hak5 @smb_exfiltrator

[Covert Error]

I have been trying to figure out a problem with this payload and for some reason I just cant get it work i have impacket in my tools file and installed when I plug my Bunny in it goes throw the colors but it gets stuck in the blue color and i cant figure out why? Do anyone have the same problem?

[WV09]

On 3/18/2018 at 1:02 PM, Covert Error said:

I have been trying to figure out a problem with this payload and for some reason I just cant get it work i have impacket in my tools file and installed when I plug my Bunny in it goes throw the colors but it gets stuck in the blue color and i cant figure out why? Do anyone have the same problem?

I am also having the same issue. I updated my Bash Bunny the latest firmware and placed impacket from the stick link on the forum. After that I unplugged and plugged the BB back in on arming mode to install impacket and the unplugged and switched it to switch 1 and I can see it load the drivers for Ethernet and also open up RUN along with a powershell window that closes very fast. 

It that just flashes blue and I have even left it for 5 minutes just in case something needed to load. I have used the USB exfiltration and so I know the test files should copy and are the right file format.

When I check the loot I see the smb folder but it is empty.

Also during the blue blinking light of the attack I did a netstat and I could not see a connection to 172.16.64.1.

[jblk01]

@WV09 - Try my modified version.  It works correctly on both Bash Bunnies I own.  I also added SMB ver. 2 support as well as slightly changed the LED pattern to suite my tastes.

I even added extra file types in the s.ps1 file and I can share those if you'd like. 🙂

https://github.com/jblk01/bashbunny-payloads/blob/master/payloads/library/exfiltration/smb_exfiltrator/payload.txt

Edited July 21, 2019 by jblk01

[WV09]

22 minutes ago, jblk01 said:

@WV09 - Try my modified version.  It works correctly on both Bash Bunnies I own.  I also added SMB ver. 2 support as well as slightly changed the LED pattern to suite my tastes.

I even added extra file types in the s.ps1 file and I can share those if you'd like. 🙂

https://github.com/jblk01/bashbunny-payloads/blob/master/payloads/library/exfiltration/smb_exfiltrator/payload.txt

Many thanks, I downloaded the payload but now it sticks on a light turquoise colour instead of blue. But the SMB ver 2 go me thinking, I am sure Win 10 latest version blocks unauthenticated shares by default. 

So I tried to navigate to the file share and I get the above message. 

[WV09]

35 minutes ago, jblk01 said:

@WV09 - Try my modified version.  It works correctly on both Bash Bunnies I own.  I also added SMB ver. 2 support as well as slightly changed the LED pattern to suite my tastes.

I even added extra file types in the s.ps1 file and I can share those if you'd like. 🙂

https://github.com/jblk01/bashbunny-payloads/blob/master/payloads/library/exfiltration/smb_exfiltrator/payload.txt

 

3 minutes ago, WV09 said:

Many thanks, I downloaded the payload but now it sticks on a light turquoise colour instead of blue. But the SMB ver 2 go me thinking, I am sure Win 10 latest version blocks unauthenticated shares by default. 

So I tried to navigate to the file share and I get the above message. 

A quick google confirmed that Microsoft have indeed blocked unauthended/guest on the latest version of Windows 10. 

https://support.microsoft.com/en-gb/help/4046019/guest-access-in-smb2-disabled-by-default-in-windows-10-and-windows-ser

Would it be possible to setup an authenticated share some instead? I will be honest I only got my BB the other day so I am new to the whole thing.

The reason I am wanting to get the SMB exfil working is that a lot of enterprise environments block 

[WV09]

...block unencrypted USB or block USB storage media completely but this would by pass that. Also many have IDS/IPS so exfil through ftp would also be blocked or detected. 

[WV09]

Have been digging a bit more and once you enable unauthenticated guest access (see link, only works on pro and enterprise) I still could not get it to work.

http://wdc.custhelp.com/app/answers/detail/a_id/21016/~/share-access-failure---organization-policies-block-unauthenticated-guest-access#subject1

I can see the file share now but the powershell on the file share is not getting triggered. 

Manually triggering the powershell on the file share works and the files are copied and the light goes green.

 

[jblk01]

@WV09 - I have updates.

 

I factory reset my Bunny, then I installed the latest firmware (1.6).

 

From there I did the following:

 

Quote

1. apt update ; apt install gcc
2. pip install impacket
3. cd /tools/
4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
6. python impacket/examples/smbserver -h

You should now see a '-username' and  a '-password' option.  Setting these in the payload.txt along with telling Windows to authenticate with it via NET USE should make this work.  I am now on my way to get my Windows 10 machine from my friend's place.  I'll keep you posted.

Edited July 23, 2019 by jblk01

[jblk01]

Okay, I got it working on my machine so that Windows does not complain.

Here is my pull request:  https://github.com/hak5/bashbunny-payloads/pull/392

And the files are here: https://github.com/jblk01/bashbunny-payloads/tree/master/payloads/library/exfiltration/smb_exfiltratorV2.0

Edited July 23, 2019 by jblk01

[WV09]

Apologies for the late reply. I followed your instructions and it works perfectly 🙂

Hopefully it gets added to the main repo as going forward this it a perfect way of exfiltration on fully patched/updated Win 10 machines.

[jblk01]

@WV09 - I'm glad it works for you!  My first time modifying a payload to that degree, so I was worried it might fail.  I hope they add it to the main repo too.