Darren Kitchen Posted March 3, 2017

https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/usb_exfiltrator

Exfiltrates files from the user's Documents folder.
Saves to the loot folder on the Bash Bunny USB Mass Storage partition named by the victim hostname, date and timestamp.
peterkozmd Posted March 3, 2017

Can there be a version that snags also images, address books, emails, bookmarks, passwords, etc. an AIO (all-in-one) that takes anything remotely interesting =)
Seczilla Posted March 3, 2017

5 minutes ago, peterkozmd said:
> Can there be a version that snags also images, address books, emails, bookmarks, passwords, etc. an AIO (all-in-one) that takes anything remotely interesting =)

You can adapt it really easily.

    xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul

Just change the *.pdf in line 22 of the e.cmd file to whatever you want.
Rainman_34 Posted March 3, 2017

Though, as @Seczilla said, the payload can be modified, the Bash Bunny only has 8GB of storage and an all-in-one of those might possibly become full VERY quickly. I think it would be more practical to do like with the Rubber Ducky where it extracts to a separate USB with a specific file name.
peterkozmd Posted March 4, 2017

Yeah, I realize grabbing images might be a problem given time and not to mention space requirements, i.e. some people might have gigs of them. The alternative being to set them to upload to a server.
Doctare Posted March 4, 2017

I must be doing something wrong. I get the flashing white "Dependencies not met. Responder not installed in /pentest". I tried loading the tools and think I did it right. Also the Bunny does not show up as a WiFi device when I run that script.
Tylor B. Posted March 6, 2017

I have not received my bunny yet (March 10th batch) but had an idea for this. Because of the limited space on the bunny 8 GB SSD, would it be possible to reroute the loot file directory onto another USB drive, then cd /media/usr_name/drive_name/loot, then store files on the other larger/faster drive? Would have to have a variable for the usr_name, then once found use that to cd onto the other drive. I will try to develop further once I receive mine, but anybody got any ideas for this?
Mad Man with a Blue Box Posted March 7, 2017

I managed to get this to work just fine. I tested with the default code provided and I saw files and folder structure being copied across. A little confused, however, at the fact I see people posting it has an 8gb storage yet mine only says 1.99gb when I plug it in with arming mode or with a payload set to storage.
gmonk Posted March 7, 2017

Something I noticed and perhaps done by design. After running this payload on a Windows 10 system:

the 'loot' is captured as expected, however the files d.cmd, e.cmd and i.vbs are now located on the root of the BashBunny in arming mode.

in the 'switch2' the install.sh is appended -INSTALLED

Does anyone else observe this on theirs and is that done by design?
rastating Posted March 7, 2017

10 hours ago, gmonk said:
> Something I noticed and perhaps done by design. After running this payload on a Windows 10 system:
>
> the 'loot' is captured as expected, however the files d.cmd, e.cmd and i.vbs are now located on the root of the BashBunny in arming mode.
>
> in the 'switch2' the install.sh is appended -INSTALLED
>
> Does anyone else observe this on theirs and is that done by design?

Yup, that's by design. I believe the logic being that the PowerShell command needs to know the path that it is executing the cmd file from, so it finds the drive letter of the storage with the name "BashBunny", and then appends d.cmd to it (I think it was d.cmd anyway... it's whichever one kick starts it all).

If it didn't copy the files into the root, then it may make it more difficult to know where the files are, due to it being potentially in two different locations (i.e. switch1 or switch2). I might see if it's possible to run it all within a switch folder instead of moving them, but I suspect it might not be doable!

The appending of "INSTALLED" is to prevent the install.sh file being executed a second time for subsequent payload executions, as all the files are in the place they need to be.
TTommy Posted March 7, 2017

I have this attack working on my rubber ducky but for some reason I am not cracking the code on how you got this to work on the bash bunny. What were the steps you followed to get this payload to work because I am not understanding what needs to go where?

1. Move switch to ARM
2. Navigate to Switch# folder
3. Drop d.cmd, e.cmd, i.vbs, payload.txt into folder
4. Eject the device
5. Move switch to Switch#
6. Insert device
7. Profit

I modified the payload so I could see what it is hanging up on and it is not getting the switch value from bunny_helpers.sh:

    powershell .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads$SWITCH_POSITION\d.cmd')
    . : The term 'D:\payloads$SWITCH_POSITION\d.cmd' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:2
    + .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads$SWITCH_ ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (D:\payloads$SWITCH_POSITION\d.cmd:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException

Does bunny_helpers.sh need to be somewhere special?
rastating Posted March 7, 2017

12 minutes ago, TTommy said:
> I have this attack working on my rubber ducky but for some reason I am not cracking the code on how you got this to work on the bash bunny. What were the steps you followed to get this payload to work because I am not understanding what needs to go where?
>
> 1. Move switch to ARM
> 2. Navigate to Switch# folder
> 3. Drop d.cmd, e.cmd, i.vbs, payload.txt into folder
> 4. Eject the device
> 5. Move switch to Switch#
> 6. Insert device
> 7. Profit
>
> I modified the payload so I could see what it is hanging up on and it is not getting the switch value from bunny_helpers.sh:
>
>     powershell .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads$SWITCH_POSITION\d.cmd')
>     . : The term 'D:\payloads$SWITCH_POSITION\d.cmd' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
>     At line:1 char:2
>     + .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads$SWITCH_ ...
>     + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         + CategoryInfo          : ObjectNotFound: (D:\payloads$SWITCH_POSITION\d.cmd:String) [], CommandNotFoundException
>         + FullyQualifiedErrorId : CommandNotFoundException
>
> Does bunny_helpers.sh need to be somewhere special?

I tested using the previous version of the payload, that installs the cmd files and vbs file into the root. It looks like you're using the latest version which is supposed to keep everything inside the switch* folder.

If you want to use the previous version, you can grab the files from commit dcace71 on GitHub / this link: https://github.com/hak5/bashbunny-payloads/tree/dcace71e99bfb9e69cd02c30b4bb6db60f93d9d4/payloads/library/usb_exfiltrator

I'll give the new version a test too, and see if I can replicate the problem / try to fix it :)
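A defender's view of the two command lines quoted in this thread (the xcopy call and the PowerShell volume-label lookup), as an added example that is not part of any post or of the payload repository: a small Python triage over process-creation records. The record layout, the sample events and the expanded paths in them are constructed assumptions.

```python
import re

# Constructed (image, command line) process-creation records; not taken from the thread.
SAMPLE_EVENTS = [
    ("powershell.exe", r"powershell .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch1\d.cmd')"),
    (r"C:\Windows\System32\xcopy.exe", r"xcopy /C /Q /G /Y /S C:\Users\alice\Documents\*.pdf E:\loot\HOST1_2017-03-15"),
    ("xcopy.exe", r"xcopy /S C:\build\out\*.dll C:\deploy"),
    ("powershell.exe", "powershell Get-CimInstance Win32_Volume | ft Label"),
]

VOLUME_LOOKUP = re.compile(r"\b(gwmi|get-wmiobject|get-ciminstance)\s+win32_volume\b", re.I)
LABEL_FILTER = re.compile(r"label\s*=\s*'+([^']+)'+", re.I)
RUN_FROM_VOLUME = re.compile(r"\.name\s*\+\s*'[^']*\.(cmd|bat|ps1|vbs)'", re.I)
DRIVE = re.compile(r"^([A-Za-z]):\\")

def check_powershell(cmd):
    """Volume located by label, its path concatenated into a script name to run."""
    if not (VOLUME_LOOKUP.search(cmd) and RUN_FROM_VOLUME.search(cmd)):
        return None
    label = LABEL_FILTER.search(cmd)
    return "script run from volume labelled %r" % (label.group(1) if label else "?")

def check_xcopy(cmd):
    """Recursive xcopy from a user profile to a different drive letter."""
    args = cmd.split()[1:]          # naive split: paths with spaces need a real parser
    switches = {a.upper() for a in args if a.startswith("/")}
    paths = [a for a in args if not a.startswith("/")]
    if len(paths) < 2 or "/S" not in switches:
        return None
    src, dst = DRIVE.match(paths[0]), DRIVE.match(paths[1])
    if not (src and dst) or src.group(1).upper() == dst.group(1).upper() \
            or "\\users\\" not in paths[0].lower():
        return None
    quiet = {"/C", "/Q"} <= switches    # errors ignored, file names not displayed
    return "profile files copied to drive %s:%s" % (dst.group(1).upper(), " (quiet)" if quiet else "")

CHECKS = {"powershell.exe": check_powershell, "xcopy.exe": check_xcopy}

def triage(events):
    """Return (index, finding) for every record that matches a rule."""
    hits = []
    for i, (image, cmd) in enumerate(events):
        check = CHECKS.get(image.lower().rsplit("\\", 1)[-1])
        finding = check(cmd) if check else None
        if finding:
            hits.append((i, finding))
    return hits
```

Calling `triage(SAMPLE_EVENTS)` flags the first two records and leaves the same-drive build copy and the plain volume listing alone.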
rastating Posted March 8, 2017

@TTommy - just went to create a pull request with the fix for this and found it's already been submitted! You can find it here: https://github.com/hak5/bashbunny-payloads/pull/17

If you want to apply the changes manually in the meantime, you can see the changes made here: https://github.com/hak5/bashbunny-payloads/pull/17/files
TTommy Posted March 8, 2017

@rastating - thanks for the 411. I tried it and it works.
IMcPwn Posted March 8, 2017

Thanks for fixing my bug @rastating! I didn't realize you needed to escape QUACK commands...

GitHub issue reference: https://github.com/hak5/bashbunny-payloads/issues/13
gmonk Posted March 8, 2017

11 hours ago, rastating said:
> Yup, that's by design. I believe the logic being that the PowerShell command needs to know the path that it is executing the cmd file from, so it finds the drive letter of the storage with the name "BashBunny", and then appends d.cmd to it (I think it was d.cmd anyway... it's whichever one kick starts it all).
>
> If it didn't copy the files into the root, then it may make it more difficult to know where the files are, due to it being potentially in two different locations (i.e. switch1 or switch2). I might see if it's possible to run it all within a switch folder instead of moving them, but I suspect it might not be doable!
>
> The appending of "INSTALLED" is to prevent the install.sh file being executed a second time for subsequent payload executions, as all the files are in the place they need to be.

Def good to know, thanks for explaining!
rastating Posted March 8, 2017

15 hours ago, IMcPwn said:
> Thanks for fixing my bug @rastating! I didn't realize you needed to escape QUACK commands...
>
> GitHub issue reference: https://github.com/hak5/bashbunny-payloads/issues/13

It wasn't me that sent the PR, I only realised there was an existing one once I was opening one haha

@gmonk no problem :) got to share the knowledge!
aawawa Posted March 9, 2017

Guys, anyone know if a payload exists for exfiltration / dump of all browser(s) saved usernames/passwords?
kpeezy Posted March 10, 2017

Hey guys, quick question. May be a noob question but I'm trying to get this payload to work. Where do I put the d.cmd, e.cmd, and i.vbs files? Do they go in the switch1 folder along with the payload or do they go in the library folder?

Thank you,
kpeezy
Black_chameleon Posted March 10, 2017

1 hour ago, kpeezy said:
> Hey guys, quick question. May be a noob question but I'm trying to get this payload to work. Where do I put the d.cmd, e.cmd, and i.vbs files? Do they go in the switch1 folder along with the payload or do they go in the library folder?
>
> Thank you,
> kpeezy

Yes! Copy the contents of the folder over to the switch folder. They call each other, and each one assumes the next one is in the same location. Good luck!
kpeezy Posted March 10, 2017

3 hours ago, Black_chameleon said:
> Yes! Copy the contents of the folder over to the switch folder. They call each other, and each one assumes the next one is in the same location. Good luck!

Thanks a lot! Just got er workin! BADASS!
trumoo Posted March 15, 2017

I altered this script to copy a folder from appdata. It copied OK and worked fine, light turned green, safely removed, etc. Problem now is when I go to delete the folder, nothing happens in Windows Explorer.

The stuff in question is the Chrome folder from %appdata% - I can delete individual files within subdirectories on my Bash Bunny, but when I try to delete or access certain folders in my loot, I get no activity or a message saying "Location is not available - The file or directory is corrupted and unreadable."

What gives? What can I run via cmd line to delete these ghost folders now?

PS: Every time my script finishes, I hear a Ghostbuster saying "light is green; trap is clean"
nutt318 Posted March 15, 2017

Is there a log file or anything to see results on what occurred? Just tested this payload and while it created the folder of my machine it never copied any documents into that folder. Yes, there are .pdf files in the documents folder. Just trying to figure out why nothing copied over to the loot directory when the folder got created with my machine's hostname.

Thanks!
zerocooler Posted March 16, 2017

On 3/15/2017 at 0:01 PM, nutt318 said:
> Is there a log file or anything to see results on what occurred? Just tested this payload and while it created the folder of my machine it never copied any documents into that folder. Yes, there are .pdf files in the documents folder. Just trying to figure out why nothing copied over to the loot directory when the folder got created with my machine's hostname.
>
> Thanks!

I have yet to see any log file. Though, I suppose you could have it write one alongside what it's doing.
This topic is now archived and is closed to further replies.