
Posts posted by Scriptmonkey_

  1. This works beautifully btw. I've been using this for exactly what you suggest @Jenny_b against hosts with a removable storage exclusion applied.

    I've nicknamed it "the Exfiltrator", basically configured a DHCP server, nfs server, SMB, ftp and a simple php webpage offering upload and download, with the DHCP server, it's an awesome little beastie for that and some other things ;)


  2. Not had any issues here, but I'm primarily accessing it from an Ubuntu 18.04 base. I have ssh'd to it using Windows 10 and had no issues but I'm off on leave now for the holidays so no access to it at the moment but will double check when I can.

    Just to eliminate the obvious, it isn't just taking a while to regenerate its keys is it? It happens on connection so it could just be taking a while maybe?

  3. 10 hours ago, McFly said:

    Is there really nobody there who can help me? What for is the reset button? I wrote to the support but the last sound I heard of them was 4 days ago and I answered instantly and since then nothing. 

    Honestly the only thing I can offer is "Try Harder" to coin a phrase.

    It took me a few attempts to get the reset function to trigger but it worked for me. If there are LEDs flashing patterns that aren't related to network activity, then I'd say there is clearly something running and it's down to you to figure it out. I figured out the above, you may need to do some other incantation. There are other rescue modes advertised on the openwrt docs, perhaps you booted into one of those.

    Here LMGTFY: https://openwrt.org/docs/guide-user/troubleshooting/failsafe_and_factory_reset
    Your description sounds like you've got it booting into the first example given.

  4. On 8/26/2019 at 6:37 AM, hierophant said:

    I especially need a good way to discover all ips and new ips on my network. I tried a nmap internal network scan and arp and a broadcast address. 


    netdiscover, arp-scan, nmap -sn (or for that matter: https://nmap.org/book/man-host-discovery.html)

    Also perhaps you should review some of the lovely free educational material published by Hak5... in particular this one may be of use:

    On 8/26/2019 at 6:20 AM, hierophant said:

    Only real connection is through the blinking blue light on all switches. I followed the instructions to update the firmware. Maybe I need to make my usb ext4?

    Do I need to SSH to it? Because I have other HAK5 products and the default ip assigned is not the right one. So I can't see if there's a shell I can do networking input for getting the packet squirrel online in payload 1 mode. 

    I tried arp -a. I tried ifconfig getting the broadcast of my wlan0 and br-lan, ping, then arp -a, to see what ip's there were but nothing but the obvious established devices. 

    Any help would be amazing I'm exhausted with work. 

    Also, DNSPOOF. So the first domain in the config is where you want the target to be sent? And once executed after following the config instructions in the manual. It's specific to the target's nameserver right? It's not gonna start messing DNS all over the network?

    Thanks for anything you can give me everyone. 

    From the manual itself:


    The Packet Squirrel supports USB flash disks formatted with either EXT4 or NTFS file systems.

    This is of particular importance since most USB flash disks come pre-formatted with FAT32 file systems and must be reformatted before use with the Packet Squirrel.

    I would recommend reading more of the manual: https://docs.hak5.org/hc/en-us/categories/360000982574-Packet-Squirrel

    The default IP, credentials and operation of the device is explained in full there.

    As for DNSSPOOF, that's a tool built by someone else. Read its manual too.

    On 10/10/2019 at 7:50 PM, hierophant said:

    Wow awesome super supportive hacker community we got here.
    I can't find another thread about connection loss moving from arming to TCPDUMP?
    I've seen other people complaining but their situation was different. I already called my ISP to see if it was getting knocked off. But nope
    But anyways thanks for the help on this crap forum. I just bought 7 devices from HAK5 and I can't even get any motherfucking Customer Service?
    Forget it anyways, I already just bridge a connection like I always do. Thought it would be cool to put the squirrel right on the ethernet line
    BUT OH WELL, Might as well throw this piece of garb in the trash. 

    What are you trying to even?
    Instead of losing your temper, stop trying to run before you can walk, read the manuals that are provided for your products (because by your own admission you've not done this), then come to the forum with actual output from what you're seeing, try logging your script output for example - the packet squirrel will write to its local flash if you're having issues with USB keys.

    If you're a "newbie" there's no shame in it, and people will want to help you. Everybody has to start somewhere, but I would say buying 7 rather expensive products without a use case is probably the first mistake you've made. These products use mostly publicly available tooling, essentially putting them in nicely designed little packages and wrapping them with some extra bits and pieces that make them worthwhile buying.

    You can do all of the packet squirrel's attacks with a laptop and two network cards. I'd suggest getting your attack working there, then transferring it to the packet squirrel platform, as by trying to dev directly on the platform you're going to be pulling your hair out especially if you've not figured out how to SSH to it yet.

    On 10/10/2019 at 8:00 PM, hierophant said:

    What's the point of the packet squirrel when you can do so much more bridging your own device and running those types of pcap commands?

    The point of the packet squirrel?

    I use my packet squirrel all the time:

    • As an OpenVPN tunnel for my laptop/switch.
    • Diagnostics for my family's PCs (here plug this in when you get home... I'll RDP in)
    • or on jobs where I want to surreptitiously gather packets from a host to another host.

    e.g. MFPs that scan, fax and print are a perfect use case. I can get documents both scanned and printed along with NTLMv2 credentials when the printer auths to something to either do an address book lookup or dump a file on a file share. It all fits together with a small USB power bank, into the floor panel. Out of sight, out of mind.

    Yeah I can do all that with just my laptop, but it packages it all up very nicely in a tiny piece of kit.

  5. 1 hour ago, Jtyle6 said:

    Na, you just need a paper clip or a SIMcard eject tool to do it...

    Thanks, I was using a pin and it just kept missing it or slipping off 🙂 Wrote up the recovery guide into another thread but yeah, looks like firmware upgrade is basically scp firmware file to /root/, boot cycle it into arming mode and wait for LEDs to stop doing the hokey cokey.

  6. So anyone who's seen the other firmware post has probably seen my adventures in trying to figure out the firmware upgrade process as the suggested tool in the post just doesn't exist, is available on github if you need it, but the links in the download center appeared to be broken earlier.

    I ended up bricking my shark to some degree - Turns out though as it's based on openwrt it has the inbuilt recovery features.

    So these are the steps I took to restore its functionality - you can follow, but it is by no means the official help, nor is it without massive risk. I was willing to chalk my jack up to being a lost cause.

    1. Charge it - You probably won't have LEDs here to help you out (no charge level indication) but you only need sufficient power to "wait" for it to actually boot, so plug it in for 5 minutes and just let it charge.

    2. Using either a pin*, sim-card removal tool, etc., locate the hole on the back of the case and insert it most of the way, you should feel a button at the end of the travel. Rest it on it, but do not depress it.

    *I found it difficult to "aim" my pin at the button as it's tiny... so I removed the casing of the shark jack... there are no screws, it comes apart with a spudger inserted down the side, really easily.

    3. Power on the device to ARMING mode (middle position). Depress button using your pin now. Count 1000, 1, 1000 2... etc until 1000 7. Remove pin!

    4. Plug device into your Network Jack, within a minute or so you should see green lights, indicating activity on the network port.

    5. Set your host's IP to and attempt to browse using a web browser to you should see a screen like the following:


    6. Once you've proven connectivity to the recovery webpage, PLUG IN YOUR USB-C... KEEP THE SHARK JACK POWERED THROUGHOUT THIS PROCESS.

    7. Select the OS tab.

    8. Using a normal "upgrade-*.*.bin" firmware file available from the hak5 download center (download it, check the checksum), browse to the firmware.

    9. CONFIRM YOU ARE ON THE OS TAB AND IT SAYS "e.g: OpenWRT.bin" DO NOT DO ANY OTHER TAB or you will be on your own. - select "start upload file".

    10. Page will switch to a loading screen informing you to wait until the device reboots.

    11. Once the device has rebooted you should notice this... the LEDs will have done their boot cycle (flashing greens) and turned to either flashing amber, indicating arming mode, or flashing/static blue to indicate the device is either charging or charged.

    12. Set your host's IP to and attempt to SSH to the device. You may get prompted about the SSH host key having been changed and may need to delete it from your known_hosts file, but once done... you can log back into the device using the default credentials of root:hak5shark.


    Now go get a celebratory beverage of your choice and get your hack on.


  7. Well... snifflebiscuits.

    I believe I've done did broke it.

    Lost network connectivity as the file was transferring (not sure why, it was there, I wasn't touching it, just SCP stopped transferring the file and said connection reset by peer).

    Next boot, I can only assume it tried to take to the partial file that I'd uploaded and appears to have flashed that. All switch modes are unresponsive.

    I don't suppose there is a "Users Be Stupid, Factory Reset" magical on-off-switch-button combination in order to restore the firmware?

    Edit2: I've actually managed to recover this myself. I've taken the liberty of writing up the procedure I took in a forum post and deleted some of my posts from here as it was just cluttering up the place.


  8. I concur. The shark jack gets incredibly hot when charging. Still seems to work however, but I would definitely listen to the advice of DO NOT LEAVE IT CHARGING.

    Also working on it, I think there is a thermal cutoff being reached or something. I plugged it into a network port and had the USB-C connected from a reliable power bank as I was doing some dev on it and despite it continuing to flash the green LED the entire device became unresponsive. It was again, incredibly hot, like trying to hold a cup of coffee without a handle.

  9. On 10/11/2019 at 12:48 PM, Jtyle6 said:

    I'm getting on when downloading.

    {"error_message":"tool version not found"}

    On https://downloads.hak5.org/shark When downloading the helper tools.

    Can confirm I'm getting the same issue.

    Edit: Don't think I need to do it manually. Reviewing the binaries on the host I found /usr/bin/shark_framework which has some interesting lines in. Looks like if you copy the firmware file to /root/, have the switch in arming mode... it'll autodetect and apply the firmware.

    UPGRADE_FILE=$(ls /root/upgrade-*.bin 2>/dev/null | tail -n1)
    LOG="logger -t Shark [*]"
    LOG_ERR="logger -t Shark -p 3 [!]"

    # Alternate the red and blue LEDs while an upgrade is being staged.
    function upgrade_leds() {
        /usr/bin/LED OFF
        while true
        do
            echo 1 > /sys/class/leds/shark:red:system/brightness
            sleep 0.2
            echo 0 > /sys/class/leds/shark:red:system/brightness
            echo 1 > /sys/class/leds/shark:blue:system/brightness
            sleep 0.2
            echo 0 > /sys/class/leds/shark:blue:system/brightness
        done
    }

    # Pick up a firmware image dropped in /root/ and hand it to sysupgrade.
    function execute_upgrade() {
        $LOG "Checking for firmware upgrade"
        [[ -f $UPGRADE_FILE ]] && {
            $LOG "Firmware upgrade found"
            upgrade_leds &
            # led_pid is not set in the lines shown here
            cp $UPGRADE_FILE /tmp/upgrade.bin
            rm $UPGRADE_FILE
            sleep 2 && kill $led_pid
            $LOG "Executing UPGRADE"
            # sysupgrade -n flashes without preserving the existing configuration
            /usr/bin/LED B && echo "sysupgrade -n /tmp/upgrade.bin" | at now
        } || {
            $LOG "No firmware upgrade found"
            return 1
        }
    }

    Giving it a shot now.
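
The framework lines above pick up any `/root/upgrade-*.bin` and flash it without checking it, which is how an interrupted SCP can end with a partial image being applied. The following is an added example, not Hak5 code or part of the original posts: it stages a firmware file so that nothing matching that glob exists until the checksum has passed. The function names, the `.partial-` prefix, the use of SHA-256 for the published checksum and the local directory standing in for `/root/` are assumptions.

```shell
#!/bin/sh
# Added example, not Hak5 code. A local directory stands in for the device's
# /root/. Assumes the published checksum is SHA-256 and sha256sum is installed.

# Print the SHA-256 of a file as bare hex.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_firmware FILE EXPECTED_SHA256
# Returns 0 only if FILE exists and its digest matches.
verify_firmware() {
    [ -f "$1" ] || return 2
    [ "$(sha256_of "$1")" = "$2" ]
}

# stage_firmware SRC DEST_DIR EXPECTED_SHA256
# 1. refuse a bad download, 2. copy under a name that the framework's
# upgrade-*.bin glob cannot match, 3. re-hash the copy, 4. rename into place.
# A transfer that dies part-way leaves only the .partial- file behind.
stage_firmware() {
    src=$1 dest_dir=$2 want=$3
    name=$(basename "$src")
    tmp="$dest_dir/.partial-$name"

    verify_firmware "$src" "$want" || {
        echo "refusing $name: download does not match published checksum" >&2
        return 1
    }
    cp "$src" "$tmp" || { rm -f "$tmp"; return 1; }
    verify_firmware "$tmp" "$want" || {
        rm -f "$tmp"
        echo "refusing $name: staged copy is incomplete or corrupted" >&2
        return 1
    }
    mv "$tmp" "$dest_dir/$name"   # rename within one directory: all or nothing
}
```

Against the device the same order applies: transfer under the temporary name, hash the copy on the device, and rename to `upgrade-*.bin` only after the hashes agree.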

  10. 19 hours ago, dustbyter said:

    This is an interesting idea. Not sure on the extensibility of it through scripting. 

    I guess I don't see the purpose of this device with its limited space. How has anyone used this so far other than running nmap really easy.

    I have a few ideas in mind for it, beyond just "quick!!!! make the SOC go red!" Hoping to get one progressed today and will submit it to the github payloads when it's ready for sharing.

    Also, for a device that can quickly check if there is a sterile area in the visitor areas of buildings when on a Phys SE job, this tool is pretty damn discreet. Certainly more so than "hey can I just er do some work! thannnnkkkss!" and whipping out a laptop with an ethernet cable.

  11. Phew thank goodness for the manual install, I rarely use my pineapple but when I do I invariably always end up factory resetting it due to forgotten passwords. Thanks Darren for providing the infusions for manual installation.

    I'm wondering if simply upgrading the openssl libraries on the underlying operating system should be enough to get this working again with firmware v2.4. not played too much with openwrt, but curious.

  12. On 20/04/2017 at 11:21 AM, chrisaw said:

    Does anyone have any additional advice to get this working?

    I have managed to get two different results:


    1.) Connected to BashBunny (network info populated in panel) which results in the Mac not being able to access the Internet (I assume routing is pointing towards the BashBunny instead of the WiFi router). As such - neither device gets Internet access.

    2.) Connected to BashBunny (network info NOT populated in panel - only manual IP) which results in the Mac being able to still access the Internet properly (yay!) but still no Internet connectivity for the BashBunny.


    In both configurations I can SSH to the BashBunny but neither provide it with an Internet connection which is a bit of a pain.


    I know I could likely get this working easily with a Ubuntu VM but I'd rather avoid that if possible since it adds additional faff needed to configure the BB for a pentest situation.



    So I was in a similar situation.

    1. BashBunny info populated as per the OP screenshots - You're correct, the RNDIS Ethernet adapter comes above the wifi in the stack and OSX sets the BB as the default GW for the machine, no internet for anyone but you can ssh to the BB just fine.

    Correcting the derp with a route -n delete default gw command and netstat -nr confirming the routing for IPv4 is correct at least, still does not restore the internet however for some unknown reason.

    What did fix it... hitting "assist me" in the network settings dialog and allowing it to configure the wifi network as an internet connection. That then reordered all my network adapters in the graphical listing of the network settings pane and now I can plug the BB in without losing internet on the host.

    However, despite following all the instructions in the OP and deleting the crazy route for the default gw to on the BB and replacing it with a (the ip of my mac) still doesn't give me network connectivity.

    No idea why the ip on the BB for its default route is 64.64 either.

    Would definitely appreciate any help trying to get this working, would like to update the OS.

  13. So managed to win a Bash Bunny as a prize in a CTF competition at a local conference over here and it's day 1 of ownership. Have upgraded the firmware to version 1.3 and having a blast playing about with it over the serial console.

    I was thinking of porting a payload I use based on work I did with an old friend of mine called "Blinking Hell" (http://blog.scriptmonkey.eu/bsides-london-2013-blinking-hell-extracting-data-using-keyboard-lock-states/) which allows for export of data via the "lock" keystates. I'd say we got there first in 2011 using a teensy, but we didn't go public until 2013 :'( and it kinda just got left in the weeds other than our own private developments as we were using it in a very niche manner to suit our work. Anyway, bitter tears aside :) I'd like to port it over to the bunny.

    I've had a good root about using google and searching the forums and cannot see for the life of me how I can create ducky script to read the state of the various "lock" keys. I see people talking about it happening and asking "if it can" but no idea "how" to do it. I am assuming from reading the ducky script git pages it's going to be some obscure command that isn't covered in the usual manual/howto.

