Jump to content

Much credentials payloads are not working


XenoByte
 Share

Recommended Posts

1 hour ago, TeCHemically said:

Oh, I see. Well, doesn't that just reintroduce the same stability issues with hosting payloads? You are still dependent on a network connection for your payload to function. I would rather keep the data written locally and have the option to call on a payload than to have to exfil the data. There's always a chance the exe wont be caught by AV; but if it is hosted and pulled down into memory and executed, then it almost definitely wont get caught by AV. Data exfil brings in its own potential hang ups. I already have a credential payload I'm using for Win that sends creds over the network to a server; but the php script doesn't work right so I just capture them via tcpdump.

Yeh. Its a bit of a bummer. Because of that, I have not changed anything.

Link to comment
Share on other sites

4 hours ago, RazerBlade said:

Yeh. Its a bit of a bummer. Because of that, I have not changed anything.

Could you show me what method would be used to pull a payload down from a hosted server so I can modify it for my own use? I really like this payload and would like to have both methods available.

Link to comment
Share on other sites

can anyone tell me simply what changes are reuqired in payload files to run creds payloads. because i am unable to run any creds payload, its making me sick. i have downladed the latest version and also i am using windows 10 . any hak5 fan plz help, i think i have wasted my money on BB

Link to comment
Share on other sites

5 minutes ago, Tamanbir said:

can anyone tell me simply what changes are reuqired in payload files to run creds payloads. because i am unable to run any creds payload, its making me sick. i have downladed the latest version and also i am using windows 10 . any hak5 fan plz help, i think i have wasted my money on BB

I feel your pain man. Many of the cred payloads simply don't work. PasswordGrabber does work; but it doesn't grab wifi creds. I am working on adding that functionality; but with great pains in so doing. 

Link to comment
Share on other sites

1 minute ago, TeCHemically said:

I feel your pain man. Many of the cred payloads simply don't work. PasswordGrabber does work; but it doesn't grab wifi creds. I am working on adding that functionality; but with great pains in so doing. 

I tried password grabber as well it creates a file in loot folder but the text file is empty it doesnt show any passwords!

Link to comment
Share on other sites

So, any powershell commands that end in a .txt are failing it looks like. firmware 1.4 may resolve this; that is the main problem. Also, any powershell command that is broken up in multiple lines with a pipe at the end od the line is causing an error in parsing and injecting. It looks like version 1.4 may resolve this as well. However, now that my commands are running, i still get no files written to the USB loot folder. I've no idea why this is failing. PasswordGrabber works in writing txt files to the loot folder; but no other payload seems to be able to. Tried basically every credential payload and blackbackup as well. It appears to run; but i get nothing written to the USB part. The only thing the bashbunny had going for it was the ability to write to a local USB partition for exfil and cred dump; and that is effectively broken.

Link to comment
Share on other sites

On 11/5/2017 at 11:44 AM, sundhaug92 said:

@Tamanbir You might be having problems with your AV. Also, many payloads use an old version of mimikatz (through Invoke-Mimikatz of PowerSploit, upstream tracking-issue 255), which doesn't support newer versions of Windows 10. 

Thanks for your reply. I'm not using mimikatz in this payload though and have no AV on my test VM.

Link to comment
Share on other sites

Man, we get a lot of payloads not working here.  :-|

Credential payloads are iffy on Windows 10.  Using it on Windows 7 with some AV like Avast running is futile unless you put work to obfuscate (mimi will be seen no matter what, its behavior has been recorded though you can sometimes sneak past it with enough obfuscation, see project "Invoke-Obfuscation" on github).

So, on Windows 10 accept the majority of your cred payloads to not work.  MS is on their game on this version of Windows so expect a more hardened OS.

 

Now, ex filtration methods.  I posted about that too in another thread.  Going SMB opens up the bunny to the machine's AV scanning and cleaning it if set to scan connected USB drives.  ReadOnly prevents this but will still fire off warnings and you cannot write to the drive.  Also USB storage writing to the drive requires an eject afterwards for it to be seen by the bunny.  This is just USB storage 101, nothing wrong with the BB.

Using SMB on the Bunny I have seen to be unstable in only these instances.

1) Your network and smb server is not up yet but you try and interact with it.

    a) Solution: Add check to script to wait for SMB port to open.  Someone posted a payload that uses socket to check for ports.

    b) Also, dual attack mode and waiting until you get the targets IP to spin up the SMB server and begin quack commands works.

2) On Windows 10 Home sometimes you cannot simply browse to an open SMB, it says access denied.

    a) Another MS security feature to avoid someone arbitrarily stealing your hash, just detect OS in quacked script and if Windows 10 and you do not care about SMb hashes then create a temporary PS drive to bunny location with a guest username and password for credentials and then use the new psdrive to interact with it.  Dump psdrive when done, though I think it vanishes when PS session that made it closes unless set to permanent.

 

I think that is what I can pull from the top of my head.

Link to comment
Share on other sites

  • 5 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...