Hak5 Bash Bunny

From Embedded Lab Vienna for IoT & Security
Revision as of 20:08, 21 October 2020 by Cskallak (talk | contribs) (→‎LED)
Jump to navigation Jump to search
Bash Bunny and Field Guide

Summary

This documentation is about the Bash Bunny from Hak5. This device is an multi-purpose USB Attack platform that combines a Rubberducky and a Debian based micro computer to perform a wide range of attacks.

General Information and File System

Bash Bunny Payloads

Switch Positions

The Bash bunny has 3 Switch positions to switch between Arming mode and the two Attacks Payloads. The most left position sets the Bashbunny in arming mode, as shown in the figure. If the device is in this mode, its filesystem will be accessible and the user can edit the Payloads as well as the config.txt.

File System

The filesystem is as shown below. Where config.txt is used to set the global configuration for all payloads like the language with the DUCKY_LANG EN. The payload.txt files contain the executed ducky script and bunny script commands for their corresponding switch position.

Bashbunny
 |- docs
 |   |- EULA, License, this readme.txt
 |   |- License
 |   |- readme.txt
 |
 |- languages
 |   |- HID languages that are placed here will installed at boot in arming mode.
 |
 |- loot
 |   |- Where the stolen date can be saved.
 |
 |- payloads
 |   |- extensions
 |   |   |- Additional Bunny Script commands/functions.
 |   |
 |   |- library
 |   |   |- Payloads backups.
 |   |
 |   |- switch1
 |   |   |- payload.txt
 |   |
 |   |- switch2
 |   |   |- payload.txt
 |   |
 |   |- arming
 |       |- payload.txt
 |
 | -config.txt  Global config script Sourced by all payloads

Bunny Script

Bunny Script is an simple easy to learn programming language with a small set of commands


COMMAND Description Example
ATTACKMODE Specifies the USB device or combination of devices to emulate. ATTACKMODE RNDIS_ETHERNET
DUCKY_LANG Set the HID Keyboard language DUCKY_LANG US
LED Control the RGB LED. Accepts color and pattern or payload state. LED SETUP
QUACK Injects keystrokes (ducky script) or specified ducky script file. QUACK STRING Hello World
Q Alias for QUACK Q STRING Hello World

Attack modes

The Bash Bunny can be used as many attack modes simultaneously, like an USB Rubber Ducky, LAN adapter, or storage device.

Attackmodes VID / PID (Vendor ID/Product ID)
SERIAL 0xF000 / 0xFF11
ECM_ETHERNET 0xF000 / 0xFF13
RNDIS_ETHERNET 0xF000 / 0xFF12
AUTO_ETHERNET
STORAGE 0xF000 / 0xFF10
HID 0xF000 / 0xFF01

SERIAL

Opens an serial console interface. This interface can be used to access the Bash Bunny and configure it or to perform an attack with it.

ECM ETHERNET

Ethernet Control Model (ECM) is an driver model for USB Ethernet adapter that work on Linux, Android and MAC

RNDIS ETHERNET

Remote Network Driver Interface Specification (RNDIS) is the proprietary counterpart devolved by Microsoft and work only on Windows 7 and newer machines.

AUTO ETHERNET

This Ethernet attack modes combines both by first trying to deploy an ECM Ethernet and if it is not successful changing to RNDIS.

STORAGE

The Storage attack mode let the Bash Bunny act as an USB Mass Storage (UMS). This method is manly used to transfer data to the victim device, like an image for an background change prank.

HID

Human Interface Device (HID) lets the Bash Bunny act as an self typing Keyboard also called USB Rubber Ducky.

Combinable Attack Modes

The Bash Bunny allows us to combine some of the attack modes, which combinations are valid is shown in the table below. The attack modes and their combinations can be changed multiple times during the attack with the bunny script.

Attackmodes VID / PID (Vendor ID/Product ID)
SERIAL STORAGE 0xF000 / 0xFFF0
HID SERIAL 0xF000 / 0xFF14
HID STORAGE 0xF000 / 0xFF02
HID RNDIS_ETHERNET 0xF000 / 0xFF03
HID ECM_ETHERNET 0xF000 / 0xFF04
HID STORAGE RNDIS_ETHERNET 0xF000 / 0xFF05
HID STORAGE ECM_ETHERNET 0xF000 / 0xFF06
SERIAL RNDIS_ETHERNET 0xF000 / 0xFF07
SERIAL ECM_ETHERNET 0xF000 / 0xFF08
STORAGE RNDIS_ETHERNET 0xF000 / 0xFF20
STORAGE ECM_ETHERNET 0xF000 / 0xFF21

LED

The bash bunny owns a RGB led to indicate the current status of the payload script. The status can be set via the LED <Colors> <Pattern> or the LED <Predefined State> command.

