Jump to content
Mohamed A. Baset

Metasploit Framework with db_autopwn module on BashBunny

Recommended Posts

Hi Guys, 
I started this thread to have more discussion about automating similar attacks, in this video i managed (after lots of work and fight) to first get ruby run properly then Metasploit framework installed and running + connected it to Postgresql database + db_autopwn running properly on my BashBunny, scanning the bunny IP range 172.16.64.0/24 with db_nmap, then pass the scan results to metasploit exploitation module and bingo, we can exploit a fully locked devices which running vulnerable OSes/Services.

Warning: The video is super long (you are free to escape some minutes) because of the humble specifications of the BashBunny device (i wish we can get an upgraded BashBunny 2.0 with at least 1 or 2 GB of memory and more faster processor for these kind of heavy stuff)

Any questions i'm ready to answer!

Enjoy watching

https://youtu.be/b6U_t8HPKNk

Share this post


Link to post
Share on other sites
2 hours ago, Mohamed A. Baset said:

Any questions i'm ready to answer!

I had no problems with ruby, but installing metasploit and setting it up with postgresql has been a PITA.

I tried watching the movie but even with my laptop on fullscreen the text is pretty small so cant fully see everything. Do you just run the module in the movie? or are you showing the installation process also? I would be interested in the installation step - especially the postgresql setup. would you show this part in more detail please?

Thank you for your contribution!

Share this post


Link to post
Share on other sites

Sorry my bad, my screen resolution is so high. Yes only running the module not the installation process. But what problems are you facing?

Installing postgresql is super easy, just the normal installation process but after finishing the setup there is a trick to add the "postgres" user to the network group so it will be able to listen on the port and access the socket. (This is the trick that costed me lots of time)

+ i did a lot of "sleep"s to avoid the memory issues because of the limitations on the Bunny.
 

Share this post


Link to post
Share on other sites

I have a suggestion. metasploit I'm sure is painfully slow to run on this device.

(I don't own one)

 

You can turn this device into a reverse proxy and run metasploit from a remote machine and tunnel exploits threw.

 

I have been wanting to write a tutorial on how to do this.

Share this post


Link to post
Share on other sites
1 hour ago, Mohamed A. Baset said:

But what problems are you facing?

I didn't install postgresql as it was already present on the BB, maybe that was the issue, or one of them. I was getting an error when trying to do anything with the postgresql database like it wouldn't connect. I documented my efforts here along with other stuff.

I will look into the postgres user thing like you suggest.

34 minutes ago, i8igmac said:

I have been wanting to write a tutorial on how to do this.

Woo sounds cool. If you would write it I would deffo try it.

Share this post


Link to post
Share on other sites
5 hours ago, i8igmac said:

I have a suggestion. metasploit I'm sure is painfully slow to run on this device.

(I don't own one)

 

You can turn this device into a reverse proxy and run metasploit from a remote machine and tunnel exploits threw.

 

I have been wanting to write a tutorial on how to do this.

I don't know if you are familiar with other Hak5 products or not but LanTurtle would be more reliable in the attack scenario you are describing here!

 

Share this post


Link to post
Share on other sites
5 hours ago, Just_a_User said:

I didn't install postgresql as it was already present on the BB, maybe that was the issue, or one of them. I was getting an error when trying to do anything with the postgresql database like it wouldn't connect. I documented my efforts here along with other stuff.

As i mentioned before this might be a 99% an issue with the user priveleges because "postgres" user is not added to the user groups where it can access network, Try: 

usermod -a -G netdev,systemd-network,net_raw postgres

Then tell me if it works or not + the exact problem if exist!

  • Like 1

Share this post


Link to post
Share on other sites
6 hours ago, Mohamed A. Baset said:

Then tell me if it works or not + the exact problem if exist!

That totally solved my issue! I had given up on a full MSF install but this will allow me to continue. Big thanks!

Share this post


Link to post
Share on other sites
Quote

That totally solved my issue! I had given up on a full MSF install but this will allow me to continue. Big thanks!

 

Glad to hear that, I suffered too to finally figure out the real problem. Now we have lots of attack possibilities, Share with me the good stuff you're thinking about tho :)

I'm planning to release my Metasploit Autopwn bashbunny payload very soon.

Edited by Mohamed A. Baset

Share this post


Link to post
Share on other sites

@Mohamed A. Baset how did you install metasploit to the /tools folder?  I installed manually and used the .deb file from rapid7 neither worked.

Share this post


Link to post
Share on other sites
1 hour ago, b0N3z said:

@Mohamed A. Baset how did you install metasploit to the /tools folder?  I installed manually and used the .deb file from rapid7 neither worked.

