kurtb2012 Posted March 29, 2017

So, I've got the Bash Bunny and I'm testing out QuickCreds and I get nothing but the blinking amber light. I've tried on multiple PCs and still blinking amber. I've put NFL.com and other sites up on browsers and then locked the machine to run QuickCreds and still nothing. I've configured all of the pentest and loot directories as well. It will create a directory under loot with the name of the machine, but no data in it. And I've let it run for an hour. I've used the nmapper payload and it worked fine. So, it is writing to the loot directory. I used the Mr. Robot one, and nothing with that. Looking for any sort of direction. And yes, I've read the other postings here and made sure I had everything configured.
bg-wa Posted March 29, 2017

You can use this helper to debug: https://github.com/bg-wa/bashbunny-payloads/blob/bunny_debug_helpers/payloads/library/bunny_debug_helpers.sh

1.) Include the helper at the top of your script:

    source bunny_debug_helpers.sh

2.) Pepper your script with log entries to see where events succeed.

    debug_log "Attack Mode Set" #ln. 34
    debug_log "IP Address : ${TARGET_IP}" #ln 55

3.) Plug in Bunny... bash bash bash...

4.) When finished, set the Bunny to arming mode and view your debug logs in the newly created "Debug" folder.
kurtb2012 (Author) Posted March 29, 2017

Dude, THANK YOU!!! I will try this!!
Dave-ee Jones Posted March 29, 2017

Did you bother reading the readme.md file in the QuickCreds folder? It tells you what the LED colours mean.

White (blinking) means dependencies not met (install.sh)
Red means Setup is going
Red (blinking) means Setup failed
Amber means responder is running, waiting for creds
Green means finished.

Nothing about Amber (blinking). Are you sure you are running the right payload in the right switch? Remember, Switch 1 is the furthest away from the USB end, Switch 2 is the middle and Arming mode is Switch 3 (closest to USB end).
kurtb2012 (Author) Posted March 29, 2017

Yes, I have read through all the notes about QuickCreds. "For those wondering why they aren't seeing immediate results/just a blinking amber LED, you need to give Responder time to capture a hash." But I would think that after an hour of waiting, it's not happening.
Dave-ee Jones Posted March 29, 2017

Sounds like you have something blocking it. My guess is (without looking at the QuickCreds payload.txt) it is running a loop that constantly checks whether it can capture a hash, and if it can't it just runs the loop again. This would mean it is forever running a loop and forever failing, so therefore something is blocking it. Just a guess. Seems like the most likely scenario though.

EDIT: Confirmed. Sets the LED to yellow (Amber) with a blinking argument (500). Sets the directory, removes logs, starts the responder and then goes into an 'until' loop, waiting until the responder is finished and the NTLM logs are there. So it is more than likely something wrong with the Responder.py script.

EDIT2: Quick question: Have you updated all the payloads from the GitHub? If not, then that's probably why. He would have put out a patch and released it and you would still have the old patches, having a new BB that isn't updated with the payloads.
nullsec Posted May 19, 2017

I had to manually install the responder.deb listed in tools forum (latest update with three tool links). So I moved responder.deb into tools, serial to device, copy to tools on linux box after mounting udisk, then -dpkg or w/e.
Dave-ee Jones Posted May 19, 2017

The installation guides on the GitHub projects do apply to the Bunny as well. Well, for Impacket at least. To install Impacket I had to follow that guide. With Responder I just got Sebkinne's and installed it his way and it worked fine.
rottingsun Posted May 19, 2017

Perhaps LLMNR, NETBIOS, and WPAD are all disabled on the target? Far-fetched if it's a home PC, I know, but.
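A host-side check for the three fallbacks named in the post above, as an added example that is not part of the thread: it reads the standard Windows settings that turn LLMNR, NetBIOS over TCP/IP and WPAD off and reports each one. The helper names `Get-RegValue` and `Get-FallbackStatus` are made up for this example; run it in an elevated PowerShell session on the machine being checked.

```powershell
# Added example (not from the thread): report whether LLMNR, NetBIOS over
# TCP/IP and WPAD are turned off on this Windows host.
# Get-RegValue and Get-FallbackStatus are helper names made up for this example.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-FallbackStatus {
    # LLMNR: the "Turn off multicast name resolution" policy writes
    # EnableMulticast = 0. An absent value means LLMNR is still on.
    $llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    [pscustomobject]@{ Protocol = 'LLMNR'; Scope = 'machine policy'; Disabled = ($llmnr -eq 0) }

    # NetBIOS over TCP/IP is set per interface:
    # NetbiosOptions 0 = follow DHCP, 1 = enabled, 2 = disabled.
    $nbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $nbt -ErrorAction SilentlyContinue) {
        $opt = Get-RegValue $iface.PSPath 'NetbiosOptions'
        [pscustomobject]@{ Protocol = 'NBT-NS'; Scope = $iface.PSChildName; Disabled = ($opt -eq 2) }
    }

    # WPAD: either DisableWpad = 1 for WinHTTP, or the auto-proxy service disabled.
    $wpad = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' 'DisableWpad'
    $svc = Get-Service -Name 'WinHttpAutoProxySvc' -ErrorAction SilentlyContinue
    $svcOff = ($null -ne $svc) -and ($svc.StartType -eq 'Disabled')
    [pscustomobject]@{ Protocol = 'WPAD'; Scope = 'WinHTTP'; Disabled = (($wpad -eq 1) -or $svcOff) }
}

$status = Get-FallbackStatus
$status | Format-Table -AutoSize

# Any row with Disabled = False is a fallback this host will still use when
# DNS fails, which is the traffic Responder answers.
$open = @($status | Where-Object { -not $_.Disabled })
if ($open.Count -gt 0) {
    Write-Warning ("{0} fallback setting(s) still enabled" -f $open.Count)
}
```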
Vert Posted May 19, 2017

I had similar results due to use of a Microsoft account; many payloads only work on local accounts.
Tamanbir Posted September 9, 2017

My many creds payloads are not working! For instance, when I plug in the Bash Bunny, for browser creds it shows a green light and then a red light starts blinking. Also, it makes a folder in loot but there is nothing inside it. I tried quick creds and mr.robot also; nothing is working. Please help!
TeCHemically Posted October 22, 2017

I am getting the blinking amber light as well. It just sits there. I completely reset my BB (because nothing was working) and then updated to 1.3 via the bunnyupdater. This should bring all of my payloads up to date as well, correct?
Sebkinne Posted October 22, 2017

54 minutes ago, TeCHemically said:
> I am getting the blinking amber light as well. It just sits there. I completely reset my BB (because nothing was working) and then updated to 1.3 via the bunnyupdater. This should bring all of my payloads up to date as well, correct?

If you ran the updater twice, yeah :)
TeCHemically Posted October 22, 2017

Just now, Sebkinne said:
> If you ran the updater twice, yeah :)

Thanks Seb! Any idea why quick creds is blinking amber on every PC I try it on? That isn't a documented response in the readme.
TeCHemically Posted October 22, 2017

11 minutes ago, TeCHemically said:
> Thanks Seb! Any idea why quick creds is blinking amber on every PC I try it on? That isn't a documented response in the readme.

This was being caused because there was no SMB traffic on the target. Once I created some, the quick creds module/payload worked successfully.
PoSHMagiC0de Posted October 22, 2017

If you are doing this on a Windows 10 machine, good luck, you have to force it. Like the above post says. They have to open probably a file explorer window and browse to a non-existent file server to get it to work. Sometimes even then it may not give you anything. I do not know if IE 11 will still fall for this but when you put up your site, use Internet Explorer. Chrome will not give out creds and neither will Edge. Or they will prompt at least. Windows 7 it should still be successful but still use IE if you are going to try and force it with a browser.
TeCHemically Posted October 22, 2017

3 minutes ago, PoSHMagiC0de said:
> If you are doing this on a Windows 10 machine, good luck, you have to force it. Like the above post says. They have to open probably a file explorer window and browse to a non-existent file server to get it to work. Sometimes even then it may not give you anything. I do not know if IE 11 will still fall for this but when you put up your site, use Internet Explorer. Chrome will not give out creds and neither will Edge. Or they will prompt at least. Windows 7 it should still be successful but still use IE if you are going to try and force it with a browser.

Thanks, that's good info to have. So, it is looking like this technique is starting to become ineffective in many places already.
Archived
This topic is now archived and is closed to further replies.