Jump to content

[PAYLOAD] QuickCreds


Darren Kitchen

Recommended Posts

  • Replies 106
  • Created
  • Last Reply
On 3/12/2017 at 3:12 PM, Th3G04t said:

I have the same issue ...

It blinks yellow and never completes (gave it 5 mins+ it does creates the loot/quickcreds/mypc/  folder but its empty

Local Account and Windows 10 

 

Any Idea's would help! and thanks in advance

I'm also getting this issue, and I couldn't find a fix for this. Any suggestions??

Link to comment
Share on other sites

2 minutes ago, peterkozmd said:

Pretty sure we all did those easy steps but still having problems.

Ok, did you try instead of copying those tools files and pasting into the payload folder, try doing a cut n paste instead of copy. Does that work?

Link to comment
Share on other sites

My 7 caracters password are cracked in 3h55.

With hashcat and the commande :
hashcat64.exe --force -m 5600 1.txt -a 3 --status
(1.txt is my renomed hash file from Bash Bunny, originaly named Proxy-Auth-NTLMv2-172.16.64.10.txt).

Link to comment
Share on other sites

On 3/4/2017 at 10:52 PM, Darren Kitchen said:

Also as an FYI all this payload does is copy the contents of tools_to_install to /pentest on the Bash Bunny. If you're comfortable doing that over SCP -- go for it. We're changing this operation in the next firmware in such a way that will make this payload obsolete.

I don't even have a pentest folder? Unless I can only see it by using Putty? Only reason I did this was to get the QuickCreds to work. But then I re-read this and it said it will be obsolete- is this why I don't see a Pentest folder? Because it's already obsolete?

Link to comment
Share on other sites

The pentest folder is in the device root, not /root. You can see it if you SSH into the Bunny and look in /. You won't see it when using STORAGE mode.

For those wondering why they aren't seeing immediate results/just a blinking amber LED, you need to give Responder time to capture a hash. If you're using the Bunny against a test VM or just a convenient Windows PC, you may be waiting a while unless you force/initiate a request for a file share. QuickCreds looks for the log file Responder creates when it captures an NTLM hash. The Bunny will blink the amber LED until it sees at least one such log file. You won't get an NTLM hash and a log file until the target sends that information for something like a file share and is tricked into providing the hash to Responder.

Link to comment
Share on other sites

  • 1 month later...

I have a question... I tried it on a locked Windows 10 machine and I got the hashes.. but what can I do with NTLMV2? From the knowledge I have it is either hash passing attacks or cracking.. but cracking in a real world scenario is almost not an option.. so what do you do with the NTLMV2?

 

Link to comment
Share on other sites

2 hours ago, Mehardeep Singh said:

I have a question... I tried it on a locked Windows 10 machine and I got the hashes.. but what can I do with NTLMV2? From the knowledge I have it is either hash passing attacks or cracking.. but cracking in a real world scenario is almost not an option.. so what do you do with the NTLMV2?

 

https://security.stackexchange.com/questions/72005/are-there-any-ways-to-leverage-ntlm-v2-hashes-during-a-penetration-test

Link to comment
Share on other sites

I am currently running FW 1.1 and QuickCreds works great, however, when I try to crack the captured ntlmv2 hash with hashcat using a known password it didn't work. I had the same problem as seen here: http://stackoverflow.com/questions/41487203/hashcat-not-working-on-netntlmv2-hashes-obtained-by-responder

I originally used https://github.com/qdba/MyBashBunny/tree/master/tools by user qdba to install responder_2.3.3.5.deb. Based on the stackoverflow post, I used the latest responder 2.3.3.6 on a Kali VM and cracked a captured hash with a known password immediately. It seems my issue is that I'm using an older version of responder. My question: What's my best course of action for installing the latest version of responder on my BashBunny? Should I just update packages? Put the latest responder version in the tools directory? I don't want to brick anything so I'm treading carefully.

Link to comment
Share on other sites

8 hours ago, Vagabond said:

I am currently running FW 1.1 and QuickCreds works great, however, when I try to crack the captured ntlmv2 hash with hashcat using a known password it didn't work. I had the same problem as seen here: http://stackoverflow.com/questions/41487203/hashcat-not-working-on-netntlmv2-hashes-obtained-by-responder

I originally used https://github.com/qdba/MyBashBunny/tree/master/tools by user qdba to install responder_2.3.3.5.deb. Based on the stackoverflow post, I used the latest responder 2.3.3.6 on a Kali VM and cracked a captured hash with a known password immediately. It seems my issue is that I'm using an older version of responder. My question: What's my best course of action for installing the latest version of responder on my BashBunny? Should I just update packages? Put the latest responder version in the tools directory? I don't want to brick anything so I'm treading carefully.

I second this. I have tried the upgraded version and it does not seem to capture any hashes. With 1.0.

Link to comment
Share on other sites

13 hours ago, Fang_Shadow said:

I have an updated dev file on my github 

https://github.com/F9Alejandro/packages just place in your tools folder in arming mode, unpkug, the plug back in for it to install, be sure to remove the old responder from the /tools/ folder on the linux side before install.

Great stuff @Fang_Shadow, works great. Just for anyone else who is curious you can 'rm -r /tools/responder' the older responder version and then simply place this new responder_2.3.3.6-2.deb in the tools folder when the BB is mounted as storage. Safely remove the mounted BB and then plug it back in and it should install successfully as "NBT-NS, LLMNR & MDNS Responder 2.3.3.6" which fixes several issues including dumping a bad NetNTLMv2 hash. Cheers.

Link to comment
Share on other sites

I have version 1.1_228 and I think I have fully installed responder and impacket but I may not have done things correctly. When I try to use quickcreds it lights up purple for a minuite then just blinks red. How I installed the tools was download them from GitHub then put the tools in the tools folder. After that I unplugged and replugged them back in and the folders disappeared. Then I remoted in to the bash bunny and ran the setup.py for impacket and it looked like responder did not have a setup.py file.

Link to comment
Share on other sites

Correct they impacket is the only one with a setup.py responder doesn't need any setup it just works, all that is needed is to look for the REQUIRETOOL fields and make sure impacket and responder are there. Then to run the test server and such you need to basically cd into the dir with the examples, if not quickcreds should do it for you.

Link to comment
Share on other sites

The date in my loot folder is incorrect (example; date modified on the folders and files created within the loot folder from this payload) - is this a setting in the linux side of BB that cannot be changed because there's no RTC in the bb or is this a setting I can change with SSH, or is something else wrong?

Link to comment
Share on other sites

it is because the linux box can't get the correct time and date, my packages repo says last updated 15 days ago because i pushed via my bashbunny to github. Don't worry about the time being off and or date because you will need to change the settings every time you plug it in.

Link to comment
Share on other sites

17 hours ago, trumoo said:

The date in my loot folder is incorrect (example; date modified on the folders and files created within the loot folder from this payload) - is this a setting in the linux side of BB that cannot be changed because there's no RTC in the bb or is this a setting I can change with SSH, or is something else wrong?

The Bash Bunny doesn't have a battery connected to the RTC, so it has to way to keep accurate time. 

We use a bit of a hack to try to make the time a bit more accurate by using NTP (when an Internet connection is present) and checking the last accessed time of files on the Bash Bunny and setting the time to the latest date found. 

While this method is not accurate it will usually get you in the same year and month, which is enough for most utilities to function properly (certificate verification for example). 

Link to comment
Share on other sites

  • 3 months later...

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.

×
×
  • Create New...