Concealed Exfiltration with the Bash Bunny - Hak5 2202 [Cyber Security Education]

No video

Concealed Exfiltration with the Bash Bunny - Hak5 2202 [Cyber Security Education]

Рет қаралды 102,519

Күн бұрын

Hak5 -- Cyber Security Education, Inspiration, News & Community since 2005:
____________________________________________
An educational look at cyber security, this time on Hak5:
Check out the SMB Exfiltrator payload from the Bash Bunny github:
github.com/hak...
Bash Bunny: www.bashbunny.com
Hack Across The Planet: www.hackacrosst...
-------------------------------
Shop: www.hakshop.com
Support: / threatwire
Subscribe: / hak5
Our Site: www.hak5.org
Contact Us: / hak5
Threat Wire RSS: shannonmorse.p...
Threat Wire iTunes: itunes.apple.c...
------------------------------
~-~~-~~~-~~-~
Please watch: "Bash Bunny Primer - Hak5 2225"
• Bash Bunny Primer - Ha...
~-~~-~~~-~~-~
____________________________________________
Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning educational podcasts, leading pentest gear, and inclusive community - where all hackers belong.

Пікірлер: 207

@DarrenKitchen 7 жыл бұрын

Hopping on this Bash Bunny video ;-)

@akbarrmd7714 7 жыл бұрын

Darren Kitchen are you in indonesia right now?

@akbarrmd7714 7 жыл бұрын

Darren Kitchen thats indonesian kindness for you. welcome to indonesia darren

@FredHilbert 7 жыл бұрын

Hi Darren, great demo and explication, as usual. But why subtitles are not activated under your videos? Me and some friends we would like to subtitle some of your video in French.

@freecode.ai- 7 жыл бұрын

Darren Kitchen I have been watching since day one, I just want to say thanks for all the hard work and dedication. I have learned so much and still learn everyday. Totally digging the urban pop sound beats and scenic cut aways. Totally reminds me of another famous KZfaq channel.

@tehtron 7 жыл бұрын

Wouldn't their be audit logs in windows to show a connection being made to SMB server/client?

@f35t3r6 7 жыл бұрын

Love the Hackers quote in there.... And glad to see you are feeling better!!

@olliversmith8261 7 жыл бұрын

I find it awesome that Darren would take his time to read and respond to these comments. Thanks for being such a good host Darren!

@connerallen642 6 жыл бұрын

Really clear way of explaining things, these v-logs are pretty helpful. Definitely would like to see more. Changing the flashing color of the bash bunny was a really nice additition, well done. Thanks

@alxhotel 7 жыл бұрын

We need more hak5darren vlogs :)

@ladykilla85 7 жыл бұрын

Why not -windowstyle hidden instead of -windowstyle minimized?

@rubenbest1 7 жыл бұрын

Lee Young I love hidden PowerShell.

@hak5 7 жыл бұрын

This is exactly the kind of community development I'm talking about! I just tested and you're right -- the hidden WindowStyle works BEAUTIFULLY! Now there's even less visual impact on the system while the documents are being liberated ^_^ Surrealalucard sent a pull request to the git repo making just this change :) Thanks! ~Darren

@ladykilla85 7 жыл бұрын

No problem at all. Keep the quality videos coming. Enjoy them all! Enoyed the new format of this one as well.

@PassFissn 7 жыл бұрын

It's a funny business concept you got on these products not really open source but need help from who ever These script containers are pretty pricey

@007order007 7 жыл бұрын

If you use -windowstyle hidden in powershell the window doesn't show up at all, rather than minimized

@sleepyxuras91 7 жыл бұрын

Beautiful video editing on this video, really enjoyed it not been in studio but just wondering around blogging with really good examples. Thanks!

