[PAYLOAD] USB_Exfiltrator


Darren Kitchen

Posted

Can there be a version that also snags images, address books, emails, bookmarks, passwords, etc.? An AIO (all-in-one) that takes anything remotely interesting =)

Posted
5 minutes ago, peterkozmd said:

Can there be a version that also snags images, address books, emails, bookmarks, passwords, etc.? An AIO (all-in-one) that takes anything remotely interesting =)

You can adapt it really easily.

xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul

Just change the *.pdf in line 22 of the e.cmd file to whatever you want.

Posted

Though, as @Seczilla said, the payload can be modified, the Bash Bunny only has 8GB of storage, and an all-in-one of those might possibly become full VERY quickly. I think it would be more practical to do as with the Rubber Ducky, where it extracts to a separate USB with a specific file name.

Posted

Yeah, I realize grabbing images might be a problem given time, not to mention space requirements, i.e. some people might have gigs of them. The alternative being to set them to upload to a server.

Posted

I must be doing something wrong.  I get the flashing white " Dependencies not met. Responder not installed in /pentest "  

I tried loading the tools and think I did it right.  Also the Bunny does not show up as a WiFi device when I run that script.

 

Posted

I have not received my Bunny yet (March 10th batch) but had an idea for this: because of the limited space on the Bunny's 8 GB SSD, would it be possible to reroute the loot file directory onto another USB drive, then

 cd /media/usr_name/drive_name/loot

and then store files on the other larger/faster drive? It would have to have a variable for the usr_name, then once found use that to cd onto the other drive. I will try to develop this further once I receive mine, but has anybody got any ideas for this?

Posted

I managed to get this to work just fine. I tested with the default code provided and saw files and folder structure being copied across. I am a little confused, however, that I see people posting it has 8GB of storage, yet mine only says 1.99GB when I plug it in in arming mode or with a payload set to storage.

Posted

Something I noticed, and perhaps done by design. After running this payload on a Windows 10 system:

  • the 'loot' is captured as expected; however, the files d.cmd, e.cmd and i.vbs are now located on the root of the BashBunny in arming mode.
  • in the 'switch2' the install.sh is appended -INSTALLED

Does anyone else observe this on theirs and is that done by design?

Posted
10 hours ago, gmonk said:

Something I noticed, and perhaps done by design. After running this payload on a Windows 10 system:

  • the 'loot' is captured as expected; however, the files d.cmd, e.cmd and i.vbs are now located on the root of the BashBunny in arming mode.
  • in the 'switch2' the install.sh is appended -INSTALLED

Does anyone else observe this on theirs and is that done by design?

Yup, that's by design. I believe the logic being that the PowerShell command needs to know the path that it is executing the cmd file from, so it finds the drive letter of the storage with the name "BashBunny", and then appends d.cmd to it (I think it was d.cmd anyway... it's whichever one kick-starts it all).

If it didn't copy the files into the root, then it may make it more difficult to know where the files are, due to it being potentially in two different locations (i.e. switch1 or switch2). I might see if it's possible to run it all within a switch folder instead of moving them, but I suspect it might not be doable!

The appending of "INSTALLED" is to prevent the install.sh file being executed a second time for subsequent payload executions, as all the files are in the place they need to be.

Posted

I have this attack working on my rubber ducky but for some reason I am not cracking the code on how you got this to work on the bash bunny.

What were the steps you followed to get this payload to work because I am not understanding what needs to go where?

1. Move switch to ARM

2. Navigate to Switch# folder

3. Drop d.cmd, e.cmd, i.vbs, payload.txt into folder

4. Eject the device

5. Move switch to Switch#

6. Insert device

7. Profit

I modified the payload so I could see what it is hanging up on and it is not getting the switch value from bunny_helpers.sh:

powershell .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads$SWITCH_POSITION\d.cmd')
. : The term 'D:\payloads$SWITCH_POSITION\d.cmd' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:2
+ .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads$SWITCH_ ...
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (D:\payloads$SWITCH_POSITION\d.cmd:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

 

Does bunny_helpers.sh need to be somewhere special?
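
A defender's view of the command line quoted in the post above, as an added example that is not part of the original thread or of the payload's own code: this Python sketch flags PowerShell process-creation events that look up a volume by label through Win32_Volume and reference a script on it. The event field names (`host`, `cmdline`), the host names and every sample event except the first command line (copied from the post) are constructed assumptions.

```python
import re

# Volume lookup via WMI/CIM (gwmi, Get-WmiObject, gcim, Get-CimInstance) on Win32_Volume.
VOLUME_QUERY = re.compile(
    r"\b(gwmi|get-wmiobject|gcim|get-ciminstance)\b[^|;]*\bwin32_volume\b", re.I)
# Filter on the volume label; inside a single-quoted PowerShell string a quote
# is escaped by doubling it ('label=''X'''), so allow runs of quote characters.
LABEL_FILTER = re.compile(r"\blabel\s*=\s*['\"]+([^'\"]+)['\"]+", re.I)
# A script file referenced in the same command line.
SCRIPT_REF = re.compile(r"\.(cmd|bat|vbs|ps1)\b", re.I)
POWERSHELL = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)

def classify(cmdline):
    """Return (verdict, label) for one process command line."""
    if not POWERSHELL.search(cmdline) or not VOLUME_QUERY.search(cmdline):
        return ("ignore", None)
    match = LABEL_FILTER.search(cmdline)
    if match is None:
        return ("ignore", None)  # plain volume inventory, no lookup by label
    # Match on behaviour, not on one label string: a device label is easily renamed.
    verdict = "alert" if SCRIPT_REF.search(cmdline) else "review"
    return (verdict, match.group(1))

def scan(events):
    """Return (host, verdict, label) for every event that is not ignored."""
    hits = []
    for event in events:
        verdict, label = classify(event["cmdline"])
        if verdict != "ignore":
            hits.append((event["host"], verdict, label))
    return hits

# Constructed process-creation events; only the first command line comes from the thread.
EVENTS = [
    {"host": "WS-014", "cmdline":
     r"powershell .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads$SWITCH_POSITION\d.cmd')"},
    {"host": "WS-014", "cmdline":
     "powershell -NoProfile -Command Get-CimInstance Win32_Volume | Select-Object Name,Label"},
    {"host": "WS-022", "cmdline":
     "powershell -Command Get-WmiObject Win32_Volume -Filter \"Label='BACKUP'\" | Select Name"},
    {"host": "WS-031", "cmdline": r"cmd.exe /c dir D:\reports"},
]

if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

The "review" verdict covers label lookups that reference no script, such as a backup job locating its target drive, so those are triaged rather than alerted on.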

Posted
12 minutes ago, TTommy said:

I have this attack working on my rubber ducky but for some reason I am not cracking the code on how you got this to work on the bash bunny.

What were the steps you followed to get this payload to work because I am not understanding what needs to go where?

1. Move switch to ARM

2. Navigate to Switch# folder

3. Drop d.cmd, e.cmd, i.vbs, payload.txt into folder

4. Eject the device

5. Move switch to Switch#

6. Insert device

7. Profit

I modified the payload so I could see what it is hanging up on and it is not getting the switch value from bunny_helpers.sh:

powershell .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads$SWITCH_POSITION\d.cmd')
. : The term 'D:\payloads$SWITCH_POSITION\d.cmd' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:2
+ .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads$SWITCH_ ...
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (D:\payloads$SWITCH_POSITION\d.cmd:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

 

Does bunny_helpers.sh need to be somewhere special?

I tested using the previous version of the payload, that installs the cmd files and vbs file into the root. It looks like you're using the latest version which is supposed to keep everything inside the switch* folder.

If you want to use the previous version, you can grab the files from commit dcace71 on GitHub / this link: https://github.com/hak5/bashbunny-payloads/tree/dcace71e99bfb9e69cd02c30b4bb6db60f93d9d4/payloads/library/usb_exfiltrator

I'll give the new version a test too, and see if I can replicate the problem / try to fix it :)

 

Posted
11 hours ago, rastating said:

Yup, that's by design. I believe the logic being that the PowerShell command needs to know the path that it is executing the cmd file from, so it finds the drive letter of the storage with the name "BashBunny", and then appends d.cmd to it (I think it was d.cmd anyway... it's whichever one kick-starts it all).

If it didn't copy the files into the root, then it may make it more difficult to know where the files are, due to it being potentially in two different locations (i.e. switch1 or switch2). I might see if it's possible to run it all within a switch folder instead of moving them, but I suspect it might not be doable!

The appending of "INSTALLED" is to prevent the install.sh file being executed a second time for subsequent payload executions, as all the files are in the place they need to be.

Def good to know, thanks for explaining!

Posted

Hey guys quick question,

Maybe a noob question, but I'm trying to get this payload to work. Where do I put the d.cmd, e.cmd, and i.vbs files? Do they go in the switch1 folder along with the payload or do they go in the library folder?

Thank you,
kpeezy

Posted
1 hour ago, kpeezy said:

Hey guys quick question,

Maybe a noob question, but I'm trying to get this payload to work. Where do I put the d.cmd, e.cmd, and i.vbs files? Do they go in the switch1 folder along with the payload or do they go in the library folder?

Thank you,
kpeezy

Yes!  Copy the contents of the folder over to the switch folder.  They call each other, and each one assumes the next one is in the same location.  Good luck!

Posted
3 hours ago, Black_chameleon said:

Yes!  Copy the contents of the folder over to the switch folder.  They call each other, and each one assumes the next one is in the same location.  Good luck!

Thanks a lot! Just got er workin! BADASS! :ph34r:

Posted

I altered this script to copy a folder from appdata. It copied OK and worked fine, light turned green, safely removed, etc. Problem now is when I go to delete the folder, nothing happens in Windows explorer. The stuff in question is the Chrome folder from %appdata% - I can delete individual files within subdirectories on my Bash Bunny, but when I try to delete or access certain folders in my loot, I get no activity or a message saying

Location is not available - The file or directory is corrupted and unreadable.

What gives? What can I run via cmd line to delete these ghost folders now?

PS: Every time my script finishes, I hear a Ghostbuster saying "light is green; trap is clean"

Posted

Is there a log file or anything to see results on what occurred? Just tested this payload, and while it created the folder of my machine, it never copied any documents into that folder. Yes, there are .pdf files in the documents folder. Just trying to figure out why nothing copied over to the loot directory when the folder got created with my machine's hostname.

Thanks!

Posted
On 3/15/2017 at 0:01 PM, nutt318 said:

Is there a log file or anything to see results on what occurred? Just tested this payload, and while it created the folder of my machine, it never copied any documents into that folder. Yes, there are .pdf files in the documents folder. Just trying to figure out why nothing copied over to the loot directory when the folder got created with my machine's hostname.

Thanks!

I have yet to see any log file. Though, I suppose you could have it write one alongside what it's doing.

Archived

This topic is now archived and is closed to further replies.
