ADB on Bunny

[n33dsh3llz]

How would I go about getting an ARM version of ADB working on the bash bunny? I tried using Google's Python implementation of ADB, but it required libusb1 and other dependencies.

The goal is to make a payload that:

• Enabled USB debugging (HID)
• Accepts connection to device (HID)
• ADB Install's package (bash)
• ADB launches package (bash)

I had the HID payload working for enabling USB debugging, but then realized ADB was for x64 processors. I found a couple ARM versions, but couldn't get any of them working properly. Can anyone help me out with this. 

Ideally, I would like to utilize my apkwash script (https://github.com/jbreed/apkwash) to generate a lightweight payload to use for pushing onto a device. With ADB you can also attempt gaining root as well through ADB methods that otherwise wouldn't be accessible.

 

[Just_a_User]

Nice idea - I just had a play and seem to have ADB (android-tools-adb_4.2.2+git20130529-5.1_armhf.deb) installed on my bunny. I only tested basic operation while connected to client via my tetra - see below.

I used manual instructions here and here, the dependencies were already installed on the bunny - or alternatively you can just run "apt-get install android-tools-adb".

root@bunny:~# adb version
Android Debug Bridge version 1.0.31
root@bunny:~# adb connect  172.16.42.147 
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
connected to 172.16.42.147:5555
root@bunny:~# adb devices
List of devices attached 
172.16.42.147:5555	offline
root@bunny:~# adb devices
List of devices attached 
172.16.42.147:5555	device
root@bunny:~# adb shell
shell@android:/ $ 

But maybe you got this far already and had problems with operation?

Edited May 7, 2017 by Just_a_User

[LowValueTarget]

Demmsec looks to have submitted a pull request that may help

https://github.com/hak5/bashbunny-payloads/pull/135/files

Edited March 31, 2017 by LowValueTarget

[n33dsh3llz]

Thanks! I was trying to manually transfer the package over and run it. I haven't connected mine to the internet so that may be the way I go this weekend.

Also, the FireTV payload seems right where I was going with this, but for Android phones. Thanks for the heads up as this will save some time! The biggest thing with launching the default payload generated by MSFVenom is it will be flagged by AV. Calling the activity will require some work using my AV bypass script as it randomizes the naming structure, but it wouldn't be hard to explain how to get that information. 

I wasn't thinking of using the connect method with emulating a network adapter, but looks like DemmSec may have saved me some more headaches!

Justin

[n33dsh3llz]

Well, I was originally unable to get basic ADB working over the OTG like you would connected to the phone directly with USB debugging enabled. I tried the method demmsec did in that payload, but it would never get an IP address.

Come to find out, it was able to pull an address once I disabled my mobile data. I assume this is because of checks android does to make sure it is using the best network connection and the bash bunny has no actual connection to the internet.

With that, I may just need to add some extra HID commands to get the job done.

J

 

Edit:

Now I am unable to replicate the Network popup I was getting upon initially turning off mobile data. 

Edited April 1, 2017 by n33dsh3llz
Update