@DarrenKitchen 7 жыл бұрын

Glad you liked. This is what I'll be doing for a while :)

@johnfavalorojr.4169 7 жыл бұрын

In theory, Pineapple + Bunny = Max Pwnage for Windows Boxes? I'm coining it Hawaiian Rabbit. Shakka Brah! :D

@vhcxhbvg 7 жыл бұрын

can someone tell me what I need to start working with a bash bunny? I have a window PC and some background in Excel and Access lol

@johnfavalorojr.4169 7 жыл бұрын

Brett Tickell Not to sound cliche, but curiosity and interest is all it takes. The rest is up to you.

@TurtleSauceGaming 6 жыл бұрын

How exactly do you mean to use them together?

@peregrinusoblivione4967 6 жыл бұрын

What is the point of staying with Windows? You obviously know enough about computers to use linux effectively. Unless you bought 145 dollars of hacking gear for no reason. :P I suppose i can see it if youre big gamer. But id rather rely on a bunch pf people making software out of the love for it than a gigantic corporation always in my computer. But to each their own. Just keep your notepad++ payloads off my hard drive. ;P

@TurtleSauceGaming 6 жыл бұрын

I think he means against Windows. Personally, I have a linux live usb for pen testing and data recovery (super easy to get into a hdd w/ corrupted boot drive, rather than taking it out). I use windows because I game a lot, do A/V editing, and, like my reason for using vegas over premiere, I'm far more used to it, and can work quick in windows, but not linux.

@thecalabiyaumanifold 7 жыл бұрын

how many times did you crash your computer forgetting to exit loops?

@DarrenKitchen 7 жыл бұрын

Surprisingly none. I did forget to put an exit statement after the robocopy and ended up exfiltrating the PDF files from my Documents folder to the Bash Bunny a few hundred times ;-) Ahh that moment of "Oh crap!" ^C ^C ^C ^C ^C

@andybarr2406 7 жыл бұрын

Is the git repository updated or is it still flawed, just before I fill up my bunny

@s379Ox 7 жыл бұрын

Very informative video thank you! Loved the 'Hackers' reference!!

@NateCrownwell 7 жыл бұрын

what happens if the rabbit is in arming mode and don't take the bunny out and switch it to attack mode?

@techreflection1749 7 жыл бұрын

2:08 Oh Hai!

@christianhernandez4573 6 жыл бұрын

Thank you so much for your contribution your tutorials are amazing

@tzisorey 7 жыл бұрын

Sorry, I really don't get why you're specifying the guest/guest creds in the NET USE command. If the SMBServer/impacket will accept any credentials, why specify guest/guest? Omitting those arguments will still work, it just sends through the current users creds. I know it only saves a dozen characters. Or is there a benefit I'm not thinking of. Also, Robocopy

@DarrenKitchen 7 жыл бұрын

I haven't fully debugged it. I was surprised that smbserver.py wasn't accepting connections without credentials too. It'll accept any credentials you give it - but that means caching them on the Windows host side. I have a feeling a proper samba server running on the Bash Bunny might be more robust. Thanks for the tip on Robocopy. /MT[:n] : Multithreaded copying, n = no. of threads to use (1-128) # default = 8 threads, not compatible with /IPG and /EFSRAW

@supersciencounet 7 жыл бұрын

it's 1970, not 1960 :) man date says: "%s seconds since 1970-01-01 00:00:00 UTC" Thanks for this video, very cool payload !!!!

@scottluker4337 7 жыл бұрын

This was a great episode

@JoeMorrison 7 жыл бұрын

Thinking about document exfiltration, can the BashBunny emulate a USB printer, either as a generic printer or some form of HP laser printer. If it can make itself the default printer it could be days before people notice that they didn't just select the wrong printer when printing corporate documents.

@therealalanlee 7 жыл бұрын

People in corporate env. are more aware than you think. Most users are going to fix the default printer, and not send anything to your printer, as they don't know what it is, so they aren't going to remove it. The other thing is, if the printer they print to isn't printing docs, here comes IT to the rescue.

