
[PAYLOAD] QuickCreds


Darren Kitchen


Does anyone know why QuickCreds does not work for Windows 10 64-bit anymore?

For some reason it is no longer acting as the main source of internet. If I'm connected to Wi-Fi or Ethernet, the Bash Bunny doesn't override it, and even when it's the main source of net it still stays flashing amber and never grabs any information whatsoever.


Try launching IE 11 and then try it.  Not Edge or Chrome.  Chrome will prompt, Edge will too now I believe because MS sandboxed it, or is going to.

It doesn't work as well for Win10 because MS turned down the chattiness of Win10.  Plus they added a few other things like trusted sources, etc.


  • 3 weeks later...

I'm having a very similar problem but it started after I ran the bunnyupdater.  Ran the updater, which updated the firmware from 1.0 to current (1.3-264).  I then tried to run quickcreds and received the Fail1 (slow blinking red) light.

I've run the current install tools from here on the Hak5 forum. However, the Bunny never installs or moves the files.  I've manually created the pentest folder and copied the two folders from tools to install but no luck.

Is there a way to see if responder is installed on the Bunny?  Perhaps through serial?  Can I manually install it, and how do I?  Has anyone ever had to reset theirs to factory?  Is that a possibility?

Thank you for any help

 

 


I think I made some progress.  I copied the responder folder from /tools/pentest/responder to /tools/responder and quickcreds is now showing a fast red flash (Fail 2) instead of the slower red flash (Fail 1).

I feel that I've buggered this up in some fashion but I'm not sure how.   

Again, thanks for any help.

 


I have no issues with this script.

 

Download the needed Tools from the official Wiki. Put them into the Tools folder using arming mode, eject the BashBunny and reinsert. That will get the BashBunny to install the Deb files into the /tools folder of the BashBunny itself. After that you should be good to go.

 

 


  • 2 weeks later...

I just thought of a fix for this that may work but I don't have my bash bunny to test it.

Could you turn off internet in the bottom right before trying this on the log screen?

  • Press the little icon bottom right.
  • Press the slider on the adapter to off
  • Press back on main screen
  • Try now

Microsoft may be contacting its server or something as part of the new fix on the creators update on live accounts.

Due to local accounts being known to work on the new creators update this may just work.


14 minutes ago, Enso said:

I just thought of a fix for windows 10 live account that may work but I don't have my bash bunny to test it.

Could you turn off internet in the bottom right before trying this on the log screen?

  • Press the little icon bottom right.
  • Press the slider on the adapter to off
  • Press back on main screen
  • Try now

Microsoft may be contacting its server or something as part of the new fix on the creators update on live accounts.

Due to local accounts being known to work on the new creators update this may just work.

If not, it may be stored in another location etc., as when you try signing in with internet off and you give it the wrong password it says to use the last used password used on the device, so it has to be somewhere.

This is what I meant to say.
Deep apologies, I cannot seem to find the edit function and it seems I left a bit out.


  • 1 month later...
  • 3 weeks later...
On 2017/12/1 at 2:00 AM, Shad0wChick46 said:

Mine is also yellow forever, and as I'm trying to get creds from my machine while it's locked I can go into Chrome or watch Wireshark. Responder is installed and works when the computer is not locked but I need it to work while it is locked. Any ideas?

I met the same question. You tested on Windows 7 or 10?


  • 2 weeks later...
  • 2 weeks later...

I would like to ask: I used the Bash Bunny and captured the following information:

The general hash looks like only 32 characters, but the ones I grabbed from a few computers here are all the same length:

poyu.chen::JXXXH:25d123edc76b5dbf…

poyu.chen::JETSTARTECH:25d123edc76b5dbf…

1. Is this normal?

2. What direction do I need to study if this is an exception?

Please give me an idea or tell me my mistake.

Thanks


19 hours ago, KiraX said:

I would like to ask: I used the Bash Bunny and captured the following information:

The general hash looks like only 32 characters, but the ones I grabbed from a few computers here are all the same length:

poyu.chen::JXXXH:25d123edc76b5dbf…

poyu.chen::JETSTARTECH:25d123edc76b5dbf:0155BA5C50942F00F12040F199927658:01010000000000008696A1F78F8BD3015E9D98B6196D2D3E000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C000800300030000000000000000100000000200000CE085D8E86F633AC8A87EEF618E92DB8C7DA22264AB245CF88D3EE0F0688E6DB0A0010000000000000000000000000000000000009003A0048005400540050002F00700072006F00780079007300720076002E006A0065007400730074006100720074006500630068002E0063006F006D000000000000000000

 

 

1. Is this normal?

2. What direction do I need to study if this is an exception?

Please give me an idea or tell me my mistake.

Thanks

What you have there is what you are expecting.  That is an NTLMv2 hash.  It is what it looks like when it is sent over the network.  It is a hash of the hash hehe.  Start cracking.  The hash you are used to seeing is how it is stored locally in the SAM.
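
The field layout behind that answer, as an added example that is not part of the original thread: a Python parser for the `user::domain:challenge:response:blob` capture line format quoted above. It shows that the 32 hex characters after the server challenge are the 16-byte HMAC-MD5 proof and that the long tail is the client blob carrying target information. The AV pair ids follow MS-NLMP; the sample line and its names (`alice`, `LAB`) are constructed.

```python
import struct

# AV pair ids (MS-NLMP 2.2.2.1) whose values are UTF-16LE strings.
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 9: "TargetName"}

# Constructed sample, not a real capture: header, timestamp, client
# challenge, reserved, then AV pairs (domain "LAB", target "HTTP/proxy").
SAMPLE = ("alice::LAB:1122334455667788:00112233445566778899aabbccddeeff:"
          "0101000000000000" "0011223344556677" "8899aabbccddeeff" "00000000"
          "020006004c0041004200"
          "0900140048005400540050002f00700072006f0078007900"
          "00000000" "00000000")

def parse_ntlmv2_line(line):
    """Split an NTLMv2 capture line into its fields; ValueError if malformed."""
    user, empty, domain, challenge, proof, blob_hex = line.strip().split(":")
    if empty or len(challenge) != 16 or len(proof) != 32:
        raise ValueError("not an NTLMv2 capture line")
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01":
        raise ValueError("unexpected NTLMv2 blob version")
    av_pairs, pos = {}, 28          # AV pairs start after the 28-byte header
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:              # MsvAvEOL terminates the list
            break
        value = blob[pos:pos + av_len]
        if len(value) != av_len:
            raise ValueError("truncated AV pair")
        if av_id in AV_NAMES:
            av_pairs[AV_NAMES[av_id]] = value.decode("utf-16-le")
        pos += av_len
    return {"user": user, "domain": domain, "server_challenge": challenge,
            "nt_proof_str": proof, "client_challenge": blob[16:24].hex(),
            "av_pairs": av_pairs}

if __name__ == "__main__":
    for key, value in parse_ntlmv2_line(SAMPLE).items():
        print(f"{key}: {value}")
```

A bare 32-character NT hash, as stored in the SAM, has none of these fields and is rejected with `ValueError`.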


  • 2 months later...

Hello Everyone,

I am having an issue with my quickcreds setup that perhaps someone can help me figure out. I have it installed and working just fine using switch 2. However it will only work if I disable or unplug the network card from the workstation? Also if the workstation happens to have a wireless network card it must be disabled as well or the attack will not work. Once I do that everything works as it should.  

I have tried this on Windows 7 and Windows 10. Five workstations and 3 laptops that all do the same thing.

Any ideas? 

Thank you!


  • 1 year later...

Hello everyone, I’ve been playing with this payload for a while and I’ve had it working on some computers but then not on others (red light blinks, meaning no IP received). I tested this on my home computer and was having the same problem even though I set up my computer to share files and printer over network, and it didn’t work... but I’ve found the problem!

If the computer has DHCP disabled it won’t work and gives you that dreaded red LED. So after inserting the Bash Bunny and then right-clicking on the new network adapter and clicking Diagnose, Windows gave me the option to enable DHCP, which I did, and it then worked fine. I hope this helps a few of you out that have been dying to get this to work.

Obviously this isn’t always practical if you wanted to get the creds and get out of there, but at least you know the reason why it’s not working for you.
 

regards, shane

 


  • 3 months later...

I downloaded responder and copied the payload into the switch position. Everything seems to go fine, but the yellow blinking LED never finishes. I plugged it in a locked computer for 20 minutes and it was still attacking. It created the folder with my hostname but I didn't receive the hashes. It found nothing.


Archived

This topic is now archived and is closed to further replies.
