combatwombat27 Posted June 1, 2017 (edited)

Hey all! Inspired by Darren's recent blog post, I wanted to put together a version of the duckyscript SMB hash grab that didn't require an external networked SMB server setup. I know there are other ways of grabbing the hash given you have both HID and STORAGE access if you want, but it was a lot of fun to put together at the very least.

Pull Request to Bash Bunny Github Repo
Download: Github SMBHashGrab

Please reach out to me with any bugs or suggestions.

* Author: Combat_Wombat @zac_borders
* Version: 1.0

Description
Bash Bunny script to exfiltrate a hash via a standalone SMB attack against Windows Domain computers. Inspired by Darren's post. @hak5darren || Hak5 Blog

Configuration
Run on a domain computer that is logged in.

Requirements
1. **You must install impacket**
2. Download impacket
3. Place in /tools
4. This will install when you reconnect the drive
5. From the Bash Bunny run: cd /tools/impacket && python setup.py install

Here you can find the Impacket Github.

Payload LED STATUS
FAIL      Missing Requirement Impacket
SETUP     Setup
STAGE1    Setting up SMB server
STAGE2    HID Injection
CLEANUP   Grepping for hash, storing in loot
FINISH    Light is green, trap is clean.

Edited June 2, 2017 by combatwombat27: Updated url
korang Posted June 14, 2017

OK, I also put together a very similar script. I have found on my lab systems for my "work" environment that the timing for mapping the network share had to be increased. I also ran into issues where the DUCKY ALT F4 did not close the explorer window as I had hoped. I had to use powershell to kill explorer. This "work" system is a Windows 7 x64 laptop on an Active Directory Domain. One other weird note, due to certain GPO's we have I had to disconnect the hard wired LAN cable to get it to properly map to the Bash Bunny. Now, with the faster timing and ALT F4, I found it worked on my non-domain, stand alone Windows 10 laptop. So as a side note to anyone using it in a professional capacity and environment, and with all PROPER PERMISSIONS, of course: you may need to adjust timing and make some adjustments for it to work right, depending on any protections the workstation may have. But I will admit your script is way cleaner than mine.
combatwombat27 (Author) Posted June 14, 2017 (edited)

5 hours ago, korang said:
OK, I also put together a very similar script. I have found on my lab systems for my "work" environment that the timing for mapping the network share had to be increased. I also ran into issues where the DUCKY ALT F4 did not close the explorer window as I had hoped. I had to use powershell to kill explorer. This "work" system is a Windows 7 x64 laptop on an Active Directory Domain. One other weird note, due to certain GPO's we have I had to disconnect the hard wired LAN cable to get it to properly map to the Bash Bunny. Now, with the faster timing and ALT F4, I found it worked on my non-domain, stand alone Windows 10 laptop. So as a side note to anyone using it in a professional capacity and environment, and with all PROPER PERMISSIONS, of course: you may need to adjust timing and make some adjustments for it to work right, depending on any protections the workstation may have. But I will admit your script is way cleaner than mine.

Awesome to see this getting some testing in the wild! I'm not entirely sure why Alt + F4 would fail in Windows 7 other than it just firing too fast; that is interesting to hear. With regards to the GPO and LAN cable, it sounds to me like they have some GPOs setting what to use as the primary network connection. I would doubt many attacks written using the networking ATTACKMODE would work well on that machine, given they often base their ability to intercept on the fact that being the fastest network connection makes them primary.

Clean code?! 0.o I didn't expect to hear that of all comments. hahaha Thanks!

Realistically I feel this isn't the most useful attack given you could use other duckyscript code to export hashes without needing to exploit network connectivity, but it certainly was a fun exercise to create, and if it helps at all then it has done some good. Thanks for checking out the tool, and bringing back some useful feedback!

Edited June 14, 2017 by combatwombat27: Added post quoting