Everything posted by PoSHMagiC0de

  1. It has been a long while since I used this payload but I knew the gist of how it functioned. Didn't bunnytap point to http version of sites in a list? Back then, that was a thing before HSTS. With HSTS if you are trying to get session keys/cookies of https sites with HSTS, you will fail through http because the browser will say it is an https site and refuse. If you do go https then you will need to get your own CA cert trusted on the victim or for that user. Then you can have the api on the bunny respond to names with a signed cert for it signed by a trusted CA and then the secrets will be revealed. That may be the issue why Bunnytap is not working anymore. Just an idea.
  2. If you are using the MKII then I would suggest using a blank microSD formatted for fat32, cause the BB MKII does not do exfat yet. FAT32 has a 4GB file size limit. If there are any files bigger than 4GB, they will throw errors. You will have just the payload.txt in the switch folder you desire but all other files like the ps1 file will be on the MMC you made. Your payload.txt will first run: udisk mount to mount the MMC and then you will run attackmode HID and STORAGE. I am pseudo coding here so you can write it yourself. The mounting above will mount the MMC and switch out the nandf and we want to do this before the STORAGE attackmode else your nandf will be mounted as storage and AV will probably go nuts due to you probably have all the hak5 repo payloads on it. The next commands will be you either running the file directly in powershell, quacked out to run, or running a downloader quacked out in powershell command line to pull said file and run it as string (IEX method). In said Powershell file you will need the root where you are searching for files. If you say whole disk you are in for a long wait and a ton of junk coming over. If you are looking at users folder then you will need the path to that. If you want that auto, you will need to learn how to browse registry with powershell to get the default profile path to start from. Next, split-path command works wonders cause you can grab the leaf (ending part of file path), parent (full path of what folder leaf resides in) and NoQualifier (which removes the drive name so you can replace it with BB drive.) Get-Childitem or GCI works like dir and ls. You have a "Path" param to put in the root folder to start searching, a recursive param to browse sub folders and you can use -filter or -include params to put in the wildcard files as a list you are looking for (*.xdoc,*.pdf).
You can use what GCI returns to loop through and use the variable source itself as source for copy-item and for destination you can get the leaf of your root, combine that with the bunny drive and then replace the fullname of the file you are copying (fullname is in variable from gci) using the full name of your root to be replaced by the combined path to your bunny thus making the path point to your bunny with file name. You may have to use "-force" with the copy-item cmdlet if the path does not exist so it can create it else it will error about the path not existing. If you want the full path from the drive then for destination you can split-path the fullname of file with "NoQualifier" to remove drive letter and combine it with the drive letter for bashbunny and this will get you the source to copy to. This is a brief overview. You can learn about pulling files from the BB or downloaders from other payloads on the site which will include how to get drive letter of bashbunny using powershell. The only new thing you will be doing here is using the MMC instead of nandf.
  3. Warning with the forums and Hak5 discord. No one likes "It's not working" followed up by "It's not doing what I want it to do" when asked what is happening. Folks need to know what is actually going on to fix it. I have not met a psychic hacker yet. If they exist, I am sure they are really epic.
  4. Warning, do not update the firmware on MKII. The updater does not distinguish so using it to update the fw will mess up the MKII. I would consider the updater only safe for the legacy bunny only due to you maybe accidentally flashing the new one with the wrong firmware. Do not know if they are going to make a new version of tool to detect if the MKII is being used or not to prevent this but I would avoid it in the meantime. I am in the habit of doing my flashing and loading payloads manually so I have not played with the updater.
  5. To add to the above member answers. I have been ignoring these posts as I answered the first one that came across years ago saying the same thing about none of the payloads working or outdated.
     1) Hak5 is responsible for the platform being the BashBunny, that is it. They supply you a platform with features to build your own payloads with only your skill and imagination being the limiting factor.
     2) Payloads that are on the github site are created by members of the Hak5 community. They are presented as they are and are not supported by the Hak5 team. They have nothing to do with them except supplying a central repo to host them from if the authors want it.
     3) Never assume payloads will work on first try without modifying, especially when QUACK is involved. QUACK only has the ability to send keystrokes, it does not read them. The only read method it has in that app is to read arguments and read from a file that is written when the numlock keycodes are sent. The method in the file converts strings to keycodes and sends them all at once to the HID dev per line. It does not read from it, check if it worked, nothing. So, as someone mentioned, you may have to play with delays in the quack text files for some payloads depending on the victim machine and its speed.
     4) When using payloads, find out how they work because there is a high chance you will have to fix any issues you come across because the author may not be available or not available in the time you expect or probably wants nothing to do with the payload anymore.
     To me, the BB is a platform for me to make my own stuff so I do just that. If I want to use a payload by someone else, I make sure I know what it is doing and how because I want to make sure it does what I want and helping to figure out what I need to do to fix any issues that arise from it. And....as I mentioned in a previous post a long time ago. The Bashbunny, as far as payloads are concerned, is not plug n play. The attackmodes are but never the payloads. Do not expect them to be perfect on all machines or point in time.
  6. smbexfil may take care of what you want to do. Sleeping machines that lock will not work on. You will need to get past the lock with a known password or manually. If you are signing on to the machine as local admin to grab all profiles then admin will be needed and your script will have to identify every user folder under c:\users. If profile is not on C then you will need to go into the registry to get each of the user hive paths to pull from there. It is some thinking and scripting for both. Please do not hit me up in PM to build you payloads. Usually I have been batting 10/10 of users I respond to in forum hammering me in PM to do stuff for them, etc....that I ignore. I prefer you figure it out yourself as I have a job and paid well. I do not need a second income or job, especially not an illegal one. I have to put that in my messages cause it is better safe than sorry and prevents you from sitting there wondering why I did not respond to your PMs if you send them.
  7. This will not work because I do not see an SMB server running on the bunny yet. You will need impacket installed. Do not ask me how to install the newest version on MKII as I have not been successful so built an alternative network way. So, no SMB server seen and no network attackmode I can see to even get network connectivity going to even get SMB going in the first place. Read through docs and see how to get network attackmode going and maybe try the old impacket install to get you going. If you need more examples, look up the smbexfil payload. It is the same thing except they are pushing files to the BB, in your case, you will be calling from the BB.
  8. Without taking all day to make payloads, here is a quick example. Make a file called qcmd.txt and put it on the root of the MMC card. You will need to load the BB in arming mode with MMC inserted to do this. Make a payload.txt file in the root of the switch position on the bunny you are going to use. You will have to load the BB in arming mode with the MMC NOT inserted to do this part. Now, the normal way with no modifications with normal operation, here is how the payload.txt should look.

         LED SETUP
         ATTACKMODE HID
         # The below will mount the MMC if it is inserted at the time.
         udisk mount
         # After mount, nandf (where your payloads are located) will not be accessible from /root/udisk nor the loot of anything for that drive.
         # /root/udisk now points to root on MMC.
         LED ATTACK
         QUACK /root/udisk/qcmd.txt
         LED FINISH
         # The above will quack the qcmd.txt you put on the root of the MMC.

     Now if you want access to nandf still and MMC then that is where my extension comes into play. Create bash file from the function above in previous post and put in extension folder and keep everything else the same.

         LED SETUP
         ATTACKMODE HID
         # Now we are going to mount the MMC into a separate path.
         mount_udisk2
         # Now /root/udisk still contains your nandf drive with all the payloads, extension and what not and MMC is mounted to a new path at /root/udisk2
         QUACK /root/udisk2/qcmd.txt
         LED FINISH
         # The above accesses the quack file that was created from the MMC at its new path.

     You can still access what is on the internal nandf with the $SWITCH_POSITION variable and what not but anything on the MMC will have to be referenced directly with /root/udisk2. It is that straightforward.
  9. I am working on something that will exfil back to the bunny via http. There is an smbexfil payload by Darren that uses impacket to exfil back to the BB via SMB.
  10. Not supported but we have been talking about the MKII microSD storage on Discord. To put it procedural like, the BBMKII will never launch a payload.txt from the microSD. By default, it mounts nandf to /root/udisk. That is what you see when in arming with no microSD. This is always the case. Even in storage with the microSD in, you will see the microSD as USB but internally via the payload.txt context it only has nandf mounted as udisk. MicroSD will only be mounted to the usb storage gadget driver as the drive, not to the OS. Now, if you want to turn stuff off the microSD or use it for storage, here is what I am using and came up with. One way and the non-modify way is after your attackmodes are set...or before and if a microSD is mounted then in the payload.txt put in udisk mount. This will mount the microSD, if inserted, as udisk. I do not know what witchcraft is happening here the udisk command doesn't do a umount before mounting so I do not know how the nandf is being unmounted but it happens. This will make it so if you have other stuff in the payload.txt referencing the /root/udisk, it will now be referencing the microSD. So, make sure your directory structure is in order. Second way, involves adding a folder to the /root folder of the BBMKII system drive. You can create a udisk2 folder under /root on the bunny system drive. You can then have a mount command to mount the microSD to that udisk2 so your udisk is not replaced. Now you can reference /root/udisk2 for the second storage to run payloads or (what I use it for) to store loot.

         mount_udisk2() {
             # Mount the first microSD partition at /root/udisk2 only when the card is present.
             if [ -b /dev/mmcblk0p1 ]; then
                 mkdir -p /root/udisk2
                 mount -o sync /dev/mmcblk0p1 /root/udisk2
             fi
         }
  11. If you install tools, they will be on the local Bunny drive located at: /tools They will each have their own folder. Delete what you do not want in there.
  12. Yes you can. You need a way to serve the scripts and conditions setup either in the cradle that handles running the script on the local machine or code at the end of each script to run the next. I hate tooting my own horn but that is exactly what the outdated BBTPS does. You can use it or use it as an example of how something like that would work. Of course it is just an automated way how other post exploit frameworks work like Empire, Metasploit or Covenant. You create a server with node, python, etc that runs on BB, you quack a command to call server to get first script which should be the agent that will negotiate the whole procedure. That is it in a nutshell without writing a whole dissertation on it.
  13. So the man got himself a new pineapple. No better person for it. Now with Zylla having his early Xmas gift, the module repo may start growing heheh. Yeah, when it came to bettercap I have only used it outside of the pineapple. Like on the machine the pineapple is tethered to and just using the natural MiTM already there to use for bettercap (no arp spoof, no need). Just have to remember to override the interface with the pineapple interface and the gateway with my real gateway. Will throw an error about not finding MAC of gateway but ignore since only needed for arp-spoofing. Since bettercap is Go, be interesting to see how it performs on the Mark VII. I have not tried it on the Nano due to having to mess around with storage when I played with modules.
  14. Hey, posted this on Discord but the wp7.sh script has a couple of typos. At the top here are the variables it is using.

         wpver=7.0
         spineapplenmask=
         spineapplenet=
         spineapplelan=eth1
         spineapplewan=wlan0
         spineapplegw=
         spineapplehostip=
         spineappleip=
         sfirsttime=1

     But under the connect function the pineapple netmask variable is missing the "s".

         function connectsaved {
           if [[ "$sfirsttime" == "1" ]]; then
             printf "\n Error: Settings unsaved. Run either Guided or Manual setup first.\n"; menu
           fi
           ip addr add $spineapplehostip/$pineapplenmask dev $spineapplelan # <=======used pineapplenmask instead of spineapplenmask
           ip link set $spineapplelan up
           printf "Detecting WiFi Pineapple..."
           until ping $spineappleip -c1 -w1 >/dev/null
           do
             printf "."
             ip link set $spineapplelan up
             sleep 1
           done
           printf "...found.\n\n"
           printf " $(tput setaf 6) _ . $(tput sgr0) $(tput setaf 7)___$(tput sgr0) $(tput setaf 3)\||/$(tput sgr0)\n"
           printf " $(tput setaf 6) ( _ )_ $(tput sgr0) $(tput setaf 2)<-->$(tput sgr0) $(tput setaf 7)[___]$(tput sgr0) $(tput setaf 2)<-->$(tput sgr0) $(tput setaf 3),<><>,$(tput sgr0)\n"
           printf " $(tput setaf 6) (_ _(_ ,)$(tput sgr0) $(tput setaf 7)\___\\$(tput sgr0) $(tput setaf 3)'<><>'$(tput sgr0)\n"
           ip addr add $spineapplehostip/$pineapplenmask dev $spineapplelan # <=====used pineapplenmask instead of spineapplenmask
           ip link set $spineapplelan up
           echo '1' > /proc/sys/net/ipv4/ip_forward # Enable IP Forwarding
           iptables -X #clear chains and rules
           iptables -F
           iptables -A FORWARD -i $spineapplewan -o $spineapplelan -s $spineapplenet -m state --state NEW -j ACCEPT #setup IP forwarding
           iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
           iptables -A POSTROUTING -t nat -j MASQUERADE
           ip route del default #remove default route
           ip route add default via $spineapplegw dev $spineapplewan #add default gateway
           printf "\n Browse to http://$spineappleip:1471\n\n"
           exit
         }

     I put arrows...which are hard to see but they are at the two lines near "ip addr add".
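The class of bug reported in the post above (a misspelled variable name that silently expands to an empty string) can be caught mechanically. The following is an added example, not part of the original post or of wp7.sh; the function names, the script excerpt and the 192.0.2.10 address are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag variables a script reads but never assigns, the class of
# bug described in the post ($pineapplenmask instead of $spineapplenmask).

# Constructed excerpt modelled on the lines quoted in the post (not the full wp7.sh).
sample_script() {
cat <<'EOF'
wpver=7.0
spineapplenmask=
spineapplelan=eth1
spineapplehostip=
spineappleip=
sfirsttime=1
ip addr add $spineapplehostip/$pineapplenmask dev $spineapplelan
ip link set $spineapplelan up
until ping $spineappleip -c1 -w1 >/dev/null
EOF
}

# Read a script on stdin and print every name used as $name or ${name} that has
# no "name=" assignment at the start of a line. Environment variables such as
# $HOME are reported as well, so the output is a review list, not a verdict.
unassigned_vars() (
  src=$(cat)
  assigned=$(printf '%s\n' "$src" |
    grep -oE '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' | tr -d ' \t=' | sort -u)
  referenced=$(printf '%s\n' "$src" |
    grep -oE '\$\{?[A-Za-z_][A-Za-z0-9_]*' | tr -d '${' | sort -u)
  for name in $referenced; do
    printf '%s\n' "$assigned" | grep -qxF "$name" || printf '%s\n' "$name"
  done
)

# Runtime counterpart: with the nounset option (sh -u / set -u) the misspelled
# name aborts the shell instead of producing "address/" with an empty netmask.
# Returns 0 when the typo is rejected. The address is a constructed value.
nounset_catches_typo() {
  ! sh -uc 'spineapplehostip=192.0.2.10; : "$spineapplehostip/$pineapplenmask"' 2>/dev/null
}

# Stand-alone demo: prints the one name that is read but never assigned.
sample_script | unassigned_vars
```

Running a real script through `unassigned_vars < script.sh` before deploying it, or adding `set -u` near its top, surfaces this kind of typo before `ip addr add` receives a malformed address.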
  15. The BBTPS I wrote has a means for you to report back to it from your payload to grab additional jobs/payloads. Good for cases where you want to check if it is safe to pull down possible detectable code if it is safe..like no AV. Also to check if a victim meets conditions before pulling down a larger script to run. I have been sidetracked and done very little with newer version converted from nodejs to golang for the server and the update the SMB part for file exfiltrations but that should give you some ideas for what to do with it. Also wanted to add quack back for smarter Admin detection like run and if admin is detected then send command to BB to get ready to send alt-y in 5secs and then try and launch new download cradle with admin privs. When UAC kicks off the BB within 5 seconds of command will alt-Y it and there you go. If no admin, then the download can request non-admin jobs/payloads. So there is some ideas for ya.
  16. Welp, it checks to make sure you are in the local administrators group. Now, I can see an issue ensuing in the way I am checking this since I am directly checking the local group. If you are added to Administrators group via another group, it may not see you. You can remark out the check if you want to test for yourself, the code is commented. Anyway, if your name is not in the local administrators group, it will just exit. Also, it checks for a specific version number of Windows. Will run if Win10 or greater or if version 8.1...specifically major version 6.3 it looks like. I was going off of user feedback on the 8.1 part if it worked or not for that version. If both are satisfied, it will create a powershell command to be added to the registry for the diskcleanup task with arguments, etc. It then schedules a schtask for diskcleanup, waits 5 seconds and then removes the registry entry. Similar to the eventviewer bypass in some ways. Very noticeable as the script will pause and then return once the 5 secs are up and a black window will pop up briefly before notepad comes up. That is all that encoded script does in the example. I pretty much took someone else's script and cleaned it up to be more portable.
  17. Just retested. It works. You have to be a local admin on the machine first before you run this. It will not warn you or do absolutely anything if you are not. This is not a priv escalation from an unprivileged user to admin. This is to bypass UAC. UAC is that prompt you get when you are on as an admin and need to run something that requires elevated rights so it greys out the screen with that "are you sure" message. It is Windows version of sudo. For automated tasks where keyboard access is not there this is very helpful since you will not be able to click "yes" via code.
  18. Sounds like a simple masquerading NAT rule except for the forwarding part you set the default policy to drop and then set rules to allow your specific IPs through. As long as the outgoing interface is on that 10.10.10.x network, masquerade will assign it the IP of that interface. If you are blocking incoming from that outside interface by default then you will need a rule to allow the status mode of ESTABLISHED,RELATED to get through. Look up iptables and masquerading or setting up a linux machine as a router with iptables. If you have not played with iptables to that extent, I advise you to spin up a mini network in virtualbox using 1 ubuntu server and 1 ubuntu desktop (no need to max out their resources). Have 1 internal NAT network that has no internet access and place the ubuntu desktop there. Build ubuntu server with 2 interfaces, one is bridged and the other is on the NAT with no internet access. Now you can enable forwarding on the server and use iptables to create rules to pass traffic from the internal nat to the bridged interface. In your ubuntu desktop, make the gateway the IP of the server interface that is on the NAT network. Now you can play with the tables on the server to see if you can get outside access on the desktop vm. If you already know iptables then the above will still help to experiment.
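The rule set described in the post above (FORWARD policy DROP, per-host allow rules, an ESTABLISHED,RELATED rule for return traffic, and MASQUERADE on the outgoing interface) can be written out for the VirtualBox lab as follows. This is an added example, not the poster's code; the function name `router_rules`, the interface names and the 192.168.56.x addresses are constructed lab values.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the two-interface lab
# router described in the post. All names and addresses are constructed.

# Accept only plain interface names and dotted-quad addresses so that nothing
# unexpected can end up inside a generated rule. Octet range is not checked.
valid_iface() {
  case $1 in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
  [ "${#1}" -le 15 ]
}
valid_ipv4() {
  case $1 in ''|*[!0-9.]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# usage: router_rules LAN_IF WAN_IF ALLOWED_IP...
# LAN_IF faces the internal network, WAN_IF is the bridged (outgoing) side.
router_rules() {
  [ "$#" -ge 3 ] || return 1
  lan=$1 wan=$2
  shift 2
  valid_iface "$lan" && valid_iface "$wan" || return 1
  for ip in "$@"; do valid_ipv4 "$ip" || return 1; done

  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]'
  # Default policy for routed traffic is DROP; only the rules below open it.
  printf '%s\n' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  # Replies to connections that were already allowed out.
  printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
  # New connections only from the listed internal hosts, LAN to WAN.
  for ip in "$@"; do
    printf '%s\n' "-A FORWARD -i $lan -o $wan -s $ip -m state --state NEW -j ACCEPT"
  done
  printf '%s\n' 'COMMIT'

  printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
  # Rewrite the source address to whatever address the outgoing interface has.
  printf '%s\n' "-A POSTROUTING -o $wan -j MASQUERADE" 'COMMIT'
}

# Stand-alone demo with two allowed lab hosts.
router_rules eth1 eth0 192.168.56.10 192.168.56.11
```

On the lab server, the output can be checked without applying it by piping it into `iptables-restore --test` as root; forwarding itself still has to be enabled through `/proc/sys/net/ipv4/ip_forward`.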
  19. Lol, this isn't a Darren issue. It is MS doing their due diligence and fixing an issue. If you want to get hashes from locked machines, you will need to come up with a new method....not Darren. He has given you the tool to use whatever you come up with. Use it damnit.
  20. Welp, I mentioned awhile back on the correct way to create Powershell payloads/scripts that are easily transportable. That method is to make them as functions. This is a function. When you ran that, it created the function and stored it in memory. To run it, you have to run the function name with the parameters. The file method needs the local location of the ps1 file to be run. The encoded way needs the powershell commands you want to run encoded as base64 unicode encoded (like if you were going to run the encoded powershell commands with the "powershell /E" way). So, if you are trying to run notepad with this then either have a local ps1 file created with: Start-Process Notepad Or take that command above then encode it to base64 unicode and use it with the encoded method. Welcome to Powershell 101. PS: Forgot to mention you have to be a local admin to begin with. Script will do nothing if you are not. There is no privesc for normal user to admin.
  21. Don't know or remember what I added but ok.
  22. "\$" escapes question mark. "\\" escapes back slash. "\\\$" escapes back slash and question mark.
  23. I do know if the BB comes up as a new device, Windows 10 will attempt to locate drivers for it. This can include looking up on Windows update which can take some time. After the drivers are installed if you do the same combo attack again, it should be faster since now the machine has the drivers. There isn't a way around this unless you preload the required drivers before inserting the BB. HID is normally fast but I noticed on machines I have not inserted the BB in yet if I use the dual HID Ethernet or ethernet it will take some time to find drivers for it before it is available for use. Can take up to 30sec to a minute depending. If you are not slowing down the ethernet speed so it is not the highest connection, it may take longer since the machine will try and use the BB connection first to retrieve drivers.
  24. Try deleting the responder folder under "/tools/" on the root of the BB system drive and then try reinstalling the responder.deb tool again by copying to the tools folder on the BB arming mode partition, safely ejecting and reinserting the bunny. File should vanish from the tools folder there and end up installed in the tools folder on the BB system drive. See if that works.
  25. The P4wnpi is running Raspbian also so it is a general arm distro and has all the deps available for meta and stuff in their repo.