[PAYLOAD] Respashes

[kuyaya]

Hey guys

I made a hash-grabber payload for all platforms. You can look it up here.

If there are any questions or advices for improvement, just post them here and I'll reply.

Happy Hunting!

[The_Whopper]

Thank you

[kuyaya]

8 minutes ago, The_Whopper said:

Thank you

You're welcome 🙂

Does it work?

[Flebbi]

Hey

The payload doesn't work for me.

When I run DumpHash.py by hand it gives me that output:

Quote

Dumping NTLMV2 hashes:
Traceback (most recent call last):
  File "DumpHash.py", line 43, in <module>
    v2 = GetResponderCompleteNTLMv2Hash(cursor)
  File "DumpHash.py", line 28, in GetResponderCompleteNTLMv2Hash
    res = cursor.execute("SELECT fullhash FROM Responder WHERE type LIKE '%v2%' AND UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder)")
sqlite3.OperationalError: no such table: Responder

Any ideas on how to fix it?

[kuyaya]

@Flebbi

Okay, let's see. SSH into the /tools/responder directory and do

Quote

ls -lota

 

[Flebbi]

Did it. That thing came out

 

[kuyaya]

14 minutes ago, Flebbi said:

Did it. That thing came out

 

Oh well

Responder.db is empty. I think that's the cause of the problem.

Have you tried re-installing?

[Flebbi]

Yes, I've already tried that. Still doesn't work.

[kuyaya]

Hm, take a look at that. That looks exactly like your problem. The only difference is, on the turtle there is just the Responder.db stored but on the wrong place. Here it is on the right place but it doesn't has any contents. There is no other directory on the bunny that has something to do with Responder except /tools/responder itself. Proven by typing 'find / -type d -name "responder"' or 'find / -type d -name "Responder"' {sometimes the "r" from responder is written in capital letters, sometimes not.}

Now I need help from somebody where it works, because I don't have access to my BB right now. Can someone please post the Responder.db here? I think it would be even better if we would have the whole working responder here. So if your responder works, please post the whole directory here or upload it somewhere on a free-file-upload-site. If you're too busy then just post the Responder.db. That would be really helpful.

[Bob123]

So this sparked my curiosity.  I plugged in my bash bunny, and checked the responder.db file and it has stuff in it from the last time I ran quickcreds.  I put your payload on a switch, ran it, and it grabbed what was in the responder.db file.  It doesn't appear that it grabs the hashes on the actual machine.  If I run quickcreds first, then your payload second, then it'll show everything that is in responder.db.  Which is what I already had, plus new hashes from what quickcreds grabbed.  I bit odd...I'll keep digging.

[kuyaya]

7 hours ago, Bob123 said:

So this sparked my curiosity.  I plugged in my bash bunny, and checked the responder.db file and it has stuff in it from the last time I ran quickcreds.  I put your payload on a switch, ran it, and it grabbed what was in the responder.db file.  It doesn't appear that it grabs the hashes on the actual machine.  If I run quickcreds first, then your payload second, then it'll show everything that is in responder.db.  Which is what I already had, plus new hashes from what quickcreds grabbed.  I bit odd...I'll keep digging.

Ah, that means my payload is completely useless....

I thought the DumpHash.py would just dump the hashes from the PC, because once I ssh'd into the bunny and ran DumpHash.py and it printed out the hashes. It also worked from a locked machine, but that was only because I ran QuickCreds before. I'm dumb af.

The thing is, the quickcreds payload doesn't work for me anymore. It stays in the blinking yellow stage, but it worked like 1 week ago, which is really strange. I did a reset and after the reset it didn't work anymore. Even though I had the same setup. But that means that it is my fault and not the bunny/payload's fault. I'm just doing something wrong and I don't know what.

Should I delete my payload from github?

[Bob123]

Kuyaya,  I wouldn't delete it.  Lets work on it and see what it can do.  I haven't messed with responder much so I'm going to look at the python scripts and see what they actually do. 

As far as your bunny goes, what does a reset do?  Does it do anything to Linux?  Did you reinstall responder?  I've never done it before which is why I ask.  Course most important question is what is your target pc and did that change at all?  Before getting too deep into this I read that quickcreds doesn't work anymore because there is a MS patch for it.  I personally use a fresh Win10 1903 as my target and it seems to work fine although I'm going to research that more too.

