Jump to content

Bashbunny & creds issue


kurtb2012

Recommended Posts

So, I've got the Bashbunny and I'm testing out Quickcreds and I get nothing but the blinking Amber light.  I've have tried on multiple PC's and still blinking amber.  I've put NFL.com and other sites up on browsers and then locked the machine to run Quickcreds and still nothing.  I've configured all of the pentest and loot directories as well.  It will create a directory under loot with the name of the machine, but no data in it.  And I've let it run for an hour.

I've used the nmapper payload and it worked fine.  So, it is writing to the loot directory. 

I used the Mr. Robot one, and nothing with that. 

Looking for any sort of direction.  And yes, I've read the other postings here and made sure I had everything configured.

 

 

Link to comment
Share on other sites

You can use this helper to debug:

https://github.com/bg-wa/bashbunny-payloads/blob/bunny_debug_helpers/payloads/library/bunny_debug_helpers.sh

1.) Include the helper at the top of your script:

source bunny_debug_helpers.sh

2.) Pepper your script with log entries to see where events succeed.

debug_log "Attack Mode Set" #ln. 34
debug_log "IP Address : ${TARGET_IP}" #ln 55

3.) Plug in Bunny... bash bash bash...

4)  When finished, set the Bunny to arming mode and view your debug logs in the newly created "Debug" folder.

Link to comment
Share on other sites

Did you bother reading the readme.md file in the QuickCreds folder?

It tells you what the LED colours mean.

White (blinking) means dependencies not met (install.sh)

Red means Setup is going

Red (blinking) means Setup failed

Amber means responder is running, waiting for creds

Green means finished.

Nothing about Amber (blinking). Are you sure you are running the right payload in the right switch?

Remember, Switch 1 is the furthest away from the USB end, Switch 2 is the middle and Arming mode is Switch 3 (closest to USB end).

Link to comment
Share on other sites

Yes I have read through all the notes about Quickcreds.

 

"For those wondering why they aren't seeing immediate results/just a blinking amber LED, you need to give Responder time to capture a hash. ' 

But I would think that after an hour of waiting, its not happening.

Link to comment
Share on other sites

Sounds like you have something blocking it. My guess is (without looking at the QuickCreds payload.txt) it is running a loop that constantly checks whether it can capture a hash, and if it can't it just runs the loop again. This would mean it is forever running a loop and forever failing, so therefore something is blocking it.

Just a guess. Seems like the most likely scenario though.

 

EDIT: Confirmed. Sets the LED to yellow (Amber) with a blinking argument (500).  Sets the directory, removes logs, starts the responder and then goes into a 'until' loop, waiting until the responder is finished and the NTLM logs are there. 

So it is more than likely something wrong with the Responder.py script.

EDIT2: Quick question: Have you updated all the payloads from the GitHub? If not, then that's probably why. He would have put out a patch and released it and you would still have the old patches, having a new BB that isn't updated with the payloads.

Link to comment
Share on other sites

  • 1 month later...

I had to manually install the responder.deb listed in tools forum (latest update with three tool links). So i moved responder.deb into tools, serial to device, copy to tools on linux box after mounting udisk, then -dpkg or w/e.

Link to comment
Share on other sites

The installation guides on the Github projects does apply to the Bunny as well. Well, for Impacket at least.

To install Impacket I had to follow that guide. With Responder I just got Sebkinne's and installed it his way and it worked fine.

Link to comment
Share on other sites

i had similar results due to use of microsoft account many payloads only work on local accounts.

Link to comment
Share on other sites

  • 3 months later...

my many creds payloads are not working! for instance when i plug the bash bunny, for  browser creds it shows green light and then red light starts blinking, also it make a folder in loot but there is nothing inside it. i tries quick creds and mr.robot also nothing is working please help!

Link to comment
Share on other sites

  • 1 month later...
54 minutes ago, TeCHemically said:

I am getting the blinking amber light as well. It just sits there. I completely reset my BB (because nothing was working) and then updated to 1.3 via the bunnyupdater. This should bring all of my payloads up to date as well, correct? 

If you ran the updater twice, yeah :) 

Link to comment
Share on other sites

11 minutes ago, TeCHemically said:

Thanks Seb! Any idea why quick creds is blinking amber on every PC i try it on? That isn't a documented response in the read me.

This was being caused because there was no SMB traffic on the target. Once I created some the quick creds module/payload worked successfully.

Link to comment
Share on other sites

If you are doing this on a Windows 10 machine, good luck, you have to force it.  Like the above post says.  They have to open probably a file explorer window and browse to a non-existent file server to get it to work.  Sometimes even then it may not give you anything.

I do not know if IE 11 will still fall for this but when you put up your site, use internet explorer.  Chrome will not give out creds and neither will Edge.  Or they will prompt at least.

Windows 7 it should still be successful but still use IE if you are going to try and force it with a browser.

Link to comment
Share on other sites

3 minutes ago, PoSHMagiC0de said:

If you are doing this on a Windows 10 machine, good luck, you have to force it.  Like the above post says.  They have to open probably a file explorer window and browse to a non-existent file server to get it to work.  Sometimes even then it may not give you anything.

I do not know if IE 11 will still fall for this but when you put up your site, use internet explorer.  Chrome will not give out creds and neither will Edge.  Or they will prompt at least.

Windows 7 it should still be successful but still use IE if you are going to try and force it with a browser.

Thanks, that's good info to have. So, it is looking like this technique is starting to become ineffective in many places already. 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...