hak5 / bashbunny-payloads
The Official Bash Bunny Payload Repository
Home Page: https://bashbunny.com
Feature Idea: It'd be pretty cool to make use of the TARGETs env variables in our scripts.
FILES=(a.txt b.txt c.txt)
QUACK STRING tar -cf $USER.tar.gz ${FILES[@]}
QUACK ENTER
Desired end result in the TARGET's terminal:
tar -cf $USER.tar.gz a.txt b.txt c.txt
Which would leave us with a file called bob.tar.gz
I think the title says enough. Thanks in advance!
While running GET SWITCH_POSITION in ssh I am able to get the variable:
root@bunny:~# GET SWITCH_POSITION
root@bunny:~# echo $SWITCH_POSITION
switch3
But when using the new WAIT extension I realized that when running an attack I could not get $SWITCH_POSITION. WAIT would not wait and completely skip the line (@hak5darren). I am also running 1.5_298 (@sebkinne)
My code is as follows:
GET SWITCH_POSITION
TEST=$SWITCH_POSITION
ATTACKMODE HID
Q STRING Test: $TEST and SWITCH_POSITION: $SWITCH_POSITION
This results in "Test: and SWITCH_POSITION:", which is not a great response.
Any help would be greatly appreciated.
- `~`s resolve to root, not current user on macOS
- paths resolve with double dashes //
- volume doesn't mount as /Volumes/BashBunny
- lootdir points to nonexistent path
Edit: After speaking with other users, stock BBs do mount as /Volume/BashBunny. My bad.
I have a file called ducky.txt which contains
STRING \
When I call it using:
ATTACKMODE HID STORAGE
LANGUAGE='uk'
LED R
QUACK switch1/ducky.txt
This would then output a "#"
I've also tried setting the language to US but the outcome is the same.
"/root/udisk/payloads/$SWITCH_POSITION/git.log" gets moved by line 48, which makes "payloads/$SWITCH_POSITION/git.log" an invalid path until line 58.
Would it be possible to allow the BB to operate the USB device in host mode? This would help facilitate some other attacks on mobile devices, and other devices.
More of a suggestion really, but may I suggest running payload.txt through either of the following before execution?
cat $payloadfile | dos2unix -U > /tmp/payload.sh && chmod +x /tmp/payload.sh && /tmp/payload.sh
cat $payloadfile | sed 's/\r$//' > /tmp/payload.sh && chmod +x /tmp/payload.sh && /tmp/payload.sh
tr -d '\r' < $payloadfile > /tmp/payload.sh && chmod +x /tmp/payload.sh && /tmp/payload.sh
I keep getting the file not found error (blue flashing) when trying to run the RAZ_ReverseShell script.
I have sshed into the bunny and I do not see anything in /root/udisk
I ran the following in the bunny in switch mode 3 connecting using screen:
Linux bunny 3.4.39 #130 SMP PREEMPT Fri Feb 10 14:24:25 CST 2017 armv7l
_____ _____ _____ _____ _____ _____ _____ _____ __ __
(\___/) | __ || _ || __|| | | | __ || | || | || | || | |
(='.'=) | __ -|| ||__ || | | __ -|| | || | | || | | ||_ _|
(")_(") |_____||__|__||_____||__|__| |_____||_____||_|___||_|___| |_|
Bash Bunny by Hak5 USB Attack/Automation Platform
root@bunny:~# ls
ATTACKMODE LICENSE.txt bash_bunny.sh ducklog.txt tools
EULA.txt Q bootcount g_ether.ko udisk
LED QUACK do_post_update.sh private version.txt
root@bunny:~# ll udisk/
total 8
drwxr-xr-x 2 root root 4096 Feb 9 2017 ./
drwx------ 6 root root 4096 Dec 31 16:00 ../
root@bunny:~#
I also found that the payload script was run in /tmp. Do all the other files in the switch folder get copied to /tmp when said switch is active?
Because Windows 7 prompts to select a network location, QuickCreds can't work.
I'm using the payload QuickCreds and I'm having issues getting it to work. I installed responder on the BashBunny and it's in the right folder, but I'm getting FAIL2; not sure what "Target did not acquire IP address" means. Sorry, I'm new.
Just a general suggestion...
My bunny already went through a recovery cycle and it blinks the led red for a couple of minutes during that time. Shortly after that recovery was successful, I was trying out quick creds, which also uses a blinking red led to show failure. I waited a good ten minutes to make sure it wasn't going through a recovery mode before I unplugged it, because of the double use of the error state. I think that the recovery mode blink should be some sort of pattern (like morse code 'sos') to differentiate it from a standard blinking red light, that might be frequently used in these payloads.
I think it's a better design to keep all payload files in their respective switch folders so the root folder doesn't get super cluttered. With something like a switch position #4, it's easier to path to the payload folder. This line in usb_exfiltrator would change
QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'d.cmd')"
to
QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\$SWITCH_POSITION\d.cmd')"
install.sh would no longer be necessary for this payload and the root would no longer be cluttered :)
@ralphyz
Where do I get nc.exe and where do I put it?
I'm not sure if this is the place for this but it's more of a recommendation than an issue. Most of the payloads in this library use Powershell, but many companies block Powershell from running on most endpoints, or under normal user privilege. Anyone written any solid exfil / system info / loot collection payloads without using Powershell?
Thanks!
E.g.
HOLDDOWN/ALLDOWN/etc... A,B,C 0.5 # press A, B and C at the same time for 0.5 seconds
DELAY ...
OR
KEYDOWN A
KEYDOWN B
KEYDOWN C
DELAY ...
KEYUP A
KEYUP B
KEYUP C # or just KEYUP with no args for all keys up
There is an error when running the bb script on linux (not sure if it affects macOS). I'd like to help fix it but I don't know where the source is kept outside of bashbunny.com/bb.sh
Would it be helpful to have a top level tools/ or utilities/ folder to keep handy scripts and things that aren't payloads in this repo too?
As of 10.9.5, the default path for Chrome's goodies is not where the script directs us: /Library/Application\ Support/Google/Chrome/Default/Cookies
The correct path is as follows:/Library/Application\ Support/Google/Chrome/Profile/Cookies
Here's the rub: that cute little "Profile" folder always has a number associated with it; Profile 2, Profile 3, etc. If the variable could be set to download the payload of said Profile folder then it should work. I don't know how to write the code. Help me make this better for all of us!
Special keys like æ, ø and å are missing from no.json and dk.json. QUACK is unable to read æ, ø and å from script files and responds with this error after my attempt to add the keys to the .json file:
Traceback (most recent call last):
File "/usr/local/bunny/bin/QUACK", line 182, in <module>
run_script(input_line, language)
File "/usr/local/bunny/bin/QUACK", line 158, in run_script
context = run_ducky_line(context, line, lang_file)
File "/usr/local/bunny/bin/QUACK", line 82, in run_ducky_line
elements = lang_file[char].split(",");
KeyError: '\xc3'
The bunny is also reluctant to accept special characters over serial and ssh.
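The KeyError: '\xc3' above is the classic symptom of a script that walks an undecoded UTF-8 string one byte at a time: æ is stored on disk as the two bytes 0xC3 0xA6, and neither byte alone is a key in the layout map. The following is an added example, not code from the QUACK tool or this repository; it reconstructs that failure with a small constructed keymap (the key assignments are placeholders, not the real no.json layout) and shows the decoded lookup that makes æ, ø and å single characters again.

```python
# Added example (not from QUACK or the bashbunny-payloads repo): why a byte-wise
# keymap lookup fails on 'æ', 'ø', 'å' and how decoding the line first fixes it.
# KEYMAP is constructed for illustration; the key names are placeholders.
KEYMAP = {
    "a": "KEY_A",
    "e": "KEY_E",
    "æ": "KEY_SEMICOLON",   # constructed placeholder, not the real layout
    "ø": "KEY_APOSTROPHE",  # constructed placeholder
    "å": "KEY_LEFTBRACE",   # constructed placeholder
}


def lookup_bytewise(raw: bytes) -> list:
    """Mimic a script that iterates over an undecoded UTF-8 string one byte
    at a time (Python 2 str behaviour). A multi-byte character such as 'æ'
    (0xC3 0xA6) is split into two bytes; the first one, 0xC3, is not a key
    in the map, so this raises KeyError('\xc3') just like the traceback."""
    out = []
    for b in raw:
        ch = chr(b)  # one byte becomes one "character"
        out.append(KEYMAP[ch])
    return out


def lookup_decoded(raw: bytes) -> list:
    """Decode the line as UTF-8 before looking up, so 'æ' is one code point.
    Characters still missing from the layout get a readable error instead of
    a bare byte value."""
    out = []
    for ch in raw.decode("utf-8"):
        if ch not in KEYMAP:
            raise KeyError(f"no mapping for {ch!r} (U+{ord(ch):04X}) in layout")
        out.append(KEYMAP[ch])
    return out


def failing_byte(raw: bytes):
    """Return the byte the byte-wise lookup trips over, or None if it succeeds."""
    try:
        lookup_bytewise(raw)
    except KeyError as e:
        return e.args[0]
    return None


# Constructed input: what a UTF-8 encoded ducky script line looks like on disk.
SAMPLE_LINE = "aæeøå".encode("utf-8")

if __name__ == "__main__":
    print("byte-wise lookup fails on:", repr(failing_byte(SAMPLE_LINE)))
    print("decoded lookup:", lookup_decoded(SAMPLE_LINE))
```

The same rule applies when the keys are added to the .json file: the file has to be saved as UTF-8 and loaded as text, otherwise the map ends up keyed by bytes and the lookup fails in the other direction.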
If the UAC window does not have focus, the bypass UAC will not work (as the Alt-o will not take effect).
Good day guys,
Great work with all the payloads guys.
I just noticed the "macDesktop" payload.
Its script makes use of wget, which is not included in the OSX operating system.
You can use brew or something to install it, but you're assuming the system you're going into (in this case Prank) has it installed.
I'm from Mexico, and the keyboards here are Spanish ISO (Latin), so my BashBunny isn't working here. I got a working .properties file for the Rubber Ducky keyboard, but that is not the expected format for the BB.
Any plans of doing this keyboard? I'd like to help but need to know how. I've been searching but no clues.
Thanks!
Yay first github issue post :p Found some minor typos in the wiki.
form should be from
http://wiki.bashbunny.com/#!././index.md#Firmware_Recovery
This process takes about 3 minuites. should be minutes
If a payload requires executing, by the host, a file either from the internet or the BashBunny, or storing such a file on the host, the readme for the payload should document it, as well as a description of the file and a link to virustotal. Note, this should include not only binaries but also scripts, such as .ps1-files (for example due to AMSI).
For example:
File | Path | Description | VirusTotal |
---|---|---|---|
Mimikatz | ./mimikatz.exe | Mimikatz binary, used for automated password backups | https://www.virustotal.com/en/file/c3c336a23021b68b026bdf1642b220d88037039aa6d7f8e7d4d576cc38063088/analysis/1470356182/ |
This could help avoid issues pointed out by @hak5darren on Hak5 2305
Hey all!
I like the new 1.1 structure of creating enhancements; it can be used for creating a specific loot folder, doing several fun things like for example starting up an apache server, etc.
But it would be nice if we could share each other's ideas of generic functions, so I would like to have a folder to share extensions as well. I couldn't find the folder on this git.
So I tried to create a bridged interface on the interface file and when I rebooted, I lost the ability to SSH into the USB or even via serial.
Is there a way to reimage/revert/recover the usb so that the network configuration is back to its original state?
FYI I came across
Can drive letter support be added to bunny_helpers.sh so that ducky scripts can be run as something like $drive_letter/payloads/$switch_position/
I accidentally formatted bashbunny, what to do now?
As per the title - if we are creating a new payload that we intend to contribute to the main repository, how would you prefer us to tackle dependencies which could be used across multiple payloads in the future?
Should we add the dependencies to the tools_installer
payload and refer users to run it via the README, or should we be creating a copy of the install.sh
file in our own payload directories and handling it within our own payload execution?
I thought personally the best way to do it would be via the tools_installer
payload, as to not duplicate code in various different payloads, but wanted to verify before submitting anything that relies on other Python libraries to those already present.
After looking through the payloads, it's not always immediately obvious which platform the payload is for. I think it would make sense to organize them into Windows/Linux/Mac/Other folders.
Hi there,
I haven't been able to figure out how to actually submit a Payload to the Bash Bunny repository... I haven't been able to submit a Pull Request (if that's even the way you're supposed to submit your written payload).
Anyway, if someone could please upload my Payload for me, that'd be great: https://github.com/0xCoto/bashbunny-payloads/tree/master/payloads/library/DuckyTemplate
Thank you. :)
Hi! I'm experiencing some issues with the extensions and I don't really know what I'm doing wrong. According to the documentation of the bash bunny I can just invoke the commands, but that leads to no results.
./payloads/switch1/payload.txt
LED Y
FOLDER
./payloads/library/extensions/folder.sh
function FOLDER() {
LED G
}
The led won't turn green. I also tried to do a RUN instead.. also not working.
When testing the smb_exfiltration payload, I noticed that the BB didn't correctly switch from HID to RNDIS... I decided to make a new payload with just this:
LED R
ATTACKMODE HID
LED G
ATTACKMODE RNDIS_ETHERNET
To my surprise, it actually didn't work (on multiple Windows 10 machines).
When plugging the BB in, it first shows up as a keyboard in the device manager, then the keyboard disconnects. After that I can hear a "there has been a connection" sound from Windows, but nothing shows up in device manager or adapter settings. Not even an unidentified device.
[EDIT]
It does show up in the device manager, however it is still shown as a keyboard.
GitBunnyGit payload <-----
Followed the instructions precisely (tail -f /var/log/git.log to monitor progress) but it still gives a red LED and indicates no internet, though I am able to SSH and perform apt-get update with no problems.
Any thoughts? BTW, I'm using Debian.
Thx in adv
Currently, when merging Pull Requests, the changes are "merged" by the collaborators, however, the commits by their original authors are not preserved and therefore not given credit.
Example: Merge PR from mrt0mat0 (here)
@mrt0mac0's changes are merged into the main repo, however, he is not credited with the commit.
My proposal: instead of merging changes, choose "rebase and merge". This will preserve the original author's commits and give them credit in the commit history.
All of my nmap scans on multiple computers (ECM_ETHERNET and RNDIS_ETHERNET) return:
MAC Address: 00:11:22:33:44:55 (Cimsys)
for the mac address. What is going on here?
So my bash bunny came yesterday and I tried USB_exfiltration, everything goes OK but it would not save any documents to loot.
While developing a payload that creates a webserver on the BB, I noticed it takes 12+ seconds for any request to bind a port on the BB.
Using ECM_ETHERNET attack mode and sshing in, all of the following command are affected:
python -m SimpleHTTPServer 8888
nc -nvlp 8888
ruby -run -e httpd . -p 8888
These same commands work as expected (sub 1 second response) when connected to the bunny in serial mode.
Creating a payload that starts the server on the bunny and then uses HID to make the victim curl the bunny fails because the server hasn't bound to the socket yet.
Recording of the issue - https://asciinema.org/a/arrd1giatg2w5gb8bme0ct7py
The current Ethernet modes are set up to be faster than the target's existing network adapters; however, doing so tends to cause the target machine to lose connectivity.
Is it possible to add a feature that would set the bunny to have say a dialup connection to allow for attacks to function without dropping internet connectivity.
An example of when this could be helpful is when a has a large amount of data to pull. And the user comes back, you could collect the bunny at another time without the user visibly having connectivity issues.
Another would be when you are using a domain account that you have recovered the password for to attack a machine, however the account is not cached and needs to connect to the domain controller to authenticate. If the connection to the domain is available still, the attack would be possible. As it stands you won't be able to connect to the domain to authenticate.
If connecting to the bunny over tty and then running top, I see that the program top itself is using 100% CPU. Also the bunny gets very hot very fast. If the bunny is plugged into a USB 2.0 port on my computer, the bunny will freeze and crash. If the bunny is plugged into a USB 3.0 port it will keep running for an undefined amount of time.
Hi all, I've updated a few keys that were not correctly configured in the PT language file when using a Portuguese Mac keyboard. It still misses a few special characters that can be used, especially the c cedilla: Ç
See file attached with the changes
Would it be possible to set the attackmode to read-only storage for computers that will scan/delete files on the storage partition automatically so your payload or other files don't get deleted?
These are some thoughts I have about how to better organize the BashBunny repository.
The problem: The issue is that people submit payloads (as they should) but the quality varies drastically. Some people put in serious time, others not so much. Some people have good ideas but don't have the knowledge or time to carry those ideas to completion. I won't mention any specific scripts but just the other day I was reviewing some exploits and I saw that they all pulled the main bit from someone else's github whose script is only partially working. This is really unfortunate; You don't want to go on there with your new bunny looking to try out some of the coolest scripts only to find that they don't work. Now just 30 minutes after you open your bunny you're already doing troubleshooting. That sucks.
The solution: I think creating a second branch (call it "dev" for example) could really help you to maintain a strict quality standard, while still allowing everyone to submit. The dev branch would be the place that all user-submitted scripts would go to and development would be had on. The Hak5 team could appoint a few trusty viewers to oversee PR's made to this branch. And periodically the Hak5 employees could check in here to see what's good and possibly bring it over to master branch. Or alternatively I could see that group of trusty people making the PRs to master for the Hak5 team to review.
Closing thoughts:
This would do a few things:
In the 28 Feb release, install.sh was in the tools_installer payload.
It has disappeared in the latest commit.
My BB is now limited to 2 GB instead of the original 8 GB. What is happening?
Due to bash interpreting QUACK text files/commands literally, if you have bash special characters in your commands the ducky attack will fail. You need to escape the special chars.
I recently had an idea for a super stealthy exfil method and maybe some of you are able to implement it 😄
The bash bunny registers itself as a network printer.
The target prints everything.
Alternatively (for bigger files), you can try:
The bunny fires up a hotspot (as in UndercoverBunny).
An external device (like a Raspberry Pi) connects to the hotspot and registers itself as a network printer.
The bunny launches a script waiting for the Raspi to connect and then prints everything.
The alternative may (or may not) be executed with a RubberDucky instead of a BashBunny.
the wiki says that one can place payloads into "switch1/xss.txt" and that it can be called by saying:
Q switch1/xss.txt
However in practice, I cannot get this to function. I have even created a script to attempt to identify where the path is when the switch position is set to '1', and where the files live on disk. I'm getting weird mixed results.
Also, it would seem that the payloads:
<script>alert(1)</script> and
' or 1=1;--
Appear to need some heavy escaping.
Perhaps a howto for this sort of thing could be done? Or maybe a way to put the raw characters somewhere when specifying a file for reading the payload where the chars don't have to be escaped?
I'm already seeing divergence in payloads where each author has to figure out how to do things their own way. Loot stored in switch folders, random colors and blink rates for various steps, and different quacks for different locales. Now that there is a growing body of really cool payloads, this is probably a good time to learn from these lessons. I'd like to propose a common settings file, perhaps loaded in by bunnyhelper.sh, that would give developers the assistance they need.
The file would contain the following:
LED RECON
when the attack enters the recon phase. (Note these colors and phases are totally arbitrary and imaginary, I'd love someone to replace them with something better):
<alt>+J to dismiss UAC, while an English machine will expect an <alt>+Y to do the same thing. Putting these common quacks in a config file would let a tester define the language, instead of each payload's author.
I'm sure there are other lessons to be learned from the payloads that have been created so far, too, so this list isn't exhaustive by any means. But just getting payload authors used to bringing in some standardized stuff would go a long way to helping the testers in the field.