Jump to content
Hak5 Forums

Recommended Posts

 

DumpCreds 2.3.3

  • Author: QDBA
  • Version: Version 2.3.1 Build 1013
  • Target: Windows 7, 10

Description

** !!!!! works only at Bash Bunny with FW 1.1+ !!!!! **

Dumps the usernames & plaintext passwords from

  • Browsers (Chrome, FireFox)
  • Wifi Creds
  • SAM Hashes (only if AdminMode=True)
  • Mimimk@tz Dump (only if AdminMode=True)
  • Computerinformation (Hardware Info, Windows ProductKey, Hotfixes, Software, Local, AD Userlist)

without

  • Use of USB Storage (Because USB Storage ist mostly blocked by USBGuard or DriveLock)
  • Internet connection (becaus Firewall ContentFilter Blocks the download sites)

Problems

  • if you use the payload on a computer th efirst time, it will take some time and tries until the drivers are successfully loaded.
  • If the payload doesnt work. (Red LED or Yellow LED blinks 2 or 4 times) plug off the BB and try it once more (can take 3 or 4 times)
  • If the payload stops working yellow LED blinks very fast or triples longer than 2min. You get no white LED. Your run into a time out. If you plugin the BB every payload has 1min 30sfor doing the job. At 1min 30s every payload stops. (Thats a FW 1.1 issue)
  • Don't use a static IP on Target Computer. ( GET TARGET_IP works only if DHCP is used. )

Configuration

None.

Requirements

  • If you have an other language than us install it according to the Bash Bunny documentation

Download

https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds

Install

  1. Put Bash Bunny in arming mode

  2. Change DUCKY_LANG in config.txt of payload.txt if needed, Edit Get-WifiCreds.ps1 and change ".... | Select-String -Pattern entries to your language if other than "de" or "us"

  3. Copy all files and folders in Githubs DumpCred Folder to your favorit switch folder

  4. eject Bash Bunny safely!!

  5. move switch into right position

  6. if necessary set UAC Mode in payload.txt ( 1 ) Fodhelper UAC (Win 10 only), 0 = Standard UAC (Win 7 + Win 10))

  7. plugin Bash Bunny and have fun....! :-)

STATUS

LED Status
Magenta Solid Setup
Red fast blink Target did not acquire IP address
Yellow single blink Initialization
Yellow double blink HID Stage
Yellow Veryfast Wait for IP coming up, Run Powershell scripts
White Cleanup, copy Files to /loot
Green Finished

Discussion

https://forums.hak5.org/index.php?/topic/40806-payload-new-dumpcreds-22/

Credits

Changelog

Version 2.3.3

[Build 1013]

  • Minor changes
  • Encode Invoke-PowerDump because of caught by AV
  • Add dumpCredStore; Dumps credential from Vault

Version 2.3.2

[Build 1012]

  • Multiple UAC Modes 1 = Fodhelper; 0 = Standard UAC

[Build 1011]

  • Undo all changes in RunMRU and Powershell history

Version 2.3.1

[Build 1009]

  • Merged the UAC Bypass fodhelper changes from valentin-metz

Version 2.2

[Build 1008]

  • Removed DUCKY_LANG from payload.txt because set it in config.txt [FW 1.2]. [Build 1007]
  • Some Errors fixed with Char Encoding and Encrypted PS Payloads in Windows 7

[Build 1006]

  • smbserver stuff removed
  • handshake removed
  • HTTP Server added (Download Powershell scripts, upload loot)
  • Invoke-m1m1d0gz.ps1 AES encrypted to Invoke-M1m1d0gz.enc. Not really neccessary but if you are in storage mode, the AV doesn't remove it. :-)
  • All in all a little bit faster
  • remove the debug code
  • recoded the Get-WiFiCreds.ps1 for working on Windows 7

Version 2.1

[Build 1007]

  • Some Errors fixed with Char Encoding and Encrypted PS Payloads in Windows 7

[Build 1006]

