Jump to content

how to open folder on target as decoy then script?


Samyo
 Share

Recommended Posts

Hello, Can someone please help me code the following.

Upon inserting the BB, I would like a folder to open with my pictures in it (not copied into the target), so someone could look at them. While this is happening I want to run a script (that part is fine). This is on a Windoze 10 system. 

I am also very happy for a direction to this info.

Thank you in advance.

Link to comment
Share on other sites

Hi @Samyo,

so you want to insert the BashBunny to the victim and show the user some pictures on the STORAGE (ATTACKMODE STORAGE), right? I did a "Social Engineering Wait" which you can find on Github:

https://github.com/hak5/bashbunny-payloads/pull/328

Link to comment
Share on other sites

Issue I see is how are you going to execute your script when the picture or whatever has focus.  At any time if the victim is watching their machine they will see the quack commands because you will need the window you are typing them in to have focus.  Them clicking off the window will break focus and break the payload.

Link to comment
Share on other sites

21 minutes ago, Dave-ee Jones said:

One question - how do you put the Bash Bunny into their PC while they're using it without them noticing? It's not like a small bluetooth adapter for a mouse/keyboard, it's pretty big and has flashing LEDs..

The user is aware of the bunny. Samy here has pictures in his bunny. He is making the guy beleive its a normal USB. He wants to excecute payloads while showing pictures in the bunny. His best bet is using vbs. It can be hella silent but ofc you need powershell to launch it..

Link to comment
Share on other sites

9 minutes ago, Rinilyn said:

The user is aware of the bunny. Samy here has pictures in his bunny. He is making the guy beleive its a normal USB. He wants to excecute payloads while showing pictures in the bunny. His best bet is using vbs. It can be hella silent but ofc you need powershell to launch it..

vbs, ps1, compiled exe in native or .net, you can make them all silent.  Question is how is the payload firing off while they are looking at pictures?  I avoided this topic because I knew it would be a rabbit hole.  Here is why.

So, how are the pic folders going to display.  USB storage shows the whole UDisk and autorun no workie on USB flash drives.  So, you need them to browse pictures on BB and not payloads or loot or all the other folders.

Next, you need a way to execute the script.  Quacking it will take control of the keyboard and start popping up stuff and typings.  Only way I can see is tricking the user to click on a shortcut which would launch your payload and then show the pic folders but the question becomes how does the shortcut lnk file know what drive the BB was assigned to point at everything correctly.  Of course you could use powershell to load an ad-hoc agent (yes I love calling the code that starts or facilitates a whole remote process as the agent) of your making to get the drive and all that, fire off the payload and then fire of an explorer process pointing to the now known drive of the BB and pictures.

Ultimately, the BB is going to have to quack the payload or the user is going to have to click on a payload/launcher that maybe disguised as a pic to initiate the malware.

Link to comment
Share on other sites

20 minutes ago, Rinilyn said:

The user is aware of the bunny. Samy here has pictures in his bunny. He is making the guy beleive its a normal USB. He wants to excecute payloads while showing pictures in the bunny. His best bet is using vbs. It can be hella silent but ofc you need powershell to launch it..

4 minutes ago, PoSHMagiC0de said:

So, how are the pic folders going to display.  USB storage shows the whole UDisk and autorun no workie on USB flash drives.  So, you need them to browse pictures on BB and not payloads or loot or all the other folders.

Create a separate partition, make the Bunny mount that instead of the default USB storage (which causes it to hide the default USB storage where all the suspicious files are), and let it act as a normal USB while doing stuff in the background. You can do all this by not setting an ATTACKMODE and doing it manually via a payload script (because that's what payload scripts are for, they run on startup..).

5 minutes ago, PoSHMagiC0de said:

Next, you need a way to execute the script.  Quacking it will take control of the keyboard and start popping up stuff and typings.  Only way I can see is tricking the user to click on a shortcut which would launch your payload and then show the pic folders but the question becomes how does the shortcut lnk file know what drive the BB was assigned to point at everything correctly.  Of course you could use powershell to load an ad-hoc agent (yes I love calling the code that starts or facilitates a whole remote process as the agent) of your making to get the drive and all that, fire off the payload and then fire of an explorer process pointing to the now known drive of the BB and pictures.

One thing you've forgotten is the Bash Bunny is a PC all on it's own, so it doesn't have to rely on another PC to do something for it to have to do something. It can still execute scripts and things on itself while the payload is running. While it might mean you can't use HID to do anything, you can still do other network-based stuff. Other things like responder, HTTP/Python servers (still can't do much with them but you could potentially figure something out) and other stuff like that. If you could mount the PC as a client of the BB then you could do a bit more, like copying files to it or whatever.

Link to comment
Share on other sites

Still, no can do without noticeable interaction.  The PC will need to be told to be a client some how on the pc.  You can run all the stuff you want on the bunny but it is like another machine physically separated from the PC even though it is plugged into the usb port.  Unless there is a service on that PC that is looking for something to come up on the USB port that it wants to interact with.  Network is same thing, you need a network service to interact with, credentials most likely for that service or an exploit.  Only device that can immediately interact directly with the PC the BB can do is HID but it is visible.

Link to comment
Share on other sites

Hello, and a big thank you GermanNoob, Rinilyn, Dave-ee Jones, PoSHMagiC0de for your contribution to the solution.

Rinilyn is correct in that the user will be passed the USB to view the pictures.

I'm hoping I can use your input and device a solution. ALL your input has been very valuable to me in further understanding the BB and its functions.

I sincerely thank you all.

Regards, Samyo

Link to comment
Share on other sites

@PoSHMagiC0de,

for sure you are right... What I'm doing in the social engineering attack is:

  1. ask the legit user to print a file for me, that's on the BB
  2. connecting the BB with ATTACKMODE STORAGE and SEWAIT
  3. getting the legit user to pick up the print out or talking about something completely different (i.e. getting his attention away from the display)
  4. changing switch position to get the payload executed
Link to comment
Share on other sites

Hello again, @GermanNoob, @Rinilyn , @Dave-ee Jones , @PoSHMagiC0de and greetings to my fellow aliens.

What I initial hoped to do was to place a folder with the images in the same switch as the code and open the folder with some programming voodoo (when the BashBunny is inserted), so the images can be selected at will.I gather though, from the suggestions here, that this is not possible.

I again thank you for putting your minds to this. As an amoeba-noob (had to distinguish myself from @GermanNoob, who is far beyond my noobness), your suggestions and critiques have set me in new directions and understandings. Since a relative small number of people respond to these chats, I am positive that there are many out there reading these thoughts and leaning from them as well.

 

Regards,

Samyo

Link to comment
Share on other sites

33 minutes ago, Sebkinne said:

Having a decoy partition with STORAGE_DECOY makes a lot of sense to me and we will be adding this to the firmware soon.

Yeah, that's what I was thinking of, and I was reminded of a rumour about this previously but I'm not sure where from.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...