
Snagging creds from locked machines


korang


21 minutes ago, barry99705 said:

I gave it that whole file. You're not going to get anything from mine, I scrambled the hashes, that's really my desktop and Microsoft account....

Gotcha, I was trying to copy/paste what I thought was the hash. For the record, I wasn't planning on using yours, I figured it was garbage/worthless if you posted it.


  • 4 weeks later...
5 hours ago, M@$T said:

I tried this on 2 Windows 10 and a Windows 7 and the Responder.db never appears.. 

I am using the quick creds module.. Maybe this only appears with the original @mubix tutorial?

 

What lives in /root/loot ?  Should have a few numbered folders, they'll be in the order of the computers you've plugged into.


I only have four files within every numbered folder.. 

Analyzer-Session.log

Config-Responder.log

Poisoners-Session.log

Responder-Session.log

under loot, apart from the folders there is a file named responder.log


  • 2 weeks later...

OK guys, I re-flashed the turtle for the 5th time and now it captured the hash and I have the Proxy-Auth-NTLM file and also the responder.db.

 

I can't open the db for some reason.

 

Can someone help me out here? Maybe I'm missing something.. Is the hash stored in the Proxy-Auth file or in the responder.db?


  • 2 weeks later...

I have set up the pi zero with responder and it "functions successfully"; but unless your target has the "RNDIS ethernet gadget" driver installed it isn't going to grab any creds. This effectively makes the device useless since almost no targets you will ever come across on a pentest will have this driver installed given the complexity of the driver install (see steps for installation here-> https<colon slash slash>github<dot>com/ev3dev/ev3dev/wiki/Setting-Up-Windows-USB-Ethernet-Networking). With much time wasted on this effort (well, not that much; but still quite a letdown) I am hesitant to grab a lanturtle. Seeing many users here unable to grab or keep credentials has me a fair bit gun shy. Wasting $5 on a pi zero is one thing; but $50 on a lanturtle that I may have to spend hours or days on getting to work is not something I have the time or patience for. Does this work reliably? Can anyone testify to its usefulness on actual engagements? Thanks to all who reply!


On 11/22/2016 at 8:15 AM, M@$T said:

OK guys, I re-flashed the turtle for the 5th time and now it captured the hash and I have the Proxy-Auth-NTLM file and also the responder.db.

 

I can't open the db for some reason.

 

Can someone help me out here? Maybe I'm missing something.. Is the hash stored in the Proxy-Auth file or in the responder.db?

If grabbing the creds from the responder.db on the pi zero implementation you do the following:

sqlite3 /home/pi/tools/responder/Responder.db
select * from responder;

Getting the creds from the lanturtle, they should be under the loot directory. Possibly the file is accessed by the same means. Sorry, I don't own a lanturtle yet so I'm not sure. I'm hesitant to purchase one for actual engagements because stability and repeatability are key. Having to re-flash 5 times to get it to work doesn't fill me with confidence. Once I have extra cash lying around I'll def get one to play with; but if someone can testify to the stability and reliability of the lanturtle in red team engagements for the quickcreds and any other functionality then I'll grab one right away. Here's to hoping I get a ton of responses about its reliability!! :)

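For the "can't open the db" question and the sqlite3 answer above, an added example (not written by any poster in this thread, and not Responder's or Hak5's code): a read-only check that a file really is a SQLite 3 database, then a dump of the `responder` table with secret fields redacted so the output can go into notes or a report. The column names in `SECRET_COLUMNS` and in the constructed sample are assumptions; the code reads the actual column list from the file.

```python
import sqlite3
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"               # first 16 bytes of any SQLite 3 file
SECRET_COLUMNS = {"cleartext", "hash", "fullhash"}  # assumed column names, redacted if present

def is_sqlite_file(path):
    """Return True if the file begins with the SQLite 3 header."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC

def summarize(path, table="responder"):
    """Return (columns, rows) for `table`, with secret columns redacted."""
    if not is_sqlite_file(path):
        raise ValueError(f"{path}: not a SQLite 3 file (empty, truncated or wrong file)")
    # mode=ro: inspecting the file must never modify it.
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        if table not in tables:
            raise LookupError(f"no table {table!r}; tables present: {tables}")
        # Read the real column list from the file instead of trusting the assumption.
        columns = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
        rows = [tuple("<redacted>" if col in SECRET_COLUMNS and val else val
                      for col, val in zip(columns, row))
                for row in con.execute(f'SELECT * FROM "{table}"')]
        return columns, rows
    finally:
        con.close()

def build_sample(path):
    """Write a constructed database; schema and values are made up for the demo."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE responder "
                "(timestamp TEXT, module TEXT, client TEXT, user TEXT, fullhash TEXT)")
    con.execute("INSERT INTO responder VALUES (?, ?, ?, ?, ?)",
                ("2016-12-01 10:00:00", "HTTP", "192.0.2.10", "LAB\\alice",
                 "CONSTRUCTED-PLACEHOLDER-NOT-A-HASH"))
    con.commit()
    con.close()

if __name__ == "__main__":
    import os, tempfile
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "Responder.db")
        build_sample(db)
        cols, rows = summarize(db)
        print(cols)
        for row in rows:
            print(row)
```

A `ValueError` here means the file is empty, truncated or not the database at all, which is a different problem from a valid database that simply has no `responder` table (`LookupError`).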

Just sharing my experience on the off chance it helps someone:

  • after initial setup -> enable quick creds and responder modules 
  • Noticed quick creds refuses to start unless responder is running and neither would auto-start 
  • in /etc/turtle/autoload-modules : 
  • 3 links were in the folder: 99-responder, 99-module-manager, 99-quick-creds
  • renamed 99-responder to 98-responder 
  • works fine now! all modules auto-load and I got my creds in as few as 3 seconds after boot 

My only issue with this otherwise fantastic technique is that all win 7 computers I tried failed to auto-install the LAN drivers :-(

Was really hoping to use this in the field. Does anyone know if I can still use eth1 on the turtle if the computer doesn't install the drivers? If I can't run responder on br-lan for local machines, maybe it's still useful as a self-contained LAN responder device? Thoughts?

 

 


Hi there,

I'm new with LAN turtle. I just want to try it with Quick Creds. I'm not sure about the procedure... after I enabled it and plugged it into a locked machine, it won't do the work. Do I need to find the snagged creds inside some directory called loot? Confused. Please help.


6 hours ago, SenalWolf said:

Hi there,

I'm new with LAN turtle. I just want to try it with Quick Creds. I'm not sure about the procedure... after I enabled it and plugged it into a locked machine, it won't do the work. Do I need to find the snagged creds inside some directory called loot? Confused. Please help.

Do some troubleshooting first. The target computer needs to have the appropriate drivers installed to recognize the turtle as a USB LAN adapter. Once you plug it in, ssh into it to make sure the modules are running. For this scenario only quickcreds and responder need to be enabled, anything else may block ports which responder may try to use. Activity on the computer is definitely something to think about. Are there any running applications? If you want to force some hashes to get sent, try SMB browsing to a share that doesn't exist or enabling auto proxy detection on IE, then browsing around to some sites. Finally, keep in mind that while capturing hashes in this manner works *most* times, there are some configurations which are resistant to the attack, in which case you may not capture any hashes at all.


On 12/7/2016 at 5:03 AM, jason001 said:

Do some troubleshooting first. The target computer needs to have the appropriate drivers installed to recognize the turtle as a USB LAN adapter. Once you plug it in, ssh into it to make sure the modules are running. For this scenario only quickcreds and responder need to be enabled, anything else may block ports which responder may try to use. Activity on the computer is definitely something to think about. Are there any running applications? If you want to force some hashes to get sent, try SMB browsing to a share that doesn't exist or enabling auto proxy detection on IE, then browsing around to some sites. Finally, keep in mind that while capturing hashes in this manner works *most* times, there are some configurations which are resistant to the attack, in which case you may not capture any hashes at all.

Thanks for the reply mate


  • 2 weeks later...

Hello all,

I am super new to this but I am pretty sure I got it running. Is it true, unless you are able to crack the hash then you are basically just stuck with a hash?

I tried using Hashcat to crack my Windows password with no luck using a large word list I found online. When I changed my Windows password to 'test' I was able to crack it.

So is it only as good as the list you use?

Thanks and sorry for the noob question.

 


  • 2 weeks later...

Well, this seemed dead simple, but apparently not. I've got QuickCreds and Responder modules started but I only get a flashing yellow light and nothing in my loot logs even in the latest. Not even the next layer of log file names.

Has anyone figured this out? Will someone at Hak5 come to our rescue? Is this a lost cause?


  • 10 months later...

So, I've reset the LAN turtle multiple times now trying to get the QuickCred module to work.  It seems the issue I've had time after time is that Responder is not being installed properly by the module manager as a dependency.  I attempted to start the module from the SSH console and saw "ln: /etc/turtle/Responder/logs: No such file or directory".  Indeed, Responder is nowhere to be found.  Does anyone know how I can work around this?  I've tried installing the Responder module as well, but it seems to look for resources in the wrong spot and causes conflicts.


  • 2 months later...

Seems like some people are feeling buyer's remorse over an inability to steal credentials with the LAN Turtle. Responder honestly seems like a pretty hit-or-miss approach to stealing login credentials in general. That's what you get for the relative ease-of-use.

Trust me - the device is a great pen testing tool regardless of whether or not Responder or QuickCreds works well. Stick with it. Learn the ins and outs. Maybe you'll get lucky and find an exploit somewhere else in the stack.

I consider mine as a long-term investment. I don't know what all it can do yet, but I expect it to be a hard yet enjoyable learning curve.


  • 1 year later...
On 9/26/2016 at 11:04 AM, M@$T said:

Must agree with Mohamed.. the module isn't consistent and isn't working well for most of us.. My amber LED keeps flashing continuously and doesn't seem to be working... maybe a refresh of the module is needed?

Any luck ??? Is it working at your end ?? I am having the same issue.

I am available on remote session please help me (I will share my screen via teamviewer or skype)


On 10/14/2016 at 7:34 PM, CrypieJay said:

I am having problems where QuickCreds won't start. I went back to factory reset on the turtle then loaded up QuickCreds, applied dependencies, enabled on boot. But when I start it manually I get the following error:

pVEHTSD.png

Note that I do not have the directory structure it seems to want:

 

mFmJgjm.png

I am having the same issue. Please make a video from start if anyone has successfully done this. It seems like I have wasted my money on this?


  • 4 weeks later...
On 11/7/2017 at 11:38 PM, blackball said:

So, I've reset the LAN turtle multiple times now trying to get the QuickCred module to work.  It seems the issue I've had time after time is that Responder is not being installed properly by the module manager as a dependency.  I attempted to start the module from the SSH console and saw "ln: /etc/turtle/Responder/logs: No such file or directory".  Indeed, Responder is nowhere to be found.  Does anyone know how I can work around this?  I've tried installing the Responder module as well, but it seems to look for resources in the wrong spot and causes conflicts.

I added the Responder folder and logs inside this. The error message disappeared and now the quickcred does the fast blink but never stops to solid as instructed. If a simple attack doesn't work, why on earth would you stick with this piece of kit? The reset is unclear, mine has no reset button and when strapping the pins still nothing. I have it running now for 20 minutes, not the item sold as being excellent and makes me think if the other modules will be of any use.......

 

Maybe Hak5 can actually answer these issues and put out some video how-tos instead of an over-excited Darren saying how great they are. We want fixes and we want the workarounds, not a million suggestions.


Archived

This topic is now archived and is closed to further replies.