  • smbserver stuff removed
  • handshake removed
  • HTTP Server added (Download Powershell scripts, upload loot)
  • Invoke-m1m1d0gz.ps1 AES encrypted to Invoke-M1m1d0gz.enc. Not really neccessary but if you are in storage mode, the AV doesn't remove it. :-)
  • All in all a little bit faster
  • remove the debug code
  • recoded the Get-WiFiCreds.ps1 for working on Windows 7

Version 2.1

  • Complete new payload.txt code for BashBunny 1.1
  • Added a lot of debug cod into the payload
  • Universal payload. Never mind if you are admin (With UAC Prompt) or not (with Credentials Prompt) the payload works anyway.
Edited by qdba
  • Upvote 1

Share this post


Link to post
Share on other sites

Thanks for your work qdba. I tested it on my Windows 10 box and it seemed to work perfectly (on the 3rd attempt).

Just to note, if UAC is enabled on the system, it will require quick interaction to choose "yes" when prompted about making changes to the device: http://i.imgur.com/0NdTJPJ.png

Share this post


Link to post
Share on other sites
1 hour ago, Smeege said:

Thanks for your work qdba. I tested it on my Windows 10 box and it seemed to work perfectly (on the 3rd attempt).

Just to note, if UAC is enabled on the system, it will require quick interaction to choose "yes" when prompted about making changes to the device: http://i.imgur.com/0NdTJPJ.png

The payload is doing that. Just change Q ALT j  to Q ALT y  in payload.txt. It's because I'm on German language

 

Edited by qdba

Share this post


Link to post
Share on other sites
1 hour ago, qdba said:

The payload is doing that. Just change Q ALT j  to Q ALT y  in payload.txt. It's because I'm on German language

 

My fault, it's right there in the payload comments :) It seems "Q ALT y" doesn't interact with my UAC prompt because after the powershell command is run the UAC window comes up but it's not in focus or in the foreground so no commands/keys work. However, if I click the UAC window and try "ALT y" it successfully closes the UAC window. Not sure if this is a common BB issue or just something weird with my host.

Share this post


Link to post
Share on other sites

Nevermind, I kind of figured it out, if the UAC setting is the default your script works fine and selects "yes" on the UAC window. If the UAC setting on the host is "do not dim my desktop" then it does not work unless someone manually selects "yes", which isn't a big deal since unlocked access is required anyways. I'll try to find a way which works for both UAC settings unless you have a suggestion.

Share this post


Link to post
Share on other sites

I seem to have trouble where it fails on "Target did not acquire IP address". Any idea how this is possible? I seem to get this when testing on a Windows 10 system.

 

Question 2: i read that to get some hash info to set AdminMode=true, but where do i set this? 

Edited by rizzah

Share this post


Link to post
Share on other sites

I see you are taking my queue and borrowing from the Empire team for some payloads.  Yelp, most of the payloads that are out there for the Bunny are already done in other projects like Nishang, Powersploit and Empire.  You just have to adjust for your needs.  That is the reason why in my project I advise to have your scripts in function format for ease of use.  Because, like you are finding, the other folks out there doing this stuff follows that format (and will not take requests for other people's work unless it follows that format).  Because they are, you can easily adopt them in your own projects by just calling it with different parameters.  Nice selection for credentials.

I see for obfuscation you are AES encrypting with the salt in the beginning and password preset in your agent.  Nice.  Have you thought about just compressing the script and then encoding to send for obfuscation?  Could be done on the python server and the undid in your agent for all your scripts so you do not have to precondition the script for the BB.  I started down the route you are on with utility scripts to preset scripts for a format for obfuscation but then decided to changed it around for the server to just compress it without headers and encode before sending (all handled by the server on the BB) so the bbAgent decompressed and decodes to be ran.  Takes less time than crypto does and obfuscates it from AV.  That way you do not have to encode your scripts before putting on the Bunny for obfuscation, as long as you are not using USB mode or SMB to that folder which will still fire off the AV once seen.

