Deploy Bashbunny Payloads Remotely via Pinapple?


Ashura

Hi, I'm new to the forums and learning about the tools, and I want to know if it is possible to remotely deploy any of the Bash Bunny payloads to a device that is connected to a Pineapple Mark VII. (This is for a demonstration at work to raise awareness.)

If this is possible, any guides/advice/tips would be much appreciated.

Can you provide a more detailed scenario? Do you want the Bash Bunny to be attached to the Pineapple and execute payloads (via the Pineapple) on targets connected to the Pineapple? What kind of payloads? How are you intending to delay the execution of any payloads on the Bunny until an appropriate target has established a connection to the Pineapple? (etc.)

Hi, sure.

Well I was thinking of the following story:

1. Wi-Fi SSID for the target computer to access and be infected (explain the need to not trust random Wi-Fi networks and to be careful about public Wi-Fi when working)
2. Executing the following payloads (to contextualize user credential theft for phishing attacks)
3. Explain how these credentials can be abused by bad actors to infiltrate a system and access sensitive data
4. Introduce solutions (this is covered on my end)

The logistics of how execution works when connecting the Bash Bunny, and how the payloads would be delayed, are new to me, so that is something I want to learn in my environment. My assumption is that the Bash Bunny scripts can be edited to adjust the runtime delay, or that there is a mechanism in the Pineapple's WebGUI to execute payloads.

I've only just managed to get the WebGUI set up, so I'm still a noob; any advice from the pros would be highly appreciated. m(._.)m

All of those payloads use ATTACKMODE HID (keyboard), and the Bunny will just try to execute them on the target to which it is connected, in this case the Pineapple, and that will cause them all to fail. You will also need to establish what kind of OS the targets (connecting to the Pineapple) are running, since the payloads you wish to use are for different target platforms. This combo isn't a "natural" one when it comes to these two products. Passing Bunny payloads via the Pineapple to a target is outside the scope of these products. The Bunny is supposed to be attached directly to the target device.

Fair enough. I can limit myself to just Windows and ditch Sudosnatch. However, if these payloads are HID based, would it be possible to either

1. Convey a story that similar HID based attacks can be executed remotely (saves time finding similar payloads compatible with the Pineapple, and I can just leverage both tools to save time for demoing)

OR

2. Look at payloads that achieve a similar result of extracting user credentials and that are Pineapple compatible. If so, which ones are they?

The latter would be much cooler and get audience attention 😛

If using the Pineapple only, there are no payloads that can interact with the target like the Bunny is capable of in terms of actual keystroke input. Hence it is difficult to plant things on the target from the Pineapple, specifically when it comes to "injecting" things and circumventing security measures (being able to act like a keyboard is one of the "Bunny powers"). One way of obtaining credentials is to combine some sort of evil portal with social engineering and fool/force the user to connect to the Pineapple and get the credentials in some sort of login scenario. It's not a "smooth and easy" road forward though, and not with guaranteed success on every attempt. It's also possible to sniff traffic that passes from the target via the Pineapple, but that depends on what you want to achieve, how you define "user credentials", and also what you actually can get from those traffic dumps (for example when it's encrypted, which most traffic is today).

Fair enough. Well, the victim will be one of my own test rigs, so that is not a concern, but like you mentioned, considering that most traffic is encrypted, it would not be a realistic/practical MITM attack.

The objective that I am trying to achieve is to create a compelling story that addresses the issues of using public networks to do remote work, while also simulating how a bad actor can obtain and misuse login credentials to gain access to and exfiltrate sensitive data.

Considering this, would reverting to option 1 and finding a realistic link that would be compelling enough to convey the technical feasibility of executing Bunny-based payloads remotely be plausible?

Hi, apologies for the delayed response. I'm limited in the number of messages per day on the forum.

Well, the typical kind of scenario that I am thinking of would be some means by which administrator account credentials are compromised and alerts go off on a SIEM about suspicious activity by a particular user.

So when I refer to the idea of "remotely executed Bunny payloads", I was thinking along the lines of some means of gaining remote access into the target computer via the Pineapple and then obtaining sensitive administrator credentials, e.g. via a key logger, backdoor, fake login screen, or something along those lines.

However, having spent a little more time learning, I realized that the Pineapple is limited to honeypotting and MITM, which would be useful for recon and pre-attack phases for gathering info such as unencrypted communications within a network, potential devices with open ports, etc. (please correct me if I am wrong)

Considering this, I would need to construct some pretext as to how a piece of malware such as the following had infected a host machine.

My options are as follows:
1. Malicious insider with a Bunny or similarly loaded tool (on-premise)
2. Phishing attack which would have loaded these scripts as hidden files / attachments (remote)

If there are any other technically feasible approaches (preferably remote) that can help to create a compelling story, ideas would be much appreciated.

If you want to use Hak5 products, I'd suggest sticking to the features of each product and using what's already available in terms of payloads (if you aren't developing any of your own). Outside that scope, anything available on the cybersec scene is a possible attack scenario. You have to decide what you want to do and get it working in a way that is relevant to the demo (or such) that you want to perform. If those payloads are the ones that you find most interesting, then use them, but you have to accept the scenario in which they can be used (or do some R&D yourself and come up with something else). It's also about doing "recon" in advance. Are there already flaws in the infrastructure that are allowing attacks? It's important to bring forward obvious things where the organization might be failing: lack of local storage encryption; the possibility of booting alternative media to use tools like KonBoot or to steal vital information such as Registry hives (or any other type of information); lack of defense measures when it comes to incoming email and phishing (that might lead to remote access and/or obtaining credentials). Is 2FA/MFA used? So, unless you are working with a "black box", and instead have knowledge and insight into what shortcomings the organization has, then that's a good starting point to build a scenario that would be an eye opener for the audience (hopefully relevant decision makers in the organization). Then add the business layer (or whatever aspect is driving the organization forward) and explain what impact individual vulnerabilities might have on organization goals and success.

Thank you so much for your guidance and insight! It makes sense to work within the intended use cases that Pineapple and Ducky payloads can cover. And like you mentioned, it would be wise to do the preliminary audit and investigation of the organization's environment in order to frame the problem(s) from a technical and business perspective.

Thank you so much once again! I have much to learn but, this is exciting 😄
