Hak5 Forums

PoSHMagiC0de

Active Members
  • Content count: 187
  • Joined
  • Last visited
  • Days Won: 3

1 Follower

About PoSHMagiC0de

  • Rank
    Hak5 Zombie

Contact Methods

  • Website URL
    https://github.com/PoSHMagiC0de

Profile Information

  • Gender
  1. Maybe a nice tool for pentesters...

    You may be able to do the same with a wifi extender or a few of these spaced apart. https://eero.com/ The above are wireless mesh devices for extended wifi. Have not tried them.
  2. How to start with bash bunny?

    Okay, I came up with some steps for the newcomers to get up and going on their BBs. This includes testing your BB after you got it to make sure it is working and then updating.

    1) After you get your bunny, stick it in arming mode. Switch position closest to the USB port.
    2) Put the BB in the computer. It should come up as a USB storage device.
    3) Inspect that the device has a loot, tools and payload folder.
    4) In the payload folder go into the switch1 folder.
    5) In the payload.txt file clear all text out of it and put the following. This is for Windows machines.

        ATTACKMODE HID
        LED G R
        Q DELAY 5000
        Q GUI R
        Q DELAY 500
        Q STRING notepad
        Q DELAY 500
        Q ENTER
        Q DELAY 2000
        Q STRING "Hello World"
        Q DELAY 500
        Q ENTER
        LED B R
        ATTACKMODE RNDIS_ETHERNET
        LED G

    6) On Windows the above should open up notepad and type Hello World. After that it will switch to attack mode ethernet for Windows.
    7) At this point you can try and ping 172.16.61.1. If you get a ping back, ethernet seems to be up. Now, try and use PuTTY to SSH into the BB using root as login name and hak5bunny as password. If you get in, your bunny should be golden at default.

    Now, time for the fun part. On this part you are going to firmware upgrade the Bunny. Only a few people have had bad luck with this; most of the issues have been from lack of patience. It takes a while, on mine it took 5-10 mins, so make sure your machine is plugged into live power and the USB port you are using is good. You want no interruptions. Kill that USB power save mode too. Now, download the firmware from here and do check the checksum, it is there for you to make sure your download was not corrupted. https://wiki.bashbunny.com/#!downloads.md

    Unplug the bunny and switch it back to arming mode, switch position closest to the USB port, and put it back in. When the storage for it comes up, copy the file still compressed to the root of the bunny storage folder (not in loot, not in tools and not in payloads). Safely eject the bunny from Windows and unplug the bunny from the USB port, wait 5-10 seconds, plug it back in and do the hardest part.....wait. If upgrading from 1.0, the LED will flash red while it is flashing. It will flash red for a while. Let it flash red, leave it alone, do not do stuff on the computer that it is plugged into, go do something else. When it is done it will flash blue and your BB storage will show up again.

    From this part you copy the tools from this forum thread to the tools folder on the BB storage drive. After you have done that, tell Windows to eject the BB drive so it is sure to sync and not create a dirty bit. (Whenever you are going to disconnect in arming mode, always eject the BB.) Wait 5 seconds and plug it back in and wait. When the BB is done installing the tools, the storage drive will show up again for the BB. At this point you should be updated and ready to go.

    Go grab some payloads and try them out. Copy the contents of one of the payload's folders to a switch folder. Do not copy the folder itself into the switch folder, just what is inside the folder (contents). If your storage folder is operational but empty like it has gotten erased, you will have to serial into the BB while in arming mode and do a "udisk reformat". Adding folders by hand back in will not work due to permission differences. Serialing into the BB can be found on the wiki here, along with SSH instructions and emergency firmware recovery. https://wiki.bashbunny.com/#!index.md
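The payload.txt above is line-oriented: one Bash Bunny command per line, with `Q` (QUACK) prefixing Ducky Script keystrokes. A typo in any line is only discovered after the Bunny has already started typing into the host, so it pays to lint the file before copying it to a switch folder. The following is an added example, not code from the post or from Hak5: it checks that every line starts with a command the post uses, that keystrokes are only sent while HID is the active attack mode, and sums the DELAY values so you know how long the HID stage runs before the switch to RNDIS_ETHERNET. The command and keyword sets are assumptions built from what this post and the poster's other posts mention, not the full Bash Bunny command set; extend them for your own payloads.

```python
"""Lint a Bash Bunny payload.txt before it goes into a switch folder.

Added example (not from the post or from Hak5). The accepted command sets
below are assumptions drawn from the commands used in the post, not the
complete Bash Bunny language.
"""

# Top-level commands seen in the post's payload. QUACK is the long form of Q.
TOP_LEVEL = {"ATTACKMODE", "LED", "Q", "QUACK"}
# Attack modes the poster names (HID and RNDIS_ETHERNET here, ECM_ETHERNET in
# the QuickCreds post). Assumed list, not exhaustive.
ATTACKMODES = {"HID", "RNDIS_ETHERNET", "ECM_ETHERNET"}
# Ducky Script keywords used after Q in the post. Assumed list, not exhaustive.
DUCKY = {"DELAY", "GUI", "STRING", "ENTER"}

# The poster's Hello World payload, constructed line by line from the post.
HELLO_WORLD = """\
ATTACKMODE HID
LED G R
Q DELAY 5000
Q GUI R
Q DELAY 500
Q STRING notepad
Q DELAY 500
Q ENTER
Q DELAY 2000
Q STRING "Hello World"
Q DELAY 500
Q ENTER
LED B R
ATTACKMODE RNDIS_ETHERNET
LED G
"""


def lint_payload(text):
    """Return (errors, attackmodes, total_delay_ms) for a payload.txt body.

    errors      - list of human-readable problems with line numbers
    attackmodes - the ATTACKMODE lines in order, e.g. ["HID", "RNDIS_ETHERNET"]
    total_delay - sum of all Q DELAY values in milliseconds
    """
    errors = []
    attackmodes = []
    total_delay = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are fine
        parts = line.split()
        cmd = parts[0]
        if cmd not in TOP_LEVEL:
            errors.append(f"line {lineno}: unknown command {cmd!r}")
            continue
        if cmd == "ATTACKMODE":
            modes = parts[1:]
            if not modes:
                errors.append(f"line {lineno}: ATTACKMODE needs at least one mode")
            for mode in modes:
                if mode not in ATTACKMODES:
                    errors.append(f"line {lineno}: unknown attack mode {mode!r}")
            attackmodes.append(" ".join(modes))
        elif cmd in ("Q", "QUACK"):
            if len(parts) < 2:
                errors.append(f"line {lineno}: {cmd} needs a Ducky Script keyword")
                continue
            key = parts[1]
            if key not in DUCKY:
                errors.append(f"line {lineno}: unknown Ducky keyword {key!r}")
            elif key == "DELAY":
                if len(parts) != 3 or not parts[2].isdigit():
                    errors.append(f"line {lineno}: DELAY needs a millisecond count")
                else:
                    total_delay += int(parts[2])
            # Keystrokes only reach the host while HID is the current mode.
            current = attackmodes[-1].split() if attackmodes else []
            if "HID" not in current:
                errors.append(f"line {lineno}: {key} sent before ATTACKMODE HID")
        # LED lines are accepted as-is; colour validation is out of scope here.
    return errors, attackmodes, total_delay


if __name__ == "__main__":
    errs, modes, delay = lint_payload(HELLO_WORLD)
    print("attack modes:", " -> ".join(modes))
    print("HID stage delays:", delay, "ms")
    print("errors:", errs or "none")
```

Run it against the payload above and it reports two attack modes in order and 8500 ms of explicit delay before the Bunny leaves HID mode, which is the number to adjust when a host needs more time to bring up the Run dialog (a point the poster raises again in the MrRobot post below).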
  3. Notepad from Locked PC? Possible?

    I can see the confusion with some people and their vision of the Bash Bunny due to it being able to be a keyboard, network card, serial or USB storage. Although it seems like it, the extent of the trust the BB has to the system you are plugging into is the extent of access of the device you are pretending to be. Let me summarize why you will not be able to do much with a locked machine with the BB. Let's say the machine is locked and you wanted to use the BB; let's look at the attack modes and what they can do with a locked machine.

    HID\Keyboard: On the locked machine, can you do anything from the keyboard that is attached to the machine to launch notepad? If not then BB HID attack mode will not either; as it is emulating a keyboard, its access to the system is as far as what a keyboard can do.

    USB Storage: On the locked machine, if you plugged in a USB memory stick, would you be able to launch notepad on the locked machine? If it is updated you shouldn't be able to read that USB stick until you unlock the machine. Also, autorun is disabled for USB storage sticks so no dice there.

    Network: This can best be described as this. If you hooked a Linux machine onto the network on the same subnet as the victim computer and you have the IP, can you make notepad pop up on the victim machine while it is locked? Well, you could if you had the right network credentials to remotely launch it, but if you are trying to launch something without unlocking the machine with the BB I am assuming you do not have credentials. The BB's network connection is like that. It is a machine on another subnet on the 172.16.64.0/24 network. The BB does not automatically have access inside the machine but has a network connection to it. But logically, it is another machine connected via network to the victim machine so all firewall rules and network rules still apply. The only stuff that will work are network attacks like QuickCreds that uses Responder, which also works on a PC connected to the same network if we can get the victim to fat finger a resource name not on the internet or on the subnet. So the most you can do is fiddle with the network traffic, though I have seen locked machines go silent on networks.

    Serial: If you plug a serial connection from one computer to the victim, can you remote control it? Well, you cannot unless there is a service listening on that port that allows you to. Since the COM port is created when the driver is installed, that will be a big no.

    So, the type of attacks you can do are in essence another machine connected logically by traditional connections. The purpose of the BB in a pentest is to execute payloads quickly on a vulnerable machine...most likely one that is unlocked. It uses HID to speedily type commands on the victim machine in combination with the other attack modes for delivery, exfiltration or manipulation. It is up to your imagination what you can do.
  4. BashBunny (Hardware 2.0) Maybe?

    So, I saw this on YouTube. https://www.youtube.com/watch?v=FsTeedpYeg4 I immediately thought to myself, the BB would benefit from this. This mode could be a 4th switch position or even an initialize mode like BLUETOOTH_ACTIVE. Of course either way you go it would be a new BB since it would need a Bluetooth module. How many things you would have available through the Bluetooth I do not know, but the remote control ability of that SupremeDuck made me curious.
  5. [PAYLOAD] macWallpaper

    I'm curious if this is a stand alone or requires bunny connection to run. A cool feature would be to have it stand alone and run in the background, pull the pic, save a copy under a different name and then use a copy under the original name as the wallpaper. Check in a certain time interval if the wallpaper has been changed from what you had and if so then use the backup to make a copy to the original d/l name and set it as wallpaper again. :-P I would make it a two-fer. Get 2 pics, the second is the original modified with text saying "and the ponies keep on coming" or "Stampede". That will be the pic that will be set after the first is unset as wallpaper...or tile it :-)
  6. Interesting sector with iffy response to security...

    It would be interesting to find out. Of course the only way would be to get one and play with it. It says it uses GPS. Maybe you can jam it to make it go nuts. Do not know if there is a way to override GPS with your own signal, which may be able to spoof it to move by making it think it is somewhere else. I heard he controlled it from his phone. Is it using a cell data card to connect to a cloud that you connect to to control it, or a direct connection? If direct, then is it Bluetooth or WiFi? If WiFi, is it open or does it involve the device logging in somehow..same goes for Bluetooth and if/how it is pairing to your phone. With Bluetooth, maybe you can get a pair with it on a laptop? If WiFi, maybe you can connect to it with a laptop...similar to the open WiFi the drones have/had. Yeah, reusing their software is not considered a security feature unless that is a proven hardened piece of code. If they have a bug in that package then all software they have that package in will have the same bug.
  7. Quickcreds Stays on Red forever

    According to the payload this happens when the Bash Bunny does not get an IP of the machine. This payload looks to be updated to use firmware version 1.3 due to the GET extensions it is using. It also uses Responder, so your Bunny will need to be updated to firmware 1.3. You will need to make sure you have Responder installed; see the tools pinned post for the package and installation instructions. With those, QuickCreds should go to yellow until you get creds. Other than that, maybe the machine is failing to install the RNDIS driver. If you are running this on Windows make sure the RNDIS_ETHERNET attack mode is used, not ECM_ETHERNET.
  8. Windows 7 "was unable to install your CDC Serial"

    Windows 10 can handle 2 attack modes. I use HID RNDIS_ETHERNET all the time, I just append on RNDIS_SPEED_10000 so Windows 10 uses the REAL network connection to the internet to use Windows update to get the new drivers. May have to do the same with your combo to get drivers.
  9. [PAYLOAD] MrRobot

    So, I did extensive testing of this payload. I have a copy of his mimidogz at the totalp0wn payload so I know the script works.

    1) If on Windows 10 with the Creators Update, forget it, it will never work.
    2) If you are running a virus scanner like Avast, this payload in its current condition may be stopped. Avast I know will stop it. It doesn't stop in the BBTPS because I compress and encode it before transferring from the BB to my agent running on the machine, similar to the first script that is pulled down by this payload (ps.md). If you are having issues, try disabling all virus scanners and try again.

    I have seen red on Windows 10 machines when it pulls nothing; red means it got nothing. Also the quack timings may need to be adjusted for the machine you are adding it to. Maybe a little delay after the GUI+R to give the machine time to bring up the run command. Some time after running PowerShell as admin to allow for PowerShell to swap and give the admin prompt, and even time after hitting Alt-Y. I have also been adding an extra return after the Alt-Y pause in case it is one of those machines that do not prompt for admin permission and just run the command prompt, so I can return after my Y and have a clean command line to run the cradle.

    Recommendations for improvements. Maybe compressing and encoding md.ps1 before sending it and putting in the p.ps1 file the code to put it back to English and run may help with the virus scanner issues seeing it in transit, but test on Win7 with all virus scanners off while this payload is in its current condition.
  10. BBTPS Release (1.6)

    I did more testing with the powercat script in the totalp0wn payload of the BBTPS. On Windows 7 machines it works as intended. On a Windows 10 machine it exhibits the behavior you describe, with the session opening and then being closed by the remote host. Hmmm. When I copy the script to the desktop of the Windows 10 machine, load it into a variable as a string, invoke it and then run the function, it works. I even tried the -NoE option but it fails on the BBTPS. May have to modify the agent to not hide the process window so I can see what happens. Yeah, the Connect-Powercat2.ps1 script file is that same module on GitHub but I unfactored it so it can be one file and be loaded and fired off as a payload without touching disk. I planned on doing some docs on the modules in the totalp0wn job list but originally built that joblist as an example of what I would use as a combo payload in the BBTPS. Didn't think it would be popular.
  11. CUDA

    More like a merge. Trying to decide how to decide which DB data takes precedence. The reason is the WiGLE db stores the signal strength of the AP while Kismet does not, from what I can tell. In my Kismet db the fields for signal strength show zero. I planned on using strength and time to determine if a record is to be updated. I am thinking of making the DB backend that brings them together in MongoDB for flexibility. Maybe after evolution and the structure solidifies I will go to MySQL.
  12. Payload and unix command

    So...you don't want to run unix commands without a terminal?
  13. Payload and unix command

    I spent all weekend looking through those payloads figuring out which one I should update. I got overwhelmed. Going to just need people to suggest which one needs looking over the most and start there.

    Summary. The BB is an ARM machine running Linux. It has its root partition that it boots from and a NAND (I think it is called that) that is usually mapped as udisk for payloads and exfiltrated data. If you make a payload with just a network connection you can SSH into it and explore it. The BB comes with some helpers for you. Like in the shell it has the udisk command to mount and format the partition that is mounted and payloads are run from. For the payloads themselves there are helper functions to get you the IP address of the bunny and clients, switch position, and hostnames. The wiki has their uses.

    I looked in the past for a way to run my payloads hidden in Linux and found a way, but it works best when the payload is encompassed into a script, i.e. python, perl, bash, whatever. The key here is the nohup command in Linux. I do not know if it is there in macOS but I have always seen it in Linux. If I use it like so against my payload script it will be:

        nohup bash ./myscript.sh &
        exit

    nohup keeps your script from closing when you close the terminal. Of course you can only see the process in "top", if it is still running. It also writes all output to a nohup.out file. I have found that while prethinking of a way to make an agent run hidden on Linux, since I had no takers on writing the python agent for the BBTPS for Linux and OSX, I am going to have to do it as soon as I figure out how to run a separate process from python detached from the current python instance (like Start-Process in PowerShell for Windows).
  14. QuickCreds .. sometimes yes, sometimes no :(

    Because the login name is used as part of the key for the hash. You need the login info, domain too if it was included. Hashes should always include the username they belong to when passed. Do not know why Quickcreds is not getting it.
  15. CUDA

    I have been tinkering around with an idea I plan on writing in python. It is to query and handle the SQLite files handled by Kismet and WiGLE for Android. Want to be able to combine them into 1 common database with more open query options to export results to KML files.