Combo Attack Mode - Net/Storage/Serial

[maehko]

I've been trying to setup the bunny to work with RNDIS_ETHERNET STORAGE Serial but without success.  The combination of any two of those selections works as expected, but any ordered combination of those 3 fails to mount any one of the three devices on M$ Surface, Win10 10.0.14393

Using the Payload.txt below, after the 7 second boot cycle, the LED turns purple and stays purple for 113 seconds, after which the LED turns white, but no storage, serial, or network device is present.  After the LED has turned white however, device manager appears to refresh every so often like it's trying to enumerate new devices, but none show up. I'm not finding any relevant event log entries.

Are their any persistent logs available via arming mode serial?

 

#!/bin/bash
LED R B
ATTACKMODE STORAGE SERIAL RNDIS_ETHERNET
LED R G B

 

[Cpt.Pickles]

On 3/4/2017 at 5:25 PM, Darren Kitchen said:

The default switch2 payload recognizes as storage but not Ethernet on Windows. Same thing with Mac. Go figure - it works on my development Linux box. The issue has to do with composite devices and Windows ability to recognize RNDIS as one.

When combining attack modes the Bash Bunny registers as a composite device. Windows doesn't recognize RNDIS_ETHERNET as a composite device by default. Drivers could be installed, but that defeats the purpose in many instances. Alone ATTACKMODE RNDIS_ETHERNET works without drivers on Windows hosts. Thankfully the ATTACKMODE command can be run subsequently to change the state to other modes later on in payloads conditionally.

As for the USB disk - when the payload executes it can access the storage from /root/udisk. At the moment this gets unmounted from the Linux side when payload execution completes. So if you terminal in and ls /root/udisk you won't see anything. 

 

This should answer some of your issues you are having. At the moment it looks like we are not able to combine RNDIS_ETHERNET with another attack mode. Sounds like you will have to perform each attack mode as needed and switch when you need another attack vector.

[maehko]

I did see Darren's post before posting this thread and I have been able to duplicate that behavior.  

The problem described here though is affecting switch 1 as well and is NOT that the RNDIS doesn't automatically install due to it being a composite device.

The problem that is occurring in both switch positions is that Windows cannot enumerate the composite devices when all three devices are specified via the ATTACKMODE command. Can someone else run the following payload and report your experience?

LED R B
ATTACKMODE STORAGE SERIAL RNDIS_ETHERNET
LED R G B

 

[snowc]

28 minutes ago, maehko said:

Can someone else run the following payload and report your experience?

LED R B
ATTACKMODE STORAGE SERIAL RNDIS_ETHERNET
LED R G B

Results in no devices at all in Windows. No, serial, storage, or rndis is available. Does not even register as a USB device!

[maehko]

Thank's @snowc.  That matches my experience as well.  Does your LED change from purple to white after 2 minutes?

[snowc]

Yep

[maehko]

I just switched to ECM_ETHERNET and verified the same behavior on MacOS

Edited March 8, 2017 by maehko