Dave-ee Jones

Dedicated Members
  • Posts: 1,488
  • Days Won: 40

Everything posted by Dave-ee Jones

  1. Ah so kind of like an FTP server but not... Interesting. I've been using PowerShell's webserver capabilities which don't easily allow you to access the files... Can you set up HTML/CSS styles for the Python server or no?
  2. Yes well, congratulations :) Lots of people are a bit too keen to use their BB instantly and they can get a bit excited, skipping out on some things if the BB does fail/drivers aren't installed properly, which can make things worse. It just depends on how your computer takes the BB (does it install correct drivers, does it even check the BB for drivers etc.), if your BB is faulty or not and things like that. Enjoy your new BB and learning how to pentest with it :)
  3. Simple but effective. Utilising simple PowerShell commands and functions is definitely one of the best things about Ducky script...
  4. Rightio. Fair enough...I guess?
  5. That's the best way to go. Also, make sure Windows has set the correct drivers for the BB. If it comes up as Gadget Serial or something like that and not Unknown Serial USB it will work fine. If it is unknown, update the drivers manually and select the BB as the driver. It should fix it fine.
  6. Download the repo. Go to bashbunny.com and click on Payloads underneath the BB picture. Then download the whole repo and copy it raw to your BB's main directory. Should work fine. Just a question: why would you delete everything?!
  7. Yes that's all well and good... with PHP. JavaScript doesn't allow you to do half of that. Only way to really do it is run a PowerShell script from JS and do the copies that way. What I might do is use your GitBunnyGit to update the repo.
  8. How would you access the file via a server on the BB? I'm interested to know as I'm making a webserver payload, and I want it to be able to access files on the BB and client.
  9. Well, if that were the case, what would be the point of it having an Ethernet adapter attackmode? Think about it logically, it would be useless as a pentesting tool if it couldn't even auto configure its drivers. I've found that it works fine on any other Windows computer after you have set the drivers on the first computer, probably because it sets up the driver on the USB and Windows reads it and goes, "Oh, you have drivers on you! Great! Lemme just install them.." You have to think logically, don't just go "pfft, this thing is useless if I have to set it up on every PC I use it on!" Yes, it would be, but guess what? It isn't! :D
  10. I have that same issue. OTG cables seem fine most of the time, but are a bit fiddly too.
  11. Pfft, messing with you, yeah why would I-why would-pfft-no. Seriously though, it is a pretty big issue to get around. You more than likely incorporated your own GitBunnyGit which means you didn't do it the way I want to do it. I was hoping there was a way to do it all with JavaScript but atm all I have it do is download the repo and not do anything with it. Extracting a ZIP is far easier with PHP but then if you want to move files or anything like that you would need to use JavaScript or something else other than PHP. Easiest thing I can think of is make JavaScript run PowerShell which can then do anything you need it to, but you have to make sure it is all client side and not run by the Bunny (otherwise it'd be like "What is this .zip you keep speaking of? I don't have anything like that!"). Swapping out Payloads is probably not going to happen with my webserver though, if that makes you feel any better...
  12. BunnyWeb is coming...:ph34r:

  13. Yo, it is quite neat and all, but what do you mean faster than HID strokes? Once you've opened PowerShell all you need to do is tell it to run a .ps1 script sitting right next to the payload and it'll do the rest without HID strokes. How is it faster?
  14. PowerShell would probably be the best way. Maybe not the most efficient... Create a PowerShell script that is run by the payload.txt that says something like:
      Copy-Item -Path "/root/testing/test.txt" -Destination ([Environment]::GetFolderPath("MyDocuments")) -Force
      Not sure if that will actually work as "/root/testing/test.txt" is a *nix path for the BB, you can't really access it from Windows Explorer...
  15. Bunny can do everything a Ducky can AND has more functionality in terms of general programming. E.g. if statements, while loops, Python, PowerShell etc. Not to mention you can also turn it into an Ethernet Adapter and storage device (and all 3 in one...). It is far more useful as a pentesting tool.
  16. Hey, I am trying to download a folder (not a .zip) from a GitHub repository and save its contents to a local folder from inside PHP/JavaScript. The contents are other folders and text files. I know how to download specific files or zips from GitHub but downloading a folder that has other folders in it... Would be easier to just download the .zip of it but unfortunately it is a folder, not a .zip. Any possible way anyone can think of to achieve this? Would be great :)
  17. I would try it but I don't have a spare 3-way USB port handy, let alone 3 devices... Well, I guess I could use 2 Android phones connected on OTG... Also, anyone got any ideas as to how I would download a GitHub repository of the payloads and replace the current library folder with the downloaded library folder inside the whole GitHub repo? Would be much simpler if Darren made the folders in the repo zips...
  18. Sayon, RNDIS and Serial aren't immediately recognised by Windows. You need to set them up first. On the USB there should be a Windows config file, which allows you to update the USB's driver (Serial and RNDIS) and instead of choosing 'Check online for driver' or 'Check windows update for driver' select 'Manually choose a driver' and select the BashBunny USB. That'll fix most of your problems. Also, if you want to use SERIAL and STORAGE don't use a payload to do it, just use Arming mode, which is made for that sort of thing.
  19. Yeah, exec() seems to be the easiest way to go, and in some ways the nicest. In regards to connecting to the BB's webserver, the computers that are being hosted by the BB can, right? As in, if you had a 3-way USB port from the BB to the computers (DHCP server giving them the 172.16.64.10-12) all of them could access it via 172.16.64.64:8080 (or whatever port you are using, I am assuming it's 80 or 8080) right?
  20. I think the main reason for this is you would have no idea what holding down the key would actually do. Say, if I held down a key on my PC for 5 seconds, it might make a whole wall of text in a single character. If I held down the key on a lower end PC (or even a phone), it might only do half as much. This means you have no idea how many times that button was actually inputted. So therefore, even if you create a loop to press the button 100 times, you still know it attempted to press the button 100 times. Very tempted to say 'speed is key' but I figured it wouldn't go down well as a pun...
  21. Neatly done. Although, people are rarely going to whitelist SN_DEADBEEF :P
  22. Oh. Well RIP. I thought it was different... Well, similar can also mean the same virtually, I guess. I cannot run commands on it, if that makes you feel any better! I do have a question though...For some reason any devices connected to the same network as the webserver cannot connect to the webserver. May have to wait until I port it to the BB. Oh, another question, how did you get the Bunny to take commands? Or is it just a web-based console that the webserver acts on, not the BB?