Jump to content

[PAYLOAD] QuickCreds

Darren Kitchen

By Darren Kitchen
in Payloads

 Share

Recommended Posts

  • Replies 106
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

Xeladen
Xeladen

I'm also getting this issue, and I couldn't find a fix for this. Any suggestions??

Darren Kitchen
Darren Kitchen

https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/QuickCreds Snags credentials from locked or unlocked machines Based on the attack by Mubix of Room362.com Implements a resp

illwill
illwill

Violation of CoC

Darren Kitchen Grand Master

Darren Kitchen

Posted
  • Author
Posted

I just tested this on a fresh Bash Bunny and it worked. Here's what I did:

  1. Download payloads from https://github.com/hak5/bashbunny-payloads/archive/master.zip
  2. Unzip master.zip
  3. Switch Bash Bunny to Arming mode and plug into PC
  4. Copy bashbunny-payloads-mater\payloads\library\tools_installer\* to the Bash Bunny in payloads\switch2
  5. Safely eject Bash Bunny
  6. Switch Bash Bunny to switch 2 and plug into PC
  7. Wait until LED goes white

The blinking red LED you're getting indicates that the tools_to_install folder wasn't found in payloads/switch2

Please verify that all contents of the tools_installer were copied to payloads/switch2 on the Bash Bunny. When complete you should get a white LED and there should be an installed-tools.txt file on the root of the USB drive.

Link to comment
Share on other sites
b0N3z Rookie

b0N3z

Posted
Posted

Gave quick creds a try last night and worked excellent on my win 10 machine. After changing attack mode to ECM instead of rndis to try on OSX, the script ran but never completed. The PC is not encrypted and was unlocked at the time. Any ideas why it wouldn't work on OSX.   Also the Mac has a fresh install with all my apps and programs setup as of last night before testing.

Link to comment
Share on other sites
Stormborn Newbie

Stormborn

Posted
Posted

Hello all,

I am having some trouble getting the tools installed.

After completing Darren's step 6 above (Switch Bash Bunny to switch 2 and plug into PC), I get a purple light for a second then solid red. All the files in the tools_to_install directory are still there. I have tried a couple of times and I am not sure where to go with this.

I also noticed that when in arming mode the Win10 machine I am on sees the BashBunny as having only 1.99GB.

Any advice welcome.

Thank you.

Link to comment
Share on other sites
WatskeBart Newbie

WatskeBart

Posted
Posted (edited)
18 minutes ago, Stormborn said:

Hello all,

I am having some trouble getting the tools installed.

After completing Darren's step 6 above (Switch Bash Bunny to switch 2 and plug into PC), I get a purple light for a second then solid red. All the files in the tools_to_install directory are still there. I have tried a couple of times and I am not sure where to go with this.

I also noticed that when in arming mode the Win10 machine I am on sees the BashBunny as having only 1.99GB.

Any advice welcome.

Thank you.

Check this thread for more info about the tools_installer problems.

Edited by WatskeBart
  • Upvote 1
Link to comment
Share on other sites
lit Newbie

lit

Posted
Posted

Having a lot of fun with quickcreds (mad props on the bunny!), but it seems it just returns the ntlmv2 hash (as expected, same type of thing you would get with responder using the lanturtle) - my question is, as a relative novice, I know I can crack ntlmv2 with hashcat (given enough horsepower and time), but any good guides on how to "pass the hash" in an rdp scenerio? What other fun stuff can you do with the hashed NTLMv2 password?

 

Btw - Darren, I too got the red light bug after trying to run the install_tools payload, but, I made a mistake I think others ran into....copying the payload rather than cutting and pasting it into the switch1 or switch2 folder....after I ran rm -rf /pentest I the tried a 2nd time cutting it rather than copying it and had no issues. This was on a win10 box.

Link to comment
Share on other sites
Rub1xCub3 Newbie

Rub1xCub3

Posted
Posted

I am not quite sure that it worked for me. It seems like all the logs populate, but for some reason in the responder session log the "NTLM hash:" part is blank. In the Proxy-Auth NTLMv2 log has different things in there every time I plug it into the "victim (myself)" machine. I would think I would get the same hashes every time I test this out... So I dont think that is the hash.

 

If I am having a noob moment can someone assist me? 

Link to comment
Share on other sites
wit09 Newbie

wit09

Posted
Posted

I too am having a problem with QuickCreds. I got the tool_installer to work. Yest when I have tested the quickcreds payload on many different windows and linux machines I only get the bunny scanning forever (blinking Amber LED) and then an empty folder in loot. Any ideas? 

Link to comment
Share on other sites
Cpt.Pickles Newbie

Cpt.Pickles

Posted
Posted

From my testing with the LanTurtle, opening a fresh Chrome, I had less success with IE, should send the packets that Responder is looking for. If that does not work waking a computer from sleep or searching for random file shares should also send out the NBT-NS requests, and then the attack should work.

Link to comment
Share on other sites
wrxratd Newbie

wrxratd

Posted
Posted

I've noticed on my end I kept trying quickcreds on my account on windows 10 and it wasn't working so I then switched to my brother login. Tested it there and it worked great now the difference between the accounts are his is a local account mine uses my live account to login. 

Link to comment
Share on other sites
Torrey Newbie

Torrey

Posted
Posted (edited)

Finally had the chance to test this on Windows machines in the field. The Bash Bunny was consistently successful with this payload and achieved success in ~10 seconds every time (from boot to creds).

Edited by Torrey
Link to comment
Share on other sites
b0N3z Rookie

b0N3z

Posted
Posted

ive had a lot of success on windows but as for OSX it is a no go.  changed the settings for ecm as rndis will not run just a blinking red light and when i use ecm it just constantly blinks amber.  Ive had it locked (not logged out) and even unlocked it with the bunny in and running, tried surfing the web while it was doing that to see if it would get anything at all and after 15min i just said hell with it and unplugged with not even a file in the loot folder showing that it was plugged into the mac.  Nmapper works great though lol

Link to comment
Share on other sites
Rub1xCub3 Newbie

Rub1xCub3

Posted
Posted

Thanks Capt. (Love the username btw)! I did do some googling. I couldn't get it to crack the password (I have a pretty good one set) but I definitely got the hash (and good knowledge on how to do this attack now). Thanks for all your help!

 

I can confirm that this payload works flawlessly. 

Link to comment
Share on other sites
Th3G04t Newbie

Th3G04t

Posted
Posted

I have the same issue ...

Quote

I too am having a problem with QuickCreds. I got the tool_installer to work. Yest when I have tested the quickcreds payload on many different windows and linux machines I only get the bunny scanning forever (blinking Amber LED) and then an empty folder in loot. Any ideas? 

It blinks yellow and never completes (gave it 5 mins+ it does creates the loot/quickcreds/mypc/  folder but its empty

Local Account and Windows 10 

 

Any Idea's would help! and thanks in advance

Link to comment
Share on other sites
Cpt.Pickles Newbie

Cpt.Pickles

Posted
Posted

Did you test the items I suggested above and read the article (4armed)? Both should allow you to see what is going on, mind you Wireshark captures will tell you if you are responding to queries or if you are still requesting and getting "normal responses." You can also see if all is working well by navigating to http://wpad this test should work as well.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...