Covert Error

@smb_exfiltrator

I have been trying to figure out a problem with this payload, and for some reason I just can't get it to work. I have impacket in my tools file and installed. When I plug my Bunny in it goes through the colors, but it gets stuck in the blue color and I can't figure out why. Does anyone have the same problem?

On 3/18/2018 at 1:02 PM, Covert Error said:

I have been trying to figure out a problem with this payload, and for some reason I just can't get it to work. I have impacket in my tools file and installed. When I plug my Bunny in it goes through the colors, but it gets stuck in the blue color and I can't figure out why. Does anyone have the same problem?

I am also having the same issue. I updated my Bash Bunny to the latest firmware and placed impacket from the stick link on the forum. After that I unplugged and plugged the BB back in on arming mode to install impacket, and then unplugged and switched it to switch 1, and I can see it load the drivers for Ethernet and also open up RUN along with a PowerShell window that closes very fast.

It then just flashes blue, and I have even left it for 5 minutes just in case something needed to load. I have used the USB exfiltration, and so I know the test files should copy and are the right file format.

When I check the loot I see the smb folder but it is empty.

Also during the blue blinking light of the attack I did a netstat and I could not see a connection to 172.16.64.1.

  • Upvote 1

Posted (edited)

@WV09 - Try my modified version. It works correctly on both Bash Bunnies I own. I also added SMB ver. 2 support as well as slightly changed the LED pattern to suit my tastes.

I even added extra file types in the s.ps1 file and I can share those if you'd like. 🙂

https://github.com/jblk01/bashbunny-payloads/blob/master/payloads/library/exfiltration/smb_exfiltrator/payload.txt

Edited by jblk01

22 minutes ago, jblk01 said:

@WV09 - Try my modified version. It works correctly on both Bash Bunnies I own. I also added SMB ver. 2 support as well as slightly changed the LED pattern to suit my tastes.

I even added extra file types in the s.ps1 file and I can share those if you'd like. 🙂

https://github.com/jblk01/bashbunny-payloads/blob/master/payloads/library/exfiltration/smb_exfiltrator/payload.txt

Many thanks, I downloaded the payload but now it sticks on a light turquoise colour instead of blue. But the SMB ver 2 got me thinking, I am sure Win 10 latest version blocks unauthenticated shares by default.

So I tried to navigate to the file share and I get the above message. BB-Copy.png

35 minutes ago, jblk01 said:

@WV09 - Try my modified version. It works correctly on both Bash Bunnies I own. I also added SMB ver. 2 support as well as slightly changed the LED pattern to suit my tastes.

I even added extra file types in the s.ps1 file and I can share those if you'd like. 🙂

https://github.com/jblk01/bashbunny-payloads/blob/master/payloads/library/exfiltration/smb_exfiltrator/payload.txt

 

3 minutes ago, WV09 said:

Many thanks, I downloaded the payload but now it sticks on a light turquoise colour instead of blue. But the SMB ver 2 got me thinking, I am sure Win 10 latest version blocks unauthenticated shares by default.

So I tried to navigate to the file share and I get the above message. BB-Copy.png

A quick Google confirmed that Microsoft have indeed blocked unauthenticated/guest on the latest version of Windows 10.

https://support.microsoft.com/en-gb/help/4046019/guest-access-in-smb2-disabled-by-default-in-windows-10-and-windows-ser

Would it be possible to set up an authenticated share somehow instead? I will be honest, I only got my BB the other day so I am new to the whole thing.

The reason I am wanting to get the SMB exfil working is that a lot of enterprise environments block 

...block unencrypted USB or block USB storage media completely, but this would bypass that. Also many have IDS/IPS, so exfil through FTP would also be blocked or detected.

Have been digging a bit more and once you enable unauthenticated guest access (see link, only works on Pro and Enterprise) I still could not get it to work.

http://wdc.custhelp.com/app/answers/detail/a_id/21016/~/share-access-failure---organization-policies-block-unauthenticated-guest-access#subject1

I can see the file share now but the PowerShell on the file share is not getting triggered.

Manually triggering the PowerShell on the file share works and the files are copied and the light goes green.
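
For defenders, the guest-access setting discussed in the posts above can be audited on a Windows host. The following PowerShell is an added example, not part of the thread or of the payload; the function name `Get-InsecureGuestAuthState` is hypothetical, and it reads the `AllowInsecureGuestAuth` registry value and the SMB client's `EnableInsecureGuestLogons` setting.

```powershell
# Added example, not from the thread: report whether this host's SMB client
# accepts insecure (unauthenticated guest) logons.
function Get-InsecureGuestAuthState {   # hypothetical helper name
    $name = 'AllowInsecureGuestAuth'
    $locations = [ordered]@{
        GroupPolicy     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
        LocalParameters = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    }
    # Registry view: a value of 1 in either location permits guest fallback.
    $rows = @(foreach ($key in $locations.Keys) {
        $prop  = Get-ItemProperty -Path $locations[$key] -Name $name -ErrorAction SilentlyContinue
        $value = if ($prop) { $prop.$name } else { $null }
        [pscustomobject]@{
            Source      = $key
            Value       = if ($null -eq $value) { 'not set' } else { $value }
            AllowsGuest = ($value -eq 1)
        }
    })

    # Effective client setting; the property is absent on older builds.
    try {
        $cfg       = Get-SmbClientConfiguration -ErrorAction Stop
        $effective = $cfg.EnableInsecureGuestLogons
        $rows += [pscustomobject]@{
            Source      = 'SmbClientConfiguration'
            Value       = if ($null -eq $effective) { 'not reported' } else { $effective }
            AllowsGuest = ($effective -eq $true)
        }
    } catch {
        Write-Warning "Get-SmbClientConfiguration failed: $($_.Exception.Message)"
    }
    $rows
}

$state = Get-InsecureGuestAuthState
$state | Format-Table -AutoSize
if ($state.AllowsGuest -contains $true) {
    Write-Warning 'Insecure guest SMB logons are allowed on this host.'
    # Remediation (run elevated): Set-SmbClientConfiguration -EnableInsecureGuestLogons $false
} else {
    Write-Output 'Insecure guest SMB logons are blocked.'
}
```

This setting only governs guest fallback; it does not affect connections to a share that the client authenticates to with a username and password.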

 

Posted (edited)

@WV09 - I have updates.

 

I factory reset my Bunny, then I installed the latest firmware (1.6).

 

From there I did the following:

 

Quote

1. apt update ; apt install gcc
2. pip install impacket
3. cd /tools/
4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
6. python impacket/examples/smbserver.py -h

You should now see a '-username' and a '-password' option. Setting these in the payload.txt along with telling Windows to authenticate with it via NET USE should make this work. I am now on my way to get my Windows 10 machine from my friend's place. I'll keep you posted.

Edited by jblk01
  • Upvote 2

Apologies for the late reply. I followed your instructions and it works perfectly 🙂

Hopefully it gets added to the main repo, as going forward this is a perfect way of exfiltration on fully patched/updated Win 10 machines.

@WV09 - I'm glad it works for you! My first time modifying a payload to that degree, so I was worried it might fail. I hope they add it to the main repo too.