@DarrenKitchen 7 жыл бұрын

Funny you should mention. Have already been working on the payload. Film at 11

@whalespotter8085 7 жыл бұрын

For people on the cheap, this can all be done on a rpi zero(and/or W). Keep in mind the boot time of the rpi0 is much slower, around 30 seconds. So you will need to bring your social engineering distraction A-Game

@DaWeknd 7 ай бұрын

Using these payloads wouldn’t edr or amsi detect bash bunny as a hacking device ?

@elypelowski5670 7 жыл бұрын

Unix time (also known as POSIX time or epoch time) is a system for describing instants in time, defined as the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC), Thursday, 1 January 1970

@DarrenKitchen 7 жыл бұрын

Dangit! 1970, not sometime in the 60s. So close! ^_^

@TheFinalMB 7 жыл бұрын

Hackers quote, heard acknowledged and heart warmed :p also love the attack, simple and useful and shows off the bunny's skills nicely :)

@bobkmak3470 7 жыл бұрын

You should do a video show casing some payloads from the repo!

@daviana.4160 7 жыл бұрын

Bob Kmak Yes!!

@DarrenKitchen 7 жыл бұрын

Planning on it :)

@katherineservheen582 7 жыл бұрын

If you want to detect when the copying is done, you could pipe the output of the smb server to a FIFO and then grep through it for a disconnect message...

@freecode.ai- 7 жыл бұрын

Did you update notepad ++ to resolve the CIA zero day? lol

@cybercat1531 7 жыл бұрын

No the CIA updated it for him ;)

@DarrenKitchen 7 жыл бұрын

In Soviet Russia, Notepad++ updates YOU!

@isaaccool3183 6 жыл бұрын

Darren Kitchen in hacker world notepad++ updates Soviet Russia

@peregrinusoblivione4967 6 жыл бұрын

@@isaaccool3183 Ayyyyyy

@larsbrentzen5546 7 жыл бұрын

If you wanted to save a little space you could use 10.0.0.1 which compresses to 10.1, \\10.1\share works in cmd and so on. Might overlap the PCs subnet tho.

@JAFOpty 7 жыл бұрын

Darren, an unrelated question, what antivirus/malware are you using in windows?

@woofiewill 7 жыл бұрын

Great! One little error though... When adding light, red and blue makes magenta, not purple ;)

@thenetimp 7 жыл бұрын

Hey Darren, not sure if you're aware of the TV Show "Blacklist" Plugging and showing the USB Rubber Ducky on Season 4 Episode 6. Thought I would clue you guys into it. :-D

@lovepontuskn 7 жыл бұрын

Nice vid as always

@HackMyControlSystem 7 жыл бұрын

Thanks to Darren and thanks for PowerShell script logging. #BlueTeam

@chuxxsss 7 жыл бұрын

I through you where in Malaysia first Darren. But you are in Indonesia only a island away.

@metrix7986 7 жыл бұрын

Thx For inspiration ever since I found your channel I have been working on my own script wich is still in development but it currently can tell you about possible ways to payload the PC and shows Wi-FI, Desktop info, Firewall and a bit more I will be developing a settings menu and a bit more will publish project in some weeks. It all works through the duck using batch as the main target

@alexryder4331 7 жыл бұрын

2 questions. 1 what about file time stamps on the victim computers logs? Could we set up a time stomp like in meterpreter? 2 Is it possible to merge some of the functionality of Kali Linux with the bash bunny? Or evn replace bash bunny OS with kali and port it's functions over?

@pmc3027 7 жыл бұрын

i like how he explains what a while loop is because he knows everyone who buys the bash bunny is a script kiddie

@beelover6410 7 жыл бұрын

Hey, I'm trying to get into coding and using the ducky, but I can't find a good tutorial for people trying to learn. Can you help?

@jakobluts8463 5 жыл бұрын

You don't need any coding experience for ducky lmai

@3117master 7 жыл бұрын

Hey Darren just curious what distribution do you use? and why do you like it?

@DarrenKitchen 7 жыл бұрын

Whatever the latest Ubuntu LTS is because I find the most mainstream support. Otherwise, Kali has a lot of good tools pre-installed.

