Jump to content

[PAYLOAD] DrumpCreds 2.0 ( SMB, w/o Internet, w/o USB Storage )


qdba
 Share

Recommended Posts

DumpCreds 2.0

  • Author: QDBA
  • Version: Version 2.0.2
  • Target: Windows

Description

Dumps the usernames & plaintext passwords from

  • Browsers (Crome, IE, FireFox)
  • Wifi
  • SAM Hashes
  • Mimimk@tz Dump
  • [new] Computerinformition ( Hardware, Softwarelist, Hotfixes, ProuctKey, Users...)

without

  • Use of USB Storage (Because USB Storage ist mostly blocked by USBGuard or DriveLock)
  • Internet connection (becaus Firewall ContentFilter Blocks the download sites)

Configuration

None needed.

Requirements

Impacket must be installed. Install it from tools_installer payload

https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/tools_installer

STATUS

LED
-----------------------
             Status
--------------------------------------------------------------
White                        Give drivers some time for installation
Red Blink Fast                   Impacket not found
Red Blink Slow              Target did not acquire IP address
Amber Blink Fast              Initialization
Amber              HID Stage
Purple Blink Fast             Wait for IP coming up
Purple Blink Slow             Wait for Handshake (SMBServer Coming up)
Purple / Amber             Powershell scripts running
RED             Error in Powershell Scripts
Green             Finished
   

Download

https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/DumpCreds_2.0

 

ToDo

  • paralellize Creds gathering with PS
  • while Bashbunny is waiting for Target finished the script it can do some other nice work. i.e. nmap the target. (Not very usefull at the moment, because I'm Admin on Target Host)
  • remove the modifications of the Powersploit scripts, so you can download and use the original Files. (At the moment you must use my scripts) Not Possible at the moment
  • put some version information into the sourcecode and the output file
  • rewrite some code of the payload so the payload will work no matter if you have admin rights (UAC MsgBox) or not (Credentials MsgBox)
  • Maybe! If Target is in a AD Domain and Mimik@tz give us some Passwords try to get some more information about the AD Domain

 

Credits 

to...... 

https://github.com/sekirkity/BrowserGather      Get-ChromeCreds.ps1
https://github.com/EmpireProject/Empire         Get-FoxDump.ps1, Invoke-M1m1k@tz.ps1, Invoke-PowerDump.ps1
 

 

 

Edited by qdba
  • Upvote 2
Link to comment
Share on other sites

 

@LowValueTarget At the moment MS Defender and Avira Antivir don't detect it. But I'm sure in 1 or 2 days they will :-
Feel free to obfuscate the code if you want.

 

I won't publish some encoded or obfuscated code here in this forum.
If I do so, I'm sure some Anti-Virus Tools will detect it in 1 or 2 days. 

 


 

 

Link to comment
Share on other sites

7 minutes ago, qdba said:

 

@LowValueTarget At the moment MS Defender and Avira Antivir don't detect it. But I'm sure in 1 or 2 days they will :-
Feel free to obfuscate the code if you want.

 

I won't publish some encoded or obfuscated code here in this forum.
If I do so, I'm sure some Anti-Virus Tools will detect it in 1 or 2 days.

 

 

Fair enough. Good payload.

Edited by LowValueTarget
Link to comment
Share on other sites

 

So its blinking red really fast on my secondary Laptop - WINDOWS 7 - What does  that mean really?

Red Blink Fast Impacket not found Like what does impacket not found?
Link to comment
Share on other sites

I haven't taken a dive into the code yet, but while testing this on windows 10 my bunny is getting caught up on waiting for the handshake (slow purple flashes). do you know why this could be? I uninstalled the drivers that had been on my computer for the NDIS network adapter mode that way it could have a fresh start, as though I was plugging this into a new machine, but still no cigar.

any suggestions?

Link to comment
Share on other sites

1 hour ago, jafahulo said:

I haven't taken a dive into the code yet, but while testing this on windows 10 my bunny is getting caught up on waiting for the handshake (slow purple flashes). do you know why this could be? I uninstalled the drivers that had been on my computer for the NDIS network adapter mode that way it could have a fresh start, as though I was plugging this into a new machine, but still no cigar.

any suggestions?

While Purple blinking Slow , coud you reach    \\172.16.64.1\e      with windows explorer?

 

Link to comment
Share on other sites

33 minutes ago, jafahulo said:

I just tested, and no I wasn't able to.

 

Could you check that File and printer sharing is enabled in your Firewall.

Link to comment
Share on other sites

My ideas coming with next Version.....

