panadero Posted February 22, 2019

After much chagrin and googling, we found that QuickCreds will not work on the lan turtle because of disk space issues. Here's our fix! (we take no responsibility if you break something/somebody. Only hack when you have prior approval and authorization!)

- Factory reset, or push the turtle-5.bin firmware to reset (probably need to upgrade to v5 anyway). This makes sure you are set to base. YMMV.
- Open the lan turtle, push and hold the reset button for at least 5 seconds after plugging it into the machine
- ssh in to 172.16.84.1, sh3llz, change password
- Update the modules list
- Only install QuickCreds for now, so we have enough space
- Select QuickCreds and configure
- Let it install its dependencies
- You can now set QuickCreds to 'Enable' so that it will start at boot
- DO NOT REBOOT YET! At this point, we're going to exit and git clone the responder package
- DO NOT INSTALL RESPONDER FROM THE TURTLE MODULES LIST ITSELF
- Exit 'turtle' back to a basic root shell
- Git clone the Responder package first to /tmp since there is plenty of space.

    git clone git://github.com/lgandx/Responder /tmp/Responder

BUT DON'T REBOOT YET, CAUSE YOU'LL LOSE EVERYTHING IN /tmp

    du -sh /tmp/Responder
    3.8M
    rm -rf /tmp/Responder/.git
    rm -rf /tmp/Responder/tools/MultiRelay/
    du -sh /tmp/Responder
    450.5k

We also want to remove the git package as it takes up >1MB of space. QuickCreds installs it /only/ to git the Responder package 😕

    opkg remove git
    df -h
    1.2M available on /

Move the Responder package back to /etc/turtle/ for QuickCreds to find it

    mv /tmp/Responder/ /etc/turtle/
    df -h
    1.1M still available on / now (w00t)

The QuickCreds module is hardcoded to use br-lan as the interface. This doesn't exist, so we need to change it to eth0. Another 😕

    sed -i 's/br-lan/eth0/' /etc/turtle/modules/QuickCreds

You should now have at least 1MB of storage on / and plenty of space for /root/loot to write to, as well as have Responder available for QuickCreds

- Pop the turtle in a Windows system and wait about 30 seconds until the amber light goes solid, CREDS!!!
- Copy and paste the hash from /root/loot/#/HTTP-NTLMv2-172.16.84.127.txt
- Paste into a hash file and send it to john with a wordlist

    john hash.txt --wordlist=wordlist.txt

Testing shows this works whether the laptop is locked or not locked. These hashes cannot be replayed, only cracked.

You still have plenty of space to return to the turtle shell and install any other modules you need at this point. You may need git for something else, but probably not enough space. This setup is for the "Grab creds from a locked Workstation" scenario. You may need MultiRelay for something else...? Not needed for QuickCreds.

ENJOY!

BBK Posted January 23, 2020

I have an original Lan Turtle with no SD card. I just updated to the 6.2 firmware, and found that Quick Creds acted like it was working, but the folders (e.g. ~/loot/1/) were empty. This post solved the issue. For anyone looking at this later, there are a few minor adjustments:

- I did stay on 6.2 firmware (didn't factory reset to 5)
- When I got to "git clone git://github.com/lgandx/Responder /tmp/Responder", I didn't have git, and git wouldn't install due to lack of space. Instead I went to https://github.com/lgandx/Responder/releases, copied the tar.gz link to the latest release, and then on my Lan Turtle did "wget https://github.com/lgandx/Responder/archive/v3.0.0.0.tar.gz" while inside /tmp/
- I un-tarred this, and then more or less continued with the instructions. There was no .git directory to remove, but I did remove /tools/MultiRelay, and of course I never had to opkg remove git.
- When it came time to move /tmp/Responder to /etc/turtle/, I was told that the Responder folder (/etc/turtle/Responder) already existed. It appears that they may have somewhat fixed the dependencies? Still, it hadn't worked, so I removed it (rm -rf /etc/turtle/Responder), and copied my up-to-date version over it.
- Moving on, /etc/turtle/modules/QuickCreds has been renamed with lowercase characters (/etc/turtle/modules/quickcreds). So

    sed -i 's/br-lan/eth0/' /etc/turtle/modules/quickcreds

Looking back on it, since the dependencies may have been fixed, I wonder if replacing br-lan with eth0 was the only thing that needed to be done? Still, it's working now, so I'm not messing with it.