korang, posted September 6, 2016

https://room362.com/post/2016/snagging-creds-from-locked-machines/

In this article Mubix mentions installing inotify-tools. I cannot find it to install. Yes, I have run opkg update. Anyone know the correct source to install to get this package?
Xcellerator, posted September 7, 2016

Pretty sure he was only referring to the USB Armory when he was talking about inotify-tools. There aren't any LEDs on the Turtle for inotify-tools to interface with.
zoro25, posted September 7, 2016

Hopefully Darren will create a module which also handles the LEDs; he's hinted at it here: https://room362.com/post/2016/snagging-creds-from-locked-machines/#comment-2880269923

However, the LAN Turtle setup seems quite straightforward.

**Edit** Can't get it to log anything on my locked Win10 devices; obviously it grabs the NTLM hashes from unlocked devices.
barry99705, posted September 8, 2016

I'm not getting anything on mine. Tested on a win10 box and 2 different win7 boxen.
b0N3z, posted September 9, 2016

I did this with a Raspberry Pi Zero and I'm not getting results either.
bored369, posted September 10, 2016

Darren mentioned in the comments you can control the LEDs on the turtle with this method:

----------------------------------------------------------------
To make the LED go solid on the LAN Turtle after the creds are looted put the following in the /etc/rc.local file:

    echo "Starting cred watch" >> /root/rc.log
    /usr/bin/screen -dmS notify bash -c 'while inotifywait -e modify /root/responder/Responder.db; do echo 255 > /sys/devices/platform/leds-gpio/leds/turtle:yellow:system/brightness; done'

If you want to get creative with blinky blink patterns you can echo 0 for off and 255 for on into the file /sys/devices/platform/leds-gpio/leds/turtle:yellow:system/brightness
----------------------------------------------------------------

I haven't tested it yet myself though. I was able to set up the turtle and it grabbed creds seconds after it was set up on my Win10 system. I was logged in at the time and I do have OneDrive syncing, so I assumed that's what was pulled. Unsure though...
Forgiven, posted September 11, 2016

I followed the instructions explicitly. Didn't work for me on an attempt at my lab Win10 test unit. The blog article doesn't go into any depth on the Turtle configurations employed.
ptrac3, posted September 12, 2016

17 hours ago, Forgiven said:
    I followed the instructions explicitly. Didn't work for me on an attempt at my lab Win10 test unit. The blog article doesn't go into any depth on the Turtle configurations employed.

I do agree. Moreover, I don't understand if I have to change the DHCP options or not to include the WPAD proxy on the LAN Turtle.
barry99705, posted September 12, 2016

It's mostly working for me; the only problem is the responder.db is not in the root folder, it's in the /etc/turtle/Responder/ folder.
ptrac3, posted September 12, 2016

13 minutes ago, barry99705 said:
    It's mostly working for me; the only problem is the responder.db is not in the root folder, it's in the /etc/turtle/Responder/ folder.

This is a problem because if you reboot you will lose it, right?

This is what I have done so far: installed the responder module, enabled and started it, and modified rc.local with these lines:

    /etc/init.d/dnsmasq stop
    /usr/sbin/screen -dmS responder bash -c 'cd /overlay/etc/turtle/Responder; python Responder.py -I br-lan -f -w -r -d -F'
    #Add your commands above this line
    exit 0

Am I missing something? I receive hashes only if I connect to HTTP websites or non-existent shares. But I am not receiving hashes while I have the screen locked (I have multiple accounts on the machine but I don't think that's the problem).

Thank you very much for any help.
8bit, posted September 12, 2016

I'm not entirely sure as I've only just started looking at this - but for those of you who it's not working for, do the test machines belong to a domain, or only use local accounts? I don't think local accounts will be grabbed - only challenge-response type authentication, NTLM etc. I'm just guessing, but I'm sure someone skilled on this can clarify?
bored369, posted September 12, 2016

12 minutes ago, 8bit said:
    I'm not entirely sure as I've only just started looking at this - but for those of you who it's not working for, do the test machines belong to a domain, or only use local accounts? I don't think local accounts will be grabbed - only challenge-response type authentication, NTLM etc. I'm just guessing, but I'm sure someone skilled on this can clarify?

It works with local accounts as well. I've been testing it with both local accounts and Microsoft accounts on Windows 10. Haven't had it fail yet; haven't tested if no one is logged in, but both logged in and in a locked session it always seems to grab a hash with the creds in it.
zoro25, posted September 12, 2016

I'm logged into a domain and nothing for me. I have both Darren's light script and also the needed

    /etc/init.d/dnsmasq stop
    /usr/sbin/screen -dmS responder bash -c 'cd /overlay/etc/turtle/Responder; python Responder.py -I br-lan -f -w -r -d -F'

in my rc.local file and nothing is logged from locked devices (also domain joined).

For people who can get it to work, can you please give more info on your setup or even a walkthrough if possible?
8bit, posted September 13, 2016

Thanks bored369 - appreciate the confirmation.

I tried at home on my OS X 10.11 machine with no luck; it also didn't work on my Windows 7 VM. I just tried on my Win 7 work machine, which is bound to a domain, and that did work - however I had to install the drivers, so that would be a show stopper in a real world attack. I guess running on a Pi and connected via Ethernet as opposed to USB would be better to avoid driver issues?

