Jump to content

Notepad from Locked PC? Possible?

WilliamNoGoodDonkey

By WilliamNoGoodDonkey
in Payloads

 Share

Recommended Posts

WilliamNoGoodDonkey Newbie

WilliamNoGoodDonkey

Posted
Posted

So a friend of mine demo'd this very thing using his BB. Now that I have my own, he's apparently overwritten the script or lost it somehow. 

I'd like to demonstrate this use case, but cannot find anything similar to this. It seems almost based on my reading that this shouldn't be possible, considering HID attacks require the machine to be unlocked. I'm rather lost here.  Simply put I want a payload that opens up a text file stating "LOCKING YOUR COMPUTER WON'T KEEP YOUR PC SAFE". 

 

Can someone assist me with this? 

Link to comment
Share on other sites
Dave-ee Jones Newbie

Dave-ee Jones

Posted
Posted

From what I know of locked Windows machines is that you can't run Notepad (or any program) from the logon screen.

There is, however, the known "Sticky Keys backdoor" which allows you to replace the Sticky Keys program with CMD, Notepad or whatever so that when you trigger Sticky Keys (press Shift 5 times) it opens a CMD prompt, Notepad or whatever on the logon screen allowing you to do all kinds of things, all malicious of course.

Other than that I know of no way of running a program from the logon screen without first doing some stuff to it while it's unlocked (of course, there are other interesting ways like booting to a Linux iso, HBCD etc.).

Link to comment
Share on other sites
PoSHMagiC0de Rookie

PoSHMagiC0de

Posted
Posted

I can see the confusion with some people and their vision of the Bash Bunny due to it being able to be a keyboard, networkcard, serial or USB storage.  Although it seems like it, the extent of the trust the BB has to the system you are plugging into is the extent of access the device you are pretending to be.  Let me summarize why you will not be able to do much with a locked machine with the BB.

Let say the machine is locked and you wanted to use the BB, lets look at the attack modes and what they can do with a locked machine.

HID\Keyboard:

On the locked machine, can you do anything from the keyboard that is attached to the machine to launch notepad?  If not then BB HID attack mode will not either as it is emulating a keyboard its access to the system is as far as what a keyboard can do.

USB Storage:

On the locked machine, if you plugged in a USB memory stick, will you be able top launch notepad on the locked machine?  If it is updated you shouldn't be able to read that USB stick until you unlock the machine.  Also, autorun is disable for USB Storage sticks so no dice there.

Network:

This can best be described as this.  If you hooked a Linux machine onto the network on the same subnet as the victim computer and you have the IP can you make notepad pop up on the victim machine while it is locked?  Well, you could if you had the right network credentials to remotely launch it but if you are trying to launch something without unlocked the machine with the BB I am assuming you do not have credentials.  The BBs network connections is like that.  It is a machine on another subnet on 172.16.64.0/24 network.  The BB does not automatically have access inside the machine but has a network connection to it.  But logically, it is another machine connected via network to the victim machine so all firewall rules and network rules apply still.  The only stuff that will work are network attacks like QuickCreds that uses responder which also work on a PC connected to the same network if we can get the victim to fat finger a resource name not on the internet or on the subnet.  So most you can do is fiddle with the network traffic though I have seen locked machine go silent on networks.

Serial:

If you plug a serial connection between one computer to the victim can you remote control it.  Well, you cannot unless there is a service listening on that port that allows you to.  Since the com port is created when the driver is installed, that will be a big no.

 

So, the type of attacks you can do are in essence another machine connected logically by traditional connections.  The purpose of the BB in a pentest is to execute payloads quickly on a vulnerable machine...most likely one that is unlocked.  It uses HID to speedily type commands on the victim machine in combination with the other attack modes for delivery, exfiltration or manipulation.  It is up to your imagination what you can do.

Link to comment
Share on other sites
Dave-ee Jones Newbie

Dave-ee Jones

Posted
Posted
17 hours ago, quentin.lamamy said:

On windows you can't, but on unix and osx you can open a invited user i think with some tab and enter input and open a text editor

I think that first has to be enabled by the Administrator on the Mac (correct me if I'm wrong) but knowing Mac they would have that so tightly locked down you couldn't call "echo hello world".

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...