
[PAYLOAD] DumpCreds 2.0 ( SMB, w/o Internet, w/o USB Storage )


DumpCreds 2.0

  • Author: QDBA
  • Version: 2.0.2
  • Target: Windows

Description

Dumps the usernames & plaintext passwords from

  • Browsers (Chrome, IE, Firefox)
  • Wifi
  • SAM Hashes
  • Mimik@tz Dump
  • [new] Computer information ( Hardware, Software list, Hotfixes, ProductKey, Users... )

without

  • Use of USB Storage (because USB Storage is mostly blocked by USBGuard or DriveLock)
  • Internet connection (because the Firewall ContentFilter blocks the download sites)

Configuration

None needed.

Requirements

Impacket must be installed. Install it with the tools_installer payload:

https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/tools_installer

STATUS

LED                    Status
--------------------------------------------------------------
White                  Give drivers some time for installation
Red Blink Fast         Impacket not found
Red Blink Slow         Target did not acquire IP address
Amber Blink Fast       Initialization
Amber                  HID Stage
Purple Blink Fast      Wait for IP coming up
Purple Blink Slow      Wait for Handshake (SMB server coming up)
Purple / Amber         PowerShell scripts running
Red                    Error in PowerShell scripts
Green                  Finished

Download

https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/DumpCreds_2.0

 

ToDo

  • parallelize Creds gathering with PS
  • while the Bash Bunny is waiting for the Target to finish the script it can do some other nice work, i.e. nmap the target. (Not very useful at the moment, because I'm Admin on the Target Host)
  • remove the modifications of the PowerSploit scripts, so you can download and use the original files. (At the moment you must use my scripts.) Not possible at the moment
  • put some version information into the source code and the output file
  • rewrite some code of the payload so the payload will work no matter if you have admin rights (UAC MsgBox) or not (Credentials MsgBox)
  • Maybe! If the Target is in an AD Domain and Mimik@tz gives us some passwords, try to get some more information about the AD Domain

 

Credits to:

https://github.com/sekirkity/BrowserGather      Get-ChromeCreds.ps1
https://github.com/EmpireProject/Empire         Get-FoxDump.ps1, Invoke-M1m1k@tz.ps1, Invoke-PowerDump.ps1
 

 

 

Edited by qdba
  • Upvote 2


 

@LowValueTarget At the moment MS Defender and Avira Antivir don't detect it. But I'm sure in 1 or 2 days they will :-
Feel free to obfuscate the code if you want.

 

I won't publish some encoded or obfuscated code here in this forum.
If I do so, I'm sure some Anti-Virus Tools will detect it in 1 or 2 days. 

 


 

 

7 minutes ago, qdba said:

 

@LowValueTarget At the moment MS Defender and Avira Antivir don't detect it. But I'm sure in 1 or 2 days they will :-
Feel free to obfuscate the code if you want.

 

I won't publish some encoded or obfuscated code here in this forum.
If I do so, I'm sure some Anti-Virus Tools will detect it in 1 or 2 days.

 

 

Fair enough. Good payload.

Edited by LowValueTarget

 

So it's blinking red really fast on my secondary laptop (Windows 7). What does that mean really?

"Red Blink Fast: Impacket not found". Like, what does "Impacket not found" mean?


nvm i got it! :D wrong switch haha

51 minutes ago, illwill said:

open a cmd prompt as admin and type: powershell -exec bypass

then run the script

Well the point of the bunny is so you don't have to do that.. I'll just edit the code to type A, that will work won't it?


I haven't taken a dive into the code yet, but while testing this on Windows 10 my bunny is getting caught up on waiting for the handshake (slow purple flashes). Do you know why this could be? I uninstalled the drivers that had been on my computer for the NDIS network adapter mode so that it could have a fresh start, as though I was plugging this into a new machine, but still no cigar.

Any suggestions?

1 hour ago, jafahulo said:

I haven't taken a dive into the code yet, but while testing this on Windows 10 my bunny is getting caught up on waiting for the handshake (slow purple flashes). Do you know why this could be? I uninstalled the drivers that had been on my computer for the NDIS network adapter mode so that it could have a fresh start, as though I was plugging this into a new machine, but still no cigar.

Any suggestions?

While Purple is blinking slow, could you reach \\172.16.64.1\e with Windows Explorer?

 

4 minutes ago, qdba said:

While Purple is blinking slow, could you reach \\172.16.64.1\e with Windows Explorer?

 

I just tested, and no I wasn't able to.

33 minutes ago, jafahulo said:

I just tested, and no I wasn't able to.

 

Could you check that File and Printer Sharing is enabled in your Firewall?


My ideas for the next version:

  • parallelize Creds gathering with PS
  • while the Bash Bunny is waiting for the Target to finish the scripts it can do some other nice work, i.e. nmap the target. (any other ideas?)
  • remove the modifications of the PowerSploit scripts, so you can download and use the original files. (At the moment you must use my scripts.)
  • put some version information into the source code and the output file
  • rewrite some code of the payload so the payload will work no matter if you have admin rights (UAC MsgBox) or not (Credentials MsgBox)
  • Maybe! If the Target is in an AD Domain and Mimik@tz gives us some Domain passwords, try to get some more information about the AD Domain

 

6 hours ago, qdba said:

 

Could you check that File and Printer Sharing is enabled in your Firewall?

Yes, File and Printer Sharing is enabled. I dug into it, and the Bash Bunny is actively refusing the connections.

I connect my bunny to the computer, it GUI r into Run and runs the PowerShell script, which in turn runs the command line, which waits until the bunny's IP is on the network. Once it is, the Bash Bunny flashes purple slowly, the command window goes away, and nothing happens. It literally can't put the file on the bunny to tell it to continue working. I'm thinking this is because my bunny is configured incorrectly outside of your code. Could this be the case? I haven't ssh'd or serial'd into it and changed anything yet. Is that a prerequisite that was assumed to be done?

32 minutes ago, jafahulo said:

Yes, File and Printer Sharing is enabled. I dug into it, and the Bash Bunny is actively refusing the connections.

I connect my bunny to the computer, it GUI r into Run and runs the PowerShell script, which in turn runs the command line, which waits until the bunny's IP is on the network. Once it is, the Bash Bunny flashes purple slowly, the command window goes away, and nothing happens. It literally can't put the file on the bunny to tell it to continue working. I'm thinking this is because my bunny is configured incorrectly outside of your code. Could this be the case? I haven't ssh'd or serial'd into it and changed anything yet. Is that a prerequisite that was assumed to be done?

 

- Can you ping 172.16.64.1?

- Try the attached payload.txt. If it goes to red, smbserver.py is missing. If not, ssh to the bunny while the purple LED blinks slow.

 

1. Enter this command at the terminal:

ps -ef | grep smb

As a result there should be a line like:

root       741     1  3 01:00 ?        00:00:27 python /pentest/impacket/examples/smbserver.py e /root/udisk/payloads/switch1

 

2. Enter this command at the terminal:

mount |grep udisk

As a result there should be a line like:

/dev/nandf on /root/udisk type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=cp437,iocharset=ascii,shortname=mixed,errors=continue)
 

Will the second PowerShell command fire up successfully? Check the cmd window (I switched it to B&W in the payload).

Have you tried it on a second computer?
 

 

payload.txt

  • Upvote 1
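As a defender's counterpart to the flow this post describes (a new NDIS adapter comes up in 172.16.64.0/24, then PowerShell reaches \\172.16.64.1\e over SMB), here is an added detection example; it is not part of the thread or the payload, and its log format, field names, WINDOW value and timestamps are constructed assumptions.

```python
"""Added detection example for the flow this thread describes: a new NDIS
adapter appears in 172.16.64.0/24 and, shortly after, PowerShell opens SMB
(port 445) to 172.16.64.1, where the payload's smbserver.py serves share 'e'.
Log format, field names and timestamps are constructed for this example."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

BUNNY_NET = ip_network("172.16.64.0/24")   # address range seen in the thread
WINDOW = timedelta(seconds=120)            # assumed: adapter-to-SMB gap worth alerting on

# Constructed Sysmon-style key=value events; not real telemetry from the page.
SAMPLE_LOG = """\
2017-04-01T09:00:01 event=NetworkInterfaceAdded name="Remote NDIS based Internet Sharing Device" ip=172.16.64.10
2017-04-01T09:00:04 event=ProcessCreate image=C:\\Windows\\System32\\cmd.exe
2017-04-01T09:00:31 event=NetworkConnect image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe dst=172.16.64.1 dport=445
2017-04-01T11:00:00 event=NetworkConnect image=C:\\Windows\\explorer.exe dst=10.1.2.3 dport=445
"""

def parse_event(line):
    """Split '<iso timestamp> k=v k="v v"' into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def detect(log_text):
    """Return one alert string per SMB connection into BUNNY_NET that follows a
    new adapter in that range within WINDOW; unrelated SMB traffic is ignored."""
    adapter_times = []
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["event"] == "NetworkInterfaceAdded" and ip_address(ev["ip"]) in BUNNY_NET:
            adapter_times.append(ev["ts"])
        elif (ev["event"] == "NetworkConnect" and ev.get("dport") == "445"
              and ip_address(ev["dst"]) in BUNNY_NET):
            recent = [t for t in adapter_times if timedelta(0) <= ev["ts"] - t <= WINDOW]
            if recent:
                gap = int((ev["ts"] - recent[-1]).total_seconds())
                alerts.append(f"{ev['ts'].isoformat()} {ev['image']} -> \\\\{ev['dst']} "
                              f"over SMB {gap}s after a new adapter in {BUNNY_NET}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The explorer.exe connection to a normal file server is deliberately left out of the alerts, so the rule keys on the adapter-then-SMB sequence rather than on port 445 alone.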

3 hours ago, qdba said:

 

- Can you ping 172.16.64.1?

- Try the attached payload.txt. If it goes to red, smbserver.py is missing. If not, ssh to the bunny while the purple LED blinks slow.

 

1. Enter this command at the terminal:

ps -ef | grep smb

As a result there should be a line like:

root       741     1  3 01:00 ?        00:00:27 python /pentest/impacket/examples/smbserver.py e /root/udisk/payloads/switch1

 

2. Enter this command at the terminal:

mount |grep udisk

As a result there should be a line like:

/dev/nandf on /root/udisk type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=cp437,iocharset=ascii,shortname=mixed,errors=continue)
 

Will the second PowerShell command fire up successfully? Check the cmd window (I switched it to B&W in the payload).

Have you tried it on a second computer?
 

 

payload.txt

Alright, so I actually fixed it, but I'll let you know what was happening up to the point where I fixed it so you can reference it if you ever need to.

I could ping it, and the light did not turn red. I ssh'd into it and ran:

ps -ef | grep smb

I didn't get any smb servers running. The partition did mount to udisk correctly, and at that point, the command was not opening the second powershell terminal correctly. (I further modified the payload you sent me to make the cmd window stay open after it ran).

What I did to fix it was to play around with how the smbserver got called. What worked for me was to have it called like this:

python /pentest/impacket/examples/smbserver.py e $SWITCHDIR &

small change, but huge difference. XD

 

Thanks for all the help, and your payload is awesome! I love it! 

15 hours ago, jafahulo said:

python /pentest/impacket/examples/smbserver.py e $SWITCHDIR &

Yes, that's the original call of the smbserver command. The "nohup python /pentest/impacket/......." was only for debugging in your case.

There are some timing problems in an older payload. I fixed them in a later version. Guess you have an old one, sorry about it.

But anyway, fine that you like the payload.

 

  • Upvote 1

7 hours ago, qdba said:

Yes, that's the original call of the smbserver command. The "nohup python /pentest/impacket/......." was only for debugging in your case.

There are some timing problems in an older payload. I fixed them in a later version. Guess you have an old one, sorry about it.

But anyway, fine that you like the payload.

 

ahh, in that case, my bad! But thank you for taking the time to help me out with it!


Damn this is a nice payload, can't wait on this:

On 31-3-2017 at 9:04 AM, qdba said:

rewrite some code of the payload so the payload will work no matter if you have admin rights (UAC MsgBox) or not (Credentials MsgBox)

 

Good job, keep up the good work :smile:

