Jump to content


Dedicated Members
  • Content Count

  • Joined

  • Last visited

  • Days Won


Everything posted by PoSHMagiC0de

  1. If you want to test smbserver.py, a good way is to test it by itself. Make a new payload.txt and in it just put these lines. LED SETUP ATTACKMODE RNDIS_ETHERNET sleep 5 LED ATTACK When it is ready connect to it with putty from the Windows machine to ssh and login. At the login change to the root of the bashbunny "cd /". Type the below. python /tools/impacket/examples/smbserver.py 'test' './' If you have to, add the smb2support param to the above line too. Now, while smbserver has the terminal bust launch an explorer window and try to connect to the bashbunny ip and share. \\bashbunnyip\test You should be browsing the root of the bunny. If you are, even with the smb2support switch then impacket is working. The issue might be the last param the way it is formatted which it is very picky about. Always use full path for smbserver to server like "/root/udisk/payloads/$SWITCH_POSITION/" or "/root/udisk/look/etc/etc../". When you connect to smbserver, you have to use the share name you specified as the parameter.
  2. Oneliners got you down? Trying to type out all that text and including escapes getting confusing and then modifying later on is even more frustrating? Well, lets try having our one liner a multiliner in the beginning and encode it, all from bash. Complete with all the bash variables you want to pass and powershell variables you want to be unharmed. The original premise is from @elkentaro post about PowerRun he wrote using iconv. This can convert files to whatever encoding you want. Well, we are not converting files here, we will be converting echoed text...or echoed variable. Lets do the example as a payload since most of you may not run linux or if you do, do not run Powershell 6 on it to test seamlessly. This is a hacky way of doing it but it works. LED SETUP MYTEXT="Charles" MYSCRIPT=" \$name = \"$MYTEXT\"; cls' Start-Sleep -s 2 Write-Host \"Hello there, \$(\$name).\"; " ENCODED=$(echo $MYSCRIPT | iconv -t utf-16le | base64 -w 0) ATTACKMODE HID Q DELAY 5000 LED ATTACK GUI r Q STRING "cmd" Q DELAY 500 Q ENTER Q DELAY 2000 Q STRING "powershell -E \"$ENCODED\"" Q DELAY 700 Q ENTER LED FINISH So, you still have to escape (") when inside quotes or use single quotes instead but isn't that much easier to follow? You also still need to escape ($) where you want to them passed to powershell rather than bash replace with its own value it has. Also, since bash concatenates each line, you will have to add a semicolon to each line except where a loop starts and begin or statement like below. MYTEXT=" while \$true { Start-Sleep -s 1; Write-Host "Running loop"; } " #or MYTEXT=" if(\$i -eq 4) { Write-Host \"Item is 4.\"; } " Now, if you do not need to pass any values to from bash then you can have all your Powershell in a file all neat and formatted without all the escapes and stuff and then use the PowerRun method to encode. This is a lost gem I decided to resurrect and show a spin on.
  3. Hmm, on your computer when you hit "windows key + r" what happens? If nothing, you have a keyboard like mine that can disable the windows key and that also stops the BB GUI command. If not, try opening notepad and set a payload to just type string to see if anything is coming across at all.
  4. Grrr.. So, I knew trying to go the Python route would hurt. Right now I have the pythonists at the hackerspace I going into scratching their heads on slack on how to exit BaseHTTPServer.BaseHTTPRequestHandler class. I mean, seriously. I can exit in node by just exiting. In python I get a python error dump and I am still stuck in serve_forever. Even built my own exception to try and raise but seems like it doesn't exit the server_forever. Hell, even handle_request() is not acting right. Soooo, I told my pythonists friends that I am scratching the python language server and going back to what I know works great...node. So, new server will still be in nodejs.
  5. @Darren Kitchen I got your response on youtube and sent you it already awhile back. Thanks. 🙂
  6. Since it has been so quiet in the BashBunny forums...... So, adding on to the BBTPS is becoming challenging where I began multiple rewrites to make it modular and due to pressure from my local hackerspace (mainly the python group as something to talk about when done) the server that used to be nodejs will be done in python2. Due to the massive rewrite and additional features though will look oddly the same, the BBTPS new version will be called the BBMPS (BashBunny Mutli Payload Stager). Its category is still the same. It is a tool, not a payload. Listening to criticism about the BBTPS, mainly it being hard to understand and so many config files, I broke it down to fewer. Hey, when you make something that can serve up multiple scripts and stuff you cannot have 1 config file. So, most of the work will be in payload.txt. You still will need to implement a json job file in the folder with your scripts except there will be 1 extra option in the json file. You will have the ability to specify if a job needs admin to run or not. This is identified in the job json file. If the agent (which is still powershell for windows)is elevated then it will run that script else it will skip it. This leads to autoadmin. Yelp. This will add multiple stages though. Instead of you specifying in the BBMPS you want admin or not it will check in the first stage it downloads if you can have it. If the account it is run under is admin and have not been elevated then through a process it will launch a new stager to grab the agent as elevated and signal the bunny to hit alt-y to get past the prompt with no exploit being ran to trigger anything