LowValueTarget (Posted March 24, 2017; edited April 10, 2017 by LowValueTarget)

Here's a simple payload to download and execute a PowerShell payload locally from the BashBunny. This payload is especially useful when running larger PowerShell scripts. It's much faster than waiting on HID keystrokes.

LowValueTarget (Posted March 28, 2017)

Updated to include a proper status check and borrowed some improvements from Hak5Darren (faster_smb_exfiltrator).

Dave-ee Jones (Posted March 31, 2017)

Yo, it is quite neat and all, but what do you mean faster than HID strokes? Once you've opened PowerShell all you need to do is tell it to run a .ps1 script sitting right next to the payload and it'll do the rest without HID strokes. How is it faster?

LowValueTarget (Posted March 31, 2017; edited March 31, 2017 by LowValueTarget)

The benefit of this approach, depending on the PowerShell command, is that nothing ever touches disk and it's a little lower profile than attaching a USB mass storage drive to the computer. Hell, there may even be GP that disables that. Grabbing the script from the web server is essentially the same as grabbing it from the mass storage, right? There are multiple ways of accomplishing this; however, "web" delivery is tried and true and not reliant on mass storage.

Speed Scenario: You have a unicorn-encoded payload you want to execute. Instead of waiting for the entire payload to be typed out on the victim (~7K of text), you just have the HID type out the ~238 bytes of text and go.

LowValueTarget (Posted April 6, 2017)

Updated for Firmware 1.1