D14b0l1c Posted February 29 Share Posted February 29 In the below post I mentioned the project I had built I decided to incorporate bash bunny as a means to get server running. I was able to get my adb installed onto my bash bunny. After some additional research I was trying to attempt my first payload: SWITCH 1/Payload ATTACKMODE HID LED SETUP adb usb adb tcpip 5555 LED FINISH When I plug my phone into usb and run: adb usb adb tcpip I connect via the below app, and I am able to run all my "adb shell" commands. I would like to be able to use the bash bunny payload, so I don't have to connect to a laptop. ADB Shell - Debug Toolbox - Apps on Google Play Please help and thank you in advance, -D14b0l1c Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted February 29 Share Posted February 29 1 hour ago, D14b0l1c said: After some additional research I was trying to attempt my first payload: SWITCH 1/Payload ATTACKMODE HID LED SETUP adb usb adb tcpip 5555 LED FINISH When I plug my phone into usb and run: adb usb adb tcpip I connect via the below app, and I am able to run all my "adb shell" commands. I would like to be able to use the bash bunny payload, so I don't have to connect to a laptop. Not sure how the app is relevant to it all. Makes me a bit confused. Isn't the goal to be able to use adb to control the phone from another device (in this case the Bunny instead of a laptop)? I would base the use case on "How am I doing all of this using a laptop?" since it's the laptop that you want to replace with the Bunny (I assume that you aren't running such kinds of apps on a laptop and I haven't investigated further into what it might do since the GitHub page wasn't in English and I don't have time to translate, etc.). Regarding the payload code posted, I assume that it's not working since it's not in a format that the Bunny would fully understand and be able to execute. The lines that contains strings that the Bunny should type needs to start with QUACK STRING followed by a line with QUACK ENTER. I would probably add some delays as well. Quote Link to comment Share on other sites More sharing options...
D14b0l1c Posted February 29 Author Share Posted February 29 The app just allows me to run adb shell commands from the phone after I set up the connection from the laptop using the following commands: adb usb adb tcpip 5555 I am able to disconnect phone from laptop after doing this and use the app to conduct adb shell commands, problem comes when phone dies or restarts. Then I have to plug it back into laptop to restart server and I don't always have a computer with me. What I would like to do is alleviate the laptop and have the bash bunny restart the server. ATTACKMODE HID LED SETUP while [ ! -d /media/BASHBUNNY ]; do sleep 1 done QUACK STRING "adb usb" QUACK ENTER sleep 2 QUACK STRING "adb tcpip 5555" QUACK ENTER LED FINISH Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted February 29 Share Posted February 29 What are you trying to accomplish with the while loop? Quote Link to comment Share on other sites More sharing options...
D14b0l1c Posted February 29 Author Share Posted February 29 Wait for bash bunny to be recognized before executing the commands. I am going to assume based on you asking it's not needed. ATTACKMODE HID LED SETUP QUACK STRING "adb usb" QUACK ENTER sleep 2 QUACK STRING "adb tcpip 5555" QUACK ENTER LED FINISH Save this as adbpayload.txt in switch1/payload? Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted February 29 Share Posted February 29 I'm asking because I need to get an understanding of what you want to happen when running the payload. I can't see that the while loop would work in any way, partly because the payload code is executed on the Bunny. In this case the Bunny would wait for the Bunny (unless there's some storage device on the Android device that is labelled "BASHBUNNY" that is automatically mounted to the Bunny in some way). Another thing stopping such a scenario to even happen is that the Bunny is just running as a HID device based on the ATTACKMODE used. There is no storage functionality involved. But, I can't see that happen despite using the storage mode for the Bunny. To get that idea to work, the device to which the Bunny is connected has to identify itself to the Bunny in some way for the Bunny to know that it's ready for input. 1 hour ago, D14b0l1c said: Save this as adbpayload.txt in switch1/payload? Payloads should be named payload.txt specifically, nothing else (as per the documentation). https://docs.hak5.org/bash-bunny/writing-payloads/payload-development-basics 1 Quote Link to comment Share on other sites More sharing options...