@LeviDurham 7 жыл бұрын

Unix epoch is 1 Jan 1970 00:00:00. You stand corrected.

@discipionidiscipioni9524 6 жыл бұрын

Hey... I ran the USB Exfiltrator payload on my Win10 home computer and when I took the drive to my kali box to see what I got... It said the bunny was read only and I couldn't move files or delete them or modify payloads. I've followed the instructions to fix the bunny on the forums (the restore process) and upon finishing (red blue flash goes to happy blue blink) it was still read only. Did I brick my bunny? I've only had it for 3 days!

@darkfire2703 7 жыл бұрын

How about this as a way to find out when it is done: Run a programm on the bash bunny that uses a raw ICMP socket to listen for a custom ping. And on the windows side just add the according ping command at the end of the Powershell line. Such a programm would only be a few lines in for example Go. This might be overkill, but it would be a pretty solid and way.

@synthx3058 7 жыл бұрын

at 2:08 anyone else notice the woman wave to the camera behind his right shoulder? LOL

@joeltyler3427 7 жыл бұрын

What is this white guy talking about?

@TechnomancerTheWise 7 жыл бұрын

how do you compensate for the 2gb ssd?

@marfnl2 7 жыл бұрын

im wondering i know you can magicly make usb 100TB aka fake chinise usb's but coud you do that with files. or make a file inposible / scruw up a file transfers. I think you get were im going with this. best case it woud fill up the drive as soon as its trying to coppy the file. or it shoud at least get the code to hang on file transfers. yes you coud make a .jpg 50gig but that woud hinder you. maybe a tool that works like a vm HDD just exspands and contracts wene needed. but than make fake files and junk and cleans it wene you use more space.

@fleecky7011 5 жыл бұрын

Stfu with your grammar and spelling dude it's horrible

@millerh4500 5 жыл бұрын

7:40 "We're doing a while-true" Every AP computer science teacher on the earth: AAAAAAAAAAAAAAAAAAAAAA

@haxhxm841 7 жыл бұрын

I wish if possible we all can use multi desktop feature to make it more "silent" because application will run in the second desktop or if the user has multiple screen set not to duplicate the script is run on the alternative screen

@gonespral 7 жыл бұрын

why not detect the OS over the bash bunny's network, then execute the payload according to the operating system

@jackphillips1953 7 жыл бұрын

How about doing a video to block some of these Hacks occasionally ?

@Feuermagier1337 7 жыл бұрын

Jack Phillips Lock your Computer while away.

@eviltonanimations4322 7 жыл бұрын

Valentin Metz and then they can get your password using the bunny.

@socalgeek93 7 жыл бұрын

your link is to your github is not working its 404 ing thought you might need to know this.

@itsSmc128 7 жыл бұрын

Does the target computer need to be unlocked for this payload to run?

@DarrenKitchen 7 жыл бұрын

Yes, however there's potential for a similar attack spoofing a backup server that wouldn't require the machine to be unlocked. Of course, this would require a lot of prior knowledge of the environment and would be specific to each organization -- if they automate network backups at all.

@conway642 7 жыл бұрын

Hey! I just heard about Intel ME and Intel AMT, is there any way that BadUSB/RubberDucky/BashBunny could use a HID attack to exploit them? Especially consumer computers, where the default password is "admin", and ME/AMT doesn't seem to be a popular topic. Thanks!

@conway642 7 жыл бұрын

ps currently a lowly script kiddy, just had a thought. I'm looking into pentesting tho, it would be an awesome career!

@olliversmith8261 7 жыл бұрын

Ashton Powell That's okay, we were all beginners at some point and your not a skiddie unless you just don't want to learn. But you seem like you really do so the correct word would be neophyte. Keep trying to learn and you'll get better! And yes any new computer part is going to have vulnerabilities and a whole bunch of zero-days to go with them.

@conway642 7 жыл бұрын

Thanks! really motivational!

