Darren Kitchen

[PAYLOAD] Jackalope - SMB Brute Force with Metasploit


I'm starting this thread on behalf of @CatatonicPrime who just released his Jackalope payload - which uses ethernet to attempt dictionary attacks against passwords.

https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/credentials/Jackalope

This post is made pre-firmware v1.6, which will include the dependencies; however, if you wish to attempt this payload beforehand, I've included the following snippets.

You'll need to first get your Bash Bunny online, which can be done by following the instructions at https://docs.hak5.org/hc/en-us/sections/360002204213-Internet-Connectivity

Update apt sources

rm -rf /etc/apt/sources.list

echo "deb http://archive.debian.org/debian/ jessie-backports main" | tee -a /etc/apt/sources.list
echo "deb-src http://archive.debian.org/debian/ jessie-backports main" | tee -a /etc/apt/sources.list

echo "deb http://httpredir.debian.org/debian jessie main contrib non-free" | tee -a /etc/apt/sources.list
echo "deb-src http://httpredir.debian.org/debian jessie main contrib non-free" | tee -a /etc/apt/sources.list

echo "deb http://ftp.de.debian.org/debian stretch main" | tee -a /etc/apt/sources.list
echo "deb-src http://ftp.de.debian.org/debian stretch main" | tee -a /etc/apt/sources.list

echo "Acquire::Check-Valid-Until false;" | tee -a /etc/apt/apt.conf.d/10-nocheckvalid
echo "APT::Default-Release \"jessie\";" | tee -a /etc/apt/apt.conf.d/default-release
# printf is used here because plain echo does not expand \n, which would leave the whole pin on one line
printf 'Package: *\nPin: origin "archive.debian.org"\nPin-Priority: 500\n' | tee -a /etc/apt/preferences.d/10-archive-pin

date -s 20190522 # replace with today's date

apt-key update && apt update

Install ruby

apt -y -t stretch install ruby-full

Install rvm

curl -sSL https://rvm.io/mpapis.asc | gpg --import -
curl -L https://get.rvm.io | bash -s stable
source /etc/profile.d/rvm.sh
echo "source /etc/profile.d/rvm.sh" >> /root/.profile

You may need to tell curl to ignore SSL validation.

Install metasploit-framework

cd /tools
git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework
gem install bundler
bundle install
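A dictionary attack like the one this payload runs shows up on the target as a burst of failed network logons (Event ID 4625, Logon Type 3) from a single source address. The following is an added detection example, not part of the payload or this thread; the event lines are constructed in a simplified key=value form and the threshold and window are assumptions.

```python
"""Flag SMB brute-force activity from Windows Security event 4625 records.

Added example, not from the Jackalope payload: count failed network
logons (4625, LogonType 3) per source IP inside a sliding time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (field names follow the 4625 event; values are
# made up). 172.16.64.1 plays the attacking device on the RNDIS link.
SAMPLE_EVENTS = """\
2019-05-23T06:14:01 EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=172.16.64.1 Status=0xC000006D
2019-05-23T06:14:02 EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=172.16.64.1 Status=0xC000006D
2019-05-23T06:14:02 EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=172.16.64.1 Status=0xC000006D
2019-05-23T06:14:03 EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=172.16.64.1 Status=0xC000006D
2019-05-23T06:14:03 EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=172.16.64.1 Status=0xC000006D
2019-05-23T06:14:04 EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=172.16.64.1 Status=0xC000006D
2019-05-23T06:20:00 EventID=4625 LogonType=2 TargetUserName=alice IpAddress=127.0.0.1 Status=0xC000006D
2019-05-23T06:25:00 EventID=4625 LogonType=3 TargetUserName=bob IpAddress=10.0.0.7 Status=0xC000006D
2019-05-23T06:30:00 EventID=4624 LogonType=3 TargetUserName=Administrator IpAddress=172.16.64.1 Status=0x0
"""

def parse_event(line):
    """Return (timestamp, fields) for one key=value event line."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), fields

def detect_smb_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: peak_failures} for sources that reach `threshold`
    failed network logons within any `window`-long span."""
    failures = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_event(line)
        # Only failed logons arriving over the network (SMB, RPC, etc.)
        if f.get("EventID") == "4625" and f.get("LogonType") == "3":
            failures[f["IpAddress"]].append(ts)
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts
```

Local (LogonType 2) failures and successful logons are ignored, so a single mistyped password at the console does not trip the threshold.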

Though I don't own a BB (I know, shame on me), I instantly thought this could be great combined with either:

  • grabbing BitLocker keys
  • deploying a reverse shell


Remember that any other features and payloads can be added on yourself to be run once/if access is gained. The base payload should stay as is and just take improvements to how it works.

Hmm, how fast does this payload spin up with metasploit? Wondering if the same bruting could be done with impacket's smbclient?


Hi,

You cannot execute the commands below:

curl -sSL https://rvm.io/mpapis.asc | gpg --import -
curl -L https://get.rvm.io | bash -s stable
source /etc/profile.d/rvm.sh

Do you know what the problem might be?

Message error:

"root@bunny:~# curl -sSL https://rvm.io/mpapis.asc | gpg --import -
curl: (60) SSL certificate problem: certificate is not yet valid
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
root@bunny:~# source /etc/profile.d/rvm.sh
-bash: /etc/profile.d/rvm.sh: No such file or directory"


Rgs,

6 hours ago, alangastalho said:

"root@bunny:~# curl -sSL https://rvm.io/mpapis.asc | gpg --import -
curl: (60) SSL certificate problem: certificate is not yet valid

Execute the first cURL command with the --insecure flag.

Then try executing the second command. If it prompts you with a GPG command, run that, then run the second command again, possibly with the --insecure flag as well.

19 hours ago, MB60893 said:

Execute the first cURL command with the --insecure flag.

Then try executing the second command. If it prompts you with a GPG command, run that, then run the second command again, possibly with the --insecure flag as well.

IIRC I had to add -k, but I'm not in front of my BB right now, hence the mention that you may need to ignore validation.

4 hours ago, Mohamed A. Baset said:

@Darren Kitchen and @CatatonicPrime The problem is that Metasploit Framework takes forever to load on the humble specifications of the Bash Bunny. I have done this like two years ago:

Yes, it does take a minute to load. This can be sped up in the payload by using the CUCUMBER extension, like CUCUMBER PLAID, get metasploit going, then CUCUMBER DISABLE for the remainder of the payload (I get that this isn't obvious).

That said, with this sort of payload you're deploying for hours or potentially days depending on the engagement, so what's 60 seconds up front to get the ball rolling?

On 5/23/2019 at 6:14 AM, PoSHMagiC0de said:

Remember that any other features and payloads can be added on yourself to be run once/if access is gained. The base payload should stay as is and just take improvements to how it works.

Hmm, how fast does this payload spin up with metasploit? Wondering if the same bruting could be done with impacket's smbclient?

The optimal way to do it would be with a purpose-built multi-threaded application to take advantage of the Bunny's four cores. I've seen a PoC that's 100x faster than this implementation which should see the light of day hopefully soon, but that doesn't take away from the coolness of this payload's Metasploit exploit (scanner) implementation, because it's infinitely repeatable with any of the numerous exploits of the framework.

30 minutes ago, Darren Kitchen said:

Yes, it does take a minute to load. This can be sped up in the payload by using the CUCUMBER extension, like CUCUMBER PLAID, get metasploit going, then CUCUMBER DISABLE for the remainder of the payload (I get that this isn't obvious).

That said, with this sort of payload you're deploying for hours or potentially days depending on the engagement, so what's 60 seconds up front to get the ball rolling?

You can watch the video I did. Unfortunately it takes like 3 minutes minimum, and with "CUCUMBER PLAID" too; check here: https://github.com/hak5/bashbunny-payloads/blob/master/payloads/library/exploitation/Metasploit-Autopwn/payload.txt


Yeah, I have been having issues getting my non-domain-joined, updated Windows 10 machine to take SMB connections into it unless I screw with the token setting in the registry. So, I assume this is an enterprise payload unless the home user/friend you are picking on is knowledgeable, has Win10 Pro and has set up a home domain or edited his machine to behave as a domain-joined machine.

I was going to work on an impacket-implemented payload (use the actual library to make my own, using the SMBConnection library to spawn through connections). You could even skip the nmap scan since SMBConnection will throw an error if it cannot connect.

Since there is a fast PoC out there already, I am going to move on to working back on my own tool since I have a week off this week. Going to use Go on the BB. Anyway, yeah, it is cool he got MM going on the BB, but I knew there would be overhead.


I can't seem to get the sources to work:

Err http://archive.debian.org jessie-backports InRelease

Err http://ftp.de.debian.org stretch InRelease

Err http://httpredir.debian.org jessie InRelease

Err http://archive.debian.org jessie-backports Release.gpg
  Could not resolve 'archive.debian.org'
Err http://ftp.de.debian.org stretch Release.gpg
  Could not resolve 'ftp.de.debian.org'
Err http://httpredir.debian.org jessie Release.gpg
  Could not resolve 'httpredir.debian.org'
Reading package lists... Done
Segmentation fault
root@bunny:~# apt -y -t stretch install ruby-full
Reading package lists... Done
E: The value 'stretch' is invalid for APT::Default-Release as such a release is not available in the sources


To allow it to brute force the admin account even if the account name has been changed, you should add the following:

call psgetsid.exe

rerun psgetsid with the output and add -500 to the end

grab that output and run the attack against that account name

This will return the name of the administrator account even if it's been renamed.


Can somebody confirm that this payload is working while all Windows 10 firewalls (domain, private and public) are "ON"??? The RNDIS interface is part of a private network. At least the "private" firewall should block nmap scans and SMB brute force. OR???

On 5/30/2019 at 11:21 AM, Mohamed A. Baset said:

Here is another refined version: https://github.com/hak5/bashbunny-payloads/pull/383

Waiting for merging the PR.

Cheers!

Can somebody confirm that this payload is working while all Windows 10 firewalls (domain, private and public) are "ON"??? The RNDIS interface is part of a private network. At least the "private" firewall should block nmap scans and SMB brute force. OR???


I was stuck here for a whole day:

root@bunny:~# cd /tools/metasploit-framework
Required ruby-2.6.2 is not installed.
To install do: 'rvm install "ruby-2.6.2"'

There are no 2.6.2 binary files found under debian/8 with the command "rvm install ruby 2.6.2", so I installed ruby 2.6.2 manually with:

$ ./configure
$ make
$ sudo make install

and now my ruby -v is 2.6.2.

But I still got this "Required ruby-2.6.2" problem,

and I ignored this and kept on with

gem install bundler

which gave me errors:

ERROR:  Loading command: install (LoadError)
        cannot load such file -- zlib
ERROR:  While executing gem ... (NoMethodError)
    undefined method `invoke_with_build_args' for nil:NilClass


Can anybody help me with this?