D14b0l1c Posted February 29 Author Share Posted February 29 ATTACKMODE HID LED SETUP QUACK STRING "adb usb" QUACK ENTER sleep 2 QUACK STRING "adb tcpip 5555" QUACK ENTER LED FINISH Pushes the commands "adb usb" and "adb tcpip 5555" to phone (I have screenshots). What I am trying to do is to have the bash bunny be read as if it's a usb device to enable usb debugging (same as if I am plugging my laptop or pi into the phone). Run on bash bunny as if I am on the laptop or pi command line (I have screenshots): adb usb adb tcpip 5555 Then on phone I am able to physically click the adb toolbox app connect and unplug usb. This command line interface allows me to run adb shell commands such as adb shell dumpsys -l (I have screenshots of this). I am attempting to figure out how to get bash bunny to be detected and enable the usb debugging feature then locally exectue the "adb usb" and "adb tcpip 5555". If I figure this out before any response I will respond with the solution, but any guidance and help is very much appreciated. Thank you in advance, -D14b0l1c Quote Link to comment Share on other sites More sharing options...
D14b0l1c Posted March 1 Author Share Posted March 1 I am still unable to get the device to work as needed. I read the readme.txt file and it mentions: ECM_ETHERNET ECM Ethernet Control Model Linux/Mac/Android I started building using ATTACKMODE ECM_ETHERNET, but still no luck on getting it to trigger the phones USB debugging. The phone is in developer mode and has USB debugging enabled. I am able to do USB debugging from my laptop via USB, I am able to do Wi-Fi debugging on the same network with only two phones, and I am able to plug the phones directly into each other via USB and trigger the USB debugging. But for whatever reason when I plug bash bunny in, it does not work. I am aware it's most like something I am doing incorrectly. But my intention is to be able to trigger the phone to read the bash bunny as another device so I can create payload to execute: adb tcpip 5555 The other alternative I seen is to reflash the bash bunny to run a different operating system, but there's so much that goes into that. I can't seem to understand or find why bash bunny can execute onto the Android device, but the Android doesn't read the bash bunny in a way to trigger the USB debugging. Attached are Attachments Explanation: bash bunny payload - screenshot of payload pushing the text to the phone, connection not working. After USB-C connection between laptop and phone: laptop command line - me executing adb commands laptop. USB connection working - showing on the phone that the connection established. display of USB debugging triggered via USB cable - display of USB debugging being activated when USB cabble plugged in Please help and thank you in advance, -D14b0l1c Quote Link to comment Share on other sites More sharing options...
D14b0l1c Posted March 2 Author Share Posted March 2 So far this is what I have built out I think I am off with my IP connection. I am able to get daemon to start on tcp:5307 My "adb connect 172.16.64.1:5555" times out # Set Bash Bunny to ECM Ethernet mode LED B SLOW ATTACKMODE ECM_ETHERNET ATTACKMODE HID DELAY 2000 QUACK STRING adb kill-server QUACK ENTER DELAY 1000 QUACK STRING adb start-server QUACK ENTER DELAY 1000 adb usb ENTER adb tcpip 5555 ENTER QUACK STRING adb connect 172.16.64.1:5555 QUACK ENTER LED FINISH Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted March 2 Share Posted March 2 9 minutes ago, D14b0l1c said: ATTACKMODE ECM_ETHERNET ATTACKMODE HID Using ATTACKMODE this way will kill the network on the Bunny straight away and it will just work as a HID device for the rest of the payload. If you want HID (keyboard) and network at the same time, you need to specify it on the same line, such as: ATTACKMODE HID ECM_ETHERNET From the docs: "ATTACKMODE is a DuckyScript command which specifies which devices to emulate. The ATTACKMODE command may be issued multiple times within a given payload. For example, a payload may begin by emulating Ethernet, then switch to emulating a keyboard and serial later based on a number of conditions." https://docs.hak5.org/bash-bunny/writing-payloads/attackmode I would really advise you to read the documentation instead of blindly executing commands. It will save you time. 15 minutes ago, D14b0l1c said: adb usb ENTER adb tcpip 5555 ENTER Not sure what you want ENTER to do here. It's not a DuckyScript command and it's not Bash. 1 Quote Link to comment Share on other sites More sharing options...
