illwill Posted March 15, 2017 (edited) Violation of CoC. Edited October 8, 2017 by illwill: Violation of CoC
yeahits_ZP83 Posted March 15, 2017 Can't get it to work. Hmm... Is there an adjustment I need to make?
hysteric Posted March 16, 2017 This works flawlessly on Windows 10 systems, fails on two different Windows 7 hosts. I still want to give kudos to illwill for the awesome script!
illwill Posted March 16, 2017 Author (edited) Violation of CoC. Edited October 8, 2017 by illwill: Violation of CoC
jokre Posted March 16, 2017 Please note that the "key=clear" part of the netsh command (in the a.cmd file for this payload) requires local admin privileges on the specific Windows box to get anything out of it. I.e. the logged-on user on the PC has to be a local admin, otherwise key=clear will produce nada... So... that part will be "step 1" to verify. If the tests of the payload are executed in a lab environment (or on a PC where you can get access to the box the "correct" way), then log on and run the netsh command in the way it is specified in the a.cmd file of the payload. If netsh throws back an error telling you that it needs to be executed with admin privileges, then the currently logged-in user has no rights to issue this command with the key=clear "switch". The payload could perhaps be enhanced to catch the error that the command throws back at you, and if it says you need admin rights, then the payload could either blink a sequence telling that the execution went bad or put the status in a file on the local storage of the Bunny (or both). If working on boxes with a language other than English, the "error catch part" of the payload has to be adjusted so that it can handle error messages in the appropriate system language as well.
IRNMNKY Posted March 16, 2017 Props to illwill, only issue is it won't run automatically for me, but it does snag all creds if I run the PowerShell directly. Still a noob, so I don't know if I'm doing something wrong.
yeahits_ZP83 Posted March 16, 2017 Maybe I missed a step, but the payload hasn't provided me with any wificreds yet. I'm getting nothing in the loot. Only tested with Windows 10 so far.
illwill Posted March 17, 2017 Author (edited) Violation of CoC. Edited October 8, 2017 by illwill: Violation of CoC
yeahits_ZP83 Posted March 17, 2017 Creates a loot folder but no loot. I'll tinker with it more today.
larsc3po Posted March 17, 2017 On 3/16/2017 at 1:37 AM, jokre said: Please note that the "key=clear" part of the netsh command (in the a.cmd file for this payload) requires local admin privileges on the specific Windows box to get anything out of it. I.e. the logged-on user on the PC has to be a local admin, otherwise key=clear will produce nada... So... that part will be "step 1" to verify. If the tests of the payload are executed in a lab environment (or on a PC where you can get access to the box the "correct" way), then log on and run the netsh command in the way it is specified in the a.cmd file of the payload. If netsh throws back an error telling you that it needs to be executed with admin privileges, then the currently logged-in user has no rights to issue this command with the key=clear "switch". The payload could perhaps be enhanced to catch the error that the command throws back at you, and if it says you need admin rights, then the payload could either blink a sequence telling that the execution went bad or put the status in a file on the local storage of the Bunny (or both). If working on boxes with a language other than English, the "error catch part" of the payload has to be adjusted so that it can handle error messages in the appropriate system language as well. I ran the netsh command on a Windows 10 laptop logged in as a standard user and it returns the clear-text PW. If you try to get past UAC as a standard user, that won't work though.
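From the defender's side, the two posts above describe exactly what an endpoint monitoring rule should key on: the `netsh wlan show profile ... key=clear` command itself (it succeeds or fails on privilege, but it is logged either way) and an interpreter launched against a `.cmd` script on a removable drive, which is how the Bunny's STORAGE mode shows up on the host. The following is an added example, not code from the thread or from the payload; the record field names and the sample events are constructed, not taken from a real log export.

```python
"""Flag process-creation log entries consistent with the payload discussed in this thread.

Constructed sample records mimic the CommandLine field of Windows process
creation events (Security 4688 / Sysmon Event ID 1). The dictionary keys
"host", "user" and "cmd" are an assumption of this example, not a real schema.
"""
import re

# netsh wlan show profile ... key=clear (the command in a.cmd), any argument spacing/case
NETSH_KEY_CLEAR = re.compile(
    r"\bnetsh(?:\.exe)?\b.*\bwlan\b.*\bshow\b.*\bprofile\b.*\bkey\s*=\s*clear\b",
    re.IGNORECASE,
)
# cmd/powershell launched with a .cmd/.bat/.ps1 that lives on drive letter D: or later,
# where a USB mass-storage device such as the Bunny's STORAGE attackmode typically mounts
REMOVABLE_SCRIPT = re.compile(
    r"\b(?:cmd|powershell|pwsh)(?:\.exe)?\b.*\b[D-Z]:\\[^\s\"']*\.(?:cmd|bat|ps1)\b",
    re.IGNORECASE,
)


def classify(command_line: str) -> list[str]:
    """Return the names of every rule that matches one command line (empty list if clean)."""
    hits = []
    if NETSH_KEY_CLEAR.search(command_line):
        hits.append("wlan_profile_key_clear")
    if REMOVABLE_SCRIPT.search(command_line):
        hits.append("script_from_removable_drive")
    return hits


def scan(records: list[dict]) -> list[dict]:
    """Run classify() over records shaped like {"host": ..., "user": ..., "cmd": ...}."""
    findings = []
    for rec in records:
        for rule in classify(rec["cmd"]):
            findings.append({"host": rec["host"], "user": rec["user"], "rule": rule})
    return findings


# constructed sample events (not captured from any real system)
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice", "cmd": 'netsh wlan show profile name="HomeNet" key=clear'},
    {"host": "WS01", "user": "alice", "cmd": "netsh wlan show profiles"},
    {"host": "WS02", "user": "bob", "cmd": r'powershell.exe -w hidden -c "& E:\a.cmd"'},
    {"host": "WS02", "user": "bob", "cmd": r"cmd.exe /c C:\tools\build.cmd"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Listing profiles without `key=clear` (the second sample) is routine administration and is deliberately not flagged; the rule fires only when the clear-text key is requested, whether or not the call later fails on privilege.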
illwill Posted March 19, 2017 Author (edited) Violation of CoC. Edited October 8, 2017 by illwill: Violation of CoC
yeahits_ZP83 Posted March 19, 2017 Windows 10 so far. I can't get the WifiCreds or Wipassdump to work. I've gotten a few others to work such as usb_exfiltrator. Very fun tool to learn with.
illwill Posted March 19, 2017 Author (edited) Violation of CoC. Edited October 8, 2017 by illwill: Violation of CoC
GreenRubi Posted March 19, 2017 On 3/17/2017 at 7:22 AM, yeahits_ZP83 said: Creates a loot folder but no loot. I'll tinker with it more today. Same thing on Windows 10 here. Loot folder shows up and has the file DONE in it but nothing else. Running version 0.2 of the payload.
yeahits_ZP83 Posted March 19, 2017 2 hours ago, illwill said: I'm testing on Win10 and both codes I posted work for me. The first code didn't work with Windows 7 because of an array error in PowerShell I need to track down, so I changed it to just a bash script for now that worked on Win7, 8 and 10 when I tested. I accidentally lied to you, the Widumppass worked and had a folder with the results I was looking for. I can't get it to do it again on the same Windows 10 box. Still working on this though. Probably something simple I am missing. With your wificreds code, should I include a.cmd in the switch folder?
illwill Posted March 19, 2017 Author (edited) Violation of CoC. Edited October 8, 2017 by illwill: Violation of CoC
yeahits_ZP83 Posted March 19, 2017 2 minutes ago, illwill said: My code is inline in payloads.txt. Sit tight, I'm working on an updated version. I figured out the issue with Win7: the person may not have updated PowerShell (i.e. version 2.0), which is the reason for my code not working. Almost finished escaping the chars in my script and I'll post in a few. Thanks for all of the great work. Just reading these codes is going to get me better fast.
illwill Posted March 20, 2017 Author (edited) Violation of CoC. Edited October 8, 2017 by illwill: Violation of CoC
GreenRubi Posted March 20, 2017 I've run v0.3 twice. Both times I ended with the purple blinking LED indefinitely, but the DONE file has creds in it now. :)
illwill Posted March 20, 2017 Author (edited) Violation of CoC. Edited October 8, 2017 by illwill: Violation of CoC
yeahits_ZP83 Posted March 20, 2017 Oh, that one worked like a charm. Did you intentionally want this output to only show the first letter of the PW?
yeahits_ZP83 Posted March 20, 2017 One thing that might help is if the results got stored in a file named computername.txt instead of done.txt. Awesome stuff to start the day off with. Thanks illwill.
yeahits_ZP83 Posted March 20, 2017 Seems like it is getting hung up in the getting-wifi-creds portion. The attack never stops blinking purple. Hmm. Windows 10 on this try. I'll see what else I can try it on.
Opticon Posted May 9, 2017 @illwill You have placed so much effort into this, as has Sally Vendeven. Unfortunately, neither of these work on three Windows 10 boxes and four VMs. Sadly, running a.cmd does exactly what this payload proposes to do, but you must execute it manually. So, if I'm left with no other option, using several scenarios, how do I make a simple payload that calls upon a.cmd? Seriously! After months of coding and comparing, the Windows-based command works effortlessly. Let it do just that, and teach us all how to call upon that file in the beginning and leave it there. Please get back to me at your convenience, as I appreciate your time. -Opticon
Dave-ee Jones Posted May 9, 2017 (edited) 45 minutes ago, Opticon said: @illwill You have placed so much effort into this, as has Sally Vendeven. Unfortunately, neither of these work on three Windows 10 boxes and four VMs. Sadly, running a.cmd does exactly what this payload proposes to do, but you must execute it manually. So, if I'm left with no other option, using several scenarios, how do I make a simple payload that calls upon a.cmd? Seriously! After months of coding and comparing, the Windows-based command works effortlessly. Let it do just that, and teach us all how to call upon that file in the beginning and leave it there. Please get back to me at your convenience, as I appreciate your time. -Opticon There are multiple ways to do this. This is an example of using the HID and STORAGE attackmodes to run a PowerShell command that runs a cmd script: https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/credentials/PasswordGrabber This is Darren's Python solution to grabbing credentials (uses only the RNDIS_ETHERNET attackmode): https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/credentials/QuickCreds You can also do it another way, by starting a webserver and sharing a batch/cmd file over the Bunny's network, then making a HID attack to run the script from the share folder. Uses the RNDIS_ETHERNET and HID attackmodes. The batch/cmd files served don't have to grab credentials either. They could robocopy the Documents folder or run other commands (like outputting ipconfig to a file on the Bash Bunny if you really wanted to). Edited May 9, 2017 by Dave-ee Jones