PoSHMagiC0de

Dedicated Members
  • Posts

    618
  • Joined

  • Last visited

  • Days Won

    26

Everything posted by PoSHMagiC0de

  1. Welp, I know you can get HID ECM_ETHERNET to work with the below command and VID; I used the VID that came up in Linux lsusb for the device in ECM_ETHERNET mode. ATTACKMODE HID ECM_ETHERNET VID_0XF000 PID_0XFF13 Windows with HID RNDIS_ETHERNET is no joy no matter what I try. Notice that the device when run by itself doesn't match any of the devices in the wiki list. In Windows it comes up as: VID_0X04B3 PID_0X4010 I tried to append that on at the end, since when I did HID RNDIS_ETHERNET it was the Ethernet that was off, but then the opposite happened. The Ethernet came on but HID never does work. In Linux under lsusb I only see the 1 device, which is the one above for ECM. In Windows I see the same, as 1 device comes up, but the QUACK commands I have in place to test never type out. In fact it seems to stick with the light after the attackmode before the QUACK commands, which makes me think QUACK is getting stuck because the HID mode driver never loads for some reason. Conflict? Just for kicks I did the ECM one on Windows and the expected happened: no drivers for the CDC_ECM but the keyboard did type. I wonder if there is a CDC_ECM driver built into Windows; if I get the device ID of that, I wonder if the dual command will work without having to load drivers.
  2. I think the issue is not that it is missing initialization but that, when used in combination, the RNDIS is not seen as the standard IBM device anymore but takes on another ID. One thing I can try is the PID/VID options: get the device ID from the known driver and see if they can be spoofed to work in combination. Hmmm, will have to try tomorrow morning unless someone gets the bug and beats me to it before then and finds out. :-P
  3. I was asking in another thread with others about combo attack modes not working, like HID RNDIS_ETHERNET and so forth. There is a bug we are being told will be sorted out in 1.3, so the dynamic attack modes may have to wait. The dual attack modes could really help out my payload/tool.
  4. I am assuming you mean QuickCreds. Did you install Responder too? QuickCreds requires that. Responder is easy to install, since you just need to clone their repo and copy that folder into your tools folder so it is loaded on the next loading of the Bunny in load mode. If you mean DumpCreds then that needs impacket, which is trickier since it has to be added a certain way to work. Someone built packages for both of them to do clean installs into your tools folder for you. I took the standard approach and installed them, but now my path to the tools is different from other people's, who installed them in a way that they are still in the tools folder, so don't follow my way for impacket unless you know how to remove it in case you want to. I have to modify the payloads' path to those tools if they use them now. Little inconvenience; makes me examine the payloads. Of course the next flash will probably start us back over again. :-) Just copying the Responder repo works fine; install is needed after the BB moves it over.
  5. That one melting you had was enough for me to consolidate the tool approach, hehe. I had to install mini heat sinks and fans in the Raspberry Pi RATs I have because if I work them, those chips' heat would skyrocket. I assume if you put a load on this thing, it would probably melt any of them over time. I think you said you had yours just chilling there. hehe
  6. So that is how you do Unicode base64 encoding in bash. :-) I can see myself using this instead of encoding commands myself when I want to use them via a QUACK. The only things I would change would be to make it have an extra parameter that I can use to add a string of parameters to be prepended before the encoded command, like if I wanted to hide the PowerShell window or make it non-interactive, etc. Second, I would make it just output the PowerShell command, no GUI or anything. Reason being, most have been doing prep work before running their script, like from the run command getting a UAC-bypassed cmd shell to run their PowerShell in.
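The encoding discussed in the post above, as an added example (not the script from the thread and not the poster's own code): a small bash helper that turns a PowerShell command into the UTF-16LE base64 that `-EncodedCommand` expects, with the two changes the post asks for built in, an optional string of switches prepended and nothing but the command line on the output. The function names are this example's own, and it assumes `iconv` and GNU `base64` are available (both are on the Bunny's Debian image and on any glibc host).

```bash
#!/usr/bin/env bash
# Added example, not the script from the thread: build the PowerShell
# -EncodedCommand line that a QUACK STRING can type. Windows expects the
# command as UTF-16LE text, then base64. The function names are this
# example's own; iconv is assumed to be available (it is on the Bunny's
# Debian image and on any glibc host).
set -eu

# UTF-8 -> UTF-16LE -> base64 on one line (-w0 disables line wrapping,
# which would otherwise break the typed command).
ps_encode() {
    printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 -w0
}

# Reverse the encoding to check what the target will actually run.
ps_decode() {
    printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8
}

# Full command line. $1 = PowerShell command; $2 = optional switches placed
# before -EncodedCommand, e.g. "-NoP -NonI -W Hidden" to keep the window
# hidden and non-interactive. Nothing else is wrapped around it, so the
# output drops straight into a QUACK STRING after your own run-box prep.
ps_encoded_cmdline() {
    cmd="$1"
    extra="${2:-}"
    enc="$(ps_encode "$cmd")"
    if [ -n "$extra" ]; then
        printf 'powershell %s -EncodedCommand %s' "$extra" "$enc"
    else
        printf 'powershell -EncodedCommand %s' "$enc"
    fi
}

# Usage from a payload (the ATTACKMODE and run-box steps are the payload's own):
#   Q STRING "$(ps_encoded_cmdline 'Get-Process | Out-File C:\temp\p.txt' '-NoP -W Hidden')"
#   Q ENTER
```

Because the switches are passed as one string, the same helper serves both the "hide the window" and the "plain command, I already have my shell" cases; run `ps_decode` on the blob first if you want to confirm the quoting survived the trip through the payload script.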
  7. Nice simple keylogger. A cool addition I can think of is an optional parameter for a remote location in case you have to disconnect the BB. When it detects it cannot save to the BB anymore, it can start saving to the remote location if it is set. If that vanishes then it can quit, or quit if there is no optional remote and the BB disconnects. I always consider the BB a tool not to be left for too long (especially with the heat it builds up).
  8. apt install bettercap on Kali and give it a try. I have MITMf too and used it forever; recently tried bettercap and it works awesome. It is missing some of the cool modules like filep0wn, HTA attack and a few others but still awesome. You may... I say may, be able to pull this off by doing MITM manually: dnsspoof, some firewall rules, IPv4 forwarding enabled, sslstrip+ and some kind of proxy like mitmproxy or something. The question is whether the machine will use the BB first and tunnel through it, or default to the onboard NIC. We know Responder works because the machine tries the BB first. MITMf may be too much for the BB since the new version needs to be installed with virtualenvwrapper. You could try bettercap. Create a payload with just ECM_ETHERNET for Linux or RNDIS_ETHERNET for Windows in the payload file, and maybe some LEDs to let you know it is ready. SSH to the BB and create a test folder under root (this is how I test tools). scp the folder with the program you cloned to that folder on the BB and then try and run it (no install; you want to avoid extra stuff being dumped on the BB where you will have to find it and remove it). I would look on bettercap's site for their dependencies too, which can help. With any MITM program, you should not have to spoof ICMP or ARP since you are directly connected. It will not do any good since the BB will be on a different subnet than your network. This is all speculation. The bug to try and do this has not hit me yet. I'd rather build a payload to add a CA cert and change their gateway to my MITM machine, or change their proxy and point it to a Burp proxy. Using the BB for a MITM would require me leaving the Bunny. Rather run and go.
  9. Yeah, noticed this bug too. I wanted to do a combo but it looks like it doesn't find drivers for the NIC if you use it with another mode. Notice that in load mode the serial is not recognized. Using HID and Ethernet together is what I am waiting for too. It will make the BBTPS I have built more responsive: instead of a download cradle having to check for when the server is available, I could launch the HID when the IP is available, leaving just the load time for the JS server, which is very quick. From what I see it takes longer for the attack mode to switch. Waiting for the Target and Host IP to be available would fix waiting for the drivers to install and what not.
  10. If it is unmanaged code, you can do it with PowerSploit's Invoke-ReflectivePEInjection.ps1. The exe will need to be read in as a byte array to be used. You can load the PowerSploit module into memory and then load your own script that will handle pulling down the exe that you already converted to a byte array and then to base64 encoding to transfer. Decode back to a byte array and then inject into your current process or select one, with the arguments of the exe if any. If it is managed, you might be able to do it with reflection's Assembly, but I have only done this with .NET DLLs; I do not know if it works with .NET exes. If you really want the shellcode, it has to be unmanaged code (C, C++, no .NET). You can use a disassembler to get the opcodes or use a C compiler to dump the object, which will have the opcodes. There are tutorials online on how this is done in more detail both ways. Any way it goes, you may have to mess with it to get rid of nulls for it to be workable shellcode. The first 2 options involve no shellcoding and no disk touching. It looks like the primary use of this topic is to use Meterpreter shellcode, which msf can create for you easily. If you want to easily create shellcode to execute something, take a look at msf's payload windows/exec, which can compile an unmanaged exe or even shellcode I believe.
  11. The only way I can even imagine this, especially with the changing of the Ethernet mode, would be extremely hard in HID, but here is a shot. I do not know the outcome. 1) HID mode and USB storage need to be on. 2) HID mode will run 2 different lines; both will feed output back to the USB storage with a filename based off of the OS that line is built for. An example of this is running the PowerShell line to get you back the OS name with WMI (I do believe you need admin to read WMI). You will need to execute an escape to close whatever pops up on a box other than Linux, and then turn to the keystrokes for Linux to get the OS name to be piped back to a BB USB storage file, and then the same for OSX. In the end you should end up with only 1 file with valid entries. Test for those valid entries and switch attack modes and what not based on that. You could also run each command and test before running the next one to save time in case the OS you are on matches the first command. This is all in theory as I have not tried it yet.
  12. So far just the BB and the Rubber Ducky. I actually plan on getting the Pineapple Nano Tactical Elite kit. Want the portability to use from my cell. BB has enough features to keep me as busy as a Raspberry Pi Zero would. Darn things are forever sold out.
  13. Sorry, fan of your works. Good to see you on here with the BB. Looking forward to see what you do with this. Now I just need to see if Jacck pops up sometime too. :-)
  14. 100% agree. I will never say not to rewrite something to learn about it or improve it. I rewrite scripts all the time to better suit me and it helps me understand what is going on. I rewrote ReflectiveDLLInjection and several other inject scripts dozens of times just to see what is happening and trying to duplicate it to see if I understand what is happening. It is what separates you from being a script kiddie. Keep on scripting everything. The hard part you will come across (if you are running PowerShell higher than 2.0) is making your scripts 2.0 compatible, which is ideal for exploiting since you are not sure what PSVersion the victim is on but know 2.0 is installed by default on all Win7 and higher machines (the exception being Windows 10, which has the option to remove it and comes with PS5 by default). To test your code in a 2.0 environment when you are on PSVersion 4.0 or 5 you will have to start the environment with: powershell -version 2.0 Then when you run your code you will see what is not PSVersion 2 compliant. Keep at it. :-)
  15. PowerShellMafia did something like this here in PowerSploit under "Out-EncryptedScript.ps1". https://github.com/PowerShellMafia/PowerSploit/tree/master/ScriptModification I used their Out-EncodedCommand.ps1. Used parts of it in the BBTPS project I built and made a utility script for people to use that will output just the base64 of the compressed script. PowerShellMafia's encoded scripts use a password and a salt to encrypt them. The output is a function that, when run with the password and salt, will expose the plaintext script on output. Run the output with Invoke-Expression and there is your script.
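The "compress, base64, wrap in a decode stub" idea from the post above, as an added example that is not PowerSploit's Out-EncodedCommand and not the BBTPS utility: done on the Bunny/Linux side with gzip, so a large function-style script can be shipped as one string and expanded back in memory on the target. The PowerShell stub it emits uses GzipStream rather than the DeflateStream PowerSploit uses, and the function names (`compress_b64`, `decompress_b64`, `ps_gzip_stub`, `pack_script`) are this example's own. It assumes GNU `gzip` and `base64` on the host.

```bash
#!/usr/bin/env bash
# Added example, not PowerSploit's Out-EncodedCommand and not the BBTPS
# utility: the same "compress, base64, wrap in a decode stub" idea done on the
# Bunny/Linux side with gzip, so a large function-style script can be shipped
# as one string. The stub uses GzipStream (the System.IO classes present in
# PowerShell 2.0-era .NET), not the DeflateStream PowerSploit uses. Function
# names are this example's own.
set -eu

# stdin: script text -> stdout: base64 of the gzip bytes. -n omits the
# timestamp and name so the same input always produces the same blob.
compress_b64() {
    gzip -c -n -9 | base64 -w0
}

# Inverse, for checking the round trip before you ship the blob.
decompress_b64() {
    base64 -d | gzip -d -c
}

# $1 = base64 gzip blob, $2 = the command to run once the script's function
# is defined (the script must be written as a function, as the post says).
# The stub inflates the blob in memory, IEX-defines the function, then runs $2.
ps_gzip_stub() {
    blob="$1"
    run="$2"
    printf '%s' "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String('${blob}'),[IO.Compression.CompressionMode]::Decompress),[Text.Encoding]::UTF8)).ReadToEnd(); ${run}"
}

# Convenience: script file in, one-line PowerShell command out.
pack_script() {
    blob="$(compress_b64 < "$1")"
    ps_gzip_stub "$blob" "$2"
}

# Constructed sample script (not a real payload) for the usage below:
#   printf 'function Invoke-Hello { param($n) "hello $n" }\n' > /tmp/hello.ps1
#   pack_script /tmp/hello.ps1 'Invoke-Hello -n bunny'
```

The stub's output is itself just a PowerShell command string, so it can be fed through the UTF-16LE encoder for `-EncodedCommand` if you want to type it, or sent as the "compressed" job body to an agent; either way, run `decompress_b64` on the blob first to confirm the script is intact.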
  16. I just have some documentation tweaks and a few code tweaks here and there I see to do. Other than that, any further development of this project depends on what the community sees this tool mostly as. Is it good as a payload to be in the switch directories, or would you rather see it as a tool? If you see it as a tool, I will begin to work on it being used as a tool to be installed and function properly versus being served in the payload switch directory.
  17. Update... Just updated the BunnyAgent. It is PowerShell 2.0 compliant now. I went through the code and found the issue. I had 2 condition statements using the "-in" operator to see if an item was in an array. "-in" does not exist in 2.0. Switched the condition statements around to use "-contains". Works fine in 2.0 now. Enjoy.
  18. Okay all, I finally finished this thing well enough for me to release, but more work is yet to be done. It works. Try it out and let me know what you think. I got tired of fiddling with it and just decided to get something out there. https://github.com/PoSHMagiC0de/BBTPS Oh, my first time actually using GitHub too. I usually have friends in town who do pushes on my behalf... because I am lazy. I decided to learn git and do it myself.
  19. If you like debugging you will love this agent then. It has Write-Verbose all over the place so it is testable. The issue is the function doesn't even load in 2.0. Just a general error about needing something after the "-". I was like, huh? I have no empty dashes sitting anywhere. Works fine in 4.0. Just loading the agent with Invoke-Expression without running it throws this error. I am going to have to throw parts of it into a 2.0 session to see which part breaks, but pretty soon others will be able to debug it too. The verbose parameter is there for people to debug their own payloads through the agent to see if there are issues. Yeah, I did some light debugging. Too bad once you go up in PowerShell version it becomes harder to troubleshoot any 2.0 scripts, due to most tools natively supporting the version of PoSH you are on. I always had this issue even when developing payloads for Empire. I might have to bust out an old copy of Windows 7 without upgrades into a VM to do some debugging, but I am prepping documentation for what is done now to release. MS was so anxious to ditch 2.0 after 3, and especially after 4, that they made it optional in Windows 10, hehe. Maybe after I release I will undo it as a function with some hard-coded values to see where 2.0 is complaining.
  20. Update on the module. I've been sick all last week so didn't get to do much with it. Today, though, I finished the PowerShell agent. I finished the server and just have to add in the light procedures where I have them marked, make a payload.txt for this thing, test it on an actual BB and then release. My stomach is still raw so going to chill for a bit. In my test environment this thing works well, and fast. I decreased the sleep timer between checks to 1 second. It is wigging out when I tell it to run under PowerShell version 2.0, but I cannot find where, since there is no debugger for 2.0 out there. It gives me an error that is nonexistent on my line 1. Never seen it before since PowerShelling. Works fine under any other version. I will work on the 2.0 error some other time and release as is. Maybe someone else will see what I do not. When I get it working on my BB with a payload.txt I will release as is. Detailed instructions will come later.
  21. I wondered what would happen if it stayed plugged in too long. I noticed it gets warm really fast when I have it plugged in. I also noticed in some of the videos of it exposed that it has a heat sink on, but it would need air flow (vents like you mentioned) for the heat sink to serve any purpose. I guess it would buy you some time. Thanks for the warning. Confirms my suspicions.
  22. After the upgrade I blindly blew away the old libraries on my BB and put the new ones in... which did not have the old tools prepackaged. I ended up having to clone the current repos of impacket and Responder and put them in the tools folder on the USB partition, and followed the directions for safely unmounting, unplugging and replugging the BB. It copies them to the Linux partition under /tools. Responder just worked when I tested over SSH. The impacket stuff did not until I did the install, which then placed stuff in /usr/local/bin, and all the scripts began to work. I see this as a cross-board compatibility issue with paths only: when someone does SMB exfiltration or QuickCreds they will probably have to modify the path to their tools. The extension for RequireTools will not work for all, since their tools may not be in the /tools folder on the Linux partition. I've seen the Linux partition's apt folder has a sources.list pointing to Debian. Does that mean you can apt update and upgrade the BB, or will it break their image doing so?
  23. Update: I finally got time to put some serious work in on this thing. I have been thinking about making it a tool instead of it being used as a payload. Anyway, the JS server itself works. It serves jobs, it receives jobs. You can push jobs to it and you can send a quit command to stop the JS server. The purpose of that is the server is supposed to be a stopping point where you do all your work via payloads. When they are done, the agent will send the server the quit command before doing garbage cleanup and exiting. This can signal whatever else you want to happen on the BB after all payloads are done. I would say the server is 99% done, minus me redoing the LEDs for the new update inside the JS server itself. The PowerShell agent I spent all day on today and it is working. I wanted the handling of all jobs completed or failed/blocked to be done asynchronously via job events, but I saw why the PowerShell Empire guys chose to do polling of jobs and server instead. It makes it more simple, and scoping is a mother when it comes to jobs. So the agent still does jobs but has polling that goes off every 2 seconds to poll its jobs for any that are completed, failed or blocked and process them, plus clean up the job queue and check the server for any new jobs. When the server has no more jobs and the agent job queue is empty, it will continue the poll cycle 4 more times before calling it quits and sending the quit command to the server before cleanup. It took me a bit to find out what was going on, hence when I am done you will see I added a lot of verbose output to the agent that you can trigger to test your own troubled jobs by hand-firing the agent with the -Verbose parameter, and you will get information overload on what is happening as the server and agent do their thing. The JSON serializer needed to be enlarged to accommodate large scripts. I send everything as JSON to prevent too much back and forth.
To help with obfuscation or shrinking your payloads, the agent understands jobs that are regular text, base64 and compressed. I will have some functions I redid and made in PowerShell that will help in making your scripts in those formats. The agent is about 99% also. So far I know the server works on the BB. No compatibility issues there. I just have to package up the agent with the server and create a stager for it. I also have to work out the whole payload.txt to make everything work. I was going to have smbserver.py in there, but since the change, where the impacket structure is now for everyone depends on their preference on how they included it in their tools folder or if they hand-added it via SSH, so that part I leave to you to add if you have payloads that need to deliver or pick up files. Scripts have to have their contents encapsulated as functions like in PowerSploit. This makes it so you can serve the command in the job list. This makes your scripts more transportable to be used in other scripts, but also I plan on making the command line variable for the job have some dynamic fields that can be pulled from the environment sometime in the future. I will be refining the payload.txt and testing with a live machine (versus using my Linux box to run the server and my Windows VM to run the agent and payloads) to get cohesion down with the Bunny and the system. Last thing. I have been giving it some thought and see this looking more like a tool than a payload. After people get their hands on it and play with it, I will let you decide. It would not be hard to modify to look at the switch payload folder for payloads and agents and the loot folder. Right now it is configured all by exported environment variables, or defaults if none. No change directories; it uses absolute paths. My only concern is how easy it would be to update tools on the BB. I know about the tools folder and the autocopy it does; does it replace folders when one of the same name is present?
Future plan: After I get this out there, I am going to go back to looking at the eventing for the job states again. I liked it before I noticed the thing threw up 100 empty jobs on my test machine when it only should have been running 3. Found out it was scoping, so I will need to trace that out to see if I can nail it down so the agent polling cycle will only be to throttle how fast it hits the BB server to check and get the new/next job, and to see if the local job queue is empty for some time before killing server and agent. The events will handle, when the job finishes, processing the data and returning it. Funny story. I was finishing up the agent and doing some final testing. I was using the original Invoke-Mimikatz. It is a big script and caused my JSON to break, so I was fixing my code around it. When I finally got it to work, the Avast on my test machine went off like a Christmas tree during download of the script. I laughed. I always run an AV on my test VM and rigs to let me know when something I am doing may trigger alerts or get stopped. I then decided now was a good time to test my encoding, so I just did a simple base64 encoding, which enlarged the payload, but the JSON sizing I did worked and it still deserialized and it ran with no AV incident. I just have to test the compressed encoding now; it would help with those big scripts. Another reason why your scripts should be a function: so you can encode, encrypt or whatever. The script will be turned to its original form in the end, and your command to run it will be appended to the end and run as an asynchronous job.
  24. I believe if you enclose your command in double-quotes then the only thing you will have to escape is double-quotes you want to show up in typing and $.
  25. Blinking amber means it is scanning; whether it is working is questionable. When it is running and the network screen you specify pops up, ignore it and get to a command prompt to see if you can ping the Bunny IP. ipconfig to see if you have another adapter with an IP in the Bunny range. Last, with Responder you need some kind of traffic that can be tricked into making Windows cough up creds. One sure way to test for discrepancies with Responder is, while QuickCreds is running, open up File Explorer and browse to a false network path "\\nowhere\junk". If it goes green and you get prompted for your creds, then we know it is working; Win10 might just have had some improvements, or your installation has the settings, to not share creds with untrusted sources. MS has been working with security guys from Metasploit and Empire to fix some of these security issues like blatantly sharing creds with anyone who asks, and injection, which is why you will notice reflective inject fails on Windows 10 if you disable PowerShell version 2. Windows 10 will be a constant moving target in this area due to forced auto-updates too. Very rare to find an out-of-date Win10 machine. The last thing to try is to load an empty payload that puts the BB in Ethernet attack mode, then SSH to it and run Responder directly with the -A command and see if it is able to analyze traffic. You can also run Responder commands directly under SSH and see if it is outputting stuff to the screen. I have a feeling it may be a security feature.