= LED Colors

COMMAND Description
R Red
G Green
B Blue
Y Yellow
C Cyan
M Magenta
W White

= LED Patterns

PATTERN Description
SOLID Default No blink. Used if pattern argument is ommitted
SLOW Symmetric 1000ms ON, 1000ms OFF, repeating
FAST Symmetric 100ms ON, 100ms OFF, repeating
VERYFAST Symmetric 10ms ON, 10ms OFF, repeating
SINGLE 1 100ms blink(s) ON followed by 1 second OFF, repeating
DOUBLE 2 100ms blink(s) ON followed by 1 second OFF, repeating
TRIPLE 3 100ms blink(s) ON followed by 1 second OFF, repeating
QUAD 4 100ms blink(s) ON followed by 1 second OFF, repeating
QUIN 5 100ms blink(s) ON followed by 1 second OFF, repeating
ISINGLE 1 100ms blink(s) OFF followed by 1 second ON, repeating
IDOUBLE 2 100ms blink(s) OFF followed by 1 second ON, repeating
ITRIPLE 3 100ms blink(s) OFF followed by 1 second ON, repeating
IQUAD 4 100ms blink(s) OFF followed by 1 second ON, repeating
IQUIN 5 100ms blink(s) OFF followed by 1 second ON, repeating
SUCCESS 1000ms VERYFAST blink followed by SOLID
1-10000 Custom value in ms for continuous symmetric blinking

Gain Access to the Bash Bunny

There are three main ways to gain access to the Bash Bunny:

  • from the File System
  • with an Serial Console Interface
  • with SSH
hostname root
password hak5bunny

Serial Console Interface

The Serial Console Interface can be used when the Bash Bunny is in attack mode. It is independent from the operating system but the ways are different.

Windows (Putty)

Putty is the best way t access serial consoles when working on an Windows machine. Just download it on the manufacturer website and install it and follow the steps.

Step 1:

Get the comport by entering

[Windows key] device manager [enter] 

Extend the "Ports (COM & LPT) line and search for the "USB Serial Device(COM..)"

LAN Turtle configuration shell interface

Step 2:

Open Putty and go to the Serial TAB and enter the following parameters:

Serial line to connect to COM..
Speed (baud) 115200
Data bits 8
Stop bits 1
Parity No
Flow control XON/XOFF

LAN Turtle configuration shell interface

Go back to the session tab and check "Serial" and Open the Connection

Linux

1. When using Linux it is preffered to use the package screen install it with

sudo apt-get install screen

2. Search for the device with

dmesg | grep tty
Output:
[195.328289] cdc_acm 1-1.1.2.3:2.0: ttyACM0: USB ACM device

3. Connect with the command

sudo screen /dev/ttyAMC0 115200

SSH

Set the bash bunny in attack mode (Switch at the nearest position to the USB connector) and plug it in. Enter the device and follow the path BashBunny/payloads/switch1 (switch 2 can be used as well)and edit the payload.txt file Windows Change the third line to

ATTACKMODE STORAGE RNDIS_ETHERNET

MAC and Linux Change the third line to

ATTACKMODE STORAGE ECM_ETHERNET   

The RNDIS_ETHERNET and ECM_ETHERNET are used to display the Bash Bunny as an USB Ethernet adapter. Windows uses for this adapters proprietary drivers so it is not compatible with the Ethernet Control Model (ECM).

Connect whit:

ssh root@172.16.64.1

Connect the Bash Bunny with your internet.

The deployed internet connection is for the preparation phase only. During the attack phase the Bash Bunny is able to deploy its own little network, which does not have an gateway to the internet. But the LAN can be used to connect the victim to an Server Message Block NAS server that runs on the Bash Bunny to copy data to the victim machine. The internet connection is mainly used for downloading Debian software repository.

