0dyss3us Posted January 5, 2018

Windows Persistent Reverse Shell for Bash Bunny

Author: 0dyss3us (KeenanV)
Version: 1.0

Description

Opens a persistent reverse shell through NetCat on victim's Windows machine and connects it back to host attacker.

- Targets Windows 10 (working on support for older versions)
- Connection can be closed and reconnected at any time
- Deploys in roughly 15-20 sec
- Works with NetCat

Requirements

Have a working Bash Bunny :)

STATUS

LED                   STATUS
Purple                Setup
Amber (Single Blink)  Installing and running scripts
Green                 Finished

Installation and Execution

1. Plug in Bash Bunny in arming mode
2. Move files from WindowsPersistentReverseShell to either switch folder
3. Edit the persistence.vbs file and replace ATTACKER_IP with attacker's IP and PORT with whichever port you like to use (I use 1337)
4. Save the persistence.vbs file
5. Unplug Bash Bunny and switch it to the position the payload is loaded on
6. Plug the Bash Bunny into your victim's Windows machine and wait until the final light turns green (about 15-20 sec)
7. Unplug the Bash Bunny and go to attacker's machine
8. Listen on the port you chose in the persistence.vbs file on NetCat
   - Run the command nc -nlvp 1337 (replace the port with the port in persistence.vbs)
   - If using Windows as the attacker machine, you must install Ncat from: http://nmap.org/dist/ncat-portable-5.59BETA1.zip and use the command ncat instead of nc from the directory that you installed ncat.exe.
9. Wait for connection (Should take no longer than 1 minute as the powershell command runs every minute)
10. Once a Windows cmd prompt appears...YOU'RE DONE!! and you can disconnect and reconnect at any time as long as the user is logged in

Download

Click here to download

ItsMe0k Posted January 9, 2018

Going to play with this. Just curious, how come you don't do a pull request and have it put in the main GitHub?

0dyss3us (Author) Posted January 11, 2018

Actually, I just did :) It just hasn't gotten accepted yet. Apparently binaries are not accepted so I've made a couple changes.

PoSHMagiC0de Posted January 11, 2018

I just saw your project. Some other advice with executables is you should not include programs from other programs, like netcat.exe is part of nmap licensed to them. If you want your thing to be binary-less, look at Powercat. Nishang also has a script or two in there for netcat compatible reverse shells.

InfoSecFresh Posted January 3, 2020

Every time I try to run this on Win10 the ps script runs and once cmd.exe pops up there is an error message stating that Windows cannot find the persistence.vbs file. I checked in the AppData directory referenced by the ps script and it is indeed not there. Even when I attempt to manually place it there it still doesn't work. Any idea why?

defaltConnexion Posted January 15, 2020

On 1/3/2020 at 12:32 PM, InfoSecFresh said:
> Every time I try to run this on Win10 the ps script runs and once cmd.exe pops up there is an error message stating that Windows cannot find the persistence.vbs file. I checked in the AppData directory referenced by the ps script and it is indeed not there. Even when I attempt to manually place it there it still doesn't work. Any idea why?

I too am having this problem. It worked the first time on my standard Windows 10 PC, but the more recent version of Windows 10 is not working.

EKwOrld Posted July 24, 2021

Any ideas on how to stop the automatic connection once it has started?

nobbythenoob Posted November 28, 2021

On 1/3/2020 at 7:32 PM, InfoSecFresh said:
> Every time I try to run this on Win10 the ps script runs and once cmd.exe pops up there is an error message stating that Windows cannot find the persistence.vbs file. I checked in the AppData directory referenced by the ps script and it is indeed not there. Even when I attempt to manually place it there it still doesn't work. Any idea why?

Most likely Windows Defender. When I ran the Bash Bunny with this payload, it worked the first time, and then after that Windows Defender did not like it. But that is trivial to get around, just rename some fields and file names and it works fine.

nobbythenoob Posted November 28, 2021

On 7/24/2021 at 2:19 AM, EKwOrld said:
> Any ideas on how to stop the automatic connection once it has started?

Go to: AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Delete the vbs script.
Delete c:\temp\ncat.exe
Kill the ncat process if it is still running.

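The cleanup steps in the post above, as an added PowerShell example that is not part of the original post or of the payload: it reports the Startup-folder .vbs scripts, the c:\temp\ncat.exe binary and any running ncat process, and removes them only when asked. The function name and the -Remove switch are hypothetical; the paths are the ones named in the post.

```powershell
# Added example: audit (and optionally remove) the artifacts named in the post above.
# Find-ReverseShellArtifact and -Remove are hypothetical names; the paths are from the thread.
function Find-ReverseShellArtifact {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$StartupDir = (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
        [string]$NcatPath   = 'C:\temp\ncat.exe',
        [switch]$Remove
    )

    $findings = @()

    # 1. Any .vbs file in the per-user Startup folder is launched at every logon.
    if (Test-Path -LiteralPath $StartupDir) {
        foreach ($file in Get-ChildItem -LiteralPath $StartupDir -Filter '*.vbs' -File -Force) {
            $findings += [pscustomobject]@{ Type = 'StartupScript'; Item = $file.FullName
                                            Detail = "Modified $($file.LastWriteTime)" }
        }
    }

    # 2. The dropped ncat binary; the hash is recorded for the incident notes.
    if (Test-Path -LiteralPath $NcatPath) {
        $hash = (Get-FileHash -LiteralPath $NcatPath -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'Binary'; Item = $NcatPath; Detail = "SHA256 $hash" }
    }

    # 3. Any running ncat process (Item holds the PID, Detail the image path).
    foreach ($proc in Get-Process -Name 'ncat' -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Type = 'Process'; Item = $proc.Id; Detail = $proc.Path }
    }

    if ($Remove) {
        # Stop processes first so the binary is not locked, then delete the files.
        foreach ($f in ($findings | Sort-Object { $_.Type -ne 'Process' })) {
            if (-not $PSCmdlet.ShouldProcess("$($f.Item)", "Remove $($f.Type)")) { continue }
            if ($f.Type -eq 'Process') { Stop-Process -Id $f.Item -Force }
            else                       { Remove-Item -LiteralPath $f.Item -Force }
        }
    }

    $findings   # always return what was found, whether or not it was removed
}

# Report only:            Find-ReverseShellArtifact | Format-Table -AutoSize
# Preview the removal:    Find-ReverseShellArtifact -Remove -WhatIf
```

Run it as the affected user, since the Startup folder is per-user, and review the report before using -Remove: it lists every .vbs file in that folder, not only persistence.vbs.
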
jpm11 Posted February 6, 2022

Windows Defender is blocking the persistence file from being placed in the roaming startup folder. What should I do about this?

dark_pyrro Posted February 7, 2022

I would probably seek another way of doing this. The payload isn't limited to having one possible SPoF (Single Point of Failure), but several. First, using Netcat at all is a trick in the bag that is most likely going to be picked up by Defender. Then, using vbs files is a second way of getting noticed and/or blocked. Letting Netcat touch any storage device is a possible third.

If I would do that operation I would most likely skip using vbs and Netcat. Running the target side entirely in PowerShell could be an alternative and live off the land instead. Persistence could be achieved by using scheduled tasks. Will require that the logged on user is a member of the local Administrators group, but it won't trigger any UAC prompt that needs to be dealt with.

In the end, it all depends on the target and how hardened it is. Some use payloads that disable Defender (or any A-V), but that is not realistic in my opinion since it will create "noise" in any environment worth mentioning. It's possible of course for some targets in less managed and "not looked after" environments, but for a black box engagement, I would most likely not include it in my plan.

Gikone Posted October 19, 2022

I tried this payload today on my BB MKII and it doesn't work anymore. The LED turns purple and you can see how the cmd opens and closes, but after 5 seconds the LED turns green and the Bash Bunny folder appears like in arming mode. Don't know why or how I can solve this.

dark_pyrro Posted October 19, 2022

What target are you using the payload on?

Brotai Posted June 5, 2023

Defender or any AV must be disabled for this to work.

This topic is now archived and is closed to further replies.