Share this post


Link to post
Share on other sites
13 hours ago, rizzah said:

I seem to have trouble where it fails on "Target did not acquire IP address". Any idea how this is possible? I seem to get this when testing on a Windows 10 system.

 

Question 2: i read that to get some hash info to set AdminMode=true, but where do i set this? 

1.
Do you set the IP of the Remote NDIS Driver on your Computer manually or have you enabled ICS sharing?
The command GET TARGET_IP does onliy work if your Remote NDIS Driver is set to DHCP

 

2.
If you have Admin rights at your computer  (the UAC is working) the script is set to AdminMode=True.  If  your have no Admin rights it doesn't make sense to run mimikatz or hashdump because tis works only if you have Admin rights. So AdminMode shows only if you have admin rights ($true) or not (false).

 

Share this post


Link to post
Share on other sites

@PoSHMagiC0de Thank you for your opinion and suggestion.
I give you 100% , writing scripts in Function format is not so bad. But...

... When I start writing DumpCreds and other scripts for BB I didn't do anything before with powershell. Not even a "Hello World" :rolleyes: . So I'm fighting a lot with the powershell syntax and some effects I did not expect. 
- output Lines are truncated
- piping directly to a file on BB's smbserver.py did not work
- when I piping the output to variables CRs and LFs are vanished
- No idea how to start functions in Background  

I'm CIO and CSIO at 3 different companies with round about 350 Workstation 30 Servers 120 Printers. My team ( 2 other guys) and I do everything you can imagine in the IT.
From installing and configurating firewalls, switches and routers, SAN, NAS,  over 1st, 2nd, 3rd Level Support for the employees in Office and Windows, communication , managing and configure the 30 postfix, exchange, Samba, HTTP,  Secmail File ,.....  Servers, supporting and customizing SAP (MM, PP, Base, WM, user rights management,  ) ,writing Reports and Scripts in ABAP, Perl, Bash, DOS, VB, VBA, QlickView, and so on..... 3 persons for the whole IT stuff with less help from outside.

I need DumpCreds and a Excel Doc with encrypted meterpreter shellcode for a live hacking demo during the training to raise the awareness of our employees in IT Security.  I will sensitize them. 

As I did it, it was the fastest and most effective way for me to learn powershell and  program that script. At the moment I have no time to take care about a well written script. Maybe I will do it in version 3.0 :smile:. (And  I will remove my modifications from the used Empire scripts in 3.0). 

I did the encryption thing because everytime a plugged in BB in arming or storage mode for developing or trying another payload my AV deletes Empires Mimikatz.ps1 script.   A simple obfuscation didn't help a lot.  First I wanted to do it with base64 encoding and compression.  But during my work with the excel doc the base64 encoded meterpreter shellcode was detected by my AV Scanners. I think one day AV Scanneres will detect the encoded mimikatz Script. Especially I pulish the script in the forum. 
If so its very easy to hide the script once more. Only changing the password and/or salt. Encode it new with https://github.com/qdba/MyBashBunny/tree/master/Other/EncDecFiles
and thats it. 

 

Thats the idea behind all...

Edited by qdba

Share this post


Link to post
Share on other sites

Now that you mention the arming mode, I did forget about a couple of my scripts that vanish when I hook up my Bunny in arming mode at work to my Windows machine hahaha.  Yeah, I get what you are saying.  I try to stick with arming this thing on my Linux box because of that.

Meterpreter is a popular framework so every AV has its signatures.  I have a feeling they even got a copy of Veil and made it produce tons of permutations of its obfuscation just so they could put it in their scanner because Veil doesn't seem to do much.  Think they are targeting the packers.  Best bet I seen is to use a Powershell stager. The new API MS has released for AV and apps may make in memory script and code more difficult if companies begin to use it.

