XenoByte (Posted July 17, 2017)

Hi, I received my BB a week ago and 'till now none of the credential payloads I've tested did not work. Here's a list I've tried: BrowserCreds, MrRobot, BunnyTap, QuickCreds, JackRabbit, WindowsCookies. I've tried those on two different PCs, one with Windows 10 and one with Windows 7.

What also kinda bothered me is that I can't get the internet sharing working on Kali Linux. What I've tried:
1. Create a payload.txt file with "ATTACKMODE ECM_ETHERNET" in it.
2. Started my BashBunny on the switch the file was located on (Switch 1).
3. Download bb.sh from bashbunny.com.
4. Started it with root privileges.
5. Tried both Guided and Manual, but both ended up in having no network at all.

But, beside those things, I really love the BashBunny and its features. Also the shipping was really quick. If anyone got some tips to get those payloads working, please post them.
XenoByte (Author, Posted July 17, 2017)

Made a typo: "I received my BB a week ago and 'till now none of the credential payloads I've tested did not work. Here's a list I've tried:" Must be: "I received my BB a week ago and 'till now all of the credential payloads I've tested did not work. Here's a list I've tried:"
Dave-ee Jones (Posted July 17, 2017)

Uhmm, so are you saying it's fixed? :P The first one was correct, I believe. The way it's worded is a bit confusing.

First thing to do - update firmware to 1.3. Then try the latest QuickCreds. I wouldn't be surprised if all those payloads didn't work as most of them are outdated, especially if you are using firmware 1.0. Also, my payload Slydoor does a similar thing to those. Maybe copy the bat/ps1 file to the Slydoor directory and tell it to run that instead (MODE option - though the file has to have a .ps1 extension to be run by Slydoor). OR, even better, make your own passer :D
XenoByte (Author, Posted July 17, 2017)

    1 hour ago, Dave-ee Jones said:
    Uhmm, so are you saying it's fixed? :P The first one was correct, I believe. The way it's worded is a bit confusing. First thing to do - update firmware to 1.3. Then try the latest QuickCreds. I wouldn't be surprised if all those payloads didn't work as most of them are outdated, especially if you are using firmware 1.0. Also, my payload Slydoor does a similar thing to those. Maybe copy the bat/ps1 file to the Slydoor directory and tell it to run that instead (MODE option - though the file has to have a .ps1 extension to be run by Slydoor). OR, even better, make your own passer :D

Sorry, it is kinda late lol. No, they're still not working and I'm running the latest version, which is 1.3. I will check out your payload and eventually try to make something myself. Most payloads ended up with an empty folder/txt file.
Dave-ee Jones (Posted July 17, 2017)

    44 minutes ago, XenoByte said:
    Sorry, it is kinda late lol. No, they're still not working and I'm running the latest version, which is 1.3. I will check out your payload and eventually try to make something myself. Most payloads ended up with an empty folder/txt file.

Ah, so they did run, just didn't execute the DUCKY script? Sounds like a broken driver...
XenoByte (Author, Posted July 17, 2017)

    17 minutes ago, Dave-ee Jones said:
    Ah, so they did run, just didn't execute the DUCKY script? Sounds like a broken driver...

Sorry for not being clear enough. The DUCKY scripts run, and so do the Ethernet drivers (for other payloads). Mostly they'll fail at the POWERSHELL part. I have no clue where I can find/get a log, so I can't provide one.
Dave-ee Jones (Posted July 17, 2017)

Ah. Sounds like the language you're using is the issue. What's your PC's language? You need to have the Bunny's language the same as the PC's, otherwise when it injects keystrokes it won't interpret them correctly. Below shows how to change them. Refer: https://wiki.bashbunny.com/#!./index.md#Languages
thefragile99 (Posted July 17, 2017)

I've noticed this too with the credential extracting payloads. QuickCreds works fine but the rest not so much. I'll check out the languages section of the FAQ.
Dave-ee Jones (Posted July 17, 2017)

    9 hours ago, thefragile99 said:
    I've noticed this too with the credential extracting payloads. QuickCreds works fine but the rest not so much. I'll check out the languages section of the FAQ.

Yeah, could be that QuickCreds sets the language before it runs the payloads, whereas the others don't, so it doesn't interpret it properly.
RazerBlade (Posted July 19, 2017)

Try the password grabber payload. I created it because I myself had these problems, and for me it's very stable.
thefragile99 (Posted July 20, 2017)

Is there possibly a payload that can launch the Mac version (python) of LaZagne via the Bash?
RazerBlade (Posted July 20, 2017)

I think it can. I will have to see if that's possible, but I will try when I get my hackintosh working or get a Mac.
thefragile99 (Posted July 20, 2017)

Cool - tried running LaZagne.py on my MBP but I get a 'key3 file not found'.
nokia1556 (Posted July 31, 2017)

    On 17/7/2017 at 4:36 AM, XenoByte said:
    Hi, I received my BB a week ago and 'till now none of the credential payloads I've tested did not work. Here's a list I've tried: BrowserCreds, MrRobot, BunnyTap, QuickCreds, JackRabbit, WindowsCookies. I've tried those on two different PCs, one with Windows 10 and one with Windows 7. What also kinda bothered me is that I can't get the internet sharing working on Kali Linux. What I've tried: Create a payload.txt file with "ATTACKMODE ECM_ETHERNET" in it. Started my BashBunny on the switch the file was located on (Switch 1). Download bb.sh from bashbunny.com. Started it with root privileges. Tried both Guided and Manual, but both ended up in having no network at all. But, beside those things, I really love the BashBunny and its features. Also the shipping was really quick. If anyone got some tips to get those payloads working, please post them.

Hi, I have the same problem as you. Could you make it work? Please, if so, I would like to know how. I am getting mad about my BB. Thanks
maddin81 (Posted September 8, 2017)

    On 31.7.2017 at 5:00 PM, nokia1556 said:
    Hi, I have the same problem as you. Could you make it work? Please, if so, I would like to know how. I am getting mad about my BB. Thanks

Same here. Any solution??
Tamanbir (Posted September 9, 2017)

    On 7/17/2017 at 8:06 AM, XenoByte said:
    Hi, I received my BB a week ago and 'till now none of the credential payloads I've tested did not work. Here's a list I've tried: BrowserCreds, MrRobot, BunnyTap, QuickCreds, JackRabbit, WindowsCookies. I've tried those on two different PCs, one with Windows 10 and one with Windows 7. What also kinda bothered me is that I can't get the internet sharing working on Kali Linux. What I've tried: Create a payload.txt file with "ATTACKMODE ECM_ETHERNET" in it. Started my BashBunny on the switch the file was located on (Switch 1). Download bb.sh from bashbunny.com. Started it with root privileges. Tried both Guided and Manual, but both ended up in having no network at all. But, beside those things, I really love the BashBunny and its features. Also the shipping was really quick. If anyone got some tips to get those payloads working, please post them.

SAME PROBLEM KINDLY HELP!
TeCHemically (Posted November 2, 2017)

I am having similar issues. It has been very frustrating. I identified what is broken in the JackRabbit payload, but don't understand why it is failing. All the details are here: I hope this helps someone, and if I figure this out, I will post my solution in that JackRabbit payload post.
TeCHemically (Posted November 3, 2017)

    On 7/19/2017 at 4:30 PM, RazerBlade said:
    Try the password grabber payload. I created it because I myself had these problems, and for me it's very stable.

Does Password Grabber get Windows passwords and wireless profile passwords? I ran it, and it is running, but I'm not getting any passwords in the output file it creates. Thanks for your reply.
TeCHemically (Posted November 3, 2017)

I modified the xcopy section as follows to grab information on the wireless networks on the client:

    REM if Exist %USERPROFILE%\Documents (
    if Exist c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* (
        REM /C Continues copying even if errors occur.
        REM /Q Does not display file names while copying.
        REM /G Allows the copying of encrypted files to destination that does not support encryption.
        REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
        REM /E Copies directories and subdirectories, including empty ones.
        xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* %dst% >>nul
        REM Same as above but does not create empty directories
        REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul
    )

I have confirmed this works, and much thanks to RazerBlade for a BB cred payload that actually works! Not only that, but it is insanely fast too! I think we could host the lazagne.exe file on a website we control to get around the read-only issue they were discussing on Hak5. However, I like the option of being able to do it all locally if possible. What would it take to modify this so we can pull it down from a server and run it? RazerBlade, is that something you could change real fast and make available, so we can have an all-local copy like we have now and a hosted version like JackRabbit? Thanks again!

Also, now that I have these wireless profiles, what is the best use of them? The passphrases are hashed or something. Can these be cracked or used in another way?
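The wireless profile XML files that the xcopy line above collects store the passphrase as a DPAPI-protected blob (protected=true), not a hash; a defender reviewing a host image or a backup wants to know whether any profile on disk carries its key with protected=false, which is what a key=clear export produces. The Python below is an added example, not code from this thread or from the Password Grabber payload: it parses such profiles and reports exposed keys, and the two profiles and their values are constructed samples.

```python
import xml.etree.ElementTree as ET

# Namespace used by every Windows WLAN profile XML file.
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample (not captured from a host): a WPA2-PSK profile as Windows
# writes it, the passphrase held as a DPAPI blob (protected=true); placeholder blob.
PROTECTED_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpGuest</name>
  <SSIDConfig><SSID><name>CorpGuest</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication>
      <encryption>AES</encryption></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>true</protected>
      <keyMaterial>01000000D08C9DDF_PLACEHOLDER_BLOB</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>"""

# Constructed sample: the same profile after an export with key=clear, which is
# what a key stored on disk without DPAPI protection looks like.
CLEAR_PROFILE = PROTECTED_PROFILE.replace(
    "<protected>true</protected>", "<protected>false</protected>").replace(
    "01000000D08C9DDF_PLACEHOLDER_BLOB", "constructed-passphrase")


def audit_profile(xml_text):
    """Summarise one profile; the key material itself is never returned."""
    root = ET.fromstring(xml_text)

    def text(path):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else ""

    sec = "w:MSM/w:security/"
    return {
        "name": text("w:name"),
        "authentication": text(sec + "w:authEncryption/w:authentication"),
        "encryption": text(sec + "w:authEncryption/w:encryption"),
        "key_type": text(sec + "w:sharedKey/w:keyType"),
        "key_present": bool(text(sec + "w:sharedKey/w:keyMaterial")),
        "protected": text(sec + "w:sharedKey/w:protected").lower() == "true",
    }


def find_exposed_keys(profiles):
    """Names of profiles whose key sits on disk without DPAPI protection
    (open networks have no sharedKey at all and are skipped)."""
    return [p["name"] for p in map(audit_profile, profiles)
            if p["key_present"] and not p["protected"]]
```

Run it over the XML files found under Wlansvc\Profiles\Interfaces on a host image; any name it returns is a profile whose passphrase is readable without the user's DPAPI keys and should be re-imported or removed.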
sundhaug92 (Posted November 3, 2017)

All bashbunny-payloads should now be updated for 1.3+, which means they should work with newer firmware and other languages. For languages other than en-US you still have to change the language setting at the root of the device.
RazerBlade (Posted November 3, 2017)

    7 hours ago, TeCHemically said:
    I modified the xcopy section as follows to grab information on the wireless networks on the client:

        REM if Exist %USERPROFILE%\Documents (
        if Exist c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* (
            REM /C Continues copying even if errors occur.
            REM /Q Does not display file names while copying.
            REM /G Allows the copying of encrypted files to destination that does not support encryption.
            REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
            REM /E Copies directories and subdirectories, including empty ones.
            xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* %dst% >>nul
            REM Same as above but does not create empty directories
            REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul
        )

    I have confirmed this works, and much thanks to RazerBlade for a BB cred payload that actually works! Not only that, but it is insanely fast too! I think we could host the lazagne.exe file on a website we control to get around the read-only issue they were discussing on Hak5. However, I like the option of being able to do it all locally if possible. What would it take to modify this so we can pull it down from a server and run it? RazerBlade, is that something you could change real fast and make available, so we can have an all-local copy like we have now and a hosted version like JackRabbit? Thanks again! Also, now that I have these wireless profiles, what is the best use of them? The passphrases are hashed or something. Can these be cracked or used in another way?

I was thinking of doing the exfiltration via network, but in my experience it is not as reliable. The best solution for this payload, I think, is to use read-only storage and then have another partition on the Bunny writable so the documents can easily be exfiltrated.
TeCHemically (Posted November 3, 2017)

    6 hours ago, RazerBlade said:
    I was thinking of doing the exfiltration via network, but in my experience it is not as reliable. The best solution for this payload, I think, is to use read-only storage and then have another partition on the Bunny writable so the documents can easily be exfiltrated.

I agree that is best, but would still like the option. Is there a write-up on implementing a read-only partition on the BB for this yet? I am working on adding plaintext wifi cred dumping to your payload. I am having PowerShell syntax issues, but should have it working once that is worked out. I'll share once it is done.
RazerBlade (Posted November 3, 2017)

Read-only storage is now an attackmode. If you use it, you probably need to exfiltrate the data via network by using some fancy PowerShell script.
TeCHemically (Posted November 3, 2017)

    57 minutes ago, RazerBlade said:
    Read-only storage is now an attackmode. If you use it, you probably need to exfiltrate the data via network by using some fancy PowerShell script.

Oh, I see. Well, doesn't that just reintroduce the same stability issues with hosting payloads? You are still dependent on a network connection for your payload to function. I would rather keep the data written locally and have the option to call on a payload than to have to exfil the data. There's always a chance the exe won't be caught by AV, but if it is hosted and pulled down into memory and executed, then it almost definitely won't get caught by AV. Data exfil brings in its own potential hang-ups. I already have a credential payload I'm using for Win that sends creds over the network to a server, but the php script doesn't work right, so I just capture them via tcpdump.