Jump to content

[PAYLOAD] SMBHashGrab


combatwombat27
 Share

Recommended Posts

Hey all! Inspired by Darren's recent blog post, I wanted to put together a version of the duckyscript SMB hash grab that didn't require an external networked SMB server setup. I know there are other ways of grabbing the hash given you have both HID and STORAGE access if you want, but it was a lot of fun to put together at the very least.

Pull Request to Bash Bunny Github Repo

Download

Github SMBHashGrab

Please reach out to me with any bugs or suggestions.

* Author: Combat_Wombat @zac_borders
* Version: Version 1.0

Description
Bash Bunny script to exfiltrate hash via SMB attack standalone against Windows Domain computers.
Inspired by Darren's post.
@hak5darren || Hak5 Blog

Configuration

Run on a domain computer that is logged in.

Requirements

1.   **You must install impacket**
    2.   Download impacket
    3.   Place in /tools
    4.   This will install when you reconnect the drive
    5.   From the BashBunny run:

cd /tools/impacket && python setup.py install

Here you can find the:  Impacket Github


Payload LED STATUS

FAIL.................Missing Requirement Impacket
SETUP.............Setup
STAGE1...........Setting up SMB server
STAGE2...........HID Injection
CLEANUP........Grepping for hash, storing in loot
FINISH.............Light is green trap is clean.

Edited by combatwombat27
Updated url
Link to comment
Share on other sites

  • 2 weeks later...

OK, I also put together a very similar script.  I have found  on my lab systems for my "work" environment, that the timing for mapping the network share had to be increased.  I also ran into issues were the DUKCY ALT F4 did no close the explorer window as I had hoped.  I had to use powershell to kill exploerer.  This "work" system is a windows 7 x64 Laptop on a Active Directory Domain.  One other weird note, due to certain GPO's we have I had to disconnect the hard wired lan cable to get it to properly map to the Bash bunny.  Now , with the faster timing and ALT F4 , I found worked on my non-domain, stand alone windows 10 laptop.  

SO as i side note to anyone using in a professional capacity and environment.  And with all PROPER PERMISSIONS, of course.  May need to adjust timing and do some adjustments for it to work right, depending on any protections the workstation may have.

But I will admit your script is way cleaner than mine.

Link to comment
Share on other sites

5 hours ago, korang said:

OK, I also put together a very similar script.  I have found  on my lab systems for my "work" environment, that the timing for mapping the network share had to be increased.  I also ran into issues were the DUKCY ALT F4 did no close the explorer window as I had hoped.  I had to use powershell to kill exploerer.  This "work" system is a windows 7 x64 Laptop on a Active Directory Domain.  One other weird note, due to certain GPO's we have I had to disconnect the hard wired lan cable to get it to properly map to the Bash bunny.  Now , with the faster timing and ALT F4 , I found worked on my non-domain, stand alone windows 10 laptop.  

SO as i side note to anyone using in a professional capacity and environment.  And with all PROPER PERMISSIONS, of course.  May need to adjust timing and do some adjustments for it to work right, depending on any protections the workstation may have.

But I will admit your script is way cleaner than mine.

 

Awesome to see this getting some testing in the wild! I'm not entirely sure why Alt + F4 would fail in Windows 7 other than it just firing too fast, that is interesting to hear. 

With regards to the GPO and Lan cable, sounds to me like they have some GPOs setting what to use as the primary network connection. I would doubt many attacks written using the networking ATTACKMODE would work well on that machine given they often base their ability to intercept on the fact that being the fastest network connection makes them primary. 

Clean code?! 0.o I didn't expect to hear that of all comments. hahaha Thanks! 

Realistically I feel this isn't the most useful attack given you could use other duckyscript code to export hashes without needing to exploit network connectivity, but it certainly was a fun exercise to create, and if it helps at all then it has done some good. 

Thanks for checking out the tool, and bringing back some useful feedback!

Edited by combatwombat27
Added post quoting
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...