Struthian
Posted November 17, 2017

I want the Bash Bunny to work reasonably well with Windows but not have the same identifiers it comes with. Can Hak5 recommend an alternative VID/PID or SN to use in an attack that disguises the Bash Bunny in a cromulent manner?

I like the OS determination method represented in the WIN93 prank and other payloads. However, on a Windows computer already set up with the Bash Bunny for Ethernet sharing, this does not work well. I also imagine it might not work well on a computer that is actually using the embiggened blue vendor products that you are spoofing instead of the Bash Bunny.

I wonder if, during the development of the Bash Bunny, you had some VID/PID that worked sort of OK which I could spoof, thus having an alternative Ethernet RNDIS device. This could be useful for other payloads too. I'd like to enhance the OS determination of the WIN93 prank to take another try where, if not Windows or Linux, it tries an alt VID/PID/SN mix. I will experiment with this as well.
Struthian (Author)
Posted November 18, 2017

I tried using ATTACKMODE RNDIS_ETHERNET SN_0x12345678 in the WIN93 prank. This worked; evidently it didn't show up as the Windows Sharing Internet connection. Removing the SN caused the payload to fail on a PC with Bunny Windows Internet sharing. So, using the serial number allowed me to play with the prank on a machine that was set up for Windows Internet Sharing.

I then tried ATTACKMODE RNDIS_ETHERNET VID_0x07B2 PID_0x5120. This is for a "Motorola Surfboard" RNDIS device, which I got from a list of USB IDs. This worked in testing on the WIN93 prank payload. However, it created an additional Ethernet device called "Remote NDIS Compatible Device" instead of the "IBM USB Remote NDIS Network Device". I have Bunny Version 1.4_284.

Somewhere in all this, I tried ATTACKMODE STORAGE RNDIS_ETHERNET ... this too created another Ethernet device also called "Remote NDIS Compatible Device". This caused Windows sharing to fail because it was set up with the original Ethernet device. I will see if I can get this working though, and do further experiments. It's a bit odd and I think this should be considered a bug in the Bunny. Also the VID/PID was not the normal one for the Bunny.

USB\VID_F000&PID_FF20&REV_0333&MI_00

What's up with this? Any thoughts from Hak5 Staff? Any experiments to try?

To anyone intending to fool with this stuff - make sure you know how to remove an unwanted driver. You will get a few.
Dave-ee Jones
Posted November 20, 2017

On 11/18/2017 at 1:51 PM, Struthian said:

> I tried using ATTACKMODE RNDIS_ETHERNET SN_0x12345678 in the WIN93 prank. This worked; evidently it didn't show up as the Windows Sharing Internet connection. Removing the SN caused the payload to fail on a PC with Bunny Windows Internet sharing. So, using the serial number allowed me to play with the prank on a machine that was set up for Windows Internet Sharing.
>
> I then tried ATTACKMODE RNDIS_ETHERNET VID_0x07B2 PID_0x5120. This is for a "Motorola Surfboard" RNDIS device, which I got from a list of USB IDs. This worked in testing on the WIN93 prank payload. However, it created an additional Ethernet device called "Remote NDIS Compatible Device" instead of the "IBM USB Remote NDIS Network Device". I have Bunny Version 1.4_284.
>
> Somewhere in all this, I tried ATTACKMODE STORAGE RNDIS_ETHERNET ... this too created another Ethernet device also called "Remote NDIS Compatible Device". This caused Windows sharing to fail because it was set up with the original Ethernet device. I will see if I can get this working though, and do further experiments. It's a bit odd and I think this should be considered a bug in the Bunny. Also the VID/PID was not the normal one for the Bunny.
>
> USB\VID_F000&PID_FF20&REV_0333&MI_00
>
> What's up with this? Any thoughts from Hak5 Staff? Any experiments to try?
>
> To anyone intending to fool with this stuff - make sure you know how to remove an unwanted driver. You will get a few.

I'm confused. When you plug the BB into a PC with an Ethernet mode up it will create the Ethernet adapter, because it's saying "hey, there's an ethernet adapter plugged in". Are you saying that there are 2 different adapters popping up each time you do it?

You also need to keep in mind that the device you're emulating needs to be installed beforehand..I think.
Struthian (Author)
Posted November 22, 2017

Just try it. Try a payload with ETHERNET_RNDIS. Then try a payload with STORAGE ETHERNET_RNDIS.

Go to the Device Manager. In the "View" menu, choose "Show Hidden Devices". You will see there are two Ethernet devices (in addition to what the computer already has). "IBM USB Remote NDIS Network Device" is the former attack mode. "REMOTE NDIS Compatible Device" is the second attack mode (with storage).

If you follow the instructions for "Sharing an Internet Connection from Windows" in the Documentation for the BB, you will see that payloads that use the same attackmode will not work. If you do the sharing with a different attackmode than the payloads, the payloads will work. OR you can add SN_0x12345678 to the attack mode and that will also force a different Ethernet device and all will also be well.

Does this make sense? Try it, you will see that there are different devices in different scenarios. This can also be used to advantage because you may not want to use the BB Ethernet feature the same way all the time.
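
Added example, not part of the thread or of Hak5's code: the posts above observe that a changed serial number or VID/PID makes Windows register a separate RNDIS adapter, so comparing USB instance IDs against a known-good baseline surfaces such adapters whatever identifiers they present. The inventory, the baseline, the placeholder IDs and the name-based RNDIS match are assumptions of this example.

```python
import re

# USB device IDs as Windows reports them:
#   USB\VID_F000&PID_FF20&REV_0333&MI_00   hardware ID quoted in the thread
#   USB\VID_07B2&PID_5120\12345678         instance ID; the tail is the serial
USB_ID = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})"
    r"(?:&REV_(?P<rev>[0-9A-F]{4}))?(?:&MI_(?P<mi>[0-9A-F]{2}))?"
    r"(?:\\(?P<instance>.+))?$",
    re.IGNORECASE,
)

def parse_usb_id(device_id):
    """Split a USB hardware/instance ID into fields; None if it is not USB."""
    m = USB_ID.match(device_id.strip())
    if m is None:
        return None
    return {k: (v.upper() if v else v) for k, v in m.groupdict().items()}

def new_rndis_adapters(current, baseline_ids):
    """Return RNDIS adapters in `current` whose instance ID is not in the baseline.

    current: iterable of (instance_id, friendly_name) pairs
    baseline_ids: instance IDs recorded when the machine was known-good
    Matching on "NDIS" in the name is a simplification for this example.
    """
    known = {b.upper() for b in baseline_ids}
    findings = []
    for instance_id, name in current:
        usb = parse_usb_id(instance_id)
        if usb is None or "NDIS" not in name.upper():
            continue
        if instance_id.upper() not in known:
            findings.append((usb["vid"], usb["pid"], usb["instance"], name))
    return findings

# Constructed inventory. VID_0000/PID_0001 and the serials are placeholders;
# VID_07B2/PID_5120 and SN 12345678 are the values tried in the thread.
BASELINE = [r"USB\VID_0000&PID_0001\000000000001"]
CURRENT = [
    (r"USB\VID_0000&PID_0001\000000000001", "IBM USB Remote NDIS Network Device"),
    (r"USB\VID_0000&PID_0001\12345678", "IBM USB Remote NDIS Network Device"),
    (r"USB\VID_07B2&PID_5120\000000000001", "Remote NDIS Compatible Device"),
    (r"PCI\VEN_0000&DEV_0000\0", "Constructed onboard NIC"),
]

if __name__ == "__main__":
    for finding in new_rndis_adapters(CURRENT, BASELINE):
        print(finding)
```

Because the comparison is on the whole instance ID rather than on an allowlist of VID/PID pairs, an adapter that copies an expected VID/PID but carries a different serial is still reported.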
Dave-ee Jones
Posted November 23, 2017

5 hours ago, Struthian said:

> Just try it. Try a payload with ETHERNET_RNDIS.

Wait, what? RNDIS_ETHERNET you numpty! :P

Unless it was changed without my knowledge..

Also, you may notice it's called a Linux Gadget when it has multiple modes running (Ethernet, Storage, Serial etc.), because that's what it's using to run those modes.
D31M0Z
Posted November 24, 2017

On 11/22/2017 at 6:38 PM, Dave-ee Jones said:

> Wait, what? RNDIS_ETHERNET you numpty! :P
>
> Unless it was changed without my knowledge..

Lol impossiblerrr! :) i lolol'd so hard