Quickcreds Macintosh/Nix

[Batman]

Hi everyone,

I've been playing around with Mubix's Quickcreds payload (awesome payload, Mubix!) and have run into trouble with using it on a Test Mac. 

I plug in the device and it goes to flashing yellow LED on the USB but doesn't proceed further. When I plug the USB in under arming mode I can see "TESTs-MBP-1" (Mac's name) in the loot/quickcreds/ folder. The folder is empty.

The payload is set to use ECM_ETHERNET. I see the device under the network section of system preferences with the correct IP address (172.16.64.10). 

I see in the payload that yellow LED means that it's running the attack. I have a feeling that it's getting hung up on finding NTLM logs. Mac/Nix doesn't store password hashes in the same way that Windows does, right? So why is it this payload is able to work with Mac/Nix with the only difference being the ECM_ETHERNET vs RNDIS_ETHERNET for Windows?

 

Thanks.

Edited May 30, 2017 by Batman
left out "." in ip address of bunny

[Batman]

Same thing happened on a linux computer. Payload creates a folder in the /loot/quickcreds/ folder with the computer's hostname but the folder is empty. Bunny had a flashing yellow LED. 

[b0N3z]

Ive never had much luck with it on OSX but I also have my machine encrypted and a couple other things on with the latest OS updates.  Mubix said he never really tested it on Linux either.  it seems to be more of a windows thing.

[Batman]

Thanks for the response, b0N3z. 

 

My test MB Pro is up to date with IOS updates, etc. No encryption on the HD. I thought it was weird that this script would be cross platform with just the change of two lines. Can't be that easy since credentials are stored in Windows completely differently than they are in Mac. 

I'm determined to do some research and see what is needed to create a payload like this for Mac's.

[PoSHMagiC0de]

Good luck getting a *NIX machine to cough up creds with responder.  This is mainly to be used against Windows devices that just love to share stuff.  Unless you have some service setup to forward some cached creds, *nix will most likely prompt if it needs creds, not pass the local user creds.  So on Windows it pretending to be a 2GB network it basically puts windows into a authtrap where anything send will ask for creds which windows will cough up the current user usually unless it is patched and reg setting is set to not to.

Nix will ask you for creds to send unless it is creds you already put in and is still alive (You have them set to remember forever or while you are logged on instead of for a specific session).  Even then it will only be for that url or unc but the BB authTrap will respond to it in which it will get those hashed creds then.  

[b0N3z]

3 hours ago, PoSHMagiC0de said:

Good luck getting a *NIX machine to cough up creds with responder.  This is mainly to be used against Windows devices that just love to share stuff.  Unless you have some service setup to forward some cached creds, *nix will most likely prompt if it needs creds, not pass the local user creds.  So on Windows it pretending to be a 2GB network it basically puts windows into a authtrap where anything send will ask for creds which windows will cough up the current user usually unless it is patched and reg setting is set to not to.

Nix will ask you for creds to send unless it is creds you already put in and is still alive (You have them set to remember forever or while you are logged on instead of for a specific session).  Even then it will only be for that url or unc but the BB authTrap will respond to it in which it will get those hashed creds then.  

OSX is just like linux, when OSX needs creds for something you have to enter them. Its not a remeber forever kind of setup