1. Installed ruby via "rbenv" (2.4.1 armhf is preferred)
2. Cloned Rapid7's metasploit repo inside /tools/
3. cd to /tools/metasploit-framework/
4. gem install bundler
5. bundle install
7. Bingo!

Edited by Mohamed A. Baset
  • Upvote 1

Share this post


Link to post
Share on other sites
On 9/1/2017 at 6:15 PM, Mohamed A. Baset said:

Hi Guys, 
I started this thread to have more discussion about automating similar attacks, in this video i managed (after lots of work and fight) to first get ruby run properly then Metasploit framework installed and running + connected it to Postgresql database + db_autopwn running properly on my BashBunny, scanning the bunny IP range 172.16.64.0/24 with db_nmap, then pass the scan results to metasploit exploitation module and bingo, we can exploit a fully locked devices which running vulnerable OSes/Services.

Warning: The video is super long (you are free to escape some minutes) because of the humble specifications of the BashBunny device (i wish we can get an upgraded BashBunny 2.0 with at least 1 or 2 GB of memory and more faster processor for these kind of heavy stuff)

Any questions i'm ready to answer!

Enjoy watching

https://youtu.be/b6U_t8HPKNk

Hey, thanks so much for the work on this payload. I'm having issues using metasploit, it tells me my database.yml file is not found. Is there any way I can fix this?

Edited by thatalbinofrog

Share this post


Link to post
Share on other sites
On 2017/9/1 at PM4点15分, Mohamed A. Baset said:

嗨大家好, 
我开始这个帖子有更多关于自动化类似攻击的讨论,在这个视频我管理(经过大量的工作和战斗)首先让ruby正常运行然后Metasploit框架安装并运行+连接到Postgresql数据库+ db_autopwn运行正确地在我的BashBunny上,使用db_nmap扫描兔子IP范围172.16.64.0/24,然后将扫描结果传递给metasploit利用模块和宾果游戏,我们可以利用运行易受攻击的操作系统/服务的完全锁定的设备。

警告:由于BashBunny设备的简单规格,视频超长(你可以自由地逃脱几分钟)(我希望我们能够获得升级的BashBunny 2.0,其中至少有1或2 GB的内存,以及更快的处理器)那种沉重的东西)

我准备好回答任何问题!

喜欢看

https://youtu.be/b6U_t8HPKNk

I encountered the same problem using msf5 WARNING: No database support: No database YAML file,,How to fix this problem

Share this post


Link to post
Share on other sites

I run a desktop at home. Linux mint with all my favorite tools like metasploit and ports cinfigurednto accept reverse tcp oayloads on port 4444.

 

Your looking to get a device on a network and then launch post exploitation modules or a better term is pivot your exploits onto the network.

 

The device you place on the network could be anything like a android phone, raspberry pi, bash bunny, network turtle or any device that can run meterpreter_reverse_tcp. 

 

Long story short, you have a device on the target network, install meterpreter on your device and connect back to your metasploit desktop at home. meterpreter already has pivot functionality that would allow your desktop to launch exploits like autopwn onto the target network using your bash-bunny-meterpreter as a tcp pivot point.

 

DESKTOP-> (Exploit-code:445)-> bashbunny

Bashbunny-(exploit-code:445)-> [node-10.0.0.105]

[Node-10.0.0.105]->(payload-shell:4444)-> DESKTOP

 

the point of this, your little devices trying to run metasploit is like a slug racing a rabbit... its just not practical. The performance gains of simply using your turtle as a tcp relay point are huge.

Share this post


Link to post
Share on other sites
21 hours ago, i8igmac said:

the point of this, your little devices trying to run metasploit is like a slug racing a rabbit... its just not practical. The performance gains of simply using your turtle as a tcp relay point are huge.

Give up explaining this.  I did on several different threads about meta on the BB.  All for people experimenting but I always said you will be there for a minute just for Meta to spin up...maybe 2 and another 4-5 for it to get done doing what it is doing.  I know this because I tried running Meta and PowerShell Empire (which is much lighter than Meta) from a Raspberry Pi 3 and Zero.  It takes a bit on the Zero that has more horse power than BB and even took awhile on the Pi 3 (new one) so I know it drags on the BB.

I mentioned this before, it is much better to figure out what you want out of Meta and Bunnyize it to a much smaller the payload designed for just that autopwm and not the autopwn plus the whole huge library Meta brings with it.  Ruby has more overhead on load too so yeah.

So, proceed at your own peril.  Not a project I am persusing since I have lots of Pis and stuff around me I can use as a USB rat or network rat plus other Hak5 products to do that stuff with...like the Lan Turtle with a remote C2 which can be a Pi sitting on the network somewhere.

In my opinion, the BB was meant for quick in and out.  Payloads should take that into consideration.

  • Upvote 1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...