  • paralellize Creds gathering with PS
  • while Bashbunny is waiting for Target finishing the scripts it can do some other nice work. i.e. nmap the target. (any other ideas)
  • remove the modifications of the Powersploit scripts, so you can download and use the original Files. (At the moment you must use my scripts)
  • put some version information into the sourcecode and the output file
  • rewrite some code of the payload so the payload will work no matter if you have admin rights (UAC MsgBox) or not (Credentials MsgBox)
  • Maybe! If Target is in a AD Domain and Mimik@tz give us some Domain Passwords try to get some more information about the AD Domain

 

Link to comment
Share on other sites

6 hours ago, qdba said:

 

Could you check that File and printer sharing is enabled in your Firewall.

Yes, File and printer sharing is enabled. I dug into it, and the bash bunny is actively refusing the connections.

I connect my bunny to the computer, it gui r into run and runs the powershell script which in turn runs the command line which waits until the bunny's ip is on the network. Once it is, the bash bunny flashes purple slowly, and the command window goes away, and nothing happens. it literally can't put the file on the bunny to tell it to continue working. I'm thinking this is because my bunny is configured incorrectly outside of your code. Could this be the case? I haven't ssh'd or serial'd into it and changed anything yet. Is that a prerequisite that was assumed to be done?

Link to comment
Share on other sites

32 minutes ago, jafahulo said:

Yes, File and printer sharing is enabled. I dug into it, and the bash bunny is actively refusing the connections.

I connect my bunny to the computer, it gui r into run and runs the powershell script which in turn runs the command line which waits until the bunny's ip is on the network. Once it is, the bash bunny flashes purple slowly, and the command window goes away, and nothing happens. it literally can't put the file on the bunny to tell it to continue working. I'm thinking this is because my bunny is configured incorrectly outside of your code. Could this be the case? I haven't ssh'd or serial'd into it and changed anything yet. Is that a prerequisite that was assumed to be done?

 

- Can you ping 172.16.64.1

- Try the attached payload.txt. If it goes to red,  smbserver.py is missing. If not, ssh to bunny while purple LED blinks slow. 

 

1. enter command at Terminal

ps -ef | grep smb

As result there should be a line like 

root       741     1  3 01:00 ?        00:00:27 python /pentest/impacket/examples/smbserver.py e /root/udisk/payloads/switch1

 

2. enter command at Terminal

mount |grep udisk

As result there should be a line like 

/dev/nandf on /root/udisk type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=cp437,iocharset=ascii,shortname=mixed,errors=continue)
 

WIll the second powershell command fired up successfully - check cmd Window (I switched it to B&W in the payload)

Have you tried it at second Computer
 

 

payload.txt

  • Upvote 1
Link to comment
Share on other sites

3 hours ago, qdba said:

 

- Can you ping 172.16.64.1

- Try the attached payload.txt. If it goes to red,  smbserver.py is missing. If not, ssh to bunny while purple LED blinks slow. 

 

1. enter command at Terminal

ps -ef | grep smb

As result there should be a line like 

root       741     1  3 01:00 ?        00:00:27 python /pentest/impacket/examples/smbserver.py e /root/udisk/payloads/switch1

 

2. enter command at Terminal

mount |grep udisk

As result there should be a line like 

/dev/nandf on /root/udisk type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=cp437,iocharset=ascii,shortname=mixed,errors=continue)
 

WIll the second powershell command fired up successfully - check cmd Window (I switched it to B&W in the payload)

Have you tried it at second Computer
 

 

payload.txt

Alright, so I actually fixed it, but I'll let you know what was happening upto the point where I fixed it so you can refrence it if you ever need to.

I could ping it, and the light did not turn red. I ssh'd into it and ran :

ps -ef | grep smb

I didn't get any smb servers running. The partition did mount to udisk correctly, and at that point, the command was not opening the second powershell terminal correctly. (I further modified the payload you sent me to make the cmd window stay open after it ran).

What I did to fix it was to play around with how the smbserver got called. What worked for me was to have it called like this:

python /pentest/impacket/examples/smbserver.py e $SWITCHDIR &

small change, but huge difference. XD

 

Thanks for all the help, and your payload is awesome! I love it! 

Link to comment
Share on other sites

15 hours ago, jafahulo said:

python /pentest/impacket/examples/smbserver.py e $SWITCHDIR &

Yes thats the original call of smbserver command. The "nohup python /pentest/impacket/......." was only for debugging in your case.

There are some timing problems in an older payload. I fixed in a later version. Guess you have an old one . sorry about it. 

But anyway fine that you like the payload. 

 

  • Upvote 1
Link to comment
Share on other sites

7 hours ago, qdba said:

Yes thats the original call of smbserver command. The "nohup python /pentest/impacket/......." was only for debugging in your case.

There are some timing problems in an older payload. I fixed in a later version. Guess you have an old one . sorry about it. 

But anyway fine that you like the payload. 

 

ahh, in that case, my bad! But thank you for taking the time to help me out with it!

Link to comment
Share on other sites

3 hours ago, Decoy said:

I think you might need to update the main GitHub link on your original post.

Thanks..... Done.....

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...