The HID is coming from inside the Bunny!


Matt Neimeyer

Is there a way from the Bash Bunny shell to control what the Bash Bunny "does to" the host?

For example, if my payload just checks the OS version, connects to a Bash Bunny shell and starts a new script based on that? As one simple example, determining Windows XP (UAC evasion not required) vs Windows 7+ could be useful. Another case might be defaulting to, and then unloading, the ECM_ETHERNET module and replacing it with the RNDIS if we detect that we are on Windows.

I realize that the latter case might be better handled using the Switch to change payloads... but doing something like I'm thinking could give me, effectively, more than 2 payloads.

If I'm not using the right terminology I apologize... I'm just getting started. I can't find anything by searching but I could be looking for the wrong thing... In the long run some way to control what the Bunny does based on the Host OS would be useful.

Thanks!


The only way I can even imagine this, especially with the changing of the ethernet mode, would be extremely hard in HID, but here is a shot.  I do not know the outcome.

1) HID mode and USB storage needs to be on.

2) HID mode will run 2 different lines; both will feed output back to the USB storage with a filename based off of the OS that line is built for.

An example of this is to try running the PowerShell line to get back the OS name with WMI. (I do believe you need admin to read WMI).

You will need to execute an escape to close whatever pops up on a box other than Linux, and then run the keystrokes for Linux to get the OS name piped back to a BB USB storage file, and then the same for OSX.

In the end you should end up with only 1 file with valid entries.  Test for those valid entries and switch attack modes and what not based on that.  You could also run each command and test before running the next one to save time in case the OS you are on matches the first command.


This is all in theory as I have not tried it yet.


Okay... a little bit of research answered part of my own question and then my head exploded...

If I log into the Bunny Shell, at least in Arm Mode, I can indeed issue the command QUACK WINDOWS r and my run dialog box pops up on the host...

However, I might have overcomplicated my original idea. If I just need OS detection, and if payload.txt is really just a shell script, as the bang line at the top of some of the examples implies, couldn't I add a loop there to wait for a file and act on it? So in theory...

  1. Main payload.txt starts, executes a.vbs, begins to loop while waiting.
  2. a.vbs determines the OS and writes osversion.txt back to the same directory as itself.
  3. payload.txt now sees osversion.txt and continues with the appropriate actions.

This doesn't help with adjusting ATTACKMODE on the fly but it would help.

As far as switching the attack mode, I tried this... An "empty" payload with just SERIAL and HID modes, then from inside a shell over the serial I issued another "ATTACKMODE HID STORAGE SERIAL" to add the storage option (presuming I need to keep my existing options). This locked up my session and things were not happy... Similarly, "ATTACKMODE STORAGE" also failed. Fundamentally I'm assuming that ATTACKMODE is a one-time-only thing. It would be really nice if it could be reinvoked to change or add the chosen modes. Say, start with Storage and HID, determine the lay of the land, and then remove Storage (once osversion.txt is written) and add RNDIS_Ethernet. This would allow us to use, but then hide, the mounted drive from the view of the user.
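The marker-file handshake from steps 1 to 3 above, written out as an added example (not code from the thread or from Hak5): a shell loop that waits for osversion.txt with a timeout, strips the CRLF a Windows-side writer leaves behind, and maps the first line to a coarse OS class. The directory, timeout and the class names are assumptions; the file contents are constructed samples.

```bash
#!/bin/bash
# Map the first line of osversion.txt to a coarse OS class. The
# XP-vs-7+ split is the one the thread cares about (UAC or not).
classify_os() {
    case "$1" in
        *"Windows XP"*|*"Windows 2000"*) echo windows_xp ;;
        *Windows*)                       echo windows ;;
        *Darwin*|*"Mac OS"*)             echo macos ;;
        *Linux*)                         echo linux ;;
        *)                               echo unknown ;;
    esac
}

# Poll $1/osversion.txt for up to $2 seconds (default 30).
# Prints the OS class and returns 0, or prints "unknown" and
# returns 1 if the marker never appears (host blocked the writer,
# storage not mounted, wrong path). The -s test skips a file that
# exists but is still empty; a writer that creates a temp file and
# renames it avoids the half-written case entirely.
wait_for_osversion() {
    dir=$1
    limit=${2:-30}
    elapsed=0
    while [ "$elapsed" -lt "$limit" ]; do
        if [ -s "$dir/osversion.txt" ]; then
            # tr drops the \r that a VBScript/WScript writer emits.
            classify_os "$(head -n 1 "$dir/osversion.txt" | tr -d '\r')"
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    echo unknown
    return 1
}
```

Anything beyond the branch itself (what each class then does) is left to the payload; the loop only answers "which OS, or no answer in time".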


I was asking in another thread with others about combo attackmodes not working, like HID RNDIS_ETHERNET and so forth.  There is a bug we are being told will be sorted out in 1.3, so the dynamic attack modes may have to wait.  The dual attackmodes could really help out my payload/tool.


8 hours ago, PoSHMagiC0de said:

I was asking in another thread with others about combo attackmodes not working, like HID RNDIS_ETHERNET and so forth.  There is a bug we are being told will be sorted out in 1.3, so the dynamic attack modes may have to wait.  The dual attackmodes could really help out my payload/tool.

Do you think it would be worth it to put in a feature request now? Or presume that there is a bug and wait and see?


This is an extension waiting to happen. I'd imagine DETECTOS would spit back the version based on a scan. We're looking at building an AUTO_ETHERNET ATTACKMODE which will try ECM_ETHERNET then fail over to RNDIS_ETHERNET if the target does not obtain an IP in X seconds (or possibly the other way around).

nmap can do an OS scan, as can p0f (included in the firmware). I agree that this sort of extension would be really useful in having more complex and intelligent payloads that make decisions based on various conditions including OS version. I'm keen on seeing its development.

PoSHMagiC0de is correct that it could be done via PowerShell commands, though I think the less hacky way would be to scan the target via the pocket network in the first stage, then launch the appropriate second stage depending on the results.


30 minutes ago, Darren Kitchen said:

This is an extension waiting to happen. I'd imagine DETECTOS would spit back the version based on a scan. We're looking at building an AUTO_ETHERNET ATTACKMODE which will try ECM_ETHERNET then fail over to RNDIS_ETHERNET if the target does not obtain an IP in X seconds (or possibly the other way around).

nmap can do an OS scan, as can p0f (included in the firmware). I agree that this sort of extension would be really useful in having more complex and intelligent payloads that make decisions based on various conditions including OS version. I'm keen on seeing its development.

PoSHMagiC0de is correct that it could be done via PowerShell commands, though I think the less hacky way would be to scan the target via the pocket network in the first stage, then launch the appropriate second stage depending on the results.

AUTO_ETHERNET with a preferred setting set by a parameter, maybe?

+1 to the idea of a DETECTOS extension as well. Would be quite nice.

You can't exactly test which Mac/Linux version your victim is running with PowerShell though... :P


Nope, you cannot test those two with PowerShell (nix and Mac), but you can launch Python against them.  That is why it will be multiple QUACK commands.  One in PowerShell; if it works then it is Windows, else the next will be a Python command... or even just a uname >> path to bunny.  The outcome should be only 1 file, since PowerShell will only work in Windows (and Linux if you are doing what I am doing and testing PowerShell 6 for Linux).

Nmap would be a good option.  Of course, that depends on whether it comes back accurate.  I mostly use what ports I see open to determine the OS and use the OS detection as a hint.  I have seen it come back with nothing, so I guess it depends on whether there is a firewall blocking your scans.

I would also say something like Responder with its finger option, but that may take too long to get something unless you taunt it by maybe launching a web browser or file browser and in either put in a bad URL or path to get Responder to respond to it, with nothing else to respond in time.  I would say imagine the Bunny is an outside machine, not actually in the machine.  It has to contend with all the same security when talking from the outside in through the network.  So, most of the stuff to get it to hurry up or to get data from will probably have to be done with QUACK, to force a packet to the BB in a reasonable amount of time or launch a network app on the machine.

I think the best bet is to launch attack modes and test for the target IP in each, and after a set time if nothing, then switch modes and test again.  This would have to be done at setup in the beginning, before initiating any attack, to cut down on time between running the QUACK commands and then switching to NIC mode, unless your QUACK script has a long enough wait after being launched for all the testing to get done.

This is making my head hurt.  I will let someone else think on this one hehe.


On 4/27/2017 at 9:32 PM, Darren Kitchen said:

This is an extension waiting to happen. I'd imagine DETECTOS would spit back the version based on a scan. We're looking at building an AUTO_ETHERNET ATTACKMODE which will try ECM_ETHERNET then fail over to RNDIS_ETHERNET if the target does not obtain an IP in X seconds (or possibly the other way around).

nmap can do an OS scan, as can p0f (included in the firmware). I agree that this sort of extension would be really useful in having more complex and intelligent payloads that make decisions based on various conditions including OS version. I'm keen on seeing its development.

PoSHMagiC0de is correct that it could be done via PowerShell commands, though I think the less hacky way would be to scan the target via the pocket network in the first stage, then launch the appropriate second stage depending on the results.

https://media.blackhat.com/us-13/US-13-Davis-Deriving-Intelligence-From-USB-Stack-Interactions-Slides.pdf

Page 27 of this research from NCC Group may be of interest in doing OS detection. There are apparently some slight differences in how the USB enumeration process happens between the various OSes.

I'm not sure if the Bash Bunny can view the USB protocol at such a low level, but if it can, this approach would certainly be optimal. Opening up another PowerShell/Python or whatnot just to do OS detection increases the time required to exploit, and potentially increases the chances of being caught.


The USB probing is interesting. If the hardware can handle that, it sounds like a promising route.

Another method may be pointing the system you are attacking at a web service running on the Bunny via a browser or curl and getting the user agent. Someone spoofing their agent is unlikely.
