[PAYLOAD] QuickCreds

[Darren Kitchen]

https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/QuickCreds

Snags credentials from locked or unlocked machines Based on the attack by Mubix of Room362.com Implements a responder attack. Saves creds to the loot folder on the USB Disk Looks for NTLM log files

[illwill]

Violation of CoC

[Darren Kitchen]

I just tested this on a fresh Bash Bunny and it worked. Here's what I did:

1. Download payloads from https://github.com/hak5/bashbunny-payloads/archive/master.zip
2. Unzip master.zip
3. Switch Bash Bunny to Arming mode and plug into PC
4. Copy bashbunny-payloads-mater\payloads\library\tools_installer\* to the Bash Bunny in payloads\switch2
5. Safely eject Bash Bunny
6. Switch Bash Bunny to switch 2 and plug into PC
7. Wait until LED goes white

The blinking red LED you're getting indicates that the tools_to_install folder wasn't found in payloads/switch2

Please verify that all contents of the tools_installer were copied to payloads/switch2 on the Bash Bunny. When complete you should get a white LED and there should be an installed-tools.txt file on the root of the USB drive.

[super-6-1]

I did this and the tools installed but for mine it blinks red Everytime. Tools are installed. 

[Darren Kitchen]

Also as an FYI all this payload does is copy the contents of tools_to_install to /pentest on the Bash Bunny. If you're comfortable doing that over SCP -- go for it. We're changing this operation in the next firmware in such a way that will make this payload obsolete.

[illwill]

Violation of CoC

[super-6-1]

I did get the pentest installed. The PayPal for credits always blinks red. Even redid the payload manually. I'll look more into it again tomorrow after I get some sleep lol. 

[b0N3z]

Gave quick creds a try last night and worked excellent on my win 10 machine. After changing attack mode to ECM instead of rndis to try on OSX, the script ran but never completed. The PC is not encrypted and was unlocked at the time. Any ideas why it wouldn't work on OSX.   Also the Mac has a fresh install with all my apps and programs setup as of last night before testing.

[Stormborn]

Hello all,

I am having some trouble getting the tools installed.

After completing Darren's step 6 above (Switch Bash Bunny to switch 2 and plug into PC), I get a purple light for a second then solid red. All the files in the tools_to_install directory are still there. I have tried a couple of times and I am not sure where to go with this.

I also noticed that when in arming mode the Win10 machine I am on sees the BashBunny as having only 1.99GB.

Any advice welcome.

Thank you.

[WatskeBart]

18 minutes ago, Stormborn said:

Hello all,

I am having some trouble getting the tools installed.

After completing Darren's step 6 above (Switch Bash Bunny to switch 2 and plug into PC), I get a purple light for a second then solid red. All the files in the tools_to_install directory are still there. I have tried a couple of times and I am not sure where to go with this.

I also noticed that when in arming mode the Win10 machine I am on sees the BashBunny as having only 1.99GB.

Any advice welcome.

Thank you.

Check this thread for more info about the tools_installer problems.

[Stormborn]

Thank you, WatskeBart

[lit]

Having a lot of fun with quickcreds (mad props on the bunny!), but it seems it just returns the ntlmv2 hash (as expected, same type of thing you would get with responder using the lanturtle) - my question is, as a relative novice, I know I can crack ntlmv2 with hashcat (given enough horsepower and time), but any good guides on how to "pass the hash" in an rdp scenerio? What other fun stuff can you do with the hashed NTLMv2 password?

 

Btw - Darren, I too got the red light bug after trying to run the install_tools payload, but, I made a mistake I think others ran into....copying the payload rather than cutting and pasting it into the switch1 or switch2 folder....after I ran rm -rf /pentest I the tried a 2nd time cutting it rather than copying it and had no issues. This was on a win10 box.

[Rub1xCub3]

I am not quite sure that it worked for me. It seems like all the logs populate, but for some reason in the responder session log the "NTLM hash:" part is blank. In the Proxy-Auth NTLMv2 log has different things in there every time I plug it into the "victim (myself)" machine. I would think I would get the same hashes every time I test this out... So I dont think that is the hash.

 

If I am having a noob moment can someone assist me? 

[wit09]

I too am having a problem with QuickCreds. I got the tool_installer to work. Yest when I have tested the quickcreds payload on many different windows and linux machines I only get the bunny scanning forever (blinking Amber LED) and then an empty folder in loot. Any ideas? 

[Cpt.Pickles]

From my testing with the LanTurtle, opening a fresh Chrome, I had less success with IE, should send the packets that Responder is looking for. If that does not work waking a computer from sleep or searching for random file shares should also send out the NBT-NS requests, and then the attack should work.

[wrxratd]

I've noticed on my end I kept trying quickcreds on my account on windows 10 and it wasn't working so I then switched to my brother login. Tested it there and it worked great now the difference between the accounts are his is a local account mine uses my live account to login. 

[Cpt.Pickles]

I would check some of the settings in this report from 4armed to see if there are any differences between the two accounts. 
https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/

[Torrey]

Finally had the chance to test this on Windows machines in the field. The Bash Bunny was consistently successful with this payload and achieved success in ~10 seconds every time (from boot to creds).

[b0N3z]

ive had a lot of success on windows but as for OSX it is a no go.  changed the settings for ecm as rndis will not run just a blinking red light and when i use ecm it just constantly blinks amber.  Ive had it locked (not logged out) and even unlocked it with the bunny in and running, tried surfing the web while it was doing that to see if it would get anything at all and after 15min i just said hell with it and unplugged with not even a file in the loot folder showing that it was plugged into the mac.  Nmapper works great though lol

[Rub1xCub3]

I have what looks like a NTLM hash. Just to verify can someone give me the "syntax" of how one is? From what I understand it should be 32 Characters total.

[Cpt.Pickles]

@Rub1xCub3 example hashes https://hashcat.net/wiki/doku.php?id=example_hashes, what the hash is https://hashcat.net/forum/thread-2939.html,,, I would google some more around to gain more knowledge. Then test with a known password that you have in a password list to test with John the Ripper or hashCat.

[Rub1xCub3]

Thanks Capt. (Love the username btw)! I did do some googling. I couldn't get it to crack the password (I have a pretty good one set) but I definitely got the hash (and good knowledge on how to do this attack now). Thanks for all your help!

 

I can confirm that this payload works flawlessly. 

[Th3G04t]

I have the same issue ...

Quote

I too am having a problem with QuickCreds. I got the tool_installer to work. Yest when I have tested the quickcreds payload on many different windows and linux machines I only get the bunny scanning forever (blinking Amber LED) and then an empty folder in loot. Any ideas? 

It blinks yellow and never completes (gave it 5 mins+ it does creates the loot/quickcreds/mypc/  folder but its empty

Local Account and Windows 10 

 

Any Idea's would help! and thanks in advance

[Th3G04t]

sorry and the tools installed work perfectly visually confirmed its there too, I also tested the nmap payload and it works 

[Cpt.Pickles]

Did you test the items I suggested above and read the article (4armed)? Both should allow you to see what is going on, mind you Wireshark captures will tell you if you are responding to queries or if you are still requesting and getting "normal responses." You can also see if all is working well by navigating to http://wpad this test should work as well.