
illwill


Please note that the "key=clear" part of the netsh command (in the a.cmd file for this payload) requires local admin privileges on the specific Windows box to get anything out of it. I.e. the logged-on user on the PC has to be a local admin, otherwise key=clear will produce nada... So... that part will be "step 1" to verify. If the tests of the payload are executed in a lab environment (or on a PC where you can get access to the box the "correct" way), then log on and run the netsh command in the way it is specified in the a.cmd file of the payload. If netsh throws back an error telling you that it needs to be executed with admin privileges, then the currently logged-in user has no rights to issue this command with the key=clear "switch". The payload could perhaps be enhanced to catch the error that the command throws back at you, and if it says you need admin rights, then the payload could either blink a sequence telling you that the execution went bad or put the status in a file on the local storage of the Bunny (or both). If working on boxes with a language other than English, the "error catch part" of the payload has to be adjusted so that it can handle error messages in the appropriate system language as well.


On 3/16/2017 at 1:37 AM, jokre said:

Please note that the "key=clear" part of the netsh command (in the a.cmd file for this payload) requires local admin privileges on the specific Windows box to get anything out of it. I.e. the logged-on user on the PC has to be a local admin, otherwise key=clear will produce nada... So... that part will be "step 1" to verify. If the tests of the payload are executed in a lab environment (or on a PC where you can get access to the box the "correct" way), then log on and run the netsh command in the way it is specified in the a.cmd file of the payload. If netsh throws back an error telling you that it needs to be executed with admin privileges, then the currently logged-in user has no rights to issue this command with the key=clear "switch". The payload could perhaps be enhanced to catch the error that the command throws back at you, and if it says you need admin rights, then the payload could either blink a sequence telling you that the execution went bad or put the status in a file on the local storage of the Bunny (or both). If working on boxes with a language other than English, the "error catch part" of the payload has to be adjusted so that it can handle error messages in the appropriate system language as well.

I ran the netsh command on a Windows 10 laptop logged in as a user that's a standard user and it returns the clear text pw.  If you try to get past UAC as a standard user, that won't work though.


On 3/17/2017 at 7:22 AM, yeahits_ZP83 said:

Creates a loot folder but no loot. I'll tinker with it more today.

Same thing on Windows 10 here.  Loot folder shows up and has the file DONE in it but nothing else.  Running version 0.2 of the payload.


2 hours ago, illwill said:

I'm testing on Win10 and both codes I posted work for me. The first code didn't work with Windows 7 because of an array error in PowerShell I need to track down, so I changed it to just a bash script for now, which worked on Win 7, 8 and 10 when I tested.


I accidentally lied to you, the Widumppass worked and had a folder with the results I was looking for. I can't get it to do it again on the same Windows 10 box. Still working on this though. Probably something simple I am missing.


With your wificreds code, should I include a.cmd in the switch folder?


2 minutes ago, illwill said:

My code is inline in payloads.txt. Sit tight, I'm working on an updated version. I figured out the issue with Win7: the person may not have updated PowerShell (i.e. version 2.0), which is the reason for my code not working. Almost finished escaping the chars in my script and I'll post in a few.

Thanks for all of the great work. Just reading these codes is going to get me better fast. 



@illwill You have placed so much effort into this, as has Sally Vendeven. Unfortunately, neither of these work on three Windows 10 boxes and four VMs. Sadly, running a.cmd does exactly what this payload proposes to do, but you must execute it manually. So, if I'm left with no other option, using several scenarios, how do I make a simple payload that calls upon a.cmd? Seriously! After months of coding and comparing, the Windows-based command works effortlessly. Let it do just that, and teach us all how to call upon that file in the beginning and leave it there. Please get back to me at your convenience, as I appreciate your time.

-Opticon


45 minutes ago, Opticon said:

@illwill You have placed so much effort into this, as has Sally Vendeven. Unfortunately, neither of these work on three Windows 10 boxes and four VMs. Sadly, running a.cmd does exactly what this payload proposes to do, but you must execute it manually. So, if I'm left with no other option, using several scenarios, how do I make a simple payload that calls upon a.cmd? Seriously! After months of coding and comparing, the Windows-based command works effortlessly. Let it do just that, and teach us all how to call upon that file in the beginning and leave it there. Please get back to me at your convenience, as I appreciate your time.

-Opticon

There are multiple ways to do this.

This is an example of using the HID and STORAGE attackmodes to run a PowerShell command that runs a cmd script.

https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/credentials/PasswordGrabber

This is Darren's Python solution to grabbing credentials (uses only the RNDIS_ETHERNET attackmode):

https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/credentials/QuickCreds

You can also do it another way, by starting a webserver and sharing a batch/cmd file over the Bunny's network, then making a HID attack to run the script from the share folder. This uses the RNDIS_ETHERNET and HID attackmodes.

The batch/cmd files served don't have to grab credentials either. They could robocopy the documents folder or run other commands (like outputting ipconfig to a file on the BashBunny if you really wanted to).

Edited by Dave-ee Jones
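From the defender's side, here is an added example (not code from this thread or from the hak5/bashbunny-payloads repository) of what these payloads look like in host telemetry: a small Python detector run over constructed Sysmon Event ID 1 style process-creation records that flags the netsh wlan ... key=clear command discussed at the top of the thread, and, as a heuristic assumption, a .cmd/.bat/.ps1 launched by cmd or PowerShell from a non-C: drive letter, which is how the HID+STORAGE approach above would appear on the target. The field names, paths and sample records are all constructed.

```python
import re
from typing import Dict, List

# Constructed sample records in a Sysmon Event ID 1 style; not real telemetry.
SAMPLE_LOG = r"""
UtcTime=2017-03-16 01:40:02 Image=C:\Windows\System32\netsh.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine=netsh wlan show profile name="CorpWiFi" key=clear
UtcTime=2017-03-16 01:40:05 Image=C:\Windows\System32\netsh.exe ParentImage=C:\Windows\explorer.exe CommandLine=netsh wlan show profiles
UtcTime=2017-03-16 01:41:10 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=cmd.exe /c D:\a.cmd
UtcTime=2017-03-16 01:41:11 Image=C:\Windows\System32\netsh.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine=NETSH  WLAN  SHOW  PROFILE  key=clear
"""

FIELDS = ("UtcTime", "Image", "ParentImage", "CommandLine")
# Split only where whitespace is followed by a known field name, so values that
# contain spaces or '=' (the command line itself) stay intact.
_FIELD_SPLIT = re.compile(r"\s+(?=(?:%s)=)" % "|".join(FIELDS))
# "netsh wlan show profile ... key=clear" exports the stored passphrase in plain text.
NETSH_KEY_CLEAR = re.compile(r"\bwlan\b.*\bshow\b.*\bprofiles?\b.*\bkey=clear\b", re.I)
# Heuristic (assumption): a .cmd/.bat/.ps1 launched from a drive letter other
# than C:, which is how a script on USB mass storage would appear on the host.
REMOVABLE_SCRIPT = re.compile(r"\b[D-Z]:\\\S*\.(?:cmd|bat|ps1)\b", re.I)
SHELLS = ("cmd.exe", "powershell.exe")

def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn each key=value record into a dict; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = {}
        for part in _FIELD_SPLIT.split(line.strip()):
            key, _, value = part.partition("=")
            rec[key] = value
        records.append(rec)
    return records

def detect(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per matching record, in log order."""
    findings = []
    for rec in records:
        image = rec.get("Image", "").rsplit("\\", 1)[-1].lower()
        parent = rec.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        # Collapse whitespace runs so extra spacing does not defeat the pattern.
        cmdline = " ".join(rec.get("CommandLine", "").split())
        if image == "netsh.exe" and NETSH_KEY_CLEAR.search(cmdline):
            findings.append({"time": rec.get("UtcTime", ""), "rule": "wifi-profile-key-export",
                             "severity": "high", "parent": parent, "evidence": cmdline})
        elif image in SHELLS and (m := REMOVABLE_SCRIPT.search(cmdline)):
            findings.append({"time": rec.get("UtcTime", ""), "rule": "script-from-removable-media",
                             "severity": "medium", "parent": parent, "evidence": m.group(0)})
    return findings
```

Running `detect(parse_log(SAMPLE_LOG))` yields three findings: the two key=clear exports and the cmd script launched from D:, while the plain `netsh wlan show profiles` listing (no key material) is left alone.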
