bjlents Posted November 20, 2020
Hello All, I'm a student in a Bachelor's program. I've been given an assignment and I have not had time to mess with things as much as I'd have liked. I need to do something interesting. I was wondering if it would be possible to chain scripts together. By that I mean, only put payloads in say Switch 1 mode. Then when say the SMBruteBunny payload completed it would trigger LaZagne and when both completed show an output on screen like an ASCII image or something. I get that I could run just two payloads with the Switches but I'd like to display an image or ASCII message at the end like a "You've been hacked" thing for fun and it would be more interesting than just doing the bare minimum. I mean I'll use the switches if I have to but I've been trying to figure this out on my own or on reddit and completely forgot to post it here XD
About the test bed: it'll be a computer or VM with Windows 10. I'll be setting it up with a username which will be added to the payload's userlist with a password from RockYou. I'll then make a few dummy profiles in Firefox with passwords for LaZagne to grab.
chrizree Posted November 20, 2020
In order to give advice, I need to know a bit more about your situation. Have you tried any of the ideas that you describe in the post? If so, what parts do you have problems with? Reading between the lines, I can't seem to get the feeling that you have tried anything yet and it's just an idea at the moment. I can't see why it wouldn't be possible to combine payloads into one as you aren't cemented to use only one predefined payload that you grab from GitHub per switch. You could create a "monstrously" big combined script and execute it using just one switch. If you are studying in a program that will get you a bachelor's degree, I'm pretty sure you are knowledgeable enough to get it all working. My advice as of now is simply to place the SMBruteBunny payload into one of the switch positions, adjust it as needed and get it working fully against the intended target. Then add the LaZagne part to the same payload. Finishing it all by displaying a "hacked" message to the user shouldn't be that much of a challenge as I can see it.
bjlents Posted November 22, 2020
Scripting is not my area of expertise. I'm working on it, but I have so many projects and things going on I need a little help getting off the ground on this one. I have them (SMBruteBunny and LaZagne) working individually, though it's been a hot minute since I did LaZagne; SMBruteBunny is a recent switch in so I might do that again while waiting on a reply. I just want to tie them together and am having trouble breaking them down into the pieces needed. For instance I don't necessarily want all of the passwords on the host, maybe just the browser stuff (like you'd get if you ran LaZagne's browser module). I also do not quite know where to start on the message: is there a way to just have it Echo the message on the screen (maybe using HID to have it 'type' the message in)? These are the things I'm trying to figure out.
kuyaya Posted November 22, 2020
If you can give me a few days I'll combine them for you.
bjlents Posted November 22, 2020
I have two weeks to finish this so a couple days is nothing. What I'd be more interested in is your methodology, which would help me replicate things and explain when I have to write it up in my paper. I'm almost done with my other projects and this is supposed to be a more fun assignment. I'm going to start writing up what I've already tried and such for the paper tomorrow after I finish this last assignment I think. What I've tested, what I didn't use and why, that kind of stuff. I'm currently going back and making sure everything works as is (with both SMBruteBunny and Garfield -- I misspoke earlier, it's not LaZagne, it's Garfield which uses LaZagne -- and I might cut the wordlist down (it helps knowing the right password obviously).
bjlents Posted November 24, 2020
Ok. For some reason I can't get SMBruteBunny to run, though I had it running not long ago. Though at least SMBruteBunny is actually giving me a ppf file in the payloads/switch1/ folder now.

Target: 172.16.64.10
Username count: 9
Password count: 102
Estimated attempts: 918
User-as-Pass Mode: False
Honey Badger Mode: False
Verbose: False
Time: 12:02 AM on November 24, 2020
Ended at: 12:03 AM on November 24, 2020
Traceback (most recent call last):
  File "/root/udisk/payloads/switch1/mmcbrute/mmcbrute.py", line 185, in <module>
    brute.run()
  File "/root/udisk/payloads/switch1/mmcbrute/mmcbrute.py", line 76, in run
    smb_connection = SMBConnection(self.target, self.target)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 74, in __init__
    self.negotiateSession(preferredDialect)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 111, in negotiateSession
    self._timeout, True, flags1=flags1, flags2=flags2, data=negoData)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 159, in _negotiateSession
    timeout)
  File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 833, in __init__
    timeout=timeout, local_type=local_type, sock=sock)
  File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 705, in __init__
    self._sock = self._setup_connection((remote_host, sess_port), timeout)
  File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 844, in _setup_connection
    raise socket.error("Connection error (%s:%s)" % (peer[0], peer[1]), e)
socket.error: [Errno Connection error (172.16.64.10:445)] timed out

Garfield seems to run fine and generates the files in the loot folder but it's empty other than the "Have a nice day ;)". It's not listing the dummy passwords I put into Firefox.
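The run above tries 918 logons against one host inside a minute, which is the footprint a defender watches for in the Windows Security log. Added example, not from this thread or from any of the tools named in it: a Python sliding-window detector over constructed 4625 (failed logon) records; the source address 172.16.64.50 and the event layout are assumptions for illustration.

```python
# Added example (not from the thread): flag SMB brute-force / spray bursts in
# Windows Security log records. Input is a constructed list of dicts shaped
# like 4625 (failed logon) events; it is not real log data.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 9 usernames tried repeatedly from one source within a
# minute, mirroring the "Username count: 9 / 918 attempts" run in the thread.
SAMPLE_EVENTS = []
_t0 = datetime(2020, 11, 24, 0, 2, 0)
for i in range(120):
    SAMPLE_EVENTS.append({
        "EventID": 4625,
        "LogonType": 3,                   # network logon, which SMB uses
        "TargetUserName": "user%d" % (i % 9),
        "IpAddress": "172.16.64.50",      # constructed source address
        "Time": _t0 + timedelta(seconds=i // 2),
    })
# A few benign typos from another host that must not trigger the detector.
for i in range(3):
    SAMPLE_EVENTS.append({
        "EventID": 4625, "LogonType": 3, "TargetUserName": "alice",
        "IpAddress": "172.16.64.20", "Time": _t0 + timedelta(minutes=5 * i),
    })


def find_bruteforce_sources(events, threshold=20,
                            window=timedelta(minutes=1), min_users=3):
    """Return {ip: (total_failed, distinct_users_in_burst)} for sources with
    at least `threshold` failed network logons inside one sliding `window`
    that touch at least `min_users` accounts (sprays hit many users)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e["LogonType"] == 3:
            by_ip[e["IpAddress"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["Time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["Time"] - evs[start]["Time"] > window:
                start += 1                # slide the window forward
            burst = evs[start:end + 1]
            users = {e["TargetUserName"] for e in burst}
            if len(burst) >= threshold and len(users) >= min_users:
                hits[ip] = (len(evs), len(users))
                break
    return hits
```

Running `find_bruteforce_sources(SAMPLE_EVENTS)` reports only 172.16.64.50; the three spaced-out failures from 172.16.64.20 stay below the threshold.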
PoSHMagiC0de Posted November 25, 2020
Yes you can. You need a way to serve the scripts and conditions setup either in the cradle that handles running the script on the local machine or code at the end of each script to run the next. I hate tooting my own horn but that is exactly what the outdated BBTPS does. You can use it or use it as an example of how something like that would work. Of course it is just an automated way how other post exploit frameworks work like Empire, Metasploit or Covenant. You create a server with node, python, etc that runs on BB, you quake a command to call server to get first script which should be the agent that will negotiate the whole procedure. That is it in a nutshell without writing a whole dissertation on it.
bjlents Posted November 27, 2020
Thanks for that @PoSHMagiCOde, I'll look into it. I'm somewhat familiar with Empire, just kind of outside the scope of this. I'm still not getting any passwords grabbed by Garfield and SMBruteBunny still has that PPF so no idea. Anyone had a chance to look at any of this, either the errors or combining anything? Meant to post this yesterday but just got internet back, so Happy Thanksgiving everyone!
kuyaya Posted November 27, 2020
5 hours ago, bjlents said: Thanks for that @PoSHMagiCOde, I'll look into it. I'm somewhat familiar with Empire, just kind of outside the scope of this. I'm still not getting any passwords grabbed by Garfield and SMBruteBunny still has that PPF so no idea. Anyone had a chance to look at any of this, either the errors or combining anything? Meant to post this yesterday but just got internet back, so Happy Thanksgiving everyone!
Yeah sorry, I haven't looked at it yet. I'll probably do it tomorrow. It's already late here...
bjlents Posted November 28, 2020
19 hours ago, kuyaya said: Yeah sorry, I haven't looked at it yet. I'll probably do it tomorrow. It's already late here...
All good. I'm on your schedule. I appreciate you looking at it. Finally got SMBruteBunny working again. I facepalmed so hard when I realized I hadn't disabled Defender's Firewall when I did my hardware install. Doubt that is the issue preventing Garfield from getting say Firefox's passwords since it runs and shows the text "Have a nice day ;)". Yeah, did not help any. I'm thinking it's probably looking in the wrong places maybe?
kuyaya Posted November 30, 2020
@bjlents Hey man, I think I'm almost finished. One last thing: have you made any changes to the payload.txt from SMBbrutebunny? If so, could you please send me the whole file? I don't think you've made changes to mmcbrute.py, so sending this one wouldn't be necessary.
bjlents Posted November 30, 2020
No, I've not edited anything. I've been trying to dissect the payloads (SMBruteBunny and Garfield) to figure out how I'd combine them but haven't gotten far. The other road block I had was banging my head on the wall after starting the thread because I forgot to disable Defender Firewall, which prevented SMBruteBunny from bruteforcing the password. I still haven't figured out what is causing Garfield to not see the passwords in Firefox (or anything else).
kuyaya Posted November 30, 2020
3 hours ago, bjlents said: No, I've not edited anything. I've been trying to dissect the payloads (SMBruteBunny and Garfield) to figure out how I'd combine them but haven't gotten far. The other road block I had was banging my head on the wall after starting the thread because I forgot to disable Defender Firewall, which prevented SMBruteBunny from bruteforcing the password. I still haven't figured out what is causing Garfield to not see the passwords in Firefox (or anything else).
Okay, so the problem is that LaZagne gets removed by Windows Defender (even if you set exclusions), which pretty much screwed up most of my work on the payload. Maybe the same happens to Garfield, idk. So I assume an Invoke-Mimikatz is also fine? If you have a presentation and you could show it type crypto-stuff and then output mimikatz, that'd be even cooler, right? I'm just gonna work ~15min on the Invoke-Mimikatz one and then send it to you. Of course with the SMBBruteBunny included. Another question: are you gonna show it on a fresh Windows 10 VM with just some passwords on it?
kuyaya Posted November 30, 2020
Finished with the whole Invoke-Mimikatz payload 🙂 However, it doesn't save it in a file. It just outputs it to the terminal (powershell). It wouldn't be hard to save it to a file, if you want it that way.
Update: It does now save it to a file :).
bjlents Posted November 30, 2020
Thanks. I meant to post that I managed to get Garfield to output:

|====================================================================|
|                                                                    |
|                        The LaZagne Project                         |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|

[+] 0 passwords have been found.
For more information launch it again with the -v option

elapsed time = 6.19400000572

Have a nice day ;)

Not quite sure what it's missing as I was getting some output before, but whatever. I'll be showing it on a fresh VM yeah, I'm just going to put in some dummy passwords like garfield@gmail.com would be LaZagne for instance. Does Mimikatz give passwords for browsers and things? I thought it was just for grabbing the Windows password.
kuyaya Posted December 1, 2020
8 hours ago, bjlents said: I'll be showing it on a fresh VM yeah, I'm just going to put in some dummy passwords like garfield@gmail.com would be LaZagne for instance. Does Mimikatz give passwords for browsers and things? I thought it was just for grabbing the Windows password.
Yes, it only does output Windows passwords. I know that this is not from the browser, but if you have Outlook installed (the app) and click on "remember my login", it will get it in plaintext. So you could just download the app, set it up for your fake gmail account and it should work. Or what would also be interesting is that you could try to then use Pass the Hash (with the hash you got from Mimikatz) and get remote access with that. Does the Mimikatz, which I sent you, work?
bjlents Posted December 1, 2020
Sent you a message. Looks like it has a bit of an error. Going to try and dissect it while I wait on your reply.