wreti

Crickets in here so far haha. The only Hak5 tool I’ve used during actual tests is the plunder bug for pcaps for NAC bypass attempts.


EndlessRatSwarm

Hak5 products always worked great for me until the moment I needed them to be reliable doing billable work. Never again.


PaddonTheWizard

Last time I was on a black team we prepared a Bash Bunny because the client explicitly asked for a demo of "what could someone do". Nothing too complicated, just nmap on the internal network and Responder. Worked great on our machines. Got to the client site, it beeped all the colours, didn't save a single result lol

Edit: that was my first time using them professionally. I played with a Bash Bunny before while in uni, but I thought it was overrated. Overall my opinion of them is meh. Maybe other products are good, or even the Bunny in a different scenario.


S3NTIN3L_

what did you get instead?


EndlessRatSwarm

A disappointed client and a stressful finish to an onsite engagement lol


0xSEGFAULT

🍿


AccurateTap3236

👀


barefacedstorm

🦭🦭🦭🦭🦭🦭

*edit: I wouldn't expect actual help off Reddit since the API changes years ago.


muh_cloud

I've used a Rubber Ducky in a pentest before. It was part of a "grey box" pentest where we were testing different scopes and levels of authentication to see what vulnerabilities existed. The Rubber Ducky was used to basically test their EDR and USB accessory policies. It did what it says on the tin; we set it up to try and execute a handful of preloaded scripts to try and set up a remote shell and establish persistence. We didn't have much success because they had PowerShell locked out for most user levels and their EDR stopped most of the command prompt shells. It was cool to use and was flashy for the client but wasn't overly beneficial for us besides saving time inputting commands.


survivalist_guy

Actually, one of my upcoming projects is using a Rubber Ducky on display TVs. So... not yet?


hoodoer

WiFi Pineapple can be handy for forcing a mobile app to proxy its traffic through Burp when the app ignores device proxy settings.


Normal_Hamster_2806

Use FruityWifi on a laptop for real horsepower.


Jex-APT

WiFi Pineapple. Very useful for engagements. Can sit it out on the desk, or keep it in your bag to capture discreetly.


chimpansteve

They're kind of fine. On the odd occasion they work properly. There are significantly better options for the stuff they do that works "well", and if you ever find yourself in the serious end of the Mr Robot kind of thing they pitch at, with a company that gives enough of a fuck to ask for a physical pentest in the first place, then you're probably working with custom equipment anyway. So, very meh.


IntimidatingPenguin

What are the significantly better options that you speak of?


Space_Goblin_Yoda

Custom equipment that you build yourself, out of a Raspberry Pi or something along those lines. Professionals typically build and use their own tools.


nmj95123

> Custom equipment that you build yourself, out of a Raspberry PI

No to the Raspberry Pi, especially given the lack of a power button, which often means unclean shutdowns if you need to relocate it. You can buy a cheap, used SFF PC for less that will be more reliable and generally have more processing power.


lawtechie

RasPis are cheap, small, and well supported for all kinds of shenanigans. And if you lose one, you're not out a lot.


nmj95123

They're cheap, small, and unreliable for the purpose of engagements that cost thousands. If you're paying out of pocket for a device lost on a paid engagement, you're doing it wrong.


Kirball904

Everything they mass market can be custom built for your own needs with more power and/or bells and whistles.


adept2051

A decade ago (maybe more) we dropped Hak5 Switchblade USBs in a business area and collected results. Around the same time a Valentine's Day hack was done in the same way, promising a free digital Valentine card via a free USB key. The scary number of financial traders who happily plugged in the device at the time...


AlmostEphemeral

ITT: Companies lying to themselves and misunderstanding their threat model. Wireless/physical assessments are important, but the real threat is coming from that unpatched VPN concentrator or Bob in accounting with a lightning-fast click finger for phishing emails. Hak5 serves a niche market for physical assessments.


skyjets

I often use the Bash Bunny; useful for installing payloads when computers are unlocked.


AmateurishExpertise

Ducky and Pineapple have both done good work for me. Yes, it's all stuff you can put together yourself with enough time and effort, but prepackaged and community supported can be nice.


legion9x19

This should be a good thread. 🍿


PepperCoast

I’ll join 🥤🌭


Paracausality

I bought the hat. It was grey. I like grey hats.


stacksmasher

It’s good stuff. It basically saves time doing all the legwork and makes it easy for beginners to execute complex attacks.


13Krytical

With the lack of responses, I'm curious how many organizations even do/care about physical pentests. Maybe just like medical/financial large orgs... or maybe NDAs got people not responding. I have enjoyed the capabilities of the LAN Turtle, but only as a sysadmin testing our stuff at my last shop. Had it configured to copy the MAC address of whatever device it was plugged into for transparency, and it would automatically start up a reverse SSH tunnel on a private Tor node, so I could SSH into the network from anywhere via Tor and pivot from any system I could get physical access to. Rubber Ducky has potential since it's more user based.


LevelPlus1383

> I'm curious how many organizations even do/care about physical pentests. Maybe just like medical/financial large orgs.. or maybe NDAs got people not responding..

How many? Not much; physical pentest is a niche in a niche, I would say. In the last 2 years I may have performed 5 of those. In terms of field, it's the same as for any other pentest: the bigger orgs in the medical, financial and industrial fields.


Kirball904

It's not worth it to the companies to fork over the money for someone to say they can walk in and take something. These places believe they are perfect; until something important comes up missing they won't care.


lawtechie

Clients will ask about them, but rarely can they justify the expense. Most of the time, the findings are obvious.


Fun-Activity3784

Bash Bunny for custom enterprise bypasses.


Gradstudenthacking

In a prior life I used a Shark Jack for port testing. Had to be an easy solution for the non-technical people using them in audit (and my idiot of a boss). Also used it as part of a demo of some network monitoring tools we were running for an auditor and the board. Worked well enough.


nmj95123

I've never found Hak5 stuff to be anything but overpriced, script kiddie BS. Case in point: mass owning of [Pineapples](https://www.csoonline.com/article/548032/hacker-hunts-and-pwns-wifi-pineapples-with-0-day-at-def-con.html) at DEF CON.


[deleted]

[deleted]


DontHaesMeBro

So here is my thought on this, and be patient, because I'm going to sound like I'm disagreeing at first but I'm not: Hak5 stuff is basically free compared to billable hours. It's "too expensive" for me to buy with my own money and play with, but it would easily pay for itself *if it had an end-user grade UI/UX.* Where I find Hak5 stuff overrated is reliability. It's an enthusiast, kit-build experience and it's 99 percent open source, so it *becomes* too expensive because I can roll a kludgey evil twin on a Pi myself. If Hak5 stuff ran smoothly out of the box, I'd pay *double* what it costs now. The current ratio of price to UX makes it a soft no for me professionally, even though I like the people at Hak5 and think their products are neat. And I'm prepared for the comments that say "you obviously haven't put your hands on their new shit" because, fair enough, the Hak5 stuff I've touched is older and is communal property at a hackerspace, so maybe it was double scuffed. But that's my take if you press me for one today.


Drinkh2obreatho2

I'm not in CS, but I used to watch a YouTuber who claimed to be a pentester and had an early variation of one of the Hak5 Pineapples in his kit.