Linux Hak5 published a shell script that guides you threw the process. It needs root privileges but only performs two iptables NAT entries. Due to the habits of the iptbales service all entries get deleted during an machine restart, if the are not saved with the iptables-persistent service. But the entered data gets saved in the script it self and connection can be rebuilt with one command.

wget bashbunny.com/bb.sh
pi@raspberrypi:~ $ sudo chmod +x ./bb.sh 
pi@raspberrypi:~ $ ./bb.sh 
This Bash Bunny Connection script requires root.


          _____  _____  _____  _____     _____  _____  _____  _____  __ __ 
(\___/)  | __  ||  _  ||   __||  |  |   | __  ||  |  ||   | ||   | ||  |  |
(='.'=)  | __ -||     ||__   ||     |   | __ -||  |  || | | || | | ||_   _|
(")_(")  |_____||__|__||_____||__|__|   |_____||_____||_|___||_|___|  |_|  
Bash Bunny by Hak5     USB Attack/Automation Platform                      
 v1

Saved Settings: Share Internet connection from eth0
to Bash Bunny at eth1 through default gateway 192.168.1.1

[C]onnect using saved settings
[G]uided setup (recommended)
[M]anual setup
[A]dvanced IP settings
[Q]uit

Make Sure that you unplug the Bash Bunny and press G to start the 3 step guided setup. Reconnect the Bash Bunny when step 3 demands it.

Bash Bunny detected. Please disconnect the Bash Bunny from
this computer and press any key to continue with guided setup.

Step 1 of 3: Select Default Gateway
Default gateway reported as 192.168.1.1
Use the above reported default gateway?             [Y/n]? Y

Step 2 of 3: Select Internet Interface
Internet interface reported as eth0
Use the above reported Internet interface?          [Y/n]? Y

Step 3 of 3: Select Bash Bunny Interface
Please connect the Bash Bunny to this computer.
................[Checking]
Detected Bash Bunny on interface eth1
Use the above detected Bash Bunny interface?    [Y/n]? Y

Settings saved.

Saved Settings: Share Internet connection from eth0
to Bash Bunny at eth1 through default gateway 192.168.1.1

[C]onnect using saved settings
[G]uided setup (recommended)
[M]anual setup
[A]dvanced IP settings
[Q]uit

Enter C to connect the Bash Bunny to the Internet

Detecting Bash Bunny.........found.

     _ .           ___         (\___/)
   (  _ )_  <-->  [___]  <-->  (='.'=)
 (_  _(_ ,)       \___\        (")_(")

Access the Bash Bunny with SSH and validate if the Bash Bunny hast access to the world wide web.

ssh root@172.16.64.1
root@172.16.64.1's password: 
           _____  _____  _____  _____     _____  _____  _____  _____  __ __ 
 (\___/)  | __  ||  _  ||   __||  |  |   | __  ||  |  ||   | ||   | ||  |  |
 (='.'=)  | __ -||     ||__   ||     |   | __ -||  |  || | | || | | ||_   _|
 (")_(")  |_____||__|__||_____||__|__|   |_____||_____||_|___||_|___|  |_|  
 Bash Bunny by Hak5     USB Attack/Automation Platform      

Last login: Fri Jun  5 01:16:09 2020 from 172.16.64.64
root@bunny:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=55 time=17.7 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=55 time=17.7 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=55 time=17.7 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=55 time=18.6 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 17.701/17.990/18.694/0.439 ms

Bunny Script

Todo Example Script

# Defines and creates the loot directory and filename
LOOTDIR='/root/udisk/loot/osscan'
mkdir -p $LOOTDIR
FILENAME="${LOOTDIR}/os.log"

# Setup Phase:
# Set Atackmode to Microsoft network adapter
LED SETUP
ATTACKMODE RNDIS_ETHERNET
# SGrab the targets ipaddress
GET TARGET_IP

# Logs the IP address and timestamps
echo Timestamp: `date +"%Y-%m-%d-%T"` > $FILENAME
echo Target IP: ${TARGET_IP} >> $FILENAME
echo "Starting Nmap Scan: " >> $FILENAME

# Attack Phase:
# Bash Bunny Performs an nmapt with OS guessing
LED STAGE1
nmap -O -- fuzzy $TARGET_IP >> $FILENAME
echo Timestamp: `date +"%Y-%m-%d-%T"` >> $FILENAME
LED FINISH

Used Hardware

Bash Bunny Plunder Bug

References

Category:Pentesting