Many credential payloads are not working


XenoByte

Hi,

I received my BB a week ago and 'til now none of the credential payloads I've tested did not work. Here's a list I've tried:

  • BrowserCreds
  • MrRobot
  • BunnyTap
  • QuickCreds
  • JackRabbit
  • WindowsCookies

I've tried those on two different PCs, one with Windows 10 and one with Windows 7.

What also kinda bothered me is that I can't get the internet sharing working on Kali Linux. What I've tried:

  1. Create a payload.txt file with "ATTACKMODE ECM_ETHERNET" on it. Started my BashBunny on the switch where the file was located (Switch 1).
  2. Download bb.sh from bashbunny.com
  3. Started it with root privileges.
  4. Tried both Guided and Manual but both ended up in having no network at all.

But besides those things, I really love the BashBunny and its features. Also the shipping was really quick. If anyone has some tips to get those payloads working, please post them.


Made a typo:

"I received my BB a week ago and 'til now none of the credential payloads I've tested did not work. Here's a list I've tried:"

Must be:

"I received my BB a week ago and 'til now all of the credential payloads I've tested did not work. Here's a list I've tried:"


Uhmm, so are you saying it's fixed? :P

The first one was correct, I believe. The way it's worded is a bit confusing.

First thing to do - update firmware to 1.3. Then try the latest QuickCreds. I wouldn't be surprised if all those payloads didn't work as most of them are outdated, especially if you are using firmware 1.0.

Also, my payload Slydoor does a similar thing to those. Maybe copy the bat/ps1 file to the Slydoor directory and tell it to run that instead (MODE option - though the file has to have a .ps1 extension to be run by Slydoor).

OR, even better, make your own passer :D


1 hour ago, Dave-ee Jones said:

Uhmm, so are you saying it's fixed? :P

The first one was correct, I believe. The way it's worded is a bit confusing.

First thing to do - update firmware to 1.3. Then try the latest QuickCreds. I wouldn't be surprised if all those payloads didn't work as most of them are outdated, especially if you are using firmware 1.0.

Also, my payload Slydoor does a similar thing to those. Maybe copy the bat/ps1 file to the Slydoor directory and tell it to run that instead (MODE option - though the file has to have a .ps1 extension to be run by Slydoor).

OR, even better, make your own passer :D

Sorry, it is kinda late lol.

No, they're still not working and I'm running the latest version, which is 1.3. I will check out your payload and eventually try to make something myself.

Most payloads ended up with an empty folder/txt file.


44 minutes ago, XenoByte said:

Sorry, it is kinda late lol.

No, they're still not working and I'm running the latest version, which is 1.3. I will check out your payload and eventually try to make something myself.

Most payloads ended up with an empty folder/txt file.

Ah so they did run just didn't execute the DUCKY script? Sounds like a broken driver..


17 minutes ago, Dave-ee Jones said:

Ah so they did run just didn't execute the DUCKY script? Sounds like a broken driver..

Sorry for not being clear enough.

The DUCKY scripts run, so do the Ethernet drivers (for other payloads). Mostly they'll fail at the POWERSHELL part. I have no clue where I can find/get a log so I can't provide one.


9 hours ago, thefragile99 said:

I've noticed this too with the credential extracting payloads. QuickCreds works fine but the rest not so much. I'll check out the languages section of the FAQ. 

Yeah, could be that QuickCreds sets the language before it runs the payloads, whereas the others don't so it doesn't interpret it properly.


  • 2 weeks later...
On 17/7/2017 at 4:36 AM, XenoByte said:

Hi,

I received my BB a week ago and 'til now none of the credential payloads I've tested did not work. Here's a list I've tried:

  • BrowserCreds
  • MrRobot
  • BunnyTap
  • QuickCreds
  • JackRabbit
  • WindowsCookies

I've tried those on two different PCs, one with Windows 10 and one with Windows 7.

What also kinda bothered me is that I can't get the internet sharing working on Kali Linux. What I've tried:

  1. Create a payload.txt file with "ATTACKMODE ECM_ETHERNET" on it. Started my BashBunny on the switch where the file was located (Switch 1).
  2. Download bb.sh from bashbunny.com
  3. Started it with root privileges.
  4. Tried both Guided and Manual but both ended up in having no network at all.

But besides those things, I really love the BashBunny and its features. Also the shipping was really quick. If anyone has some tips to get those payloads working, please post them.

Hi,

I have the same problem as you.

Could you make it work?

Please, if so, I would like to know how. I am getting mad about my BB.

Thanks


  • 1 month later...

 

On 7/17/2017 at 8:06 AM, XenoByte said:

Hi,

I received my BB a week ago and 'til now none of the credential payloads I've tested did not work. Here's a list I've tried:

  • BrowserCreds
  • MrRobot
  • BunnyTap
  • QuickCreds
  • JackRabbit
  • WindowsCookies

I've tried those on two different PCs, one with Windows 10 and one with Windows 7.

What also kinda bothered me is that I can't get the internet sharing working on Kali Linux. What I've tried:

  1. Create a payload.txt file with "ATTACKMODE ECM_ETHERNET" on it. Started my BashBunny on the switch where the file was located (Switch 1).
  2. Download bb.sh from bashbunny.com
  3. Started it with root privileges.
  4. Tried both Guided and Manual but both ended up in having no network at all.

But besides those things, I really love the BashBunny and its features. Also the shipping was really quick. If anyone has some tips to get those payloads working, please post them.

SAME PROBLEM KINDLY HELP!


  • 1 month later...

I am having similar issues. It has been very frustrating. I identified what is broken in the jackrabbit payload; but don't understand why it is failing. All the details are here:

I hope this helps someone; and if I figure this out, I will post my solution in that jackrabbit payload post.


On 7/19/2017 at 4:30 PM, RazerBlade said:

Try the password grabber payload, I created it because I myself had these problems and for me it's very stable.

Does Password Grabber get Windows passwords and wireless profile passwords? I ran it; and it is running; but I'm not getting any passwords in the output file it creates. Thanks for your reply.


I modified the xcopy section as follows to grab information on the wireless networks on the client:

REM if Exist %USERPROFILE%\Documents (
if Exist c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* (
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.

xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* %dst% >>nul

REM Same as above but does not create empty directories
REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul

)

 

I have confirmed this works and much thanks to RazerBlade for a BB cred payload that actually works! Not only that; but it is insanely fast too! I think we could host the lazagne.exe file on a website we control to get around the read only issue they were discussing on hak5. However, I like the option of being able to do it all locally if possible. What would it take to modify this so we can pull it down from a server and run it? RazerBlade, is that something you could change real fast and make available so we can have an all local copy like we have now and a hosted version like JackRabbit? Thanks again!

Also, now that I have these wireless profiles, what is the best use of them? The passphrases are hashed or something. Can these be cracked or used in another way?

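For defenders, the xcopy of the WLAN profile directory described in the post above leaves a recognisable process-creation trail. The following is an added detection example, not part of the original thread or of any poster's payload; the pipe-delimited record format, the tool list and the sample events are constructed assumptions.

```python
import re

# Per-interface WLAN profile store on Windows (the path copied in the post above), lower-cased.
WLAN_PROFILE_DIR = r"\programdata\microsoft\wlansvc\profiles\interfaces"
# Copy-capable tools to watch; this list is an assumption, extend it for your environment.
COPY_TOOLS = {"xcopy.exe", "robocopy.exe", "cmd.exe", "powershell.exe"}
DRIVE_RE = re.compile(r"(?<![a-z0-9])([a-z]):\\")

# Constructed process-creation records (Image and CommandLine, as in Sysmon Event ID 1).
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\xcopy.exe|CommandLine=xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* E:\loot\PC01",
    r"Image=C:\Windows\System32\netsh.exe|CommandLine=netsh wlan show profiles",
    r"Image=C:\Windows\System32\xcopy.exe|CommandLine=xcopy /S C:\Users\alice\Documents D:\backup",
    r"Image=C:\Windows\System32\robocopy.exe|CommandLine=robocopy C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces C:\Backup\wlan /E",
]

def parse_event(line):
    """Split one constructed 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def score_event(event, system_drive="c"):
    """Return the reasons this event looks like bulk copying of WLAN profiles."""
    cmd = event.get("CommandLine", "").lower()
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    if WLAN_PROFILE_DIR not in cmd:
        return []
    reasons = ["references WLAN profile store"]
    if image in COPY_TOOLS:
        reasons.append("copy-capable tool: " + image)
    # A drive letter other than the system drive suggests a removable or mapped destination.
    other = sorted(set(DRIVE_RE.findall(cmd)) - {system_drive})
    if other:
        reasons.append("non-system drive in command line: " + ",".join(other))
    return reasons

def triage(lines):
    """Score every record; 'high' when the profile store is copied off the system drive."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = score_event(event)
        if reasons:
            high = any(r.startswith("non-system drive") for r in reasons)
            alerts.append({"image": event["Image"],
                           "severity": "high" if high else "medium",
                           "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"], alert["image"], "; ".join(alert["reasons"]))
```
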

7 hours ago, TeCHemically said:

I modified the xcopy section as follows to grab information on the wireless networks on the client:

REM if Exist %USERPROFILE%\Documents (
if Exist c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* (
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.

xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* %dst% >>nul

REM Same as above but does not create empty directories
REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul

)

 

I have confirmed this works and much thanks to RazerBlade for a BB cred payload that actually works! Not only that; but it is insanely fast too! I think we could host the lazagne.exe file on a website we control to get around the read only issue they were discussing on hak5. However, I like the option of being able to do it all locally if possible. What would it take to modify this so we can pull it down from a server and run it? RazerBlade, is that something you could change real fast and make available so we can have an all local copy like we have now and a hosted version like JackRabbit? Thanks again!

Also, now that I have these wireless profiles, what is the best use of them? The passphrases are hashed or something. Can these be cracked or used in another way?

I was thinking of doing the exfiltration via network, but in my experience, it is not as reliable. The best solution for this payload I think is to use read only storage and then have another partition on the Bunny writable so the documents can easily be exfiltrated.


6 hours ago, RazerBlade said:

I was thinking of doing the exfiltration via network, but in my experience, it is not as reliable. The best solution for this payload I think is to use read only storage and then have another partition on the Bunny writable so the documents can easily be exfiltrated.

I agree that is best; but would still like the option. Is there a write up on implementing a read only partition to the bb for this yet? I am working on adding plaintext wifi cred dumping to your payload. I am having powershell syntax issues; but should have it working once that is worked out. I'll share once it is done.


57 minutes ago, RazerBlade said:

Read only storage is now an attackmode. If you use it, you probably need to exfiltrate the data via network by using some fancy powershell script.

Oh, I see. Well, doesn't that just reintroduce the same stability issues with hosting payloads? You are still dependent on a network connection for your payload to function. I would rather keep the data written locally and have the option to call on a payload than to have to exfil the data. There's always a chance the exe won't be caught by AV; but if it is hosted and pulled down into memory and executed, then it almost definitely won't get caught by AV. Data exfil brings in its own potential hang ups. I already have a credential payload I'm using for Win that sends creds over the network to a server; but the php script doesn't work right so I just capture them via tcpdump.


Archived

This topic is now archived and is closed to further replies.
