Nick Kwiecien, posted June 5, 2017:
Really confused on how to set up QuickCreds on the Bash Bunny... Found different steps to take but no tutorials or documentation on the configuration and setup. Also, another thing I was thinking about is what if I am out on an engagement and said company has 2-step verification. Does this attack still work?

craig131, posted June 5, 2017:
Download the Responder package from the pinned post here:
Drop the .deb file into your /tools directory. Safely eject, remount. Then run the payload just as you would any other. Works great on locked machines!

Nick Kwiecien (Author), posted June 9, 2017:
On 6/5/2017 at 4:09 PM, craig131 said:
> Drop the .deb file into your /tools directory. Safely eject, remount. Then run the payload just as you would any other. Works great on locked machines!
Thank you sir!

Nick Kwiecien (Author), posted June 9, 2017:
The sits there forever blinking yellow trying to find NTLM hashes but are never found.

PoSHMagiC0de, posted June 10, 2017:
On 6/9/2017 at 8:11 AM, Nick Kwiecien said:
> The sits there forever blinking yellow trying to find NTLM hashes but are never found.
One way to test to make sure it is working is to plug it into a Windows machine and then, when it is working, to launch Internet Explorer (because it will pass hashes) and browse anywhere. Another test is to launch File Explorer and put in a UNC path to anywhere, like "\\somewhere". Those will trigger the event that gets the hash immediately. If that works and you get hashes then the payload is working, the machine is not running any services that are reaching out that can pass NTLM hashes. I have seen it not work on locked machines after they have blanked the screen. If you catch it before the screen blanks then it seems to work. After it blanks though, that person will need to sign in to kick off their services again.

Nick Kwiecien (Author), posted June 12, 2017:
On 6/10/2017 at 2:07 PM, PoSHMagiC0de said:
> One way to test to make sure it is working is to plug it into a Windows machine and then, when it is working, to launch Internet Explorer (because it will pass hashes) and browse anywhere. Another test is to launch File Explorer and put in a UNC path to anywhere, like "\\somewhere". Those will trigger the event that gets the hash immediately. If that works and you get hashes then the payload is working, the machine is not running any services that are reaching out that can pass NTLM hashes. I have seen it not work on locked machines after they have blanked the screen. If you catch it before the screen blanks then it seems to work. After it blanks though, that person will need to sign in to kick off their services again.
It worked on the first try opening up the browser while it was running! Thank you for the help. So yes, I think you were correct about the machine not being able to reach out and grab the NTLM hashes.