D14b0l1c Posted March 2 Author Share Posted March 2 (edited) Thank you for the addressing my ATTACKMODE syntax, my mistake I overlooked that being impatient. ADB consists of three components: Client: The client runs on your development machine (your computer). You can invoke it from a command-line terminal by issuing an ADB command. Essentially want to execute adb usb and adb tcpip 5555 as if it is from the bunny terminal. After reading readme.txt this is what made me think to include ECM_ETHERNET. The HID was included later on when I thought I needed to manually start the adbd server, so I added QUACK STRING adb kill-server; QUACK ENTER; DELAY 1000; QUACK STRING adb start-server; QUACK ENTER. Daemon (adbd): This runs on the Android device itself. It executes commands sent from the client. Typically, this starts when I start running the commands from the Client. Server: The server manages communication between the client and the daemon. It runs as a background process on your development machine. When you start an ADB client, it checks if there’s already an ADB server process running. If not, it starts the server. The server binds to local TCP port 5037 and listens for commands from ADB clients. It sets up connections to all running devices (physical devices or emulators). ADB locates emulators by scanning odd-numbered ports in the range 5555 to 5585. Each emulator uses a pair of sequential ports: an even-numbered port for console connections and an odd-numbered port for ADB connections. For example: Emulator 1, console: 5554 Emulator 1, ADB: 5555 Based on what you mentioned above and what I read I didn't even have my ATTACKMODE syntax correct. For the other part I wanted to execute as a command line command not the Android phone, but on the bunny. Please help and thank you in advance, -D14b0l1c Edited March 2 by D14b0l1c Quote Link to comment Share on other sites More sharing options...
D14b0l1c Posted March 3 Author Share Posted March 3 On 3/1/2024 at 5:04 PM, dark_pyrro said: Using ATTACKMODE this way will kill the network on the Bunny straight away and it will just work as a HID device for the rest of the payload. If you want HID (keyboard) and network at the same time, you need to specify it on the same line, such as: ATTACKMODE HID ECM_ETHERNET From the docs: "ATTACKMODE is a DuckyScript command which specifies which devices to emulate. The ATTACKMODE command may be issued multiple times within a given payload. For example, a payload may begin by emulating Ethernet, then switch to emulating a keyboard and serial later based on a number of conditions." https://docs.hak5.org/bash-bunny/writing-payloads/attackmode I would really advise you to read the documentation instead of blindly executing commands. It will save you time. Not sure what you want ENTER to do here. It's not a DuckyScript command and it's not Bash. The ENTER was from when I had QUACK in front I just removed QUACK and left the ENTER there. Quote Link to comment Share on other sites More sharing options...
D14b0l1c Posted March 3 Author Share Posted March 3 The following GitHub is the closes example of what I am looking to do bashbunny-payloads/payloads/library/mobile/android/fireytv/payload.txt at master · hak5/bashbunny-payloads · GitHub. My focus is an android phone, and I don't want to upload an APK. I do want to run adb commands. Based on my understanding of reading this my payload would look something like: LED SETUP GET TARGET_IP GET SWITCH_POSITION ATTACKMODE ECM_ETHERNET adb tcpip 5555 adb connect ${TARGET_IP} LED FINISH Or would creating a Bash script executing the commands be a better alternative or even possible? Based on reading the rdp_checker bashbunny-payloads/payloads/library/recon/rdp_checker/payload.txt at master · hak5/bashbunny-payloads · GitHub, it appears I could create a script store it in /tools and call it in the payload.txt. Please help and thank you in advance, -D14b0l1c Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted March 3 Share Posted March 3 No real need to use any separate Bash script file since it's possible to run Bash in the payload.txt file (it's treated as a Bash file itself by bunny_framework). Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted March 3 Share Posted March 3 I'm rather skeptic when it comes to the use of GET TARGET_IP before issuing ATTACKMODE ECM_ETHERNET. I can't see how the Bunny would be able to get the target IP before the Bunny is in a mode allowing it to act as an Ethernet "device" (and make the target connect and obtain a DHCP lease from the Bunny). Quote Link to comment Share on other sites More sharing options...
