Soultouche Posted May 8, 2017 Share Posted May 8, 2017 let me explain myself, Would it be possible to plug in the bash bunny. and make it execute $SWITCH_POSITION\test.bat since its bash and people do pretty much like it with rndis ethernet attack / storage why couldnt it be possible to just execute a file on the bash bunny without the need of HID ? so no user interaction ? is that doable ? Thanks Quote Link to comment Share on other sites More sharing options...
Sebkinne Posted May 8, 2017 Share Posted May 8, 2017 2 hours ago, Soultouche said: let me explain myself, Would it be possible to plug in the bash bunny. and make it execute $SWITCH_POSITION\test.bat since its bash and people do pretty much like it with rndis ethernet attack / storage why couldnt it be possible to just execute a file on the bash bunny without the need of HID ? so no user interaction ? is that doable ? Thanks No, unless you know of an automatic way that executes a file from mass storage. The reason HID is used is often just to initiate a script that will handle the rest in the background. Ideally you'd want to keep the hid attack to a minimum (possibly disable hid after the script is launched). Quote Link to comment Share on other sites More sharing options...
Dave-ee Jones Posted May 9, 2017 Share Posted May 9, 2017 Since the Bunny is a Linux box, it can't exactly integrate well with Windows scripts (e.g. Powershell, Batch etc.) and therefore it won't be able to run them on itself. The easiest way to integrate the Bunny with a Windows machine (and scripts) is to tell the Windows machine "Hey, I'm a keyboard. I'm telling you to run this script!" and the Windows machine runs the script and that's how you can gather data/information. Quote Link to comment Share on other sites More sharing options...
Soultouche Posted May 9, 2017 Author Share Posted May 9, 2017 Well, i mean we can run a complete nmap scan and save the output on the bash bunny, i know its all inside, but i thought that starting from there, there could be a way to just run a program ( other than nmap on the linux that would... i dont know run a script or something ) we can also get passwords from a locked machine, so the bash bunny can interact with the machine without hid and save the information. if it can nmap why cant it run a Python or something from the inside ? Thanks for your info guys ! Quote Link to comment Share on other sites More sharing options...
PoSHMagiC0de Posted May 9, 2017 Share Posted May 9, 2017 I think the correct question is how can you get your payloads on the Bunny to run on the machine it is connected to? Think through all the possibilities and you will end at one, HID. USB with autorun will not work, machines don't look at autorun on USB drives. Even if a CD has an autorun.inf you will still get prompted on what to do on the screen at which point you will need HID. If you hit it as a network service, you will need a way to access the service from the machine. Think of the BB as a foreign object or machine to the victim. Even standing there at the machine the BB is foreign (all USB devices are including storage). HID is the only thing that is not in most cases and even in those cases if you spoof the approved HID devices it will work. So, for the BB to run itself the best way is as an ethernet device and to attack a vulnerable service on the network side with an exploit to get remote access to run stuff, or have the login to the service/machine. Quote Link to comment Share on other sites More sharing options...
Dave-ee Jones Posted May 9, 2017 Share Posted May 9, 2017 Most machines (especially Windows) rely on their network to do most of the thinking for them (Group Policy, Active Directory, etc.), so using a network attack is one of the most powerful tools to use, because your essentially making a small network between the Bunny and the PC, the PC thinks "Oh, the Bunny is a higher level on the network than me, so therefore I have to obey what it tells me to do". This makes these attacks very powerful. Just had a thought...(@Sebkinne / @Darren Kitchen, tell me if this idea would never, ever, work) I wonder if you could get the Bunny to pass login credentials to the PC (like Active Directory would when you put the PC on a domain) so that a user could log in as a Network Administrator over the Bunny's network? That would be a pretty crazy attack, as you could access any files on the PC and do anything to it without it caring (because your logged in as a Network Administrator on a network between Bunny and PC). Spoofing ADDS, basically... Quote Link to comment Share on other sites More sharing options...
PoSHMagiC0de Posted May 9, 2017 Share Posted May 9, 2017 (edited) 7 minutes ago, Dave-ee Jones said: I wonder if you could get the Bunny to pass login credentials to the PC (like Active Directory would when you put the PC on a domain) so that a user could log in as a Network Administrator over the Bunny's network? That would be a pretty crazy attack, as you could access any files on the PC and do anything to it without it caring (because your logged in as a Network Administrator on a network between Bunny and PC). Spoofing ADDS, basically... Nope. You are talking about something like a SMBRelay attack. On a Linux PC you can use Responder in conjunction with smrelay to bounce SMB credentials from one machine to another but those credentials need admin rights. What you want to do is a SMB reflect attack. MS patched that. You cannot deflect credentials back at the originating machine. Well, what you are doing is passing the NTLMv2 hash. Edited May 9, 2017 by PoSHMagiC0de Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.