SWITCH 1 adb usb | adb tcpip 5555 payload build help

[D14b0l1c]

I removed adb tcpip 5555 and included sleep 10.

 

ATTACKMODE ECM_ETHERNET

sleep 5

TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq > /root/ip.txt
adb connect ${TARGET_IP}

sleep 10

adb shell dumpsys battery > /root/battery.txt
LED FINISH

[D14b0l1c]

With the following I am able to SSH into bashbunny from phone using termius app, but still not getting anything from adb shell dumpsys -l. I know debugging is enabled and the command dumps I did it already through laptop. 

ATTACKMODE ECM_ETHERNET

sleep 5

TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq > /root/ip.txt
adb connect ${TARGET_IP}

sleep 20

adb shell dumpsys -l > /root/dumpsyslist.txt
LED FINISH

[dark_pyrro]

I can't recreate that scenario. If adding adb shell dumpsys -l to the payload (and write the output to a file on the Bunny), it works.

[D14b0l1c]

11 minutes ago, dark_pyrro said:

I can't recreate that scenario. If adding adb shell dumpsys -l to the payload (and write the output to a file on the Bunny), it works.

You're getting data in your file? I am getting file created but nothing is in it. Looking at the output of each line the connections isn't working.

 

Edited March 4 by D14b0l1c

[dark_pyrro]

17 minutes ago, D14b0l1c said:

You're getting data in your file?

 

23 minutes ago, dark_pyrro said:

If adding adb shell dumpsys -l to the payload (and write the output to a file on the Bunny), it works.

 

[D14b0l1c]

5 minutes ago, dark_pyrro said:

If adding adb shell dumpsys -l to the payload (and write the output to a file on the Bunny), it works

I don't understand how you're getting a connection. My daemon starts on 5307. The connection defaults to 172.16.64.10:5555 and I get an error. I even tried doing it from with bunny directly connected to phone. I ssh from phone into bunny.

[dark_pyrro]

I guess you have to investigate what capabilities your phone has. Obviously the Bunny is capable of doing this (since my tests are successful), and if it's not working, it's logic to assume that any limitations are on the "phone side". I've successfully recreated this on 3 different Android devices now.

[D14b0l1c]

On 3/4/2024 at 11:35 PM, dark_pyrro said:

I guess you have to investigate what capabilities your phone has. Obviously the Bunny is capable of doing this (since my tests are successful), and if it's not working, it's logic to assume that any limitations are on the "phone side". I've successfully recreated this on 3 different Android devices now.

It is an older model phone, Pixel 2 XL. I'll try on other devices when I get a chance. I am able to execute once USB Debugging services are running but I can't get the bunny to restart adb services after device reboot. Thank you.

Are your devices rooted? Did you reboot phone and use bunny to see if it executed without reestablishing USB debugging connection over Wi-Fi or USB?

This is me attempting it again and outputting the connection error. There is something on the phone side that is enabled when a typical USB plugged in that enables the session. I am looking at ways to enable the connection over ethernet.

Keep in mind once the connection is started, I can maintain it. I primarily need bash bunny to restart this client server connection after phone reboot, secondary is to run adb shell <command>.

login as: root
root@172.16.64.1's password:
           _____  _____  _____  _____     _____  _____  _____  _____  __ __
 (\___/)  | __  ||  _  ||   __||  |  |   | __  ||  |  ||   | ||   | ||  |  |
 (='.'=)  | __ -||     ||__   ||     |   | __ -||  |  || | | || | | ||_   _|
 (")_(")  |_____||__|__||_____||__|__|   |_____||_____||_|___||_|___|  |_|
 Bash Bunny by Hak5     USB Attack/Automation Platform

Last login: Wed Feb 28 15:36:05 2024 from 172.16.64.10
root@bunny:~# dir
adb_7.0.0+r33-1_armhf.deb                connection.txt
android-libadb_7.0.0+r33-1_armhf.deb     dumpsys.txt
android-libbase_7.0.0+r33-1_armhf.deb    ip.txt
android-libcutils_7.0.0+r33-1_armhf.deb  udisk
android-liblog_7.0.0+r33-1_armhf.deb     version.txt
root@bunny:~# cat connection.txt
unable to connect to 172.16.64.10:5555: Connection refused
root@bunny:~# cat ip.txt
172.16.64.10
root@bunny:~# cat dumpsys.txt
root@bunny:~#
 

ATTACKMODE ECM_ETHERNET HID

DELAY 2000

QUACK STRING adb kill-server
QUACK ENTER
DELAY 1000

QUACK STRING adb start-server
QUACK ENTER
DELAY 1000

sleep 5

TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq > /root/ip.txt

adb connect ${TARGET_IP}
adb connect ${TARGET_IP} > /root/connection.txt

sleep 20

adb shell dumpsys > /root/dumpsys.txt

LED FINISH

[D14b0l1c]

Thank you @dark_pyrro, I have tried this on a few devices and it only works if I plug in a USB trigger the debugging and then remove, but once device reboots, I am unable to get it to work again.

After asking around, a pentester I know mentioned to try the USB Armory MkII - Hacker Warehouse it does have the additional feature to attach the phone via USB and this might be what is needed to trigger the debugger listener to activate on a non-rooted phone.