Jump to content
maehko

Combo Attack Mode - Net/Storage/Serial

Recommended Posts

I've been trying to setup the bunny to work with RNDIS_ETHERNET STORAGE Serial but without success.  The combination of any two of those selections works as expected, but any ordered combination of those 3 fails to mount any one of the three devices on M$ Surface, Win10 10.0.14393

Using the Payload.txt below, after the 7 second boot cycle, the LED turns purple and stays purple for 113 seconds, after which the LED turns white, but no storage, serial, or network device is present.  After the LED has turned white however, device manager appears to refresh every so often like it's trying to enumerate new devices, but none show up. I'm not finding any relevant event log entries.

Are their any persistent logs available via arming mode serial?

 

#!/bin/bash
LED R B
ATTACKMODE STORAGE SERIAL RNDIS_ETHERNET
LED R G B

 

Share this post


Link to post
Share on other sites
On 3/4/2017 at 5:25 PM, Darren Kitchen said:

The default switch2 payload recognizes as storage but not Ethernet on Windows. Same thing with Mac. Go figure - it works on my development Linux box. The issue has to do with composite devices and Windows ability to recognize RNDIS as one.

When combining attack modes the Bash Bunny registers as a composite device. Windows doesn't recognize RNDIS_ETHERNET as a composite device by default. Drivers could be installed, but that defeats the purpose in many instances. Alone ATTACKMODE RNDIS_ETHERNET works without drivers on Windows hosts. Thankfully the ATTACKMODE command can be run subsequently to change the state to other modes later on in payloads conditionally.

As for the USB disk - when the payload executes it can access the storage from /root/udisk. At the moment this gets unmounted from the Linux side when payload execution completes. So if you terminal in and ls /root/udisk you won't see anything. 

 

This should answer some of your issues you are having. At the moment it looks like we are not able to combine RNDIS_ETHERNET with another attack mode. Sounds like you will have to perform each attack mode as needed and switch when you need another attack vector.

Share this post


Link to post
Share on other sites

I did see Darren's post before posting this thread and I have been able to duplicate that behavior.  

The problem described here though is affecting switch 1 as well and is NOT that the RNDIS doesn't automatically install due to it being a composite device.

The problem that is occurring in both switch positions is that Windows cannot enumerate the composite devices when all three devices are specified via the ATTACKMODE command. Can someone else run the following payload and report your experience?

LED R B
ATTACKMODE STORAGE SERIAL RNDIS_ETHERNET
LED R G B

 

Share this post


Link to post
Share on other sites
28 minutes ago, maehko said:

Can someone else run the following payload and report your experience?


LED R B
ATTACKMODE STORAGE SERIAL RNDIS_ETHERNET
LED R G B

Results in no devices at all in Windows. No, serial, storage, or rndis is available. Does not even register as a USB device!

Share this post


Link to post
Share on other sites

I just switched to ECM_ETHERNET and verified the same behavior on MacOS

Edited by maehko

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...