Quickest Way to Fingerprint/Identify Target Host

[rynojvr]

As a brainstorming exercise, I was wondering if anyone had ideas on the quickest way to identify/fingerprint the target computer? Hypothetically, I'd be able to run the same payload against various targets, and customize the attack based on what type of computer I'm plugged in to (Windows/OSX/Win7/Win10/ElCap/Mint) and react accordingly.

Would it then also be possible to identify a known computer I was talking to? My own station, for example. Possibly using a V2 of the UsbExfiltration payload which could be used repeatedly on a range of computers. Then as soon as the BB is filled, alert the attacker and let them know it's time to offload. The attacker would then plug it into their station and either the BB gets internet to upload the docs, or just offloads them to the local system and prepares itself for more extraction. 

Having typed all that out, I suppose having an "Exfil" mode on Switch1 and an "Offload" mode on Switch2 would simplify things considerably, but the general question stands: What is the best way to quickly identify the type of Target Host to then react accordingly?

[Darren Kitchen]

So there are two parts to your query - and I love them both. This the sort of creative thinking that I'm all about. :) 

So, as for profiling a target, the ways I've considered outside the long and tedious way (nmap -O --fuzzy $TARGET_IP) is to use p0f (pre-installed). 

Another similar thought exercise is to determine whether or not a specific Ethernet attack mode was successful, and failing that switch to another. For example, first register as RNDIS - and if after N seconds the BB doesn't receive a DHCP client - switch to ECM. Now, that doesn't provide an OS fingerprint - but certain assumptions can be made. I have noticed RNDIS to be successful on most Windows and Linux machines while ECM is more prevalent on Mac, Linux and "other" (Android, Chrome) 

 

Regarding off-site transmission in switch 2 after successfully exhilarating files from your target, I believe there are many possibilities - especially if the "drop box" is preconfigured to recognize the Bash Bunny. For instance, another embedded Linux machine with either a tunneled Internet connection or a large encrypted disk drive would be an ideal platform to immediately recognize and offload data from the Bash Bunny via SCP. 

Similarly there's no reason why the "loot" folder on the BB can't be encrypted. 

Anyway - just tossing fuel on the fire. Eager to hear everyone's remarks. Cheers! 

[rynojvr]

I hadn't really heard of p0f before, and am excited to try that out! :D

 

In regards to the exfil, since the BB is quite the little gadget ( thank you so much for this, Darren :] ) there's possibility to add some smarts. Keep a directory listing/db for each box the BB has hit, as well as a lookup of each file that was successfully exfilled, along with some metadata about that file. (Either a hash, or TimeStamp) If it sees it's the same box, only exfil new documents, or ones that have been modified? 

 

This also may be the wrong thread and I'll move it if I need to, but the RNDIS/ECM switching occurred to me yesterday and I got so amped about it I had to give it a shot. On my OSX the RNDIS failed (should'a guessed that one) and the payload switched to ECM. The issue is that after sourcing bunny_helpers and attempting the nmap payload, the hostname was "nobody", and the nmap showed 0 open ports (after scanning for 3 seconds vs ~200 I would expect). Running the same payload but reversing the order of Ethernet adapters to ECM first conducted a successful sweep. 

 

Tha

[korang]

If a windows target, enum4linux is a good application to use.  

[wire_wolf]

If you are planning on plugging it in and unplugging it repeatedly you have to take in the time costs of it rebooting repeatedly for the off load and the upload.

I think that bringing a USB slitter and a 64GB USB would be more covert and faster. 

Ooo. could you hide the bash bunny in a un-powered USB hub? That would make it more covert, and give you more storage for larger involuntary backups. (My next protect)

It would also be nice if you could hook it up the BB to the internet of the host computer so you could drop the files that way. but I do suppose if you are already grabbing files you can have the host computer send the files for you.

If speed of the exploit isn't that critical you could start with the RNDIS to SCP setup to make shure it works. Then you can use nmap -O to see if it can get it.

But if it is logged in then you could try sequentially trying to write a file to the BB with some ducky script and witch ever way writes the file then you have your OS.