Metasploit Framework with db_autopwn module on BashBunny

[Mohamed A. Baset]

Hi Guys, 
I started this thread to have more discussion about automating similar attacks, in this video i managed (after lots of work and fight) to first get ruby run properly then Metasploit framework installed and running + connected it to Postgresql database + db_autopwn running properly on my BashBunny, scanning the bunny IP range 172.16.64.0/24 with db_nmap, then pass the scan results to metasploit exploitation module and bingo, we can exploit a fully locked devices which running vulnerable OSes/Services.

Warning: The video is super long (you are free to escape some minutes) because of the humble specifications of the BashBunny device (i wish we can get an upgraded BashBunny 2.0 with at least 1 or 2 GB of memory and more faster processor for these kind of heavy stuff)

Any questions i'm ready to answer!

Enjoy watching

https://youtu.be/b6U_t8HPKNk

[Just_a_User]

2 hours ago, Mohamed A. Baset said:

Any questions i'm ready to answer!

I had no problems with ruby, but installing metasploit and setting it up with postgresql has been a PITA.

I tried watching the movie but even with my laptop on fullscreen the text is pretty small so cant fully see everything. Do you just run the module in the movie? or are you showing the installation process also? I would be interested in the installation step - especially the postgresql setup. would you show this part in more detail please?

Thank you for your contribution!

[Mohamed A. Baset]

Sorry my bad, my screen resolution is so high. Yes only running the module not the installation process. But what problems are you facing?

Installing postgresql is super easy, just the normal installation process but after finishing the setup there is a trick to add the "postgres" user to the network group so it will be able to listen on the port and access the socket. (This is the trick that costed me lots of time)

+ i did a lot of "sleep"s to avoid the memory issues because of the limitations on the Bunny.
 

[i8igmac]

I have a suggestion. metasploit I'm sure is painfully slow to run on this device.

(I don't own one)

 

You can turn this device into a reverse proxy and run metasploit from a remote machine and tunnel exploits threw.

 

I have been wanting to write a tutorial on how to do this.

[Just_a_User]

1 hour ago, Mohamed A. Baset said:

But what problems are you facing?

I didn't install postgresql as it was already present on the BB, maybe that was the issue, or one of them. I was getting an error when trying to do anything with the postgresql database like it wouldn't connect. I documented my efforts here along with other stuff.

I will look into the postgres user thing like you suggest.

34 minutes ago, i8igmac said:

I have been wanting to write a tutorial on how to do this.

Woo sounds cool. If you would write it I would deffo try it.

[Mohamed A. Baset]

5 hours ago, i8igmac said:

I have a suggestion. metasploit I'm sure is painfully slow to run on this device.

(I don't own one)

 

You can turn this device into a reverse proxy and run metasploit from a remote machine and tunnel exploits threw.

 

I have been wanting to write a tutorial on how to do this.

I don't know if you are familiar with other Hak5 products or not but LanTurtle would be more reliable in the attack scenario you are describing here!

 

[Mohamed A. Baset]

5 hours ago, Just_a_User said:

I didn't install postgresql as it was already present on the BB, maybe that was the issue, or one of them. I was getting an error when trying to do anything with the postgresql database like it wouldn't connect. I documented my efforts here along with other stuff.

As i mentioned before this might be a 99% an issue with the user priveleges because "postgres" user is not added to the user groups where it can access network, Try: 

usermod -a -G netdev,systemd-network,net_raw postgres

Then tell me if it works or not + the exact problem if exist!

[Just_a_User]

6 hours ago, Mohamed A. Baset said:

Then tell me if it works or not + the exact problem if exist!

That totally solved my issue! I had given up on a full MSF install but this will allow me to continue. Big thanks!

[Mohamed A. Baset]

Quote

That totally solved my issue! I had given up on a full MSF install but this will allow me to continue. Big thanks!

 

Glad to hear that, I suffered too to finally figure out the real problem. Now we have lots of attack possibilities, Share with me the good stuff you're thinking about tho :)

I'm planning to release my Metasploit Autopwn bashbunny payload very soon.

[Mohamed A. Baset]

@Sebkinne @Darren Kitchen
This must be configured in the next bunny update to add "postgres" user in the network user group

usermod -a -G netdev,systemd-network,net_raw postgres

What do you think?

[Mohamed A. Baset]

And finally i did the PR: https://github.com/hak5/bashbunny-payloads/pull/242

Waiting for approval!

[b0N3z]

@Mohamed A. Baset how did you install metasploit to the /tools folder?  I installed manually and used the .deb file from rapid7 neither worked.

[Mohamed A. Baset]

1 hour ago, b0N3z said:

@Mohamed A. Baset how did you install metasploit to the /tools folder?  I installed manually and used the .deb file from rapid7 neither worked.

