WEBVTT

00:00:00.440 --> 00:00:01.900
In this final demonstration,

00:00:01.910 --> 00:00:04.180
we will look at the loot that we gathered from our attack

00:00:04.180 --> 00:00:05.960
on the laptop in the previous demo.

00:00:07.040 --> 00:00:11.370
We should also look at how easy it is to modify default payloads to perform

00:00:11.370 --> 00:00:16.280
other attacks. With the Bash Bunny switched back to position three, turning

00:00:16.280 --> 00:00:20.700
it back into a mass storage device (otherwise we would attack ourselves), we

00:00:20.700 --> 00:00:26.310
can navigate into the loot folder on the Bash Bunny. For every successful

00:00:26.310 --> 00:00:29.120
attack we performed, the Bash Bunny created a folder.

00:00:29.130 --> 00:00:33.750
Within this folder, we see the cookies SQLite database stolen from the laptop.

00:00:36.440 --> 00:00:40.500
In the previous demonstration, we stole a chromecookies.db file,

00:00:40.720 --> 00:00:44.150
which we can then interact with and potentially recover session cookies.

00:00:45.040 --> 00:00:48.820
We can run the file command on the cookies.db file and discover that it's a

00:00:48.820 --> 00:00:54.530
SQLite database. Loading it into SQLite, we can then run the .show command to

00:00:54.530 --> 00:00:56.700
get some basic information about the database,

00:00:56.940 --> 00:01:00.290
including its field delimiter and its row separator.

00:01:02.140 --> 00:01:06.370
If we now run the .tables command, we can also list the tables contained in it.

00:01:07.140 --> 00:01:07.690
Obviously,

00:01:07.690 --> 00:01:10.940
the cookies table is what we're after here, and we can run a select

00:01:10.950 --> 00:01:14.040
count from the cookies table to find out how many cookies we've

00:01:14.040 --> 00:01:19.630
exfiltrated. We can see the domains that the cookies relate to by

00:01:19.630 --> 00:01:25.280
running the command select host_key from cookies. I can't show you

00:01:25.280 --> 00:01:26.470
the cookie data itself,

00:01:26.470 --> 00:01:29.470
as it is currently encrypted, and decrypting Chrome's cookie

00:01:29.470 --> 00:01:32.150
database is not within the scope of this course.

00:01:32.740 --> 00:01:33.400
However,

00:01:33.400 --> 00:01:35.840
I hope you can see the power and ease with which the Bash

00:01:35.840 --> 00:01:37.870
Bunny can exfiltrate important data.

00:01:40.940 --> 00:01:44.360
Let's now look at another script that we could have used to exfiltrate data.

00:01:44.840 --> 00:01:50.030
Here you can see the payload MacPDFExfil, which searches specifically for

00:01:50.030 --> 00:01:53.620
PDFs. We can easily change this to look for Word documents,

00:01:53.630 --> 00:01:56.550
JPEGs, or any other file extension we choose.

00:01:57.440 --> 00:02:00.630
We mentioned earlier that the RGB LED can be used to

00:02:00.630 --> 00:02:02.660
give visual indicators to the user.

00:02:03.140 --> 00:02:06.560
These are easily set up and changed within the Bash Bunny payload script.

00:02:07.040 --> 00:02:09.539
Here we can add the visual indicator of a green LED

00:02:09.539 --> 00:02:11.890
status to show the script has completed.

00:02:13.540 --> 00:02:16.810
I want to finish this demonstration with an overview of some of what I

00:02:16.810 --> 00:02:21.390
think of as valuable, important payloads that come with the Bash Bunny.

00:02:21.390 --> 00:02:24.830
The Bash Bunny is an advanced attack platform,

00:02:24.840 --> 00:02:28.310
and I think the most impressive payload is Quick Creds.

00:02:28.620 --> 00:02:33.450
It's a payload created by Hak5Darren, based on the amazing work by Mubix.

00:02:34.240 --> 00:02:35.350
Using this payload,

00:02:35.360 --> 00:02:39.460
it is possible to steal password hashes even from a locked Windows machine.

00:02:40.140 --> 00:02:43.470
It does this by pretending to be a virtual Ethernet driver.

00:02:44.140 --> 00:02:46.580
And whilst it does take some effort to get this payload up and

00:02:46.580 --> 00:02:48.930
running with the additional tools that it requires,

00:02:49.150 --> 00:02:50.860
the results are outstanding.

00:02:51.640 --> 00:02:54.080
I wish the Bash Bunny came with this pre‑set up,

00:02:54.090 --> 00:02:56.260
as I believe this is one of the most powerful attacks

00:02:56.260 --> 00:02:57.670
that the Bash Bunny can perform.

00:02:59.540 --> 00:03:01.610
Obviously, with any red team engagement,

00:03:01.620 --> 00:03:04.550
the goal is often to gain and maintain persistence.

00:03:04.940 --> 00:03:08.560
Bash Bunny comes with a variety of payloads to help you gain reverse shells

00:03:08.560 --> 00:03:12.720
for multiple operating systems, and the Windows meterpreter staged payload is

00:03:12.720 --> 00:03:15.010
one of my particular favorites for doing this.

00:03:17.040 --> 00:03:20.640
One of the most interesting uses of the Bash Bunny payload system is the

00:03:20.640 --> 00:03:23.970
ability to exfiltrate data using free space optics.

00:03:24.640 --> 00:03:28.870
Selected files are converted into QR codes that are displayed on the screen.

00:03:29.340 --> 00:03:33.660
No local record that these files are being moved or extracted is made.

00:03:34.440 --> 00:03:38.250
QR codes can then be recorded using a video camera for later decoding.

00:03:40.740 --> 00:03:44.550
The final payload I want to mention is WifiPass by TheRoninRunner.

00:03:45.240 --> 00:03:48.390
This steals Wi‑Fi credentials stored on Windows targets and

00:03:48.390 --> 00:03:52.170
works on Windows 7, 8, and even Windows 10.

00:03:52.640 --> 00:03:55.680
It's a very valuable payload to help you gain that initial

00:03:55.680 --> 00:03:58.070
access into a target environment's network.

00:03:59.340 --> 00:04:01.910
The Bash Bunny has many more capabilities than we

00:04:01.910 --> 00:04:03.290
have shown in this short course.

00:04:03.740 --> 00:04:04.650
I hope, however,

00:04:04.660 --> 00:04:08.190
this encourages you to look at all the default payloads that come with the

00:04:08.190 --> 00:04:11.750
Bash Bunny and look at how you can modify them to your needs.

00:04:12.340 --> 00:04:15.780
If you create a payload that you believe will be worthwhile to others,

00:04:16.000 --> 00:04:18.970
then please do consider sharing it with the Bash Bunny community.