Your in my boat for work.  Doing everything in IT. I started at one of the Major Cable providers as IT, then IT and networking, then they saw my development background and I became IT/Network/Internal Developer.  Soon I was Dev Ops.  Then I got tired and quit to go with a smaller company...and I am doing all those things all over again hehe.  My primary coding when working is C# but I practice Node, python and even have gotten into MSIL injecting.  Have not tried but Empire's DLL is not detectable yet (well the original before PoSH is added to it).  Modifying Empire psinject,  or looking how they do it in their dll stager you may be able to reuse to put in your own code. I did a few times but have not really used it for something yet.  Powersploit reflective Injection is not hostile yet to AV, you couple use that in conjunction with the DLL encoded in the script to fire off your stuff.  Downside is you have t be in the right arch (64 bit or 32bit dlls).

Are you using excel to serve a macro for your customers?  If so, hit me up, I can hand you down some obfuscation tricks for macros if you need more ideas.  Some I made up, some I stole from phishers, except for the one that takes song lyrics in the word document and reconstructs the command with the characters from those songs.  People blocking doc formats have phishers embedded macro documents and downloaders in password protected docx files again.  Docx can't run macros but the embedded documents can.  :-P

Some people think I am bashing their code when I offer feedback.  I am not.  I like helping...too much so.  I'm very active in Powershell and C# help forums.  Most of the stuff I know I got from others too and still take advice on better ways to do things.  All in all, if it works, it works. :-)

Share this post


Link to post
Share on other sites
4 minutes ago, PoSHMagiC0de said:

Meterpreter is a popular framework so every AV has its signatures.  I have a feeling they even got a copy of Veil and made it produce tons of permutations of its obfuscation just so they could put it in their scanner because Veil doesn't seem to do much.  Think they are targeting the packers.  Best bet I seen is to use a Powershell stager. The new API MS has released for AV and apps may make in memory script and code more difficult if companies begin to use it.

Most likely, but I have found the python/meterpreter/rev_tcp with pyherion encrypter to still be pretty reliable as far as AV evasion.

As far as the new Defender API, as long as local admin perms are present on the target, you can use Set-MpPreference (Set-MpPreference -DisableRealtimeMonitoring $true for example) to turn off the various features of Defender. This is a bit "noisy", since a notification pops up immediately in the tray, but you could always quickly disable Defender, run mimikatz or some other payload, then re-enable Defender in the cleanup. I'm actually contemplating getting a bunny just for a payload similar to that. Start off in RO mode and disable Defender, loop with Get-MpPreference | fl DisableRealtimeMonitoring until the value becomes True, switch to RW mode and execute a payload, exfil to storage if necessary, switch back to RO mode, re-enable Defender. 

Share this post


Link to post
Share on other sites
41 minutes ago, rottingsun said:

Most likely, but I have found the python/meterpreter/rev_tcp with pyherion encrypter to still be pretty reliable as far as AV evasion.

The aes one for python used to work.  Here is a funny story.  When it was working on my old Kali last year, Veil complained about me missing some of the stuff it was using to create the payload.  Funny thing is the payload worked and no AV warning.  After research, I fixed those issues, now the payload is detectable.  :-P  At a loss on that one hehe.  Maybe I need to break my Veil again so it works again.  :-)

Now, what does work is I created a template for a C# .NET loader for powershell code that I can add my code to and compile.  That one is not detected.  Hmm, maybe they are still working on detecting malicious .NET.  The Veil .NET does not work, it is detected.  :-\

Share this post


Link to post
Share on other sites

Hi, I noticed a problem with confirming the Windows-Elevation request.

It doesn't seem to do it.

How exactly did you implement confirming the UAC ?

Share this post


Link to post
Share on other sites

K, took me a while of tinkering, found out that German-Keyboard uses weird Keys.

Managed to fix it thanks to your good comments in the script.

Very helpful there, keep up the good work !

Share this post


Link to post
Share on other sites
4 hours ago, Feuermagier said:

Additional tip:

If you use leftarrow+enter its universal.

mame who write P4wnP1 decided to use shift-tab and then enter for universal too.

 

On 5/10/2017 at 8:00 AM, rottingsun said:

Most likely, but I have found the python/meterpreter/rev_tcp with pyherion encrypter to still be pretty reliable as far as AV evasion.

