Everything posted by mame82

  1. BB vs RP Zero

    When I wrote the 'LockPicker' payload for P4wnP1, the intention was to show how things could be combined. Cracking isn't the best idea on either of the two devices. BTW, I used JtR Jumbo in its default setting, which means it isn't a pure dictionary attack, but goes on with pattern-based bruteforcing. In fact the behavior of JtR could be modified per config file, which I haven't done for the LockPicker demo. Now that P4wnP1 is able to join an Internet-connected WiFi AP and connect to an external SSH server, it wouldn't be a big problem to upload a captured hash to a more powerful appliance. The remotely cracked credentials could then be downloaded again and used to unlock the target. I'm not willing to implement such payloads for P4wnP1, as it is meant to be a framework. A demo using the AutoSSH feature to bring up a remote shell (only communicating through a USB HID interface with the target) and relay it to an external SSH server is in the P4wnP1 repo, which shows the basic capabilities. This unfortunately can't be done with BB due to its hardware limitations. Here's a tweet with a picture of the basic idea
  2. Besides the fact that I brought up P4wnP1 before Bash Bunny was there, the devices are comparable. In fact there's a feature comparison in the P4wnP1 readme. So there are two things P4wnP1 can do which BB isn't capable of:
     - bring up a USB HID device which serves as a covert backchannel to get networkless remote shells
     - relay these shells to the built-in WiFi AP
     Okay, maybe there's more in the future (Bluetooth support, CD-ROM emulation, pivoting by tunneling TCP sockets through the HID device). P.S. P4wnP1 has a payload to unlock boxes after a hash has been fetched:
  3. @qdba Although I'm still waiting for the Bash Bunny to arrive, two ideas come to mind in order to achieve what you want. We know Python Responder is available (for Quick Creds)... 1) Use the pre-installed Python with python -m SimpleHTTPServer 2) As Responder is able to deliver a custom HTTP error page, change the error page to deliver your PowerShell payload and you should be able to access it (no matter what target URI your victim client is using). To change the HTTP header of the Responder error page, some code manipulation is needed (change the content-type from "text/html" to "application/octet-stream"), but you're basically able to deliver a custom HTTP page
  4. @Darren Kitchen Maybe we should get in touch regarding the composite device configuration which is needed to make Windows enumerate the interfaces in the correct manner. Feel free to copy the setup from my repo otherwise. Would love to see this PnP capability for RNDIS+UMS+HID in the Bash Bunny firmware, too. I'm looking forward to the arrival of my Bash Bunny. I'm really interested in how you managed to get the device to act as an insanely fast 2 GBit adapter. Could you give details on the UDC of the Bash Bunny?
  5. @Darren Kitchen Your statement on the need for manual driver installation for an RNDIS composite device is wrong. My already mentioned project P4wnP1 works as composite RNDIS, USB Mass Storage, HID keyboard and CDC ECM without installing custom drivers on Windows 7 to 10 (Plug and Play). It's a matter of having the right USB configuration to force Windows to enumerate the composite interfaces one by one and install a driver for each single interface. BTW, although I'm doing exactly the same on a $5 device, I ordered a Bash Bunny - I like the work of Hak5 ... Keep on going. See here for details: P4wnP1