Bash Bunny on Serial Console/PuTTY


BrickTop

Hey guys,

For a project I'm currently doing, I am wanting to open a PuTTY session, access the console and then run a script on a Cisco device, most probably a router. I want to do this either via Serial or SSH. I can edit a payload to change the filepath so that it executes PuTTY, but how would I edit the payload in such a way to get it to select the COM port, change the speed, open the terminal and then execute the script? I have looked through payloads on here and GitHub but can't find anything 😕

Thanks 🙂

OK, just to "enhance" the scenario; since you mention PuTTY, I guess you are on Windows 10. If you find it difficult to set COM port, speed, etc. and also mention ssh, why not totally skip serial and go "all in" using ssh instead. It decreases the number of ingredients that might make it more complex. Using ssh also makes it possible to skip PuTTY since ssh is available at the command line in Windows 10 nowadays.

I would probably create a payload script that starts a command prompt or a PowerShell prompt and then ssh into the device and then use the Bunny to QUACK whatever you want to happen. In this case it seems as if you want to start some script on the Cisco device after logon.

Yes, you should be able. The Bunny has several features, one of them is the HID functionality. If you can do the steps you want to do with your regular keyboard, the Bunny will most likely be able to pull it off since the HID mode is a..... keyboard. Described in pseudocode I would make the Bunny start Powershell (or the regular Command prompt), then I would make the Bunny start ssh against the desired device (Cisco or whatever), then I would start the script on the device also using the Bunny. So, to repeat, if you can do it with a keyboard you can (most possibly with a high probability) do it with the Bunny. It's however a bit difficult to give any guarantees since there aren't any details known about the use case scenario (and we all know that the devil is in the details).

Ok thanks a lot for that. 🙂 You don't fancy helping me on this do you?? 😂 I reckon I can get it to start in PowerShell, however you can't just ssh 192 "" "" "" straight into a console can you? Don't you need to go via a terminal emulator such as PuTTY to reach the console? So I would need a command that can open PuTTY and then select the right options for the session no? Yep the devil is definitely in the details lol.

Yet again, as I said before, ssh (the command) is native in Win10 since a while back, so it's just to execute ssh [user]@[address of device]. I created a test payload now that (I think) does what you want to happen. But, since not having the exact setup/scenario as you have, it's not going to be 100% the same. I used a Win10 box. Started powershell. Opened an ssh session to a network device. Started/executed a script on the device. All of it using the Bunny.

Ok, sorry I haven't done much involving SSH before, only stuff in Uni so I'm still learning this stuff. So you have a payload that is doing exactly what I want it to do including running a script on the console of the Cisco IOS? Albeit with a few minor adjustments required to match the working environment?

I only have a basic script at the moment whereby I am trying to do the basics, which is literally just opening up a program. Such as notepad, but here's the code...

 

#!/bin/bash
LED Y
DUCKY_LANG gb
ATTACKMODE HID

RUN WIN notepad.exe
Q ENTER

LED G

 

However, although this payload ran fine when tried on the computers in Uni, it doesn't run on my personal machine (Win10).

Well, that's not really doing what you want. It's some kind of start though. Adding some delays is my first suggestion. Then continue to script what you actually want to happen. In general, delays need to be matched against target computer performance and some operations need longer delays than others. In this case, I would wait a bit extra when starting powershell and during the ssh logon process.

Ok, how would I go about this though? This is all extra stuff to demonstrate, my main goal is the Cisco stuff as mentioned above, so this notepad stuff doesn't really matter. You mention time delays, however, the script should still run shouldn't it?

Of course, it will run (if you mean the Bunny payload script), but at a pace that the target computer perhaps can't match. If you just bombard the target with commands that it is not ready to execute, then the payload will be rendered useless in the end. You have to time things.

OK, let us be honest here, you don't really want to do the job, do you?! Sorry, I don't do charity payload development. I'm all positive to sharing knowledge (and I have actually shared some fair amount of knowledge in this thread already), but this is a good "first challenge" for you to learn how to develop payloads. It's simple as 123. Learn the Ducky script basics and mimic the steps you would do using a regular keyboard (as I've already mentioned in this thread). It's not a complex thing to achieve at all and if you are in a position of doing some project involving network devices, I'm very sure you have the mental capacity of getting it all to work. Over and out.....

Bit abrupt to say the least. Of course I want to do this job, I'm not after charity or someone to do the work for me. I am looking to get into cybersecurity and I am committed to learning, but because time is limited at the moment, it means I am having to move faster than I would like in order to achieve this. I'm just after guidance at the end of the day. If my questions are bothering you then I'll look elsewhere for help. Thanks for all your help though. 

  • 2 weeks later...

You know what? I totally understand both of your situations from my perspective and I just wanted to add that you both handled yourselves well, polite and just. Also it's so interesting reading this and seeing the making of one.... thank you both for the contribution! I'm wrapping my head (slowly) around duckylang and the use of it to play a role in true offensive defense. I'm (as a result of this particular thread) thinking something like a wireless deployment in which a wireless network (pineapple perhaps mark v) injects duckylang by having a storage attachment (via usb) that automounts (a bash bunny) when we want it to.

 
