Mohamed A. Baset, posted March 11, 2017 (edited March 14, 2017 by Mohamed A. Baset: refreshing the thread)

Hi guys, this topic is not about a problem in the Bash Bunny or anything like that; it is about discussing future ideas to make the Bash Bunny more malicious.

1. What about installing the Metasploit framework on the Bunny and automatically launching it with aux/browser_autopwn with a proper payload, and combining this scenario with the captive_portal Bunny payload? Plug the Bunny into a locked machine, the machine automatically launches the captive portal, which is in fact the browser_autopwn aux module link, and it takes over the machine, and the best part is "MACHINE IS LOCKED"!

2. If time is not relevant (because this requires time), then we can Nmap the $Target_IP, get all the open ports, and pass them to Metasploit for auto-pwning per service/open port.

Just some ideas. Let me hear yours, and happy Bash Bunning....
MrSnowMonster, posted March 11, 2017

Sounds cool, but the hard part is to make it work?
CnetExpo, posted March 12, 2017

Plugging into iPhones?
Mohamed A. Baset (author), posted March 12, 2017 (edited March 12, 2017 by Mohamed A. Baset)

Could be! First I want to be sure whether captive portals fire automatically even if devices are locked or not. This is for scenario #1; for the second scenario it doesn't matter!
Just_a_User, posted March 12, 2017

Another idea would be evilgrade, although I'm not sure if this would be too obvious to the user if you plugged this in and update messages started to appear. But it would perhaps be more effective once the Bash Bunny is combined with the WiFi Pineapple. https://github.com/infobyte/evilgrade
Mohamed A. Baset (author), posted March 12, 2017

4 minutes ago, Just_a_User said:
> Another idea would be evilgrade, although I'm not sure if this would be too obvious to the user if you plugged this in and update messages started to appear. But it would perhaps be more effective once the Bash Bunny is combined with the WiFi Pineapple. https://github.com/infobyte/evilgrade

Interesting! If captive portals fire automatically in the background on a locked machine, then there will be unlimited forms of exploitation. I just want to be sure.
Mohamed A. Baset (author), posted March 16, 2017

Okay, as per @Sebkinne's clarification that the captive portal won't be able to open the web browser automatically while the machine is locked, what about combining both Samy Kamkar's PoisonTap and the Metasploit aux/browser_autopwn script (if the Bash Bunny will be able to hold Metasploit running and steady), or running it before plugging in (the idea of the battery + Bash Bunny), to exploit the open browser in the background, which of course is doing some AJAX requests or other background activity (the idea of PoisonTap)?!! :D
Sebkinne, posted March 16, 2017

1 hour ago, Mohamed A. Baset said:
> Okay, as per @Sebkinne's clarification that the captive portal won't be able to open the web browser automatically while the machine is locked, what about combining both Samy Kamkar's PoisonTap and the Metasploit aux/browser_autopwn script (if the Bash Bunny will be able to hold Metasploit running and steady), or running it before plugging in (the idea of the battery + Bash Bunny), to exploit the open browser in the background, which of course is doing some AJAX requests or other background activity (the idea of PoisonTap)?!! :D

I should clarify again, sorry. The portal most likely pops up, but you cannot interact with it. You could execute JavaScript, download a file, etc., but no other interaction. I thought the question was whether it popped up visibly when locked. This also depends on the OS.
Mohamed A. Baset (author), posted March 16, 2017

11 hours ago, Sebkinne said:
> I should clarify again, sorry. The portal most likely pops up, but you cannot interact with it. You could execute JavaScript, download a file, etc., but no other interaction. I thought the question was whether it popped up visibly when locked. This also depends on the OS.

Of course I know that captive portals won't show or pop up on top of the lock screen :D but since it pops up in the background and the executed page is controlled by the Bash Bunny attacker, the first scenario mentioned in the original post is possible on one condition (if the Bash Bunny will be able to run Metasploit): our captive portal URL will be the final URL of the aux/browser_autopwn Metasploit module, which will exploit the machine's browser (the default one, if an old one is found) silently. What do you think?
quack, posted March 16, 2017

Some improvement ideas for V2:
- rechargeable battery for instant attacks (already asked for in another post) + RTC clock
- microSD reader
- WiFi chip
Mohamed A. Baset (author), posted March 19, 2017

UPDATE: Future Bash Bunny 2.0 and a remote Bluetooth controller: plug it into a locked victim machine; once you come back, in a glimpse send a command to act as a duck to implant a reverse shell or add an admin user, then send another command to act as an unknown device. Boom, done. Many ideas here for sure! Wish you guys would be more creative than me :D