Hak5 Forums


About PoSHMagiC0de

  • Rank
    Hak5 Pirate

  1. Newbie Issue - quickcreds - red lights

    Can we post something in the quickcreds payload warning about it not working reliably in fully patched Windows 10? Okay, this topic is getting extremely old. So, I tested again to get absolutely up to date info. Now, on Windows 10, quickcreds is a hit or miss but most often a miss. I had it work one time on my test Win10 machine and not work again. It worked with it unlocked and if I fired off the Edge browser. Never use Chrome, Chrome fixed that issue of coughing up creds ages ago. You could also use Explorer and browse to a non-existent share. While Win10 is locked it did not work, even with the browser open. It got like that after the Creators Update. Payloads that use mimikatz do not work on newer Win10. Mimikatz was updated but not the PowerShell version, and it will get detected if used (old or new) by Defender (definitely Avast). Responder is the same for Win10 as it does not always work, and I have seen with the impacket SMB server that some Win10 machines will not connect unless credentials are input again. So, again...quickcreds works mostly reliably on Win7; on Win10 it may work with it unlocked and some manual intervention, and it may not. If you want it to be reliable, browse the bunny IP and it will definitely do something, but auto is a hit but more than likely will be a miss. Once again, MS knows about this thing and is actively fixing faults. After all that, for any future threads I come across that talk about this same topic the answer will be "doesn't work" as far as Win10 is concerned. Now some may come out and say it does after some hoop jumping, but then it is not automatic anymore, now is it?
  2. Which Language ?

    Depends on what you want to do, but I would agree with the others to just start, since when it comes to non-compiled languages like Python, Ruby, PowerShell, VBS, JS it pretty much becomes syntax. C# is like between those languages and the lower level languages since it compiles. Now, if you want to get into binary exploiting then you will need to learn the lower level languages like C and C++ to maybe understand what the pitfalls are, but ultimately you will need to learn assembly and its conversion to opcodes to be able to do any type of custom code injection or understand lower level exploits.
  3. What's up with the Github Repo?

    So, I notice the GitHub repo for the community payloads has an extremely slow turnaround. I am talking about weeks to months. I checked it recently and still see tons of pull requests, with a few being on hold for almost a year. Daaaaannnnggg!!!! I just saw the most recent commit and noticed it is Seb that did it. You have him handling the community repo too? What the hell? That guy has enough on his plate to be minding the ever changing landscape of userland pull requests. He has new projects to get done, PoCs to prove, ulcers to nurse from user rants. It is time to hand the mantle to someone else or begin looking for a few volunteers to handle that baggage over there, because it is beginning to look a little stale and Seb is aging too fast. :-P
  4. Possible Payload of PrivateLocker on BashBunny?

    What Razor said. Like if someone was to obfuscate Lazagne, they would make the Python scripts look completely different, probably like garbage, but if run through Python it will come out to perfect sense at runtime. They would do it by renaming functions, string substitution, partial base64 of some of the code to be converted back and loaded at runtime, etc. An example would be to encrypt a PowerShell script with the IV and key on the front. The cradle on the victim machine that will receive it knows how to decrypt it by pulling the key from the front (which it knows its size) and IV (once again it knows) and using them to decrypt the payload and run it. Obfuscation is mainly a means to bypass security like AV and IDS. Even hide it from human eyes of understanding. Mimidogz is a semi-obfuscated version of PowerShell mimikatz and used to work very well at AV evasion because of it. Think mimidogz is known by AV now.
  5. [PAYLOAD] HoppEye - 8x Mobile Payload Chooser

    My usage of this in the BBTPS is kinda different. No rewriting locations of files. Hoppeye is only used to change environment variables to affect what payload pack configs are run. Everything will still exist in the switch 2 folder, so I can have a payload in switch 1 and it will not get affected by the BBTPS running hoppeye on switch 2. It will also be an optional config, being the BBTPS will function standard unless in the payloadselect.txt you comment out the usual selection and uncomment hoppeye. There will be a config file for it that is just declarative (hide all the other config junk) to select what config file to run under each color. Sheesh, the BBTPS is turning into config file hell.
  6. Possible Payload of PrivateLocker on BashBunny?

    Better yet, just build it in .NET so you can have all the graphical bells and whistles and be able to do it in Visual Studio. Just make sure it compiles to a single .NET executable, else you will have to send over each DLL and load those first before loading the exe and running the main function. Why? It will be much smaller and you can then use PowerShell to load it reflectively and then execute the entry point (or main function). As a .NET app, PowerShell can load it. It doesn't even have to touch the HD: copy it over to PowerShell as base64, decode back to bytes and reflectively load it as an assembly. Then run the entry point. I have many different versions of crypto via code on my machine before I saw holdemup. .NET, Python, Node.js, and PowerShell. All using AES and RSA examples. I wanted to see if it was possible and even I had an idea to create a crypto payload, but it was going to be for PowerShell Empire. I changed my mind also on that because there was no practical use for it in a pentest environment. It would just end up in the troll section of the modules. I do use it for in-transit obfuscation. One example is to use AES to encrypt the script on the fly on the server, with the IV and key prepended to the front of the encrypted script before sending. Why? I am not caring about hiding it from humans trying to crack it, I am hiding it from the IDS seeing what it is in transit. I call it Lazy AES Obfuscation.
  7. Web Filter or Proxy?

    If you have a Raspberry Pi you could always use pi-hole. https://pi-hole.net/ Do not know how advanced your router is, but if you can set up separate DNS options for reserved clients then you can set up their DNS to point to pi-hole. Now you can blackhole any DNS requests to sites you do not want them having access to. Do not know if pi-hole can MAC filter requests, but I do know it can act as a DHCP server too. It will give you an insight into all the queries they make too...in essence their sites. It pretty much black holes any DNS requests for sites you do not want. You could go with Squid, but you will need to tell the clients to use it via proxy settings. If you are really serious you could put a Snort/Suricata machine in line to do sniffing and filtering, which will force them through it. Adding a cert trusted by the clients will give you insight into their HTTPS request contents as well.
  8. Remote Exec via PS (Payload Idea)

    Hmm, been a while since I enabled PSRemoting. I do not recall, but after enabling does the machine usually require a reboot? If not, there is actually an even more hidden idea. A WMI trigger to enable PSRemoting and allow your IP when some external event that you can control happens on the network or with a service on the machine. Use the bunny to create the trigger and now there is no PSRemoting port open. Trigger the WMI event from another machine so PSRemoting is enabled and then connect. When done you may be able to have an event to shut it back down too.
  9. Possible Payload of PrivateLocker on BashBunny?

    He removed the old payload because it was during a lot of the crypto scare time and the payload was a test but could not find a beneficial use for it on a pentest. Of course, he still has the crypto bug heheh. Understandable. Crypto is pretty cool when it doesn't give you a migraine. What are you thinking of accomplishing with the app? Is it going to be an automatic way for someone to secure their files on the bunny for transport like plug it in, it asks to retrieve or receive a file(s) or directory and either encrypts to bunny with public key set on bunny or decrypt from to computer with passworded private key? I looked at the app and like Dave-ee said your original project could be adapted to do the same. Reminds me of a crypto locker going legit. :-P
  10. Locking a folder with a batch file

    This reminds me of malware a customer of mine caught a while back. It replaced the original folder's names with a SID name and hid it and then created a shortcut that looked like the old folder that would tell it to run the malware first before opening the hidden folder it is associated with. Of course finding it is as simple as having "show hidden files" on in view.
  11. Need help with PasswordGrabber

    Know what, when I read through the payload.txt, I completely missed there was nothing there to create the folder it is dumping its files to. Yeah, creating the folder would be important. I have not used this payload.
  12. Need help with PasswordGrabber

    Are you including the "all" and the "-v"? If Lazagne is not even working then that explains the empty payload folder.
  13. Need help with PasswordGrabber

    I don't remember the e and d files being exes. They were cmd files. Try this. If you got the lazagne.exe then copy it to the machine and run it. According to the command file the command below should display output to the screen.

        lazagne.exe all -v

    If you get something then we know lazagne works. Next, with the bashbunny in arming mode, run the command again but add in " > driveletterofBB:\loot\lazagnetest.txt" where driveletterofBB is the current drive letter of BashBunny. We are just testing here to make sure everything works piece by piece.
  14. Metasploit ssh_login_pubkey

    Do not know how manufacturers provision their devices. If they just burned the same image onto their devices with SSH installed already, and if they set it up for key login with a key, then there will be one there in all the images. Also the ID key of the server will be the same, though I believe the server key will only assist you with MiTM to trick the user that you are the SSH server. If they never used keys to sign into SSH then there will be no default keys, just default passwords. If they never installed SSH but give you the option to D/L and install, like with OpenWrt and opkg files, then the key will be regenerated for the server and the user can copy a new logon key to the server for authentication, which will not be default. So in short, it depends. The keys I think you are looking for are auth keys. If the manufacturer never used keys for auth then it will never have a default key, just a password.
  15. Just wanted to add 1 thing. Sharing violation is not hit here if after GC you sort it. Reason being, when gc was run against the files, all their content was picked up first, files were closed and then contents were piped. PowerShell runs all of the command in each pipeline before proceeding to the next. To see this in action, GC a large file and pipe it to Out-String. If it did it line by line then the Out-String would populate line by line, but it sits for a while while it gets the contents before doing the Out-String. Watch the process mem size and you will see it increases as it is reading the file. To read it bit by bit you will need to access the .NET classes and create a stream and use it in a while loop or something of the sort that can be looped to keep reading the stream and do something with the contents until the stream is done. So, the above command will work like so:

        Get-ChildItem C:\path\to\files\* -Include *.txt -Recurse -File | gc | Sort-Object -Unique | Set-Content c:\path\to\sorted\wordlist.txt

    The above will work. I include "-File" in Get-ChildItem to get only files...in case some folder is named something.txt. Just a habit for me to target objects I want to work with.
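
Added example, not part of the original post: one way to do the stream-and-loop read the post mentions, merging wordlists through a .NET StreamReader and a SortedSet so each file is read a line at a time and only the unique words are held in memory. The function name `Merge-WordList`, the temp folder and the sample words are constructed for illustration; it assumes PowerShell 5 or later and, unlike `Sort-Object -Unique`, treats words that differ only in case as distinct.

```powershell
function Merge-WordList {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$OutFile,
        [string]$Filter = '*.txt'
    )
    # SortedSet keeps one copy of each word, already ordered (Ordinal = case-sensitive).
    $words = [System.Collections.Generic.SortedSet[string]]::new([System.StringComparer]::Ordinal)
    # Resolve against the PowerShell location, not the process working directory.
    $outFull = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutFile)

    Get-ChildItem -Path $SourceDir -Filter $Filter -Recurse -File |
        Where-Object { $_.FullName -ne $outFull } |   # never read the file being written
        ForEach-Object {
            $reader = [System.IO.File]::OpenText($_.FullName)
            try {
                # ReadLine() returns $null at end of stream; one line in memory at a time.
                while ($null -ne ($line = $reader.ReadLine())) {
                    if ($line.Length -gt 0) { [void]$words.Add($line) }
                }
            }
            finally { $reader.Dispose() }             # handle released before the next file
        }

    $writer = [System.IO.StreamWriter]::new($outFull)
    try { foreach ($w in $words) { $writer.WriteLine($w) } }
    finally { $writer.Dispose() }
    $words.Count                                      # number of unique words written
}

# Constructed sample input: two small lists with overlapping entries.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'wordlist-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'a.txt') -Value 'summer', 'admin', 'Password1'
Set-Content -Path (Join-Path $demo 'b.txt') -Value 'admin', 'letmein', 'summer'

Merge-WordList -SourceDir $demo -OutFile (Join-Path $demo 'merged.lst')
Get-Content (Join-Path $demo 'merged.lst')
```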