Dropbox Exfiltration - Stealing files with Staged Powershell Payloads - Hak5 2505

  • Published: 27 Oct 2024

Comments • 92

  • @allenz0rzer 5 years ago +3

    I love your channel! I'm an elementary school teacher and I love to teach a bit of coding to my students. I have no idea on how to improve your payload, but I would be so happy to win. Have a great day!

  • @Fjpackard 5 years ago +8

    Loved this payload! Perhaps to expand on it you could grab the ncat exe or a metasploit payload from Dropbox and get a reverse shell.

    • @andybfmv96 5 years ago

      all you have to do is modify the exfil.ps1 to do whatever you want. I recommend making that and adding it to the github repo, sounds like a good idea.

  • @roguekin 5 years ago +1

    Wonderful execution! Is there a way to make sure the Run line is cleared afterward so as to hide any trace of what happened?

  • @jimcolabuchanan6579 5 years ago +1

    I am so happy about seeing this video and seeing my name on there!!!

  • @adonisberdion 5 years ago

    Love the idea of extracting web-tokens + browser save data + cookies

  • @bryanvetor4529 1 year ago

    Quick question. The payload.txt and the custom powershell script have to be placed on the same switch or different switches for both? I assume the latter? Beginner here, just learning!

  • @whyme8068 5 years ago +2

    An idea to make it better could be to scrub all traces of itself as well as any traces of it running (including shredding drive space, editing logs, etc.). Maybe a trace removal script to be used for other things as well.

    • @andrewober 5 years ago

      I'd at least like to know what to add to remove the first stage from the run box.

    • @ROBERT-ml7ml 5 years ago

      Impossible to "scrub". Said "scrub" will leave a digital footprint - Windows event logs, which are sent to the domain controller. So the only way would be to pwn the server as well.

  • @zikkthegreat 5 years ago

    Loved this! Especially because I've seen malware in the wild use Dropbox/GDrive/SkyDrive to exfil data. Delicious realism!

  • @hammer86_ 5 years ago

    Good stuff. I've avoided PowerShell up till now, but I could definitely use that "-w h" option.
    Are you ever gonna film in the studio anymore?

  • @gianluca.g 5 years ago

    I spotted a bug: the script will not work near midnight, especially if the folder to compress is large. To avoid the problem, call the time function only once and store the date in a variable.

  • @benf2484 5 years ago +2

    This will not work on my machine, I relocated the documents folder to: D:\documents so the powershell will compress the wrong documents folder on my machine. How would you be able to fix this and get the relocated folder instead?

    • @fuckyou1640 5 years ago

      Update your environment variables (USERPROFILE in particular) or change the first command to zip the correct documents folder.

  • @bbryce13 5 years ago

    Love this set of vids! When is the card game coming back to the shop? *EDIT* Never mind I just saw that it’s back in stock AND on sale! SCORE!

  • @dice511 5 years ago

    Would it be possible to set up a 2-stage payload on a locked computer where you enter your Bash Bunny and sort of 'boobytrap' the machine to execute a second payload on the detection of the unlocking of the machine ... where you would even have the second payload wait like 3600 seconds after the unlock?
    Polling the security log for event 4801 would make this possible; however, these are security events and therefore not visible to plain users.

  • @harjyots 1 year ago

    Is this Bash Bunny only, or is it similar for the Ducky?

  • @sleo5094 5 years ago

    How about connecting the Bash Bunny to an unlocked Android or iOS device with an OTG adapter? There are some hotkeys you can use to navigate around. Could you open the browser to a previously staged website on your own server which has an upload files option and upload some specific files from the device that way?

  • @ROBERT-ml7ml 5 years ago

    Rubber Ducky help - I copied and pasted Darren's exfiltrator payload and put it in the Duck Toolkit encoder and it won't work, I keep getting errors. I thought Darren said it would work "exactly" on the Rubber Ducky!? It keeps saying "quack not in language".

  • @pasqualescalise9704 5 years ago

    A cool way to expand it could be using a third stage, using a private disposable server so that the Dropbox information cannot be retrieved from logs.

  • @carlmillinder2704 5 years ago

    Wouldn't this fail if the size of the files that you're exfiltrating is larger than the free space on the victim drive?

  • @a.o.3523 5 years ago

    As a pen test:
    Can you encrypt the files on the Dropbox side and then replace theirs with the encrypted set? (Unable to open without key)

    • @bloxy3135 5 years ago

      A. O. I don't know about doing it on the Dropbox side, but you could tell it to just encrypt the files in the same directory, with a password. That would save the time of uploading and then downloading the encrypted version.
      I suppose it would be a two-pronged attack: one is uploading, the other is encrypting and deleting. I imagine it would have to be done one after the other, as the copying and deleting might finish quicker than the upload, therefore you'd not exfiltrate all the files. The encrypted files would have to be in a separate directory too, I imagine, otherwise you'd risk uploading the encrypted file?

  • @Redostrike 5 years ago

    You could edit the payload to search for files like password.txt or doc or something. In my years of checking customer computers I see a lot of files containing passwords. (Mostly on the desktop but sometimes hidden in other folders.)

