Gunky Posted November 24, 2019 Share Posted November 24, 2019 Is it possible to "step" attack modes so that on a single switch position it connects as one device, performs an attack then connects as an additional device type? My idea was to launch an attack on the AV using only HID then mount the storage and run further attacks with the AV work around already in place so the malware remians undetected. Alternatively is it possible to have two seperate partitions so we can launch a HID + STORAGE attack on the first switch with no recognised malware in the first storage partition and then switch to the other payload which launches an attack where the malware is now accessible. I am aware that this could be acomplished using two seperate devices, I'm just trying to figure out if it's possible using just one. Link to comment Share on other sites More sharing options...
kuyaya Posted November 27, 2019 Share Posted November 27, 2019 Sure it is. Try this payload LED SETUP ATTACKMODE RNDIS_ETHERNET LED R Q DELAY 3000 ATTACKMODE HID STORAGE LED B RUN WIN "notepad" LED FINISH As you can see, it goes first into rndis_ethernet and then opens notepad in hid storage. I saw in your 2 posts you made, that you don't have much experience with the Bunny. Please be sure that you watch all the BashBunny Videos Hak5 made for us, because all the things I said are in the videos even better explained Link to comment Share on other sites More sharing options...
Gunky Posted November 27, 2019 Author Share Posted November 27, 2019 Thanks bunnylover. In that example is RNDIS_ETHERNET still running in addition to the HID and STORAGE or does specifying the attack mode again cancel any existing attack modes? Link to comment Share on other sites More sharing options...
kuyaya Posted November 28, 2019 Share Posted November 28, 2019 It canceles the RNDIS_ETHERNET mode. In my payload here, as soon as the line "attackmode hid storage" comes, it becomes a hid storage device, and cancelles the RNDIS_ETHERNET attackmode. You can check that if you simply let the payload run until it's finished, and then go to "Control Panel\Network and Internet\Network and Sharing Center" -> Change Adapter Settings. In Attackmode RNDIS_ETHERNET the bunny would show up there (e.g. Ethernet 2). But it doesn't. That means that if you do another attackmode in the same payload, the original attackmode canceles. But that doesn't mean you can't run HID and ETHERNET at the same time. Just write all the attackmodes you want to combine in the same line and there you go. Example: ATTACKMODE HID STORAGE RNDIS_ETHERNET Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.