@alikamran3782 7 жыл бұрын

I have a question for you Sir! I am new to Linux i was wondering what if my bash bunny OS crashes? How do i install a new one? Same as we do on a traditional laptop? Or the bash bunny linux OS is smaller in size designed to sit well for bash bunny?? @Darren Kitchen

@DarrenKitchen 7 жыл бұрын

There's a recovery partition on the Bash Bunny that gets booted from in the event that it fails to properly boot 3 times. This recovery partition will automatically restore the root file system to a known working state, and will facilitate updates to future versions. Upgrading the Bash Bunny OS is a matter of copying over a firmware file to the mass storage partition, which we will be providing.

@mpeugeot 7 жыл бұрын

Interstitial, is it fancy pants word day? Thursday ain't until tomorrow... LOL

@pulkitsoni772 7 жыл бұрын

i tried to copy file to my pen drive but it shows access denied in Windows 7 Any Suggestions??

@anteconfig5391 5 жыл бұрын

Where can I find me one of these "Bash Bunny's" I've been hearing about?

@Anonymouspock 7 жыл бұрын

You could move the if conditional into the while conditional and save some bytes (and redundant statements).

@DarrenKitchen 7 жыл бұрын

True, and with the right aliases I might have enough characters left over to add in the registry cleanup. Run dialog caps out at 260 sadly :(

@Anonymouspock 7 жыл бұрын

Darren Kitchen I'm sure it's possible. Just use enough aliases such as rm and wildcards and it can be done.

@michaeltimmerman2130 7 жыл бұрын

github.com/hak5/bashbunny-payloads/pull/105

@Tea-Spin 7 жыл бұрын

Come to Yogyakarta if you want more cultural tour, and it is less busy than Jakarta(well, not in the city tho)

@harrylopez1576 6 жыл бұрын

On the payload can u add more than one file source..pdf,exe etc

@FuzzyLitchi 7 жыл бұрын

couldn't you do "while ( -Not Test-Connection 172.16.64.1 -count 1 -quiet) {}; rest of code here" and then save around 14 charaters?

@DarrenKitchen 7 жыл бұрын

Yes! I'd say submit a pull request, but I may just make the easy fix. Thanks! ^_^

@FuzzyLitchi 7 жыл бұрын

Okay, sorry for replying late the comments were acting weird last time :)

@paix8577 7 жыл бұрын

If not where can I find out?

@ww3586 7 жыл бұрын

540 wat laptop r u using

@mr.holmes4149 7 жыл бұрын

Awesome!

@Canadian789119 7 жыл бұрын

This is impressive. Ah Powershell is an attack surface ^^ No doubt

@DarrenKitchen 7 жыл бұрын

This could also be done with CMD ;-)

@-a6833 7 жыл бұрын

Wouldn't -windowstyle hidden be better in most cases?

@SupaSwagdeskKILLTHEHUMANZ 7 жыл бұрын

Is it possible to do this type of attack with a RPI?

@raymondrizzuto7997 7 жыл бұрын

Could you have the powershell do a net use /delete after the copy, and detect the disconnect in bash script as the termination condition?

@DarrenKitchen 7 жыл бұрын

Not a bad idea. Another point out creating a completed file to indicate to the Bash Bunny that the file transfer is done. I think that method will probably be faster overall.

@raymondrizzuto7997 7 жыл бұрын

The issue with a sentinel file is that if the collection contains an identical file, the script would terminate early. Of course, you can make that less likely by having the sentinel file have some specific marker content that you check for.

@muhammadrizki8428 7 жыл бұрын

Jakarta @hak5 indonesia ?

@mrdroid3000 5 жыл бұрын

Will this work if the user is logged off?

@WA4OSH 7 жыл бұрын

Deja Vu with all those kitties ... are you sure you're not in the Matrix? ;)

@tempest_dawn 7 жыл бұрын

Hak5's latest cat video.

