fusionjj Posted June 20, 2018

I am quite new to the Bash Bunny and programming in general - I am literally a n00b, so any feedback or advice would be helpful.

I am trying to create a payload that can potentially increase the number of switches, which may be useful in particular environments such as when you don't have direct access to your own computer, specifically without using STORAGE.

The way it works is the following: in the UDISK directory \payloads\, by default there are only two switches;

    switch1
    switch2

With Nswitch, you can potentially have any number of switches (restricted by the storage, of course); so in addition to the above directories, you can also create:

    switch3
    switch4
    ...
    switchN

Now switch1 is the Nswitch controller. The Nswitch can be changed in two ways, depending on whether you have a lockscreen or not. It is also able to detect the state of the lockscreen (which may be useful in other applications where you can set up two different attacks depending on the state).

If there is no lockscreen, then the Bash Bunny will run an HTTP server, and you can set the switch number from http://172.16.64.1 directly.

If there is a lockscreen, then the Bash Bunny will simply increase the value of N incrementally by 1, i.e. each time you plug in the device N:=N+1. This also works if you don't have direct access to a computer: you can simply change the switch by repeatedly plugging it into a USB Power Bank (although this may take some time to reach switch6, as you would have to wait for the Bunny to boot up and the LEDs to flash and repeat this 6 times, which isn't ideal in every situation).

```sh
#!/bin/bash
LED SETUP
ATTACKMODE HID RNDIS_ETHERNET
GET TARGET_IP
GET HOST_IP
GET SWITCH_POSITION

cd /root/udisk/payloads/$SWITCH_POSITION

if [ -z "${TARGET_IP}" ]; then
    LED FAIL2
    exit 1
fi

# Counter file holding the currently selected switch number N
if [ ! -f Nswitch.txt ]; then
    echo 0 > Nswitch.txt
fi

LED STAGE1

# Detecting lockscreen: capture ICMP echo requests arriving on usb0 while the
# HID-typed ping runs. If the host is unlocked the ping gets typed and sent.
tcpdump -l -i usb0 'icmp and icmp[icmptype]=icmp-echo' -vv > ping &
TCPDUMP_PID=$!

# Windows OS specific, can change to RUN OSX or RUN UNITY
RUN WIN ping $HOST_IP -n 1
sleep 1
kill $TCPDUMP_PID 2>/dev/null

if grep "ICMP" ping > /dev/null
then
    echo 1 > lockscreen      # Unlocked
    LED G DOUBLE
    # Try Captive portal to overcome some restrictions?
    python -m SimpleHTTPServer 80 &
    while ! nc -z localhost 80; do sleep 0.2; done
else
    echo 0 > lockscreen      # Locked
    LED R DOUBLE
    # Locked: advance the counter by one on every plug-in
    N=$(( $(cat Nswitch.txt) + 1 ))
    echo $N > Nswitch.txt
fi

# Copy the selected switchN directory into the slot that runs it (switch2, as
# described below). Directories need -r; the controller in switch1 is left alone.
N=$(cat Nswitch.txt)
if [ -d /root/udisk/payloads/switch$N ]; then
    rm -rf /root/udisk/payloads/switch2
    cp -r /root/udisk/payloads/switch$N /root/udisk/payloads/switch2
fi
```

with

```html
<form name="web_form" id="web_form" method="post" action="post.php">
  <p><label>Nswitch:</label><input type="number" name="N" id="N" /></p>
  <input type="submit" value="Amend">
</form>
```

and

```php
<?php
$N = (int) $_POST['N'];          // cast so only an integer can be written
$fp = fopen("Nswitch.txt", "w"); // "w" overwrites; "a" would append to the old value
fwrite($fp, $N);                 // fwrite needs the file handle as its first argument
fclose($fp);
?>
```

It still isn't complete yet, but I have been able to detect the lockscreen state successfully. I did have some issues with the web server at first, but this has been mostly resolved; I just need to finish off the code. Before I do, I thought I would get some advice from the Hak5 community on whether this payload would even be useful to other people, and how I could optimize the code or make it better.

I should mention that once you set the switch number N it will automatically copy the files of the directory from \payloads\switchN to the other switch (i.e. switch 2 in the example above), and once you unplug the Bunny, change the switch and replug it, it will run the payload from switch N on switch 2.
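The counter increment and the switchN-to-switch2 copy in the post are the parts most likely to misbehave: the counter grows without bound, a value typed into the web form is written unchecked, and copying a directory without -r copies nothing. The POSIX shell helpers below are an added example (not fusionjj's code or the Bash Bunny firmware's) that wrap those two operations: the counter wraps back to switch3 once it passes the highest switchN directory present, and any N, whether from the counter or from the POST handler, is validated against the directories that actually exist before anything is copied. PAYLOAD_ROOT and COUNTER_FILE default to the paths from the post and are assumptions that can be overridden from the environment.

```shell
#!/bin/sh
# Added example: payload-slot selection helpers for the Nswitch layout described
# in the post (switch1 = controller, switch2 = slot that runs, switch3..switchN =
# stored payloads). Not the original poster's code; paths are assumptions.
PAYLOAD_ROOT="${PAYLOAD_ROOT:-/root/udisk/payloads}"
COUNTER_FILE="${COUNTER_FILE:-$PAYLOAD_ROOT/switch1/Nswitch.txt}"

# Highest N for which $PAYLOAD_ROOT/switchN is a directory (0 if none).
highest_switch() (
    max=0
    for d in "$PAYLOAD_ROOT"/switch*; do
        [ -d "$d" ] || continue
        n="${d##*/switch}"
        case "$n" in ''|*[!0-9]*) continue ;; esac   # skip non-numeric suffixes
        [ "$n" -gt "$max" ] && max=$n
    done
    echo "$max"
)

# Accept N only if it is an integer naming an existing stored payload (3..highest).
valid_switch() (
    n="$1"
    case "$n" in ''|*[!0-9]*) exit 1 ;; esac
    max=$(highest_switch)
    [ "$n" -ge 3 ] && [ "$n" -le "$max" ]
)

# Locked-screen path: read the counter, add one, wrap to 3 past the highest
# switch, write it back and echo the new value. Fails if no stored payloads exist.
next_switch() (
    cur=0
    [ -f "$COUNTER_FILE" ] && cur=$(tr -dc '0-9' < "$COUNTER_FILE")
    [ -n "$cur" ] || cur=0
    max=$(highest_switch)
    [ "$max" -ge 3 ] || exit 1
    n=$((cur + 1))
    if [ "$n" -lt 3 ] || [ "$n" -gt "$max" ]; then n=3; fi
    printf '%s\n' "$n" > "$COUNTER_FILE"
    echo "$n"
)

# Replace the contents of switch2 with a copy of the validated switchN directory.
activate_switch() (
    n="$1"
    valid_switch "$n" || exit 1
    rm -rf "$PAYLOAD_ROOT/switch2"
    cp -R "$PAYLOAD_ROOT/switch$n" "$PAYLOAD_ROOT/switch2"
)
```

In the controller, the locked branch becomes `N=$(next_switch) && activate_switch "$N"`, and whatever the web form posts is passed through `activate_switch` as well, so a malformed or out-of-range value is rejected instead of being written to the counter file.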
fusionjj Posted June 20, 2018 (Author)

Sorry for reposting this, I didn't see this subforum earlier.