Is it just me, or are almost all the Bash Bunny scripts useless for Windows 10?


KRAZYPENGWIN

I've run over a dozen of Hak5's GitHub scripts on Windows 10; it seems the only ones that work are ones that require only an HID and enter a string of text, or the prank folder. Anything that actually deals with pentest or other attacks, ironically, has no real use. In fact, just about every one that requires a loot folder that I've tried, save the nmapper, has come up empty. This is pretty annoying; I picked this up mostly for the robust library available, and I work almost exclusively with Windows machines. It seems to me that outside of the occasional computer that is still running Windows 7, I picked up a very expensive toy to write on notepads really fast.

Ones I've tried that worked:
nmapper
notepad_fun
single-character-quack

Ones I've tried that have yielded absolutely nothing of value:
passwordgrabber
DumpCreds
QuickCreds
WiPassDump
WifiGrabber
WifiPass
WindowsCookies
Browserdata
simple-usb-extractor
usb_exfiltrator


You need to modify the delays and add delays.  Take a payload you want to run, make it painfully slow, and verify each step.  Then when it works, start to speed it up until it no longer works.  99% of these payloads are too aggressive and never work for me out of the box.  I always have to slow them down a bit.  If you search around in this section of the forums or even the rubber ducky part, you'll see me say that a bunch of times.

  • Upvote 1

@Bob123 so I went ahead and added a painful amount of delays and still got nothing. Perhaps I'm not getting the hang of the Bunny Script? For example, this is what I used for the usb exfiltrator:

# Sets $SWITCH_POSITION to the slot the payload runs from (switch1 or switch2)
GET SWITCH_POSITION
# LED pattern that signals the attack stage
LED ATTACK
# Present the Bunny as a keyboard (HID) plus a mass-storage volume
ATTACKMODE HID STORAGE
# Win+R, then type: locate the volume labelled BashBunny and run d.cmd from this slot's payload folder
RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
# QUACK DELAY: pause the keystroke stream for 10 s each; five in a row is 50 s of sending nothing
Q DELAY 10000
Q DELAY 10000
Q DELAY 10000
Q DELAY 10000
Q DELAY 10000
# LED pattern that signals the payload has finished
LED FINISH



Ok, I really hope your takeaway from my helpful hint wasn't to only do what you did above.  There are several payloads that you mentioned didn't work.  Several of those use ducky script or have many commands tightly together, which is why I mentioned adding some delays between the commands.  You do understand that what you did above will do absolutely nothing, right?  Did you see the part where I said verify the code works?  USB exfiltrator by itself copies only pdfs and works just fine.  Do you have pdfs in your documents folder?  Did you try doing an xcopy from your bb to see if you could even copy those pdfs to your bb?  Comment out or delete the hidden commands in the files and watch what powershell does.  Are you getting errors?  You could also remove the whole caps lock blinking.  I usually do.  Makes it a bit more stealthy.


  • 4 months later...

Just managed to get a stable and persistent reverse shell, from real Windows 10 to virtualized Kali 2021.1, in about just 1 or 2 minutes. And without putting in so much effort.

You have to study, experiment and try and try and try...
Read code written by others, try it after you have understood what it does, apply it to your needs.

I used to try my BB on two different machines. One was really slow, so even though on the other one everything was running fine, on this one there was no way to get anything useful.
Every command was simply out of phase, trying to write directly on the desktop, because it was taking something like three minutes only to open cmd.exe (I'm not joking, that pc had experienced more than 10 years of stress).

If you're looking for a magical hacking tool that you set one time and "pwn 'em all" I'm sorry to disappoint you. These devices are built to get repeatedly modified.

  • Upvote 1

  • 2 months later...

I found that a lot of scripts started working when I changed the -f into -filter in the following line:

RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"


2 hours ago, Casss said:

I found that a lot of scripts started working when I changed the -f into -filter in the following line:

RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"

Changing that parameter shouldn't make any difference. I have executed payloads very recently with that line of code.

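The two replies above disagree on whether -f and -filter behave differently, and the earlier advice in the thread was to verify each step of a payload by hand before worrying about timing. The following PowerShell is an added example written for this thread; it is not code from the thread, from Hak5, or from any payload author. It assumes Windows PowerShell 5.1 (where Get-WmiObject and its gwmi alias still exist), and the label 'BashBunny' and the relative path 'payloads\switch1\d.cmd' are assumptions lifted from the posted RUN WIN line.

```powershell
# Added example, not code from the thread. Two checks a tester can run on the machine under test:
# (1) PowerShell binds an unambiguous parameter prefix, so "-f" on Get-WmiObject resolves to -Filter;
# (2) the volume lookup in the posted RUN WIN line can be tried by hand, with each failure reported
#     instead of the command silently doing nothing.
# Assumes Windows PowerShell 5.1. Label and relative path below are assumptions taken from the thread.

function Get-ParameterPrefixMatches {
    # Returns every parameter name of a cmdlet that starts with the given prefix.
    # Exactly one result means the abbreviated form binds unambiguously.
    param([string]$Command, [string]$Prefix)
    (Get-Command $Command).Parameters.Keys | Where-Object { $_ -like "$Prefix*" }
}

function Resolve-LabelledVolumePath {
    # Resolves <mount root of the volume with this label>\<relative path>, as the posted
    # RUN WIN line does, but throws a specific message at the first step that fails.
    param([string]$Label, [string]$RelativePath)

    # Same query as the thread's line, with -Filter spelled out (gwmi ... -f is the same call).
    $vol = Get-WmiObject Win32_Volume -Filter "label='$Label'"
    if (-not $vol) {
        throw "No mounted volume has the label '$Label' (STORAGE attack mode not active, or label differs)."
    }
    # A volume with no drive letter or mount point reports a \\?\Volume{...}\ name, which the
    # payload path cannot be appended to usefully; that is the case a DELAY before RUN is meant to cover.
    if ($vol.Name.StartsWith('\\?\')) {
        throw "Volume '$Label' is present but has no drive letter or mount point yet."
    }

    $full = Join-Path $vol.Name $RelativePath
    if (-not (Test-Path -LiteralPath $full)) {
        throw "Volume found at $($vol.Name) but '$RelativePath' does not exist on it."
    }
    return $full
}

# Check 1: the prefix "f" matches only one Get-WmiObject parameter, Filter.
Get-ParameterPrefixMatches -Command Get-WmiObject -Prefix f

# Check 2: run by hand on the test machine before trusting the payload (path is an assumption).
try {
    $script = Resolve-LabelledVolumePath -Label 'BashBunny' -RelativePath 'payloads\switch1\d.cmd'
    "Payload script resolves to $script; the lookup works and timing is the next thing to tune."
} catch {
    "Step failed: $($_.Exception.Message)"
}
```

Check 1 returns only Filter, which is why switching -f to -filter cannot by itself change what the line does; if a payload started working after that edit, something else changed at the same time (typically timing). Check 2 turns the "verify each step" advice into something concrete: it tells you whether the volume is enumerated, whether it has a mount point by the time the command runs, and whether the file the payload expects is actually there, which are the three silent failure points of the posted line.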

  • 4 weeks later...

To add to the above member answers.  I have been ignoring these posts as I answered the first one that came across years ago saying the same thing about none of the payloads working or being outdated.

1) Hak5 is responsible for the platform being the BashBunny, that is it.  They supply you a platform with features to build your own payloads with only your skill and imagination being the limiting factor.

2) Payloads that are on the github site are created by members of the Hak5 community.  They are presented as they are and are not supported by the Hak5 team.  They have nothing to do with them except supplying a central repo to host them from if the authors want it.

3) Never assume payloads will work on first try without modifying, especially when QUACK is involved.  QUACK only has the ability to send keystrokes, it does not read them.  The only read method it has in that app is to read arguments and read from a file that is written when the numlock keycodes are sent.  The method in the file converts strings to keycodes and sends them all at once to the HID dev per line.  It does not read from it, check if it worked, nothing.  So, as someone mentioned, you may have to play with delays in the quack text files for some payloads depending on the victim machine and its speed.

4) When using payloads, find out how they work because there is a high chance you will have to fix any issues you come across because the author may not be available or not available in the time you expect or probably wants nothing to do with the payload anymore.

To me, the BB is a platform for me to make my own stuff, so I do just that.  If I want to use a payload by someone else, I make sure I know what it is doing and how, because I want to make sure it does what I want and to help figure out what I need to do to fix any issues that arise from it.

And....as I mentioned in a previous post a long time ago.  The Bashbunny, as far as payloads are concerned, is not plug n play.  The attackmodes are, but never the payloads.  Do not expect them to be perfect on all machines or at any point in time.
