Bash Bunny: Windows Remote Shell using Metasploit & PowerShell

•March 27, 2017 • Leave a Comment

In this article, we will see how to use the Bash Bunny to get a full reverse shell on a Windows system using Kali Linux, PowerShell and the Metasploit Web Delivery module.

The USB Bash Bunny is the latest pentesting tool from Hak5. Using this advanced USB attack platform, you can easily perform multiple USB based attacks. The device normally emulates a keyboard and automatically sends typed commands through the USB port as soon as it is plugged in. The Bash Bunny is a programmable device that contains two separate attack modes and an arming mode.

The attack modes are set by a switch on the side. You can set up different scripts to fire whether the switch is in position 1 or 2. The arming position is for loading new scripts onto the device.

When you load an attack script on the device and plug it into the USB port, the script executes. In this case, it will make a Windows system call back to the Kali system and create a full Metasploit shell. The Metasploit shell is nice, because you have complete control over the target.

In Kali Linux, start Metasploit. We will use the Web Delivery script:

The module is pretty straight forward, we set the IP address and port for our Kali system, then select a PowerShell (PSH) based target, and lastly select the reverse TCP Meterpreter Shell. When the module runs, it will provide you with a rather lengthy PowerShell command.

We will take the PowerShell command and use it in our Bash Bunny script. Because the Bash Bunny does seem to parse some of the input, you will need to use a switch character to get it to properly execute the PowerShell command. I had to put a “\” in front of every special character.

The entire Bash Bunny Script:

The PowerShell command is a single line, it just wraps several lines in the picture above. The Q in front of the lines is short for Quack, as a reference to the Hak5 Rubber Ducky. Many of the Ducky scripts will work with the Bash Bunny with some modification.

Basically, the first line tells Bash Bunny to act like a keyboard (HID). The LED command turns the status led to Blue. “GUI R” are the commands needed to open a run prompt in Windows. The delays are so the Bash Bunny has time to type each line in, longer delays for longer commands. And that is it. When the command is done, the LED turns to green.

All that is needed is to save the script to one of the Bash Bunny Payload Switch directories. Then set the switch to the corresponding position and plug it into the target machine.

Shortly after the USB drive is inserted into the Windows PC, we get a remote shell:

After we connect to the session, we have a full Meterpreter shell and basically have full control of the remote system.

Here I just entered the command to pull a remote screenshot, and the resultant screenshot:

Bash Bunny is an exciting and fun tool for any security professional. Once you get the hang of using the device, modifying Rubber Ducky scripts or creating your own is very easy. With the flexibility of the Bash Bunny, the usage scenarios are pretty much limited only by your imagination, and an open USB port.

Hopefully this demonstrates the importance of physically securing your machines. Disable USB ports that are not needed, limit accounts to “User” level authentication, and enable/ monitor PowerShell logging.

(This article is for educational use only. Never try to access a computer that you do not have permission to access. Doing so is illegal (and unethical) and you may end up in jail.)

“Security Testing with Kali NetHunter” Book Overview

•January 18, 2017 • Leave a Comment

nethunter-front-coverMy latest book, “Security Testing with Kali NetHunter” is out! NetHunter brings the power of Kali Linux to supported Android devices.

In this blog post I will cover a quick overview of the book and why I wrote it. This book is the latest in my “Security Testing with Kali” series. If you like my Basic & Intermediate books, I think you will love this one!

I was working on writing a non-Kali based security book, when a good friend approached me and asked if I would create a 50-page quick guide to Kali NetHunter. Being a huge Kali Linux fan, I set my current writing project aside and immediately began on the NetHunter book.

I soon realized that even with trying to make this a quick coverage guide, 50 pages would not even begin to cover the capabilities of this exceptional platform. The ability to use it with wireless and USB based attacks, along with a complement of the normal Kali Linux tools, really makes NetHunter a robust and feature rich device. Add in the fact that it all runs on a small mobile platform and you really have a winner.

To spend the most book time on usage tutorials, with the thought of new devices and platforms at some point being added to the NetHunter supported list, I start the book from the point of a fully installed NetHunter device. Though, I do give an overview of the install process.

This book uses the exact same lab setup as the other books in my Kali series. So, if you already have the lab setup from these books, you just need to connect your NetHunter device to your wireless router.

The book assumes that you already have a level of comfortability with using Kali Linux and have experience connecting to your mobile device using Linux or Windows. From a difficulty level, I would say that this book would fit between my Basic & Intermediate Kali books.