suspicious. If you cannot get admin then it will launch the agent in userland and run only payloads that do not require admin. This leads into the Powershell agent. Because it has been long enough, the agent will no longer work on machines with Powershell version less than 4. The BBTPS will be archived as the Powershell 2.0 version. The agent will be faster as I finally figured out how to get jobs to kill themselves when done so no more constantly check for stuck and finish jobs in a cycle except to see if it is time to download more or kill the bunny because all jobs are gone and nothing is on the BB server. The agent will also automatically run a job to gather machine info though still working on how much I can get between running in userland and running as elevated admin. Since I will be doing this in python, I will be able to integrate impacket's smbserver directly into the web api that the agents will be using. The smbserver will be part of the web api, so logging and stuff can be controlled more granularly. The impacket tool will still be a requirement. I have given up on autodetecting OS in a fast way. There are ways but this tool is meant to spin off a bunch of payloads as fast as possible so to offset this I am working through implementing hoppeye8x still so if you enable it you will have choices for on the fly moments but the first iteration will not have multi-OS nor 8x still as I am working through how to handle auto-admin for linux and Mac. Last, since I made the no-express branch the default branch for the BBTPS repo (that is the newest version that I rebuilt that does not require any node dependencies) BBMPS may take a bit to release. Like with the node api server in the BBTPS, I am trying to keep with the core packages already on the bunny for building the python web api. That means no flask or other packages that makes building those apis easier with less code. More code means more time and I have a busy couple months so lets see how long it takes me.
  7. Hmm, so I have a thought. Since this is only for one payload, why not try just using the module for eternal blue and the user's custom shellcode to execute code? The Bunny setup would be easier and the spinup would be a lot faster and less extensive for the BashBunny.
  8. Hmm, I have never done an update to the BashBunny using aptitude. I just upgrade firmware and use tools package seb dropped in. I try and keep anything I build to the base packages like with node I do not use express package. For python don't use django, etc. If I want to add a tool I will try the tools method first. Only reason is so I do not change the version accidentally of some of the base packages or configs default on the BB and break something. Also, when I keep payload installations simple, I get asked less questions on how to install and use them.
  9. Took me a bit to get it to go into firmware recovery mode but got'er done and re-updated and looks to be functioning again. Thanks,
  10. So, last night I decided to mess with my Pineapple Nano at the hackerspace and saw there was an update so I updated. It reset everything which is no biggie so I get everything set back up again. Ran PineAP, captured some old phones in the hackerspace. Good times. While running PineAP I decided to do a recon. Recon ran with the status bar and then when done nothing was found. Hmm...I thought that was odd seeing my phone and airmon-ng on my laptop was picking up a lot. I ran it a few more times and even rebooted my pineapple to see if that would clear things up but nothing. Anyone run into this yet?
  11. That is because those \" are escaping the double quotes on the bash bunny so if you are doing it without the Bunny then it will look like this in the run command prompt. powershell -C "start-process powershell -verb runas -argumentlist '-C set-executionpolicy unrestricted'" If you do it from the Bunny it will look like my previous post.
  12. Hmm, wonder if encryption software people who have no way of decrypting customer data can just not offer their products to Australia to avoid breaking their software? I would.
  13. Hmm, when you use the -C or the -E parameter (those are short for command and encodedcommand) it is a bypass as long as any additions are sucked in as a string to be invoked. But, since you want a disabler you can combine the powershell part into one run command. GUI r DELAY 700 STRING "powershell -C \"start-process powershell -verb runas -argumentlist '-C set-executionpolicy unrestricted'\"" DELAY 700 ENTER DELAY 2000 ALT y Of course even with the policy restricted you will see the powershell command will run the C argument, in both instances when it is called.
  14. Use a raapberry pi as replacement for laptop. I use one as a brain to handle all the heavy lifting the nano can't. Most of the MitM happens on the pi like bettercap. Meta could be hosted from it as well.
  15. Soooo @Darren Kitchen I was going to send you a solution but YouTube comment space is too small for what I was posting and you do not take PMs here. Totally understandable. 😛 Actually, I wanted to post it silently because if I win and the prize is a BB, I already got one and would rather the second runner up get it. I just like solving the problem. 🙂 Now, if you want to start a Hak5 credit account for me so I can earn up to the amount I need to get a Tetra, well I am down heheh. How do I send you a solution silently?
  16. There area couple of ways I know to bypass this. Everyone knows I do not give out answers right out but one way that would not be too hard for you would be to look at the Hak5 videos, especially one featuring VIS on disabling defender. It is loud and noisy and you need admin rights but it works. I know of a second way but involves more knowledge, code and following strict procedures. Positive part is it doesn't require admin rights and is completely silent. You should try VIS method first since it involves less code. The silent way only affects the powershell session you run it in. If you spawn a new one, you will have to do it again for that session.
