
[Payload] DumpCreds 2.1 New Version


qdba


DumpCreds 2.1

  • Author: QDBA
  • Version: Version 2.1.0 Build 1004
  • Target: Windows 10

Description

** !!!!! works only on the Bash Bunny with FW 1.1 !!!!! **

Dumps the usernames & plaintext passwords from

  • Browsers (Chrome, IE, Firefox)
  • WiFi
  • SAM hashes (only if AdminMode=True)
  • Mimimk@tz dump (only if AdminMode=True)
  • Computer information (hardware info, Windows product key, hotfixes, software, local and AD user list)

without

  • use of USB storage (because USB storage is mostly blocked by USBGuard or DriveLock)
  • an Internet connection (because the firewall content filter blocks the download sites)

Problems

  • The first time you use the payload on a computer, it will take some time and several tries until the drivers are successfully loaded.
  • If the payload doesn't work (red LED, or yellow LED blinks 2 or 4 times), unplug the BB and try again (can take 3 or 4 tries).
  • If the payload stops working and the yellow LED blinks very fast for longer than 2 min without ever reaching a white LED, you ran into a timeout. Once the BB is plugged in, every payload has 1 min 30 s to do its job; at 1 min 30 s every payload is stopped. (That is a FW 1.1 issue.)

Debug

If you want debug information, create a file named "DEBUG" in the payload folder. You will then find the debug information in \loot\DumpCred_2.1\log.txt.

Configuration

None needed.

Requirements

impacket - install it from https://github.com/qdba/MyBashBunny/tree/master/tools

Download

https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds

Install

  1. Put Bash Bunny in arming mode

  2. Copy all folders into the root of the Bunny flash drive.

     Mandatory:
       • payloads/library/DumpCreds_2.1 --> the payload files
       • payloads/library/DumpCreds_2.1/PS --> the PowerShell scripts for the payload
       • tools --> impacket tools (provide smbserver.py) (not necessary if already installed)

     Not necessary:
       • docs --> this doc file
       • languages --> language files for DUCKY_LANG

  3. Eject Bash Bunny safely!!

  4. Insert Bash Bunny in arming mode (impacket and languages will be installed).

  5. Copy all files and folders of the payload from payloads/library/DumpCreds_2.1 to payloads/switch1 or payloads/switch2.

  6. Eject Bash Bunny safely.

  7. Move the switch to the right position.

  8. Plug in Bash Bunny and have fun....! :-)

STATUS

LED                      Status
-----------------------  --------------------------------------------
Magenta solid            Setup
Red slow blink           Impacket not found
Red fast blink           Target did not acquire IP address
Yellow single blink      Initialization
Yellow double blink      HID stage
Yellow triple blink      Wait for IP coming up
Yellow quad blink        Wait for handshake (SMB server coming up)
Yellow very fast blink   PowerShell scripts running
White fast blink         Cleanup, copy files to /loot
Green                    Finished
-----------------------  --------------------------------------------

Discussion

https://forums.hak5.org/index.php?/topic/40582-payload-drumpcreds-20-wo-internet-wo-usb-storage

Credits

to...... 

https://github.com/EmpireProject/Empire         Get-FoxDump.ps1, Invoke-M1m1k@tz.ps1, Invoke-PowerDump.ps1, Get-ChromeCreds.ps1

Changelog

  • Completely new payload.txt code for Bash Bunny 1.1
  • Added a lot of debug code to the payload
    For debugging, create a file "DEBUG" in the payload folder. You get the debug log in \loot\Dumpcreds_2.1
  • Impacket .deb included for easy impacket installation
  • Some Ducky languages included (from the DuckyInstall payload)


Why doesn't it save the loot to the loot directory but instead to the payload folder that it runs from? Is this for a faster payload or to get rid of storage mode during the payload?


You are right. It's to get rid of the storage mode. I don't know any company who allows USB storage; the USB ports are almost always blocked.

So I store the loot in the payload folder and copy it during cleanup to the /loot folder.


I have used this 3 times now on my Win10 machine and also restarted the Win10 machine after the first 2 tries. The loot folder is created and the Bunny LED blinks like the description, but I never have anything in the loot folder.

15 hours ago, b0N3z said:

Why doesn't it save the loot to the loot directory but instead to the payload folder that it runs from? Is this for a faster payload or to get rid of storage mode during the payload?

Please go to DEBUG mode (create a file named DEBUG in the payload folder) and look at the file /loot/DumpCred_2.1/log.txt.
If there is no log.txt, take a look at /tmp/log.txt. If there is something like "bunny.service timeout" or "bunny.service failed", you probably ran into a timeout.

This is a Bunny issue in firmware 1.1 and will be solved in FW 1.2.

Look there .....

4 hours ago, trumoo said:

URL is bad, was this pulled?

edit: https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds

My payload just blinks yellow 4 times endlessly until it times out. Nothing is ever run. I can't figure out how to get the debug information.

I updated the URL.

If you have created the file DEBUG in the payload folder, debug information is written to the file /tmp/log.txt. At the end of the payload the log is copied to the /loot folder.

But if you run into a timeout, neither the debug log nor the loot can be copied to the /loot folder. For debugging you can SSH into the Bunny and look at /tmp/log.txt.


