Jump to content

Quick Creds


thatalbinofrog
 Share

Recommended Posts

Hey

I got my bash bunny onto firmware 1.3 and now I'm trying to use the quick creds payload.

I cloned all the github payloads, installed 3 tools and put the quickcreds payload in switch2.

When I plug it back in with switch 2, it gets stuck blinking yellow forever.

Any help fixing this would be great. Thanks (I'm very new to this)

 

Edited by thatalbinofrog
Link to comment
Share on other sites

I did not know the rubber ducky had switches or a yellow light. 

 

5 hours ago, thatalbinofrog said:

I got my rubber ducky onto firmware 1.3 and now I'm trying to use the quick creds payload.

I cloned all the github payloads, installed 3 tools and put the quickcreds payload in switch2.

When I plug it back in with switch 2, it gets stuck blinking yellow forever.

Any help fixing this would be great. Thanks (I'm very new to this)

 

Link to comment
Share on other sites

What OS is the target?

I would start by logging in via serial in arming mode : https://wiki.bashbunny.com/#!./index.md#Connecting_to_to_the_Bash_Bunny_Serial_Console_from_Windows

and making sure that you have Responder properly installed

ls /tools/responder

Should show this:

root@bunny:~# ls /tools/responder
DumpHash.py     Responder.db    fingerprint.pyc  packets.pyc   tools
LICENSE         Responder.py    logs             poisoners     utils.py
README.md       certs           odict.py         servers       utils.pyc
Report.py       files           odict.pyc        settings.py
Responder.conf  fingerprint.py  packets.py       settings.pyc
 

Make sure that Responder.py is there.  If not responder is not installed and QuickCreds will not work.

Link to comment
Share on other sites

7 hours ago, dbum said:

What OS is the target?

I would start by logging in via serial in arming mode : https://wiki.bashbunny.com/#!./index.md#Connecting_to_to_the_Bash_Bunny_Serial_Console_from_Windows

and making sure that you have Responder properly installed

ls /tools/responder

Should show this:

root@bunny:~# ls /tools/responder
DumpHash.py     Responder.db    fingerprint.pyc  packets.pyc   tools
LICENSE         Responder.py    logs             poisoners     utils.py
README.md       certs           odict.py         servers       utils.pyc
Report.py       files           odict.pyc        settings.py
Responder.conf  fingerprint.py  packets.py       settings.pyc
 

Make sure that Responder.py is there.  If not responder is not installed and QuickCreds will not work.

Everything lists like that. I'm trying this on a windows 10 machine. I tried opening internet explorer while the payload was running, but a login box pops up. Something about a proxyserver. Do I need to configure the payload before I use it, and what is this login thing?

 

Thanks

Edited by thatalbinofrog
Link to comment
Share on other sites

Before I had tried it on a Domain connected Windows 7 machine and that worked with no issues. (lots of authenticated connections).  I did see in the logs where it hits a "proxysrv"

2017-05-07 22:11:55,000 - [*] [LLMNR]  Poisoned answer sent to 172.16.64.10 for name proxysrv

So then I tried it on my Windows 10 Surface (Fully updated).  This has a Microsoft account with Windows Hello enabled.  Here are my results with that:

The first time I plugged in, about 10 seconds later it had the creds (Windows was logged in).  After reviewing the logs it had actually picked up on a network share that I had used recently (My home NAS).  It had picked up the Microsoft account hashes (they look like they would be a beast to crack if that is even possible).

Next I used "net use" and looked at my network sessions and removed them "net use /DELETE \\Foo"

Then I plugged back in and I'm sitting here writing this the whole time with it flashing yellow (nothing to pickup).  I have tried initiating it various ways without going to a network share and have been unsuccessful thus far.  I'm pretty sure If I go to a valid network share it will grab the hashes but that's not very automated and probably wouldn't work via the lock screen for sure.  This would probably work most of the time on a Domain network full of shares but getting it to work on a little standalone machine is proving to need a little coaxing.

So, the lights have been flashing yellow for about 10 minutes or so and I went to a network share that requires login, even being prompted for login, still didn't capture (waited a while), then entering even a bad password the BB lit up green.  I guess Windows 10 knows not to send Microsoft accounts since they would not be used for network shares?  Which I guess in reality, if you have no hashes worth getting, then what's the point in getting them?

I will continue to look into and let you know if I find out anything else.  I've been reading a little from this page: 

Its a long topic and I've only read the first page (it is for LAN turtle but same principle).  May be something in there that might help.

I'll stay in touch (not sure if it will be today or tomorrow though).

