvote 1
  6. Ding ding, it's payload time :grin:


    This is a two-stage payload.

    First, you use the 'injector', which installs a small bash script that is a wrapper for sudo. The script will store the passwords.

    Second, you use the 'cleaner' to get the passwords back and clean up the backdoor.


    So basically, you get access to a computer running macOS or Linux (you can configure the payload by setting mac=true) and you install the backdoor. A couple of hours/days/weeks later you come back, grab the passwords and erase the traces. Easy :ph34r:


    Link: https://github.com/oXis/bashbunny-payloads/tree/master/payloads/library/credentials/SudoBackdoor

    I'll submit a pull request but first I need people to test this on MacOS and Linux. It works on my Linux Mint.


    Ninja! :ph34r:

    • Upvote 2
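A defender-side check for the kind of wrapper this payload describes, as an added example that is not part of the original post or the linked repository: it reports whether the word `sudo` in a shell resolves to something other than the real setuid binary, and whether a shell rc file redefines it. The path /usr/bin/sudo and the list of rc files are assumptions; adjust them for the host.

```shell
# Assumed location of the genuine sudo binary (placeholder; check your distro).
REAL_SUDO=/usr/bin/sudo

# Print the first file named "sudo" found on a colon-separated PATH string.
# Returns 1 when none is found.
find_sudo_on_path() {
  old_ifs=$IFS
  IFS=:
  for dir in $1; do
    if [ -f "$dir/sudo" ]; then
      IFS=$old_ifs
      printf '%s\n' "$dir/sudo"
      return 0
    fi
  done
  IFS=$old_ifs
  return 1
}

# Succeed when FILE is a script rather than the setuid ELF binary: a wrapper
# like the one in the post starts with "#!", while the real sudo starts with
# the ELF magic bytes and carries the setuid bit.
looks_like_wrapper() {
  magic=$(head -c 2 "$1" 2>/dev/null)
  [ "$magic" = "#!" ] || [ ! -u "$1" ]
}

# Succeed when an rc file redefines sudo as an alias or a shell function.
rc_redefines_sudo() {
  grep -Eq '^[[:space:]]*(alias[[:space:]]+sudo=|sudo[[:space:]]*\(\)|function[[:space:]]+sudo([^[:alnum:]_]|$))' "$1"
}

# Audit the live environment: report what typing "sudo" would actually run.
audit_sudo() {
  found=$(find_sudo_on_path "$PATH") || { echo "no sudo on PATH"; return 0; }
  if [ "$found" != "$REAL_SUDO" ] || looks_like_wrapper "$found"; then
    echo "WARNING: sudo resolves to $found (expected $REAL_SUDO)"
  else
    echo "ok: sudo resolves to $found"
  fi
  # Assumed rc file list; extend it for other shells.
  for rc in "$HOME/.bashrc" "$HOME/.bash_profile" "$HOME/.profile" "$HOME/.zshrc"; do
    [ -f "$rc" ] && rc_redefines_sudo "$rc" && echo "WARNING: $rc redefines sudo"
  done
  return 0
}
```

Run `audit_sudo` from the shell of the user you are checking, since PATH and rc files are per user.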
  7. I've also been working with an HTTP Python server with firmware 1.1 of the Bunny, and I discovered that sometimes, when you reach the end of the payload, the server stops working. But it doesn't happen all the time; it's like the Bunny kills the payload. If it happens, you can see the LED switched off.

    Put a "sleep 60" at the end of the payload and see if this is the same error.


  8. I had the same problem. Your solution seems fine.

    I rewrote the password grabber for Firefox because the PowerShell script is detected by Kaspersky. Instead of grabbing the password and decrypting it using PowerShell, I copy key3, cert8, and logins into the loot folder and use a Python script to decrypt the password within the BB.

    • Upvote 1
  9. Hi,
    Based on the PowerShell script written to extract creds from Google Chrome, I made a script to read the SQLite database where the cookies are stored and extract Facebook session cookies. It uses no library; like in the ChromeCreds payload, I use regex to search for the cookies. I haven't written any payload, and I also want to do the same with Firefox.
  10. Thanks, I hadn't thought about looking for Ducky scripts... I actually found a script to bypass the lock screen, can't test it now though.

    3 minutes ago, VincBreaker said:

    find a way to unlock your phone / bypass the lock screen to enable the debug mode

    Yes, that's what I'm looking for.

  11. Hi,


    I just ordered my Bash Bunny, and while I'm waiting for it, I'm gathering info for my project.

    On GitHub, there is a payload to loot data from a Windows host and I would like to do the same for an Android phone. The idea is to use adb to extract the data, but if Debug Mode is not on (mostly the case for normal users) you can't really use adb.

    I have a Galaxy S5 mini (Android 4.4 I think) to test my code on. The idea is to proceed as below:

    1/ Being able to steal data from an -unlocked- phone with Debug mode enabled (I think this part is easy :) ).

    2/ Being able to steal data from an -unlocked- phone with Debug mode disabled.

    3/ Being able to steal data from a -locked- phone with Debug mode disabled.



    Do you people have any idea how to do it? Like exploit a flaw to use adb or inject an app. I'm sure we can find something :)