Solution dark_pyrro Posted March 3 Solution Share Posted March 3 I temporarily switched over to the Key Croc since it makes it easier to develop/test payloads instead of blindly run things using the Bunny with the help of LEDs, log files, etc. Got it to work in the Croc and then went back to the Bunny (used a Mk1 Bunny, but that won't make any difference compared to using a Mk2 one). This is the payload I used. The payload can for sure be a bit more "pretty" (while loop to wait for target IP address, etc.) but it works for a PoC scenario. Getting the target IP can instead be made in the more "usual" way (i.e. using GET TARGET_IP) ATTACKMODE ECM_ETHERNET sleep 5 TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq) /usr/bin/adb tcpip 5555 sleep 1 /usr/bin/adb connect ${TARGET_IP} LED FINISH 1 Quote Link to comment Share on other sites More sharing options...
D14b0l1c Posted March 4 Author Share Posted March 4 (edited) 10 hours ago, dark_pyrro said: ATTACKMODE ECM_ETHERNET sleep 5 TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq) /usr/bin/adb tcpip 5555 sleep 1 /usr/bin/adb connect ${TARGET_IP} LED FINISH I am able to execute via bunny command line but it's not connecting or showing any signs to connect, the phone isn't recognizing the bunny as a client the same way it does my pi and laptop, so when the commands execute its not working. Afterwards I added the adb usb below is demonstration of what happens when my laptop usb has been successfully recognized and adb usb works. Laptop before (no devices/emulators found) and after usb is plugged in (restarting in USB mode connecting the device and running adb devices displaying the serial number of phone the laptop is connected too): Microsoft Windows [Version 10.0.22631.3235] (c) Microsoft Corporation. All rights reserved. C:\Users\Stude>adb usb error: no devices/emulators found C:\Users\Stude>adb usb restarting in USB mode C:\Users\Stude>adb devices List of devices attached 710KPZK0409189 device Do you think it would be a good idea to export the following commands to a text adb usb > adbusb.txt, adb devices > device.txt, and adb tcpip 5555 > tcpip.txt. The below is what bunny will look like if the bunny and phone are not seeing each other. login as: root root@172.16.64.1's password: _____ _____ _____ _____ _____ _____ _____ _____ __ __ (\___/) | __ || _ || __|| | | | __ || | || | || | || | | (='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _| (")_(") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_| Bash Bunny by Hak5 USB Attack/Automation Platform Last login: Wed Feb 28 16:29:06 2024 from 172.16.64.64 root@bunny:~# adb usb error: no devices/emulators found root@bunny:~# adb devices List of devices attached root@bunny:~# Your thoughts: ATTACKMODE ECM_ETHERNET STORAGE sleep 5 /usr/bin/adb usb > /loot/adbusb.txt sleep 1 /usr/bin/adb devices > /loot/devices.txt sleep 1 /usr/bin/adb tcpip 5555 > /loot/tcpip.txt LED FINISH Please help and thank you in advance, -D14b0l1c Edited March 4 by D14b0l1c Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted March 4 Share Posted March 4 (edited) Using "adb usb" on the Bunny will probably not work since the Bunny isn't acting as a USB host (? - not 100% verified, but likely). The Bunny is just using USB as a hardware interface for the different modes it can emulate (HID, STORAGE, SERIAL, *NETWORK...) So, it might be easy to try to be "logic" and think "hey, the Bunny has a USB port, therefore it's USB in all ways and forms". But that might not be fully true, it's most likely a USB device (with no host capabilities) at best. This is a possible reason to why "adb usb" works on a device that acts as a USB host (for example a computer), but not on the Bunny. Using the network based approach to connecting using adb (like my payload example does) would be the path I would continue on. Especially since "adb usb" doesn't seem to work, and the network alternative does (at least when I try it). 7 hours ago, D14b0l1c said: The below is what bunny will look like if the bunny and phone are not seeing each other. login as: root root@172.16.64.1's password: _____ _____ _____ _____ _____ _____ _____ _____ __ __ (\___/) | __ || _ || __|| | | | __ || | || | || | || | | (='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _| (")_(") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_| Bash Bunny by Hak5 USB Attack/Automation Platform Last login: Wed Feb 28 16:29:06 2024 from 172.16.64.64 root@bunny:~# adb usb error: no devices/emulators found root@bunny:~# adb devices List of devices attached How did you execute these commands if your Bunny was connected to the phone? From the phone itself via serial or ssh? Edited March 4 by dark_pyrro Quote Link to comment Share on other sites More sharing options...
