[PAYLOAD] Jackalope - SMB Brute Force with Metasploit


Darren Kitchen

I'm starting this thread on behalf of @CatatonicPrime who just released his Jackalope payload - which uses ethernet to attempt dictionary attacks against passwords.

https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/credentials/Jackalope

This post was made before firmware v1.6, which will include the dependencies; however, if you wish to attempt this payload beforehand, I've included the following snippets.

You'll need to first get your Bash Bunny online, which can be done by following the instructions at https://docs.hak5.org/hc/en-us/sections/360002204213-Internet-Connectivity

Update apt sources

rm -rf /etc/apt/sources.list

echo "deb http://archive.debian.org/debian/ jessie-backports main" | tee -a /etc/apt/sources.list
echo "deb-src http://archive.debian.org/debian/ jessie-backports main" | tee -a /etc/apt/sources.list

echo "deb http://httpredir.debian.org/debian jessie main contrib non-free" | tee -a /etc/apt/sources.list
echo "deb-src http://httpredir.debian.org/debian jessie main contrib non-free" | tee -a /etc/apt/sources.list

echo "deb http://ftp.de.debian.org/debian stretch main" | tee -a /etc/apt/sources.list
echo "deb-src http://ftp.de.debian.org/debian stretch main" | tee -a /etc/apt/sources.list

echo "Acquire::Check-Valid-Until false;" | tee -a /etc/apt/apt.conf.d/10-nocheckvalid
echo "APT::Default-Release \"jessie\";" | tee -a /etc/apt/apt.conf.d/default-release
# printf so the \n sequences become real line breaks; bash's builtin echo would write them literally
printf 'Package: *\nPin: origin "archive.debian.org"\nPin-Priority: 500\n' | tee -a /etc/apt/preferences.d/10-archive-pin

date -s 20190522 # replace with today's date

apt-key update && apt update

Install ruby

apt -y -t stretch install ruby-full

Install rvm

curl -sSL https://rvm.io/mpapis.asc | gpg --import -
curl -L https://get.rvm.io | bash -s stable
source /etc/profile.d/rvm.sh
echo "source /etc/profile.d/rvm.sh" >> /root/.profile

You may need to tell curl to ignore SSL validation.

Install metasploit-framework

cd /tools
git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework
gem install bundler
bundle install
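The replies further down this thread show the three ways these steps fail on a Bunny: curl reporting "certificate is not yet valid" (the Bunny has no battery-backed clock, so until `date -s` is run it thinks it is years in the past), apt reporting "Could not resolve" for every mirror (internet sharing not actually working), and bundler refusing the stock Ruby 2.1.5. The preflight script below is an added example, not part of the Jackalope payload or of Darren's post; it checks those conditions before any of the commands above are run, so the clock gets fixed instead of certificate verification being switched off. The mirror list is taken from the sources.list lines above; the 2019-05-22 clock floor and the 2.3.0 Ruby minimum are assumptions (the guide's date and the bundler error quoted later), and `--run` is a flag this script defines for itself.

```shell
#!/bin/bash
# Preflight checks for the Bash Bunny install steps above (added example, not
# part of the Jackalope payload or the original post). Run with:
#   bash preflight.sh --run
# Thresholds and the mirror list are assumptions, documented inline.

# Mirrors named in the sources.list lines above; all three must resolve.
APT_HOSTS="archive.debian.org httpredir.debian.org ftp.de.debian.org"

# bundler refuses Ruby older than 2.3.0 (assumed from the error quoted later in
# the thread); the 2.1.5 that ships on the Bunny is below that.
MIN_RUBY="2.3.0"

# Clock floor: 2019-05-22 00:00:00 UTC as epoch seconds (the guide's date,
# assumed as a floor). HTTPS fails with "certificate is not yet valid" when the
# clock is years behind; setting the date fixes that without curl -k.
CLOCK_FLOOR=1558483200

# Returns 0 when the epoch seconds in $1 (default: now) are at or after the floor.
clock_is_sane() {
    now="${1:-$(date +%s)}"
    [ "$now" -ge "$CLOCK_FLOOR" ]
}

# Returns 0 when every apt mirror resolves; "Could not resolve" in apt output
# means internet sharing to the Bunny is not working yet.
mirrors_resolve() {
    for h in $APT_HOSTS; do
        if ! getent hosts "$h" >/dev/null 2>&1; then
            echo "cannot resolve $h" >&2
            return 1
        fi
    done
    return 0
}

# Numeric dotted-version compare: returns 0 when $1 >= $2.
# Plain string comparison would rank 2.10.0 below 2.9.0; this does not.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai:-0}";  bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# Takes a `ruby -v` line such as "ruby 2.1.5p273 (2014-11-13) [arm-linux-gnueabihf]"
# and returns 0 when the version meets MIN_RUBY.
ruby_line_ok() {
    v="${1#ruby }"      # drop the leading word
    v="${v%% *}"        # keep "2.1.5p273"
    v="${v%%p*}"        # strip the patch level -> "2.1.5"
    version_ge "$v" "$MIN_RUBY"
}

# "source /etc/profile.d/rvm.sh: No such file or directory" means the rvm
# installer never ran; check for the file before sourcing it.
rvm_profile_present() {
    [ -r "${1:-/etc/profile.d/rvm.sh}" ]
}

run_preflight() {
    rc=0
    clock_is_sane || { echo "clock is before $CLOCK_FLOOR; run: date -s <today>" >&2; rc=1; }
    mirrors_resolve || rc=1
    if command -v ruby >/dev/null 2>&1; then
        ruby_line_ok "$(ruby -v)" || { echo "ruby older than $MIN_RUBY; bundler will refuse it" >&2; rc=1; }
    else
        echo "ruby not installed yet" >&2
    fi
    rvm_profile_present || echo "rvm profile missing; the rvm installer has not run" >&2
    return "$rc"
}

case "${1:-}" in
    --run) run_preflight ;;
esac
```

Only `--run` touches the network; the individual checks are plain functions, so they can be exercised on any machine with a hand-made `ruby -v` line or epoch value before being copied to the Bunny.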

 


Though I don't own a BB (I know, shame on me), I instantly thought this could be great combined with either:

  • grabbing BitLocker keys
  • deploying a reverse shell

Remember that any other features and payloads can be added on yourself to be run once/if access is gained. The base payload should stay as is and just take improvements to how it works.

Hmm, how fast does this payload spin up with Metasploit? Wondering if the same bruting could be done with impacket's smbclient?

 


Hi, 

You cannot execute the commands below:

curl -sSL https://rvm.io/mpapis.asc | gpg --import -
curl -L https://get.rvm.io | bash -s stable
source /etc/profile.d/rvm.sh

Do you know what the problem might be?

Error message:

"root@bunny:~# curl -sSL https://rvm.io/mpapis.asc | gpg --import -
curl: (60) SSL certificate problem: certificate is not yet valid
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
root@bunny:~# source /etc/profile.d/rvm.sh
-bash: /etc/profile.d/rvm.sh: No such file or directory"

 

Rgs,


6 hours ago, alangastalho said:

"root@bunny:~# curl -sSL https://rvm.io/mpapis.asc | gpg --import -
curl: (60) SSL certificate problem: certificate is not yet valid

Execute the first cURL command with the --insecure flag.

Then try executing the second command. If it prompts you with a GPG command, run that, then run the second command again, possibly with the --insecure flag as well.


19 hours ago, MB60893 said:

Execute the first cURL command with the --insecure flag.

Then try executing the second command. If it prompts you with a GPG command, run that, then run the second command again, possibly with the --insecure flag as well.

IIRC I had to add -k, but I'm not in front of my BB right now - hence the mention that you may need to ignore validation.

4 hours ago, Mohamed A. Baset said:

@Darren Kitchen and @CatatonicPrime The problem is that Metasploit Framework takes forever to load on the humble specifications of BashBunny, I have done this like two years ago: 

 

Yes, it does take a minute to load. This can be sped up in the payload by using the CUCUMBER extension - like CUCUMBER PLAID, get metasploit going, then CUCUMBER DISABLE for the remainder of the payload (I get that this isn't obvious). 

That said, with this sorta payload you're deploying for hours or potentially days depending on the engagement - so what's 60 seconds up front to get the ball rolling?

On 5/23/2019 at 6:14 AM, PoSHMagiC0de said:

Remember that any other features and payloads can be added on your self to be ran once/if access is gained.  The base payload should stay as is and just take improvements to how it works.

Hmm, how fast does this payload spin up with metasploit?  Wondering if the same bruting could be done with impacket's smbclient?

 

The optimal way to do it would be with a purpose-built multi-threaded application to take advantage of the bunny's four cores. I've seen a PoC that's 100x faster than this implementation, which should see the light of day hopefully soon - but that doesn't take away from the coolness of this payload's Metasploit exploit (scanner) implementation, because it's infinitely repeatable with any of the numerous exploits of the framework.


30 minutes ago, Darren Kitchen said:

Yes, it does take a minute to load. This can be sped up in the payload by using the CUCUMBER extension - like CUCUMBER PLAID, get metasploit going, then CUCUMBER DISABLE for the remainder of the payload (I get that this isn't obvious). 

 That said, with this sorta payload you're deploying for hours or potentially days depending on the engagement - so what's 60 seconds up front to get the ball rolling?


You can watch the video I did. Unfortunately it takes 3 minutes minimum, even with "CUCUMBER PLAID"; check here: https://github.com/hak5/bashbunny-payloads/blob/master/payloads/library/exploitation/Metasploit-Autopwn/payload.txt

 


Yeah, I have been having issues getting my non-domain-joined, updated Windows 10 machine to take SMB connections unless I screw with the token setting in the registry. So, I assume this is an enterprise payload unless the home user/friend you are picking on is knowledgeable, has Win10 Pro and has set up a home domain or edited his machine to behave as a domain-joined machine.

I was going to work on an impacket-implemented payload (use the actual library to make my own, using the SMBConnection library to spawn through connections). You could even skip the nmap scan since SMBConnection will throw an error if it cannot connect.

Since there is a fast PoC out there already, I am going to move on to working back on my own tool since I have a week off this week. Going to use Go on the BB. Anyway, yeah, it is cool he got MM going on the BB but I knew there would be overhead.



I can't seem to get the sources to work

Err http://archive.debian.org jessie-backports InRelease
Err http://ftp.de.debian.org stretch InRelease
Err http://httpredir.debian.org jessie InRelease

Err http://archive.debian.org jessie-backports Release.gpg
  Could not resolve 'archive.debian.org'
Err http://ftp.de.debian.org stretch Release.gpg
  Could not resolve 'ftp.de.debian.org'
Err http://httpredir.debian.org jessie Release.gpg
  Could not resolve 'httpredir.debian.org'
Reading package lists... Done
Segmentation fault
root@bunny:~# apt -y -t stretch install ruby-full
Reading package lists... Done
E: The value 'stretch' is invalid for APT::Default-Release as such a release is not available in the sources

 


To allow it to brute force the admin account even if the account name has been changed you should add the following:

call psgetsid.exe

rerun psgetsid with the output and add -500 to the end

grab that output and run the attack against account name

 

This will return the name of the administrator account even if it's been renamed.

 


Can somebody confirm that this payload is working while all Windows 10 firewalls (domain, private and public) are "ON"??? The RNDIS interface is part of a private network. At least the "private" firewall should block nmap scans and SMB brute force. OR???


On 5/30/2019 at 11:21 AM, Mohamed A. Baset said:

Here is another refined version: https://github.com/hak5/bashbunny-payloads/pull/383

Waiting for merging the PR.

Cheers!

Can somebody confirm that this payload is working while all Windows 10 firewalls (domain, private and public) are "ON"??? The RNDIS interface is part of a private network. At least the "private" firewall should block nmap scans and SMB brute force. OR???


I was stuck here for a whole day:

root@bunny:~# cd /tools/metasploit-framework
Required ruby-2.6.2 is not installed.
To install do: 'rvm install "ruby-2.6.2"'

There are no 2.6.2 binary files found under debian/8 with the command "rvm install ruby 2.6.2", so I installed ruby 2.6.2 manually with:

./configure
make
sudo make install

and now my ruby -v is 2.6.2

But I still get this "Required ruby-2.6.2" problem

and I ignored this and kept on with

gem install bundler

which gave me errors:

ERROR:  Loading command: install (LoadError)
        cannot load such file -- zlib
ERROR:  While executing gem ... (NoMethodError)
    undefined method `invoke_with_build_args' for nil:NilClass

 

can anybody help me with this?

 


On 6/26/2019 at 7:29 AM, Ture said:

Following Darren's guide, but I can't get the Ruby installation right even if I try to install Ruby "the right way"

root@bunny:/tools# cd metasploit-framework
Required ruby-2.6.2 is not installed.
To install do: 'rvm install "ruby-2.6.2"'
root@bunny:/tools/metasploit-framework# rvm install ruby-2.6.2
Searching for binary rubies, this might take some time.
No binary rubies available for: debian/8/armhf/ruby-2.6.2.
Continuing with compilation. Please read 'rvm help mount' to get more information on binary rubies.
Checking requirements for debian.
Installing requirements for debian.
Updating system....
....
Installing required packages: gawk, autoconf, automake, bison, libffi-dev, libgdbm-dev, libncurses5-dev, libsqlite3-dev, libtool, libyaml-dev, pkg-config, sqlite3, zlib1g-dev, libreadline6-dev, libssl-dev...
Error running 'requirements_debian_libs_install gawk autoconf automake bison libffi-dev libgdbm-dev libncurses5-dev libsqlite3-dev libtool libyaml-dev pkg-config sqlite3 zlib1g-dev libreadline6-dev libssl-dev',
please read /usr/local/rvm/log/1561977653_ruby-2.6.2/package_install_gawk_autoconf_automake_bison_libffi-dev_libgdbm-dev_libncurses5-dev_libsqlite3-dev_libtool_libyaml-dev_pkg-config_sqlite3_zlib1g-dev_libreadline6-dev_libssl-dev.log
Requirements installation failed with status: 100.
root@bunny:/tools/metasploit-framework# ruby -v
ruby 2.1.5p273 (2014-11-13) [arm-linux-gnueabihf]

root@bunny:/tools/metasploit-framework# gem install bundler

ERROR:  Error installing bundler:
        bundler requires Ruby version >= 2.3.0
.
root@bunny:/tools/metasploit-framework#
root@bunny:/tools/metasploit-framework#

 

 

---------------

Please give me some "helpful" advice - PLEASE!


Quote

root@bunny:/tools/metasploit-framework# bundle install
Don't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will break this application for all non-root users on this machine.
Fetching gem metadata from https://rubygems.org/..............
Using rake 12.3.3
Using Ascii85 1.0.3
Using concurrent-ruby 1.0.5
Using i18n 0.9.5
Using minitest 5.11.3
Using thread_safe 0.3.6
Using tzinfo 1.2.5
Using activesupport 4.2.11.1
Using builder 3.2.3
Using erubis 2.7.0
Using mini_portile2 2.4.0
Fetching nokogiri 1.10.4
Installing nokogiri 1.10.4 with native extensions
Gem::Ext::BuildError: ERROR: Failed to build gem native extension.

    current directory: /var/lib/gems/2.3.0/gems/nokogiri-1.10.4/ext/nokogiri
/usr/bin/ruby2.3 -r ./siteconf20190823-8734-xik7rr.rb extconf.rb
checking if the C compiler accepts ... *** extconf.rb failed ***
Could not create Makefile due to some reason, probably lack of necessary
libraries and/or headers.  Check the mkmf.log file for more details.  You may
need configuration options.

Provided configuration options:
--with-opt-dir
--without-opt-dir
--with-opt-include
--without-opt-include=${opt-dir}/include
--with-opt-lib
--without-opt-lib=${opt-dir}/lib
--with-make-prog
--without-make-prog
--srcdir=.
--curdir
--ruby=/usr/bin/$(RUBY_BASE_NAME)2.3
--help
--clean
/usr/lib/ruby/2.3.0/mkmf.rb:456:in `try_do': The compiler failed to generate an executable file. (RuntimeError)
You have to install development tools first.
from /usr/lib/ruby/2.3.0/mkmf.rb:571:in `block in try_compile'
from /usr/lib/ruby/2.3.0/mkmf.rb:522:in `with_werror'
from /usr/lib/ruby/2.3.0/mkmf.rb:571:in `try_compile'
from extconf.rb:138:in `nokogiri_try_compile'
from extconf.rb:162:in `block in add_cflags'
from /usr/lib/ruby/2.3.0/mkmf.rb:629:in `with_cflags'
from extconf.rb:161:in `add_cflags'
from extconf.rb:416:in `<main>'

To see why this extension failed to compile, please check the mkmf.log which can be found here:

  /var/lib/gems/2.3.0/extensions/arm-linux/2.3.0/nokogiri-1.10.4/mkmf.log

extconf failed, exit code 1

Gem files will remain installed in /var/lib/gems/2.3.0/gems/nokogiri-1.10.4 for inspection.
Results logged to /var/lib/gems/2.3.0/extensions/arm-linux/2.3.0/nokogiri-1.10.4/gem_make.out

An error occurred while installing nokogiri (1.10.4), and Bundler cannot continue.
Make sure that `gem install nokogiri -v '1.10.4' --source 'https://rubygems.org/'` succeeds before bundling.

In Gemfile:
  factory_bot_rails was resolved to 5.0.2, which depends on
    railties was resolved to 4.2.11.1, which depends on
      actionpack was resolved to 4.2.11.1, which depends on
        actionview was resolved to 4.2.11.1, which depends on
          rails-dom-testing was resolved to 1.0.9, which depends on
            nokogiri
root@bunny:/tools/metasploit-framework#

Please give me some "helpful" advice - PLEASE!


On 8/30/2019 at 2:23 AM, Altrez said:

Hello Everyone,

This payload works great on every non-domain workstation I try it on. However, if a user is logged in as mydomain.local\hackme it will not work. Has anyone made any adjustments to fix this?

Thanks!

Hey

I guess this is a username problem (it's on metasploit, not the bunny). I'm sure there are some videos that show how to use it on domain machines.
