Posted (edited)

===========================SOLUTION==============================

Generate the following payload without STORAGE in the attackmode.

#!/bin/bash
LED G
ATTACKMODE ECM_ETHERNET

Thanks to Fang_Shadow, I've learned that using storage in concert with ECM_ETHERNET prevents the system from pulling an IP (for what reason I still don't understand - I'm guessing it's just a bug).

I have had some issues with SSH but according to ifconfig (on local system) I see the interface is up and nmap scans show port 22 is open on the new IP, I'll update this post if anything changes.

===================================================================

End goal: I want to ssh from my host machine into my BashBunny, then pivot from my BashBunny to a remote cloud-hosted webserver, and write a test file to that server.
Host System Used: Debian Linux
Crux: I am unable to acquire an IP address for my BashBunny using bb.sh

Attempts:
1. I tried to perform these actions from Arming Mode using the serial connection, however I learned that I am not able to share my network connection from serial mode and that Arming Mode only allows: Serial and Storage

2. I attempted to run the default payload in order to gain network connectivity:

#!/bin/bash
LED G
ATTACKMODE ECM_ETHERNET STORAGE

My understanding of this code is that it will indicate it is ready when there is a solid green light (LED G) and that it will facilitate Ethernet connectivity and Storage (Last line), it is also my understanding that this initializes a new network interface that can be seen with the commands "ip addr" or "ifconfig -a".

However this new interface does not appear to be configured yet and attempting to run the command

ssh root@172.16.64.1

does not result in the expected login prompt and eventually times out.

3. I've also attempted to run the bb.sh in order to share my hosts network connection, despite not being able to ssh into 172.16.64.1 IP. The script appears to work until you attempt to connect with it, and then it just hangs.

Any ideas on how to ssh into the BashBunny?

 

Thanks, Jay
 

Edited by Jay314
Solution found.
  • Upvote 1
Posted

switch your attackmode to STORAGE ECM_ETHERNET

  • Upvote 1
Posted
8 minutes ago, b0N3z said:

switch your attackmode to STORAGE ECM_ETHERNET

I changed the payload to read:

ATTACKMODE STORAGE ECM_ETHERNET

There doesn't appear to be any change, and I am curious why the ordering would matter?

Posted (edited)

@Lord_KamOS

When mounting /dev/sdb (the BB) to /mnt/external/, the full path to the Payload is:

/mnt/external/payloads/switch1/payload.txt

The contents of the payload reads:

#!/bin/bash
LED G
ATTACKMODE STORAGE ECM_ETHERNET

ifconfig -a entry for the new interface reads:

eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

 

Edited by Jay314
  • Upvote 1
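An added example, not part of any post in this thread: a host-side check that classifies each interface in legacy net-tools `ifconfig -a` output, so a stanza like the eth1 one above (interface created, no UP flag, no `inet addr:` line) is reported as down rather than read as connected. The function names and the eth2/eth3 stanzas are constructed for illustration, and the parser assumes the older ifconfig layout shown in the post.

```shell
#!/bin/sh
# Classify interfaces from legacy `ifconfig -a` output read on stdin.
# Prints "<iface> <state>", where state is:
#   down        no UP flag: the host never brought the link up
#   up-no-ip    UP, but no "inet addr:" line (no DHCP lease or static address)
#   configured  UP with an IPv4 address
classify_ifaces() {
    awk '
        function emit() {
            if (name != "")
                print name, (up ? (ip ? "configured" : "up-no-ip") : "down")
        }
        # A stanza starts on a line that does not begin with whitespace.
        /^[^ \t]/              { emit(); name = $1; up = 0; ip = 0 }
        /inet addr:/           { ip = 1 }
        # Match UP only as a whole flag word, not inside another token.
        /(^|[ \t])UP([ \t]|$)/ { up = 1 }
        END                    { emit() }
    '
}

# Sample input: eth1 is the stanza quoted in the post; eth2 and eth3 are
# constructed stanzas (assumed values) showing the other two states.
sample_ifconfig() {
    cat <<'EOF'
eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

eth2      Link encap:Ethernet  HWaddr 00:11:22:33:44:66
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

eth3      Link encap:Ethernet  HWaddr 00:11:22:33:44:77
          inet addr:172.16.64.10  Bcast:172.16.64.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
EOF
}

sample_ifconfig | classify_ifaces
```

On a live host, pipe the real output in with `ifconfig -a | classify_ifaces`.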
Posted
9 minutes ago, Jay314 said:

When mounting /dev/sdb (the BB) to /mnt/external/, the full path to the Payload is:

/mnt/external/payloads/switch1/payload.txt

The contents of the payload reads:


#!/bin/bash
LED G
ATTACKMODE STORAGE ECM_ETHERNET

ifconfig -a entry for the new interface reads:


eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

 

Strange, I did the exact same thing and got an IP address.

 

Posted

Firstly, what you could do is a live LED update. E.g.

LED W
ATTACKMODE ECM_ETHERNET STORAGE
LED G

Or you could use 'udisk_mount' to mount storage without using the STORAGE attackmode. This, however, does not allow you to access it as a USB.

I can SSH into my Bunny fine on Windows with RNDIS_ETHERNET, I'm not familiar with ECM_ETHERNET for Linux though. Also, there are some driver issues occasionally with ETHERNET modes and STORAGE mode.

Posted
Just now, Lord_KamOS said:

Strange, I did the exact same thing and got an IP address.

 

Can I ask what Operating System you are using?

Posted
Just now, Dave-ee Jones said:

Yeah, so more than likely it's a driver issue...

Driver issue isn't likely, we're talking Linux here, I'm on a Debian system and the BB runs on Debian also...

Posted
Just now, Lord_KamOS said:

Debian 8 

Can you try re-flashing the firmware.

Sure, I'll let you know the results.

  • Upvote 1
Posted
2 minutes ago, Lord_KamOS said:

if that does not work, can you try it on a different computer?

 

 

Sure

  • Upvote 1
Posted
26 minutes ago, Lord_KamOS said:

if that does not work, can you try it on a different computer?

 

 

I just updated to version 1.3, but that didn't seem to make any difference, still not pulling an IP.

Just booted up my other linux system now, I'll let you know whether that solves the problem.

Posted (edited)
46 minutes ago, Lord_KamOS said:

if that does not work, can you try it on a different computer?

 

 

Same results on a different machine (diff processors, diff Network Interface Card, diff mobo, same OS)

It starts a new interface but doesn't generate an IP

Edited by Jay314
  • Upvote 1
Posted

Remember that Linux uses both RNDIS_ETHERNET and ECM_ETHERNET, since it wants to be compatible with both Windows and Unix (Mac). Has the use of both storage and another attack mode worked at the same time before on Linux, or could it be something different?

  • Upvote 1
Posted
1 hour ago, HeadScratchCode said:

If you're doing it on Linux Debian, you should set the payload to RNDIS_ETHERNET

From my experience it doesn't work if I use ECM

It should be the other way around. RNDIS is a windows specific protocol that has support in Linux (though if you look at the source files, you will find comments on how it's kind of hacky). ECM ethernet is the way to go on Linux operating systems.

I have yet to see a full distribution that doesn't support ECM out of the box but supports RNDIS.

  • Upvote 2
Posted

Try taking off STORAGE.  I have done all other combos, including the newly working HID RNDIS_ETHERNET, but never ethernet with storage.  In fact, I can't ssh into my bunny while in arming mode. :-P  I have to make a payload.txt for just the ethernet type of the OS I am on to get an IP.

Posted
3 hours ago, PoSHMagiC0de said:

In fact, I can't ssh into my bunny while in arming mode. :-P  I have to make a payload.txt for just the ethernet type of the OS I am on to get an IP.

That's because arming mode doesn't start Ethernet. Once we have AUTO_ETHERNET working that will change. 

  • Upvote 2
Posted
27 minutes ago, Sebkinne said:

 Once we have AUTO_ETHERNET working that will change. 

Is this what I think it is?  An attack mode that will auto detect the best use ETHERNET attack mode.  

Posted
2 minutes ago, b0N3z said:

Is this what I think it is?  An attack mode that will auto detect the best use ETHERNET attack mode.  

Yup, that's it. I have it working but it's a bit slow. There are some tricks to speed it up though, so once I finish that, I'll push out a new firmware. 

  • Upvote 5
Posted
On 19.6.2017 at 2:51 AM, Jay314 said:

Same results on a different machine (diff processors, diff Network Interface Card, diff mobo, same OS)

It starts a new interface but doesn't generate an IP

Did you get a shell?
