kuyaya, posted July 26, 2019:

I updated my Bash Bunny to the latest firmware with the bunnyupdater and copy-pasted the Jackalope payload into switch one. Then I signed out and plugged the Bash Bunny into my PC with switch1, but after a few seconds it always starts blinking red. I added my password to the wordlist and I added my username to the userlist. Idk what I'm doing wrong. My Windows language is Swiss German, but my keyboard is en-US, so it should work. I also changed the login screen to en-US, but it still doesn't work. Any ideas?
TheDavisKing, posted August 12, 2019:

I'm actually having the same issue. I'm currently on version 1.6_305 and have put only the username of the local admin account in the Userlist.txt and only the one password into the Wordlist.txt. Any help would be greatly appreciated.

OS: Win 10 Pro

Log file:

PAYLOAD_DIR: /root/udisk/payloads/switch1
MSF_DIR: /tools/metasploit-framework
LOOTDIR: /root/udisk/loot/Jackalope//********
TARGET_IP: 172.16.64.10
TARGET_HOSTNAME: *******
Executing nmap...
Payload failed, no logins found...
ZetaScrub, posted August 15, 2019:

Make sure that SMB port 445 is set to open. You should be able to see the nmap logs within the loot folder; if it's set to filtered, you need to enable SMB and open up the port.
Mohamed A. Baset, posted August 25, 2019:

+ If you want more speed, try this payload: https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/credentials/SMBruteBunny
kuyaya (author), posted August 26, 2019:

@ZetaScrub I checked if SMB port 445 is open (with cmd by typing netstat -na) and it is open (listening). It still doesn't work.

@Mohamed A. Baset I'm having the same issue with the SMBruteBunny payload.
Mohamed A. Baset, posted August 26, 2019:

What about the firewall? Because sometimes the port is locally opened but filtered by the firewall so it can't be accessed from outside the local machine!
PoSHMagiC0de, posted August 26, 2019:

To really test if any of these SMB payloads are going to work, do this first to see if you have outside access from the Bash Bunny.

Set a payload with ATTACKMODE RNDIS_ETHERNET.
Load up the Bash Bunny on the Windows machine you are testing (make sure you have PuTTY if not Windows 10, since Win10 has ssh... supposedly).
ssh into the bunny from the victim machine.
While on the Bash Bunny, type the following:

nmap -sS -sV -vv --open -p 445 172.16.64.10

Check and see if it says the port is open. If it doesn't, you can brute that thing all you want, you will be knocking against a wall... firewall, to be exact.

@Mohamed A. Baset You should add to your python app a socket check before attempting the brute. Try and open socket 445 tcp. If it fails, fail the payload with "port not open" in the loot file.
Mohamed A. Baset, posted August 28, 2019:

@PoSHMagiC0de In fact it's not my python script, but a good idea, and it can be implemented!
kuyaya (author), posted August 29, 2019:

@PoSHMagiC0de I did it and this came out:

root@bunny:~# nmap -sS -sV -vv --open -p 445 172.16.64.10
Starting Nmap 6.47 ( http://nmap.org ) at 2019-07-10 09:56 PDT
NSE: Loaded 29 scripts for scanning.
Initiating ARP Ping Scan at 09:56
Scanning 172.16.64.10 [1 port]
Completed ARP Ping Scan at 09:56, 0.35s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:56
Completed Parallel DNS resolution of 1 host. at 09:56, 13.00s elapsed
Initiating SYN Stealth Scan at 09:56
Scanning 172.16.64.10 [1 port]
Discovered open port 445/tcp on 172.16.64.10
Completed SYN Stealth Scan at 09:56, 0.32s elapsed (1 total ports)
Initiating Service scan at 09:56
Scanning 1 service on 172.16.64.10
Completed Service scan at 09:56, 6.03s elapsed (1 service on 1 host)
NSE: Script scanning 172.16.64.10.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 09:56
Completed NSE at 09:56, 0.10s elapsed
Nmap scan report for 172.16.64.10
Host is up (0.00030s latency).
Scanned at 2019-07-10 09:56:19 PDT for 21s
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds?
MAC Address: 00:11:22:33:44:55 (Cimsys)
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.30 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

At line 10 it says "Discovered open port 445/tcp on 172.16.64.10", so I think the port should be open?
PoSHMagiC0de, posted August 29, 2019:

Last test to do then is, after nmap, mount your udisk, go to that payload folder and run the smbbrute python app by hand with the parameters to see if you get any errors or anything.
kuyaya (author), posted August 30, 2019:

@PoSHMagiC0de I'm sorry, but I really don't get how to create this python app. I have PyCharm installed on my PC, so I wanted to copy the mmcbrute.py file from GitHub and convert it to a .exe, but this didn't work because PyCharm tells me that there are some fails in the code. I didn't install impacket by the command "pip2 install impacket", I did it manually from this site: https://github.com/SecureAuthCorp/impacket/releases. It would be really nice if you could explain to me how to set up this thing, cuz I really suck at Python. Thanks in advance ^^
PoSHMagiC0de, posted September 1, 2019:

If py2exe or pyinstaller is not working then I do not know. I do not do any python stuff on Windows, so I have not done much with compiling them to exe. I either go unmanaged code, PowerShell or C# when it comes to Windows. Is this still related to running it on the Bash Bunny, or are you just trying to run impacket on Windows? On the BB, you do not need to compile it to an exe.
kuyaya (author), posted September 1, 2019:

@PoSHMagiC0de Yes, it's still related to running it on the BB. So I downloaded the Ubuntu shell for Windows, and with the shell I downloaded impacket. Is that even necessary to run it on the BB? When I first tried the payload out (a week ago) I didn't have mmcbrute.py on the BB, I only had the passlist, userlist and payload.txt in switch1. You don't need mmcbrute.py to execute the payload, right? Now, I just copy-pasted the code from mmcbrute.py into a .txt file and changed the ending to .py; that's how I "downloaded" mmcbrute.py. You said I don't need to compile it to a .exe to run it on the BB, so should I just make a new payload that executes mmcbrute.py? How can I execute it without compiling it to an exe?
PoSHMagiC0de, posted September 3, 2019:

I see you are missing what the BB is, which is why you are having an issue understanding my troubleshooting steps. The BB is a Linux machine. Yes, it is an actual computer, a small one, but it is one. It has RAM, a processor, gets power from USB, has a Linux kernel, etc. So, with that knowledge, if you wanted that Linux machine to, say, run a python script to hit the SMB port of a Windows box through the network, are you going to compile that thing onto the victim, or is the Linux machine going to run it? The answer is the Linux machine is going to run it.

So, what I am asking is: on the udisk partition, in a corresponding switch folder, is your payload. Since you already discovered by running nmap from the BB that it can see an open SMB port, the next step is, while still on the BB, mount the udisk, cd to your payload folder and run the smbbrute.py python app the same way the payload.txt would run it. Do not run the payload.txt. Just find the smbbrute.py line in that file, see how it is run, and do the same by hand. This way you can actually see the python errors, if there are any, and troubleshoot. The program was not meant to be run on the victim directly. You have it all mixed up there.
PoSHMagiC0de, posted September 3, 2019:

Sorry, the app was mmcbrute.py.
kuyaya (author), posted September 8, 2019:

@PoSHMagiC0de Hey, sorry for my late reply. I ran the payload in PuTTY as you said, and as expected, there are some errors.

The first error was at the command REQUIRETOOL; it didn't find that command.
The second error was the command CUCUMBER; it also didn't find it.
The third error was GET. I couldn't do GET TARGET_IP or GET SWITCH_POSITION.

The SMBBRUTE didn't store the passwords, but I think that's because of the errors shown above. I attached a screenshot with the whole payload run in PuTTY.

Ah, and btw, I also tried it after updating the bunny again and it still didn't work.
Gilks, posted September 12, 2019:

Developer of mmcbrute.py here. Maybe I can help with this a bit. I am not fluent with BB payloads, but as far as mmcbrute.py is concerned, you can clone down the original repository from GitHub and follow the usage instructions there. The only difference between the original and the BB version is the colors.

@PoSHMagiC0de

> You should add to your python app a socket check before attempting the brute. Try and open socket 445 tcp. If it fails, fail payload with port not open in loot file.

Can the BB handle exceptions? If so, the payload could just look for a socket.error exception and assume 445 was closed. Otherwise I could add return values from the script (ex. return value of 2 == connection failure). It would only take a couple of minutes to add, let me know.

@bunnylover

> ... You said I dont need to compile it to a .exe to run it on the BB, so should I just make a new payload that executes mmcbrute.py? How can I execute it, without compiling it to an exe?

It sounds like we don't fully understand exactly what your needs are. Are you simply trying to use the mmcbrute.py utility? Are you trying to use the payload @Mohamed A. Baset developed? What exactly are you trying to do? If you're looking to quickly bruteforce the local admin account of any computer you plug the BB into, you want Mohamed's payload. If you're just looking to perform an SMB bruteforce, you'll want mmcbrute.py.
kuyaya (author), posted November 3, 2019:

@PoSHMagiC0de @Gilks Okay, I'm here to clarify things again.

SMBruteBunny payload: I didn't know that the BB was a Linux machine, and I didn't know how to use mmcbrute.py. I thought you don't need mmcbrute.py for the payload and you only have to execute it if you want to do it manually. But you need it; I realised that by looking at the ppf.txt after I got a LED FAIL (mmcbrute.py is missing).

Jackalope payload: I thought that metasploit is automatically on the BB on 1.6, but you need to download it (tools by sebkinne in the forum). That's why it didn't work, I didn't have metasploit, I think.

So after I reformatted my whole BB (https://forums.hak5.org/topic/50128-is-my-bashbunny-broken/) I installed everything and tried the payloads again. I got a fail on both.

SMBruteBunny:

Target: 172.16.64.10
Username count: 2
Password count: 101
Estimated attempts: 202
User-as-Pass Mode: False
Honey Badger Mode: False
Verbose: False
Time: 09:43 AM on July 10, 2019
Ended at: 09:43 AM on July 10, 2019

After the attack, it always adds my hostname to the passlist and the userlist. Should I even add the hostname to the userlist? I'm wondering why it also adds the hostname to the passlist. Idk why it doesn't work, I added my password to the passlist.

Jackalope:

[-] ***
[-] * WARNING: No database support: No database YAML file
[-] ***
RHOSTS => 172.16.64.10
USER_FILE => /root/udisk/payloads/switch1/userlist.txt
PASS_FILE => /root/udisk/payloads/switch1/wordlist.txt
[*] 172.16.64.10:445 - 172.16.64.10:445 - Starting SMB login bruteforce
[-] 172.16.64.10:445 - 172.16.64.10:445 - Failed: '.\DESKTOP-MV3FSAI:123456',
[!] 172.16.64.10:445 - No active DB -- Credential data will not be saved!
[-] 172.16.64.10:445 - 172.16.64.10:445 - Failed: '.\DESKTOP-MV3FSAI:307789',
[*] 172.16.64.10:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

It says that 307789 has failed, even though that's my password. I tried it with my hostname (DESKTOP-MV3FSAI) and my username (Alois Marti), but both didn't work. Is it maybe because of this "[!] 172.16.64.10:445 - No active DB -- Credential data will not be saved!" line?
PoSHMagiC0de, posted November 11, 2019:

If you are testing on Windows 10, the impacket that is currently in tools doesn't do the new SMB versions, so it fails all the time. The newest version of impacket needs to be installed, which some of us have been having issues doing. You might be running into that issue. I am going to test out one other tool, though, when I get time, that will do SMB and the correct version. It is written in python and called crackmapexec. https://github.com/byt3bl33d3r/CrackMapExec
kuyaya (author), posted November 13, 2019:

But the Jackalope payload doesn't need impacket, or am I wrong? Only the mmcbrutebunny payload needs it. I think I made something wrong with the setup on both payloads....
PoSHMagiC0de, posted November 13, 2019:

Do not know. It might be a pure Ruby implementation. I have not used it. Meta is too heavy to be running on the BB, in my opinion. It takes a while to spin up and do its thing, so I never pursued it. I just saw the talk went toward the impacket way and joined in. I have been looking, when I have time and remember, at doing the same without Metasploit on the BB. Impacket was the way until the new SMB implementations, like no more SMB1 and adding SMB3.
Cookie, posted March 27, 2020:

Hey there, I got the problem that port 445 on Windows is set to listening, but when I run nmap -sS -sV -vv -p 445 172.16.64.10 on my BB it's filtered and therefore the payload doesn't work.
kuyaya (author), posted March 27, 2020:

> 3 hours ago, Cookie said: Hey there i got the problem that the Port 445 on windows i set to listening but when i run nmap -sS -sV -vv -p 445 172.16.64.10 on my BB its filtered and therfore the Payload doesnt work.

Can you please put the output of the nmap scan here? If you're sure that it is blocked, then make a new firewall rule to open 445.
Cookie, posted March 31, 2020:

I will do so next Monday. I don't get the chance earlier.
Cookie, posted April 6, 2020:

Hey there, so in Windows it looks like this:

TCP    [::]:445    Desktop-*******:0    Listening

On the bunny like this:

root@bunny:~# nmap -sS -sV -vv -p 455 172.16.64.10
Starting Nmap 6.47 ( http://nmap.org ) at 2020-03-27 02:36 PDT
NSE: Loaded 29 scripts for scanning.
Initiating ARP Ping Scan at 02:36
Scanning 172.16.64.10 [1 port]
Completed ARP Ping Scan at 02:36, 0.31s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:36
Completed Parallel DNS resolution of 1 host. at 02:36, 13.00s elapsed
Initiating SYN Stealth Scan at 02:36
Scanning 172.16.64.10 [1 port]
Completed SYN Stealth Scan at 02:36, 0.34s elapsed (1 total ports)
Initiating Service scan at 02:36
NSE: Script scanning 172.16.64.10.
NSE: Starting runlevel 1 (of 1) scan.
Nmap scan report for 172.16.64.10
Host is up (0.00078s latency).
Scanned at 2020-03-27 02:36:34 PDT for 14s
PORT    STATE    SERVICE VERSION
455/tcp filtered unknown
MAC Address: 00:11:22:33:44:55 (Cimsys)
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.13 seconds
           Raw packets sent: 3 (116B) | Rcvd: 1 (28B)
root@bunny:~#

So on the bunny it's stated that it's filtered.
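The pre-flight check PoSHMagiC0de asked for earlier in the thread (try a TCP connect to 445 before brute-forcing and record the verdict in the loot folder), with the exit code 2 for connection failure that Gilks proposed, as an added Python example that is not code from the thread, from mmcbrute.py or from either payload. It also refuses any port other than 445, because the scan just above probed 455, whose "filtered" result says nothing about SMB. The loot file name, the function names and the loopback demo are assumptions.

```python
import socket
import sys
from datetime import datetime

SMB_PORT = 445  # the only port this pre-flight is meant for


def check_tcp_port(host, port, timeout=3.0):
    """Plain TCP connect, no SMB traffic sent. Returns (reachable, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, f"tcp/{port} on {host} is open"
    except socket.timeout:
        # No SYN/ACK within the timeout: the state nmap reports as 'filtered'.
        return False, f"tcp/{port} on {host} timed out (filtered, likely a firewall)"
    except ConnectionRefusedError:
        # RST came back: the host answered, but nothing listens on that port.
        return False, f"tcp/{port} on {host} refused (nothing listening)"
    except OSError as exc:
        return False, f"tcp/{port} on {host} failed: {exc}"


def smb_preflight(host, port=SMB_PORT, timeout=3.0):
    """Reject any port but 445 so a typo such as 455 fails loudly
    instead of looking like a firewall problem."""
    if port != SMB_PORT:
        return False, f"port {port} is not the SMB port ({SMB_PORT}); check the payload"
    return check_tcp_port(host, port, timeout)


def exit_code(reachable):
    """0 = go ahead with the payload, 2 = connection failure (the value Gilks proposed)."""
    return 0 if reachable else 2


def write_loot(lootdir, reason):
    """Record the verdict in the loot folder (file name is an assumption)."""
    with open(f"{lootdir}/preflight.log", "a") as fh:
        fh.write(f"{datetime.now():%Y-%m-%d %H:%M:%S} {reason}\n")


def demo_on_loopback():
    """Constructed offline demo: an ephemeral loopback listener is reachable,
    and the same port is refused once the listener is closed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    open_result = check_tcp_port("127.0.0.1", port, timeout=2.0)
    srv.close()
    closed_result = check_tcp_port("127.0.0.1", port, timeout=2.0)
    return open_result, closed_result


if __name__ == "__main__":  # usage: python3 smb_preflight.py 172.16.64.10 /root/udisk/loot
    ok, why = smb_preflight(sys.argv[1])
    write_loot(sys.argv[2], why)
    sys.exit(exit_code(ok))
```

A payload could run this before the brute-force step and stop with LED FAIL when the exit code is 2, instead of reporting "no logins found" against a port that was never reachable.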
This topic is now archived and is closed to further replies.