wmrabb Posted March 21, 2017
Hello everyone! I was having some trouble running the QuickCreds payload with my Bash Bunny. I have tested other payloads that work (such as the nmapper and a basic ducky hello world that I wrote). I have installed the tools into the /pentest folder properly. It seems to get stuck in an infinite loop where it's blinking amber (I believe). When I unplug it, switch to arming mode, and open up the files I see a loot folder that wasn't there before. It then goes to quickcreds --> name_of_computer but there's nothing inside that folder. I've let it go for as high as about thirty minutes before giving up on it. I'm not sure what I'm doing wrong. I've tested it on a MacBook Pro, a Linux laptop, and a Windows 7 64-bit Virtual Machine, all with the same problem. I saw other people post about it with the same issue as me but I didn't see a response that worked. Thanks in advance for your help!
wmrabb Posted March 22, 2017
@Darren Kitchen Have you heard anything about this or know what it could be?
SRG Posted March 22, 2017
Try pulling the payloads again from GitHub. There's been a bunch of updates. Make sure your bunny_helpers.sh file on the BashBunny is updated.
wmrabb Posted March 23, 2017
20 hours ago, SRG said:
Try pulling the payloads again from GitHub. There's been a bunch of updates. Make sure your bunny_helpers.sh file on the BashBunny is updated.

Thanks for your response! Unfortunately, I tried that and it didn't work. It still won't work on my Mac, laptop running Linux, or a Windows 7 Virtual Machine. However, I did get it to work on my friend's Windows 7 laptop. Do you know if QuickCreds is supposed to work on any other OS than Windows? Do I have to change the type of hashes that it scans for?
Kel Posted March 25, 2017
As it is specified in the payload:
# Use RNDIS for Windows. Mac/*nix use ECM_ETHERNET
So depending on the settings you chose it works on Win / Mac / Nix.
Lok! Posted March 30, 2017
On 3/23/2017 at 11:57 AM, wmrabb said:
However, I did get it to work on my friend's Windows 7 laptop

Same exact problem as wmrabb's. I have tried EVERYTHING, it's been a month now and I can confidently say that I have run out of options. Without changing anything it pulled the Windows 7 creds in less than a second. My Windows 10, Linux, my sister's Win 10... all either get hung up on amber. It's making me feel really stupid lol. I literally have tried EVERYTHING that's posted on the Internet and all previous posts about this or similar :(
Lok! Posted March 30, 2017
Apologies for the double post but I can't find an edit button lol. I forgot to mention that on every Win10 machine when plugged in a message shows up asking if they want to allow this new network to share the internet. If not answered it goes away and the bunny gets hung up on amber. Then if I go and share the connection with the bunny that's where it blinks red (IP not pulled)... oh and also, the other payload that refuses to work with anything BUT Win 7 is the usb-exfiltrator. However nmapper works flawlessly, what am I (we) doing wrong??
Lok! Posted April 3, 2017
Nothing? I'm just confused how it works for most people. Either we're doing something wrong or idk, a faulty bunny? :(
wmrabb Posted April 3, 2017
26 minutes ago, Lok! said:
Nothing? I'm just confused how it works for most people. Either we're doing something wrong or idk, a faulty bunny? :(

Yeah, I still have nothing. I don't know why it wouldn't work on Windows 10. But also, I'm not sure why the script would work on a Mac or Linux because I'm pretty positive neither of them store passwords in the NTLM hash format. I still have only been able to get it to work on a Windows 7 machine.
Lok! Posted April 3, 2017
Exactly, I even uninstalled the RNDIS driver and again it just gets stuck on blinking amber. Install tools is correctly installed. On another note, from what I read an NTLMv2 hash is pretty hard to crack, unless the pass is in a wordlist or a rainbow table, but I don't even know if there are NTLMv2 rainbow tables.
wmrabb Posted April 3, 2017
3 minutes ago, Lok! said:
Exactly, I even uninstalled the RNDIS driver and again it just gets stuck on blinking amber. Install tools is correctly installed. On another note, from what I read an NTLMv2 hash is pretty hard to crack, unless the pass is in a wordlist or a rainbow table, but I don't even know if there are NTLMv2 rainbow tables.

Yeah, even the hashes I retrieved from my friend's computer, I've not been able to crack. I've tried john and hashcat and I haven't gotten either to work successfully.
Bryfi Posted April 4, 2017
Are you guys still having issues? What I did besides change ECM to RNDIS (Windows 10) is enable the network prompt when it pops up (basically I say yes). If you are still having problems, I am willing to give you the payload.txt I am using to see what the issue is.
PoSHMagiC0de Posted April 6, 2017 (edited)
Blinking amber means it is scanning. If it is working is questionable. When it is running and the network screen you specify pops up, ignore it and get to a command prompt to see if you can ping the bunny IP. Run ipconfig to see if you have another adapter with an IP on the bunny range.

Last, with responder you need some kind of traffic that can be tricked into making Windows cough up creds. One sure way to test for discrepancies with responder is, while quickcreds is running, open up file explorer and browse to a false network path "\\nowhere\junk". If it goes green and you get prompted for your creds, then we know it is working, just Win10 might have had some improvements, or your installation has the settings, to not share creds with untrusted sources.

MS has been working with security guys from Metasploit and Empire to fix some of these security issues like blatantly sharing creds with anyone who asks and injection, which is why you will notice reflectiveinject fails on Windows 10 if you disable PowerShell version 2. Windows 10 will be a constant moving target in this area due to forced autoupdates too. Very rare to find an out of date Win10 machine.

Last thing to try is load an empty payload that puts BB in ethernet attack mode and then ssh to it and run responder directly with the -A command and see if it is able to analyze traffic. You can also run responder commands directly under SSH and see if it is outputting stuff to the screen. I have a feeling it may be a security feature.
Mehardeep Singh Posted April 18, 2017
Guys, I made it work on Windows 10; it gives me the NTLM in FW v1.1. All I did was put responder in the pentest directory instead of the tools directory. I made a /pentest in the root of the bunny. I was having the same problem... an empty quickcreds directory.