WilliamNoGoodDonkey Posted August 12, 2017

So a friend of mine demo'd this very thing using his BB. Now that I have my own, he's apparently overwritten the script or lost it somehow. I'd like to demonstrate this use case, but cannot find anything similar to this. Based on my reading, it seems this shouldn't be possible, considering HID attacks require the machine to be unlocked. I'm rather lost here. Simply put, I want a payload that opens up a text file stating "LOCKING YOUR COMPUTER WON'T KEEP YOUR PC SAFE". Can someone assist me with this?
RazerBlade Posted August 12, 2017

Rather, it seems that locking your PC keeps it safe from HID attacks unless you have the person's login.
WilliamNoGoodDonkey Posted August 13, 2017 (Author)

So nothing as of yet? I was thinking, would it be possible to open a text file from a locked screen? Is that feasible?
Dave-ee Jones Posted August 14, 2017

From what I know of locked Windows machines, you can't run Notepad (or any program) from the logon screen. There is, however, the known "Sticky Keys backdoor" which allows you to replace the Sticky Keys program with CMD, Notepad or whatever, so that when you trigger Sticky Keys (press Shift 5 times) it opens a CMD prompt, Notepad or whatever on the logon screen, allowing you to do all kinds of things, all malicious of course. Other than that, I know of no way of running a program from the logon screen without first doing some stuff to it while it's unlocked (of course, there are other interesting ways like booting to a Linux ISO, HBCD etc.).
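The "Sticky Keys backdoor" mentioned above works by swapping the accessibility helper that the logon screen launches (sethc.exe) for another program. The defender's counterpart is to verify that the file is still the genuine Microsoft-signed binary. The following PowerShell check is an added example, not code from the thread or from Hak5; it assumes a standard Windows install where sethc.exe, cmd.exe and notepad.exe live in System32, and it flags the file if its signature is not valid, its embedded original file name is wrong, or it is byte-identical to cmd.exe or notepad.exe (the replacements named in the post).

```powershell
# Added example (not from the thread): verify that the Sticky Keys helper
# sethc.exe has not been replaced by another program on this machine.
$system32 = Join-Path $env:SystemRoot 'System32'
$target   = Join-Path $system32 'sethc.exe'

# SHA-256 of the programs the post names as typical replacements.
$knownReplacements = @('cmd.exe', 'notepad.exe') | ForEach-Object {
    $path = Join-Path $system32 $_
    [pscustomobject]@{
        Name = $_
        Hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    }
}

$sig  = Get-AuthenticodeSignature -FilePath $target   # catalog-signed OS files report 'Valid'
$hash = (Get-FileHash -Algorithm SHA256 -Path $target).Hash
$findings = @()

# 1. Signature must be valid and issued to Microsoft.
if ($sig.Status -ne 'Valid') {
    $findings += "signature status is '$($sig.Status)', expected 'Valid'"
} elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings += "signer is '$($sig.SignerCertificate.Subject)', not Microsoft"
}

# 2. The version resource of the real file names itself sethc.exe;
#    a renamed copy of cmd.exe still carries 'Cmd.Exe' here.
$origName = (Get-Item $target).VersionInfo.OriginalFilename
if ($origName -and $origName -ne 'sethc.exe') {
    $findings += "OriginalFilename is '$origName', expected 'sethc.exe'"
}

# 3. Direct comparison against the usual replacement binaries.
$match = $knownReplacements | Where-Object { $_.Hash -eq $hash }
if ($match) {
    $findings += "sethc.exe is byte-identical to $($match.Name)"
}

if ($findings.Count -eq 0) {
    "OK: $target looks genuine"
} else {
    $findings | ForEach-Object { "ALERT: $_" }
}
```

Run it from an elevated PowerShell prompt so that every file in System32 can be read. The three checks are deliberately independent: a tampered file that has been re-signed with a non-Microsoft certificate fails check 1, a renamed copy of any built-in tool fails check 2, and check 3 catches the exact replacements discussed in the thread even on a system where signature verification is unavailable.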
PoSHMagiC0de Posted August 14, 2017

I can see the confusion with some people and their vision of the Bash Bunny, due to it being able to be a keyboard, network card, serial or USB storage. Although it seems like it, the extent of the trust the BB has to the system you are plugging into is the extent of access the device you are pretending to be has. Let me summarize why you will not be able to do much with a locked machine with the BB. Let's say the machine is locked and you wanted to use the BB; let's look at the attack modes and what they can do with a locked machine.

HID\Keyboard: On the locked machine, can you do anything from the keyboard that is attached to the machine to launch Notepad? If not, then the BB HID attack mode will not either, as it is emulating a keyboard; its access to the system is as far as what a keyboard can do.

USB Storage: On the locked machine, if you plugged in a USB memory stick, would you be able to launch Notepad on the locked machine? If it is updated you shouldn't be able to read that USB stick until you unlock the machine. Also, autorun is disabled for USB storage sticks, so no dice there.

Network: This can best be described as this. If you hooked a Linux machine onto the network on the same subnet as the victim computer and you have the IP, can you make Notepad pop up on the victim machine while it is locked? Well, you could if you had the right network credentials to remotely launch it, but if you are trying to launch something without unlocking the machine with the BB I am assuming you do not have credentials. The BB's network connection is like that. It is a machine on another subnet, the 172.16.64.0/24 network. The BB does not automatically have access inside the machine but has a network connection to it. But logically, it is another machine connected via network to the victim machine, so all firewall rules and network rules still apply.

The only stuff that will work are network attacks like QuickCreds, which uses Responder and also works on a PC connected to the same network, if we can get the victim to fat-finger a resource name not on the internet or on the subnet. So the most you can do is fiddle with the network traffic, though I have seen locked machines go silent on networks.

Serial: If you plug a serial connection from one computer to the victim, can you remote control it? Well, you cannot unless there is a service listening on that port that allows you to. Since the COM port is created when the driver is installed, that will be a big no.

So, the types of attacks you can do are in essence those of another machine connected logically by traditional connections. The purpose of the BB in a pentest is to execute payloads quickly on a vulnerable machine... most likely one that is unlocked. It uses HID to speedily type commands on the victim machine in combination with the other attack modes for delivery, exfiltration or manipulation. It is up to your imagination what you can do.
Dave-ee Jones Posted August 15, 2017

The best you can do is a network attack: try using Responder or something similar to do a network attack as network administrator.
quentin_lamamy Posted August 22, 2017

On Windows you can't, but on Unix and OS X you can open an invited user, I think, with some Tab and Enter input, and open a text editor.
Dave-ee Jones Posted August 23, 2017

17 hours ago, quentin.lamamy said: "On Windows you can't, but on Unix and OS X you can open an invited user, I think, with some Tab and Enter input, and open a text editor."

I think that first has to be enabled by the Administrator on the Mac (correct me if I'm wrong), but knowing Mac they would have that so tightly locked down you couldn't call "echo hello world".
quentin_lamamy Posted August 23, 2017

4 minutes ago, Dave-ee Jones said: "I think that first has to be enabled by the Administrator on the Mac."

I don't remember, but I think not.