Problem with QuickCreds


wmrabb

Hello everyone!

I was having some trouble running the QuickCreds payload with my Bash Bunny. I have tested other payloads that work (such as the nmapper and a basic ducky hello world that I wrote). I have installed the tools into the /pentest folder properly. It seems to get stuck in an infinite loop where it's blinking amber (I believe). When I unplug it, switch to arming mode, and open up the files, I see a loot folder that wasn't there before. It then goes to quickcreds --> name_of_computer but there's nothing inside that folder. I've let it go for as high as about thirty minutes before giving up on it. I'm not sure what I'm doing wrong. I've tested it on a MacBook Pro, a Linux laptop, and a Windows 7 64-bit virtual machine, all with the same problem. I saw other people post about it with the same issue as me but I didn't see a response that worked. Thanks in advance for your help!


20 hours ago, SRG said:

Try pulling the payloads again from GitHub. There's been a bunch of updates. Make sure your bunny_helpers.sh file on the BashBunny is updated.

Thanks for your response! Unfortunately, I tried that and it didn't work. It still won't work on my Mac, laptop running Linux, or a Windows 7 virtual machine. However, I did get it to work on my friend's Windows 7 laptop. Do you know if QuickCreds is supposed to work on any other OS than Windows? Do I have to change the type of hashes that it scans for?


On 3/23/2017 at 11:57 AM, wmrabb said:

However, I did get it to work on my friend's Windows 7 laptop

Same exact problem as wmrabb's. I have tried EVERYTHING, it's been a month now and I can confidently say that I have run out of options. Without changing anything it pulled the Windows 7 creds in less than a second. My Windows 10, Linux, my sister's Win 10... all either get hung up on amber.

It's making me feel really stupid lol. I literally have tried EVERYTHING that's posted on the Internet and all previous posts about this or similar :(


Apologies for the double post but I can't find an edit button lol. I forgot to mention that on every Win10 machine, when plugged in, a message shows up asking if they want to allow this new network to share the internet. If not answered it goes away and the bunny gets hung up on amber. Then if I go and share the connection with the bunny, that's where it blinks red (IP not pulled)... oh and also, the other payload that refuses to work with anything BUT Win 7 is the usb-exfiltrator

However nmapper works flawlessly, what am I (We) doing wrong??


26 minutes ago, Lok! said:

Nothing? I'm just confused how it works for most people. Either we're doing something wrong or idk, a faulty bunny? :(

Yeah, I still have nothing. I don't know why it wouldn't work on Windows 10. But also, I'm not sure why the script would work on a Mac or Linux because I'm pretty positive neither of them store passwords in the NTLM hash format. I still have only been able to get it to work on a Windows 7 machine.


Exactly, I even uninstalled the RNDIS driver and again it just gets stuck on blinking amber. Install tools is correctly installed. On another note, from what I read an NTLMv2 hash is pretty hard to crack, unless the pass is in a wordlist or a rainbow table, but I don't even know if there are NTLMv2 rainbow tables


3 minutes ago, Lok! said:

Exactly, I even uninstalled the RNDIS driver and again it just gets stuck on blinking amber. Install tools is correctly installed. On another note, from what I read an NTLMv2 hash is pretty hard to crack, unless the pass is in a wordlist or a rainbow table, but I don't even know if there are NTLMv2 rainbow tables

Yeah, even the hashes I retrieved from my friend's computer, I've not been able to crack. I've tried john and hashcat and I haven't gotten either to work successfully.


Are you guys still having issues? What I did besides change ECM to RNDIS (Windows 10) is enable the network prompt when it pops up (basically I say yes). If you are still having problems, I am willing to give you the payload.txt I am using to see what the issue is.


Blinking amber means it is scanning. If it is working is questionable. When it is running and the network screen you specify pops up, ignore it and get to a command prompt to see if you can ping the bunny IP. Run ipconfig to see if you have another adapter with an IP on the bunny range. Last, with responder you need some kind of traffic that can be tricked into making Windows cough up creds. One sure way to test for discrepancies with responder is, while the quickcreds is running, open up File Explorer and browse to a false network path "\\nowhere\junk".

If it goes green and you get prompted for your creds, then we know it is working, just Win10 might have had some improvements, or your installation has the settings, to not share creds with untrusted sources. MS has been working with security guys from Metasploit and Empire to fix some of these security issues like blatantly sharing creds with anyone who asks and injection, which is why you will notice reflectiveinject fails on Windows 10 if you disable PowerShell version 2. Windows 10 will be a constant moving target in this area due to forced auto-updates too. Very rare to find an out-of-date Win10 machine.

 

Last thing to try is load an empty payload that puts BB in ethernet attack mode and then ssh to it and run responder directly with -A command and see if it is able to analyze traffic. You can also run responder commands directly under SSH and see if it is outputting stuff to the screen. I have a feeling it may be a security feature.

Edited by PoSHMagiC0de