
[PAYLOAD] QuickCreds



I'm also getting this issue, and I couldn't find a fix for this. Any suggestions??

https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/QuickCreds

Snags credentials from locked or unlocked machines. Based on the attack by Mubix of Room362.com. Implements a resp


I just tested this on a fresh Bash Bunny and it worked. Here's what I did:

  1. Download payloads from https://github.com/hak5/bashbunny-payloads/archive/master.zip
  2. Unzip master.zip
  3. Switch Bash Bunny to Arming mode and plug into PC
  4. Copy bashbunny-payloads-master\payloads\library\tools_installer\* to the Bash Bunny in payloads\switch2
  5. Safely eject Bash Bunny
  6. Switch Bash Bunny to switch 2 and plug into PC
  7. Wait until LED goes white

The blinking red LED you're getting indicates that the tools_to_install folder wasn't found in payloads/switch2

Please verify that all contents of the tools_installer were copied to payloads/switch2 on the Bash Bunny. When complete you should get a white LED and there should be an installed-tools.txt file on the root of the USB drive.


Also as an FYI all this payload does is copy the contents of tools_to_install to /pentest on the Bash Bunny. If you're comfortable doing that over SCP -- go for it. We're changing this operation in the next firmware in such a way that will make this payload obsolete.


Gave QuickCreds a try last night and it worked excellently on my Win 10 machine. After changing attack mode to ECM instead of RNDIS to try on OSX, the script ran but never completed. The PC is not encrypted and was unlocked at the time. Any ideas why it wouldn't work on OSX? Also, the Mac has a fresh install with all my apps and programs set up as of last night before testing.


Hello all,

I am having some trouble getting the tools installed.

After completing Darren's step 6 above (Switch Bash Bunny to switch 2 and plug into PC), I get a purple light for a second then solid red. All the files in the tools_to_install directory are still there. I have tried a couple of times and I am not sure where to go with this.

I also noticed that when in arming mode the Win10 machine I am on sees the BashBunny as having only 1.99GB.

Any advice welcome.

Thank you.

18 minutes ago, Stormborn said:

Hello all,

I am having some trouble getting the tools installed.

After completing Darren's step 6 above (Switch Bash Bunny to switch 2 and plug into PC), I get a purple light for a second then solid red. All the files in the tools_to_install directory are still there. I have tried a couple of times and I am not sure where to go with this.

I also noticed that when in arming mode the Win10 machine I am on sees the BashBunny as having only 1.99GB.

Any advice welcome.

Thank you.

Check this thread for more info about the tools_installer problems.

Edited by WatskeBart

Having a lot of fun with quickcreds (mad props on the bunny!), but it seems it just returns the NTLMv2 hash (as expected, same type of thing you would get with Responder using the LanTurtle). My question is, as a relative novice: I know I can crack NTLMv2 with hashcat (given enough horsepower and time), but are there any good guides on how to "pass the hash" in an RDP scenario? What other fun stuff can you do with the hashed NTLMv2 password?

Btw, Darren, I too got the red light bug after trying to run the install_tools payload, but I made a mistake I think others ran into: copying the payload rather than cutting and pasting it into the switch1 or switch2 folder. After I ran rm -rf /pentest I then tried a 2nd time, cutting it rather than copying it, and had no issues. This was on a Win10 box.


I am not quite sure that it worked for me. It seems like all the logs populate, but for some reason in the Responder session log the "NTLM hash:" part is blank. The Proxy-Auth NTLMv2 log has different things in there every time I plug it into the "victim (myself)" machine. I would think I would get the same hashes every time I test this out... So I don't think that is the hash.

If I am having a noob moment, can someone assist me?


I too am having a problem with QuickCreds. I got the tool_installer to work. Yet when I have tested the quickcreds payload on many different Windows and Linux machines, I only get the bunny scanning forever (blinking amber LED) and then an empty folder in loot. Any ideas?


From my testing with the LanTurtle, opening a fresh Chrome (I had less success with IE) should send the packets that Responder is looking for. If that does not work, waking a computer from sleep or searching for random file shares should also send out the NBT-NS requests, and then the attack should work.


I've noticed on my end that I kept trying quickcreds on my account on Windows 10 and it wasn't working, so I then switched to my brother's login. Tested it there and it worked great. Now, the difference between the accounts is that his is a local account and mine uses my Live account to log in.


Finally had the chance to test this on Windows machines in the field. The Bash Bunny was consistently successful with this payload and achieved success in ~10 seconds every time (from boot to creds).

Edited by Torrey

I've had a lot of success on Windows, but as for OSX it is a no go. Changed the settings for ECM, as RNDIS will not run, just a blinking red light, and when I use ECM it just constantly blinks amber. I've had it locked (not logged out) and even unlocked it with the bunny in and running, tried surfing the web while it was doing that to see if it would get anything at all, and after 15 min I just said hell with it and unplugged, with not even a file in the loot folder showing that it was plugged into the Mac. Nmapper works great though lol


Thanks Capt. (Love the username btw)! I did do some googling. I couldn't get it to crack the password (I have a pretty good one set) but I definitely got the hash (and good knowledge on how to do this attack now). Thanks for all your help!

I can confirm that this payload works flawlessly.


I have the same issue ...

Quote

I too am having a problem with QuickCreds. I got the tool_installer to work. Yet when I have tested the quickcreds payload on many different Windows and Linux machines, I only get the bunny scanning forever (blinking amber LED) and then an empty folder in loot. Any ideas?

It blinks yellow and never completes (gave it 5 mins+). It does create the loot/quickcreds/mypc/ folder but it's empty.

Local account and Windows 10.

Any ideas would help! And thanks in advance.


Did you test the items I suggested above and read the article (4armed)? Both should allow you to see what is going on; mind you, Wireshark captures will tell you if you are responding to queries or if you are still requesting and getting "normal responses." You can also see if all is working well by navigating to http://wpad; this test should work as well.