  • @Pascal-0x90 5 years ago

    What about when using powershell or even terminal using the bash bunny ducky script, pulling self contained binaries or exe files so they can run on a computer that may be missing said files.

  • @mongrel_97 5 years ago

    Is keeping a text file with all my passwords on Dropbox a bad idea...?

  • @gaetboot 5 years ago

    Would it be possible to create a backdoor on which we can connect via something (like ssh or ftp) ?

  • @mcsehoski 5 years ago +1

    These payload videos are awesome and this one could be especially handy in a pen test, but I want some follow-up as to how we could secure against things like this running. The blue team side, as it were.

    • @jimcolabuchanan6579 5 years ago

      Yes, This is what I was thinking. This is a simple example that a customer can understand. Maybe do the desktop as well (I see people that put all their documents on the desktop). Show this to a CEO, In the back of his mind "oh crap, i put all my girlfriend's dirty pictures on my desktop, I better not pick up strange USB sticks, or leave somebody alone with my computer".

    • @mcsehoski 5 years ago

      So I guess to answer my own question, disabling power shell on endpoint devices would effectively kill these exploits. That could be done with group policy. Since the exfiltrated data isn’t being encrypted use of some sort of DLP product could also stop the data from getting off the network. So any suggestions on what Data Leak Prevention tools you all would use?

    • @bloxy3135 5 years ago

      Brian Hoskinson I suppose you could also enforce a Mac style keyboard detection system. If a non-Mac keyboard is plugged in to a Mac, it tries to run a set up or some alert box (as seen in previous videos). If your organisation only uses one type of keyboard you could essentially disallow any other manufacturer. However, if they’re close enough to plug in a USB, they’ll likely have known what keyboards are in use first and changed the firmware (as in previous videos).

  • @Pascal-0x90 5 years ago

    What if, when the script was run, there was persistence, so upon making the PowerShell script available on the system, after taking out the Bash Bunny, we allowed for constant updating of a specific folder over time? This way, if any new files popped up, they could be saved.

  • @hackerpro8116 5 years ago +2

    Can you try to make a payload that takes all online passwords and maybe store it on dropbox or send it via e-mail?

  • @anonymousj180 5 years ago

    If we're using a staged payload, could you download a second stage that would execute with a delay? On Linux you could add it as a cron job to run on the weekend when nobody is around to catch it; I don't know what to do for a Windows box though.

    • @bloxy3135 5 years ago

      James Baross, perhaps create a batch script that will create the scheduled task. Then download and execute the .bat file.

  • @DAVIDGREGORYKERR 5 years ago

    What about turning that script into an executable using SHC.

  • @nachoorozcog 5 years ago +4

    Can we try a payload with a nirsoft exe that takes credentials and may be stored on the memory USB or Dropbox, it would be great (For educational purposes) lol

    • @ramoncora331 5 years ago +3

      "For educational purposes"

    • @cyclotechtwister1997 5 years ago +1

      @lol - Lazy much? Been done if you took the time to research..."Script kiddie"

    • @nachoorozcog 5 years ago

      @@cyclotechtwister1997 Sorry bald and fat guy! I think I'm here to give contributions, learn and give ideas. BTW you should delete your vids, you look so finished and old.
      Regards. LOL

    • @CC-jt2uk 5 years ago

      @@nachoorozcog Ur a lil script kiddie, Uneducated button bashing child gtfo here.

  • @andrewwade8137 5 years ago +1

    How about exfiltrating their whole drive (cookies, password manager, browsing history, etc.), but just a piece at a time to fly under the radar...er, I mean, to not hog bandwidth? Gather the folder structure and from time to time use it to zip another folder and upload it.

    • @andybfmv96 5 years ago

      Compress-Archive in PowerShell is limited to 2 GB.

    • @andrewwade8137 5 years ago

      @@andybfmv96 - Does Compress-Archive respond to -whatif? Can it break up an archive into multiple files?

  • @jackexposer1212 5 years ago

    Can you please show us how to brute force a gate with the YARD Stick One using the de Bruijn sequence?
    I can't do it like garages; it works differently, I suppose.
    Greetings from RJ
    Holland

  • @ignaciocobian626 5 years ago

    Does this only work on Windows Vista?

  • @wolf-war-master 5 years ago

    How about making a payload that automatically sends files to your destination email via PowerShell or Command Prompt?

    • @examen1996 5 years ago

      You would need an SMTP server for that; big email providers continuously change their SMTP settings exactly to avoid such uses.

  • @jochenvanaelten16 5 years ago

    Best thing to do would be to execute a small ASM file that does the same thing instead of using PowerShell with so many params.

  • @caitylnroode5588 5 years ago

    Can you create a payload that stores all the passwords from Google Chrome and uploads them to an FTP server??

  • @OnlyKnowsGod 5 years ago

    What's happened to the studio and the nice lady?

  • @CODTALES-KILLSTREAKS 5 years ago +2

    Darren, my VM doesn't attach to the Bash Bunny. I tried this on Oracle and on VMware, on two machines. Maybe I'll hit up the Hak5 forum about this issue I'm having. Thanks!

