thatalbinofrog Posted June 23, 2017 (edited) Hey, I got my Bash Bunny onto firmware 1.3 and now I'm trying to use the QuickCreds payload. I cloned all the GitHub payloads, installed 3 tools and put the QuickCreds payload in switch2. When I plug it back in with switch 2, it gets stuck blinking yellow forever. Any help fixing this would be great. Thanks (I'm very new to this). Edited June 24, 2017 by thatalbinofrog
PoSHMagiC0de Posted June 23, 2017 Check out this thread.
Lord_KamOS Posted June 23, 2017 I did not know the Rubber Ducky had switches or a yellow light. 5 hours ago, thatalbinofrog said: I got my rubber ducky onto firmware 1.3 and now I'm trying to use the quick creds payload. I cloned all the github payloads, installed 3 tools and put the quickcreds payload in switch2. When I plug it back in with switch 2, it gets stuck blinking yellow forever. Any help fixing this would be great. Thanks (I'm very new to this)
PoSHMagiC0de Posted June 23, 2017 17 minutes ago, Lord_KamOS said: I did not know the rubber ducky had switches or a yellow light. I knew what he meant, heheh.
dbum Posted June 23, 2017 What OS is the target? I would start by logging in via serial in arming mode: https://wiki.bashbunny.com/#!./index.md#Connecting_to_to_the_Bash_Bunny_Serial_Console_from_Windows and making sure that you have Responder properly installed:

ls /tools/responder

Should show this:

root@bunny:~# ls /tools/responder
DumpHash.py Responder.db fingerprint.pyc packets.pyc tools LICENSE Responder.py logs poisoners utils.py README.md certs odict.py servers utils.pyc Report.py files odict.pyc settings.py Responder.conf fingerprint.py packets.py settings.pyc

Make sure that Responder.py is there. If not, Responder is not installed and QuickCreds will not work.
dbum Posted June 23, 2017 Also, I'm pretty sure the target has to be logged in or on the lock screen. It can't be at the login screen. I could be wrong on this, but I think that's how it works.
thatalbinofrog Posted June 24, 2017 (Author) 12 hours ago, Lord_KamOS said: I did not know the rubber ducky had switches or a yellow light. Ahahah, sorry, my mistake, I meant Bash Bunny (you probably figured that out).
thatalbinofrog Posted June 24, 2017 (Author, edited) 7 hours ago, dbum said: (quoting dbum's post of June 23 above in full) Everything lists like that. I'm trying this on a Windows 10 machine. I tried opening Internet Explorer while the payload was running, but a login box pops up. Something about a proxy server. Do I need to configure the payload before I use it, and what is this login thing? Thanks. Edited June 24, 2017 by thatalbinofrog
dbum Posted June 24, 2017 Before, I had tried it on a domain-connected Windows 7 machine and that worked with no issues (lots of authenticated connections). I did see in the logs where it hits a "proxysrv":

2017-05-07 22:11:55,000 - [*] [LLMNR] Poisoned answer sent to 172.16.64.10 for name proxysrv

So then I tried it on my Windows 10 Surface (fully updated). This has a Microsoft account with Windows Hello enabled. Here are my results with that: The first time I plugged in, about 10 seconds later it had the creds (Windows was logged in). After reviewing the logs, it had actually picked up on a network share that I had used recently (my home NAS). It had picked up the Microsoft account hashes (they look like they would be a beast to crack, if that is even possible). Next I used "net use" and looked at my network sessions and removed them ("net use /DELETE \\Foo"). Then I plugged back in, and I'm sitting here writing this the whole time with it flashing yellow (nothing to pick up). I have tried initiating it various ways without going to a network share and have been unsuccessful thus far. I'm pretty sure if I go to a valid network share it will grab the hashes, but that's not very automated and probably wouldn't work via the lock screen for sure. This would probably work most of the time on a domain network full of shares, but getting it to work on a little standalone machine is proving to need a little coaxing. So, the lights have been flashing yellow for about 10 minutes or so and I went to a network share that requires login; even being prompted for login, it still didn't capture (waited a while), then on entering even a bad password the BB lit up green. I guess Windows 10 knows not to send Microsoft accounts since they would not be used for network shares? Which I guess in reality, if you have no hashes worth getting, then what's the point in getting them? I will continue to look into it and let you know if I find out anything else.

I've been reading a little from this page: It's a long topic and I've only read the first page (it is for the LAN Turtle, but same principle). There may be something in there that might help. I'll stay in touch (not sure if it will be today or tomorrow though).
thatalbinofrog Posted June 25, 2017 (Author) 14 hours ago, dbum said: (quoting dbum's post of June 24 above in full) Holy shit, thanks man. Here's a photo of what happens - this occurs when I plug the Bunny in, wait for the payload to start flashing yellow and then open up Internet Explorer. Thanks so much for the help.
dbum Posted June 26, 2017 Does it capture any creds when you submit that box? You don't need a valid login; just send anything and see if the Bunny stops blinking yellow. Are you getting anything in the loot folder? Do you have any network shares you can try as well? I finished reading the other forum topic and learned about running Responder from the command line. I think this could help figure out what is not working properly. Like I said, I've used this on other computers and have not had any issues, so I'm thinking maybe it is something that Win 10 is doing to mitigate this attack. It is hard to troubleshoot when everything is working right, but I did see the same as you after removing all saved LAN network shares from the computer. Do you have any local network shares that you could try to see if that causes the payload to finish?
dbum Posted June 26, 2017 Windows 10 has put some measures in place to defend against this:

https://blogs.technet.microsoft.com/ash/2016/03/02/windows-10-device-guard-and-credential-guard-demystified/
http://www.alex-ionescu.com/blackhat2015.pdf

You could probably still use HID emulation to get the computer to "reach" out for Responder, but that would obviously require the computer to be in a "logged in" state. I am going to go cry.
dbum Posted June 26, 2017 Actually, as I keep reading that, I'm not sure if that is 100% true or not. I will continue to look, but I have run Responder manually, watching exactly what it would respond to and not, and I just don't see anything that would trigger sending the hashes while the computer is locked. Yeah, it takes advantage of WPAD (if it's on), and will probably trigger if you have recently used network shares / mapped drives, but on a regular Windows 10 computer that is locked I'm starting to lose faith. :(
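A defender-side check for the Windows 10 behaviour dbum is describing, added here as an example and not code from the thread: it audits (and with -Apply, turns off) LLMNR, NetBIOS name service and WPAD auto-detection, the name-resolution paths that Responder's poisoned answers depend on. The registry paths and the WMI method are standard Windows ones; the -Apply switch and the output wording are my own. Run it in an elevated PowerShell session; the WPAD service change takes effect after a reboot.

```powershell
# Added example (not from the thread): audit/harden the name-resolution paths a
# QuickCreds/Responder-style device relies on. Without -Apply it only reports.
param([switch]$Apply)

# LLMNR: policy value EnableMulticast = 0 disables multicast name resolution
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
if ($null -eq $llmnr -or $llmnr.EnableMulticast -ne 0) {
    Write-Output 'LLMNR: enabled (EnableMulticast missing or not 0)'
    if ($Apply) {
        New-Item -Path $llmnrKey -Force | Out-Null
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    }
} else {
    Write-Output 'LLMNR: disabled'
}

# NetBIOS over TCP/IP: TcpipNetbiosOptions 2 = disabled, checked per adapter
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    if ($_.TcpipNetbiosOptions -ne 2) {
        Write-Output "NetBIOS: enabled on $($_.Description)"
        if ($Apply) {
            Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        }
    } else {
        Write-Output "NetBIOS: disabled on $($_.Description)"
    }
}

# WPAD: the WinHTTP auto-proxy service performs proxy auto-detection.
# Recent builds protect the service, so Start = 4 (disabled) in the registry
# plus a reboot is the reliable way to turn it off.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
$svc = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
if ($svc -and $svc.StartType -ne 'Disabled') {
    Write-Output "WPAD: WinHttpAutoProxySvc start type is $($svc.StartType)"
    if ($Apply) { Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord }
} else {
    Write-Output 'WPAD: WinHttpAutoProxySvc disabled or absent'
}

# Per-user "Automatically detect settings" flag used by IE/WinINet
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$auto = Get-ItemProperty -Path $ieKey -Name AutoDetect -ErrorAction SilentlyContinue
if ($null -eq $auto -or $auto.AutoDetect -ne 0) {
    Write-Output 'WPAD: IE auto-detect enabled for current user'
    if ($Apply) { Set-ItemProperty -Path $ieKey -Name AutoDetect -Value 0 -Type DWord }
}
```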
wolfie808 Posted July 11, 2017 Updated to the latest firmware and latest repository for payloads, and when I go to run the QuickCreds payload on any machine, it gives me a solid purple LED followed by a flashing red light. Not sure what I am doing wrong, but any help would be greatly appreciated.
dbum Posted July 11, 2017 4 hours ago, wolfie808 said: Updated to latest firmware, latest repository for payloads and when I go to run the Quick Creds payload on any machine, it gives me a solid purple LED followed by a flashing red light. Not sure what I am doing wrong, but any help would be greatly appreciated. What is your target machine's OS? Solid purple is the "setup" stage. There are actually two red blinking errors for this payload: if the red light is on about as long as it is off, then it is not seeing the Responder package (this has to be installed - see the sticky forum post), and if the red light is blinking where the light is off more than it is on (quick blink), then the issue is that the target did not get an IP address from the BB. This may be due to the wrong ATTACKMODE, depending on what the target OS is.
wolfie808 Posted July 11, 2017 It is a Windows 10 machine. And I have all of the tools installed in the tools directory. I cd into the tools directory and both impacket and responder are there. It is a quick red blink. Does the payload itself dictate what ATTACKMODE to use, or do I need to modify the payload depending on the OS that I am going to use?
wolfie808 Posted July 12, 2017 I have run it numerous times, re-flashed, installed tools, etc. Each time it gives the quick continuous blink. I am at a loss as to how to rectify it.