  17. That right there is when you email Hak5 support at their shop. That definitely is a hardware issue. Your BB is shorting. Either something fried inside of it (maybe bad solder connection, not trying to say the guys at Hak5 cannot solder..just anything can happen) or literally the firmware flash has somehow set the current draw on the chip the BB uses too high. I would be afraid to even plug that into USB power because if it is drawing too much it will definitely get your BB smoking but the Hak5 folks can confirm that. Also, check and make sure there isn't any debris in the USB connector of the BB that maybe shorting out some pins to each other or the the USB shield.
  18. SERIAL attackmode puts the bunny in Serial mode...like a com port. The original payload you posted looks for the Bunny to be mounted as a USB stick (STORAGE). If it is not mounted as storage, there is no drive labeled BASHBUNNY. The only way you will get your files you are accessing with SERIAL is you will have to do it serially. Pretty much have to make a serial server on the BashBunny in Python or whatever to serve/communicate/etc and a serial receiver agent on the victim to receive it to run it. Do not ask how to do it the serial way I mentioned, it is a long topic best self journeyed to understand and involves programming. So, HID puts the BB in keyboard mode, STORAGE puts the BB in USB Storage mode, ECM_ETHERNET puts BB in network mode as a ECM compatible network device (mostly Macs and Linux machines), RNDIS_ETHERNET put the BB in network mode RNDIS driver compatible (mainly Windows machines).
  19. And what I wrote earlier is ignored. You can say PineAP crashes if toi much is going on. PineAP is not at fault for the failed associations. That is your phone manufacturer doing their damn job and protecting you. I notice questions on the BB forum and here always pop up after a vendor fixes their bug like MS been doibg against a lot of the BB payloads and like Google and Apple are doing against PineAP, Mana and Karma. They are not sending out the name of the APs they are probing. It is a blank probe. Use wireshark and look for yourself. Fire up scapy, add a filter for probes and see for yourself. The firmware to pineap did not break it, the firmware update to the phones added protection against it. There are work arounds but for all those updated phones expect pineap to not work for them the same again. Do what a hacker does....adapt.
  20. Hmm, I only seen PineAP crash on me if I turn everything on and I get a ton of captured ssids. The issue with the modules not working, you may have to hit up the contributors for that. As far as PineAP not working as far as capturing phones, are you on the newest firmware of the phones? If so, there you go. I posted awhile back about PineAP, Mana and Karma attacks are going to have issues in the future. Reason? My Pixel and my wife's work IPhone do not probe for specific wifi names anymore. They do a wildcard probe. With a wildcard probe, all access points in listening range respond. If one of the APs is the one in its list then it will attempt to connect to that one. Since you not know what it is probing for, there is nothing to capture from it to respond back to hence no capture. Keep in mind the AP it responds to has to be an open AP, no wep or wpa. Anyway, a work around would be to load a list of known open access point ssids in the area and probe them to see if the phone connects to one of them. A cool feature would be if PineAP gets a wildcard probe to respond with all the SSIDs it has stored. Do not know if that is possible with a large list. I'm ill today so going back to bed. 😐
  21. So, I have not tried on windows but translating the instructions and my experience with the BB and Linux I see these things. 1 set payload.txt to: ATTACKMODE RNDIS_ETHERNET 2. Discover what interface comes up for the BB. It will be a new one. I would inspect interfaces before the BB and interfaces after to see what comes up. 3. Right-click the interface that connects your machine to the internet and select properties. 4. Select the sharing tab and set to allow users to use this internet connect and select the BB interface in the list of interfaces. 5. Change the ip on the BB interface to and subnet try and ping the bb at ssh to it at that ip if pingable. The script for the BB does kind of the same with setting the IP on the interface that connects the BB and enables forwarding.
  22. Hmm. You tested inet sharing in arming? There is your issue. Don't switch from switch one. Instead after the last boot, stick to switch 1. The BB will have an ip. Forgot the range, it is in tue docs. You can ssh to the bunny by its ip now. When you switched to arming you killed the network connection.
  23. That will get the udisk back to default state with no payloads. That is the mounted partition you see in arming mode and USB mode and where all your payloads are stored and ran from. If you are talking about redoing the root OS. That will take a flash or a recovery. Unless you know the BB root system is having issues, this is not necessary. A udisk reformat is all that is needed to clean up the payloads partition and get it back to being readable by all the OSes again.
  24. Have not done internet sharing with Windows on the BB but one question. How does your payload.txt look for the switch position you are running it in?
  25. SSH into the BashBunny and type: udisk reformat
  • Create New...