Bash Bunny - Student Project Help


bjlents


Hello All,

I'm a student in a Bachelor's program. I've been given an assignment and I have not had time to mess with things as much as I'd have liked. I need to do something interesting. I was wondering if it would be possible to chain scripts together. By that I mean, only put payloads in say Switch 1 mode. Then when say the SMBruteBunny payload completed it would trigger LaZagne and when both completed show an output on screen like an ASCII image or something.

I get that I could run just two payloads with the Switches but I'd like to display an image or ASCII message at the end like a "You've been hacked" thing for fun, and it would be more interesting than just doing the bare minimum. I mean I'll use the switches if I have to, but I've been trying to figure this out on my own or on Reddit and completely forgot to post it here XD

About the test bed: it'll be a computer or VM with Windows 10. I'll be setting it up with a username which will be added to the payload's userlist, with a password from RockYou. I'll then make a few dummy profiles in Firefox with passwords for LaZagne to grab.


In order to give advice, I need to know a bit more about your situation. Have you tried any of the ideas that you describe in the post? If so, what parts do you have problems with? Reading between the lines, I can't seem to get the feeling that you have tried anything yet and it's just an idea at the moment. I can't see why it wouldn't be possible to combine payloads into one, as you aren't cemented to using only one predefined payload that you grab from GitHub per switch. You could create a "monstrously" big combined script and execute it using just one switch. If you are studying in a program that will get you a bachelor's degree, I'm pretty sure you are knowledgeable enough to get it all working. My advice as of now is simply to place the SMBruteBunny payload into one of the switch positions, adjust it as needed and get it working fully against the intended target. Then add the LaZagne part to the same payload. Finishing it all by displaying a "hacked" message to the user shouldn't be that much of a challenge as I can see it.


Scripting is not my area of expertise. I'm working on it, but I have so many projects and things going on that I need a little help getting off the ground on this one. I have them (SMBruteBunny and LaZagne) working individually, though it's been a hot minute since I did LaZagne. SMBruteBunny is a recent switch-in, so I might do that again while waiting on a reply.

I just want to tie them together and am having trouble breaking them down into the pieces needed. For instance, I don't necessarily want all of the passwords on the host, maybe just the browser stuff (like you'd get if you ran LaZagne's browser module). I also do not quite know where to start on the message: is there a way to just have it echo the message on the screen (maybe using HID to have it 'type' the message in)? These are the things I'm trying to figure out.


I have two weeks to finish this, so a couple of days is nothing. What I'd be more interested in is your methodology, which would help me replicate things and explain them when I have to write it up in my paper. I'm almost done with my other projects and this is supposed to be a more fun assignment. I'm going to start writing up what I've already tried and such for the paper tomorrow after I finish this last assignment, I think. What I've tested, what I didn't use and why, that kind of stuff.

I'm currently going back and making sure everything works as is (with both SMBruteBunny and Garfield -- I misspoke earlier, it's not LaZagne, it's Garfield, which uses LaZagne), and I might cut the wordlist down (it helps knowing the right password, obviously).


Ok. For some reason I can't get SMBruteBunny to run, though I had it running not long ago. Though at least SMBruteBunny is actually giving me a ppf file in the payloads/switch1/ folder now.

Target:			172.16.64.10
Username count:		9
Password count:		102
Estimated attempts:	918
User-as-Pass Mode:	False
Honey Badger Mode:	False
Verbose:		False
Time:			12:02 AM on November 24, 2020


Ended at:		12:03 AM on November 24, 2020

Traceback (most recent call last):
  File "/root/udisk/payloads/switch1/mmcbrute/mmcbrute.py", line 185, in <module>
    brute.run()
  File "/root/udisk/payloads/switch1/mmcbrute/mmcbrute.py", line 76, in run
    smb_connection = SMBConnection(self.target, self.target)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 74, in __init__
    self.negotiateSession(preferredDialect)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 111, in negotiateSession
    self._timeout, True, flags1=flags1, flags2=flags2, data=negoData)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 159, in _negotiateSession
    timeout)
  File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 833, in __init__
    timeout=timeout, local_type=local_type, sock=sock)
  File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 705, in __init__
    self._sock = self._setup_connection((remote_host, sess_port), timeout)
  File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 844, in _setup_connection
    raise socket.error("Connection error (%s:%s)" % (peer[0], peer[1]), e)
socket.error: [Errno Connection error (172.16.64.10:445)] timed out

Garfield seems to run fine and generates the files in the loot folder but it's empty other than the


Have a nice day ;)

It's not listing the dummy passwords I put into Firefox.


Yes you can. You need a way to serve the scripts, and conditions set up either in the cradle that handles running the script on the local machine, or code at the end of each script to run the next.

 

I hate tooting my own horn, but that is exactly what the outdated BBTPS does. You can use it, or use it as an example of how something like that would work. Of course it is just an automated way of how other post-exploit frameworks work, like Empire, Metasploit or Covenant. You create a server with node, python, etc. that runs on the BB, you quake a command to call the server to get the first script, which should be the agent that will negotiate the whole procedure. That is it in a nutshell without writing a whole dissertation on it.


Thanks for that @PoSHMagiCOde, I'll look into it. I'm somewhat familiar with Empire, it's just kind of outside the scope of this.

 

I'm still not getting any passwords grabbed by Garfield, and SMBruteBunny still has that PPF, so no idea. Has anyone had a chance to look at any of this, either the errors or combining anything?

Meant to post this yesterday but just got internet back so Happy Thanksgiving everyone!


5 hours ago, bjlents said:

Thanks for that @PoSHMagiCOde I'll look into it. I'm somewhat familiar with Empire just kind of outside the scope of this.

 

I'm still not getting any passwords grabbed by Garfield and SMBruteBunny still has that PPF so no idea. Anyone had a chance to look at any of this either the errors or combining anything?

Meant to post this yesterday but just got internet back so Happy Thanksgiving everyone!

Yeah sorry, I haven't looked at it yet.

I'll probably do it tomorrow. It's already late here...


19 hours ago, kuyaya said:

Yeah sorry, I haven't looked at it yet.

I'll probably do it tomorrow. It's already late here...

All good. I'm on your schedule. I appreciate you looking at it.

Finally got SMBruteBunny working again. I facepalmed so hard when I realized I hadn't disabled Defender's Firewall when I did my hardware install. I doubt that is the issue preventing Garfield from getting, say, Firefox's passwords, since it runs and shows the text



Have a nice day ;)

Yeah, that did not help any. I'm thinking it's probably looking in the wrong places, maybe?

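The traceback earlier in the thread shows the brute-force attempt failing at the network layer (the connection to 172.16.64.10:445 timed out) because Windows Defender Firewall was still on; once the firewall is open, the same activity lands in the target's Security log instead, as a burst of failed network logons (Event ID 4625, logon type 3, status 0xC000006D) from one source address, spread across several usernames. As an added example that is not part of this thread or of the SMBruteBunny/mmcbrute payload, the Python below runs a sliding-window detector over constructed sample lines in a simplified one-line-per-event export format. The line format, IP addresses, usernames, and the threshold and window values are assumptions chosen for illustration, not real log data.

```python
"""Sliding-window detector for SMB-style brute force in failed-logon events.

Added example (not from the thread or any payload). Assumes a simplified
export format, one event per line:
    <ISO timestamp> <EventID> LogonType=<n> TargetUser=<name> SourceIP=<ip> Status=<hex>
Event ID 4625 is a failed logon; LogonType 3 is a network logon (what SMB
authentication produces); Status 0xC000006D is STATUS_LOGON_FAILURE.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+) Status=(?P<status>\S+)$"
)


def build_sample_log():
    """Constructed sample: 12 failures in 22 seconds from one host rotating
    through three users (brute force), two isolated failures from another host
    (a typo), one interactive failure and one successful network logon."""
    base = datetime(2020, 11, 24, 0, 2, 0)
    users = ["alice", "bob", "carol"]
    lines = []
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 4625 LogonType=3 TargetUser={users[i % 3]} "
                     f"SourceIP=172.16.64.20 Status=0xC000006D")
    lines.append("2020-11-24T00:02:05 4625 LogonType=3 TargetUser=dave SourceIP=10.0.0.5 Status=0xC000006D")
    lines.append("2020-11-24T00:02:40 4625 LogonType=3 TargetUser=dave SourceIP=10.0.0.5 Status=0xC000006D")
    lines.append("2020-11-24T00:02:30 4625 LogonType=2 TargetUser=alice SourceIP=127.0.0.1 Status=0xC000006D")
    lines.append("2020-11-24T00:02:26 4624 LogonType=3 TargetUser=alice SourceIP=172.16.64.20 Status=0x0")
    return "\n".join(lines)


def parse_events(text):
    """Parse the simplified export into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["event_id"] = int(ev["event_id"])
        ev["logon_type"] = int(ev["logon_type"])
        events.append(ev)
    return events


def detect_bruteforce(events, threshold=10, window_seconds=60):
    """Alert once per source IP when `threshold` failed network logons fall
    inside any `window_seconds` interval. Returns a list of alert dicts."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # source IP -> deque of (ts, user) in the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Only failed network logons count; successes and console logons are ignored.
        if ev["event_id"] != 4625 or ev["logon_type"] != 3:
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events that aged out
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({
                "source_ip": ev["ip"],
                "count": len(q),
                "distinct_users": len({u for _, u in q}),
                "first_seen": q[0][0].isoformat(),
                "last_seen": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(build_sample_log())):
        print(f"ALERT {alert['source_ip']}: {alert['count']} failed network logons "
              f"across {alert['distinct_users']} users between "
              f"{alert['first_seen']} and {alert['last_seen']}")
```

The two failures from 10.0.0.5 never reach the threshold and produce nothing, while the rotating-user burst from 172.16.64.20 alerts as soon as the tenth failure lands; the `distinct_users` field is what separates a spray across a userlist (as in the mmcbrute summary above, 9 users by 102 passwords) from one account being hammered.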

@bjlents Hey man, I think I'm almost finished. One last thing:

Have you made any changes to the payload.txt from SMBbrutebunny?

If so, could you please send me the whole file?

I don't think you've made changes to mmcbrute.py, so sending this one wouldn't be necessary.


No, I've not edited anything. I've been trying to dissect the payloads (SMBruteBunny and Garfield) to figure out how I'd combine them but haven't gotten far. The other roadblock I had was banging my head on the wall after starting the thread because I forgot to disable Defender Firewall, which prevented SMBruteBunny from brute-forcing the password.

 

I still haven't figured out what is causing Garfield to not see the passwords in Firefox (or anything else).


3 hours ago, bjlents said:

No, I've not edited anything. I've been trying to dissect the payloads (SMBruteBunny and Garfield) to figure out how I'd combine them but haven't gotten far. The other roadblock I had was banging my head on the wall after starting the thread because I forgot to disable Defender Firewall, which prevented SMBruteBunny from brute-forcing the password.

 

I still haven't figured out what is causing Garfield to not see the passwords in Firefox (or anything else).

Okay, so the problem is that LaZagne gets removed by Windows Defender (even if you set exclusions) which pretty much screwed up most of my work on the payload. Maybe the same happens to Garfield, idk.

So I assume an Invoke-Mimikatz is also fine?

If you have a presentation and you could show it typing crypto-stuff and then output Mimikatz, that'd be even cooler, right?

I'm just gonna work ~15min on the Invoke-Mimikatz one and then send it to you. Of course with the SMBBruteBunny included.

Another question: are you gonna show it on a fresh Windows 10 VM with just some passwords on it?


Finished with the whole Invoke-Mimikatz payload 🙂

However, it doesn't save it in a file. It just outputs it to the terminal (powershell). It wouldn't be hard to save it to a file, if you want it that way.

Update: It does now save it to a file :).


Thanks.

I meant to post that I managed to get Garfield to output:


|====================================================================|
|                                                                    |
|                        The LaZagne Project                         |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|


[+] 0 passwords have been found.
For more information launch it again with the -v option

elapsed time = 6.19400000572

Have a nice day ;)

Not quite sure what it's missing, as I was getting some output before, but whatever.

I'll be showing it on a fresh VM, yeah. I'm just going to put in some dummy passwords, like garfield@gmail.com would be LaZagne, for instance. Does Mimikatz give passwords for browsers and things? I thought it was just for grabbing the Windows password.


8 hours ago, bjlents said:

I'll be showing it on a fresh VM, yeah. I'm just going to put in some dummy passwords, like garfield@gmail.com would be LaZagne, for instance. Does Mimikatz give passwords for browsers and things? I thought it was just for grabbing the Windows password.

Yes, it only outputs Windows passwords. I know that this is not from the browser, but if you have Outlook installed (the app) and click on "remember my login", it will get it in plaintext.

So you could just download the app, set it up for your fake gmail account and it should work.

Or, what would also be interesting is that you could then try to use Pass the Hash (with the hash you got from Mimikatz) and get remote access with that.

Does the Mimikatz, which I sent you, work?


Archived

This topic is now archived and is closed to further replies.
