qdba

Posts posted by qdba

  1. EncDecFiles.ps1

    • Author: (c) 2017 by QDBA
    • Version 1.0

    Description

    EncDecFiles.ps1 is a PowerShell script to encrypt / decrypt a PowerShell (or any other) file with AES. You can use it to obfuscate your PowerShell script, so an AV scanner doesn't detect it.

    • Usage:

        EncDecFiles.ps1 < -Encrypt | -Decrypt >      # encrypt or decrypt a file
                        < -In Filename >             # Input File
                        [ -Out Filename ]            # Output File
                        [ -Pass Password ]           # Password

    Example 1

    - encdecfiles.ps1 -In c:\test.ps1 -encrypt
      Encrypts the file c:\test.ps1 with password "hak5bunny"; the encrypted file is c:\test.enc

    Example 2

    - encdecfiles.ps1 -In c:\test.ps1 -encrypt -pass secret
      Encrypts the file c:\test.ps1 with password "secret"; the encrypted file is c:\test.enc

    Example 3

    - encdecfiles.ps1 -In c:\test.ps1 -encrypt -Out c:\encrypted-file.aes -pass Secret
      Encrypts the file c:\Test.ps1 with password "Secret"; the encrypted file is c:\encrypted-file.aes

    Example 4

    - encdecfiles.ps1 -In c:\Test.enc -decrypt
      Decrypts the encrypted file c:\test1.enc to c:\test1.ps1 with the default password "hak5bunny"

    How to run the encrypted PowerShell script

    In the script "Run_Script_Example.ps1" you see an example of how to load and execute the encrypted script. Load the encrypted script into a variable, then execute the function Run with the variable and a password.

    Download

    https://github.com/qdba/MyBashBunny/tree/master/Other/EncDecFiles

    • smbserver stuff removed
    • handshake removed
    • HTTP Server added (Download Powershell scripts, upload loot)
    • Invoke-m1m1d0gz.ps1 AES encrypted to Invoke-m1m1d0gz.enc. Not really necessary, but if you are in storage mode the AV doesn't remove it. :wink:
    • All in all a little bit faster
    • removed the debug code
    • recoded Get-WiFiCreds.ps1 to work on Windows 7
  2. 2.2 is heavily under development and not ready for use.

    - Payload not ready

    - main.ps1 50% ready

    All PowerShell files were AES encoded; they will be encoded directly to memory so the AV scanner does not detect them too fast.

    - Encode Decode Script ready

    Please wait a few days until all is working fine.

  3. 6 hours ago, Fang_Shadow said:

    I made some changes to the payload, instead of cmd calling powershell to open another cmd, I have it opening a powershell as admin (more tools). And I have made another section which closes all open cmd and powershell just in case one lingers for whatever reason, oh and of course clearing the run dialog.

    Does it work if you are not admin and there is no UAC prompt?

     

  4. 21 minutes ago, Fang_Shadow said:

    nano or vi into the file located at /usr/local/bunny/bin/bunny_framework, it is the last hop in the file at the very end and changing it to "hop &"(without the double quotes). I don't recommend it for now though and just wait for 1.2 as doing so will have effects unintended or harmful to the BB. I had an issue and restored it 3 times after changing the bunny_framework file (just me most likely), and the LEDs won't work properly after the change.

    Yes, that's what I said.

    The only way for me to get rid of the timeout problem at the moment was to set the Timeoutsec variable as I described in the first post of this thread. But it is only for experienced Linux users who know what they do. Others should wait for FW 1.2.

     

  5. Hi sebkinne,

    I changed the bunny_framework and changed the hop command at the last line to hop &

    The payload does not work, and when I boot in arming mode the blue LED stops blinking and goes off after a few seconds. I can log in in serial mode.

    Can you confirm?

    I will do some more investigation and give you some logs.

  6. In FW 1.0 there is no bunny_framework. The important thing is that you can log in to the bunny, so the bunny works.

    You put the & at the wrong place. I got the advice with the & from sebkinne, but while writing the patch I'm not sure if it works right. Therefore I removed the post from this list. Please wait for the patch, or wait for FW 1.2, which will come ASAP.

     

  7. Open the file with the vi editor. Are there ^M at the end of the lines?

    Be sure the Notepad++ Edit --> EOL Conversion is set to "Convert to Unix Format".

    My scripts were also created with Notepad++.

  8. 6 minutes ago, GitGitBunny said:

    I actually think I found out what the problem is.. and seem to be able to reproduce the problem as well. I did some testing and came to the following conclusion:

    When creating a new file in Notepad++ (W7) and storing it on the BB, calling the function won't load it. However.. if I copy the original run.sh file, rename it to whatever and type the script into this file (explicitly typing, so no copying), it works.

    I'll add this finding to the github, maybe hak5 can do a root cause analysis.

    Remember... the first line of the folder.sh script must be

    #!/bin/bash

    Tested it - it works.

     

  9. 22 minutes ago, GitGitBunny said:

    I also posted this on the github. 

    Hi! I'm experiencing some issues with the extensions and I don't really know what I'm doing wrong.. According to the documentation of the bash bunny I can just invoke the commands but that leads to no results.

    ./payloads/switch1/payload.txt
    LED Y
    FOLDER

    ./payloads/library/extensions/folder.sh
    function FOLDER() {
    LED G
    }

    The led won't turn green. I also tried to do a RUN instead.. also not working.

    Anyone else have an idea?

    ./payloads/library/extensions/folder.sh
    function FOLDER() {
    LED G
    }
    export -f FOLDER
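    The two reasons an extension fails to load that come up in this thread, the missing export -f in the answer above and the Windows ^M line endings from Notepad++ discussed a few posts earlier, can both be checked from the shell. The script below is an added example and is not part of the Bash Bunny firmware or of any post here; the file it writes is a constructed stand-in for folder.sh, and the LED command is replaced by an echo so it runs on any Linux box:

```shell
#!/bin/sh
# Added example, not from the Bash Bunny project or this thread.
# Shows (1) why an extension function must be exported with `export -f`
# before a separate bash process, such as the one running payload.txt,
# can call it, and (2) how to spot the Windows CRLF (^M) line endings that
# also stop an extension file from loading.

# Writes a constructed extension file shaped like folder.sh to $1.
# The LED call is replaced by echo so the file runs on any machine.
# With $2 = 1 the file also exports the function, as in the answer above.
make_extension() {
  printf '#!/bin/bash\nfunction FOLDER() {\n    echo "FOLDER called"\n}\n' > "$1"
  if [ "$2" = 1 ]; then
    echo 'export -f FOLDER' >> "$1"
  fi
}

# Returns 0 when a fresh bash child can call FOLDER after its parent has
# sourced $1. Without export -f the child reports "FOLDER: command not found".
child_can_call() {
  bash -c '. "$1" && bash -c FOLDER' _ "$1" >/dev/null 2>&1
}

# Returns 0 when $1 contains carriage returns (the ^M that vi shows), i.e.
# it was saved with Windows line endings instead of "Unix Format".
has_crlf() {
  grep -q "$(printf '\r')" "$1"
}

# Converts $1 from CRLF to LF in place (what the Notepad++ setting does).
strip_crlf() {
  tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo on a temporary file: only the exported variant is callable.
demo() {
  f=$(mktemp)
  make_extension "$f" 0
  if child_can_call "$f"; then echo "unexported: callable"; else echo "unexported: not found"; fi
  make_extension "$f" 1
  if child_can_call "$f"; then echo "exported: callable"; else echo "exported: not found"; fi
  rm -f "$f"
}
demo
```

    Run it with sh; it prints "unexported: not found" followed by "exported: callable". On the bunny itself, has_crlf is the quick check for a file that was saved on Windows: if it returns 0, fix the line endings before looking anywhere else.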

  10. 5 hours ago, PoSHMagiC0de said:

    After the upgrade I blindly blew away the old libraries on my BB and put the new ones...which did not have the old tools prepackaged.  I ended up having to clone the current repos of impacket and Responder and put them in the tools on the usb partition and followed directions of safe unmounting, unplugging and replugging in BB.  It copies them to the linux partition under /tools.

    Responder just worked when I tested on SSH. impacket stuff did not until I did the install, which then placed stuff in /usr/local/bin and all the scripts began to work. See this as a cross board compatibility issue with only paths, like when someone does SMB exfiltration or Quickcreds they will probably have to modify the path to their tools. The extension for RequireTools will not work for all since their tools may not be in the /tools folder on the linux partition.

    I've seen the linux partition apt folder has a sources.list to debian. Does that mean you can apt update and upgrade the BB or will it break their image doing so?

     

    The Debian apt does not install the files to /tools. I tried this with impacket. It works, but all checks from FW 1.1 (RequireTool impacket and so on) fail.

    I decided to make my own deb file with a post-installation script, so impacket installs fine to /tools and the setup.py is run from the deb file's post-installation script.

    Link to impacket.deb

  11. 2 hours ago, Dave-ee Jones said:

    Hi guys,

    Once again, Dave-ee Jones comin' at you with another question!

    How would one loop forever until an IP address (172.16.64.10-12), via DHCP, has been given to the client?
    Looking for something like this...

    
    while cannot_see_client {
    	sleep 1
    }
    
    # Continue with rest of code

     

    while [ $(ping -c 1 -W 1 172.16.64.10 >/dev/null ; echo $?) -ne 0 ]  ; do
         sleep 1
    done
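    A loop that can never end is a payload that never finishes, so here is a variant of the reply above with a deadline, written for POSIX sh. It is an added example, not from the thread; the addresses are the ones from the question, and the probe is split into its own function so the waiting logic can be exercised on a machine without a network:

```shell
#!/bin/sh
# Added example, not from the thread: waits for a DHCP client to become
# reachable like the loop above, but gives up after a fixed number of
# probes so a payload cannot hang forever when no host ever appears.

# Seconds between probes; the self-test sets it to 0.
WAIT_INTERVAL="${WAIT_INTERVAL:-1}"

# Probe one address once. Kept separate so the waiting logic can be
# exercised on a machine without a network by redefining this function.
probe() {
  ping -c 1 -W 1 "$1" >/dev/null 2>&1
}

# wait_for_client HOST MAX_PROBES
# Returns 0 as soon as HOST answers, 1 once MAX_PROBES have failed.
wait_for_client() {
  host="$1" max="$2" attempts=0
  until probe "$host"; do
    attempts=$((attempts + 1))
    if [ "$attempts" -ge "$max" ]; then
      return 1
    fi
    sleep "$WAIT_INTERVAL"
  done
  return 0
}

# wait_for_any MAX_ROUNDS HOST...
# The question's pool 172.16.64.10-12 means the lease may land on any of
# three addresses; prints the first one that answers, or returns 1 after
# MAX_ROUNDS passes over the whole list.
wait_for_any() {
  max="$1"; shift
  rounds=0
  while [ "$rounds" -lt "$max" ]; do
    for h in "$@"; do
      if probe "$h"; then
        echo "$h"
        return 0
      fi
    done
    rounds=$((rounds + 1))
    sleep "$WAIT_INTERVAL"
  done
  return 1
}

# Usage: sh wait-for-client.sh --demo
# (each failed round costs up to ~3 s of ping timeouts plus the sleep)
if [ "${1:-}" = "--demo" ]; then
  if ip=$(wait_for_any 10 172.16.64.10 172.16.64.11 172.16.64.12); then
    echo "client reachable at $ip"
  else
    echo "no client answered within the deadline" >&2
    exit 1
  fi
fi
```

    Because the deadline is counted in probes rather than seconds, a missing ping binary or a firewall that drops ICMP fails fast instead of silently stretching the wait; check the return code and branch on it rather than assuming the client is there.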

  12. Try this:

    1. ssh to the bunny.
    2. Back up the file /usr/local/bunny/bin/bunny_framework to /usr/local/bunny/bin/bunny_framework.bak
         cp /usr/local/bunny/bin/bunny_framework /usr/local/bunny/bin/bunny_framework.bak

    3. Enter the following command
         cat /usr/local/bunny/bin/bunny_framework.bak | sed 's/^hop\w*$/hop \&/'  > /usr/local/bunny/bin/bunny_framework

    Advice:

    Taking a look at /var/log/syslog is a good idea for debugging.

  13. 5 hours ago, trumoo said:

    Thanks. Issue was I didn't change lang from de to us in the payload.txt.

    Payload is working now. At the end of the script, it closes the first cmd prompt but leaves open the red elevated cmd prompt. I'm running Windows 10 1607 as an admin.


    I added 

    # Kill powershell.exe 
    kill -processname powershell -ErrorAction SilentlyContinue

    to the bottom of my .ps1 to properly terminate the powershell window.

     

    I love this script, thank you for all your hard work!

    The PowerShell window stays open because you are in debug mode. Delete the DEBUG file from the payload folder and all will be OK.

     

  14. 4 hours ago, trumoo said:

    url is bad, was this pulled?

    edit: https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds

    my payload just blinks yellow 4 times endlessly until it times out. nothing is ever run. I can't figure out how to get the debug information.

    I updated the URL.

    If you have created the file DEBUG in the payload folder, debug information is written to the file /tmp/log.txt. At the end of the payload the log is copied to the /loot folder.

    But if you run into a timeout, neither the debug log nor the loot can be copied to the /loot folder. For debugging you can ssh into the bunny and look at /tmp/log.txt.