    • @bobkmak3470 5 years ago +2

      Here's what I did with VirtualBox. I removed all payloads from switch 2, then plugged it in. I shut down my VM and set it up to automatically grab the Bash Bunny. Next time I plugged it in with switch 1 or 2, it worked.

    • @CODTALES-KILLSTREAKS 5 years ago

      K, I'll give it a go right now.

    • @johnpenguin9188 5 years ago

      Just try it on your friend's computer 🤪

  • @joestalin1337 5 years ago

    How about using Mimikatz or Kiwi to extract the user credentials along with that payload!

  • @lifeisaadventure9948 5 years ago

    OK, I know this video is about Dropbox, but I'm desperate for some advice here. I need to know how to get Wireshark to work on a Raspberry Pi 3 B+. Thanks in advance :-(

  • @__jonko_with_johnko__ 5 years ago

    So I can't get my .ps1 from Dropbox to run in PowerShell (solved). I am using a Malduino because I'm cheap and stuff, so I had to rewrite the command a bit; I had to remove a lot of the \\ but it works now. Though a lot of people have a really large Documents folder (more than 6 GB), and that will cause some problems: either it takes like 10 minutes or it doesn't even upload the zip file.

  • @oldaccount537 5 years ago +1

    7:26 someone deciding whether to interrupt filming lol...

  • @rooboy69 5 years ago

    Would be good to have no Run or PowerShell windows visible at any stage.

  • @daimonf777 1 year ago

    I made it step by step. Doesn't work :(

  • @alexandreperalta472 5 years ago +1

    Can you make the Bash Bunny install a keylogger?

  • @TheMaze305 5 years ago

    Love it!!!!

  • @eddiefoy3701 5 years ago

    Works well, as long as the victim is running PowerShell 5 or better (so Win10 or a non-standard tweaked Win7).

  • @__jonko_with_johnko__ 5 years ago

    Definitely gonna use this on my classmates and let them see what can happen if they leave their laptop unlocked and unattended ^^ There should be a removal of the process traces though.

    • @intoam 5 years ago

      Shhh! You're incriminating yourself -_-

    • @__jonko_with_johnko__ 5 years ago

      @@intoam It's okay if they give permission :3 They did, btw :3

  • @DiyintheGhetto 5 years ago

    My question is: do I need to have Dropbox installed to make this work?

  • @nickfriddell5145 5 years ago

    PowerShell, why you gotta look so ugly! Sweet video though. Enjoying the show format so far this season. Keep it up Darren and team!

  • @KaranSingh-eg4us 5 years ago

    How do you stop hair loss, brother?

  • @marijnvollenberg6822 5 years ago

    First at this amazing video!!

  • @Astinsan 5 years ago

    I want to know why RUclips has been cutting you from my feed?

  • @DP-jf8ut 5 years ago

    How can I download files from the victim?

    • @intoam 5 years ago

      Root their box and leech :^)

  • @morgulbrut 5 years ago

    This stuff could even run on an ATtiny, amazing.

  • @philipm1896 5 years ago

    Sweet.

  • @RobinAltoft 5 years ago

    I'd like to try this with Windows Credential Manager. I remember seeing somewhere that you can dump it to a CSV on an account with admin rights.
    *EDIT* - Just verified that it is possible, according to TechNet. Now to pull those RDP credentials...

    • @RobinAltoft 5 years ago

      Update: Obviously RDP creds are encrypted :/. Pulling the hashes may work, but pulling stored web passwords for websites works perfectly with the Get-Stored-Credential module.
      OR this small chunk of (not my) code:
      [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
      $vault = New-Object Windows.Security.Credentials.PasswordVault
      $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }

  • @CODTALES-KILLSTREAKS 5 years ago

    Whoop whoop

  • @thecybersec_guy 5 years ago

    It is easy to secure infrastructures against these kinds of attacks...
    Using AD GP and a proxy server (Blue Coat).

  • @wilfredreedman5683 5 years ago

    7:26 there are some legs outside the studio

  • @shadowflee2 5 years ago

    It would be nice to have an SD card slot on the Bunny :)

  • @RTBRuhan 5 years ago +1

    First

  • @root317 5 years ago

    You think this is cool? Me and my friend used Dropbox to fkin chat!! I would write stuff inside a .txt file, save it, then my friend would edit it and then save.... XD

    • @JohnDemetriou 5 years ago +1

      I used Dropbox to remotely download torrents from work to my home PC. Upload the .torrent file into a folder in Dropbox, a folder that uTorrent was monitoring. New movie, series episode or wtvr is up? Already downloaded by the time I am home. Then in my new job Dropbox was blocked, so I discovered RSS torrents.

    • @Pascal-0x90 5 years ago

      Using Google Docs to chat tho lmao

  • @idenytheholyspiritnothanks2435 5 years ago

    😂

  • @patrickgauthier5580 5 years ago

    docs.microsoft.com/en-us/windows/deployment/usmt/usmt-recognized-environment-variables
    There are some cool vars. You could build a stage that enumerates the user's profile and server info / other storage locations. We work with SharePoint and a lot of info is stored in the internet history. I think that would be a good thing to back up. ;-)