1. Installed ruby via "rbenv" (2.4.1 armhf is preferred)
2. Cloned Rapid7's metasploit repo inside /tools/
3. cd to /tools/metasploit-framework/
4. gem install bundler
5. bundle install
7. Bingo!

[thatalbinofrog]

On 9/1/2017 at 6:15 PM, Mohamed A. Baset said:

Hi Guys, 
I started this thread to have more discussion about automating similar attacks, in this video i managed (after lots of work and fight) to first get ruby run properly then Metasploit framework installed and running + connected it to Postgresql database + db_autopwn running properly on my BashBunny, scanning the bunny IP range 172.16.64.0/24 with db_nmap, then pass the scan results to metasploit exploitation module and bingo, we can exploit a fully locked devices which running vulnerable OSes/Services.

Warning: The video is super long (you are free to escape some minutes) because of the humble specifications of the BashBunny device (i wish we can get an upgraded BashBunny 2.0 with at least 1 or 2 GB of memory and more faster processor for these kind of heavy stuff)

Any questions i'm ready to answer!

Enjoy watching

https://youtu.be/b6U_t8HPKNk

Hey, thanks so much for the work on this payload. I'm having issues using metasploit, it tells me my database.yml file is not found. Is there any way I can fix this?

[lengquan]

On 2017/9/1 at PM4点15分, Mohamed A. Baset said:

嗨大家好， 
我开始这个帖子有更多关于自动化类似攻击的讨论，在这个视频我管理（经过大量的工作和战斗）首先让ruby正常运行然后Metasploit框架安装并运行+连接到Postgresql数据库+ db_autopwn运行正确地在我的BashBunny上，使用db_nmap扫描兔子IP范围172.16.64.0/24，然后将扫描结果传递给metasploit利用模块和宾果游戏，我们可以利用运行易受攻击的操作系统/服务的完全锁定的设备。

警告：由于BashBunny设备的简单规格，视频超长（你可以自由地逃脱几分钟）（我希望我们能够获得升级的BashBunny 2.0，其中至少有1或2 GB的内存，以及更快的处理器）那种沉重的东西）

我准备好回答任何问题！

喜欢看

https://youtu.be/b6U_t8HPKNk

I encountered the same problem using msf5 WARNING: No database support: No database YAML file,,How to fix this problem

[i8igmac]

I run a desktop at home. Linux mint with all my favorite tools like metasploit and ports cinfigurednto accept reverse tcp oayloads on port 4444.

 

Your looking to get a device on a network and then launch post exploitation modules or a better term is pivot your exploits onto the network.

 

The device you place on the network could be anything like a android phone, raspberry pi, bash bunny, network turtle or any device that can run meterpreter_reverse_tcp. 

 

Long story short, you have a device on the target network, install meterpreter on your device and connect back to your metasploit desktop at home. meterpreter already has pivot functionality that would allow your desktop to launch exploits like autopwn onto the target network using your bash-bunny-meterpreter as a tcp pivot point.

 

DESKTOP-> (Exploit-code:445)-> bashbunny

Bashbunny-(exploit-code:445)-> [node-10.0.0.105]

[Node-10.0.0.105]->(payload-shell:4444)-> DESKTOP

 

the point of this, your little devices trying to run metasploit is like a slug racing a rabbit... its just not practical. The performance gains of simply using your turtle as a tcp relay point are huge.

[PoSHMagiC0de]

21 hours ago, i8igmac said:

the point of this, your little devices trying to run metasploit is like a slug racing a rabbit... its just not practical. The performance gains of simply using your turtle as a tcp relay point are huge.

Give up explaining this.  I did on several different threads about meta on the BB.  All for people experimenting but I always said you will be there for a minute just for Meta to spin up...maybe 2 and another 4-5 for it to get done doing what it is doing.  I know this because I tried running Meta and PowerShell Empire (which is much lighter than Meta) from a Raspberry Pi 3 and Zero.  It takes a bit on the Zero that has more horse power than BB and even took awhile on the Pi 3 (new one) so I know it drags on the BB.

I mentioned this before, it is much better to figure out what you want out of Meta and Bunnyize it to a much smaller the payload designed for just that autopwm and not the autopwn plus the whole huge library Meta brings with it.  Ruby has more overhead on load too so yeah.

So, proceed at your own peril.  Not a project I am persusing since I have lots of Pis and stuff around me I can use as a USB rat or network rat plus other Hak5 products to do that stuff with...like the Lan Turtle with a remote C2 which can be a Pi sitting on the network somewhere.

In my opinion, the BB was meant for quick in and out.  Payloads should take that into consideration.