Link to comment
Share on other sites

14 hours ago, dbum said:

Before I had tried it on a Domain connected Windows 7 machine and that worked with no issues. (lots of authenticated connections).  I did see in the logs where it hits a "proxysrv"

2017-05-07 22:11:55,000 - [*] [LLMNR]  Poisoned answer sent to 172.16.64.10 for name proxysrv

So then I tried it on my Windows 10 Surface (Fully updated).  This has a Microsoft account with Windows Hello enabled.  Here are my results with that:

The first time I plugged in, about 10 seconds later it had the creds (Windows was logged in).  After reviewing the logs it had actually picked up on a network share that I had used recently (My home NAS).  It had picked up the Microsoft account hashes (they look like they would be a beast to crack if that is even possible).

Next I used "net use" and looked at my network sessions and removed them "net use /DELETE \\Foo"

Then I plugged back in and I'm sitting here writing this the whole time with it flashing yellow (nothing to pickup).  I have tried initiating it various ways without going to a network share and have been unsuccessful thus far.  I'm pretty sure If I go to a valid network share it will grab the hashes but that's not very automated and probably wouldn't work via the lock screen for sure.  This would probably work most of the time on a Domain network full of shares but getting it to work on a little standalone machine is proving to need a little coaxing.

So, the lights have been flashing yellow for about 10 minutes or so and I went to a network share that requires login, even being prompted for login, still didn't capture (waited a while), then entering even a bad password the BB lit up green.  I guess Windows 10 knows not to send Microsoft accounts since they would not be used for network shares?  Which I guess in reality, if you have no hashes worth getting, then what's the point in getting them?

I will continue to look into and let you know if I find out anything else.  I've been reading a little from this page: 

Its a long topic and I've only read the first page (it is for LAN turtle but same principle).  May be something in there that might help.

I'll stay in touch (not sure if it will be today or tomorrow though).

Holy shit thanks man, here's a photo of what happens - 594f2a30a135c_Screenshot(10).thumb.png.433e56425d59b7e2b68198c06d9fd715.png

This occurs when I plug the bunny in, wait for the payload to start flashing yellow and then open up internet explorer.

Thanks so much for the help

Screenshot (10).png

Link to comment
Share on other sites

Does it capture any creds when you submit that box?  You don't need a valid login, just send anything and see if the Bunny stops blinking Yellow.  Are you getting anything in the loot folder?  Do you have any network shares you can try as well?  I finished reading the other forum topic and learned about running responder from the command line.  I think this could help figure out what is not working properly.  Like I said, I've used this on other computers and have not had any issues so I'm thinking maybe it is something that Win 10 is doing to mitigate this attack.  It is hard to troubleshoot when everything is working right but I did see the same as you after removing all save LAN networked shares from the computer.  Do you have any local network shares that you could try to see if that causes the payload to finish?

Link to comment
Share on other sites

Windows 10 has put some measures in place to defend against this:

https://blogs.technet.microsoft.com/ash/2016/03/02/windows-10-device-guard-and-credential-guard-demystified/

http://www.alex-ionescu.com/blackhat2015.pdf

You could probably still use HID emulation to get the computer to "reach" out for responder but that would obviously require the computer to be a in a "logged in" state.

I am going to go cry.

Link to comment
Share on other sites

Actually, as I keep reading that, I'm not sure if that is 100% true or not.  I will continue to look, but I have ran responder manually watching exactly what it would respond to and not and I just don't see anything that would trigger sending the hashes while the computer is locked.  Yeah it takes advantage of wpad (if its on), and will probably trigger if you have recently used network shares / mapped drives but on regular Windows 10 computer that is locked I'm starting to lose faith. :(

Link to comment
Share on other sites

  • 2 weeks later...

Updated to latest firmware, latest repository for payloads and when I go to run the Quick Creds payload on any machine, it gives me a solid purple LED followed by a flashing red light. Not sure what I am doing wrong, but any help would be greatly appreciated. 

Link to comment
Share on other sites

4 hours ago, wolfie808 said:

Updated to latest firmware, latest repository for payloads and when I go to run the Quick Creds payload on any machine, it gives me a solid purple LED followed by a flashing red light. Not sure what I am doing wrong, but any help would be greatly appreciated. 

What is your target machine's OS?  Solid purple is the "setup" stage, there are actually two red blinking errors for this payload.  if the red light is on about as long as it is off, then it is not seeing the responder package (this has to be installed - See sticky forum post) and if the red light is blinking where the light is off more than it is on (quick blink), then the issue is that the target did not get an IP address from the bb.  This may be due to the wrong ATTACKMODE depending on what the target OS is.

Link to comment
Share on other sites

It is a Windows 10 machine. And I have all of the tools installed in the tools directory. I cd in to tools directory and both impacket and responder are there. It is a quick red blink. Does the payload itself dictate what attackmode to use or do I need to modify the payload depending on the OS that I am going to use. 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...