D14b0l1c Posted March 4 Author Share Posted March 4 9 hours ago, dark_pyrro said: How did you execute these commands if your Bunny was connected to the phone? From the phone itself via serial or ssh? I had the bunny connected to my laptop same time as phone and was going to attempt to see if I could share the connection through my windows box, then I found few links (example of video below) and forums on how to ssh over Bluetooth, this will be a different project. I tried the code you provided, and I am still having issues with connection to the phone. When you ran your code were you able to execute adb shell commands like "adb shell dumpsys -l"? Please help and thank you in advance, -D14b0l1c Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted March 4 Share Posted March 4 1 hour ago, D14b0l1c said: When you ran your code were you able to execute adb shell commands like "adb shell dumpsys -l"? I added adb shell dumpsys battery > /root/adb_batt.log to my previously posted payload code and it worked as expected. Quote Link to comment Share on other sites More sharing options...
D14b0l1c Posted March 4 Author Share Posted March 4 (edited) 5 minutes ago, dark_pyrro said: I added adb shell dumpsys battery > /root/adb_batt.log to my previously posted payload code and it worked as expected. Did you have to do USB Ethernet tethering in your phone? I see what you did, and it makes sense. I even see that the phone reads the ethernet connection for the bunny in the USB tethering settings it goes from greyed out to black for enablement. Edited March 4 by D14b0l1c Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted March 4 Share Posted March 4 10 minutes ago, D14b0l1c said: Did you have to do USB Ethernet tethering in your phone? No, just enabling adb over network in the developer settings Quote Link to comment Share on other sites More sharing options...
D14b0l1c Posted March 4 Author Share Posted March 4 19 minutes ago, D14b0l1c said: I added adb shell dumpsys battery > /root/adb_batt.log to my previously posted payload code and it worked as expected. I got the file created but it was empty, I am getting closer. I am not sure if the connection is working. I added the battery so if can get at least that one to work I can get the bigger adb shell dumpsys -l and adb shell dumpsys. ATTACKMODE ECM_ETHERNET sleep 5 TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq) adb tcpip 5555 sleep 1 adb connect ${TARGET_IP} adb shell dumpsys battery > /root/battery.txt LED FINISH Quote Link to comment Share on other sites More sharing options...
D14b0l1c Posted March 4 Author Share Posted March 4 (edited) battery.txt gets created in root directory but not data is being stored to it. I am getting an IP, so that's a plus! ATTACKMODE ECM_ETHERNET sleep 5 TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq) cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq > /root/ip.txt adb tcpip 5555 sleep 1 adb connect ${TARGET_IP} adb shell dumpsys battery > /root/battery.txt LED FINISH login as: root root@172.16.64.1's password: _____ _____ _____ _____ _____ _____ _____ _____ __ __ (\___/) | __ || _ || __|| | | | __ || | || | || | || | | (='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _| (")_(") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_| Bash Bunny by Hak5 USB Attack/Automation Platform Last login: Wed Feb 28 15:34:59 2024 from 172.16.64.64 root@bunny:~# dir adb_7.0.0+r33-1_armhf.deb battery.txt android-libadb_7.0.0+r33-1_armhf.deb ip.txt android-libbase_7.0.0+r33-1_armhf.deb udisk android-libcutils_7.0.0+r33-1_armhf.deb version.txt android-liblog_7.0.0+r33-1_armhf.deb root@bunny:~# cat ip.txt 172.16.64.10 root@bunny:~# cat battery.txt root@bunny:~# Edited March 4 by D14b0l1c Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted March 4 Share Posted March 4 let it sleep for a while after the adb connect, you need to let it have enough time to connect before running any adb commands Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.