I decided to dust off my Hak5 field kit and refamiliarize myself with all the tools. I have the Bash Bunny, the LAN Turtle, the Rubber Ducky, and a bunch of utility adapters. I also have a WiFi Cactus in there, but I’m pretty sure I picked that up separately.
I started with the Bash Bunny, since it’s so versatile. I won’t address advanced topics like locked PCs in this post; this is very basic Bash Bunny talk. So the scope here is “some dumbass left me unmonitored access to a PC.” Either unattended, or “here, you drive while I go get a drink.” Yeah, don’t do that with someone who might have these tools and tendencies.
So the first thing I noticed was that it was out of date. Fortunately, Hak5 has very usable instructions and tools for making it current.
So I went through all that process, bringing my payloads and firmware up to current levels. It was a fun exercise.
The first script I ran was recon/MacProfiler. I set the Bash Bunny to Arm, copied the payload.txt into switch1/, ejected it, switched the Bash Bunny to position 1, and reinserted it.
The first run left the Bash Bunny mounted. The second time I ran it, it successfully ejected itself, which is important if you’re trying to be a bit stealthy. At some point I’ll investigate that further.
It worked well. It gathered a list of everything in /Applications on my MacBook Air, a list of all users, and all the networking information I might need. Oh, and a list of things that start up automatically. All of this is tremendously useful for recon, so that you can craft a later attack for the next time you have access to the same PC.
Next, I tried macinfograbber. Similar concept, but it’s specifically crafted to grab a copy of any spreadsheets (xls/xlsx) in the user’s Documents directory. By extension, of course, this could mean whatever type of files you’re specifically aiming for.
(arm) (eject) (switch) (reinsert)
OK, this did some stuff, then ended with a red LED indicator on the Bash Bunny. According to the script, this translates to “no files found.” Kind of surprising. Do I really have no xls/xlsx files in my Documents directory? Let’s see… Hmmm, yep. I do. Why did it fail? At first I thought maybe it was spaces in the filename and a poorly-written script, but I renamed it to a single word and tried again and it continued to fail.
So I dug deeper. Here’s the command that macinfograbber uses to grab those files:
cp ~/Documents/{*.xlsx,*.xls,*.pdf} /Volumes/BashBunny/loot/MacLoot/xlsx/
And here’s the problem. I’m assuming these scripts were written back in 2017 when the Bash Bunny was fresh. In 2019, Apple switched the default shell from bash to zsh on the Mac. And apparently, zsh fails this command if any one of the globs matches nothing, for safety reasons. So that line will need to be rewritten, or just broken out into individual commands.
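As an added example (my own rewrite, not the macinfograbber payload’s code), here is one way to break that copy out per pattern so an extension with no matches is skipped instead of aborting the whole command; the directory names in the demo are constructed:

```shell
#!/bin/sh
# Added example, not the macinfograbber payload's own code: copy files that match
# several extensions one pattern at a time, so a pattern with no matches is simply
# skipped instead of failing the whole command (zsh's default NOMATCH behaviour).
# Under zsh, `setopt null_glob` (or the `(N)` glob qualifier) would achieve the
# same by expanding an unmatched pattern to nothing.

# copy_by_ext SRC DST EXT... : copies SRC/*.EXT for every EXT into DST and
# prints the number of files copied.
copy_by_ext() {
    src="$1"
    dst="$2"
    shift 2
    mkdir -p "$dst" || return 1
    copied=0
    for ext in "$@"; do
        for f in "$src"/*."$ext"; do
            # In sh/bash an unmatched glob is left as the literal pattern;
            # test that the path really exists before copying it.
            [ -e "$f" ] || continue
            # "--" keeps file names that begin with "-" from being taken as options
            cp -- "$f" "$dst/" && copied=$((copied + 1))
        done
    done
    echo "$copied"
}

# Stand-alone demo on a constructed temporary directory: two spreadsheets
# (one with a space in its name), one unrelated file, and no PDFs at all.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/Documents"
touch "$demo_dir/Documents/budget.xlsx" "$demo_dir/Documents/old budget.xls" \
      "$demo_dir/Documents/notes.txt"
echo "copied $(copy_by_ext "$demo_dir/Documents" "$demo_dir/out" xlsx xls pdf) file(s)"
rm -rf "$demo_dir"
```

The demo reports 2 files copied: the missing *.pdf pattern no longer takes the *.xlsx and *.xls matches down with it.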
More on the Bash Bunny later. I plan to dig deep through the whole payload library for a 2021 refresh, because it’s still useful. Although you might want to remember to take your USB-C adapter with you for modern MacBooks. 🙂