D14b0l1c Posted March 4 Author Share Posted March 4 I removed adb tcpip 5555 and included sleep 10. ATTACKMODE ECM_ETHERNET sleep 5 TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq) cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq > /root/ip.txt adb connect ${TARGET_IP} sleep 10 adb shell dumpsys battery > /root/battery.txt LED FINISH Quote Link to comment Share on other sites More sharing options...
D14b0l1c Posted March 4 Author Share Posted March 4 With the following I am able to SSH into bashbunny from phone using termius app, but still not getting anything from adb shell dumpsys -l. I know debugging is enabled and the command dumps I did it already through laptop. ATTACKMODE ECM_ETHERNET sleep 5 TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq) cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq > /root/ip.txt adb connect ${TARGET_IP} sleep 20 adb shell dumpsys -l > /root/dumpsyslist.txt LED FINISH Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted March 4 Share Posted March 4 I can't recreate that scenario. If adding adb shell dumpsys -l to the payload (and write the output to a file on the Bunny), it works. Quote Link to comment Share on other sites More sharing options...
D14b0l1c Posted March 4 Author Share Posted March 4 (edited) 11 minutes ago, dark_pyrro said: I can't recreate that scenario. If adding adb shell dumpsys -l to the payload (and write the output to a file on the Bunny), it works. You're getting data in your file? I am getting file created but nothing is in it. Looking at the output of each line the connections isn't working. Edited March 4 by D14b0l1c Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted March 4 Share Posted March 4 17 minutes ago, D14b0l1c said: You're getting data in your file? 23 minutes ago, dark_pyrro said: If adding adb shell dumpsys -l to the payload (and write the output to a file on the Bunny), it works. Quote Link to comment Share on other sites More sharing options...
D14b0l1c Posted March 4 Author Share Posted March 4 5 minutes ago, dark_pyrro said: If adding adb shell dumpsys -l to the payload (and write the output to a file on the Bunny), it works I don't understand how you're getting a connection. My daemon starts on 5307. The connection defaults to 172.16.64.10:5555 and I get an error. I even tried doing it from with bunny directly connected to phone. I ssh from phone into bunny. Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted March 5 Share Posted March 5 I guess you have to investigate what capabilities your phone has. Obviously the Bunny is capable of doing this (since my tests are successful), and if it's not working, it's logic to assume that any limitations are on the "phone side". I've successfully recreated this on 3 different Android devices now. 1 Quote Link to comment Share on other sites More sharing options...
D14b0l1c Posted March 8 Author Share Posted March 8 On 3/4/2024 at 11:35 PM, dark_pyrro said: I guess you have to investigate what capabilities your phone has. Obviously the Bunny is capable of doing this (since my tests are successful), and if it's not working, it's logic to assume that any limitations are on the "phone side". I've successfully recreated this on 3 different Android devices now. It is an older model phone, Pixel 2 XL. I'll try on other devices when I get a chance. I am able to execute once USB Debugging services are running but I can't get the bunny to restart adb services after device reboot. Thank you. Are your devices rooted? Did you reboot phone and use bunny to see if it executed without reestablishing USB debugging connection over Wi-Fi or USB? This is me attempting it again and outputting the connection error. There is something on the phone side that is enabled when a typical USB plugged in that enables the session. I am looking at ways to enable the connection over ethernet. Keep in mind once the connection is started, I can maintain it. I primarily need bash bunny to restart this client server connection after phone reboot, secondary is to run adb shell <command>. login as: root root@172.16.64.1's password: _____ _____ _____ _____ _____ _____ _____ _____ __ __ (\___/) | __ || _ || __|| | | | __ || | || | || | || | | (='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _| (")_(") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_| Bash Bunny by Hak5 USB Attack/Automation Platform Last login: Wed Feb 28 15:36:05 2024 from 172.16.64.10 root@bunny:~# dir adb_7.0.0+r33-1_armhf.deb connection.txt android-libadb_7.0.0+r33-1_armhf.deb dumpsys.txt android-libbase_7.0.0+r33-1_armhf.deb ip.txt android-libcutils_7.0.0+r33-1_armhf.deb udisk android-liblog_7.0.0+r33-1_armhf.deb version.txt root@bunny:~# cat connection.txt unable to connect to 172.16.64.10:5555: Connection refused root@bunny:~# cat ip.txt 172.16.64.10 root@bunny:~# cat dumpsys.txt root@bunny:~# ATTACKMODE ECM_ETHERNET HID DELAY 2000 QUACK STRING adb kill-server QUACK ENTER DELAY 1000 QUACK STRING adb start-server QUACK ENTER DELAY 1000 sleep 5 TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq) cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq > /root/ip.txt adb connect ${TARGET_IP} adb connect ${TARGET_IP} > /root/connection.txt sleep 20 adb shell dumpsys > /root/dumpsys.txt LED FINISH Quote Link to comment Share on other sites More sharing options...
D14b0l1c Posted March 8 Author Share Posted March 8 Thank you @dark_pyrro, I have tried this on a few devices and it only works if I plug in a USB trigger the debugging and then remove, but once device reboots, I am unable to get it to work again. After asking around, a pentester I know mentioned to try the USB Armory MkII - Hacker Warehouse it does have the additional feature to attach the phone via USB and this might be what is needed to trigger the debugger listener to activate on a non-rooted phone. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.