As far as the new Defender API, as long as local admin perms are present on the target, you can use Set-MpPreference (Set-MpPreference -DisableRealtimeMonitoring $true for example) to turn off the various features of Defender. This is a bit "noisy", since a notification pops up immediately in the tray, but you could always quickly disable Defender, run mimikatz or some other payload, then re-enable Defender in the cleanup. I'm actually contemplating getting a bunny just for a payload similar to that. Start off in RO mode and disable Defender, loop with Get-MpPreference | fl DisableRealtimeMonitoring until the value becomes True, switch to RW mode and execute a payload, exfil to storage if necessary, switch back to RO mode, re-enable Defender. 

I have been finding myself using msfvenom to generate a payload and then create my own obfuscation for it since mot of the standard from veil have been getting detected lately.  Even been using a veil payload to further obfuscate like getting the payload into a .NET format so I can obfuscate it for powershell to use reflections to load.  If I need to modify it while it is in .NET compiled form I would just use ilspy and reflexil plugin to adjust it accordingly so I can launch it from memory easier.

Share this post


Link to post
Share on other sites
29 minutes ago, Feuermagier said:

I did a complete rework of how the UAC-Bypass is done (Complete Bypass by Windows-Exploit, no Popup)

https://github.com/qdba/bashbunny-payloads/blob/00d4720b6b8496f5c4b9aff3f162d2de8ec8a7a1/payloads/library/credentials/DumpCreds/payload.txt

I hope for Feedback and test results.

Quite good, Going to test it...

  • Like 1

Share this post


Link to post
Share on other sites
4 hours ago, qdba said:

Quite good, Going to test it...

Nice.

I just did another patch to make the first Powershell hidden, too.

https://github.com/Valentin-Metz/bashbunny-payloads/blob/8c9052c022262cb2183493bc3b6ae73c830b256c/payloads/library/credentials/DumpCreds/payload.txt

The "On Screen Time" is now under 2 seconds.

Would be great if you could help me find a way to start the fodhelper hidden.

Then we would be completely silent.

Share this post


Link to post
Share on other sites
On ‎11‎.‎09‎.‎2017 at 3:02 PM, qdba said:

Quite good, Going to test it...

 

19 hours ago, Feuermagier said:

Nice.

I just did another patch to make the first Powershell hidden, too.

https://github.com/Valentin-Metz/bashbunny-payloads/blob/8c9052c022262cb2183493bc3b6ae73c830b256c/payloads/library/credentials/DumpCreds/payload.txt

The "On Screen Time" is now under 2 seconds.

Would be great if you could help me find a way to start the fodhelper hidden.

Then we would be completely silent.

 

I merged your path to the master branch. Did some patches so fodhelper starts hidden.  

https://github.com/qdba/bashbunny-payloads/blob/master/payloads/library/credentials/DumpCreds/payload.txt

 

Edited by qdba
  • Upvote 1

Share this post


Link to post
Share on other sites

Nice !

I just tested it, and I have to say it works great.

Btw, the payload.txt still says "Dump Creds 2.1" in the Title.

Maybe you should actually go for 2.3, as it is quite a big change.

It is really great, only a split second Window, works out really well.

Very easy to hide.

Does hak5 not update the main branch anymore ? The Version they have in Repository is outdated.

Also I noticed, that we leave 2 Powershells open at end of script. Maybe we should clean these up.

Share this post


Link to post
Share on other sites
7 hours ago, Feuermagier said:

Nice !

I just tested it, and I have to say it works great.

Btw, the payload.txt still says "Dump Creds 2.1" in the Title.

Maybe you should actually go for 2.3, as it is quite a big change.

It is really great, only a split second Window, works out really well.

Very easy to hide.

Does hak5 not update the main branch anymore ? The Version they have in Repository is outdated.

Also I noticed, that we leave 2 Powershells open at end of script. Maybe we should clean these up.

  • Updated the repo so hak5 could merge it to the master branch 
  • Changed Version to 2.3
  • Add taskill /F /IM powershell.exe at the end of main.ps1

 

  • Upvote 2

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×