[Upgrade] Dynamic Switching

[mrt0mat0]

So, I've made a payload to upgrade the bash bunny to allow for switching on the fly. I'm not posting it yet, because it seems that the PRs are piling up and don't want it lost in the shuffle. i currently have it so that it runs the payload on the switch you switch it to, but feel it could eventually be used to register commands to the script. Would anyone find this useful? Any ideas on other uses detecting the switches could do?

[bg-wa]

Sounds useful!  So you could change from switch1 to switch2 payload without unplugging the BB?

[mrt0mat0]

yes. that's what it currently does. it saves about 4 seconds from just popping it out. you'd think it would be instant, but it has to disable dhcp, mounts, and all that stuff, so it takes a bit of time. i'm working on speeding it up. I also want to add a feature that will pause the payload until you hit the switch. allowing you to possibly pretend that it's a usb flash drive, and then when they step away, switch it and make it run the payload. still deciding what would be worth doing.

[bg-wa]

I'd be interested in checking it out if you want to share a link to a branch. Is there any way it could be abstracted to a helper, so we could call a method like `wait_for_switch_change` from any payload?

[mrt0mat0]

I will create a branch soon, and push it. I'm setting up configuration files to allow to enable it so it doesn't always have to be active if you don't want to. that has created a problem, as each payload is actually moved to tmp and ran from there. i'll have to do the same with the config. once i finish all of that, I don't think i'd be able to abstract the whole functionality, but adding a helper would be possible. my initial install breaks up the bash bunny into smaller pieces. once that's done, you could manipulate the listener and the payload activation independently. 

[bg-wa]

Looking forward to seeing what you come up with!

[Dave-ee Jones]

Instead of disabling DHCP etc. when switching on the fly why not just make both switches refer to a different payload.txt in the one switch folder? That would mean that switch1 and switch2 are just text files and not folders, so it would just run the text files without changing DHCP and mounts etc.

Would be quicker, don't know how easy it would be to redo that system...

[nwlutz]

On 3/28/2017 at 9:35 PM, Dave-ee Jones said:

Instead of disabling DHCP etc. when switching on the fly why not just make both switches refer to a different payload.txt in the one switch folder? That would mean that switch1 and switch2 are just text files and not folders, so it would just run the text files without changing DHCP and mounts etc.

Would be quicker, don't know how easy it would be to redo that system...

This would be awesome! So a payload.txt and switch1.txt and switch2.txt in each switch folder allowing a single Bunny to carry 4 live payloads. Also could leave a single switch.txt blank in each and have to payloads that delay til you flip the switch.

[mrt0mat0]

Yeah, so after hearing about the new firmware release, I've decided to do basically what Dave-ee said. I will also be moving it to an extension instead of modifying the bash bunny software. that way it won't be wiped going forward. I'll let you guys know when I'm all done. I can't guarantee it will work as I plan though. We'll see

[PoSHMagiC0de]

I am attempting to add dynamic-ness to the BB a different way.  I am working on a server agent type setup withthe server being nodejs.  I listed what it entailed in the payloads sub forum. I am pretty close to finishing phase 1 which will do multipayloads and dynamically queue new payload pulls that are available like you only want to pull and run this script based off the results of a job.  That job can have the server queue up a new job with parameters based on results of the job calling it.

Phase2 will be multistage agent, ie launch one agent with a job that runs exploit to launch stager2 agent that has jobs meant to be ran in an agent served as an exploit.  Man that was a tongue twister.  Phase 2 will also have dynamic pull of extras like your script needs to pull a cert file..or dll, etc from the server.  Server will base 64 encode it and send it.

First agent will be Powershell.  I am hoping others who like it will create their own agents for other OSes like maybe Python agent for mac and Linux?  I am weak on handling Python threading to mimic the same thing I am doing in the PoSH agent with jobs.

smb server will be running too for jobs that want to exfiltrate files or what not.  Server handles text results from jobs.

[jafahulo]

6 hours ago, nwlutz said:

This would be awesome! So a payload.txt and switch1.txt and switch2.txt in each switch folder allowing a single Bunny to carry 4 live payloads. Also could leave a single switch.txt blank in each and have to payloads that delay til you flip the switch.

I want to see this happen so badly! If anyone is working on this and wants some help, let me know and I'll see what I can do!