Thanks. Issue was I didn't change lang from de to us in the payload.txt.

Payload is working now. At the end of the script, it closes the first cmd prompt but leaves open the red elevated cmd prompt. I'm running Windows 10 1607 as an admin.


I added 

# Kill powershell.exe 
kill -processname powershell -ErrorAction SilentlyContinue

to the bottom of my .ps1 to properly terminate the powershell window.


I love this script, thank you for all your hard work!


@Mohamed A. Baset Sorry, it should not look like I am ignoring your post. You are right, SMB is really a nightmare. In the near future I will rewrite the payload, but I'm waiting for Bunny FW 1.2. Sebkinne said FW 1.2 will come asap.

5 hours ago, trumoo said:

Thanks. Issue was I didn't change lang from de to us in the payload.txt.

Payload is working now. At the end of the script, it closes the first cmd prompt but leaves open the red elevated cmd prompt. I'm running Windows 10 1607 as an admin.


I added 

# Kill powershell.exe 
kill -processname powershell -ErrorAction SilentlyContinue

to the bottom of my .ps1 to properly terminate the powershell window.


I love this script, thank you for all your hard work!

The PowerShell window stays open because you are in debug mode. Delete the DEBUG file from the payload folder and all will be ok.


First, thank you qdba for your work.

On 4/10/2017 at 6:40 PM, trumoo said:

Thanks. Issue was I didn't change lang from de to us in the payload.txt.

At first I was plugging in, receiving 4 yellow blinks and after a while a solid yellow. Nothing was created in the debug file or the /tmp/log file. After changing the lang from de to us I now see PowerShell commands running; however, it seems to stop working (hangs) at the red cmd Administrator (c:\windows\system32) prompt. Again no debug or log information was written.

Host is W10; I've also tried on a Win7 VM. BB is 1.1 with impacket and responder. I've tried it many times and it is still not working, not sure what the issue is.

7 hours ago, qdba said:

open the file /usr/local/bunny/bin/bunny_framework with an editor. At the end of the file there is the command

Hello qdba,

Unfortunately the worst happened. I went to /usr/local/bunny/bin/bunny_framework and modified the bunny_framework file with nano. As you specified, I completed the command hop with a &, resulting in hop & ().

As a result, switches 1 and 2 no longer work. The .deb file installation in the tools folder, either. So I ran a factory reset, then an update to firmware 1.1. Unfortunately, no more files are installed ("docs", "languages", etc.).

I went back to /usr/local/bunny/bin/, but I can not go further than /usr/local/ because the folder "bunny" seems to no longer exist ...

I am currently a little lost. I hope you will be able to give me valuable help.

Thank you very much.


So do a clean factory reset.

Stay at FW 1.0. Test if you can reach the Bunny.

26 minutes ago, qdba said:

so do a Clean Factory reset.

Thank you for your reply. Unfortunately, I find myself at the same point as previously mentioned: still no access to the file bunny_framework, no folders created during restoration, and finally no switch works, this in FW 1.0 ...


Had you unplugged the Bunny during recovery or installation of FW 1.1?

Could you log in with serial in arming mode?


I didn't unplug the Bunny during recovery or installation, and yes, I could log in with serial in arming mode.

Edit: This is interesting, the bunny_framework file seems to have been erased ... I notice that even after a complete restoration with the original firmware, the situation does not work out. The file is always missing, precisely at the following path: usr/local/bunny/bin/bunny_framework.
Would there be a solution to put it all back together?


In FW 1.0 there is no bunny_framework. The important thing is that you can log in to the Bunny, so the Bunny works.

You put the & in the wrong place. I got the advice with the & from sebkinne, but while writing the patch I'm not sure if it works right. Therefore I removed the post from this thread. Please wait for the patch, or wait for FW 1.2, which will come asap.


I made some changes to the payload: instead of cmd calling PowerShell to open another cmd, I have it opening a PowerShell as admin (more tools). And I have added another section which closes all open cmd and PowerShell windows just in case one lingers for whatever reason, and of course clears the Run dialog.

6 hours ago, Fang_Shadow said:

I made some changes to the payload: instead of cmd calling PowerShell to open another cmd, I have it opening a PowerShell as admin (more tools). And I have added another section which closes all open cmd and PowerShell windows just in case one lingers for whatever reason, and of course clears the Run dialog.

Does it work if you are not admin and there is no UAC prompt?


@qdba Hi, I just tried your payload, got it off your GitHub. Tried v2.2 (although the readme still said 2.1), figured I'd try the latest. What I run into is the part where it waits for the IP to come up: it stalls there when testing on a Win7 (VM) machine. Next are some errors (see screenshot). I also tried it on a native Win10 system. Here it starts blinking red, also at the same stage as waiting for the IP to come up. However, I think this last part has another cause. Also when running the quickcred payload it fails on getting the system IP. I have no clue what that is about.


2.2 is heavily under development and not ready for use.

- Payload not ready

- main.ps1 50% ready

All PowerShell files are AES encoded; they will be decoded directly in memory so the AV scanner does not detect them too fast.

- Encode/decode script ready

Please wait a few days until all is working fine.
