
Many credential payloads are not working


XenoByte


1 hour ago, TeCHemically said:

Oh, I see. Well, doesn't that just reintroduce the same stability issues with hosting payloads? You are still dependent on a network connection for your payload to function. I would rather keep the data written locally and have the option to call on a payload than to have to exfil the data. There's always a chance the exe won't be caught by AV; but if it is hosted and pulled down into memory and executed, then it almost definitely won't get caught by AV. Data exfil brings in its own potential hang-ups. I already have a credential payload I'm using for Win that sends creds over the network to a server; but the PHP script doesn't work right, so I just capture them via tcpdump.

Yeah. It's a bit of a bummer. Because of that, I have not changed anything.


4 hours ago, RazerBlade said:

Yeah. It's a bit of a bummer. Because of that, I have not changed anything.

Could you show me what method would be used to pull a payload down from a hosted server so I can modify it for my own use? I really like this payload and would like to have both methods available.


Can anyone tell me simply what changes are required in the payload files to run creds payloads? Because I am unable to run any creds payload, and it's making me sick. I have downloaded the latest version and I am also using Windows 10. Any Hak5 fan, please help; I think I have wasted my money on the BB.


5 minutes ago, Tamanbir said:

Can anyone tell me simply what changes are required in the payload files to run creds payloads? Because I am unable to run any creds payload, and it's making me sick. I have downloaded the latest version and I am also using Windows 10. Any Hak5 fan, please help; I think I have wasted my money on the BB.

I feel your pain, man. Many of the cred payloads simply don't work. PasswordGrabber does work; but it doesn't grab WiFi creds. I am working on adding that functionality; but with great pains in so doing.


1 minute ago, TeCHemically said:

I feel your pain, man. Many of the cred payloads simply don't work. PasswordGrabber does work; but it doesn't grab WiFi creds. I am working on adding that functionality; but with great pains in so doing.

I tried PasswordGrabber as well. It creates a file in the loot folder, but the text file is empty; it doesn't show any passwords!


Just now, TeCHemically said:

Do you have any passwords on your target? I have seen that on a test box of mine as well; but it's because that VM had nothing interesting in it.

Yes, I am trying on my own host machine and I have passwords stored!


So, any PowerShell commands that end in a .txt are failing, it looks like. Firmware 1.4 may resolve this; that is the main problem. Also, any PowerShell command that is broken up into multiple lines with a pipe at the end of the line is causing an error in parsing and injecting. It looks like version 1.4 may resolve this as well. However, now that my commands are running, I still get no files written to the USB loot folder. I've no idea why this is failing. PasswordGrabber works in writing txt files to the loot folder; but no other payload seems to be able to. Tried basically every credential payload and BlackBackup as well. It appears to run; but I get nothing written to the USB part. The only thing the Bash Bunny had going for it was the ability to write to a local USB partition for exfil and cred dump; and that is effectively broken.


On 11/5/2017 at 11:44 AM, sundhaug92 said:

@Tamanbir You might be having problems with your AV. Also, many payloads use an old version of mimikatz (through Invoke-Mimikatz of PowerSploit, upstream tracking-issue 255), which doesn't support newer versions of Windows 10. 

Thanks for your reply. I'm not using mimikatz in this payload though and have no AV on my test VM.


Man, we get a lot of payloads not working here. :-|

Credential payloads are iffy on Windows 10. Using it on Windows 7 with some AV like Avast running is futile unless you put work into obfuscation (mimi will be seen no matter what; its behavior has been recorded, though you can sometimes sneak past it with enough obfuscation, see the project "Invoke-Obfuscation" on GitHub).

So, on Windows 10, expect the majority of your cred payloads not to work. MS is on their game on this version of Windows, so expect a more hardened OS.

Now, exfiltration methods. I posted about that too in another thread. Going SMB opens up the Bunny to the machine's AV scanning and cleaning it if set to scan connected USB drives. ReadOnly prevents this but will still fire off warnings, and you cannot write to the drive. Also, USB storage writing to the drive requires an eject afterwards for it to be seen by the Bunny. This is just USB storage 101, nothing wrong with the BB.

Using SMB on the Bunny I have seen to be unstable in only these instances.

1) Your network and SMB server are not up yet but you try to interact with them.

    a) Solution: Add a check to the script to wait for the SMB port to open. Someone posted a payload that uses socket to check for ports.

    b) Also, dual attack mode and waiting until you get the target's IP to spin up the SMB server and begin quack commands works.

2) On Windows 10 Home sometimes you cannot simply browse to an open SMB share; it says access denied.

    a) Another MS security feature to avoid someone arbitrarily stealing your hash. Just detect the OS in the quacked script, and if it is Windows 10 and you do not care about SMB hashes, then create a temporary PSDrive to the Bunny location with a guest username and password for credentials, and then use the new PSDrive to interact with it. Dump the PSDrive when done, though I think it vanishes when the PS session that made it closes unless set to permanent.

I think that is what I can pull from the top of my head.