One question - I tried on another OS X machine at work and the turtle seems to boot, then after a short time the LEDs confirm credentials have been obtained.. however when I get my loot folder all I see is the files below - which of course don't contain any captured hashes. Does this sound right?

    root@turtle:~/loot/0008# ls -l
    -rw-r--r-- 1 root root    0 Sep 12 20:36 Analyzer-Session.log
    -rw-r--r-- 1 root root 6794 Sep 12 20:36 Config-Responder.log
    -rw-r--r-- 1 root root    0 Sep 12 20:36 Poisoners-Session.log
    -rw-r--r-- 1 root root  107 Sep 12 20:36 Responder-Session.log

Thanks again!
feta, posted September 13, 2016

I was able to capture, but I needed to disconnect the machine from the network (Ethernet and wireless). The problem I'm having is when I disconnect the Turtle and move it to my machine to view the logs and the DB, they get overwritten. How can I resolve this? Any help would be appreciated.
azzarin, posted September 13, 2016

I can only get this to save the file in the /tmp/ folder. But then it will be deleted on the next reboot. Any clue? Otherwise it works fine.
ptrac3, posted September 13, 2016

4 hours ago, azzarin said:
    I can only get this to save the file in the /tmp/ folder. But then it will be deleted on the next reboot. Any clue? Otherwise it works fine.

Try to do something like this:

    mkdir -p -m 700 /root/logs
    rm /overlay/etc/turtle/Responder/logs
    ln -s /root/logs /overlay/etc/turtle/Responder/logs

I am still unable to receive any hash with a locked Win 10. I run "python Responder.py -I br-lan -f -d"; is that correct?
ROTHWELL, posted September 15, 2016

Hi all,

Been trying to get this working with my LAN Turtle, using various guides I'm finding online. Suspect I may be making it more difficult than it is! But then I noticed a module (QuickCreds) was released for this. I tried updating my LAN Turtle, but it says No Updates Available, and it's not appearing in my list of modules.

Can anyone shed any light on this?
8bit, posted September 15, 2016

Hey ROTHWELL

The turtle will need an internet connection.. this happened on mine - just connect a network cable from the Ethernet port of the turtle to your router/hub/whatever and it should get a DHCP IP and connect. That's what I needed to do at least. Then once added, go to 'configure' inside that module and it'll download and install the required dependencies.
ROTHWELL, posted September 15, 2016

29 minutes ago, ROTHWELL said:
    Hi all, Been trying to get this working with my LAN Turtle, using various guides I'm finding online. Suspect I may be making it more difficult than it is! But then I noticed a module (QuickCreds) was released for this. I tried updating my LAN Turtle, but it says No Updates Available, and it's not appearing in my list of modules. Can anyone shed any light on this?

EDIT: To anyone that read the above and thought "What a tool!" - you were right, I am! After a little more googling, I realised I needed to go into Module Manager and update my list of modules from there. Completely my own fault for not properly learning how to use the tool. (My only excuse is I've been hectically busy doing my OSCP.) #RubbishExcuse #GoogleAllTheThings
UnixSecLab, posted September 16, 2016

Regarding the new QuickCreds module, I installed this using "configure" from the module list, then enabled it. None of the Windows machines I used for testing responded with "creds" as far as I could tell. Three of the log files in the loot/000# directory showed growth, and looking at them I can see where it says it is responding with poison responses, but it never snags any results. I tried disabling all other networking on one of the targets and it still did not work. I'll be taking this to work with me tomorrow to let one of the corporate security team members try it on a workstation that is associated with an active domain controller (since my personal ones are not, in case this is the issue).

I did notice while reviewing the Config log that it keeps complaining that some other service has port 53 tied up. I looked at the /etc/turtle/autostart_modules/99-QuickCreds script, and the 'start' function looks like it is calling /etc/init.d/dnsmasq stop, but it's not working correctly. If I run netstat -plant before starting QuickCreds, it shows dnsmasq owns that port. If I run 99-QuickCreds start manually and check again, a bunch of services are listening that belong to python, but 53 still belongs to dnsmasq. If I manually stop dnsmasq before running the QC start script, then start QuickCreds as above, python owns port 53 as expected. Running the QuickCreds stop actually works properly and re-starts dnsmasq as expected. I'll dig through this script with a more careful eye and see if I can figure out why it's hosed on start, but I don't know if this is why I never get creds or not.

The three targets I tried were two Windows 10 laptops and a Windows 7 laptop. I tried in both "logged in" and "workstation locked with windows-L key" modes. I got nothing for my troubles.
barry99705, posted September 16, 2016

Leave the responder module running as well.
ROTHWELL, posted September 16, 2016

After my rocky start, I managed to get this to work on one domain machine (my own!). Tried it on two others though, and it's mithering for the Ralink driver :-/
M@$T, posted September 16, 2016

Hi there! My Turtle is on its way and I can't wait to try it out! I have been looking at guides and tutorials on how to use the snatch credentials functionality.. Looks straightforward, but most of you seem to be finding it a bit difficult.. Is there someone here who managed to successfully make this work who could create a guide with step-by-step commands? This would help out everyone here on the forum. Just a suggestion to help everyone out.
UnixSecLab, posted September 16, 2016

8 hours ago, barry99705 said:
    Leave the responder module running as well.

I'm not sure whom you are replying to specifically, but if it was me, I never set up the responder module through the turtle config separately from the QuickCreds module. Are both modules supposed to be configured? It looks like a conflict to do it that way, since QuickCreds sets it up a specific way and runs it, and "responder" has settings that change the behavior. And both of them are at the same 99-<script name> level in the autostart_modules directory. If we're supposed to set up both, what are the configuration options that the responder module needs that don't conflict with the QuickCreds module?
This topic is now archived and is closed to further replies.