Zurix Posted March 13, 2017

OK, it works. I have an NTLMv2 file with hash strings. But Hashcat or John the Ripper doesn't decrypt it :(

Cpt.Pickles Posted March 13, 2017

Are you testing with something that is known in the text file you are using? If not, echo the word into the end of the file...

echo "blah" >> example.txt

Sometimes I found it best to set the format that I am using rather than let John guess.

Zurix Posted March 13, 2017

Cpt.Pickles: Yes, I have forced John with the "--format=netntlmv2" command option.

Xeladen Posted March 13, 2017

> On 3/12/2017 at 3:12 PM, Th3G04t said:
> I have the same issue ... It blinks yellow and never completes (gave it 5 mins+). It does create the loot/quickcreds/mypc/ folder but it's empty. Local Account and Windows 10. Any ideas would help! And thanks in advance.

I'm also getting this issue, and I couldn't find a fix for this. Any suggestions??

peterkozmd Posted March 13, 2017

Pretty sure we all did those easy steps but still having problems.

kpeezy Posted March 13, 2017

> 2 minutes ago, peterkozmd said:
> Pretty sure we all did those easy steps but still having problems.

OK, did you try, instead of copying those tools files and pasting into the payload folder, doing a cut and paste instead of copy? Does that work?

Zurix Posted March 14, 2017

OK, the hash works with hashcat, but only brute force or a wordlist to decrypt it. And many years of brute force for 9 or 10 characters ;) A better solution? Ophcrack? (I haven't tested it.)

Zurix Posted March 14, 2017

My 7-character password was cracked in 3h55, with hashcat and the command:

hashcat64.exe --force -m 5600 1.txt -a 3 --status

(1.txt is my renamed hash file from the Bash Bunny, originally named Proxy-Auth-NTLMv2-172.16.64.10.txt.)

zerocooler Posted March 17, 2017

> On 3/4/2017 at 10:52 PM, Darren Kitchen said:
> Also as an FYI all this payload does is copy the contents of tools_to_install to /pentest on the Bash Bunny. If you're comfortable doing that over SCP -- go for it. We're changing this operation in the next firmware in such a way that will make this payload obsolete.

I don't even have a pentest folder? Unless I can only see it by using PuTTY? Only reason I did this was to get QuickCreds to work. But then I re-read this and it said it will be obsolete - is this why I don't see a pentest folder? Because it's already obsolete?

cmaddy Posted March 17, 2017

The pentest folder is in the device root, not /root. You can see it if you SSH into the Bunny and look in /. You won't see it when using STORAGE mode.

For those wondering why they aren't seeing immediate results/just a blinking amber LED, you need to give Responder time to capture a hash. If you're using the Bunny against a test VM or just a convenient Windows PC, you may be waiting a while unless you force/initiate a request for a file share.

QuickCreds looks for the log file Responder creates when it captures an NTLM hash. The Bunny will blink the amber LED until it sees at least one such log file. You won't get an NTLM hash and a log file until the target sends that information for something like a file share and is tricked into providing the hash to Responder.

yeahits_ZP83 Posted March 17, 2017

Quickcreds is working great. Awesome tool.

Mehardeep Singh Posted April 19, 2017

I have a question... I tried it on a locked Windows 10 machine and I got the hashes, but what can I do with NTLMv2? From the knowledge I have it is either hash passing attacks or cracking, but cracking in a real world scenario is almost not an option, so what do you do with the NTLMv2?

LowValueTarget Posted April 19, 2017

> 2 hours ago, Mehardeep Singh said:
> I have a question... I tried it on a locked Windows 10 machine and I got the hashes, but what can I do with NTLMv2? From the knowledge I have it is either hash passing attacks or cracking, but cracking in a real world scenario is almost not an option, so what do you do with the NTLMv2?

https://security.stackexchange.com/questions/72005/are-there-any-ways-to-leverage-ntlm-v2-hashes-during-a-penetration-test

Vagabond Posted April 20, 2017

I am currently running FW 1.1 and QuickCreds works great. However, when I tried to crack the captured NTLMv2 hash with hashcat using a known password, it didn't work. I had the same problem as seen here: http://stackoverflow.com/questions/41487203/hashcat-not-working-on-netntlmv2-hashes-obtained-by-responder

I originally used https://github.com/qdba/MyBashBunny/tree/master/tools by user qdba to install responder_2.3.3.5.deb. Based on the Stack Overflow post, I used the latest Responder 2.3.3.6 on a Kali VM and cracked a captured hash with a known password immediately. It seems my issue is that I'm using an older version of Responder.

My question: What's my best course of action for installing the latest version of Responder on my Bash Bunny? Should I just update packages? Put the latest Responder version in the tools directory? I don't want to brick anything so I'm treading carefully.

Bryfi Posted April 20, 2017

> 8 hours ago, Vagabond said:
> I am currently running FW 1.1 and QuickCreds works great. However, when I tried to crack the captured NTLMv2 hash with hashcat using a known password, it didn't work. I had the same problem as seen here: http://stackoverflow.com/questions/41487203/hashcat-not-working-on-netntlmv2-hashes-obtained-by-responder
> I originally used https://github.com/qdba/MyBashBunny/tree/master/tools by user qdba to install responder_2.3.3.5.deb. Based on the Stack Overflow post, I used the latest Responder 2.3.3.6 on a Kali VM and cracked a captured hash with a known password immediately. It seems my issue is that I'm using an older version of Responder.
> My question: What's my best course of action for installing the latest version of Responder on my Bash Bunny? Should I just update packages? Put the latest Responder version in the tools directory? I don't want to brick anything so I'm treading carefully.

I second this. I have tried the upgraded version and it does not seem to capture any hashes. With 1.0.

Fang_Shadow Posted April 21, 2017

I have an updated dev file on my GitHub: https://github.com/F9Alejandro/packages. Just place it in your tools folder in arming mode, unplug, then plug back in for it to install. Be sure to remove the old responder from the /tools/ folder on the Linux side before install.

Smeege Posted April 21, 2017

> 13 hours ago, Fang_Shadow said:
> I have an updated dev file on my GitHub: https://github.com/F9Alejandro/packages. Just place it in your tools folder in arming mode, unplug, then plug back in for it to install. Be sure to remove the old responder from the /tools/ folder on the Linux side before install.

Great stuff @Fang_Shadow, works great. Just for anyone else who is curious, you can 'rm -r /tools/responder' the older responder version and then simply place this new responder_2.3.3.6-2.deb in the tools folder when the BB is mounted as storage. Safely remove the mounted BB and then plug it back in and it should install successfully as "NBT-NS, LLMNR & MDNS Responder 2.3.3.6", which fixes several issues including dumping a bad NetNTLMv2 hash. Cheers.

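
Added example (not part of any post in this thread, and not code from Responder, hashcat or the Bash Bunny project): a structural check for the NetNTLMv2 lines discussed above, in the USER::DOMAIN:CHALLENGE:NTPROOFSTR:BLOB layout that hashcat's -m 5600 mode reads, with the blob decoded as the NTLMv2 client challenge structure from MS-NLMP. The function name and the sample line are assumptions made for illustration; the sample is constructed, not a real capture.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
HEX = set("0123456789abcdefABCDEF")

def parse_netntlmv2(line):
    """Split USER::DOMAIN:CHALLENGE:NTPROOFSTR:BLOB and sanity-check each field.

    Returns (fields, problems). An empty problems list means the line is
    structurally sound, not that its values are correct.
    """
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        return None, ["expected USER::DOMAIN:CHALLENGE:NTPROOFSTR:BLOB"]
    user, _, domain, chal, proof, blob = parts
    fields = {"user": user, "domain": domain,
              "server_challenge": chal, "nt_proof_str": proof}
    problems = []
    for name, value, length in (("server challenge", chal, 16),
                                ("NTProofStr", proof, 32)):
        if len(value) != length or not set(value) <= HEX:
            problems.append(f"{name} must be {length} hex characters")
    # The blob is the NTLMv2 client challenge structure: 8 header bytes,
    # 8-byte timestamp, 8-byte client challenge, 4 reserved bytes, AV pairs.
    if len(blob) < 56 or len(blob) % 2 or not set(blob) <= HEX:
        problems.append("blob must be hex and at least 28 bytes long")
        return fields, problems
    raw = bytes.fromhex(blob)
    if raw[:2] != b"\x01\x01":
        problems.append("blob does not start with 01 01")
    (ticks,) = struct.unpack_from("<Q", raw, 8)  # 100 ns ticks since 1601
    try:
        fields["client_time"] = EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        problems.append("client timestamp is out of range")
    fields["client_challenge"] = raw[16:24].hex()
    return fields, problems

# Constructed sample line (not a real capture); every value is made up.
_ticks = (datetime(2017, 4, 20, 12, tzinfo=timezone.utc) - EPOCH) // timedelta(microseconds=1) * 10
SAMPLE = ("testuser::LAB:0123456789abcdef:" + "aa" * 16 + ":0101000000000000"
          + struct.pack("<Q", _ticks).hex() + "1122334455667788" + "00000000")

if __name__ == "__main__":
    print(parse_netntlmv2(SAMPLE))
```

A clean result only rules out truncation or formatting damage; a well-formed line can still carry wrong values, which only a test against a known password shows.
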
Bryfi Posted April 21, 2017

> 14 hours ago, Fang_Shadow said:
> I have an updated dev file on my GitHub: https://github.com/F9Alejandro/packages. Just place it in your tools folder in arming mode, unplug, then plug back in for it to install. Be sure to remove the old responder from the /tools/ folder on the Linux side before install.

Working flawlessly, thanks!

rawrmonster Posted April 21, 2017

I have version 1.1_228 and I think I have fully installed responder and impacket, but I may not have done things correctly. When I try to use quickcreds it lights up purple for a minute then just blinks red.

How I installed the tools was to download them from GitHub, then put the tools in the tools folder. After that I unplugged and replugged it, and the folders disappeared. Then I remoted in to the Bash Bunny and ran the setup.py for impacket, and it looked like responder did not have a setup.py file.

Fang_Shadow Posted April 21, 2017

Correct, impacket is the only one with a setup.py; responder doesn't need any setup, it just works. All that is needed is to look for the REQUIRETOOL fields and make sure impacket and responder are there. Then to run the test server and such you need to basically cd into the dir with the examples; if not, quickcreds should do it for you.

trumoo Posted April 22, 2017

The date in my loot folder is incorrect (example: date modified on the folders and files created within the loot folder from this payload). Is this a setting in the Linux side of the BB that cannot be changed because there's no RTC in the BB, or is this a setting I can change with SSH, or is something else wrong?

Fang_Shadow Posted April 22, 2017

It is because the Linux box can't get the correct time and date. My packages repo says last updated 15 days ago because I pushed via my Bash Bunny to GitHub. Don't worry about the time and/or date being off, because you will need to change the settings every time you plug it in.

Sebkinne Posted April 22, 2017

> 17 hours ago, trumoo said:
> The date in my loot folder is incorrect (example: date modified on the folders and files created within the loot folder from this payload). Is this a setting in the Linux side of the BB that cannot be changed because there's no RTC in the BB, or is this a setting I can change with SSH, or is something else wrong?

The Bash Bunny doesn't have a battery connected to the RTC, so it has no way to keep accurate time. We use a bit of a hack to try to make the time a bit more accurate by using NTP (when an Internet connection is present) and checking the last accessed time of files on the Bash Bunny and setting the time to the latest date found. While this method is not accurate, it will usually get you in the same year and month, which is enough for most utilities to function properly (certificate verification, for example).

levic08 Posted August 11, 2017

There is no tools_installer now?

Sebkinne Posted August 11, 2017

> 2 hours ago, levic08 said:
> There is no tools_installer now?

No.

Archived
This topic is now archived and is closed to further replies.