NetHunter includes a couple Android based security tools and a graphical “NetHunter” menu. The book steps you through the Android based attack tools and then goes through each NetHunter menu item as they appear.

Several menu items have an entire chapter devoted to itself.  With the step-by-step tutorials, you can see how the tools work, many times using the tool against our test lab systems.

Along with the NetHunter menu, more experienced users will probably prefer to use many of the Kali tools directly from the terminal prompt. NetHunter uses a slightly reduced install of Kali Linux. You can however install other Kali Metapackages if you wish.

The book topics include:

  • Kali NetHunter Introduction and Overview
  • Shodan App (the “Hacker’s Google”)
  • Using cSploit & DriveDroid
  • Using NetHunter in Human Interface Device Attacks
  • Man-in-the-Middle Attacks
  • Wi-Fi Attacks
  • Metasploit Payload Generator
  • Using NetHunter with a WiFi Pineapple Nano

For the book tutorials, you will need a supported device with NetHunter installed, a host system to run VMWare images, and a supported USB WiFi adapter (I used a TP-Link TL-WN722N).  If you want to follow through the Pineapple Connector chapter you will also need a Hak5 Pineapple Nano.

If you enjoyed my previous books, I think you will really like this one.

Check it out on Amazon.com

 

 

 

 

 

ProtonMail Artifacts from Memory Dump

•August 28, 2016 • Leave a Comment

“Physical Access = Total Access”. In this post we will take a quick look at pulling ProtonMail artifacts from a Windows 10 process memory dump.

It’s been a very long time since I have posted on my blog. I have been very busy with a couple new book writing projects, but I have missed doing regular blog posts. Ran into this today and thought it would be a good post to hopefully get back on the blogging horse. Let me say before we get started that I am a big ProtonMail fan, and highly recommend it. I am not breaking their encryption or anything fancy like that, just simply pulling artifacts that belong to a ProtonMail session out of the computer’s memory.

Last year I covered how to pull Word documents out of Windows memory using a remote Kali Linux shell.  Using the same techniques and tools covered in that article you can do the same to recover ProtonMail artifacts.

As a test I crafted an e-mail using text from the Boba Fett Wikipedia entry. I figured the word “Boba” would make a good canary, a word that would be easily found in the memory dump.

The test e-mail looked like this in ProtonMail:

Bobba Fett Test 1

I then performed a memory dump on the Firefox process:

  • The “tasklist” command returned the Firefox process ID
  • Then, “procdump64 -ma [Process ID or you can just use ‘firefox.exe’] mem_dump_filename
  • And then, “strings64 mem_dump_filename.dmp > Protonmail.txt

The procdump command copies memory in use by the Firefox process to a file. The resultant file is very large, so the strings command is used to pull text strings out of the dump and save them to a much smaller file called “Protonmail.txt”.

I then manually searched through the resultant .txt file for artifacts.

I found the source e-mail address, and the e-mail subject. A little farther down I found the entire e-mail text as seen below:

Bobba Fett Test 2Comparing the two images you can see that the entire e-mail text was recovered from the memory dump. I was also able to view the contents of every e-mail that was opened during the session (not shown) and most, if not all e-mail contacts that I have in ProtonMail.

This shows that if you have physical access to a system, you could recover ProtonMail artifacts including entire messages from a memory dump. The moral of this story, as a Linux guru once told me – “physical access equals total access”. If you have physical access (including remote access) to a system, you can recover many interesting things from system memory. That is why it is important to secure physical access to your systems.

If you enjoyed this article, check out my book, “Intermediate Security Testing with Kali Linux 2” which has an entire section on performing Forensics with Kali Linux.

 

 

DNS Spoofing with Nethunter, cSploit & Kali Linux

•May 28, 2016 • Leave a Comment

Kali Nethunter cSploit 1

How cool would it be as a pentester to walk around a target company, with only your smartphone, and divert individual systems surfing the web to an outside Kali Linux system you have setup that is just waiting for incoming connections. With Kali Nethunter you could!

Using Kali Nethunter & cSploit on your Android phone, you can fairly easily perform a Man-in-the-Middle attack on target systems. Of course you can do all the normal MitM type attacks but what is nice is that you can also do DNS spoofing. This would allow you to divert a system surfing the web (without ever physically touching the target) to a different website.

Well, what if that different website was a Kali Linux system running Social Engineering attacks?

