BB vs RP Zero

[Bob123]

So quick question and I apologize if it's been asked already.  But I've been playing with the P4wnP1 for the RP Zero and testing the Windows 10 lockpick.  My understanding is it grabs the ntlm v2 hash, then runs john the ripper to see if it's an easy password (for testing I make the passwords easy) then types in the password and unlocks the computer.  My thought has been great this is more powerful than my Bash Bunny.  However after watching the latest two Hak5 episodes I have to wonder, can the Bash Bunny do this?  I know it can grab the hashes but can it run john the ripper and use a word list that is saved on the BB?  If so I would assume it could then turn into a HID and type in the password.  Could all of this actually work on a Bash Bunny?  If it could then as Darren said in 2225, this guy has a quad core arm chip and fast ssd which is a lot more horse power than a RP Zero.  Which could then mean cracking slightly harder passwords in shorter time???  Just wondering.  Thanks.

[Dave-ee Jones]

Yes, the Bash Bunny has a few payloads that can do that. QuickCreds being one (grabs hashes/passwords while PC is on lock screen).

Yes, it is also true that the Bunny has a lot more brawn then the RPi Zero, however it still isn't very powerful for cracking passwords at all. It can compare passwords more quickly, though.

Someone correct me if I'm wrong, but I'm pretty sure that the John the Ripper/wordlist method encrypts each password in the wordlist and compares it to the hash it grabbed from the locked machine. If it's a match, you have the password, and P4wnP1 will automatically put it in for you. The Bash Bunny could be programmed to do the same thing with a payload.

[Bob123]

I believe your correct in that it just takes the entries in the lookup table/rainbow table and converts them to hashes then compares the hashes. 

I'm glad to hear it's capable of doing that.  I can picture it but I don't know that I'd be able to write it.  I would think one script to call out other smaller scripts, first connect and grab the hash, second load up john and compare the lookup hashes to the one grabbed, then if found type it out and log in to the machine.  Easier said than done.  :)

[Dave-ee Jones]

Haha, yeah. I've never made a payload like that but I've seen it done before. I do want a RPi Zero W to play around with P4wnP1 as the wireless side of pentesting would make the Bash Bunny a bit more powerful (plug it in, walk away for a while, remotely triggering payloads while not even at the PC so no one gets suspicious, then once you're done just walk by and slip your Bunny back in your pocket).

Ez.

[Opticon]

I'm with you 100%, "easier said than done." I chose the Bash Bunny out of loyalty to Hak5, however, I'm wondering if I should have bought the USB Armory instead. Sure it's been discussed on here on separate threads ad nauseam. Still, with some payloads working and others not, I read this about an RP Zero and wonder how the other half lives. You probably have more granular abilities than I do with the BB.

-Cheers

[Dave-ee Jones]

By the sounds of things I doubt I have more granular abilities than you do. I rarely use the Bash Bunny or play around with it anymore. I'm more interested in other things and playing around with other projects atm.

The RPi Zero can do tonnes of other things as well, so it probably is more powerful in that sense as well. E.g. Act as a VPN/DNS/Proxy server, used for a car infotainment system, smart home etc.

[mame82]

When I wrote the 'LockPicker' payload for P4wnP1, the intention was how things could be combined.

Cracking isn't the best idea on neither of the two devices.

Btw. I used JtR Jumbo in its default setting, which means it isn't a pure dictionary attack, but goes on with pattern based  bruteforcing. In fact the behavior of JtR could be modified per config file, which I haven't done for the LockPicker demo.

 

Now as P4wnP1 is able to join an Internet connected WiFi AP and connect to an external SSH server, it wouldn't be a big problem to load up a captured hash to a more powerfull applience. The remotely cracked credentials could than be downloaded again and used to unlock the target.

 

I'm not willing to implement such payloads for P4wnP1, as it is meant to be a framework.

 

A demo using the AutoSSH feature to bring up a remote shell (only communicating through a USB HID interface with the target) and relay it to an external SSH server is in the P4wnP1 repo, which shows the basic capabilities.

 

This unfortunately can't be done with BB due to its hardware limitations. 

 

Here's a tweet with a picture on the basic idea