Jump to content

Bash Bunny - Student Project Help


Recommended Posts

Hello All,

I'm a student in a Bachelor's program. I've been given an assignment and I have not had time to mess with things as much as I'd have liked. I need to do something interesting. I was wondering if it would be possible to chain scripts together. By that I mean, only put payloads in say Switch 1 mode. Then when say the SMBruteBunny payload completed it would trigger LaZagne and when both completed show an output on screen like an ASCII image or something.

I get that I could run just two payloads with the Switches but I'd like to display an image or ASCII message at the end like a "You've been hacked" thing for fun and it would be more interesting than just doing the bare minimum. I mean I'll use the switches if I have to but I've been trying to figure this out on my own or on reddit and completely forgot to post it here XD

About the test bed it'll be a computer or VM with Windows 10. I'll be setting it up with username which will be added to the payload's userlist with a password from RockYou. I'll then make a few dummy profiles in Firefox with passwords for LaZagne to grab.

Link to post
Share on other sites

In order to give advise, I need to know a bit more about your situation. Have you tried any of the ideas that you describe in the post? If so, what parts do you have problems with? Reading between the lines, I can't seem to get the feeling that you have tried anything yet and it's just an idea at the moment. I can't see why it wouldn't be possible to combine payloads into one as you aren't cemented to use only one predefined payload that you grab from GitHub per switch. You could create a "monstrously" big combined script and execute it using just one switch. If you are studying in a program that will get you a bachelor's degree, I'm pretty sure you are knowledgeable enough to get it all working. My advise as of now is simply to place the SMBruteBunny payload into one of the switch positions, adjust is as needed and get it working fully against the intended target. Then add the LaZagne part to the same payload. Finishing it all by displaying a "hacked" message to the user shouldn't be that much of a challenge as I can see it.

Link to post
Share on other sites

Scripting is not my area of expertise, I'm working on it but I have so many projects and things going on I need a little help getting off the ground on this one. I have them (SMBruteBunny and LaZagne) working individually, though it's been a hot minute since I did LaZagne, SMBruteBunny is a recent switch in so I might do that again while waiting on a reply.

I just want to tie them together and am having trouble breaking them down into the pieces needed. For instance I don't necessarily want all of the passwords on the host, maybe just the browser stuff (like you'd get if you ran LaZagne's browser module). I also do not quite know where to start on the message, is there a way to just have it Echo the message on the screen (maybe using HID to have it 'type' the message in)? These are the things I'm trying to figure out.

Link to post
Share on other sites

I have two weeks to finish this so a couple days is nothing. What I'd be more interested in is your methodology, which would help me replicate things and explain when I have to write it up in my paper. I'm almost done with my other projects and this is supposed to be a more fun assignment. I'm going to start writing up what I've already tried and such for the paper tomorrow after I finish this last assignment I think. What I've tested, what I didn't use and why that kind of stuff.

I'm currently going back and making sure everything works as is (with both SMBruteBunny and Garfield -- I mispoke earlier it's not LaZagne it's Garfield which uses LaZagne -- and I might cut the wordlist down (it helps knowing the right password obviously)

Link to post
Share on other sites

Ok. For some reason I can't get SMBruteBunny to run, though I had it running not long ago. Though at least SMBruteBunny is actually giving me a ppf file in the payloads/switch1/ folder now.

Target:			172.16.64.10
Username count:		9
Password count:		102
Estimated attempts:	918
User-as-Pass Mode:	False
Honey Badger Mode:	False
Verbose:		False
Time:			12:02 AM on November 24, 2020


Ended at:		12:03 AM on November 24, 2020

Traceback (most recent call last):
  File "/root/udisk/payloads/switch1/mmcbrute/mmcbrute.py", line 185, in <module>
    brute.run()
  File "/root/udisk/payloads/switch1/mmcbrute/mmcbrute.py", line 76, in run
    smb_connection = SMBConnection(self.target, self.target)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 74, in __init__
    self.negotiateSession(preferredDialect)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 111, in negotiateSession
    self._timeout, True, flags1=flags1, flags2=flags2, data=negoData)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 159, in _negotiateSession
    timeout)
  File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 833, in __init__
    timeout=timeout, local_type=local_type, sock=sock)
  File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 705, in __init__
    self._sock = self._setup_connection((remote_host, sess_port), timeout)
  File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 844, in _setup_connection
    raise socket.error("Connection error (%s:%s)" % (peer[0], peer[1]), e)
socket.error: [Errno Connection error (172.16.64.10:445)] timed out

Garfield seems to run fine and generates the files in the loot folder but it's empty other than the


Have a nice day ;)

It's not list the dummy passwords I put into Firefox

Link to post
Share on other sites

Yes you can.  You need a way to server the scripts and conditions setup either in the cradle that handles running the script on the local machine or code at the end of each script to run the next.

 

I hate tooting my own horn but that is exactly what the outdated BBTPS does.  You can use it or use it as an example of something like that would work.  Of course it is just an automated way how other post exploit frameworks work like Empire, Metasploit or Convenant.  You create a server with node, python, etc that runs on BB, you quake a command to call server to get first script which should be the agent that will negotiate the whole procedure.  That is it in a nutshell without writing a whole dissertation on it.

Link to post
Share on other sites

Thanks for that @PoSHMagiCOde I'll look into it. I'm somewhat familiar with Empire just kind of outside the scope of this.

 

I'm still not getting any passwords grabbed by Garfield and SMBruteBunny still has that PPF so no idea. Anyone had a chance to look at any of this either the errors or combining anything?

Meant to post this yesterday but just got internet back so Happy Thanksgiving everyone!

Link to post
Share on other sites
5 hours ago, bjlents said:

Thanks for that @PoSHMagiCOde I'll look into it. I'm somewhat familiar with Empire just kind of outside the scope of this.

 

I'm still not getting any passwords grabbed by Garfield and SMBruteBunny still has that PPF so no idea. Anyone had a chance to look at any of this either the errors or combining anything?

Meant to post this yesterday but just got internet back so Happy Thanksgiving everyone!

Yeah sorry, I haven't looked at it yet.

I'll probably do it tommorrow. It's already late here...

Link to post
Share on other sites
19 hours ago, kuyaya said:

Yeah sorry, I haven't looked at it yet.

I'll probably do it tommorrow. It's already late here...

All good. I'm on your schedule. I appreciate you looking at it.

Finally got SMBruteBunny working again. I facepalmed so hard when I realized I hadn't disabled Defender's Firewall when I did my hardware install. Doubt that is the issue preventing Garfield from getting say Firefox's passwords since it runs and shows the text



Have a nice day ;)

Yeah did not help any. I'm thinking it's probably looking in the wrong places maybe?

Edited by bjlents
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...