bunnylover

Jackalope


I updated my bashbunny to the latest firmware with the bunnyupdater and copy-pasted the Jackalope into switch one. Then I signed out and plugged the BashBunny into my PC with switch1, but after a few seconds, it always starts blinking red. I added my password to the wordlist and I added my username to the userlist. Idk what I'm doing wrong. My Windows language is Swiss German, but my keyboard is en-US, so it should work. I also changed the login screen to en-US but it still doesn't work. Any ideas?


I'm actually having the same issue. I'm currently on version 1.6_305 and have put only the username of the local admin account in the Userlist.txt and only the one password into the Wordlist.txt.

Any help would be greatly appreciated.

 

OS: Win 10 Pro

Log File:

PAYLOAD_DIR: /root/udisk/payloads/switch1
MSF_DIR: /tools/metasploit-framework
LOOTDIR: /root/udisk/loot/Jackalope//********
TARGET_IP: 172.16.64.10
TARGET_HOSTNAME: *******
Executing nmap...
Payload failed, no logins found...

 


Make sure that SMB port 445 is set to open. You should be able to see the nmap logs within the loot folder. If it's set to filtered, you need to enable SMB and open up the port.


To really test whether any of these SMB payloads are going to work, do this first to see if you have outside access from the BashBunny.

Set a payload with ATTACKMODE RNDIS_ETHERNET

Load up the Bash Bunny on the Windows machine you are testing (make sure you have PuTTY if not on Windows 10, since Win10 has ssh..supposedly).

ssh into the bunny from the victim machine.

While on the Bash Bunny, type the following.

nmap -sS -sV -vv --open -p 445 172.16.64.10

Check and see if it says the port is open.  If it doesn't, you can brute that thing all you want, you will be knocking against a wall...firewall to be exact.

 

@Mohamed A. Baset You should add to your python app a socket check before attempting the brute.  Try and open socket 445 tcp.  If it fails, fail payload with port not open in loot file.

 


@PoSHMagiC0de I did it and that thing came out: 

root@bunny:~# nmap -sS -sV -vv --open -p 445 172.16.64.10

Starting Nmap 6.47 ( http://nmap.org ) at 2019-07-10 09:56 PDT
NSE: Loaded 29 scripts for scanning.
Initiating ARP Ping Scan at 09:56
Scanning 172.16.64.10 [1 port]
Completed ARP Ping Scan at 09:56, 0.35s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:56
Completed Parallel DNS resolution of 1 host. at 09:56, 13.00s elapsed
Initiating SYN Stealth Scan at 09:56
Scanning 172.16.64.10 [1 port]
Discovered open port 445/tcp on 172.16.64.10
Completed SYN Stealth Scan at 09:56, 0.32s elapsed (1 total ports)
Initiating Service scan at 09:56
Scanning 1 service on 172.16.64.10
Completed Service scan at 09:56, 6.03s elapsed (1 service on 1 host)
NSE: Script scanning 172.16.64.10.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 09:56
Completed NSE at 09:56, 0.10s elapsed
Nmap scan report for 172.16.64.10
Host is up (0.00030s latency).
Scanned at 2019-07-10 09:56:19 PDT for 21s
PORT    STATE SERVICE       VERSION
445/tcp open  microsoft-ds?
MAC Address: 00:11:22:33:44:55 (Cimsys)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.30 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

At Line 10 it says "discovered open port 445/tcp on 172.16.64.10", so I think the port should be open?


Last test to do then is after nmap, mount your udisk, go to that payload folder and run the smbbrute python app by hand with the parameters to see if you get any errors or anything.


@PoSHMagiC0de

I'm sorry, but I really don't get how to create this Python app. I have PyCharm installed on my PC, so I wanted to copy the mmcbrute.py file from GitHub and convert it to a .exe, but this didn't work because PyCharm tells me that there are some errors in the code. I didn't install impacket with the command "pip2 install impacket"; I did it manually from this site: https://github.com/SecureAuthCorp/impacket/releases. It would be really nice if you could explain to me how to set this thing up, cuz I really suck at Python.

Thanks in advance ^^


If py2exe or pyinstaller is not working then I do not know.  I do not do any Python stuff on Windows so have not done much with compiling them to exe.  I either go unmanaged code, PowerShell or C# when it comes to Windows.

Is this still related to running it on the Bash Bunny, or are you just trying to run impacket on Windows?  On the BB, you do not need to compile it to an exe.


@PoSHMagiC0de Yes, it's still related to running it on the BB.

So I downloaded the Ubuntu shell for Windows, and with the shell I downloaded impacket. Is that even necessary to run it on the BB?

When I first tried the payload out (a week ago), I didn't have the mmcbrute.py on the BB, I only had the passlist, userlist, and payload.txt in the switch1. You don't need the mmcbrute.py to execute the payload, do you?

Now, I just copy-pasted the code from mmcbrute.py into a .txt file and changed the ending to .py, that's how I "downloaded" the mmcbrute.py.

You said I don't need to compile it to a .exe to run it on the BB, so should I just make a new payload that executes mmcbrute.py? How can I execute it without compiling it to an exe?

Edited by bunnylover


I see you are missing what the BB is which is why you are having an issue with understanding my troubleshooting steps.

The BB is a linux machine.  Yes, it is an actual computer, a small one but it is one.  It has RAM, a processor, gets power from USB, has a linux kernel, etc.

So, with that knowledge, if you wanted that linux machine to say run a python script to hit the SMB port of a windows box through the network are you going to compile that thing onto the victim or is the linux machine going to run it?  The answer is the linux machine is going to run it.

 

So, what I am asking is: on the udisk partition, in a corresponding switch folder, is your payload.  Since you already discovered by running nmap from the BB that it can see an open SMB port, the next step is, while still on the BB, mount the udisk, cd to your payload folder and run the smbbrute.py python app the same way the payload.txt would run it.  Do not run the payload.txt.  Just find the smbbrute.py line in that file, see how it is run, and do the same by hand.  This way you can actually see the Python errors if there are any and troubleshoot.  The program was not meant to be run on the victim directly.  You have it all mixed up there.


@PoSHMagiC0de Hey, sorry for my late reply.

I ran the payload in PuTTY as you said, and as expected, there are some errors.

The first error was at the command REQUIRETOOL, it didn't find that command.

The second error was the command CUCUMBER, it also didn't find it.

The third error was GET. I couldn't make GET TARGET_IP or GET SWITCH_POSITION work.

The SMBBRUTE didn't store the passwords, but I think that's because of the errors shown above.

I attached a screenshot with the whole payload run in PuTTY.

Ah and btw, I also tried it after updating the bunny again and it still didn't work.

PuTTY Session.png

Edited by bunnylover


Developer of mmcbrute.py here. Maybe I can help with this a bit.  I am not fluent with BB payloads, but as far as mmcbrute.py is concerned, you can clone down the original repository from GitHub and follow the usage instructions there. The only difference between the original and the BB version is the colors.
 

@PoSHMagiC0de 

Quote

You should add to your python app a socket check before attempting the brute.  Try and open socket 445 tcp.  If it fails, fail payload with port not open in loot file.

Can the BB handle exceptions? If so, the payload could just look for a socket.error exception and assume 445 was closed. Otherwise I could add return values from the script (ex. return value of 2 == connection failure). It would only take a couple of minutes to add, let me know.

@bunnylover

Quote

...
You said I dont need to compile it to a .exe to run it on the BB, so should I just make a new payload that executes mmcbrute.py? How can I execute it, without compiling it to an exe?

It sounds like we don't fully understand exactly what your needs are. Are you simply trying to use the mmcbrute.py utility? Are you trying to use the payload @Mohamed A. Baset developed? What exactly are you trying to do?

If you're looking to quickly bruteforce the local admin account of any computer you plug the BB into- you want Mohamed's payload. If you're just looking to perform a SMB bruteforce, you'll want mmcbrute.py.
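
The pre-flight socket check discussed in this thread, as an added example that is not part of mmcbrute.py or the Jackalope payload. It separates "closed" from "filtered" the way the nmap output above does, and reports the result through an exit status, which a shell payload can test even though it cannot catch a Python exception. The function names, the log line format and the `preflight.log` file name are hypothetical, the exit code 2 is the value floated above, and the code is written for Python 3.

```python
import errno
import socket
import sys

SMB_PORT = 445
EXIT_OK = 0
EXIT_CONN_FAILURE = 2  # value floated in the thread; hypothetical, not an mmcbrute.py code


def probe_tcp(host, port=SMB_PORT, timeout=3.0):
    """Classify a TCP port in nmap's terms using a plain connect()."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"             # handshake completed
    except ConnectionRefusedError:
        return "closed"           # host answered with RST: nothing is listening
    except socket.timeout:
        return "filtered"         # no answer at all: typically a firewall drop
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"  # no route to the host, e.g. link not up
        raise
    finally:
        sock.close()


def preflight(host, log_path, port=SMB_PORT, timeout=3.0):
    """Append the port state to log_path and return a distinct exit code."""
    state = probe_tcp(host, port, timeout)
    with open(log_path, "a") as log:
        log.write("PREFLIGHT %s:%d %s\n" % (host, port, state))
    return EXIT_OK if state == "open" else EXIT_CONN_FAILURE


if __name__ == "__main__":
    # 172.16.64.10 is the TARGET_IP shown in the log earlier in this thread.
    target = sys.argv[1] if len(sys.argv) > 1 else "172.16.64.10"
    sys.exit(preflight(target, "preflight.log"))
```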

 