@miguel1waterpolo1guy 7 жыл бұрын

So does the bash bunny function similar to the pinapple? How are they different

@DarrenKitchen 7 жыл бұрын

They're completely different animals. One is a rogue access point platform, the other is a physical access pentest tool. I'd say they're apples and organges, but they're pineapples and bunnies.

@miguel1waterpolo1guy 7 жыл бұрын

Does the Bunny act as a network as well?

@tehtron 7 жыл бұрын

2:06 Someone waving in the background

@remocrapstuff5414 7 жыл бұрын

Where was that!? It looks amazing 😉!!!!

@DimusTech 7 жыл бұрын

why do you use powershell -windowstyle minimize ? First of all, you can use powershell -w minimize and second, you can also use hidden so it won't show at all (you will see it only from task manager)

@Jarred_Anae 7 жыл бұрын

You're dressed liked a gangster Crip with those blue colours lol. be careful you could get mistaken for one.

@hamzaibrahim3320 6 жыл бұрын

lol

@bio8333 7 жыл бұрын

could you set the led R R G to make orange or something like that? and if not is there anyway to make a color like orange?

@DarrenKitchen 7 жыл бұрын

You can make Yellow/Amber - but not Orange. The available colors are Red, Green, Blue, Amber, Purple and White.

@bio8333 7 жыл бұрын

Darren Kitchen thanks

@PosiP 7 жыл бұрын

DK how many BB have you sold?

@paix8577 7 жыл бұрын

When you bash bunny will it's Manuel tell you what any of what ur saying means?

@philipm1896 7 жыл бұрын

you the man

@cryptofiend2731 6 жыл бұрын

Whats with a ll blue swag

@brian.illusion 4 жыл бұрын

Is it still working in 2020? With Win10?

@soulife8383 3 жыл бұрын

I got a brand new printer with smb and windows won't connect to it because "smb is disabled". When I try to enable it windows fights back stating it's insecure. I'm sure I could force enable it but tldr windows no longer uses samba

@TechnomancerTheWise 7 жыл бұрын

gotta get one

@concisejellyfish 6 жыл бұрын

You can also remove the windows explorer folder path history via HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

@over00lordunknown12 7 жыл бұрын

Anyone else find yourself staring at the reflection of his selfie stick in his sunglasses? :P

@ukaszMarianszki 7 жыл бұрын

i luv cats :D

@eleanorhathaway927 7 жыл бұрын

whoop, hope your feeling better? oh and check out mobaxterm as a replacement for putty.

@FredHilbert 7 жыл бұрын

Mobaxtrem is a fantastic find. Thanks to you

@sonarexile 7 жыл бұрын

I see that the bash bunny depends on starting the run command to be able to begin doing its thing. Could it be stopped by disabling the windows run command with a simple registry edit like: REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

@DarrenKitchen 7 жыл бұрын

Sure, but then the delivery mechanism could be changed to initiate powershell from the start menu instead of the run dialog. Alternatively the stager can be written in CMD if powershell if disabled.

@marioyoku43 7 жыл бұрын

wait. you're in Jakarta ? where can I meet you sensei ? :D

@firmansetiawan7990 7 жыл бұрын

oh you in indonesia?? is blow my mind where are you bali??

@TechnomancerTheWise 7 жыл бұрын

nice

@KielEire 3 жыл бұрын

00:00:00 UTC Jan 1, 1970 Unix Epoch

@aortizc82 7 жыл бұрын

"You have been exfiltrated!"

@gustavow3690 7 жыл бұрын

Just curious, How can this type of bash bunny or rubber ducky attack be classified? some kind of social engineering, phishing(OS is being deceived)?

@DarrenKitchen 7 жыл бұрын

Social Engineering is one method for deployment. The first stage (HID) uses a Keystroke Injection attack. The second stage (Ethernet) uses a Pocket Network attack. All together? I'd say the best term would be a Physical Access attack.

@joeltyler3427 7 жыл бұрын

Or through a window!

@gustavow3690 7 жыл бұрын

Thanks, you're awesome!