
Installing "Responder" on BashBunny (MK II?) w. F/W 1.7_332


InfiniteBSOD


Hello,


First off:
Yes I've read the "Tools" instructions here:
Bash Bunny by Hak5

1) Is the "Responder" deb-file mentioned here (post from May 10th 2017) :

or here (uploaded on GitHub on April 6th 2017):

the latest one?

I'm running what I guess is "BashBunny MK I" (a gift from a friend, EAN printed on back is "811342030040") since the "version.txt" reads:

1.7_332

and according to the firmware guide here:
Updating the Bash Bunny Firmware - Bash Bunny (hak5.org)

"MK II" ships with F/W "1.7" so I gather the device is a "MK II"; a black unbranded plastic cover with a mSDHC-slot.

3) Now I've:
* Used the instructions here to share my computer's (Windows) internet connection with the BashBunny:
Sharing an Internet connection from Windows - Bash Bunny (hak5.org)
and ran:

apt-get update; apt-get upgrade

* Cloned this repo and replaced the files on the BashBunny with the extracted files, replacing the originals:
GitHub - hak5/bashbunny-payloads: The Official Bash Bunny Payload Repository

2) Regardless of which ".deb"-file I download in my 1st question I proceed to:
* Put BashBunny in "arming"-mode
* Drag'n'drop the ".deb"-file to <driveletter>\tools (ex. D:\tools)
* Eject BashBunny
* Re-insert BashBunny > LED flashes magenta > "deb"-file is gone from  <driveletter>\tools and that directory is empty
* Even if I use "Putty" and connect to the BashBunny using serial (instructions below) the directory:

/tools

is empty.
Link to connecting using "Putty" while in "arming"-mode on Windows:
Bash Bunny by Hak5

What am I missing?

Best Regards


1) It's the latest Responder deb file made available for the Bunny (I'm just referring to the one from Hak5, not deb files from any other unknown source). However, it's really old and not the latest Responder available from the official repo on GitHub. Things have happened since 2017, so in order to be successful it's important to use the latest release possible.

2) This method should work and it seems as if it does, but, if you can't see any directory in /tools (that is the "real" /tools in the root of the internal Bunny file system, not on the udisk that is mounted to the target in arming mode) then something isn't working as it should for some reason. In any way, what you will get when using that deb file is just an old version of Responder that will most likely not work that well for you. The latest combo that has worked for me (and still works) is using Python 3.7.9 and Responder 3.0.7.0 along with the Quickcreds payload.

3) Not that much to comment here

Comment on the Bunny you are using; it's not a Mark 1 Bunny if it has a Micro SD card slot. Only the Mark 2 Bunny has that feature.

Also use the latest documentation as reference, the one you are linking is old and deprecated (even though most of it is the same, at least for the Mark 1 Bunny).
https://docs.hak5.org/bash-bunny/

 

On 3/5/2023 at 10:12 PM, dark_pyrro said:

1) It's the latest Responder deb file made available for the Bunny (I'm just referring to the one from Hak5, not deb files from any other unknown source). However, it's really old and not the latest Responder available from the official repo on GitHub. Things have happened since 2017, so in order to be successful it's important to use the latest release possible.

2) This method should work and it seems as if it does, but, if you can't see any directory in /tools (that is the "real" /tools in the root of the internal Bunny file system, not on the udisk that is mounted to the target in arming mode) then something isn't working as it should for some reason. In any way, what you will get when using that deb file is just an old version of Responder that will most likely not work that well for you. The latest combo that has worked for me (and still works) is using Python 3.7.9 and Responder 3.0.7.0 along with the Quickcreds payload.

3) Not that much to comment here

Comment on the Bunny you are using; it's not a Mark 1 Bunny if it has a Micro SD card slot. Only the Mark 2 Bunny has that feature.

Also use the latest documentation as reference, the one you are linking is old and deprecated (even though most of it is the same, at least for the Mark 1 Bunny).
https://docs.hak5.org/bash-bunny/

 

Thank you for your reply and sorry for my late reply.

(Before the more simplified process below I did a reset of the BashBunny MK II as per here) and ran:

apt-get update
apt-get upgrade

however no packages were updated and my language pack is still on the BashBunny but my previously created folders ("/home/downloads/xyz" etc.) are gone.

I've been trying to get this sorted and I guess I've gone about it way too complicated than it has to be:

1) Downloaded the latest version of Responder (3.1.3.0):

wget https://github.com/lgandx/Responder/archive/refs/tags/v3.1.3.0.tar.gz
tar -xvzf v3.1.3.0.tar.gz
rm v3.1.3.0.tar.gz

2) While in the extracted folder for "Responder-3.1.3.0":

./Responder.py
/usr/bin/env: python3: No such file or directory

Ok so 

python --version

returns:

Python 2.7.9

Ok I need to install Python 3:

Following this post:
python 3.7.3 install on debian jessie - Constantly Outdated (kitabi.eu)
fails on step 1 (install dependencies):

apt-get install libreadline-gplv2-dev libncursesw5-dev libssl-dev libsqlite3-dev tk-dev libgdbm-dev libc6-dev libbz2-dev

with:

Reading package lists... Done
Building dependency tree
Reading state information... Done
libc6-dev is already the newest version.
libc6-dev set to manually installed.
libssl-dev is already the newest version.
libsqlite3-dev is already the newest version.
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libncursesw5-dev : Depends: libtinfo5 (= 5.9+20140913-1+deb8u3) but 6.0+20161126-1+deb9u2 is to be installed
                    Depends: libncursesw5 (= 5.9+20140913-1+deb8u3) but 6.0+20161126-1+deb9u2 is to be installed
                    Depends: libtinfo-dev (= 5.9+20140913-1+deb8u3) but it is not going to be installed
 libreadline-gplv2-dev : Depends: libtinfo-dev but it is not going to be installed
E: Unable to correct problems, you have held broken packages

Ok so "libtinfo-dev" seems to hold up the dependencies.

"libtinfo-dev" in turn seems to have a dependency of:
"libtinfo5"

 

 


On 3/14/2023 at 8:49 PM, InfiniteBSOD said:

I love you.
I will try this tomorrow and report back.

Tried it!

apt-get clean
apt update

returns:

W: GPG error: http://httpredir.debian.org jessie Release: The following signatures were invalid: KEYEXPIRED 1668891673
W: GPG error: http://archive.debian.org jessie-backports InRelease: The following signatures were invalid: KEYEXPIRED 1587841717 KEYEXPIRED 1668891673
W: There is no public key available for the following key IDs:
648ACFD622F3D138
 NO_PUBKEY 0E98404D386FA1D9

 

apt install build-essential

returns:

WARNING: The following packages cannot be authenticated!
  libasan1 libatomic1 libisl10 libcloog-isl4 libgomp1 libmpfr4 libubsan0
  libmpc3 bzip2 patch cpp-4.9 cpp libgcc-4.9-dev gcc-4.9 gcc libstdc++-4.9-dev
  g++-4.9 g++ libtimedate-perl libdpkg-perl dpkg-dev build-essential
  libfakeroot fakeroot libalgorithm-diff-perl libalgorithm-diff-xs-perl
  libalgorithm-merge-perl libfile-fcntllock-perl

 

apt install libgdbm-dev

returns:

WARNING: The following packages cannot be authenticated!
  libgdbm-dev

 

apt install libnss3-dev

returns:

WARNING: The following packages cannot be authenticated!
  libnspr4 libnss3 libnspr4-dev libnss3-dev

 

apt install libffi-dev  

returns:

WARNING: The following packages cannot be authenticated!
  libffi-dev

 

apt install gcc

 

cd /root
mkdir python3
cd python3
wget https://www.python.org/ftp/python/3.7.9/Python-3.7.9.tar.xz
tar -xvf Python-3.7.9.tar.xz
rm Python-3.7.9.tar.xz
cd Python-3.7.9
ls

pwd returns:

/root/python3/Python-3.7.9

 

mkdir /root/python3/openssl_compiled
cd ..
pwd returns:
/root/python3
wget --no-check-certificate https://www.openssl.org/source/openssl-3.0.0.tar.gz
tar -xvf openssl-3.0.0.tar.gz
rm openssl-3.0.0.tar.gz
cd openssl-3.0.0

 

timedatectl set-time 'YYYY-MM-DD HH:MM:SS'

in my case:

timedatectl set-time '2023-03-15 19:44:00'

 

timedatectl list-timezones | grep 'continent'

in my case:

timedatectl list-timezones | grep 'Europe'

 

timedatectl set-timezone <current-timezone>

in my case:

timedatectl set-timezone Europe/Stockholm

 

pwd returns:

/root/python3/openssl-3.0.0

 

./config --prefix=/root/python3/openssl_compiled --openssldir=/root/python3/openssl_compiled -Wl,-Bsymbolic-functions -fPIC shared

returns:

Configuring OpenSSL version 3.0.0 for target linux-armv4
Using os-specific seed configuration
Creating configdata.pm
Running configdata.pm
Creating Makefile.in
Creating Makefile

**********************************************************************
***                                                                ***
***   OpenSSL has been successfully configured                     ***
***                                                                ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***
***                                                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL.md file first)      ***
***                                                                ***
**********************************************************************

 

make

returns:
<too-much-output> but ends with:

make[1]: Leaving directory '/root/python3/openssl-3.0.0'

 

make test

returns:

Test Summary Report
-------------------
80-test_ssl_new.t                (Wstat: 256 Tests: 30 Failed: 1)
  Failed test:  12
  Non-zero exit status: 1
Files=241, Tests=3273, 3751 wallclock secs (63.34 usr  2.77 sys + 3374.59 cusr 241.08 csys = 3681.78 CPU)
Result: FAIL

More verbose:

80-test_ssl_new.t .................. 11/?
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [2] compared to [0]
            # INFO:
            # ExpectedResult mismatch: expected Success, got ClientFail.
            # 0070F1B6:error:0A000415:SSL routines:(unknown function):sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1678941550
            not ok 2 - iteration 2
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [2] compared to [0]
            # INFO:
            # ExpectedResult mismatch: expected Success, got ClientFail.
            # 0070F1B6:error:0A000415:SSL routines:(unknown function):sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1678941550
            not ok 4 - iteration 4
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [4] compared to [0]
            # INFO:
            # ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
            # 0070F1B6:error:0A000415:SSL routines:(unknown function):sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1678941550
            not ok 5 - iteration 5
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [4] compared to [0]
            # INFO:
            # ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
            # 0070F1B6:error:0A000415:SSL routines:(unknown function):sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1678941550
            not ok 6 - iteration 6
# ------------------------------------------------------------------------------
        # OPENSSL_TEST_RAND_ORDER=1678941550
        not ok 1 - test_handshake
# ------------------------------------------------------------------------------
../../util/wrap.pl ../../test/ssl_test 12-ct.cnf.none none => 1
    not ok 3 - running ssl_test 12-ct.cnf
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [2] compared to [0]
            # INFO:
            # ExpectedResult mismatch: expected Success, got ClientFail.
            # 0020F6B6:error:0A000415:SSL routines:(unknown function):sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1678941552
            not ok 2 - iteration 2
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [2] compared to [0]
            # INFO:
            # ExpectedResult mismatch: expected Success, got ClientFail.
            # 0020F6B6:error:0A000415:SSL routines:(unknown function):sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1678941552
            not ok 4 - iteration 4
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [4] compared to [0]
            # INFO:
            # ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
            # 0020F6B6:error:0A000415:SSL routines:(unknown function):sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1678941552
            not ok 5 - iteration 5
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [4] compared to [0]
            # INFO:
            # ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
            # 0020F6B6:error:0A000415:SSL routines:(unknown function):sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1678941552
            not ok 6 - iteration 6
# ------------------------------------------------------------------------------
        # OPENSSL_TEST_RAND_ORDER=1678941552
        not ok 1 - test_handshake
# ------------------------------------------------------------------------------
../../util/wrap.pl ../../test/ssl_test 12-ct.cnf.default default => 1
    not ok 6 - running ssl_test 12-ct.cnf
# ------------------------------------------------------------------------------

    #   Failed test 'running ssl_test 12-ct.cnf'
    #   at test/recipes/80-test_ssl_new.t line 171.
    # Looks like you failed 2 tests of 6.

Will troubleshoot this tomorrow
 


It should work, I know since I've done it several times. Time may change things though, so what was working a bit back in time may not work now.

The apt stuff is most likely because of the fact that Jessie is old nowadays and it's not strange that such errors would occur. Getting a more recent debian-archive-keyring package could solve it and/or edit the sources.list file. Or, use apt-key to import keys from a key server (if available).


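Added example, not part of any post in this thread: the KEYEXPIRED and "cannot be authenticated" warnings quoted above mean apt could not verify the archive signatures, which is the condition the keyring and sources.list suggestions address. The script decodes the expiry timestamps in that output and fails a provisioning step when any package is unauthenticated; the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage apt signature warnings.
# SAMPLE_UPDATE and SAMPLE_INSTALL are copied from the output quoted in the posts.

SAMPLE_UPDATE='W: GPG error: http://httpredir.debian.org jessie Release: The following signatures were invalid: KEYEXPIRED 1668891673
W: GPG error: http://archive.debian.org jessie-backports InRelease: The following signatures were invalid: KEYEXPIRED 1587841717 KEYEXPIRED 1668891673
W: There is no public key available for the following key IDs:
648ACFD622F3D138
 NO_PUBKEY 0E98404D386FA1D9'

SAMPLE_INSTALL='WARNING: The following packages cannot be authenticated!
  libnspr4 libnss3 libnspr4-dev libnss3-dev'

# Convert a Unix timestamp to a UTC date (GNU/busybox date first, BSD date as fallback).
epoch_to_date() {
    date -u -d "@$1" +%Y-%m-%d 2>/dev/null || date -u -r "$1" +%Y-%m-%d
}

# Read `apt update` output on stdin and print one line per signature problem:
#   KEYEXPIRED <repo-url> <suite> <expiry date>
#   NO_PUBKEY  <repo-url or -> <suite or -> <key id>
apt_sig_report() (
    awk '
        /GPG error:/ {
            ids = 0
            for (i = 1; i < NF; i++) {
                if ($i == "error:")     { repo = $(i + 1); suite = $(i + 2) }
                if ($i == "KEYEXPIRED") print "KEYEXPIRED", repo, suite, $(i + 1)
                if ($i == "NO_PUBKEY")  print "NO_PUBKEY", repo, suite, $(i + 1)
            }
            next
        }
        /no public key available/ { ids = 1; next }
        ids && /^[0-9A-F]+$/      { print "NO_PUBKEY", "-", "-", $1; next }
        {
            ids = 0
            for (i = 1; i < NF; i++)
                if ($i == "NO_PUBKEY") print "NO_PUBKEY", "-", "-", $(i + 1)
        }' |
    while read -r kind repo suite value; do
        case $kind in
            KEYEXPIRED) value=$(epoch_to_date "$value") ;;
        esac
        printf '%s %s %s %s\n' "$kind" "$repo" "$suite" "$value"
    done
)

# Read `apt install` output on stdin and print each package apt could not authenticate.
unauthenticated_packages() {
    awk '
        /cannot be authenticated/ { grab = 1; next }
        grab && /^[ \t]/          { for (i = 1; i <= NF; i++) print $i; next }
        { grab = 0 }'
}

# Gate for a provisioning script: succeed only if no package was unauthenticated.
require_authenticated() {
    pkgs=$(unauthenticated_packages)
    [ -z "$pkgs" ] && return 0
    set -- $pkgs
    echo "refusing to continue: $# unauthenticated package(s): $*" >&2
    return 1
}

# Demo on the thread's own output.
printf '%s\n' "$SAMPLE_UPDATE" | apt_sig_report
printf '%s\n' "$SAMPLE_INSTALL" | require_authenticated || echo "install step blocked"
```

The decoded dates show both archive keys had already expired before the posts were written, so the signature check fails regardless of the clock set on the device.
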
On 3/15/2023 at 10:48 PM, dark_pyrro said:

It should work, I know since I've done it several times. Time may change things though, so what was working a bit back in time may not work now.

The apt stuff is most likely because of the fact that Jessie is old nowadays and it's not strange that such errors would occur. Getting a more recent debian-archive-keyring package could solve it and/or edit the sources.list file. Or, use apt-key to import keys from a key server (if available).

Thank you for your help and your guide, helped me a lot!

I reset my BB MK II:
Factory Reset - Bash Bunny (hak5.org)

then did this:

///

1) Set your BashBunny MK II (w. mSDHC-slot) to share your computer's internet connection:
https://docs.hak5.org/bash-bunny/internet-connectivity/sharing-an-internet-connection-from-windows

2) SSH into the BB MK II by using an SSH-terminal (ex. Bitvise SSH Client) and connect to:
172.16.64.1
User: root
Password: hak5bunny

** All commands below are in the SSH-terminal **

3) Set time and date (and timezone).

Execute:

timedatectl set-time 'YYYY-MM-DD HH:MM:SS'

in my case:

timedatectl set-time '2023-03-19 18:14:00'

Execute:

timedatectl list-timezones | grep 'continent'

in my case:

timedatectl list-timezones | grep 'Europe'

Execute:

timedatectl set-timezone <current-timezone>

in my case:

timedatectl set-timezone Europe/Stockholm

4) Install necessary build-packages.

Execute:

apt update
apt install build-essential libgdbm-dev libnss3-dev libffi-dev gcc

5) Create a directory for all the files which will be downloaded and built and enter it.

Execute:

mkdir /root/build-dir
cd /root/build-dir

6) Download, untar and remove the zip for OpenSSL (latest version as per this post 2023-03-18 is '3.1.0').

Execute:

wget https://www.openssl.org/source/openssl-3.1.0.tar.gz
tar -xvf openssl-3.1.0.tar.gz
rm openssl-3.1.0.tar.gz
mkdir openssl-3.1.0_compiled
cd openssl-3.1.0

7) Build and install OpenSSL 3.1.0.
Source:
https://docs.python.org/3.11/using/unix.html#custom-openssl

Locate current OpenSSL.

Execute:

find /etc/ -name openssl.cnf -printf "%h\n"

in my case it was "/etc/ssl" which concerns the directory I enter for "--openssldir=".

Execute:

./config \
    --prefix=/home/build-dir/openssl-3.1.0_compiled \
    --libdir=lib \
    --openssldir=/etc/ssl

should return:

Configuring OpenSSL version 3.1.0 for target linux-armv4
Using os-specific seed configuration
Created configdata.pm
Running configdata.pm
Created Makefile.in
Created Makefile
Created include/openssl/configuration.h

**********************************************************************
***                                                                ***
***   OpenSSL has been successfully configured                     ***
***                                                                ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***
***                                                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL.md file first)      ***
***                                                                ***
**********************************************************************

Execute (official documentation suggests "-j1" which is 1 core, BB MK II has 4 cores therefore "-j4"):

make -j4 depend

Execute (official documentation suggests "-j8" which is 1 core, BB MK II has 4 cores therefore "-j4"):

make -j4

should end with:

make[1]: Leaving directory '/root/build-dir/openssl-3.1.0'

Execute:

make install_sw

8) Download, untar and remove the zip for Python3 (latest version as per this post 2023-03-18 is '3.11.2').

Execute:

wget https://www.python.org/ftp/python/3.11.2/Python-3.11.2.tgz
tar -xvf Python-3.11.2.tgz
rm Python-3.11.2.tgz
mkdir Python-3.11.2_compiled
cd Python-3.11.2

9) Build and install Python 3.11.2.
Source: https://docs.python.org/3.11/using/unix.html#custom-openssl

Execute:

./configure -C \
    --with-openssl=/home/build-dir/openssl-3.1.0_compiled \
    --with-openssl-rpath=auto \
    --prefix=/home/build-dir/Python-3.11.2_compiled

Execute (official documentation suggests "-j8" which is 1 core, BB MK II has 4 cores therefore "-j4"):

make -j4

Execute:

make altinstall

Add directory to path:

cd ~
nano .bashrc
export PATH=/home/build-dir/Python-3.11.2:$PATH
. .bashrc

10) Download and install 'netifaces' (requirement for Responder) through pip.

Execute:

python -m pip install netifaces

11) Upgrade 'pip'.

pip3.11 install --upgrade pip

12) Download, untar and remove the zip for Responder (latest version as per this post 2023-03-18 is '3.1.3.0').

Execute:

wget https://github.com/lgandx/Responder/archive/refs/tags/v3.1.3.0.tar.gz
tar -xvf v3.1.3.0.tar.gz
rm v3.1.3.0.tar.gz

13) Launch Responder.

cd /root/build-dir/Responder-3.1.3.0
python ./Responder.py

should return:

                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

  To support this project:
  Patreon -> https://www.patreon.com/PythonResponder
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C

Error: -I <if> mandatory option is missing

launching 'DumpHash.py' with:

python ./DumpHash.py

returns:

Dumping NTLMV2 hashes:
Traceback (most recent call last):
  File "/root/build-dir/Responder-3.1.3.0/./DumpHash.py", line 43, in <module>
    v2 = GetResponderCompleteNTLMv2Hash(cursor)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/build-dir/Responder-3.1.3.0/./DumpHash.py", line 28, in GetResponderCompleteNTLMv2Hash
    res = cursor.execute("SELECT fullhash FROM Responder WHERE type LIKE '%v2%' AND UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder)")
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
sqlite3.OperationalError: no such table: Responder

///

So I guess that a payload should be in 'Switch Position 1' which invokes 'DumpHash.py' and then 'QuickCreds' should be in 'Switch Position 2'?


38 minutes ago, InfiniteBSOD said:

So I guess that a payload should be in 'Switch Position 1' which invokes 'DumpHash.py' and then 'QuickCreds' should be in 'Switch Position 2'?

Not quite sure what you mean by that. You let the Bunny run whatever payload is available in the switch position you select. If you select switch position 1, it will run the payload in the switch1 payload directory. And the same logic for switch2.

If you haven't purged Python 2 (or created some symlink that starts Python 3 when typing "python"), you should start Responder with python3 specifically, otherwise Responder will start with Python 2.


21 hours ago, dark_pyrro said:

Not quite sure what you mean by that. You let the Bunny run whatever payload is available in the switch position you select. If you select switch position 1, it will run the payload in the switch1 payload directory. And the same logic for switch2.

If you haven't purged Python 2 (or created some symlink that starts Python 3 when typing "python"), you should start Responder with python3 specifically, otherwise Responder will start with Python 2.

I think I am nearly there!

I renamed the "Responder-3.1.3.0" folder to "responder" and moved it to the "/tools/" when accessing the BB MK II through SSH and put the "payload.txt" for "QuickCreds" in the "Switch1" folder.

I also SSH:ed into the BB MK II and ran "chmod a+x ./responder.py" while in the "/tools/responder/"-directory.

I set the network adapter for the BB MK II to "Automatic" instead of the static IP I used (172.16.64.64/24) to be able to SSH into it.

Here is what I see when inserting the BB MK II using "Switch1":
Solid green
Solid magenta ("purple") [Row 27 below]
Blinking green [Row ??]

Even after ~ 5min it's still blinking green.

According to the code for "QuickCreds" here:
bashbunny-payloads/payload.txt at master · hak5/bashbunny-payloads (github.com)
and the legend for LEDs for BB here:
LED - Bash Bunny (hak5.org)

Row 27 - "# Setup attack" = LED SETUP = Magenta solid
Row 56 - "# Set LED yellow, run attack" = LED ATTACK = Yellow single blink
Row 80 = "# Light turns green - trap is clean." = LED FINISH = Green very fast blink followed by solid green

When setting the BB MK II into "arming mode" and checking the mounted "<driveletter>\loot\quickcreds\" I can see a subfolder with the hostname of my host but no files in it.

Any idea?

Feels that I'm really close now, thanks to your help 🙂

Update:
Row 63 = 

python Responder.py -I usb0 $RESPONDER_OPTIONS &

if I SSH and try to run "Responder.py":

root@bunny:/tools/responder# ./Responder.py
You need to install python-netifaces or run Responder with python3...
Try "apt-get install python-netifaces" or "pip install netifaces"

OK not specifying "python" makes it default to "python2" instead of "python3" however running:

root@bunny:/tools/responder# python ./Responder.py

returns:

                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

  To support this project:
  Patreon -> https://www.patreon.com/PythonResponder
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C

Error: -I <if> mandatory option is missing

So just like row 63 in "QuickCreds" it should start "responder" w. Python3?


The LED sequence seems a bit odd. It shouldn't do it that way if either succeeding or failing (failing not equal to "LED FAIL" as per the payload script, but failing to get loot). I guess that Responder fails due to the fact that the payload is using a Responder command line option that is deprecated if I remember it correctly ==> "-r". If you run Responder manually and include the option "-r", it will abort. That could be the reason why the loot directory is created (since that is happening before Responder is executed), but nothing else happens. If Responder was successful in running the payload, it would blink yellow until it got some loot (i.e. some file named something including "NTLM").


32 minutes ago, dark_pyrro said:

The LED sequence seems a bit odd. It shouldn't do it that way if either succeeding or failing (failing not equal to "LED FAIL" as per the payload script, but failing to get loot). I guess that Responder fails due to the fact that the payload is using a Responder command line option that is deprecated if I remember it correctly ==> "-r". If you run Responder manually and include the option "-r", it will abort. That could be the reason why the loot directory is created (since that is happening before Responder is executed), but nothing else happens. If Responder was successful in running the payload, it would blink yellow until it got some loot (i.e. some file named something including "NTLM").

Tried executing Responder.py manually:

root@bunny:/tools/responder# python Responder.py -I usb0 -w -d -P -v

returns:
<some-omitted-stuff>

[!] Error starting SSL server on port 5986, check permissions or other servers running.
[!] Error starting SSL server on port 443, check permissions or other servers running.

while looking at which services use "5986" or "443":

root@bunny:/tools/responder# netstat -lnpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      430/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      430/sshd

it seems no services are.

In regards to "-r" being deprecated that seems to be the case:

root@bunny:/tools/responder# python Responder.py -I usb0 -w -d -r -P -v
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

  To support this project:
  Patreon -> https://www.patreon.com/PythonResponder
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C

Usage: python Responder.py -I eth0 -w -d
or:
python Responder.py -I eth0 -wd

Responder.py: error: no such option: -r

removed -r references · lgandx/Responder@03fa9a7 (github.com)


I quote myself

22 hours ago, dark_pyrro said:

If you haven't purged Python 2 (or created some symlink that starts Python 3 when typing "python"), you should start Responder with python3 specifically, otherwise Responder will start with Python 2.

If you use "python" only, you should under normal circumstances be starting Python 2 on the Bunny. To use Python 3 you need to specify it when starting Responder, i.e. use "python3" (both manually at the command line or in the payload script), not just "python". There is a shebang on the first line of the Responder.py file that could/should make the script use python3. Better though to start Responder with python3 from command line to be sure it is used.


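Added example, not part of any post in this thread: why `python`, `python3` and `./Responder.py` can each end up on a different interpreter. It rebuilds the layout described in the posts as a constructed temporary tree (a build directory holding only `python`, an altinstall prefix holding only `python3.11`, and the system interpreters) and lists PATH lookups in order; the function names and the tree are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The tree built by make_fixture is
# constructed; the version numbers and the shebang are the ones quoted in the posts.

# List every executable named $1 on the PATH string $2, in lookup order.
# The first line printed is what the shell (and /usr/bin/env) would run.
path_candidates() (
    name=$1
    set -f            # no globbing while splitting the PATH string
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
)

# Print the interpreter that running "./script" would start, given PATH string $2.
shebang_target() (
    IFS= read -r first < "$1" || true
    case $first in
        '#!'*) ;;
        *) echo "no-shebang"; exit 0 ;;
    esac
    set -f
    set -- "$2" ${first#'#!'}   # $1 = PATH string, $2 = interpreter, $3 = its first argument
    case $2 in
        */env)
            hit=$(path_candidates "$3" "$1" | head -n 1)
            if [ -n "$hit" ]; then echo "$hit"; else echo "$3: not found on PATH"; fi ;;
        *) echo "$2" ;;
    esac
)

# Create a stand-in interpreter that only reports a version string.
fake_python() {
    printf '#!/bin/sh\necho "Python %s"\n' "$2" > "$1"
    chmod +x "$1"
}

# Build the constructed tree and print its root directory.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/build-dir/Python-3.11.2" \
             "$root/build-dir/Python-3.11.2_compiled/bin" \
             "$root/usr/bin" "$root/tools/responder"
    fake_python "$root/build-dir/Python-3.11.2/python" 3.11.2                  # binary left in the build tree
    fake_python "$root/build-dir/Python-3.11.2_compiled/bin/python3.11" 3.11.2 # what "make altinstall" installs
    fake_python "$root/usr/bin/python"  2.7.9
    fake_python "$root/usr/bin/python2" 2.7.9
    fake_python "$root/usr/bin/python3" 3.4.2
    printf '#!/usr/bin/env python3\n' > "$root/tools/responder/Responder.py"
    echo "$root"
}

# Demo: the build directory is prepended to PATH, as in the .bashrc step.
root=$(make_fixture)
demo_path="$root/build-dir/Python-3.11.2:$root/usr/bin"
for name in python python3 python3.11; do
    first=$(path_candidates "$name" "$demo_path" | head -n 1)
    echo "$name -> ${first:-not found}"
done
echo "./Responder.py -> $(shebang_target "$root/tools/responder/Responder.py" "$demo_path")"

# With the altinstall bin directory on PATH, python3.11 resolves but python3 is unchanged.
alt_path="$root/build-dir/Python-3.11.2_compiled/bin:$root/usr/bin"
echo "python3.11 (altinstall bin on PATH) -> $(path_candidates python3.11 "$alt_path" | head -n 1)"
echo "python3    (altinstall bin on PATH) -> $(path_candidates python3 "$alt_path" | head -n 1)"
rm -rf "$root"
```
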
To really make sure netifaces is installed and available for Python 3, then enter the Python 3 prompt, by running:
python3

Enter:
import netifaces

There should be no error message(s) if netifaces is installed correctly for Python 3

Just to test it further, list available interfaces:
netifaces.interfaces()

 


26 minutes ago, dark_pyrro said:

To really make sure netifaces is installed and available for Python 3, then enter the Python 3 prompt, by running:
python3

Enter:
import netifaces

There should be no error message(s) if netifaces is installed correctly for Python 3

Just to test it further, list available interfaces:
netifaces.interfaces()

 

 

root@bunny:~# python --version
Python 3.11.2
root@bunny:~# python3 --version
Python 3.4.2

so I'm unsure why python3 leads to 3.4.2 and not 3.11.2 and python leads to 3.11.2.
I guess python should lead to python2 and python3 should lead to 3.11.2 although:

root@bunny:~# which python
/root/build-dir/Python-3.11.2/python
root@bunny:~# which python3
/usr/bin/python3
root@bunny:~# which python2
/usr/bin/python2

 

root@bunny:~# python
Python 3.11.2 (main, Mar 19 2023, 19:58:51) [GCC 4.9.2] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> help('modules')

Please wait a moment while I gather a list of all available modules...

test_sqlite3: testing with version '2.6.0', sqlite_version '3.8.7.1'
/home/build-dir/Python-3.11.2_compiled/lib/python3.11/site-packages/_distutils_hack/__init__.py:33: UserWarning: Setuptools is replacing distutils.
  warnings.warn("Setuptools is replacing distutils.")
__future__          _thread             graphlib            select
__hello__           _threading_local    grp                 selectors
__phello__          _tokenize           gzip                setuptools
_abc                _tracemalloc        hashlib             shelve
_aix_support        _typing             heapq               shlex
_ast                _warnings           hmac                shutil
_asyncio            _weakref            html                signal
_bisect             _weakrefset         http                site
_blake2             _xxsubinterpreters  idlelib             smtpd
_bootsubprocess     _xxtestfuzz         imaplib             smtplib
_codecs             _zoneinfo           imghdr              sndhdr
_codecs_cn          abc                 imp                 socket
_codecs_hk          aifc                importlib           socketserver
_codecs_iso2022     antigravity         inspect             spwd
_codecs_jp          argparse            io                  sqlite3
_codecs_kr          array               ipaddress           sre_compile
_codecs_tw          ast                 itertools           sre_constants
_collections        asynchat            json                sre_parse
_collections_abc    asyncio             keyword             ssl
_compat_pickle      asyncore            lib2to3             stat
_compression        atexit              linecache           statistics
_contextvars        audioop             locale              string
_crypt              base64              logging             stringprep
_csv                bdb                 lzma                struct
_ctypes             binascii            mailbox             subprocess
_ctypes_test        bisect              mailcap             sunau
_datetime           builtins            marshal             symtable
_dbm                bz2                 math                sys
_decimal            cProfile            mimetypes           sysconfig
_distutils_hack     calendar            mmap                syslog
_elementtree        cgi                 modulefinder        tabnanny
_functools          cgitb               msilib              tarfile
_gdbm               chunk               multiprocessing     telnetlib
_hashlib            cmath               netifaces           tempfile
_heapq              cmd                 netrc               termios
_imp                code                nis                 test
_io                 codecs              nntplib             textwrap
_json               codeop              ntpath              this
_locale             collections         nturl2path          threading
_lsprof             colorsys            numbers             time
_markupbase         compileall          opcode              timeit
_md5                concurrent          operator            tkinter
_multibytecodec     configparser        optparse            token
_multiprocessing    contextlib          os                  tokenize
_opcode             contextvars         ossaudiodev         tomllib
_operator           copy                pathlib             trace
_osx_support        copyreg             pdb                 traceback
_pickle             crypt               pickle              tracemalloc
_posixshmem         csv                 pickletools         tty
_posixsubprocess    ctypes              pip                 turtle
_py_abc             curses              pipes               turtledemo
_pydecimal          dataclasses         pkg_resources       types
_pyio               datetime            pkgutil             typing
_queue              dbm                 platform            unicodedata
_random             decimal             plistlib            unittest
_sha1               difflib             poplib              urllib
_sha256             dis                 posix               uu
_sha3               distutils           posixpath           uuid
_sha512             doctest             pprint              venv
_signal             email               profile             warnings
_sitebuiltins       encodings           pstats              wave
_socket             ensurepip           pty                 weakref
_sqlite3            enum                pwd                 webbrowser
_sre                errno               py_compile          wsgiref
_ssl                faulthandler        pyclbr              xdrlib
_stat               fcntl               pydoc               xml
_statistics         filecmp             pydoc_data          xmlrpc
_string             fileinput           pyexpat             xxlimited
_strptime           fnmatch             queue               xxlimited_35
_struct             fractions           quopri              xxsubtype
_symtable           ftplib              random              zipapp
_sysconfigdata__linux_arm-linux-gnueabihf functools           re                  zipfile
_testbuffer         gc                  reprlib             zipimport
_testcapi           genericpath         resource            zlib
_testclinic         getopt              rlcompleter         zoneinfo
_testimportmultiple getpass             runpy
_testinternalcapi   gettext             sched
_testmultiphase     glob                secrets

Enter any module name to get more help.  Or, type "modules spam" to search
for modules whose name or summary contain the string "spam".

>>> netifaces.interfaces()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
NameError: name 'netifaces' is not defined
>>> import netifaces
>>> netifaces.interfaces()
['lo', 'eth0', 'tunl0', 'gre0', 'sit0', 'ip6tnl0', 'usb0']

'netifaces' should be installed for python (a.k.a. 3.11.2)

Edited by InfiniteBSOD

This is most likely due to the fact that Python 3 was installed using apt before you built Python3 from source. I would recommend purging the version installed using apt, or simply do a factory reset to start with a clean slate and not install Python 3 using apt, but only build the relevant version for Responder.

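The mismatch discussed above (python resolving to the source-built 3.11.2, python3 to the apt-installed 3.4.2, and netifaces confirmed under only one of them) can be checked in one pass. This is an added example, not part of the original posts; the function names and the script name pycheck.sh are made up for illustration.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): for each interpreter name, show what
# it resolves to, its version, and whether MODULE imports under that exact one.

# probe NAME MODULE -> "NAME PATH VERSION MODULE=yes|no" or "NAME not-found"
probe() {
    name=$1
    module=$2
    path=$(command -v "$name" 2>/dev/null) || { echo "$name not-found"; return 0; }
    # Python 2 writes --version to stderr, so merge both streams.
    version=$("$path" --version 2>&1 | awk '{print $2; exit}')
    if "$path" -c "import $module" >/dev/null 2>&1; then
        echo "$name $path $version $module=yes"
    else
        echo "$name $path $version $module=no"
    fi
}

# report MODULE -> one probe line for each name compared in the thread
report() {
    for candidate in python python2 python3; do
        probe "$candidate" "$1"
    done
}

# interpreters_with MODULE -> space-separated names under which MODULE imports
interpreters_with() {
    report "$1" | awk '$NF ~ /=yes$/ { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Usage: sh pycheck.sh netifaces
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

Whichever name reports `=yes` is the one to use when starting a script that needs the module.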

1 hour ago, dark_pyrro said:

This is most likely due to the fact that Python 3 was installed using apt before you built Python3 from source. I would recommend purging the version installed using apt, or simply do a factory reset to start with a clean slate and not install Python 3 using apt, but only build the relevant version for Responder.

If my memory is correct the 'apt'-version of Python3 was automatically installed as a dependency for one of these deb-packages:

build-essential libgdbm-dev libnss3-dev libffi-dev gcc

I just tried to download the old / deprecated "responder.deb", moved it to the mounted "tools"-directory with the BB MK II in "arming"-mode and then put the "QuickCreds" "payload.txt" into "Switch1" and it works.

So I thank you for all your help and will close this for now, it works as intended and I'll revisit this in the future.

Link to comment
Share on other sites

I wouldn't agree to the fact that Python 3 is installed as a dependency when just installing the mentioned packages. I would have noted that when I was working on the previously linked instruction on how to get a more recent version of Impacket on the Bunny. I did quite a lot of iterations before I had sorted out all the issues that were involved in getting that working so it would have been quite obvious that any Python 3 version installed by apt would need to be removed first (and that would be a part of the instruction in that case).

When you say that the older responder.deb works; does it work in the way that it just runs or do you get NTLM hashes from a target? What OS is the target running in that case? A fully updated Windows 10 or 11? Just curious.


10 hours ago, dark_pyrro said:

I wouldn't agree to the fact that Python 3 is installed as a dependency when just installing the mentioned packages. I would have noted that when I was working on the previously linked instruction on how to get a more recent version of Impacket on the Bunny. I did quite a lot of iterations before I had sorted out all the issues that were involved in getting that working so it would have been quite obvious that any Python 3 version installed by apt would need to be removed first (and that would be a part of the instruction in that case).

When you say that the older responder.deb works; does it work in the way that it just runs or do you get NTLM hashes from a target? What OS is the target running in that case? A fully updated Windows 10 or 11? Just curious.

You are right, I had to have gotten Python3 as a dependency for something else:

root@bunny:~/loot/quickcreds/my-hostname# apt install build-essential libgdbm-dev libnss3-dev libffi-dev gcc
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  fonts-dejavu-core libdrm-freedreno1 libdrm-radeon1 libdrm2 libelf1 libfontenc1 libgl1-mesa-glx
  libglapi-mesa libice6 libjs-bowser libjs-events libjs-inherits libjs-is-typedarray libjs-merge
  libjs-rtcninja libjs-sdp-transform libjs-typedarray-to-buffer libjs-util libllvm3.5 libsm6
  libtxc-dxtn-s2tc0 libutempter0 libuv1-dev libx11-xcb1 libxaw7 libxcb-dri2-0 libxcb-dri3-0
  libxcb-glx0 libxcb-present0 libxcb-shape0 libxcb-sync1 libxcomposite1 libxdamage1 libxfixes3
  libxi6 libxinerama1 libxmu6 libxpm4 libxrandr2 libxrender1 libxshmfence1 libxss1 libxt6 libxtst6
  libxv1 libxxf86dga1 libxxf86vm1 node-bowser node-debug node-events node-inherits
  node-is-typedarray node-merge node-nan node-rtcninja node-sdp-transform
  node-typedarray-to-buffer node-util x11-common xbitmaps
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
  bzip2 cpp cpp-4.9 dpkg-dev fakeroot g++ g++-4.9 gcc-4.9 libalgorithm-diff-perl
  libalgorithm-diff-xs-perl libalgorithm-merge-perl libasan1 libatomic1 libcloog-isl4 libdpkg-perl
  libfakeroot libfile-fcntllock-perl libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libnspr4
  libnspr4-dev libnss3 libstdc++-4.9-dev libtimedate-perl libubsan0 patch
Suggested packages:
  bzip2-doc cpp-doc gcc-4.9-locales debian-keyring gcc-4.9-doc libstdc++6-4.9-dbg gcc-multilib
  autoconf automake libtool flex bison gdb gcc-doc libgcc1-dbg libgomp1-dbg libitm1-dbg
  libatomic1-dbg libasan1-dbg liblsan0-dbg libtsan0-dbg libubsan0-dbg libcilkrts5-dbg
  libquadmath-dbg libstdc++-4.9-doc ed diffutils-doc
The following NEW packages will be installed:
  build-essential bzip2 cpp cpp-4.9 dpkg-dev fakeroot g++ g++-4.9 gcc gcc-4.9
  libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl libasan1 libatomic1
  libcloog-isl4 libdpkg-perl libfakeroot libffi-dev libfile-fcntllock-perl libgcc-4.9-dev
  libgdbm-dev libgomp1 libisl10 libmpc3 libmpfr4 libnspr4 libnspr4-dev libnss3 libnss3-dev
  libstdc++-4.9-dev libtimedate-perl libubsan0 patch
0 upgraded, 34 newly installed, 0 to remove and 0 not upgraded.
Need to get 1700 kB/28.0 MB of archives.
After this operation, 68.9 MB of additional disk space will be used.
Do you want to continue? [Y/n]

Using Responder 2.3.3.6 (the "deb"-version) on:
Windows 11 Pro Ver 22H2 (OS Build: 22621.1413)
Windows 10 Home Ver 22H2 (OS Build: 19045.2006)
returns an NTLMv2-hash and the other log-files in "/loot/quickcreds/<hostname>/"

Edited by InfiniteBSOD

  • 5 months later...
On 3/21/2023 at 3:54 AM, dark_pyrro said:

I wouldn't agree to the fact that Python 3 is installed as a dependency when just installing the mentioned packages. I would have noted that when I was working on the previously linked instruction on how to get a more recent version of Impacket on the Bunny. I did quite a lot of iterations before I had sorted out all the issues that were involved in getting that working so it would have been quite obvious that any Python 3 version installed by apt would need to be removed first (and that would be a part of the instruction in that case).

When you say that the older responder.deb works; does it work in the way that it just runs or do you get NTLM hashes from a target? What OS is the target running in that case? A fully updated Windows 10 or 11? Just curious.

Just wanted to chime in here for the folks following along at home. I followed your instructions (stopping at installing Rust) for Impacket (just to get Python 3 built), and I also had the same issues with Responder that InfiniteBSOD had. (Same failures with DumpHash.py and Responder.py.) I ensured Netifaces was installed with Python 3, I never installed Python 3 beforehand (clean install), and I verified that I followed all the steps accurately.

So it would seem there is either a fundamental mistake with the instruction, or an issue with Responder compatibility, or something else I'm not considering.
