Bumblebee08 Posted April 1, 2017
Would it be possible to use the Bash Bunny for dumping the entire memory on both Windows and Linux systems (payload 1 & 2)? For example with Volatility and LiME, but without installing anything on the target systems. Has anyone looked into this idea already? Would it be possible to install and run software from the Bash Bunny or use some sort of portable software that doesn't require installation?
illwill Posted April 2, 2017 (edited)
Violation of CoC. Edited October 8, 2017 by illwill: Violation of CoC
Bryfi Posted April 5, 2017
On 4/2/2017 at 0:33 AM, illwill said: not enough space on the bunny
What if we were to place another flash drive into the machine that has sufficient space?
illwill Posted April 5, 2017 (edited)
Violation of CoC. Edited October 8, 2017 by illwill: Violation of CoC
PoSHMagiC0de Posted April 5, 2017
Best way to do this would be to dump it to remote storage. Maybe share a Windows drive or a samba/smbserver.py server on a machine with more storage. On Windows you could use the out-minidump.ps1 script from the PowerSploit framework, which can dump a process, or use get-process to get all the processes and pipe it to the cmdlet, specifying the SMB path and file (with credentials if necessary) as the remote location. Make sure it runs hidden and you will not have to stick around while the dump is going. For Linux you will have to do it with the script language of your choice, mount the SMB machine and then you could dd the memory. Do not know a way to target a process, so it will be all of it. You can use "dd if=/dev/fmem of=/smbmountpoint/linuxmem.dmp". If you run this hidden you can leave and hope it gets done. Have not tried any of this. Just know these are the ways you get memory dumps from both machines effectively. Helps if you are admin on both machines since permissions may break the process.
Bumblebee08 (Author) Posted April 6, 2017
I was thinking about this idea to create some sort of forensically sound manner to automatically create memory dumps for incident response. So there have to be no or minimal changes to the host system, and it doesn't matter if it takes some time to load and create an actual image. But I want to be able to create these memory dumps locally, instead of over the network. Of course there are already some nice tools that can do the job, but I thought it would be cool to see if the Bash Bunny could be used, because of the payload selector switch. Thanks for mentioning PowerSploit, PoSHMagiC0de. Looks very interesting!
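An added example, not code from any poster in this thread, of the Linux acquisition step PoSHMagiC0de sketches with dd, written the way Bumblebee08's incident-response use case needs it: the image goes to whatever storage is mounted (a second flash drive or an SMB mount), nothing is installed on the host, and a log with a SHA-256 hash records what was taken and when so the image can be verified later. It assumes a readable memory source such as /dev/fmem (which only exists once the fmem kernel module is loaded) and root privileges; the function names are made up for the example.

```shell
#!/bin/sh
# acquire_memory SRC DEST_DIR
#   SRC      memory source device, e.g. /dev/fmem (assumed readable)
#   DEST_DIR mount point of the destination storage (USB stick or SMB mount)
# Writes DEST_DIR/<host>_<utc stamp>.mem plus a .log with a SHA-256 hash.
acquire_memory() {
    src="$1"
    dest_dir="$2"
    host=$(uname -n)
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$dest_dir/${host}_${stamp}.mem"
    log="$dest_dir/${host}_${stamp}.log"

    # never overwrite an earlier image from the same host
    if [ -e "$out" ]; then
        echo "refusing to overwrite $out" >&2
        return 1
    fi

    {
        echo "host=$host"
        echo "source=$src"
        echo "kernel=$(uname -r)"
        echo "start_utc=$stamp"
    } > "$log"

    # conv=noerror,sync: keep going past unreadable pages and pad them,
    # so one bad page does not abort the whole acquisition
    dd if="$src" of="$out" bs=1M conv=noerror,sync 2>>"$log" || return 1

    # record the hash of the image and the finishing time in the log
    sha256sum "$out" >> "$log"
    echo "end_utc=$(date -u +%Y%m%dT%H%M%SZ)" >> "$log"
    echo "$out"
}

# verify_image IMAGE LOG: re-hash IMAGE and compare with the hash in LOG
verify_image() {
    img="$1"
    log="$2"
    recorded=$(awk -v f="$img" '$2 == f { print $1 }' "$log")
    actual=$(sha256sum "$img" | awk '{ print $1 }')
    [ -n "$recorded" ] && [ "$recorded" = "$actual" ]
}

# usage on a live host (as root): acquire_memory /dev/fmem /mnt/evidence
```

The same function works unchanged for any block-style memory source; only the SRC argument changes.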