Introduction

If you haven’t played with Nethunter yet, it is one of the coolest things since sliced bread. Nethunter is an adaptation of the most excellent Kali Linux penetration testing platform re-invented for use on smartphones.

As always, it is illegal to attempt to access or modify a system that you do not have express written permission to do so. Doing so could get you into serious legal trouble and you could end up in jail.

Though DNS spoofing attacks are not new, it is just so easy to do them with Nethunter. And as this could be easily misused, I will not show all the steps in this process, only show how the attack could be set up.

Also, I will not show how Nethunter is installed. If you install Nethunter on your phone, you do so at your own risk. Installing Nethunter involves wiping your phone, installing new and custom firmware and rooting it. As with modifying any smartphone, there is a possibility that the phone could be bricked in the process, turning your favorite phone into an expensive drink coaster.

Three systems will be used in this article – The smartphone running Nethunter, a test target system running Windows 7 and a third computer running Kali Linux.

Kali Nethunter cSploit 2

All right, enough talk, let’s get to it!

Using Nethunter

When Nethunter boots up it looks like any other Android phone, other than the epic Kali booting screen that is. Kali Nethunter installs multiple tools found in a regular Kali Linux install and presents you with a nice menu system under the “Nethunter” icon:

Kali Nethunter cSploit 3

There are some great tools here like “HID attacks”. This allows you to turn your phone into an evil USB keyboard that actually types commands on the target system when your phone is connected. There is also the MITM Framework which allows you to do more advanced MITM attacks than we will cover today. Of course you can also run Nmap scans, start Kali Services and several other things.

Don’t forget as well, that you have many of the Kali tools installed in the file system itself, so you can open a terminal and run them just as you would on a regular Kali system.

MitM DNS Spoofing with cSploit

Along with the Kali tools, Nethunter also installs several additional tools that are very helpful to a penetration tester including cSploit. cSploit is probably the fastest way on the phone to scan a connected network and perform basic attacks, including MitM.

Just tap the cSploit icon to start the application.  It will immediately perform an extremely quick scan of all systems connected to the network. You will then be shown a list of all the network devices along with their name, MAC & IP addresses along with how many ports were detected on each device.

Clicking an individual target will give you a list of scans and attacks that can be run against the target:

Nethunter Csploit

Trace and port scanner are self-explanatory. Service inspector runs an indepth scan with service detection. Once this is done, you can then click the “Exploit Finder” button to try to find exploit for any vulnerabilities found during the Service inspection.

Let’s take a look at the MITM attacks:

Nethunter Csploit 2

We can use the DNS spoofing button to redirect the target system to a system we control. Once you click the “DNS Spoofing” button you will be presented with an Ettercap config screen. Simply set the Domain name you want to the IP address that you want it to actually point to.

For example, if we want the target to go to our separate Kali Linux system that we have, we would just put in its IP address. As “microsoft.com” is already added in the config file as an example, we just need to modify the IP address. So if our Kali Linux system was running at 192.168.1.39 then we would modify the Ettercap config screen to look something like this:

 

Ettercap DNS config 1

When Finished:

  • Just click, “SAVE”
  • And then click, “START”

And that is it. cSploit will start the MITM attack and set the Microsoft DNS entry on that target system to point to our Kali Linux box.

On the Kali Linux system, start the Social Engineering Toolkit, and then step through the web attack menu having it clone the Microsoft website.

And then when the target system opens their internet browser and types in “microsoft.com”, they will indeed see this:

Microsoft webpage

But they will actually be connected to the Kali Linux system and be shown the cloned Microsoft website from the Social Engineering Toolkit.

If they click on any links they will get errors as SET does not clone the entire website. But the gist here is that we used our phone to redirect a user to a third system that could be hypothetically anywhere running a program that, when set up properly, could grab any text or credentials entered.

Conclusion

DNS spoofing will not work on all websites, and MitM attacks do not work at every location. But this could work out very well for a penetration tester in some circumstances. They could set up a cloned copy of a website (maybe the target system’s corporate website) on an offsite computer. Then just take their phone into the building, connecting to an open network port or the corporate Wi-Fi, and re-direct individual systems to the outside box for the win.

The best defense against Man-in-the-Middle attacks are to protect your physical network. Use complex passwords for your Wireless networks, disable or protect open & unused network ports, and segment your network when possible. DNS attacks will usually not work against websites using SSL (HTTPS), also they do not work well against websites that are hosted on a server that hosts multiple websites.

If you want to learn more about Kali Linux and Social Engineering attacks, check out my Kali Tutorial books on Amazon.com.