[kuyaya]

Factory reset is explained here(wifi pineapple) or here(BashBunny). I did reinstall responder of course, I mean, the payload doesn't give me an error, it just never finishes.

The target PC didn't change, and I mean, if it would, that shouldn't make a difference because the payload should work on all PC's shouldnt it? On my laptop I have also Win10 1903, I don't know what version of win10 on my pc is. Anyways, it doesn't work on both. I'll try to experiment a bit and look what I can fix.

[Irukandji]

2 hours ago, kuyaya said:

I don't know what version of win10 on my pc is.

Win + r. winver. enter.

[kuyaya]

Quote

Win + r. winver. enter.

Yes, I know xd. But I'm not home yet. I meant that I don't know the Winver of my PC by heart. I can look it up this evening.

Update: Winver of my PC is 1809.

[Bob123]

Ever get quickcreds to work again?  I finally had time to sit down and run dumphash.py and it dumped what i had in the responder.db file.  I did run it against a new pc (quickcreds that is) so the db was updated then running dumphash showed everything including the updated hash.  So I guess if you just want a simple script/payload that dumps what's in your db file, yours works great for that.  So I'll hold onto it.

[kuyaya]

12 hours ago, Bob123 said:

Ever get quickcreds to work again?  I finally had time to sit down and run dumphash.py and it dumped what i had in the responder.db file.  I did run it against a new pc (quickcreds that is) so the db was updated then running dumphash showed everything including the updated hash.  So I guess if you just want a simple script/payload that dumps what's in your db file, yours works great for that.  So I'll hold onto it.

Yes, my script just dumps what is in the db file, but that was not what I wanted. So you got quickcreds to work? I gave it up, since i don't know what I'm doing wrong. I'm working on a payload using impacket. I'm working on it.

[kuyaya]

On 2/28/2020 at 2:38 AM, Bob123 said:

Ever get quickcreds to work again?  I finally had time to sit down and run dumphash.py and it dumped what i had in the responder.db file.  I did run it against a new pc (quickcreds that is) so the db was updated then running dumphash showed everything including the updated hash.  So I guess if you just want a simple script/payload that dumps what's in your db file, yours works great for that.  So I'll hold onto it.

@Bob123I have a question to the QuickCreds payload: are you getting the hashes from locked machines? Or do you have to open a browser or something? Because the idea of the payload is that you get the hashes from locked machines (I think so). On unlocked machines you could just run LaZagne and you get the hashes + many other plaintext passwords.

Could you please empty the responder.db file and run the QuickCreds payload at a locked machine? I wonder if it still works.

[Bob123]

I've always locked the pc before running quickcreds.  But I can try what your asking.

[kuyaya]

3 hours ago, Bob123 said:

I've always locked the pc before running quickcreds.  But I can try what your asking.

I would be glad if you would do this for me ^^

[Bob123]

Ok I deleted the db file, locked the computer and tried it again.  It got the hash without issue.  Took a bit longer, probably because it had to recreate the db file.  And then I also tried it with the computer unlocked and it worked too.  Again this is with a vanilla win10 box 1903.  Just a username and simple password.  What does yours do?

On a side note, I've never tried LaZagne.  I'll try that one next.

[kuyaya]

6 hours ago, Bob123 said:

Ok I deleted the db file, locked the computer and tried it again.  It got the hash without issue.  Took a bit longer, probably because it had to recreate the db file.  And then I also tried it with the computer unlocked and it worked too.  Again this is with a vanilla win10 box 1903.  Just a username and simple password.  What does yours do?

On a side note, I've never tried LaZagne.  I'll try that one next.

What my QuickCreds payload does? Nothing. I waited +40 minutes and it stayed in LED ATTACK forever. It looked like it wouldn't find the hash I guess. I'm thinking about making a video of showing my setup and everything and then run it. Maybe that would help troubleshooting, because you could see what I'm doing wrong.

To your side note: lazagne also dumps the login hashes, besides other plaintext passwords. That's why it wouldn't make sense if you had to unlock the computer to successfully run QuickCreds. But as you wrote, QuickCreds works from a locked computer, so everything is fine.

[garret]

What could we do to get raspashes work?

[garret]

What could we do to get raspashes work?

[kuyaya]

5 hours ago, garret said:

What could we do to get raspashes work?

The question is more, what tool should we use to get it to work. I mean, it's not "not working", in fact it does work, it just dumps the logs from responder to a lootfile. It doesn't grab the hashes. I'm searching for some tools that could grab hashes from locked computers.