Loot Folder / ATTACKMODE HID STORAGE ISSUE

[heartbleed]

Hi! I've started using the bash bunny and I've noticed that when I use a payload  that uses ATTACKMODE HID STORAGE and use the mkdir command to create a folder inside the loot foolder (PasswordGrabber and WiPassDump for example),  I can't see the folder created by them on the first time. If I change to arming mode and check, the folder appears but empty (and it only appears in arming mode, if i run the first time the payload and dont remove the Bash Bunny, it wont appear)! If i run the payload again, now that the folder is already created (the folder now appears on switch 1 or 2 ) everything works ok.  If I create manually the folder inside the loot folder for the payload, it will work too on the first time.  All that I said is related to ATTACKMODE HID STORAGE, because if I use a payload like QuickCreds, it will create its folder inside loot folder and everything works in the first time!   If I change the ATTACKMODE in PasswordGrabber and WiPassDump to   ATTACKMODE RNDIS_ETHERNET before the "mkdir" comand and then use ATTACKMODE HID STORAGE again right after the "mkdir" command, then these payloads will work for the first time too!! 

So is there any problem with ATTACKMODE HID STORAGE  to create folder inside loot folder for the first time you run a payload? Why this is not happening with payloads that uses ATTACKMODE RNDIS_ETHERNET?

[heartbleed]

I'm using the latest firmware (1.5_298) , I did the Bash Bunny reset procedure (unplug 3 times ,etc etc),  did the "udisk reformat" and updated everything wit Bash Bunny Updater. The payloads are working, the issue above is the only annoying thing.

[heartbleed]

I've found that, if I use ATTACKMODE  only, with no mode , before the mkdir command, and right after mkdir I use ATTACKMODE HID STORAGE, the problems is solved too...example in password grabber:

 

# Options
LOOTDIR=/root/udisk/loot/PasswordGrabber

######## INITIALIZATION ########
LED SETUP
GET SWITCH_POSITION
ATTACKMODE # <----------------------------------------------------------THIS SOLVED THE ISSUE (ATTACKMODE HID STORAGE WAS HERE IN THE ORIGINAL PAYLOAD)

######## MAKE LOOT DIRECTORY ########
# Setup named logs in loot directory
mkdir -p $LOOTDIR

######## ATTACK ########
ATTACKMODE HID STORAGE <---------------------------------- NOW I SET THE ATACKMODE HID STORAGE
LED ATTACK
RUN WIN "powerShell -windowstyle hidden -ExecutionPolicy Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\payload.ps1')"
# Wait until passwords are grabbed.
sleep 25

######## FINISH ########
LED FINISH

[Dave-ee Jones]

What happens if you don't set ATTACKMODE to nothing and don't try and get the SWITCH_POSITION variable (hardcode the directory)?

[PoSHMagiC0de]

Ahh, the Storage/USB issue again.  Not really an issue, just the way USB storage works.

Let us called the bashbunny the host for the USB storage and the PC it is connected to the client for simplicity sake.

If the client mounts the usb storage (the attackmode storage)  and the host makes changes then, the client will not see them.  For those to be seen you could unmount and remount the storage (turning all attackmodes off and on again with attack mode  and then attackmode storage).  The storage has to be resynced.  In linux this might be possible with the "sync" command but have not tried it.  Usually during setup i do all the folder creation the host is going to do before setting the attackmode.

Next, if the client writes or make changes to the storage, the guest may not see the changes until they are synced...or on windows the bunny has to be ejected before the host will see the changes.  This is the explanation why some payloads that use storage and look for changes in the file done by the client are not seen so never complete.

 

I think this topic has been beaten to death over the threads hehehe.

[heartbleed]

23 hours ago, PoSHMagiC0de said:

Ahh, the Storage/USB issue again.  Not really an issue, just the way USB storage works.

Let us called the bashbunny the host for the USB storage and the PC it is connected to the client for simplicity sake.

If the client mounts the usb storage (the attackmode storage)  and the host makes changes then, the client will not see them.  For those to be seen you could unmount and remount the storage (turning all attackmodes off and on again with attack mode  and then attackmode storage).  The storage has to be resynced.  In linux this might be possible with the "sync" command but have not tried it.  Usually during setup i do all the folder creation the host is going to do before setting the attackmode.

Next, if the client writes or make changes to the storage, the guest may not see the changes until they are synced...or on windows the bunny has to be ejected before the host will see the changes.  This is the explanation why some payloads that use storage and look for changes in the file done by the client are not seen so never complete.

 

I think this topic has been beaten to death over the threads hehehe.

I tried to mkdir before the ATTACKMODE , and it works! I did it before your post hehehe, but I had to wait 24 hours to post again hehe.... I saw that there's a pull request of PasswordGraber V2 and the position of ATTACKMODE has changed, right after mkdir. 

 

I still want to know why this doesn't happen with ATTACKMODE RNDIS_EHTERNET.  With this kind of attackmode I can create folders after ATTACKMODE with no problem, like QuickCreds.....

[PoSHMagiC0de]

On 5/19/2018 at 7:59 AM, OblivionX said:

I still want to know why this doesn't happen with ATTACKMODE RNDIS_EHTERNET.  With this kind of attackmode I can create folders after ATTACKMODE with no problem, like QuickCreds.....

Because it is not behaving like a USB storage device but like storage on a separate computer that is on the same, separate subnet as the victim.