SWITCH 1 adb usb | adb tcpip 5555 payload build help


D14b0l1c
Go to solution Solved by dark_pyrro,

In the below post I mentioned the project I had built. I decided to incorporate bash bunny as a means to get the server running. I was able to get my adb installed onto my bash bunny.

After some additional research I was trying to attempt my first payload:

SWITCH 1/Payload
ATTACKMODE HID
LED SETUP
adb usb
adb tcpip 5555
LED FINISH

When I plug my phone into usb and run:
adb usb
adb tcpip

I connect via the below app, and I am able to run all my "adb shell" commands. I would like to be able to use the bash bunny payload, so I don't have to connect to a laptop.

ADB Shell - Debug Toolbox - Apps on Google Play

 

Please help and thank you in advance,
-D14b0l1c

Link to comment
Share on other sites

1 hour ago, D14b0l1c said:

After some additional research I was trying to attempt my first payload:

SWITCH 1/Payload
ATTACKMODE HID
LED SETUP
adb usb
adb tcpip 5555
LED FINISH

When I plug my phone into usb and run:
adb usb
adb tcpip

I connect via the below app, and I am able to run all my "adb shell" commands. I would like to be able to use the bash bunny payload, so I don't have to connect to a laptop.

Not sure how the app is relevant to it all. Makes me a bit confused. Isn't the goal to be able to use adb to control the phone from another device (in this case the Bunny instead of a laptop)? I would base the use case on "How am I doing all of this using a laptop?" since it's the laptop that you want to replace with the Bunny (I assume that you aren't running such kinds of apps on a laptop and I haven't investigated further into what it might do since the GitHub page wasn't in English and I don't have time to translate, etc.).

Regarding the payload code posted, I assume that it's not working since it's not in a format that the Bunny would fully understand and be able to execute. The lines that contain strings that the Bunny should type need to start with QUACK STRING followed by a line with QUACK ENTER. I would probably add some delays as well.

Link to comment
Share on other sites

The app just allows me to run adb shell commands from the phone after I set up the connection from the laptop using the following commands:

adb usb
adb tcpip 5555

I am able to disconnect phone from laptop after doing this and use the app to conduct adb shell commands, problem comes when phone dies or restarts. Then I have to plug it back into laptop to restart server and I don't always have a computer with me.

What I would like to do is alleviate the laptop and have the bash bunny restart the server. 

ATTACKMODE HID
LED SETUP

while [ ! -d /media/BASHBUNNY ]; do
    sleep 1
done

QUACK STRING "adb usb"
QUACK ENTER
sleep 2
QUACK STRING "adb tcpip 5555"
QUACK ENTER

LED FINISH

Link to comment
Share on other sites

Wait for bash bunny to be recognized before executing the commands. I am going to assume based on you asking it's not needed.

ATTACKMODE HID
LED SETUP

QUACK STRING "adb usb"
QUACK ENTER
sleep 2
QUACK STRING "adb tcpip 5555"
QUACK ENTER

LED FINISH

Save this as adbpayload.txt in switch1/payload?

 

Link to comment
Share on other sites

I'm asking because I need to get an understanding of what you want to happen when running the payload.

I can't see that the while loop would work in any way, partly because the payload code is executed on the Bunny. In this case the Bunny would wait for the Bunny (unless there's some storage device on the Android device that is labelled "BASHBUNNY" that is automatically mounted to the Bunny in some way). Another thing stopping such a scenario from even happening is that the Bunny is just running as a HID device based on the ATTACKMODE used. There is no storage functionality involved. But, I can't see that happen despite using the storage mode for the Bunny. To get that idea to work, the device to which the Bunny is connected has to identify itself to the Bunny in some way for the Bunny to know that it's ready for input.

1 hour ago, D14b0l1c said:

Save this as adbpayload.txt in switch1/payload?

Payloads should be named payload.txt specifically, nothing else (as per the documentation).

https://docs.hak5.org/bash-bunny/writing-payloads/payload-development-basics

  • Thanks 1
Link to comment
Share on other sites

ATTACKMODE HID
LED SETUP

QUACK STRING "adb usb"
QUACK ENTER
sleep 2
QUACK STRING "adb tcpip 5555"
QUACK ENTER

LED FINISH

Pushes the commands "adb usb" and "adb tcpip 5555" to phone (I have screenshots).

What I am trying to do is to have the bash bunny be read as if it's a usb device to enable usb debugging (same as if I am plugging my laptop or pi into the phone).

Run on bash bunny as if I am on the laptop or pi command line (I have screenshots):
adb usb
adb tcpip 5555

Then on phone I am able to physically click the adb toolbox app connect and unplug usb. This command line interface allows me to run adb shell commands such as adb shell dumpsys -l (I have screenshots of this). 

I am attempting to figure out how to get bash bunny to be detected and enable the usb debugging feature then locally execute the "adb usb" and "adb tcpip 5555".

If I figure this out before any response I will respond with the solution, but any guidance and help is very much appreciated. 

Thank you in advance,
-D14b0l1c

 

 

 

Link to comment
Share on other sites

I am still unable to get the device to work as needed. I read the readme.txt file and it mentions:
ECM_ETHERNET   ECM     Ethernet Control Model        Linux/Mac/Android 

I started building using ATTACKMODE ECM_ETHERNET, but still no luck on getting it to trigger the phones USB debugging. 

The phone is in developer mode and has USB debugging enabled. I am able to do USB debugging from my laptop via USB, I am able to do Wi-Fi debugging on the same network with only two phones, and I am able to plug the phones directly into each other via USB and trigger the USB debugging. But for whatever reason when I plug bash bunny in, it does not work. I am aware it's most likely something I am doing incorrectly.

But my intention is to be able to trigger the phone to read the bash bunny as another device so I can create payload to execute:
adb tcpip 5555 

The other alternative I have seen is to reflash the bash bunny to run a different operating system, but there's so much that goes into that. I can't seem to understand or find why bash bunny can execute onto the Android device, but the Android doesn't read the bash bunny in a way to trigger the USB debugging. Attached are 

Attachments Explanation:
bash bunny payload - screenshot of payload pushing the text to the phone, connection not working.

After USB-C connection between laptop and phone:
laptop command line - me executing adb commands laptop.
USB connection working - showing on the phone that the connection established.
display of USB debugging triggered via USB cable - display of USB debugging being activated when USB cable plugged in

 

Please help and thank you in advance,
-D14b0l1c

 

 

bash bunny payload.png

laptop command line.png

USB connection working.png

display of USB debugging triggered via USB cable.png

Link to comment
Share on other sites

So far this is what I have built out. I think I am off with my IP connection. I am able to get daemon to start on tcp:5307
My "adb connect 172.16.64.1:5555" times out

# Set Bash Bunny to ECM Ethernet mode
LED B SLOW
ATTACKMODE ECM_ETHERNET
ATTACKMODE HID

DELAY 2000

QUACK STRING adb kill-server
QUACK ENTER
DELAY 1000

QUACK STRING adb start-server
QUACK ENTER
DELAY 1000

adb usb
ENTER
adb tcpip 5555
ENTER

QUACK STRING adb connect 172.16.64.1:5555
QUACK ENTER

LED FINISH

Link to comment
Share on other sites

9 minutes ago, D14b0l1c said:

ATTACKMODE ECM_ETHERNET
ATTACKMODE HID

Using ATTACKMODE this way will kill the network on the Bunny straight away and it will just work as a HID device for the rest of the payload.

If you want HID (keyboard) and network at the same time, you need to specify it on the same line, such as:

ATTACKMODE HID ECM_ETHERNET

From the docs: "ATTACKMODE is a DuckyScript command which specifies which devices to emulate. The ATTACKMODE command may be issued multiple times within a given payload. For example, a payload may begin by emulating Ethernet, then switch to emulating a keyboard and serial later based on a number of conditions."

https://docs.hak5.org/bash-bunny/writing-payloads/attackmode

I would really advise you to read the documentation instead of blindly executing commands. It will save you time.

15 minutes ago, D14b0l1c said:

adb usb
ENTER
adb tcpip 5555
ENTER

Not sure what you want ENTER to do here. It's not a DuckyScript command and it's not Bash.

  • Thanks 1
Link to comment
Share on other sites

Posted (edited)

Thank you for addressing my ATTACKMODE syntax, my mistake, I overlooked that being impatient.

ADB consists of three components:

Client: The client runs on your development machine (your computer). You can invoke it from a command-line terminal by issuing an ADB command.

  • Essentially want to execute adb usb and adb tcpip 5555 as if it is from the bunny terminal. After reading readme.txt this is what made me think to include ECM_ETHERNET.
  •  The HID was included later on when I thought I needed to manually start the adbd server, so I added QUACK STRING adb kill-server; QUACK ENTER; DELAY 1000; QUACK STRING adb start-server; QUACK ENTER. 

Daemon (adbd): This runs on the Android device itself. It executes commands sent from the client.

  • Typically, this starts when I start running the commands from the Client

Server: The server manages communication between the client and the daemon. It runs as a background process on your development machine.

When you start an ADB client, it checks if there’s already an ADB server process running. If not, it starts the server. The server binds to local TCP port 5037 and listens for commands from ADB clients. It sets up connections to all running devices (physical devices or emulators). ADB locates emulators by scanning odd-numbered ports in the range 5555 to 5585. Each emulator uses a pair of sequential ports: an even-numbered port for console connections and an odd-numbered port for ADB connections.
For example:
Emulator 1, console: 5554
Emulator 1, ADB: 5555

Based on what you mentioned above and what I read I didn't even have my ATTACKMODE syntax correct. For the other part I wanted to execute as a command line command not on the Android phone, but on the bunny. 

 

Please help and thank you in advance,
-D14b0l1c

Edited by D14b0l1c
Link to comment
Share on other sites

On 3/1/2024 at 5:04 PM, dark_pyrro said:

Using ATTACKMODE this way will kill the network on the Bunny straight away and it will just work as a HID device for the rest of the payload.

If you want HID (keyboard) and network at the same time, you need to specify it on the same line, such as:

ATTACKMODE HID ECM_ETHERNET

From the docs: "ATTACKMODE is a DuckyScript command which specifies which devices to emulate. The ATTACKMODE command may be issued multiple times within a given payload. For example, a payload may begin by emulating Ethernet, then switch to emulating a keyboard and serial later based on a number of conditions."

https://docs.hak5.org/bash-bunny/writing-payloads/attackmode

I would really advise you to read the documentation instead of blindly executing commands. It will save you time.

Not sure what you want ENTER to do here. It's not a DuckyScript command and it's not Bash.

The ENTER was from when I had QUACK in front; I just removed QUACK and left the ENTER there.

Link to comment
Share on other sites

The following GitHub is the closest example of what I am looking to do: bashbunny-payloads/payloads/library/mobile/android/fireytv/payload.txt at master · hak5/bashbunny-payloads · GitHub.

My focus is an android phone, and I don't want to upload an APK. I do want to run adb commands. Based on my understanding of reading this my payload would look something like:

LED SETUP
GET TARGET_IP
GET SWITCH_POSITION
ATTACKMODE ECM_ETHERNET
adb tcpip 5555
adb connect ${TARGET_IP}
LED FINISH

Or would creating a Bash script executing the commands be a better alternative or even possible? Based on reading the rdp_checker bashbunny-payloads/payloads/library/recon/rdp_checker/payload.txt at master · hak5/bashbunny-payloads · GitHub, it appears I could create a script store it in /tools and call it in the payload.txt. 

Please help and thank you in advance,
-D14b0l1c

Link to comment
Share on other sites

I'm rather skeptical when it comes to the use of GET TARGET_IP before issuing ATTACKMODE ECM_ETHERNET. I can't see how the Bunny would be able to get the target IP before the Bunny is in a mode allowing it to act as an Ethernet "device" (and make the target connect and obtain a DHCP lease from the Bunny).

Link to comment
Share on other sites

  • Solution

I temporarily switched over to the Key Croc since it makes it easier to develop/test payloads instead of blindly run things using the Bunny with the help of LEDs, log files, etc.

Got it to work in the Croc and then went back to the Bunny (used a Mk1 Bunny, but that won't make any difference compared to using a Mk2 one).

This is the payload I used. The payload can for sure be a bit more "pretty" (while loop to wait for target IP address, etc.) but it works for a PoC scenario.
Getting the target IP can instead be made in the more "usual" way (i.e. using GET TARGET_IP)

ATTACKMODE ECM_ETHERNET

sleep 5

TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)

/usr/bin/adb tcpip 5555
sleep 1
/usr/bin/adb connect ${TARGET_IP}
LED FINISH

 

  • Thanks 1
Link to comment
Share on other sites

Posted (edited)
10 hours ago, dark_pyrro said:
ATTACKMODE ECM_ETHERNET

sleep 5

TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)

/usr/bin/adb tcpip 5555
sleep 1
/usr/bin/adb connect ${TARGET_IP}
LED FINISH

I am able to execute via bunny command line but it's not connecting or showing any signs to connect, the phone isn't recognizing the bunny as a client the same way it does my pi and laptop, so when the commands execute it's not working. 

Afterwards I added the adb usb; below is a demonstration of what happens when my laptop usb has been successfully recognized and adb usb works.

Laptop before (no devices/emulators found) and after usb is plugged in (restarting in USB mode connecting the device and running adb devices displaying the serial number of phone the laptop is connected to):

Microsoft Windows [Version 10.0.22631.3235]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Stude>adb usb
error: no devices/emulators found

C:\Users\Stude>adb usb
restarting in USB mode

C:\Users\Stude>adb devices
List of devices attached
710KPZK0409189  device

 

Do you think it would be a good idea to export the following commands to a text file: adb usb > adbusb.txt, adb devices > device.txt, and adb tcpip 5555 > tcpip.txt?

The below is what bunny will look like if the bunny and phone are not seeing each other. 

login as: root
root@172.16.64.1's password:
           _____  _____  _____  _____     _____  _____  _____  _____  __ __
 (\___/)  | __  ||  _  ||   __||  |  |   | __  ||  |  ||   | ||   | ||  |  |
 (='.'=)  | __ -||     ||__   ||     |   | __ -||  |  || | | || | | ||_   _|
 (")_(")  |_____||__|__||_____||__|__|   |_____||_____||_|___||_|___|  |_|
 Bash Bunny by Hak5     USB Attack/Automation Platform

Last login: Wed Feb 28 16:29:06 2024 from 172.16.64.64
root@bunny:~# adb usb
error: no devices/emulators found
root@bunny:~# adb devices
List of devices attached

root@bunny:~#
 

Your thoughts:

 

ATTACKMODE ECM_ETHERNET STORAGE

sleep 5

/usr/bin/adb usb > /loot/adbusb.txt
sleep 1
/usr/bin/adb devices > /loot/devices.txt
sleep 1
/usr/bin/adb tcpip 5555 > /loot/tcpip.txt

LED FINISH

Please help and thank you in advance,
-D14b0l1c

Edited by D14b0l1c
Link to comment
Share on other sites

Using "adb usb" on the Bunny will probably not work since the Bunny isn't acting as a USB host (? - not 100% verified, but likely). The Bunny is just using USB as a hardware interface for the different modes it can emulate (HID, STORAGE, SERIAL, *NETWORK...). So, it might be easy to try to be "logic" and think "hey, the Bunny has a USB port, therefore it's USB in all ways and forms". But that might not be fully true, it's most likely a USB device (with no host capabilities) at best. This is a possible reason why "adb usb" works on a device that acts as a USB host (for example a computer), but not on the Bunny. Using the network based approach to connecting using adb (like my payload example does) would be the path I would continue on. Especially since "adb usb" doesn't seem to work, and the network alternative does (at least when I try it).

7 hours ago, D14b0l1c said:

The below is what bunny will look like if the bunny and phone are not seeing each other. 

login as: root
root@172.16.64.1's password:
           _____  _____  _____  _____     _____  _____  _____  _____  __ __
 (\___/)  | __  ||  _  ||   __||  |  |   | __  ||  |  ||   | ||   | ||  |  |
 (='.'=)  | __ -||     ||__   ||     |   | __ -||  |  || | | || | | ||_   _|
 (")_(")  |_____||__|__||_____||__|__|   |_____||_____||_|___||_|___|  |_|
 Bash Bunny by Hak5     USB Attack/Automation Platform

Last login: Wed Feb 28 16:29:06 2024 from 172.16.64.64
root@bunny:~# adb usb
error: no devices/emulators found
root@bunny:~# adb devices
List of devices attached

How did you execute these commands if your Bunny was connected to the phone? From the phone itself via serial or ssh?

Edited by dark_pyrro
Link to comment
Share on other sites

9 hours ago, dark_pyrro said:

How did you execute these commands if your Bunny was connected to the phone? From the phone itself via serial or ssh?

I had the bunny connected to my laptop same time as phone and was going to attempt to see if I could share the connection through my windows box, then I found few links (example of video below) and forums on how to ssh over Bluetooth, this will be a different project.

 

I tried the code you provided, and I am still having issues with connection to the phone. When you ran your code were you able to execute adb shell commands like "adb shell dumpsys -l"?

 

Please help and thank you in advance,
-D14b0l1c

 

 

 

Link to comment
Share on other sites

1 hour ago, D14b0l1c said:

When you ran your code were you able to execute adb shell commands like "adb shell dumpsys -l"?

I added adb shell dumpsys battery > /root/adb_batt.log to my previously posted payload code and it worked as expected.

Link to comment
Share on other sites

Posted (edited)
5 minutes ago, dark_pyrro said:

I added adb shell dumpsys battery > /root/adb_batt.log to my previously posted payload code and it worked as expected.

Did you have to do USB Ethernet tethering in your phone? I see what you did, and it makes sense. I even see that the phone reads the ethernet connection for the bunny in the USB tethering settings it goes from greyed out to black for enablement. 

Edited by D14b0l1c
Link to comment
Share on other sites

19 minutes ago, D14b0l1c said:

I added adb shell dumpsys battery > /root/adb_batt.log to my previously posted payload code and it worked as expected.

I got the file created but it was empty, I am getting closer. I am not sure if the connection is working. I added the battery so if I can get at least that one to work I can get the bigger adb shell dumpsys -l and adb shell dumpsys.  

ATTACKMODE ECM_ETHERNET

sleep 5

TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)

adb tcpip 5555
sleep 1
adb connect ${TARGET_IP}
adb shell dumpsys battery > /root/battery.txt
LED FINISH

Link to comment
Share on other sites

Posted (edited)

battery.txt gets created in root directory but no data is being stored to it. I am getting an IP, so that's a plus!

ATTACKMODE ECM_ETHERNET

sleep 5

TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq > /root/ip.txt
adb tcpip 5555
sleep 1
adb connect ${TARGET_IP}
adb shell dumpsys battery > /root/battery.txt
LED FINISH

login as: root
root@172.16.64.1's password:
           _____  _____  _____  _____     _____  _____  _____  _____  __ __
 (\___/)  | __  ||  _  ||   __||  |  |   | __  ||  |  ||   | ||   | ||  |  |
 (='.'=)  | __ -||     ||__   ||     |   | __ -||  |  || | | || | | ||_   _|
 (")_(")  |_____||__|__||_____||__|__|   |_____||_____||_|___||_|___|  |_|
 Bash Bunny by Hak5     USB Attack/Automation Platform

Last login: Wed Feb 28 15:34:59 2024 from 172.16.64.64
root@bunny:~# dir
adb_7.0.0+r33-1_armhf.deb                battery.txt
android-libadb_7.0.0+r33-1_armhf.deb     ip.txt
android-libbase_7.0.0+r33-1_armhf.deb    udisk
android-libcutils_7.0.0+r33-1_armhf.deb  version.txt
android-liblog_7.0.0+r33-1_armhf.deb
root@bunny:~# cat ip.txt
172.16.64.10

root@bunny:~# cat battery.txt
root@bunny:~#
 

Edited by D14b0l1c
Link to comment
Share on other sites
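
Added example, not part of any post in this thread: a diagnostic for the network-based payload and the empty battery.txt above. It selects the current lease from dhcpd.leases (the grep | awk | sort | uniq pipeline prints every address that was ever leased) and reads the state column of adb devices, since adb reports failures on stderr and a plain > redirect then leaves an empty file. The lease and adb devices samples are constructed, and the function names are hypothetical.

```shell
# Added example, not from the thread; all sample data below is constructed.
# Constructed dhcpd.leases content: .10 leased, then freed, then .11 leased.
sample_leases() {
cat <<'EOF'
lease 172.16.64.10 {
  binding state active;
}
lease 172.16.64.10 {
  binding state free;
}
lease 172.16.64.11 {
  binding state active;
  next binding state free;
}
EOF
}

# Constructed `adb devices` output for a phone that has not accepted the key.
sample_adb_devices() {
    printf 'List of devices attached\n172.16.64.11:5555\tunauthorized\n\n'
}

# The lease extraction used in the thread, reading the file on stdin.
thread_pipeline() { grep '^lease' | awk '{ print $2 }' | sort | uniq; }

# IP of the most recent lease block whose binding state is "active".
# dhcpd.leases is append-only: a later block for an IP overrides earlier ones.
latest_active_lease() {
    awk '
        $1 == "lease" && $3 == "{"       { ip = $2; state = "" }
        $1 == "binding" && $2 == "state" { state = $3; sub(/;$/, "", state) }
        $1 == "}" && ip != "" {
            if (state == "active") last = ip
            else if (last == ip)   last = ""
            ip = ""
        }
        END { if (last != "") print last }
    '
}

# State column of `adb devices` (stdin) for one serial, or "absent".
adb_state() {
    awk -v want="$1" '
        $1 == want { print $2; found = 1; exit }
        END { if (!found) print "absent" }
    '
}

# Explain the outcome. $1 = lease IP (may be empty), $2 = adb state.
diagnose() {
    [ -n "$1" ] || { echo "no active DHCP lease: target has no IP yet"; return 1; }
    case "$2" in
        device)       echo "ok: $1:5555 is connected and authorized" ;;
        unauthorized) echo "blocked: debugging key not accepted on the phone"; return 1 ;;
        offline)      echo "blocked: $1:5555 is listed but not responding"; return 1 ;;
        *)            echo "blocked: $1:5555 is not connected"; return 1 ;;
    esac
}

# Demo on the samples. Real inputs: latest_active_lease < /var/lib/dhcp/dhcpd.leases
# and: adb devices | adb_state "$ip:5555"
ip=$(sample_leases | latest_active_lease)
state=$(sample_adb_devices | adb_state "$ip:5555")
diagnose "$ip" "$state" || true
```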
