Jump to content

[Nswitch] Payload to increase the number of Switches


fusionjj

Recommended Posts

I am quite new to the Bash Bunny and programming in general - I am literally a n00b, so any feedback or advice would be helpful. 

I am trying to create a payload that can potentially increase the number of switches which may be useful in particular environments such as when you don't have direct access to your own computer, specifically without using STORAGE. The way it works is the following:

In the UDISK directory \payloads\, by default there are only two switches;

Quote

 

switch1

switch2

 

with Nswitch, you can potentially have any number of switches (restricted by the storage of course);

so in addition to the above directories, you can also create:

Quote

 

switch3

switch4

...

switchN

 

Now switch1 is the Nswitch controller - the Nswitch can be changed in two ways, depending on whether you have a lockscreen or not. It is also able to detect the state of the lockscreen (which may be useful in other applications where you can set up two different attacks depending on the state)

If there is no lockscreen - then the Bash Bunny will run a HTTP server, and you can set the switch number from http:\\172.16.64.1 directly.

If there is a lockscreen - then the Bash Bunny will simply increase the value of N incrementally by 1, i.e each time you plug in the device N:=N+1. This also works if you don't have direct access to a computer, you can simply change the switch by repeatedly plugging it into a USB Power Bank (although this may take some time to reach switch6 as you would have to wait for the Bunny to boot up and the LEDs to flash and repeat this 6 times which isn't ideal in every situation)

#!/bin/bash
LED SETUP

ATTACKMODE HID RNDIS_ETHERNET 
GET TARGET_IP
GET HOST_IP
GET SWITCH_POSITION

cd /root/udisk/payloads/$SWITCH_POSITION

if [ -z "${TARGET_IP}" ]; then
    LED FAIL2
	exit 1
fi

if [ ! -f Nswitch.txt ]; then
	echo 0 > Nswitch.txt
fi

LED STAGE1
#Detecting lockscreen
tcpdump -l -i usb0 'icmp and icmp[icmptype]=icmp-echo' -vv > ping &

# Windows OS specific, can change to RUN OSX or RUN UNITY
RUN WIN ping $HOST_IP -n 1

sleep 1
if grep "ICMP" ping > /dev/null
then
        echo 1 > lockscreen
		# Unlocked
		LED G DOUBLE
		#Try Captive portal to overcome some restrictions?
		python -m SimpleHTTPServer 80 &
		while ! nc -z localhost 80; do sleep 0.2; done
else
        echo 0 > lockscreen
		# Locked
		LED R DOUBLE
		N=0; for i in `cat Nswitch.txt`; do N=$((1 + $i)); done; echo $N > Nswitch.txt
fi

cp /root/udisk/payloads/switch$N /root/udisk/payloads/switch1

with

<form name=”web_form” id=”web_form” method=”post” action=”post.php”>
        <p><label>Nswitch:</label><input type=”number” name=”N” id=”N” /></p>
        <input type="submit" value="Ammend">
</form>

and

<?php
$N = $_POST[‘N’];
$fp = fopen(”Nswitch.txt”, a”);
$savestring = $N;
fwrite($savestring);
fclose($fp);
?>

It still isn't complete yet but I have been able to detect the lockscreen state successfully. I did have some issues with the web server at first but this has been mostly resolved, I just need to finish off the code. Before I do, I thought I would get some advice from the Hak5 community on whether this payload would even be useful to other people, and how I could optimize the code or make it better. 

Link to comment
Share on other sites

I should mention, that once you set the switch number N it will automatically copy the files of the directory from \payloads\switchN to the other switch (i.e switch 2 in the example above) and once you unplug the Bunny, change the switch and replug it, it will run the payload from switch N on switch 2.

Link to comment
Share on other sites

I don't mean to discourage you but this has been done twice in a bit more effective manner that doesn't involve risking putting your BB into recovery mode.

One of them is my own - Diodamic (in my signature - it is outdated and needs a rework though, but feel free to look into it's code anyway) and the other in mind is HoppEye.

Basically what it does is uses the switch as a payload chooser. Push one side of the switch to increase the switch number and push the other side to decrease the switch number, the number is represented by the colour of the LED.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...