Everything posted by bg-wa

  1. @anao00 Yes, you are correct, DNS is a fragile system (in more ways than this example). Regardless of where you intercept, it can be difficult to detect. One thing not mentioned is SSL... you can use this method to host https://amazon.com at https://my-custom domain.com or http://amazon.com, but you won't have the right cert on your middleware machine to host https://amazon.com. It's subtle, but browsers are doing a better job of pointing out non-secure sites lately.
  2. I made this a few weeks ago. https://github.com/bg-wa/rails_in_the_middle Set up the app and point your DNS to it, point the app to the site you want to modify, and inject whatever code you want before it's sent to the user (also works the other direction, sending data to the original server). *Also not sure how practical this is, but it's possible.
  3. Kinda late, so maybe you already got this working, but I use codemirror a lot: https://github.com/fixlr/codemirror-rails Working example with file access here: https://github.com/bg-wa/bash-bunny-studio
  4. I started this quick POC, which uses Rails as a web-content proxy to allow intercepting and modifying html pages. [End User Request > My Bad URL > Actual server > My Bad URL > Nokogiri (modify response) > End User Response] It's pretty bare bones and allows you to browse any website at your own URL, modifying the response in the middle. https://github.com/bg-wa/rails_in_the_middle Seems like an interesting loophole. Even with CORS set up properly, assets could be stored and re-served to the end user.
  5. Hey Luca, you can cut down this code by putting your file types into an array, then looping through that array, executing at each object your `if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.[YOUR FILE EXTENSION FROM ARRAY] %dst% >>nul)`. https://stackoverflow.com/questions/8880603/loop-through-an-array-of-strings-in-bash This will trim up your code for each location. To make it even smaller, you should throw that line into a new function, then call it, passing your location and file-type. As a positive side effect, this will also make the script much easier to test and maintain. https://stackoverflow.com/questions/6212219/passing-parameters-to-a-bash-function
  6. Boom! HID only Optical Exfiltration Payload PR#316 https://github.com/hak5/bashbunny-payloads/pull/316/commits/84808baec72ccfcf16b8abe864b00ce4c784eb1e @Darren Kitchen Good idea! Maybe match it up with this OpenCV QR Reader!? https://github.com/christiansiegel/video-qr-code-scanner
  7. Just added a customizable playback option... I think this is now a viable working solution. I think this could be compressed and run on a rubber ducky that just writes an index.html file and opens a browser!
  8. Fun problem.... Here is my solution: https://github.com/bg-wa/QRExtractor
  9. Yes. When I took the time to write a test, it makes more sense... Basically I had locked myself out of the BashBunny partition where the loot and payload folders live. I couldn't sudo chmod them from the machines I tried, so I had to reset them on the Bunny itself... Somewhere along the lines of the hundreds of times I plugged and unplugged this device into everything in my house that has a USB port, permissions got changed. Here is a script I wrote after the fact in case it happens again:

       # At this point I could not write to /root/udisk/loot
       # or /root/udisk/debug as I could before
       LED G
       mkdir /root/udisk/debug
       touch /test                              # File 'test' written
       touch /root/test                         # File 'test' written
       touch /root/udisk/test                   # File NOT written
       touch /root/udisk/loot/test              # File NOT written
       touch /root/udisk/debug/test             # File NOT written
       touch /root/udisk/payloads/test          # File NOT written
       touch /root/udisk/payloads/switch1/test  # File NOT written
       # Then I ran:
       # mount -o sync /dev/nandf /root/udisk
       # chown root:root /root/udisk -R
       # chmod 777 /root/udisk -R
       touch /test                              # File 'test' written
       touch /root/test                         # File 'test' written
       touch /root/udisk/test                   # File 'test' written
       touch /root/udisk/loot/test              # File 'test' written
       touch /root/udisk/debug/test             # File 'test' written
       touch /root/udisk/payloads/test          # File 'test' written
       touch /root/udisk/payloads/switch1/test  # File 'test' written
       # Here I could write to my Bunny again
       LED R G B

     https://github.com/bg-wa/bashbunny-payloads/blob/bunny_permissions_checker/payloads/library/bunny_permissions_checker/payload.txt Hope that helps someone else along the line.
  10. Wondering if anyone has figured out how to dictate the keypress duration... I've got my windows mouse control payload working but it would be more useful if I could hold a key down instead of pressing it 100 times in a loop. I think the end goal will be to emulate something you can't do with a keyboard, like a signature in an HTML5 canvas. Thanks!
  11. You should just copy everything you need for your payload to switch1 or switch2 folders. Meaning if you are using a helper, you should also copy that helper to the switch folder next to your payload.txt. `source bunny.sh` is a relative path (just looking in the switch folder). /root/udisk/payloads/library/bunny_helpers.sh is just a hard coded, long hand, version of the same pointer. Hope that helps explain what you're seeing.
  12. So after a week of clean testing I managed to break my bash bunny, somehow messing up the mount point /root/udisk/ (it would not auto-mount and was read-only when manually mounted)... Thanks to @Foxtrot I was able to regain access by re-mounting and changing the permissions:

       mount -o sync /dev/nandf /root/udisk
       chown root:root /root/udisk -R
       chmod 777 /root/udisk -R

     I still can't write to my individual payload switch folders like I previously could, so I've updated my debug helper to reflect a more accessible directory (/root/udisk/debug): https://github.com/bg-wa/bashbunny-payloads/blob/bunny_debug_helpers/payloads/library/bunny_debug_helpers.sh Again, to use this script:
     1.) Include the helper at the top of your script: `source bunny_debug_helpers.sh`
     2.) Pepper your script with log entries to see where events succeed:
       debug_log "Attack Mode Set"            # ln. 41
       debug_log "IP Address : ${TARGET_IP}"  # ln. 92
     3.) Plug in Bunny... bash bash bash...
     4.) When finished, set the Bunny to arming mode and view your debug logs in the newly created "Debug" folder (/root/udisk/debug).
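Added example (not bg-wa's bunny_debug_helpers.sh or permissions checker payload) showing the two pieces posts 9 and 12 describe: a `debug_log` helper that appends timestamped entries, and a writability probe that does the touch-and-check loop from the permissions test so a payload can report a broken udisk mount instead of failing silently. `DEBUG_DIR` is an assumed variable that defaults to a temp directory here; on the Bunny the post uses /root/udisk/debug.

```shell
#!/bin/bash
# Added example, not the original helper. DEBUG_DIR is assumed; it defaults to a
# temp dir so this runs anywhere, whereas the post uses /root/udisk/debug.
DEBUG_DIR="${DEBUG_DIR:-$(mktemp -d)}"

# Append one timestamped line to $DEBUG_DIR/debug.log.
# Returns 1 (rather than aborting the script) if the directory cannot be created.
debug_log() {
    mkdir -p "$DEBUG_DIR" 2>/dev/null || return 1
    printf '%s %s\n' "$(date +%Y-%m-%dT%H:%M:%S)" "$1" >> "$DEBUG_DIR/debug.log"
}

# Probe each directory argument by creating and deleting a marker file, the same
# touch-based check the permissions test uses. Prints one status line per
# directory and returns the number of directories that were NOT writable.
check_writable() {
    local dir failures=0
    for dir in "$@"; do
        if touch "$dir/.perm_probe" 2>/dev/null; then
            rm -f "$dir/.perm_probe"
            echo "$dir writable"
        else
            echo "$dir NOT writable"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Stand-alone demo: the log dir should pass, a non-existent path should fail.
check_writable "$DEBUG_DIR" "/nonexistent/udisk/loot" || true
debug_log "writability probe finished"
```

Call `check_writable` on the loot, debug and switch folders at the top of a payload and branch on its return code, so the LED can signal a permissions problem before anything else runs.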
  13. @Dave-ee Jones I'm sure ours are the same, as I have not modified mine. I'm wondering if I need to create a new "ALT SHIFT NUMLOCK" command, or if I can accomplish this task with the existing keyboard methods.
  14. Got it from here: wondering if I need to add another command to my json file.... Should that process be scripted or submitted in a PR? @elkentaro any insight?
  15. It would also be nice to hold down a key (numpad) to take advantage of the mouse acceleration property if anyone knows if that is possible!!
  16. Hi Dave, I've checked the registry entries and all edits are successfully being changed. Just this one key combo is not being sent correctly. For PR simplicity, I've removed my debugging helpers but I know the script succeeds at all points EXCEPT sending the above key combo. https://github.com/bg-wa/bashbunny-payloads/blob/develop/payloads/library/bunny_debug_helpers.sh
  17. http://tldp.org/LDP/Bash-Beginners-Guide/html/sect_03_03.html
  18. I'm having trouble getting the following key combo to work: Left SHIFT + Left ALT + NUMLOCK. If I press these keys manually at the end of my payload I have mouse control with the keyboard on windows... https://github.com/bg-wa/bashbunny-payloads/blob/windows_mouse_control/payloads/library/windows_mouse_control/payload.txt I have tried the commands in different orders, and the ALT-SHIFT variation.
  19. This payload opens a URL on the default browser on an unlocked android... quickly. https://github.com/bg-wa/bashbunny-payloads/tree/feature/android_open_url/payloads/library/android_open_url More shortcut documentation here: http://freaktab.com/forum/tv-player-support/general-tv-player-dicussions/19428-android-external-keyboard-shortcut-keys-documentation
  20. Sounds like you put your Bunny in recovery mode (Unplugging it quickly 3+ times). http://wiki.bashbunny.com/
  21. Try something like QUACK DELAY 500 after setting your attack mode, and make sure your cursor is in a text area (notepad, word etc.) when you plug in the bash bunny. I wrote this simple, working script for a friend, but it should give you an idea of how to get your test working as well. https://github.com/bg-wa/bashbunny-payloads/blob/feature/issue_79/payloads/library/payloads/example/multi_hid_storage_example.txt
  22. Looking forward to seeing what you come up with!
  23. I'd be interested in checking it out if you want to share a link to a branch. Is there any way it could be abstracted to a helper, so we could call a method like `wait_for_switch_change` from any payload?
  24. Sounds useful! So you could change from switch1 to switch2 payload without unplugging the BB?