qdba Posted April 20, 2017

DumpCreds 2.3.3
Author: QDBA
Version: Version 2.3.1 Build 1013
Target: Windows 7, 10

Description
** !!!!! works only at Bash Bunny with FW 1.1+ !!!!! **
Dumps the usernames & plaintext passwords from
- Browsers (Chrome, FireFox)
- Wifi Creds
- SAM Hashes (only if AdminMode=True)
- Mimimk@tz Dump (only if AdminMode=True)
- Computer information (Hardware Info, Windows ProductKey, Hotfixes, Software, Local, AD Userlist)
without
- Use of USB Storage (because USB Storage is mostly blocked by USBGuard or DriveLock)
- Internet connection (because Firewall ContentFilter blocks the download sites)

Problems
- If you use the payload on a computer the first time, it will take some time and tries until the drivers are successfully loaded. If the payload doesn't work (Red LED or Yellow LED blinks 2 or 4 times), plug off the BB and try it once more (can take 3 or 4 times).
- If the payload stops working, the yellow LED blinks very fast or triples longer than 2 min, and you get no white LED, you ran into a time out. If you plug in the BB, every payload has 1 min 30 s for doing the job. At 1 min 30 s every payload stops. (That's a FW 1.1 issue.)
- Don't use a static IP on the Target Computer. (GET TARGET_IP works only if DHCP is used.)

Configuration
None.

Requirements
If you have another language than us, install it according to the Bash Bunny documentation.

Download
https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds

Install
- Put Bash Bunny in arming mode.
- Change DUCKY_LANG in config.txt of payload.txt if needed. Edit Get-WifiCreds.ps1 and change the ".... | Select-String -Pattern" entries to your language if other than "de" or "us".
- Copy all files and folders in GitHub's DumpCred folder to your favorite switch folder.
- Eject Bash Bunny safely!!
- Move switch into the right position if necessary.
- Set UAC Mode in payload.txt (1 = Fodhelper UAC (Win 10 only), 0 = Standard UAC (Win 7 + Win 10)).
- Plug in Bash Bunny and have fun....! :-)

STATUS LED
Magenta Solid: Setup
Red fast blink: Target did not acquire IP address
Yellow single blink: Initialization
Yellow double blink: HID Stage
Yellow very fast: Wait for IP coming up, run Powershell scripts
White: Cleanup, copy files to /loot
Green: Finished

Discussion
https://forums.hak5.org/index.php?/topic/40806-payload-new-dumpcreds-22/

Credits
Special thx to illwill & tux for the server.py (HTTP_Server).
https://github.com/EmpireProject/Empire (Get-FoxDump.ps1, Invoke-M1m1k@tz.ps1, Invoke-PowerDump.ps1, Get-ChromeCreds.ps1, dumpCredStore.ps1)
Valentin-Metz for inserting the Fodhelper UAC-Bypass (Resource: https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1)

Changelog
Version 2.3.3
[Build 1013] Minor changes. Encode Invoke-PowerDump because of being caught by AV. Add dumpCredStore; dumps credentials from Vault.
Version 2.3.2
[Build 1012] Multiple UAC Modes: 1 = Fodhelper; 0 = Standard UAC
[Build 1011] Undo all changes in RunMRU and Powershell history
Version 2.3.1
[Build 1009] Merged the UAC Bypass fodhelper changes from valentin-metz
Version 2.2
[Build 1008] Removed DUCKY_LANG from payload.txt because you set it in config.txt [FW 1.2].
[Build 1007] Some errors fixed with char encoding and encrypted PS payloads in Windows 7
[Build 1006] smbserver stuff removed; handshake removed; HTTP Server added (download Powershell scripts, upload loot); Invoke-m1m1d0gz.ps1 AES encrypted to Invoke-M1m1d0gz.enc. Not really necessary, but if you are in storage mode, the AV doesn't remove it. :-) All in all a little bit faster; removed the debug code; recoded the Get-WiFiCreds.ps1 for working on Windows 7
Version 2.1
[Build 1007] Some errors fixed with char encoding and encrypted PS payloads in Windows 7
[Build 1006] smbserver stuff removed; handshake removed; HTTP Server added (download Powershell scripts, upload loot); Invoke-m1m1d0gz.ps1 AES encrypted to Invoke-M1m1d0gz.enc. Not really necessary, but if you are in storage mode, the AV doesn't remove it. :-) All in all a little bit faster; removed the debug code; recoded the Get-WiFiCreds.ps1 for working on Windows 7
Version 2.1
Complete new payload.txt code for BashBunny 1.1. Added a lot of debug code into the payload. Universal payload: never mind if you are admin (with UAC prompt) or not (with credentials prompt), the payload works anyway.
Smeege Posted April 20, 2017

Thanks for your work qdba. I tested it on my Windows 10 box and it seemed to work perfectly (on the 3rd attempt). Just to note, if UAC is enabled on the system, it will require quick interaction to choose "yes" when prompted about making changes to the device: http://i.imgur.com/0NdTJPJ.png
qdba (Author) Posted April 20, 2017

1 hour ago, Smeege said:
> Thanks for your work qdba. I tested it on my Windows 10 box and it seemed to work perfectly (on the 3rd attempt). Just to note, if UAC is enabled on the system, it will require quick interaction to choose "yes" when prompted about making changes to the device: http://i.imgur.com/0NdTJPJ.png

The payload is doing that. Just change Q ALT j to Q ALT y in payload.txt. It's because I'm on a German-language system.
Smeege Posted April 20, 2017

1 hour ago, qdba said:
> The payload is doing that. Just change Q ALT j to Q ALT y in payload.txt. It's because I'm on a German-language system.

My fault, it's right there in the payload comments :) It seems "Q ALT y" doesn't interact with my UAC prompt, because after the PowerShell command is run the UAC window comes up but it's not in focus or in the foreground, so no commands/keys work. However, if I click the UAC window and try "ALT y" it successfully closes the UAC window. Not sure if this is a common BB issue or just something weird with my host.
Smeege Posted April 20, 2017

Never mind, I kind of figured it out: if the UAC setting is the default, your script works fine and selects "yes" on the UAC window. If the UAC setting on the host is "do not dim my desktop" then it does not work unless someone manually selects "yes", which isn't a big deal since unlocked access is required anyway. I'll try to find a way which works for both UAC settings unless you have a suggestion.
Mohamed A. Baset Posted April 21, 2017

@qdba New version works like a charm. See when you get rid of SMB :D Nice work!
rizzah Posted May 9, 2017

I seem to have trouble where it fails on "Target did not acquire IP address". Any idea how this is possible? I seem to get this when testing on a Windows 10 system.

Question 2: I read that to get some hash info I have to set AdminMode=true, but where do I set this?
PoSHMagiC0de Posted May 9, 2017

I see you are taking my cue and borrowing from the Empire team for some payloads. Yep, most of the payloads that are out there for the Bunny are already done in other projects like Nishang, Powersploit and Empire. You just have to adjust for your needs. That is the reason why in my project I advise having your scripts in function format for ease of use. Because, like you are finding, the other folks out there doing this stuff follow that format (and will not take requests for other people's work unless it follows that format). Because they do, you can easily adopt them in your own projects by just calling them with different parameters.

Nice selection for credentials. I see for obfuscation you are AES encrypting with the salt in the beginning and the password preset in your agent. Nice. Have you thought about just compressing the script and then encoding it to send for obfuscation? Could be done on the python server and then undone in your agent for all your scripts, so you do not have to precondition the script for the BB. I started down the route you are on with utility scripts to preset scripts in a format for obfuscation, but then decided to change it around for the server to just compress it without headers and encode before sending (all handled by the server on the BB), so the bbAgent decompresses and decodes it to be run. Takes less time than crypto does and obfuscates it from AV. That way you do not have to encode your scripts before putting them on the Bunny for obfuscation, as long as you are not using USB mode or SMB to that folder, which will still fire off the AV once seen.
qdba (Author) Posted May 10, 2017

13 hours ago, rizzah said:
> I seem to have trouble where it fails on "Target did not acquire IP address". Any idea how this is possible? I seem to get this when testing on a Windows 10 system. Question 2: I read that to get some hash info I have to set AdminMode=true, but where do I set this?

1. Do you set the IP of the Remote NDIS Driver on your computer manually, or have you enabled ICS sharing? The command GET TARGET_IP does only work if your Remote NDIS Driver is set to DHCP.

2. If you have Admin rights at your computer (the UAC is working) the script is set to AdminMode=True. If you have no Admin rights it doesn't make sense to run mimikatz or hashdump because this works only if you have Admin rights. So AdminMode shows only if you have admin rights ($true) or not (false).
qdba (Author) Posted May 10, 2017

@PoSHMagiC0de Thank you for your opinion and suggestion. I give you 100%, writing scripts in function format is not so bad. But...

... When I started writing DumpCreds and other scripts for BB I hadn't done anything before with PowerShell. Not even a "Hello World". So I'm fighting a lot with the PowerShell syntax and some effects I did not expect:
- output lines are truncated
- piping directly to a file on BB's smbserver.py did not work
- when I pipe the output to variables, CRs and LFs vanish
- no idea how to start functions in the background

I'm CIO and CSIO at 3 different companies with around 350 workstations, 30 servers, 120 printers. My team (2 other guys) and I do everything you can imagine in IT. From installing and configuring firewalls, switches and routers, SAN, NAS, over 1st, 2nd, 3rd level support for the employees in Office and Windows, communication, managing and configuring the 30 postfix, exchange, Samba, HTTP, Secmail, File, ..... servers, supporting and customizing SAP (MM, PP, Base, WM, user rights management), writing reports and scripts in ABAP, Perl, Bash, DOS, VB, VBA, QlickView, and so on..... 3 persons for the whole IT stuff with little help from outside.

I need DumpCreds and an Excel doc with encrypted meterpreter shellcode for a live hacking demo during the training to raise the awareness of our employees in IT security. I will sensitize them. As I did it, it was the fastest and most effective way for me to learn PowerShell and program that script. At the moment I have no time to take care of a well written script. Maybe I will do it in version 3.0. (And I will remove my modifications from the used Empire scripts in 3.0.)

I did the encryption thing because every time I plugged in the BB in arming or storage mode for developing or trying another payload, my AV deleted Empire's Mimikatz.ps1 script. A simple obfuscation didn't help a lot.

First I wanted to do it with base64 encoding and compression. But during my work with the Excel doc the base64 encoded meterpreter shellcode was detected by my AV scanners. I think one day AV scanners will detect the encoded mimikatz script. Especially since I publish the script in the forum. If so, it's very easy to hide the script once more. Only change the password and/or salt, encode it again with https://github.com/qdba/MyBashBunny/tree/master/Other/EncDecFiles and that's it. That's the idea behind all...
PoSHMagiC0de Posted May 10, 2017

Now that you mention the arming mode, I did forget about a couple of my scripts that vanish when I hook up my Bunny in arming mode at work to my Windows machine hahaha. Yeah, I get what you are saying. I try to stick with arming this thing on my Linux box because of that.

Meterpreter is a popular framework so every AV has its signatures. I have a feeling they even got a copy of Veil and made it produce tons of permutations of its obfuscation just so they could put it in their scanner, because Veil doesn't seem to do much. Think they are targeting the packers. Best bet I've seen is to use a PowerShell stager. The new API MS has released for AV and apps may make in-memory script and code more difficult if companies begin to use it.

You're in my boat for work. Doing everything in IT. I started at one of the major cable providers as IT, then IT and networking, then they saw my development background and I became IT/Network/Internal Developer. Soon I was Dev Ops. Then I got tired and quit to go with a smaller company... and I am doing all those things all over again hehe. My primary coding when working is C# but I practice Node, python and even have gotten into MSIL injecting.

Have not tried, but Empire's DLL is not detectable yet (well, the original before PoSH is added to it). Modifying Empire psinject, or looking at how they do it in their dll stager, you may be able to reuse it to put in your own code. I did a few times but have not really used it for something yet. Powersploit reflective injection is not hostile yet to AV; you could use that in conjunction with the DLL encoded in the script to fire off your stuff. Downside is you have to be in the right arch (64 bit or 32 bit dlls).

Are you using Excel to serve a macro for your customers? If so, hit me up, I can hand you down some obfuscation tricks for macros if you need more ideas. Some I made up, some I stole from phishers, except for the one that takes song lyrics in the Word document and reconstructs the command with the characters from those songs. People blocking doc formats have phishers embedding macro documents and downloaders in password protected docx files again. Docx can't run macros but the embedded documents can. :-P

Some people think I am bashing their code when I offer feedback. I am not. I like helping... too much so. I'm very active in PowerShell and C# help forums. Most of the stuff I know I got from others too and still take advice on better ways to do things. All in all, if it works, it works. :-)
rottingsun Posted May 10, 2017

4 minutes ago, PoSHMagiC0de said:
> Meterpreter is a popular framework so every AV has its signatures. I have a feeling they even got a copy of Veil and made it produce tons of permutations of its obfuscation just so they could put it in their scanner, because Veil doesn't seem to do much. Think they are targeting the packers. Best bet I've seen is to use a PowerShell stager. The new API MS has released for AV and apps may make in-memory script and code more difficult if companies begin to use it.

Most likely, but I have found the python/meterpreter/rev_tcp with pyherion encrypter to still be pretty reliable as far as AV evasion. As far as the new Defender API, as long as local admin perms are present on the target, you can use Set-MpPreference (Set-MpPreference -DisableRealtimeMonitoring $true for example) to turn off the various features of Defender. This is a bit "noisy", since a notification pops up immediately in the tray, but you could always quickly disable Defender, run mimikatz or some other payload, then re-enable Defender in the cleanup.

I'm actually contemplating getting a bunny just for a payload similar to that. Start off in RO mode and disable Defender, loop with Get-MpPreference | fl DisableRealtimeMonitoring until the value becomes True, switch to RW mode and execute a payload, exfil to storage if necessary, switch back to RO mode, re-enable Defender.
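As an added defender-side example (not code from this thread or from the DumpCreds payload): a PowerShell check for the disable-then-re-enable sequence described in the post above, using Get-MpPreference for the current state and the Defender Operational event log for history. The lookback period and the "short window" threshold are assumed values.

```powershell
# Added example, not part of the thread or the DumpCreds payload.
# Assumes Microsoft Defender is the AV on the host and the script runs with
# rights to read the Defender Operational log (normally local admin).
param(
    [int]$LookbackHours = 24,      # assumed value: how far back to look
    [int]$MaxWindowMinutes = 10    # assumed value: a disable window this short is suspicious
)

# 1. Current state: is real-time monitoring switched off right now?
$pref = Get-MpPreference
if ($pref.DisableRealtimeMonitoring) {
    Write-Warning "Real-time monitoring is currently DISABLED on $env:COMPUTERNAME"
}

# 2. History: Defender writes event 5001 when real-time protection is disabled,
#    5000 when it is enabled again, and 5007 for the configuration change itself
#    (which is what a Set-MpPreference call produces).
$since = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5000, 5001, 5007
    StartTime = $since
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

if (-not $events) {
    Write-Output "No real-time protection state changes in the last $LookbackHours h."
    return
}

# 3. Pair each 5001 (disabled) with the next 5000 (enabled) and flag short windows:
#    "disable, run payload, re-enable in cleanup" leaves exactly this footprint.
$openDisable = $null
foreach ($e in $events) {
    switch ($e.Id) {
        5007 {
            $firstLine = ($e.Message -split "`n")[0]
            Write-Output ("{0}  config change: {1}" -f $e.TimeCreated, $firstLine)
        }
        5001 {
            $openDisable = $e.TimeCreated
            Write-Output ("{0}  real-time protection DISABLED" -f $e.TimeCreated)
        }
        5000 {
            if ($openDisable) {
                $window = ($e.TimeCreated - $openDisable).TotalMinutes
                $flag = ''
                if ($window -le $MaxWindowMinutes) { $flag = '  <-- short disable window, investigate' }
                Write-Output ("{0}  real-time protection re-enabled after {1:N1} min{2}" -f $e.TimeCreated, $window, $flag)
                $openDisable = $null
            }
        }
    }
}

if ($openDisable) {
    Write-Warning "Real-time protection was disabled at $openDisable and has not been re-enabled since."
}
```

Forwarding the same 5001/5007 events to a central log collector is the more robust option, since an attacker with local admin can also clear the local Operational log.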
PoSHMagiC0de Posted May 10, 2017

41 minutes ago, rottingsun said:
> Most likely, but I have found the python/meterpreter/rev_tcp with pyherion encrypter to still be pretty reliable as far as AV evasion.

The aes one for python used to work. Here is a funny story. When it was working on my old Kali last year, Veil complained about me missing some of the stuff it was using to create the payload. Funny thing is the payload worked and no AV warning. After research, I fixed those issues, and now the payload is detectable. :-P At a loss on that one hehe. Maybe I need to break my Veil again so it works again. :-)

Now, what does work is I created a template for a C# .NET loader for PowerShell code that I can add my code to and compile. That one is not detected. Hmm, maybe they are still working on detecting malicious .NET. The Veil .NET does not work, it is detected. :-\
Feuermagier Posted September 8, 2017

Hi, I noticed a problem with confirming the Windows elevation request. It doesn't seem to do it. How exactly did you implement confirming the UAC?
Feuermagier Posted September 8, 2017

K, took me a while of tinkering, found out that the German keyboard uses weird keys. Managed to fix it thanks to your good comments in the script. Very helpful there, keep up the good work!
Feuermagier Posted September 8, 2017

Additional tip: if you use leftarrow+enter it's universal.
PoSHMagiC0de Posted September 8, 2017

4 hours ago, Feuermagier said:
> Additional tip: if you use leftarrow+enter it's universal.

mame, who wrote P4wnP1, decided to use shift-tab and then enter for universal too.

On 5/10/2017 at 8:00 AM, rottingsun said:
> Most likely, but I have found the python/meterpreter/rev_tcp with pyherion encrypter to still be pretty reliable as far as AV evasion. As far as the new Defender API, as long as local admin perms are present on the target, you can use Set-MpPreference (Set-MpPreference -DisableRealtimeMonitoring $true for example) to turn off the various features of Defender. This is a bit "noisy", since a notification pops up immediately in the tray, but you could always quickly disable Defender, run mimikatz or some other payload, then re-enable Defender in the cleanup. I'm actually contemplating getting a bunny just for a payload similar to that. Start off in RO mode and disable Defender, loop with Get-MpPreference | fl DisableRealtimeMonitoring until the value becomes True, switch to RW mode and execute a payload, exfil to storage if necessary, switch back to RO mode, re-enable Defender.

I have been finding myself using msfvenom to generate a payload and then creating my own obfuscation for it, since most of the standard ones from Veil have been getting detected lately. Even been using a Veil payload to further obfuscate, like getting the payload into a .NET format so I can obfuscate it for PowerShell to use reflection to load. If I need to modify it while it is in .NET compiled form I would just use ilspy and the reflexil plugin to adjust it accordingly so I can launch it from memory easier.
Feuermagier Posted September 11, 2017

I did a complete rework of how the UAC-Bypass is done (complete bypass by Windows exploit, no popup):
https://github.com/qdba/bashbunny-payloads/blob/00d4720b6b8496f5c4b9aff3f162d2de8ec8a7a1/payloads/library/credentials/DumpCreds/payload.txt

I hope for feedback and test results.
qdba (Author) Posted September 11, 2017

29 minutes ago, Feuermagier said:
> I did a complete rework of how the UAC-Bypass is done (complete bypass by Windows exploit, no popup): https://github.com/qdba/bashbunny-payloads/blob/00d4720b6b8496f5c4b9aff3f162d2de8ec8a7a1/payloads/library/credentials/DumpCreds/payload.txt I hope for feedback and test results.

Quite good, going to test it...
Feuermagier Posted September 11, 2017

4 hours ago, qdba said:
> Quite good, going to test it...

Nice. I just did another patch to make the first PowerShell hidden, too.
https://github.com/Valentin-Metz/bashbunny-payloads/blob/8c9052c022262cb2183493bc3b6ae73c830b256c/payloads/library/credentials/DumpCreds/payload.txt

The "On Screen Time" is now under 2 seconds. Would be great if you could help me find a way to start the fodhelper hidden. Then we would be completely silent.
Dave-ee Jones Posted September 12, 2017

You could use ATTACKMODE OFF instead of killing the server, as well. Just a thought.
qdba (Author) Posted September 12, 2017

On 11.09.2017 at 3:02 PM, qdba said:
> Quite good, going to test it...

19 hours ago, Feuermagier said:
> Nice. I just did another patch to make the first PowerShell hidden, too. https://github.com/Valentin-Metz/bashbunny-payloads/blob/8c9052c022262cb2183493bc3b6ae73c830b256c/payloads/library/credentials/DumpCreds/payload.txt The "On Screen Time" is now under 2 seconds. Would be great if you could help me find a way to start the fodhelper hidden. Then we would be completely silent.

I merged your patch to the master branch. Did some patches so fodhelper starts hidden.
https://github.com/qdba/bashbunny-payloads/blob/master/payloads/library/credentials/DumpCreds/payload.txt
Feuermagier Posted September 12, 2017

Nice! I just tested it, and I have to say it works great. Btw, the payload.txt still says "Dump Creds 2.1" in the title. Maybe you should actually go for 2.3, as it is quite a big change. It is really great, only a split second window, works out really well. Very easy to hide.

Does hak5 not update the main branch anymore? The version they have in the repository is outdated.

Also I noticed that we leave 2 PowerShells open at the end of the script. Maybe we should clean these up.
qdba (Author) Posted September 12, 2017

7 hours ago, Feuermagier said:
> Nice! I just tested it, and I have to say it works great. Btw, the payload.txt still says "Dump Creds 2.1" in the title. Maybe you should actually go for 2.3, as it is quite a big change. It is really great, only a split second window, works out really well. Very easy to hide. Does hak5 not update the main branch anymore? The version they have in the repository is outdated. Also I noticed that we leave 2 PowerShells open at the end of the script. Maybe we should clean these up.

Updated the repo so hak5 could merge it to the master branch.
Changed version to 2.3.
Added taskkill /F /IM powershell.exe at the end of main.ps1.
Feuermagier Posted September 13, 2017

Great job! I will immediately test it. Will also see if I can find some stuff that could add to its effectiveness further.