qdba Posted April 9, 2017 (edited)

DumpCreds 2.1
Author: QDBA
Version: Version 2.1.0 Build 1004
Target: Windows 10

Description
** !!!!! works only on Bash Bunny with FW 1.1 !!!!! **

Dumps the usernames & plaintext passwords from
* Browsers (Chrome, IE, FireFox)
* Wifi
* SAM Hashes (only if AdminMode=True)
* Mimimk@tz Dump (only if AdminMode=True)
* Computer information (Hardware Info, Windows ProductKey, Hotfixes, Software, Local, AD Userlist)

without use of
* USB Storage (because USB Storage is mostly blocked by USBGuard or DriveLock)
* Internet connection (because the firewall content filter blocks the download sites)

Problems
If you first use the payload on a computer, it will take some time and tries until the drivers are successfully loaded. If the payload doesn't work (red LED, or yellow LED blinks 2 or 4 times), plug off the BB and try it once more (can take 3 or 4 times).
If the payload stops working (yellow LED blinks very fast for longer than 2 min, you get no white LED), you ran into a time out. When you plug in the BB, every payload has 1 min 30 s for doing the job. At 1 min 30 s every payload stops. (That's a FW 1.1 issue.)

Debug
If you want some debug information, create a file with the name "DEBUG" in the payload folder. You get the debug information in \loot\DumpCred_2.1\log.txt

Folder Configuration
None needed.

Requirements
impacket - install it from https://github.com/qdba/MyBashBunny/tree/master/tools

Download
https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds

Install
Put Bash Bunny in arming mode
Copy all folders into the root of the Bunny flash drive
Mandatory
* payloads/library/DumpCreds_2.1 --> the payload files
* payloads/library/DumpCreds_2.1/PS --> the PowerShell scripts for the payload
* tools --> impacket tools (provide the smbserver.py) (not necessary if you had already installed it)
Not necessary
* docs --> this doc file
* languages --> language files for DUCKY_LANG
Eject Bash Bunny safely!!
Insert Bash Bunny in arming mode (Impacket and languages will be installed)
Put all files and folders of the payload from /payloads/library/DumpCreds_2.1 to payloads/switch1 or payloads/switch2
Eject Bash Bunny safely
Move the switch to the right position
Plug in Bash Bunny and have fun....! :-)

STATUS LED
LED                     Status
Magenta solid           Setup
Red slow blink          Impacket not found
Red fast blink          Target did not acquire IP address
Yellow single blink     Initialization
Yellow double blink     HID Stage
Yellow triple blink     Wait for IP coming up
Yellow quad blink       Wait for Handshake (SMBServer coming up)
Yellow very fast blink  PowerShell scripts running
White fast blink        Cleanup, copy files to /loot
Green                   Finished

Discussion
https://forums.hak5.org/index.php?/topic/40582-payload-drumpcreds-20-wo-internet-wo-usb-storage

Credits to......
https://github.com/EmpireProject/Empire
Get-FoxDump.ps1, Invoke-M1m1k@tz.ps1, Invoke-PowerDump.ps1, Get-ChromeCreds.ps1

Changelog
* Complete new payload.txt code for BashBunny 1.1
* Added a lot of debug code into the payload. For debugging create a file "DEBUG" in the payload folder. You get the debug log in \loot\Dumpcreds_2.1
* Impacket.deb included for easy impacket installation
* Some Ducky languages included (from DuckyInstall Payload)

Edited April 11, 2017 by qdba
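As an added example for the defender side (not part of qdba's payload or of this thread): a check that scans PowerShell script-block log events for the Empire script names the post's credits list says the payload loads. The sample lines are constructed in a simplified time|event_id|message layout and are not real Windows event output; the indicator names are the only page-derived values.

```python
# Indicator names come from the credits list in the post above (the Empire
# scripts the payload runs); the page writes Mimikatz with an '@'.
INDICATORS = {
    "invoke-mimikatz": "LSASS credential dump",
    "invoke-powerdump": "SAM hash dump",
    "get-chromecreds": "browser credential store",
    "get-foxdump": "browser credential store",
}

def parse_event(line):
    """Split a constructed 'time|event_id|message' log line into its three
    fields; return None for lines that do not have that shape."""
    parts = line.rstrip("\n").split("|", 2)  # message may itself contain '|'
    if len(parts) != 3:
        return None
    ts, event_id, message = parts
    return ts.strip(), event_id.strip(), message

def scan_scriptblock_logs(lines):
    """Return (timestamp, indicator, impact) for every 4104 script-block
    event whose text mentions one of the scripts above, case-insensitively
    (script-block logging records the decoded text, so wrapping the .ps1
    files in AES as planned for 2.2 does not hide the function names here)."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, event_id, message = parsed
        if event_id != "4104":
            continue
        text = message.lower()
        for name, impact in INDICATORS.items():
            if name in text:
                findings.append((ts, name, impact))
    return findings

# Constructed sample (not real Windows output): one benign block, one module
# log event that must be ignored, two blocks the payload stage would produce,
# and one malformed line.
SAMPLE_LOG = [
    "2017-04-10T12:00:01|4104|Creating Scriptblock text (1 of 1): Get-Process | Sort-Object CPU",
    "2017-04-10T12:00:05|4103|CommandInvocation(Get-ChildItem)",
    "2017-04-10T12:00:09|4104|Creating Scriptblock text (1 of 1): Invoke-Mimikatz",
    "2017-04-10T12:00:11|4104|Creating Scriptblock text (1 of 3): function Get-ChromeCreds {",
    "malformed line without separators",
]

if __name__ == "__main__":
    for ts, name, impact in scan_scriptblock_logs(SAMPLE_LOG):
        print(f"{ts}: {name} ({impact})")
```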
b0N3z Posted April 9, 2017
Why doesn't it save the loot to the loot directory, but instead to the payload folder that it runs from? Is this for a faster payload or to get rid of storage mode during the payload?
qdba (Author) Posted April 9, 2017
You are right. It's to get rid of team storage mode. I don't know any company who allows USB storage; the sun ports are almost blocked. So I store the loot in the payload folder and copy it during cleanup to the /loot folder.
b0N3z Posted April 9, 2017
I have used this 3 times now on my win10 machine, and also restarted the win10 machine after the first 2 tries. The loot folder is created and the bunny LED blinks like the description, but I never have anything in the loot folder.
Mohamed A. Baset Posted April 10, 2017
@qdba Why rely on an SMB server when you can rely on a simple Python HTTP one with a little POST script? HTTP servers make more sense than SMB shits, I'm always facing nightmares with SMB :D
qdba (Author) Posted April 10, 2017
15 hours ago, b0N3z said:
    Why doesn't it save the loot to the loot directory, but instead to the payload folder that it runs from? Is this for a faster payload or to get rid of storage mode during the payload?
Plz. can you go to DEBUG mode (create a file named DEBUG in the payload folder) and look at the file /loot/DumpCred_2.1/log.txt. If there is no log.txt, take a look at /tmp/log.txt. If there is something like bunny.service timeout or bunny.service failed, you probably ran into a timeout. This is a Bunny issue in Firmware 1.1 and will be solved in FW 1.2. Look there .....
trumoo Posted April 10, 2017 (edited)
URL is bad, was this pulled?
Edit: https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds
My payload just blinks yellow 4 times endlessly until it times out. Nothing is ever run. I can't figure out how to get the debug information.
Edited April 10, 2017 by trumoo
qdba (Author) Posted April 10, 2017
4 hours ago, trumoo said:
    URL is bad, was this pulled? Edit: https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds My payload just blinks yellow 4 times endlessly until it times out. Nothing is ever run. I can't figure out how to get the debug information.
I updated the URL. If you have created the file DEBUG in the payload folder, debug information is written to the file /tmp/log.txt. At the end of the payload the log is copied to the /loot folder. But if you run into a timeout, neither the debug log nor the loot can be copied to the /loot folder. For debugging you can ssh into the bunny and look at /tmp/log.txt
trumoo Posted April 11, 2017 (edited)
Thanks. The issue was I didn't change lang from de to us in the payload.txt. The payload is working now. At the end of the script, it closes the first cmd prompt but leaves open the red elevated cmd prompt. I'm running Windows 10 1607 as an admin. I added

    # Kill powershell.exe (Stop-Process is the full name of the 'kill' alias, -Name of -processname)
    Stop-Process -Name powershell -ErrorAction SilentlyContinue

to the bottom of my .ps1 to properly terminate the PowerShell window. I love this script, thank you for all your hard work!
Edited April 11, 2017 by trumoo
Mohamed A. Baset Posted April 11, 2017
@qdba Look at this screenshot and you will understand the reason for my ignored reply! I hope you can find a solution for this. I did a manual debug and the error seems to be in the networking stuff, I don't know!
qdba (Author) Posted April 11, 2017
@Mohamed A. Baset Sorry, it may have looked like I ignored your post. You are right, SMB is really a nightmare. In the near future I will rewrite the payload, but I'm waiting for Bunny FW 1.2. Sebkinne said FW 1.2 will come asap.
qdba (Author) Posted April 11, 2017
5 hours ago, trumoo said:
    Thanks. The issue was I didn't change lang from de to us in the payload.txt. The payload is working now. At the end of the script, it closes the first cmd prompt but leaves open the red elevated cmd prompt. I'm running Windows 10 1607 as an admin. I added
        # Kill powershell.exe
        Stop-Process -Name powershell -ErrorAction SilentlyContinue
    to the bottom of my .ps1 to properly terminate the PowerShell window. I love this script, thank you for all your hard work!
The PowerShell window stays open because you are in debug mode. Delete the DEBUG file from the payload folder and all will be ok.
Vagabond Posted April 12, 2017
First, thank you qdba for your work.
On 4/10/2017 at 6:40 PM, trumoo said:
    Thanks. The issue was I didn't change lang from de to us in the payload.txt.
At first I was plugging in, receiving 4 yellow blinks, and after a while received a solid yellow. Nothing was created in the debug file or /tmp/log file. After changing the lang from de to us I now see PowerShell commands running, however it seems to stop working (hangs) at the red cmd Administrator (c:\windows\system32) prompt. Again no debug or log information was written. Host is W10; I've also tried on a Win7 VM. BB is 1.1 with impacket and responder. I've tried it many times and it's still not working, not sure what the issue is.
Epoc Posted April 12, 2017
7 hours ago, qdba said:
    Open the file /usr/local/bunny/bin/bunny_framework with an editor. At the end of the file there is the command
Hello qdba,
Unfortunately the worst happened. So I went to /usr/local/bunny/bin/bunny_framework. Then I modified the bunny_framework file with nano. As you specified, I completed the command hop with a &, resulting in hop & (). As a result, switches 1 and 2 no longer work. The .deb file installation in the tools folder, either. So I ran a factory reset, then an update with firmware 1.1. Unfortunately, no more files are installed ("docs", "languages", etc.). I went back to /usr/local/bunny/bin/, but I can not go further than /usr/local/ because the folder "bunny" seems to no longer exist ... I am currently a little lost. I hope you will be able to give me valuable help. Thank you very much.
qdba (Author) Posted April 12, 2017
So do a clean factory reset. November Stay at FW 1.0. Test if you can reach the bunny.
Epoc Posted April 12, 2017
26 minutes ago, qdba said:
    So do a clean factory reset.
Thank you for your reply. Unfortunately, I find myself at the same point as previously mentioned: still no access to the file bunny_framework, no folders created during restoration, and finally no switches work, this in FW 1.0 ...
qdba (Author) Posted April 12, 2017
Had you plugged off the bunny during recovery or installation of FW 1.1? Could you login with serial in arming mode?
Epoc Posted April 12, 2017 (edited)
I didn't plug off the Bunny during recovery or installation, and yes, I could login with serial in arming mode.
Edit: This is interesting, the bunny_framework file seems to have been erased ... I notice that even after a complete restoration with the original firmware, the situation does not work out. The file is always missing, precisely at the following path: /usr/local/bunny/bin/bunny_framework. Would there be a solution to put it all back together?
Edited April 12, 2017 by Epoc
qdba (Author) Posted April 12, 2017
In version FW 1.0 there is no bunny_framework. Important is that you can login to the bunny, so the bunny works. You put the & at the wrong place. I got the advice with the & from sebkinne, but while writing the patch I'm not sure if it works right. Therefore I removed the post from this list. Please wait for the patch, or wait for FW 1.2 which will come asap.
Epoc Posted April 12, 2017
Thank you for your advice and reply. I'll be waiting for the patch or the official update.
Fang_Shadow Posted April 14, 2017
I made some changes to the payload: instead of cmd calling PowerShell to open another cmd, I have it opening a PowerShell as admin (more tools). And I have made another section which closes all open cmd and PowerShell windows just in case one lingers for whatever reason, oh and of course clearing the run dialog.
qdba (Author) Posted April 14, 2017
6 hours ago, Fang_Shadow said:
    I made some changes to the payload: instead of cmd calling PowerShell to open another cmd, I have it opening a PowerShell as admin (more tools). And I have made another section which closes all open cmd and PowerShell windows just in case one lingers for whatever reason, oh and of course clearing the run dialog.
Does it work if you are not admin and there is no UAC prompt?
rizzah Posted April 14, 2017
@qdba Hi, I just tried your payload, got it off your GitHub. Tried v2.2 (although the readme still said 2.1), figured I'd try the latest. What I run into is the part where it waits for the IP to come up. It stalls there when testing on a Win7 (VM) machine. Next are some errors (see screenshot). I also tried it on a native Win10 system. Here it starts blinking red, also at the same stage as waiting for the IP to come up. However I think this last part has another cause. Also when running the quickcred payload it fails on getting the system IP. I have no clue what that is about.
qdba (Author) Posted April 14, 2017
2.2 is heavily under development and not ready for use.
- Payload not ready
- main.ps1 50% ready; all PowerShell files were AES encoded, they will be decoded directly into memory so the AV scanner does not detect them too fast.
- Encode/Decode script ready
Please wait a few days until all is working fine.
rizzah Posted April 14, 2017
I got the same issues with the older versions (forgot to mention that before). But I will wait for you to finish v2.2. Thanks for your reply!