This is an extension waiting to happen. I'd imagine DETECTOS would spit back version based on a scan. We're looking at building an AUTO_ETHERNET ATTACKMODE which will try ECM_ETHERNET then fail over to RNDIS_ETHERNET if the target does not obtain an IP in X seconds (or possibly the other way around).
nmap can do an OS scan, as can p0f (included in the firmware). I agree that this sort of extension would be really useful in having more complex and intelligent payloads that make decisions based on various conditions including OS version. I'm keen on seeing its development.
PoSHMagiC0de is correct that it could be done via powershell commands - though I think the less hacky way would be to scan the target via the pocket network in the first stage, then launch the appropriate second stage depending on the results.
Page 27 of this research from NCCGroup may be of interest in doing OS detection. There are apparently some slight differences in how the USB enumeration process happens between the various OS's.
I'm not sure if the Bash Bunny can view the USB protocol at such a low level, but if it can, this approach would certainly be optimal. Opening up another powershell/python or whatnot just to do OS detection increases the time required to exploit, and potentially increases the chances of being caught.
The HID is coming from inside the Bunny!
in Bash Bunny
Posted
https://media.blackhat.com/us-13/US-13-Davis-Deriving-Intelligence-From-USB-Stack-Interactions-Slides.pdf
Page 27 of this research from NCCGroup may be of interest in doing OS detection. There are apparently some slight differences in how the USB enumeration process happens between the various OS's.
I'm not sure if the Bash Bunny can view the USB protocol at such a low level, but if it can, this approach would certainly be optimal. Opening up another powershell/python or whatnot just to do OS detection increases the time required to exploit, and potentially increases the chances of being caught.