USB partition corrupted; yet another, "real problems with the bashbunny" thread


TeCHemically

I have been troubleshooting issues with the bashbunny for as long as it has been available. I got mine as soon as it was released; and it has been nothing but problematic from day one; which is a shame. The device, in theory, is probably the best thing Hak5 has ever come out with; but in practice, it has been the least usable in my experience. Many payloads will not run consistently; if they run properly at all. Every payload that makes use of the USB partition (the one thing that should really allow us to accomplish truly amazing feats) is problematic for many of its customers. The bashbunny forum is littered with threads full of people who cannot get any credential payloads to work because USB writing fails; among other problems. Simple ducky payloads that execute fine on the ducky or on nethunter's duckhunter will not inject properly a fair percentage of the time on the bashbunny. I see mixed character case issues where they shouldn't be and other anomalies. I am really hoping the USB corruption issues and the bizarre injection problems I am having are due solely to the fact that I adopted so early and the rest of the devices are not plagued with these issues; as they make the device unusable. I am pleading with Hak5 support here to please provide me with a replacement. I and my friends have poured countless hours of time and ulcers into trying to get this device to work; with, very little and, no lasting success. Anything we get to work once or twice is quickly broken by yet another USB corruption issue or other strange injection anomaly. Please help me. I have gone through every unbricking, reflashing, updating, and udisk reformatting operation that support has given and have tried every firmware available. Nothing seems to be able to salvage this bunny. Help me technolust-ken-obee. You're my only hope...

Link to comment
Share on other sites

A good place to start would probably be a ticket https://hakshop.zendesk.com/hc/en-us/requests/new

You sound like you have lots of repeatable scenarios to describe to them so shouldn't be an issue to demonstrate. Obviously most payloads are community built so can't really be a warranty issue. But if the issue lies with hardware or is maybe a bug in the bashbunny FW/OS then I'm sure Hak5 will sort it out. I have seen great support from them here in the forums and also on IRC. So far I haven't personally needed support but it's nice to know they are there just in case.

Link to comment
Share on other sites

Thanks for your reply. I have gone through several rounds of troubleshooting with this device with Hak5 support. I'm kinda feeling out the community wondering if my issues are being felt elsewhere. I can see many more problem threads in the BB forums than I remember seeing in any of the other Hak5 device forums I have participated in. I am REALLY hoping this is just an issue with my device and that I'll be able to get a replacement and get this working. I am a huge fan of what this device is supposed to be able to do and I would love to start sharing my payloads and begin singing its praises as I had hoped I would be by now. The ducky is a great stable tool for me and I have 3 different pineapples (along with other random hakshop accessories); the bunny is the only device that has been this problematic. I have been a Hak5 since they were on the east coast. So, I'm no stranger to the scene. Please, any who are having no issues with their bunny, do weigh in! I'd love to hear that I am an isolated incident.

Link to comment
Share on other sites

7 hours ago, TeCHemically said:

I have gone through several rounds of troubleshooting with this device with Hak5 support

So I assume each time the issue was resolved?

7 hours ago, TeCHemically said:

I'm kinda feeling out the community wondering if my issues are being felt elsewhere

Well, maybe just me but it seems a bit more than that. E.g. the title of this thread seems quite passive aggressive and not just asking if others are having similar issues...

7 hours ago, TeCHemically said:

I can see many more problem threads in the BB forums than I remember seeing in any of the other Hak5 device forums

Do they have the exact same issue as you? There has been an issue with firmware updates that has been discovered and resolved, an issue with strings ending with .txt that is also sorted. Anything else seems tied to community payloads and not the bashbunny itself. I think during the evolution of the bashbunny fw they had to make some changes to the firmware which may have borked some original payloads written for FW 1.10/1.1 but the changes are for the best in the long run. These are the issues with early adoption, but to some it is also quite a fun stage of the process. I'm sure the ducky may have also had initial issues before being as solid as it is today.

7 hours ago, TeCHemically said:

I have been a Hak5 since they were on the east coast. So, I'm no stranger to the scene. Please, any who are having no issues with their bunny, do weigh in! I'd love to hear that I am an isolated incident.

I have had a Bashbunny since release, granted I haven't used many of the cred stealing payloads but I have been using mine almost daily in combination with my tetra. It has been reset and reinstalled more times than I can shake a stick at. It still does what it is supposed to. I'm sure you're maybe just venting some frustration but I am unsure a new bunny will resolve the issues you're experiencing.

As always every contribution to any of the products is always valuable and I'm sure yours are also valuable. It would be amazing if you could find the exact issue where something could be done about it other than general not working statement. You know dmesg, logread, what payload/action, etc etc maybe there is a common factor that's being overlooked.

Link to comment
Share on other sites

Welp....

First thing first, Hak5 provides us just the tool to do the job, not the payloads. Payloads are provided by the community. Hak5 offers a repo for those payloads to make it easier for people to have a 1 stop shop to download them. They do not guarantee their functionality. If there is an issue with a payload, it is best to hit up the author who signs their name in the payload.txt. If they are active still on the forums or still supporting it is a totally different story.

There is a known thing with USB drives with a process called ejecting, especially on Windows machines. If USB drives are not properly ejected before being removed, over time the data on them can become corrupted to the point the drive will need to be reformatted. This is no exception to the BB in storage mode. Many contributors that use the storage mode have come back to adapt their payloads to this by adding routines to eject the BB after file copy operations. Also the readonly storage mode is immune to this if you do not need to copy anything to the BB.

I have opted to change payloads. Those that don't work, I make work if they can. Storage payloads, if I like their routine, I switch their delivery or exfiltration to SMB.

Windows 10 issues. A whole lot of credential payloads will not work on Windows 10. The current version of the Powershell version of Mimikatz does not contain the updated binary to work on Windows 10 so most payloads that utilize it will not work. I think the best you can hope for is hashes from the sam. Using out-minidump and even sysinternals procdump are ineffective to get lsass memdump which is how mimi works. The new version was adjusted to be able to do this again but not incorporated in the powershell version and I tried incorporating it to no avail as far as automation goes. Detection by defender is still there too, even if done all in memory. So, Windows 10 is hardened. Clear text credential dumping is hard from it and best you can do is go after credentials from other programs like browsercreds and stuff.

 

Ultimately, Hak5 just provides us the base tool.  The usage of it is in the beholder's hands.

Link to comment
Share on other sites
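An added example, not part of any post in this thread: the unsafe-removal corruption described above leaves markers on a FAT volume that can be read directly, which helps separate "the host did not dismount cleanly" from a hardware fault. It assumes the Bash Bunny storage partition is FAT16/FAT32 (the thread does not say); the function names and the sample image are constructed for illustration.

```python
import struct

def fat_unmount_markers(image: bytes) -> dict:
    """Read the 'not cleanly dismounted' markers a FAT16/FAT32 volume carries."""
    boot = image[:512]
    if len(boot) < 512 or boot[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature; not a FAT boot sector")
    bytes_per_sector, = struct.unpack_from("<H", boot, 11)
    reserved_sectors, = struct.unpack_from("<H", boot, 14)
    fat_size_16, = struct.unpack_from("<H", boot, 22)
    is_fat32 = fat_size_16 == 0            # FAT32 keeps its FAT size at offset 36
    # Volume state byte: bit 0 stays set if the last mount was not closed cleanly.
    state = boot[0x41 if is_fat32 else 0x25]
    fat_start = bytes_per_sector * reserved_sectors
    # FAT[1] high bits: "clean shutdown" and "no I/O error" (set = good).
    if is_fat32:
        fat1, = struct.unpack_from("<I", image, fat_start + 4)
        clean_bit, io_ok_bit = 0x08000000, 0x04000000
    else:                                   # FAT12 has no such bits; FAT16 assumed
        fat1, = struct.unpack_from("<H", image, fat_start + 2)
        clean_bit, io_ok_bit = 0x8000, 0x4000
    return {
        "fat_type": "FAT32" if is_fat32 else "FAT16",
        "boot_dirty_flag": bool(state & 0x01),
        "clean_shutdown": bool(fat1 & clean_bit),
        "io_errors_seen": not (fat1 & io_ok_bit),
    }

def make_sample_fat32(dirty: bool) -> bytes:
    """Constructed sample: boot sector plus the first two FAT32 entries."""
    img = bytearray(512 * 33)
    struct.pack_into("<H", img, 11, 512)    # bytes per sector
    struct.pack_into("<H", img, 14, 32)     # reserved sectors before the FAT
    img[0x41] = 0x01 if dirty else 0x00
    img[510:512] = b"\x55\xaa"
    fat1 = 0x07FFFFFF if dirty else 0x0FFFFFFF   # clear bit 27 when dirty
    struct.pack_into("<II", img, 512 * 32, 0x0FFFFFF8, fat1)
    return bytes(img)

if __name__ == "__main__":
    for label, dirty in (("yanked while mounted", True), ("safely ejected", False)):
        print(label, fat_unmount_markers(make_sample_fat32(dirty)))
```

A volume that still shows the dirty markers straight after a reformat and a safe eject points away from the payloads and toward the host or the device.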

Thanks for all of your feedback. The payloads I am using have ejecting routines built in for this very purpose; but since the storage corruption issues prevent the payloads from executing properly it nullifies the effect the routine is intended to have. I am quite frustrated; and I am sure that is coming across in my conveyance. I don't mean to be passive aggressive at all. That is contrary to my nature. I am just trying to figure out what needs to be done to resolve these seemingly unsolvable issues. My email communications with Hak5 support have not resolved these issues. The bunny has been reformatted, reflashed, etc. several times over the course of the past few weeks and its performance seems to only be getting worse. If it was as simple as that I would be ecstatic right now; but unfortunately, that has not been the case. Every payload, to some degree, is failing with this unit. This is why I believe it's an issue with the device itself. I understand the payloads are community driven and not the responsibility of Hak5; but when nothing works consistently, then the only other place to look is the device itself.

Link to comment
Share on other sites

Welp, to fix your udisk being corrupted, if you can ssh into the BB there is a command you can run to reformat the udisk.  It will erase everything on it and make it default so will need your payloads again but will get it uncorrupted.

On the BB run:

udisk reformat

That will reformat the arming partition you see as USB storage.

Link to comment
Share on other sites

18 minutes ago, PoSHMagiC0de said:

Welp, to fix your udisk being corrupted, if you can ssh into the BB there is a command you can run to reformat the udisk.  It will erase everything on it and make it default so will need your payloads again but will get it uncorrupted.

On the BB run:


udisk reformat

That will reformat the arming partition you see as USB storage.

I ran that; and after the reboot as soon as it booted and I tried to unmount the device, I got an error that said files were in use. I'm investigating potential issues with my PC. It's the only other common item in these situations. Making sure all related hotfixes for USB drivers, updated drivers, etc. are installed. Hopefully this resolves the issue and I'll be able to reformat and get this bunny going again. I'll report back. Thanks for the feedback guys! :)

Link to comment
Share on other sites

6 hours ago, PoSHMagiC0de said:

You run Avast or some other AV? I know with Avast if you have it set it will scan any USB drive you connect automatically. I predominantly work with the BB from a *Nix setup to avoid Windows getting in the way on its own fruition.

I updated all related USB drivers and installed all MS USB, RNDIS, and any other "recommended" fixes that sounded like they could even be remotely related just to be sure it wasn't my machine causing this.

I only use MBAM for AV and it has rules not to mess with certain drive letters where my tools mount. I ran udisk reformat again today. Then was able to unmount properly. Plugged it back in, and no power. It didn't come on at all. I unplugged then plugged it back in and it booted up. I ran the bunny updater, it found a new firmware version which I thought was odd because I didn't think udisk reformat was supposed to revert it back to an older firmware. I have been on version 1.4. This has happened before as well. I have also gone through the unbricking process after being on 1.4 and afterwards it was NOT on an older firmware; something I thought WAS supposed to happen as a result of that process (correct me if I am mistaken guys). So, after the bunny updater pulls down the firmware it tells me to eject. I try and again it fails just as before: "'BashBunny (O:)' is currently in use. Save any open files on this disc, and then close the files or programs using the files before trying again. If you choose to continue, the files will be closed, which might cause data to be lost." So, whatever corruption issue I keep seeing over the past few weeks is not being resolved by udisk reformat. This thing has me wanting to tear out my hair. 

Link to comment
Share on other sites

Just tried to run my first payload after the reformat and it failed on the first operation where the payload creates a directory because it says the file system is corrupted. I even got it to unmount successfully after I put the payload on there before I ran it. If I open a powershell window and try to create the directory I get the same error. This is what fails:

 

Q DELAY 6000
Q GUI r
Q DELAY 1000
Q STRING POWERSHELL
Q ENTER
Q DELAY 1500
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \|  Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 1500

Q STRING \$LOOTDIR2 \= \"\$\(\$Bunny\)\\loot\\JackRabbit\\\$\(\$env:computername\)-\$\(\$env:username\)\"
Q ENTER
Q DELAY 1500
Q STRING md \$LOOTDIR2\\
Q ENTER
Q DELAY 1000

 

This is the command that fails: Q STRING md \$LOOTDIR2\\

Link to comment
Share on other sites

5 hours ago, TeCHemically said:

ran the bunny updater, it found a new firmware version which I thought was odd because I didn't think udisk reformat was supposed to revert it back to an older firmware

It tried to do the same with me, I assumed it was just checking for the presence of the file in the root of the bunny storage dir and removed the fw file (I was just testing it out). I usually do it manually anyway.

5 hours ago, TeCHemically said:

So, after the bunny updater pulls down the firmware it tells me to eject. I try and again it fails just as before: "'BashBunny (O:)' is currently in use.

You are using the "safely eject" right? On my Linux OS especially on larger files I have to wait a few seconds before all activity has ended and I can unplug. If you're not safely ejecting the drive that could be causing the corruption. Also like @PoSHMagiC0de says your AV could also be running a drive scan which could also extend the safe ejection process. It wouldn't surprise me if it's Windows/AV causing this, so feel free to try a live Linux distro, it would be interesting to see if that resolves your issue on the setup side. Not sure about the payload side as I would need to test myself.

5 hours ago, TeCHemically said:

This thing has me wanting to tear out my hair. 

Don't do that, no bunny is worth going bald for :)

Link to comment
Share on other sites

On 11/8/2017 at 1:34 AM, Just_a_User said:

It tried to do the same with me, I assumed it was just checking for the presence of the file in the root of the bunny storage dir and removed the fw file (I was just testing it out). I usually do it manually anyway.

You are using the "safely eject" right? On my Linux OS especially on larger files I have to wait a few seconds before all activity has ended and I can unplug. If you're not safely ejecting the drive that could be causing the corruption. Also like @PoSHMagiC0de says your AV could also be running a drive scan which could also extend the safe ejection process. It wouldn't surprise me if it's Windows/AV causing this, so feel free to try a live Linux distro, it would be interesting to see if that resolves your issue on the setup side. Not sure about the payload side as I would need to test myself.

Don't do that, no bunny is worth going bald for :)

Thanks for your reply. Yes, I am safely ejecting; and my AV is set to not interact with the drive letters that my externals mount to.

Link to comment
Share on other sites

Well, I have some ok news and some great news guys. Firstly, thanks to all who assisted me in troubleshooting my issues with my bashbunny. The "ok news" is that I am not crazy, or just plain dumb in the head, and the bashbunny that I have is indeed defective. The "great news" is that Hak5, the kind folks that they are, have been able to verify my suspicions and are getting me a replacement device. Seriously, thanks again to all who helped me troubleshoot this device. I am sincerely grateful for all of your time and suggestions. I am looking forward to my bunny's arrival so I can get to work on the new payloads I have cooking up. I think I have a pretty nice recipe brewing here! :)

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
