PoSHMagiC0de
Dedicated Members
Posts: 618 | Days Won: 26

Everything posted by PoSHMagiC0de

  1. Actually RTFM should be pinned at the top. Or RTFW, with W standing for wiki. I do not know how many times I have seen folks regurgitating the wiki here for most of the questions asked. I guess reading instructions is old school. The new school thing is to dive into it and then make your own FAQ by asking questions in the forum that are answered in the manual. I am beginning to no longer reply to or answer questions if the answer is in the wiki. Feed a man a fish and feed him for a day, teach him to fish and feed him for a lifetime. You know the saying.
  2. Wanted to add too: you can make a payload with just ATTACKMODE RNDIS_ETHERNET and see if the victim machine gets the RNDIS interface installed. If it does, use PuTTY to SSH into the Bash Bunny and run the commands by hand... without the ATTACKMODE, since changing attack modes while on SSH will drop you. I accidentally found that out testing a payload locally and running it before remarking out the ATTACKMODEs. :-P Anyway, you can SSH in and then run the GET command and check to see if you get an IP, switch position, etc.
  3. So, I am assuming you are using this on a Windows box. With that said, I never used GET with the TARGET_IP parameter, but here is what I would do to test. I would test for TARGET_HOSTNAME also just to make sure it works, and I would check a few times to give the Bunny time. Below is an example script that should work for you to test. I included HID to quack out the results too.

    LED SETUP
    ATTACKMODE HID RNDIS_ETHERNET

    # Poll for the hostname; GET can take a few seconds after the RNDIS interface comes up.
    LED STAGE1
    COUNT=0
    while [ -z "$TARGET_HOSTNAME" ] && [ "$COUNT" -lt 5 ]; do
        GET TARGET_HOSTNAME
        COUNT=$((COUNT + 1))
        sleep 1
    done

    RUN WIN notepad
    Q DELAY 3000
    if [ -n "$TARGET_HOSTNAME" ]; then
        Q STRING "Hostname of computer is: $TARGET_HOSTNAME"
    else
        Q STRING "Target Hostname was not found."
    fi
    Q DELAY 500
    Q ENTER

    # Same loop for the IP address.
    LED SPECIAL1
    COUNT=0
    while [ -z "$TARGET_IP" ] && [ "$COUNT" -lt 5 ]; do
        GET TARGET_IP
        COUNT=$((COUNT + 1))
        sleep 1
    done
    if [ -n "$TARGET_IP" ]; then
        Q STRING "IP of computer is: $TARGET_IP"
    else
        Q STRING "Target IP was not found."
    fi
    Q DELAY 500
    Q ENTER

    LED FINISH

Pretty much you will loop through a number of times to see if it is taking some time for the Bunny to issue the IP. I know I always get a hostname. IP I don't use, but this should work the same. The LEDs will let you know which part it is checking for, and the Bunny should open Notepad and type out the results as it gets them.
  4. He can make it hybrid. His perimeter should be hard lined. Some important cameras can be hard lined and then any extras he can go wireless. I convinced a small business here to go that route to save on money and cover the important bases. They were all wired alarm and wireless cameras. Should they not have a big enough buffer and be jammed long enough, you will lose the footage of the crime. They have now switched some of the important cameras with good coverage to wired. So, even with their hybrid system, I made sure their few wireless cameras had fat buffers. So, going completely wireless may be a bad idea; having non-critical areas on wireless may not be a bad idea for cost savings.
  5. Actually, that is not a bad idea. Try FruityWifi to see if its captive portal works. The reason is that when I had issues with Fluxion back when I first switched to Parrot, I also had issues with wifiphisher, reaver and wash. It turned out to be an issue in the Parrot distro that was resolved soon after. One thing that did work that I tried out was FruityWifi with captive portal. It gave me no issue and worked fine. So, it would be a good comparison test for the sign-in prompt for the captive portal. For what flok is trying to do it will take him some custom coding to accomplish what Fluxion does. I like FruityWifi because it was my PineAP before I got a WiFi Pineapple Nano. Just some info on wifiphisher and Fluxion in case you do not know. wifiphisher is a wifi social engineering tool. It doesn't beacon probes it receives like mana/pineap/karma. You target an AP, it duplicates its name (not its BSSID) and then brings up a false AP with the same name while jamming the real one by BSSID. It requires the victim to actually still connect to the open AP of the same name, where they will be prompted that they need to sign in by captive portal. The captive portal has several templates, one to try and coax the wifi password or one to try to get the user to download and run an app. After the password one, it displays it to the attacker and drops the attack on the AP. Of course you have to trust that the victim put in the correct password since there is no verification. Fluxion is the same thing but has 2 different modes. It has a fake AP mode like wifiphisher, but for it to run it needs a capture file with a handshake from the victim AP to use for comparison. It will not run without it. The second mode is to assist you in getting that capture file by either doing monitor only or intrusive (deauth) to get the handshake. It even checks for the handshake while working to get it and stops when it knows it got it. With the handshake you can go back to the fake AP to do the attack.
It does the same attack as wifiphisher with the fake AP of the same name but deauths the BSSID of the real AP and has a template for a captive portal trying to coax the user's WPA password. The difference is when the user puts it in, Fluxion uses aircrack or pyrit to verify it against the hash; if it doesn't match, it tells them the password is wrong and the attack continues. Only if the attacker manually stops it or the correct password is entered on the captive portal does the attack cease. So it is wifiphisher with verification, so to speak. I actually think both these projects could come together (wifiphisher and Fluxion) as they are almost identical in what they do, just one added verification.
  6. I would doubt it. If it is possible it would be news to me. The best way to look at it is this. Is it possible to hook up a USB mouse through some sort of reverse USB hub to multiple PCs? I am not talking about a KVM. That still requires switching for each machine. From what I know you cannot, and first and foremost the attack the Bunny does is USB. I only know of USB hubs hooking many USB devices to 1 host.
  7. So, I finally finished the No_Express version of the BBTPS. This means no npm install before adding it to your Bash Bunny. Just add it and begin using it. I also posted a pull request to have it included in the Hak5 payloads under general since it is mainly a tool/utility. Later I will work on refactoring it into submodules, since the payserver code has increased with the absence of Express, but overall the project is smaller without Express' overhead. The update is on the No_Express branch of the BBTPS. When I clean it up I will merge it with master and do a pull request to update the Hak5 repo again.
  8. @digip He is trying to use a project called Fluxion which does this too, for the purpose of social engineering the wifi password from someone. It is a batch of scripts with one script to run them all type of project too. Been using the project for a bit. Have had issues in the past with it and recently, but was able to resolve them or the dev resolved it. It prompts me that I need to sign in when I connect to the rogue AP like it's supposed to, but flok seems to be having issues with this part. @flok You may have to post your issue to the developer's GitHub issues section. As digip mentions above, if all your DNS queries end up resolving to your machine running Fluxion and you can open the portal from the victim then all should be good. Beyond that, I do not have a clue why you aren't getting the same results.
  9. I think a web manager is on everyone's list haha. It is on my list eventually for BBTPS. I think Davee is the only one to beat us to the punch with some kind of web manager. The server that runs on the Bunny for BBTPS is nodejs (with Express, soon to remove Express for the vanilla http module). I use PowerShell as the agent and payload preference.
  10. If running a pentest framework you should have an app called hashid or idhash (forgot the name order). It will let you know what things it looks like, to give you an idea.
  11. To figure out the communication flow, proxy yourself through Burp Suite. Turn interception off so it doesn't stop the request and work with the site and look at the request/response flows.
  12. So, I guess I will be making a minor update, but it will appear in a different branch. This new version will simplify installation. In other words I am removing the express module from the project and going with the vanilla http module. The reason for this is some may not be able to install the express dependency that is needed to run the BBTPS. Also, the current format is not conducive to being merged into the Hak5 Bash Bunny repo due to the dependency needing to be installed. This update is still 1.6 since the usage will be exactly the same. This will be just the version I will be submitting to the Hak5 BB repo. I will be keeping and updating this one alongside the original. I plan on submitting it under the general section since it is mainly a tool for people to add their own payloads to use. The payloads that come with it are examples, though some like to use it as is, just changing which payloads are run.
  13. I am not online when using Fluxion since its use is to trick the user into thinking their router is having issues and they need to enter their wifi password again. Internet access is not required. The iptables flush is to make sure I am not blocking any of my ports from the victim so they can resolve DNS and get redirected properly to the fake router page. I believe captive portal detection is pretty standard. When your phone gets online on wifi it tries to hit some of its sites. The redirected response, and not their site, tells it that you might need to sign in to get access to the internet. If DNS goes nowhere, it will make the phone think there is no internet. If it is able to get to its service then the internet is on. My browser doesn't open automatically but it does give a notification that I have to sign in to get internet access. If you as a victim get the portal when you try to browse anywhere then it is working. Your phone should prompt, if it tries to reach out on its own to get to the internet, as I understand it. Have not seen a phone fire off a browser automatically unless I click on the notification. Seen a Windows machine do it though. From that point, if nothing is blocking DNS nor the portal from the victim talking to them on your machine, then the above should work.
  14. If you are running Fluxion I suspect you are on Linux or Mac. Since I only know Linux when it comes to Fluxion and run on a Debian distro (which should not matter much), the command I gave above should list your tables. Your iptables should be empty with the INPUT, OUTPUT and FORWARD chains set to ACCEPT by default. This means there are no rules blocking anything from your computer. If in doubt, the commands below will wipe the tables clean. If they are autopopulated, they should come back after a reboot (the simplest way without going into discovering how your iptables are set, since there are several firewall things out there, with Ubuntu having one other than iptables too, that I normally just dump).

    sudo iptables -F
    sudo iptables -X

Pretty much, if you have their latest pull from GitHub and make sure it is from deltaflux (there are a lot of forks out there; the real one was buried in the noise for a while before they ended up on top again), and if you run it and it says all dependencies are checked... and you make sure before you run it you kill apache, nginx and any web services that may be running, and for safe measure I would do:

    sudo airmon-ng check kill

Though I have run it without doing this, but only did it once because I am lazy, I would still kill competing services to be sure with the above command. So, flush tables, kill web services that may be running (Kali sometimes has packages running web services in the background; if you messed with the tools any, you may have inadvertently got one going on autostart), use aircrack to kill any network services that may interfere with Fluxion. At the end, do:

    sudo netstat -tulnp

and see if anything is using 80 or 443 (those would most likely be web services still running). If it is all clear, try running Fluxion and do not forget sudo; it needs admin privileges. Test and see if you get the portal.
If not, test and see if you can ping the gateway from the victim, or see if anything resolves to an IP address if pinged; it should resolve back to the attacker. If it does, try browsing by hand to the IP and see if you get the portal. You may also be able to run Wireshark on the attacker to see if the packets are getting to the page. I have not tried, but you probably can browse from the attacker machine to the portal on the same machine to see if it pops up, to determine if it is even running the portal. What you are trying to find out is if the portal is running, if the DNS service is pointing you to it and if victims are not blocked from it. Those are the steps I went through, but I didn't have to get to the part to see if the portal was running. netstat told me that. I didn't even have to go into Wireshark. I just had an epiphany that I have custom firewall rules that I would need to remove to allow users to reach the portal.
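The pre-flight checks from this post (firewall flushed, nothing else already bound to the DNS and web ports) collected into one script. This is an added example, not Fluxion's code and not from the thread. The two parsers read `iptables -S` and `netstat -tulnp` output on stdin, so they can be exercised on the constructed sample output embedded below without root; `--live` runs them against the real commands. The port set (53 for the DNS sink-hole, 80/443 for the portal) and the process names in the sample are assumptions.

```bash
#!/usr/bin/env bash
# Pre-flight checks for a captive-portal evil-AP run (Fluxion-style).
# Added example, not Fluxion's or the poster's code. The parsers read command
# output on stdin so they run on the constructed samples below without root;
# `./preflight.sh --live` runs them against the real iptables/netstat output.

# Print "proto port pid/program" for every listener bound to one of the ports
# given as arguments. Expects `netstat -tulnp` output (udp rows have no State
# column, so the PID/Program field starts one column earlier than for tcp).
listeners_on_ports() {
    local want=" $* "
    awk -v want="$want" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, addr, ":"); port = addr[n]
            if (index(want, " " port " ") == 0) next
            start = ($1 ~ /^tcp/) ? 7 : 6
            prog = $start
            for (i = start + 1; i <= NF; i++) prog = prog " " $i
            print $1, port, prog
        }'
}

# Exit 0 if the filter table has anything beyond ACCEPT default policies:
# a non-ACCEPT policy (-P), a user chain (-N) or any rule (-A).
# Expects `iptables -S` output.
iptables_has_rules() {
    awk '
        /^-P / { if ($3 != "ACCEPT") found = 1; next }
        /^-[NA] / { found = 1 }
        END { exit !found }'
}

# Run both checks against the live system (needs root for full netstat output).
live_check() {
    if iptables -S 2>/dev/null | iptables_has_rules; then
        echo "iptables: custom rules present -> sudo iptables -F && sudo iptables -X"
    else
        echo "iptables: clean (ACCEPT policies, no rules)"
    fi
    local busy
    busy=$(netstat -tulnp 2>/dev/null | listeners_on_ports 53 80 443)
    if [ -n "$busy" ]; then
        printf 'stop these before starting the portal:\n%s\n' "$busy"
    else
        echo "ports 53/80/443: free"
    fi
}

# Constructed sample output (assumed process names, not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1203/apache2
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      702/cupsd
tcp6       0      0 :::443                  :::*                    LISTEN      1410/nginx: master
udp        0      0 0.0.0.0:68              0.0.0.0:*                           833/dhclient
udp        0      0 127.0.0.53:53           0.0.0.0:*                           611/systemd-resolve'

SAMPLE_IPTABLES_CLEAN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

SAMPLE_IPTABLES_DIRTY='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

if [ "${1:-}" = "--live" ]; then
    live_check
else
    echo "== sample netstat: listeners on 53/80/443 =="
    printf '%s\n' "$SAMPLE_NETSTAT" | listeners_on_ports 53 80 443
    if printf '%s\n' "$SAMPLE_IPTABLES_DIRTY" | iptables_has_rules; then
        echo "== sample iptables: custom rules present, flush before starting =="
    fi
fi
```

Run it with no arguments to see the checks on the samples, or `sudo ./preflight.sh --live` on the attacker box before starting the portal. `ss -tulnp` lays its columns out differently from netstat, so feed it netstat output or adjust the column indexes in `listeners_on_ports`.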
  15. Yeah, a lot of people are having issues using their Bunny. From what I can see from your post, things are working inside the Bunny as far as creating folders and stuff. It just looks like payloads are returning nothing, etc. When it comes to Win10, a lot of payloads may not work. It is because of the added security with MS's recent updates to Win10. I have been busy lately with work so have not had time to test other folks' payloads on a Win10 machine to see if there are changes or if they are not going to work anymore. The best test I can suggest for you to see if the BB works is to write a simple payload with HID and STORAGE. Have the BB type out a command to copy a file you know exists to the BB USB drive. Or if you prefer, have it just arm itself and see if you can see the drive under your list of USB drives and whether you can copy to and from it. You can try to have the Bunny do it next using Quack commands in the payload.txt if the manual way works. Never use someone else's payload as a test of a functioning Bunny. It was written by that person and will work for them under their situation, which may not be everyone's situation. Example: Mr. Robot. Awesome payload. Works great on Windows 7. Will not do a thing on Win10. Not the payload creator's fault. Win10 is just secured against mimikatz type attacks in recent updates. Another example. Everyone loves fodhelper now for Win10. Did you know there is the eventviewer bypass too? Some virus scanners see the attempt as malicious now, so it might be stopped. Won't be long until fodhelper falls into the same boat. For those that got the update, if it happens it will not work for them anymore; for those that don't, they will think everything is fine and others are trippin. Also, if the system is set to always prompt on UAC and has the secure desktop enabled, then both of the bypasses will not work on those systems.
I can only safely say that if you want to use existing payloads as tests, use them on a Win7 machine, since that is the time period they were conceived in and mostly geared towards, unless they specify otherwise in their payload.
  16. What digi said... or you may have to take this to the programming section to write some custom code in Python or Node to communicate with that wss service and parse the output you want. You will need to know how the service uses wss. Burp may help with debugging the traffic and seeing what you have to send/receive in the app/script.
  17. I hadn't installed Fluxion on my new ParrotOS system in a bit. I would say a few months ago it didn't even work. Before then I used it heavily on Kali and it worked fine. Recently, like within the month, I downloaded it and it worked with my cards again, as far as even starting up without complaining about unsupported devices, even though I ran the same cards on the same machine I ran it on before when I had Kali. The issue I ran into for a day was people would connect but not get the captive portal page. Was driving me nuts until I realized I was having a doh moment. Maybe my doh moment is yours too. Check your firewall. Yep, I forgot I run with aggressive iptables rules, but I have a master rule I run when pentesting to drop them all. So, I did that and there was my captive portal and the message telling me I needed to sign in. So, if you are on Linux, check your iptables:

    sudo iptables -L

If on Mac... well, someone else may be able to help you there.
  18. Fluxion does this now. It has a mode for you to capture the WPA handshake that you can then turn around and use for the evil AP. The evil AP part will bring up an AP with the same name as the target AP but 1 MAC number off. It will bring up DHCP and DNS, sink-holing you to the captive portal. It will then deauth the legit AP. People are not forced to you but decide on their own to connect to you since they cannot connect to their own AP. Your AP is open. Once they connect, they will be greeted with a message that they need to sign in (if on a phone; I believe on Windows too), like at a hotel. This is where Fluxion shines. It will ask you for your wifi password. When you put it in, it will use aircrack or pyrit to check and see if it is correct. If not, it will say it is incorrect and the attack will continue. Once someone puts in the correct wifi password that checks out against the handshake, it will say they connected successfully and stop the attack. https://github.com/FluxionNetwork/fluxion I know a lot of people have been requesting this on the WiFi Pineapple. I completely agree. It is one of the best wifi social engineering attacks I have seen, the only one I've seen that will do validation of credentials.
  19. The command you are looking for is below if you do it in PowerShell.

    (Get-WmiObject -Class Win32_Volume -Filter "label='BashBunny'").Name

That should get you the drive letter for the Bash Bunny in PowerShell using the volume label name.
  20. You can do it with an image file too so you do not have to use up a partition.
  21. Just wanted to do an update. Mame82 did some updates to the installer so it works fine with Raspbian Stretch Lite now. I have yet to fully test the install, but I got it working with Stretch before the changes, so it is compatible; just the install needed some tweaks to work fine. On top of that, I have given it a try with Empire Project. Since this is optimized for Windows I decided to use Empire as the companion framework with this project. It is written in Python too (so hopefully there is some way to merge them, maybe into P4wnP1 as a separate listener with stager/launcher), so I figured there would be no big issue. The only issue I ran across is Empire itself needing extra dependencies that it doesn't install, probably because it was put together on Kali so some dependencies are taken for granted as already installed. I am building a list of dependencies to give to the Empire team so they can do some extra checks. Besides that I got it running relatively easily. How did I use it? I made a copy of the hid_backdoor payload. Renamed it, changed the PID, set RNDIS to true. Now I have HID and network ability. When P4wnP1 launches, on my wifi SSH connection I create a new screen window and launch Empire. I create a listener and get the launcher. That launcher I use after I initiate a HID_Backdoor (FireStage1). I then CreateProc the launcher to get Empire up. Now I can create a separate agent and turn it into a relay. That relay is used as my listener point for any other machines I get into on the network, since the victim PC that the Pi is on is not sharing its internet with the Pi. Essentially, I turned the machine the Pi is connected to into a RAT controlled via wifi. Want to get the connections to an outside terminal? Just fire off a launcher for the Empire server that is on the outside. Doing it from the Pi eliminates external connections going on, reducing suspicion, since most of the early warnings are connections to outside sources.
I imagine you can do the same with Metasploit, but I have not tried to install Metasploit separately on the Pi yet; usually it comes in Parrot or Kali for Raspberry Pi when I get the full distro image, which I normally do if I am just making a general, small, network-accessible remote access terminal.
  22. Not even possible with the BBTPS. It will take a procedure to do it if you can do it. The machine has to be accessible remotely through network meaning no firewall rules and possible to access admin shares and/or wmi through network. Then you would need the admin credentials of that machine. With those two it is possible to come up with a way. Man, so many people ask about interacting with a locked machine without creds. Here you go. You cannot. If QuickCreds no workie, walk away. Unless you have credentials to the machine or can get them, or have an exploit to a vulnerable network service running on that machine, you aren't doing anything without a reboot and a boot disk. Unless you pretampered with the machine so you have a backdoor like the sethc/cmd swap backdoor or something.
  23. I just install a Linux distro to a 32GB USB. Made one for my boss too. A lot of people will use the live USB with persistent storage. I made the whole thing persistent so I can treat it like a mobile Linux machine. I started with Ubuntu, later had a Kali USB and in the end I have an encrypted ParrotOS USB stick. I have all the tools I have on my Linux laptop on the USB and can do the same things when booting up a machine from it, minus reading a UEFI drive, which is different. You can use Sleuthkit to recover files or image the drive to another USB drive that is big enough to hold the image to inspect later. I used VirtualBox to make it. Installed the latest version, added the Extension Pack so USB would work right in it. Created a new virtual machine with no HD and the OS ISO as my boot media. I configured USB in VirtualBox and plugged in my USB stick to add it to the list in VirtualBox. I then booted up the VM and installed the OS to the USB like I would be installing it on a regular machine. When all done I removed the USB and booted it from a real machine (with the internal HD disabled so when I do update I do not get a menu item of the local machine's OS in my GRUB menu) that has internet, and then did my update, upgrade, autoremove, extra installs, configurations, etc. When done just shut down and the USB is ready. This helped me recover files from customers who had crashed bare metal servers and other things. Been trying to find a good virus scanner that can run on Linux but understands the Windows file structure to accurately find viruses, but when it is that bad I recover files with the USB and then wipe the machine anyway to redo it, to avoid potentially missing hidden buggies.
  24. I believe the signed-with-a-valid-cert scripts thing can be bypassed, if you are local admin, with the parameter "-ExecutionPolicy Bypass" or "-Exec Bypass" for short. Also, if the script is being typed from the command line, it does not have to be signed, only if you are running it from a file. So another way around it is to have the BB type out a download cradle for your script which will load it into memory as a string (not a string array; if you are ending up with a string count of more than 1 then pipe that to Out-String to make it a solid here-string), where you can then execute it. Execution policy doesn't affect code in memory, only code on the disk. Take a look at other payloads; some do just this. I believe Darrin's exfiltration script does this also. The BBTPS does this too, but it may be more confusing to read since I have it staying up for a certain number of heartbeats to give time for the BB network to come online and dying if it times out.