InfiniteBSOD Posted March 5, 2023

Hello,

First off: Yes, I've read the "Tools" instructions here: Bash Bunny by Hak5

1) Is the "Responder" deb-file mentioned here (post from May 10th 2017): or here (uploaded on GitHub on April 6th 2017): the latest one?

I'm running what I guess is "BashBunny MK I" (a gift from a friend, EAN printed on back is "811342030040") since the "version.txt" reads:

    1.7_332

and according to the firmware guide here: Updating the Bash Bunny Firmware - Bash Bunny (hak5.org) "MK II" ships with F/W "1.7", so I gather the device is a "MK II"; a black unbranded plastic cover with a mSDHC-slot.

3) Now I've:
* Used the instructions here to share my computer's (Windows) internet connection with the BashBunny: Sharing an Internet connection from Windows - Bash Bunny (hak5.org) and ran:

    apt-get update; apt-get upgrade

* Cloned this repo and replaced the files on the BashBunny with the extracted files, replacing the originals: GitHub - hak5/bashbunny-payloads: The Official Bash Bunny Payload Repository

2) Regardless of which ".deb"-file I download in my 1st question I proceed to:
* Put BashBunny in "arming"-mode
* Drag'n'drop the ".deb"-file to <driveletter>\tools (ex. D:\tools)
* Eject BashBunny
* Re-insert BashBunny > LED flashes magenta > "deb"-file is gone from <driveletter>\tools and that directory is empty
* Even if I use "Putty" and connect to the BashBunny using serial (instructions below) the directory: /tools is empty.

Link to connecting using "Putty" while in "arming"-mode on Windows: Bash Bunny by Hak5

What am I missing?

Best Regards

dark_pyrro Posted March 5, 2023

1) It's the latest Responder deb file made available for the Bunny (I'm just referring to the one from Hak5, not deb files from any other unknown source). However, it's really old and not the latest Responder available from the official repo on GitHub. Things have happened since 2017, so in order to be successful it's important to use the latest release possible.

2) This method should work and it seems as if it does, but, if you can't see any directory in /tools (that is the "real" /tools in the root of the internal Bunny file system, not on the udisk that is mounted to the target in arming mode) then something isn't working as it should for some reason. In any way, what you will get when using that deb file is just an old version of Responder that will most likely not work that well for you. The latest combo that has worked for me (and still works) is using Python 3.7.9 and Responder 3.0.7.0 along with the Quickcreds payload.

3) Not that much to comment here

Comment on the Bunny you are using; it's not a Mark 1 Bunny if it has a Micro SD card slot. Only the Mark 2 Bunny has that feature.

Also use the latest documentation as reference, the one you are linking is old and deprecated (even though most of it is the same, at least for the Mark 1 Bunny).
https://docs.hak5.org/bash-bunny/

InfiniteBSOD (Author) Posted March 14, 2023

On 3/5/2023 at 10:12 PM, dark_pyrro said:
> 1) It's the latest Responder deb file made available for the Bunny (I'm just referring to the one from Hak5, not deb files from any other unknown source). However, it's really old and not the latest Responder available from the official repo on GitHub. Things have happened since 2017, so in order to be successful it's important to use the latest release possible.
>
> 2) This method should work and it seems as if it does, but, if you can't see any directory in /tools (that is the "real" /tools in the root of the internal Bunny file system, not on the udisk that is mounted to the target in arming mode) then something isn't working as it should for some reason. In any way, what you will get when using that deb file is just an old version of Responder that will most likely not work that well for you. The latest combo that has worked for me (and still works) is using Python 3.7.9 and Responder 3.0.7.0 along with the Quickcreds payload.
>
> 3) Not that much to comment here
>
> Comment on the Bunny you are using; it's not a Mark 1 Bunny if it has a Micro SD card slot. Only the Mark 2 Bunny has that feature.
>
> Also use the latest documentation as reference, the one you are linking is old and deprecated (even though most of it is the same, at least for the Mark 1 Bunny).
> https://docs.hak5.org/bash-bunny/

Thank you for your reply and sorry for my late reply.

(Before the more simplified process below I did a reset of the BashBunny MK II as per here) and ran:

    apt-get update
    apt-get upgrade

however no packages were updated and my language pack is still on the BashBunny but my previously created folders ("/home/downloads/xyz" etc.) are gone.

I've been trying to get this sorted and I guess I've gone about it way too complicated than it has to be:

1) Downloaded the latest version of Responder (3.1.3.0):

    wget https://github.com/lgandx/Responder/archive/refs/tags/v3.1.3.0.tar.gz
    tar -xvzf v3.1.3.0.tar.gz
    rm v3.1.3.0.tar.gz

2) While in the extracted folder for "Responder-3.1.3.0":

    ./Responder.py
    /usr/bin/env: python3: No such file or directory

Ok so

    python --version

returns:

    Python 2.7.9

Ok I need to install Python 3:

Following this post: python 3.7.3 install on debian jessie - Constantly Outdated (kitabi.eu) fails on step 1 (install dependencies):

    apt-get install libreadline-gplv2-dev libncursesw5-dev libssl-dev libsqlite3-dev tk-dev libgdbm-dev libc6-dev libbz2-dev

with:

    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    libc6-dev is already the newest version.
    libc6-dev set to manually installed.
    libssl-dev is already the newest version.
    libsqlite3-dev is already the newest version.
    Some packages could not be installed. This may mean that you have
    requested an impossible situation or if you are using the unstable
    distribution that some required packages have not yet been created
    or been moved out of Incoming.
    The following information may help to resolve the situation:

    The following packages have unmet dependencies:
     libncursesw5-dev : Depends: libtinfo5 (= 5.9+20140913-1+deb8u3) but 6.0+20161126-1+deb9u2 is to be installed
                        Depends: libncursesw5 (= 5.9+20140913-1+deb8u3) but 6.0+20161126-1+deb9u2 is to be installed
                        Depends: libtinfo-dev (= 5.9+20140913-1+deb8u3) but it is not going to be installed
     libreadline-gplv2-dev : Depends: libtinfo-dev but it is not going to be installed
    E: Unable to correct problems, you have held broken packages

Ok so "libtinfo-dev" seems to hold up the dependencies.

"libtinfo-dev" in turn seems to have a dependency of: "libtinfo5"

dark_pyrro Posted March 14, 2023

You can follow the instructions on building Python3 on the Bunny that I have documented in my Codeberg repo
https://codeberg.org/dark_pyrro/BB2-Impacket/wiki/Setting-the-Bunny-up-for-Impacket

InfiniteBSOD (Author) Posted March 14, 2023

Gah. I can't edit my post above.

"libtinfo5" seems to already be at its most current version.

    apt --fix-missing update
    apt update
    apt install -f
    apt autoremove -y
    apt upgrade -y

does nothing.

InfiniteBSOD (Author) Posted March 14, 2023

2 minutes ago, dark_pyrro said:
> You can follow the instructions on building Python3 on the Bunny that I have documented in my Codeberg repo
> https://codeberg.org/dark_pyrro/BB2-Impacket/wiki/Setting-the-Bunny-up-for-Impacket

I love you. I will try this tomorrow and report back.

InfiniteBSOD (Author) Posted March 15, 2023

On 3/14/2023 at 8:49 PM, InfiniteBSOD said:
> I love you. I will try this tomorrow and report back.

Tried it!

    apt-get clean
    apt update

returns:

    W: GPG error: http://httpredir.debian.org jessie Release: The following signatures were invalid: KEYEXPIRED 1668891673
    W: GPG error: http://archive.debian.org jessie-backports InRelease: The following signatures were invalid: KEYEXPIRED 1587841717 KEYEXPIRED 1668891673
    W: There is no public key available for the following key IDs: 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9

    apt install build-essential

returns:

    WARNING: The following packages cannot be authenticated!
      libasan1 libatomic1 libisl10 libcloog-isl4 libgomp1 libmpfr4 libubsan0 libmpc3 bzip2 patch cpp-4.9 cpp libgcc-4.9-dev gcc-4.9 gcc libstdc++-4.9-dev g++-4.9 g++ libtimedate-perl libdpkg-perl dpkg-dev build-essential libfakeroot fakeroot libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl libfile-fcntllock-perl

    apt install libgdbm-dev

returns:

    WARNING: The following packages cannot be authenticated!
      libgdbm-dev

    apt install libnss3-dev

returns:

    WARNING: The following packages cannot be authenticated!
      libnspr4 libnss3 libnspr4-dev libnss3-dev

    apt install libffi-dev

returns:

    WARNING: The following packages cannot be authenticated!
      libffi-dev

    apt install gcc
    cd /root
    mkdir python3
    cd python3
    wget https://www.python.org/ftp/python/3.7.9/Python-3.7.9.tar.xz
    tar -xvf Python-3.7.9.tar.xz
    rm Python-3.7.9.tar.xz
    cd Python-3.7.9
    ls
    pwd

returns:

    /root/python3/Python-3.7.9

    mkdir /root/python3/openssl_compiled
    cd ..
    pwd

returns:

    /root/python3

    wget --no-check-certificate https://www.openssl.org/source/openssl-3.0.0.tar.gz
    tar -xvf openssl-3.0.0.tar.gz
    rm openssl-3.0.0.tar.gz
    cd openssl-3.0.0
    timedatectl set-time 'YYYY-MM-DD HH:MM:SS'

in my case:

    timedatectl set-time '2023-03-15 19:44:00'

    timedatectl list-timezones | grep 'continent'

in my case:

    timedatectl list-timezones | grep 'Europe'

    timedatectl set-timezone <current-timezone>

in my case:

    timedatectl set-timezone Europe/Stockholm

    pwd

returns:

    /root/python3/openssl-3.0.0

    ./config --prefix=/root/python3/openssl_compiled --openssldir=/root/python3/openssl_compiled -Wl,-Bsymbolic-functions -fPIC shared

returns:

    Configuring OpenSSL version 3.0.0 for target linux-armv4
    Using os-specific seed configuration
    Creating configdata.pm
    Running configdata.pm
    Creating Makefile.in
    Creating Makefile

    **********************************************************************
    ***                                                                ***
    ***   OpenSSL has been successfully configured                     ***
    ***                                                                ***
    ***   If you encounter a problem while building, please open an    ***
    ***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
    ***   and include the output from the following command:           ***
    ***                                                                ***
    ***       perl configdata.pm --dump                                ***
    ***                                                                ***
    ***   (If you are new to OpenSSL, you might want to consult the    ***
    ***   'Troubleshooting' section in the INSTALL.md file first)      ***
    ***                                                                ***
    **********************************************************************

    make

returns:

    <too-much-output>

but ends with:

    make[1]: Leaving directory '/root/python3/openssl-3.0.0'

    make test

returns:

    Test Summary Report
    -------------------
    80-test_ssl_new.t (Wstat: 256 Tests: 30 Failed: 1)
      Failed test: 12
      Non-zero exit status: 1
    Files=241, Tests=3273, 3751 wallclock secs (63.34 usr 2.77 sys + 3374.59 cusr 241.08 csys = 3681.78 CPU)
    Result: FAIL

Will troubleshoot this tomorrow

dark_pyrro Posted March 15, 2023

It should work, I know since I've done it several times. Time may change things though, so what was working a bit back in time may not work now.

The apt stuff is most likely because of the fact that Jessie is old nowadays and it's not strange that such errors would occur. Getting a more recent debian-archive-keyring package could solve it and/or edit the sources.list file. Or, use apt-key to import keys from a key server (if available).
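
Before choosing between a newer debian-archive-keyring, a sources.list edit or a key import, it helps to know which archive keys expired and which are simply missing. The following is an added example, not part of the original thread: it parses `apt update` warnings into one finding per line; the function names are hypothetical and the sample input is the three warning lines copied from the post above.

```sh
#!/bin/sh
# Triage apt signature warnings: which archive keys expired (and when),
# and which key IDs apt has no public key for.
# Function names are hypothetical (this example's own).

# Sample input: the warnings quoted in the thread, copied verbatim.
SAMPLE_APT_OUTPUT='W: GPG error: http://httpredir.debian.org jessie Release: The following signatures were invalid: KEYEXPIRED 1668891673
W: GPG error: http://archive.debian.org jessie-backports InRelease: The following signatures were invalid: KEYEXPIRED 1587841717 KEYEXPIRED 1668891673
W: There is no public key available for the following key IDs: 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9'

# Convert a Unix epoch to YYYY-MM-DD (UTC). Falls back to the raw epoch
# when the local date(1) does not understand "-d @N".
epoch_to_date() {
    date -u -d "@$1" +%Y-%m-%d 2>/dev/null || printf '%s\n' "$1"
}

# Read apt output on stdin and print one finding per line:
#   EXPIRED <repo-url> <suite> <expiry-epoch> <expiry-date>
#   NO_PUBKEY <key-id>
triage_apt_gpg() {
    awk '
    /^W: GPG error: / {
        # Fields: W: GPG error: <url> <suite> <Release|InRelease>: ...
        ids = 0
        repo = $4; suite = $5
        for (i = 6; i < NF; i++) {
            if ($i == "KEYEXPIRED") print "EXPIRED", repo, suite, $(i + 1)
            if ($i == "NO_PUBKEY")  print "NO_PUBKEY", $(i + 1)
        }
        next
    }
    /^W: There is no public key available/ { ids = 1 }
    ids {
        # Key IDs are 16 hex digits, on this line or on the lines after it.
        found = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9A-F]+$/ && length($i) == 16) {
                print "NO_PUBKEY", $i
                found = 1
            }
        if (!found) ids = 0
    }
    ' | while read -r kind a b c; do
        if [ "$kind" = EXPIRED ]; then
            printf 'EXPIRED %s %s %s %s\n' "$a" "$b" "$c" "$(epoch_to_date "$c")"
        else
            printf 'NO_PUBKEY %s\n' "$a"
        fi
    done
}

# Demo on the sample; on the device: apt update 2>&1 | triage_apt_gpg
printf '%s\n' "$SAMPLE_APT_OUTPUT" | triage_apt_gpg
```

Packages installed while these warnings are present are the ones apt reports as "cannot be authenticated", so the findings also show which repositories are being trusted without a valid signature.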

InfiniteBSOD (Author) Posted March 19, 2023

On 3/15/2023 at 10:48 PM, dark_pyrro said:
> It should work, I know since I've done it several times. Time may change things though, so what was working a bit back in time may not work now.
>
> The apt stuff is most likely because of the fact that Jessie is old nowadays and it's not strange that such errors would occur. Getting a more recent debian-archive-keyring package could solve it and/or edit the sources.list file. Or, use apt-key to import keys from a key server (if available).

Thank you for your help and your guide, helped me a lot!

I reset my BB MK II: Factory Reset - Bash Bunny (hak5.org) then did this:

///

1) Set your BashBunny MK II (w. mSDHC-slot) to share your computer's internet connection:
https://docs.hak5.org/bash-bunny/internet-connectivity/sharing-an-internet-connection-from-windows

2) SSH into the BB MK II by using an SSH-terminal (ex. Bitvise SSH Client) and connect to:

    172.16.64.1
    User: root
    Password: hak5bunny

** All commands below are in the SSH-terminal **

3) Set time and date (and timezone).

Execute:

    timedatectl set-time 'YYYY-MM-DD HH:MM:SS'

in my case:

    timedatectl set-time '2023-03-19 18:14:00'

Execute:

    timedatectl list-timezones | grep 'continent'

in my case:

    timedatectl list-timezones | grep 'Europe'

Execute:

    timedatectl set-timezone <current-timezone>

in my case:

    timedatectl set-timezone Europe/Stockholm

4) Install necessary build-packages.

Execute:

    apt update
    apt install build-essential libgdbm-dev libnss3-dev libffi-dev gcc

5) Create a directory for all the files which will be downloaded and built and enter it.

Execute:

    mkdir /root/build-dir
    cd /root/build-dir

6) Download, untar and remove the zip for OpenSSL (latest version as per this post 2023-03-18 is '3.1.0').

Execute:

    wget https://www.openssl.org/source/openssl-3.1.0.tar.gz
    tar -xvf openssl-3.1.0.tar.gz
    rm openssl-3.1.0.tar.gz
    mkdir openssl-3.1.0_compiled
    cd openssl-3.1.0

7) Build and install OpenSSL 3.1.0.

Source: https://docs.python.org/3.11/using/unix.html#custom-openssl

Locate current OpenSSL.

Execute:

    find /etc/ -name openssl.cnf -printf "%h\n"

in my case it was "/etc/ssl" which concerns the directory I enter for "--openssldir=".

Execute:

    ./config \
        --prefix=/home/build-dir/openssl-3.1.0_compiled \
        --libdir=lib \
        --openssldir=/etc/ssl

should return:

    Configuring OpenSSL version 3.1.0 for target linux-armv4
    Using os-specific seed configuration
    Created configdata.pm
    Running configdata.pm
    Created Makefile.in
    Created Makefile
    Created include/openssl/configuration.h

    **********************************************************************
    ***                                                                ***
    ***   OpenSSL has been successfully configured                     ***
    ***                                                                ***
    ***   If you encounter a problem while building, please open an    ***
    ***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
    ***   and include the output from the following command:           ***
    ***                                                                ***
    ***       perl configdata.pm --dump                                ***
    ***                                                                ***
    ***   (If you are new to OpenSSL, you might want to consult the    ***
    ***   'Troubleshooting' section in the INSTALL.md file first)      ***
    ***                                                                ***
    **********************************************************************

Execute (official documentation suggests "-j1" which is 1 core, BB MK II has 4 cores therefore "-j4"):

    make -j4 depend

Execute (official documentation suggests "-j8" which is 1 core, BB MK II has 4 cores therefore "-j4"):

    make -j4

should end with:

    make[1]: Leaving directory '/root/build-dir/openssl-3.1.0'

Execute:

    make install_sw

8) Download, untar and remove the zip for Python3 (latest version as per this post 2023-03-18 is '3.11.2').

Execute:

    wget https://www.python.org/ftp/python/3.11.2/Python-3.11.2.tgz
    tar -xvf Python-3.11.2.tgz
    rm Python-3.11.2.tgz
    mkdir Python-3.11.2_compiled
    cd Python-3.11.2

9) Build and install Python 3.11.2.

Source: https://docs.python.org/3.11/using/unix.html#custom-openssl

Execute:

    ./configure -C \
        --with-openssl=/home/build-dir/openssl-3.1.0_compiled \
        --with-openssl-rpath=auto \
        --prefix=/home/build-dir/Python-3.11.2_compiled

Execute (official documentation suggests "-j8" which is 1 core, BB MK II has 4 cores therefore "-j4"):

    make -j4

Execute:

    make altinstall

Add directory to path:

    cd ~
    nano .bashrc
    export PATH=/home/build-dir/Python-3.11.2:$PATH
    . .bashrc

10) Download and install 'netifaces' (requirement for Responder) through pip.

Execute:

    python -m pip install netifaces

11) Upgrade 'pip'.

    pip3.11 install --upgrade pip

12) Download, untar and remove the zip for Responder (latest version as per this post 2023-03-18 is '3.1.3.0').

Execute:

    wget https://github.com/lgandx/Responder/archive/refs/tags/v3.1.3.0.tar.gz
    tar -xvf v3.1.3.0.tar.gz
    rm v3.1.3.0.tar.gz

13) Launch Responder.

    cd /root/build-dir/Responder-3.1.3.0
    python ./Responder.py

should return:

                                             __
      .----.-----.-----.-----.-----.-----.--|  |.-----.----.
      |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
      |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                       |__|

               NBT-NS, LLMNR & MDNS Responder 3.1.3.0

      To support this project:
      Patreon -> https://www.patreon.com/PythonResponder
      Paypal  -> https://paypal.me/PythonResponder

      Author: Laurent Gaffie (laurent.gaffie@gmail.com)
      To kill this script hit CTRL-C

    Error: -I <if> mandatory option is missing

launching 'DumpHash.py' with:

    python ./DumpHash.py

returns:

    Dumping NTLMV2 hashes:
    Traceback (most recent call last):
      File "/root/build-dir/Responder-3.1.3.0/./DumpHash.py", line 43, in <module>
        v2 = GetResponderCompleteNTLMv2Hash(cursor)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/root/build-dir/Responder-3.1.3.0/./DumpHash.py", line 28, in GetResponderCompleteNTLMv2Hash
        res = cursor.execute("SELECT fullhash FROM Responder WHERE type LIKE '%v2%' AND UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder)")
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    sqlite3.OperationalError: no such table: Responder

///

So I guess that a payload should be in 'Switch Position 1' which invokes 'DumpHash.py' and then 'QuickCreds' should be in 'Switch Position 2'?

dark_pyrro Posted March 19, 2023

38 minutes ago, InfiniteBSOD said:
> So I guess that a payload should be in 'Switch Position 1' which invokes 'DumpHash.py' and then 'QuickCreds' should be in 'Switch Position 2'?

Not quite sure what you mean by that. You let the Bunny run whatever payload is available in the switch position you select. If you select switch position 1, it will run the payload in the switch1 payload directory. And the same logic for switch2.

If you haven't purged Python 2 (or created some symlink that starts Python 3 when typing "python"), you should start Responder with python3 specifically, otherwise Responder will start with Python 2.

InfiniteBSOD (Author) Posted March 20, 2023

21 hours ago, dark_pyrro said:
> Not quite sure what you mean by that. You let the Bunny run whatever payload is available in the switch position you select. If you select switch position 1, it will run the payload in the switch1 payload directory. And the same logic for switch2.
>
> If you haven't purged Python 2 (or created some symlink that starts Python 3 when typing "python"), you should start Responder with python3 specifically, otherwise Responder will start with Python 2.

I think I am nearly there!

I renamed the "Responder-3.1.3.0" folder to "responder" and moved it to the "/tools/" when accessing the BB MK II through SSH and put the "payload.txt" for "QuickCreds" in the "Switch1" folder.

I also SSH:ed into the BB MK II and ran "chmod a+x ./responder.py" while in the "/tools/responder/"-directory.

I set the network adapter for the BB MK II to "Automatic" instead of the static IP I used (172.16.64.64/24) to be able to SSH into it.

Here is what I see when inserting the BB MK II using "Switch1":

* Solid green
* Solid magenta ("purple") [Row 27 below]
* Blinking green [Row ??]

Even after ~ 5min it's still blinking green.

According to the code for "QuickCreds" here: bashbunny-payloads/payload.txt at master · hak5/bashbunny-payloads (github.com) and the legend for LEDs for BB here: LED - Bash Bunny (hak5.org)

* Row 27 - "# Setup attack" = LED SETUP = Magenta solid
* Row 56 - "# Set LED yellow, run attack" = LED ATTACK = Yellow single blink
* Row 80 = "# Light turns green - trap is clean." = LED FINISH = Green very fast blink followed by solid green

When setting the BB MK II into "arming mode" and checking the mounted "<driveletter>\loot\quickcreds\" I can see a subfolder with the hostname of my host but no files in it.

Any idea? Feels that I'm really close now, thanks to your help 🙂

Update:

Row 63 =

    python Responder.py -I usb0 $RESPONDER_OPTIONS &

if I SSH and try to run "Responder.py":

    root@bunny:/tools/responder# ./Responder.py
    You need to install python-netifaces or run Responder with python3...
    Try "apt-get install python-netifaces" or "pip install netifaces"

OK not specifying "python" makes it default to "python2" instead of "python3" however running:

    root@bunny:/tools/responder# python ./Responder.py

returns:

                                             __
      .----.-----.-----.-----.-----.-----.--|  |.-----.----.
      |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
      |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                       |__|

               NBT-NS, LLMNR & MDNS Responder 3.1.3.0

      To support this project:
      Patreon -> https://www.patreon.com/PythonResponder
      Paypal  -> https://paypal.me/PythonResponder

      Author: Laurent Gaffie (laurent.gaffie@gmail.com)
      To kill this script hit CTRL-C

    Error: -I <if> mandatory option is missing

So just like row 63 in "QuickCreds" it should start "responder" w. Python3?

dark_pyrro Posted March 20, 2023

The LED sequence seems a bit odd. It shouldn't do it that way if either succeeding or failing (failing not equal to "LED FAIL" as per the payload script, but failing to get loot).

I guess that Responder fails due to the fact that the payload is using a Responder command line option that is deprecated if I remember it correctly ==> "-r". If you run Responder manually and include the option "-r", it will abort. That could be the reason why the loot directory is created (since that is happening before Responder is executed), but nothing else happens. If Responder was successful in running the payload, it would blink yellow until it got some loot (i.e. some file named something including "NTLM").

InfiniteBSOD (Author) Posted March 20, 2023

32 minutes ago, dark_pyrro said:
> The LED sequence seems a bit odd. It shouldn't do it that way if either succeeding or failing (failing not equal to "LED FAIL" as per the payload script, but failing to get loot).
>
> I guess that Responder fails due to the fact that the payload is using a Responder command line option that is deprecated if I remember it correctly ==> "-r". If you run Responder manually and include the option "-r", it will abort. That could be the reason why the loot directory is created (since that is happening before Responder is executed), but nothing else happens. If Responder was successful in running the payload, it would blink yellow until it got some loot (i.e. some file named something including "NTLM").

Tried executing Responder.py manually:

    root@bunny:/tools/responder# python Responder.py -I usb0 -w -d -P -v

returns:

    <some-omitted-stuff>
    [!] Error starting SSL server on port 5986, check permissions or other servers running.
    [!] Error starting SSL server on port 443, check permissions or other servers running.

while looking which services that use "5986" or "443":

    root@bunny:/tools/responder# netstat -lnpt
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      430/sshd
    tcp6       0      0 :::22                   :::*                    LISTEN      430/sshd

it seems no services are.

In regards to "-r" being deprecated that seems to be the case:

    root@bunny:/tools/responder# python Responder.py -I usb0 -w -d -r -P -v
                                             __
      .----.-----.-----.-----.-----.-----.--|  |.-----.----.
      |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
      |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                       |__|

               NBT-NS, LLMNR & MDNS Responder 3.1.3.0

      To support this project:
      Patreon -> https://www.patreon.com/PythonResponder
      Paypal  -> https://paypal.me/PythonResponder

      Author: Laurent Gaffie (laurent.gaffie@gmail.com)
      To kill this script hit CTRL-C

    Usage: python Responder.py -I eth0 -w -d
    or:
    python Responder.py -I eth0 -wd

    Responder.py: error: no such option: -r

removed -r references · lgandx/Responder@03fa9a7 (github.com)

dark_pyrro Posted March 20, 2023

I quote myself

22 hours ago, dark_pyrro said:
> If you haven't purged Python 2 (or created some symlink that starts Python 3 when typing "python"), you should start Responder with python3 specifically, otherwise Responder will start with Python 2.

If you use "python" only, you should under normal circumstances be starting Python 2 on the Bunny. To use Python 3 you need to specify it when starting Responder, i.e. use "python3" (both manually at the command line or in the payload script), not just "python". There is a shebang on the first line of the Responder.py file that could/should make the script use python3. Better though to start Responder with python3 from command line to be sure it is used.

dark_pyrro Posted March 20, 2023

Also make sure you install netifaces for the correct Python environment (not for Python 2).

dark_pyrro Posted March 20, 2023

To really make sure netifaces is installed and available for Python 3, then enter the Python 3 prompt, by running:

    python3

Enter:

    import netifaces

There should be no error message(s) if netifaces is installed correctly for Python 3

Just to test it further, list available interfaces:

    netifaces.interfaces()
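
The check described above can be run for every interpreter name at once, together with the interpreter a script's shebang would pick. This is an added example, not part of the original thread and not code from Hak5 or Responder: the function names are hypothetical, and the only facts taken from the thread are the interpreter names, the `netifaces` module and the `/tools/responder/Responder.py` path in the usage comment.

```sh
#!/bin/sh
# Report which interpreter each invocation form really starts and whether
# a required module imports there. Function names are hypothetical.

# Print the interpreter that "./SCRIPT" would start, following
# "#!/usr/bin/env NAME" through the current PATH.
# Prints "no-shebang" or "unresolved:NAME" (and returns 1) on failure.
shebang_target() {
    st_first=$(head -n 1 "$1" 2>/dev/null) || return 2
    case "$st_first" in
        '#!'*) ;;
        *) echo "no-shebang"; return 1 ;;
    esac
    set -- ${st_first#??}          # words after "#!"
    st_interp=${1:-}
    if [ "${st_interp##*/}" = env ]; then
        shift
        # Skip env options (e.g. -S) to reach the command name.
        while [ $# -gt 0 ]; do
            case "$1" in -*) shift ;; *) break ;; esac
        done
        st_interp=${1:-}
        st_path=$(command -v "$st_interp" 2>/dev/null) || {
            echo "unresolved:$st_interp"; return 1; }
        echo "$st_path"
    elif [ -x "$st_interp" ]; then
        echo "$st_interp"
    else
        echo "unresolved:$st_interp"; return 1
    fi
}

# Succeeds only if INTERPRETER can import MODULE.
module_available() {
    "$1" -c "import $2" >/dev/null 2>&1
}

# audit_interpreters MODULE NAME...
# One line per name: "<name> <path> [<version>] <module>=yes|no"
# or "<name> missing" when the name is not on the PATH.
audit_interpreters() {
    ai_module=$1; shift
    for ai_name in "$@"; do
        ai_path=$(command -v "$ai_name" 2>/dev/null) || {
            printf '%s missing\n' "$ai_name"; continue; }
        # Python 2 prints its version on stderr, Python 3 on stdout.
        ai_version=$("$ai_path" --version 2>&1 | head -n 1)
        if module_available "$ai_path" "$ai_module"; then
            ai_has=yes
        else
            ai_has=no
        fi
        printf '%s %s [%s] %s=%s\n' \
            "$ai_name" "$ai_path" "$ai_version" "$ai_module" "$ai_has"
    done
}

# Demo: the three names used in the thread.
audit_interpreters netifaces python python2 python3
# On the device, for the script itself:
#   shebang_target /tools/responder/Responder.py
```

A payload line that calls `python`, a manual `python3` and a direct `./Responder.py` can each resolve to a different interpreter; only the one reported with `netifaces=yes` will start Responder.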

InfiniteBSOD (Author) Posted March 20, 2023

26 minutes ago, dark_pyrro said:
> To really make sure netifaces is installed and available for Python 3, then enter the Python 3 prompt, by running:
>
>     python3
>
> Enter:
>
>     import netifaces
>
> There should be no error message(s) if netifaces is installed correctly for Python 3
>
> Just to test it further, list available interfaces:
>
>     netifaces.interfaces()

    root@bunny:~# python --version
    Python 3.11.2
    root@bunny:~# python3 --version
    Python 3.4.2

so I'm unsure why python3 leads to 3.4.2 and not 3.11.2 and python leads to 3.11.2. I guess python should lead to python2 and python3 should lead to 3.11.2 although:

    root@bunny:~# which python
    /root/build-dir/Python-3.11.2/python
    root@bunny:~# which python3
    /usr/bin/python3
    root@bunny:~# which python2
    /usr/bin/python2

    root@bunny:~# python
    Python 3.11.2 (main, Mar 19 2023, 19:58:51) [GCC 4.9.2] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> help('modules')

    Please wait a moment while I gather a list of all available modules...

    test_sqlite3: testing with version '2.6.0', sqlite_version '3.8.7.1'
    /home/build-dir/Python-3.11.2_compiled/lib/python3.11/site-packages/_distutils_hack/__init__.py:33: UserWarning: Setuptools is replacing distutils.
      warnings.warn("Setuptools is replacing distutils.")

    Enter any module name to get more help. Or, type "modules spam" to search
    for modules whose name or summary contain the string "spam".

    >>> netifaces.interfaces()
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    NameError: name 'netifaces' is not defined
    >>> import netifaces
    >>> netifaces.interfaces()
    ['lo', 'eth0', 'tunl0', 'gre0', 'sit0', 'ip6tnl0', 'usb0']

'netifaces' should be installed for python (a.k.a. 3.11.2)
dark_pyrro Posted March 20, 2023

This is most likely due to the fact that Python 3 was installed using apt before you built Python3 from source. I would recommend purging the version installed using apt, or simply do a factory reset to start with a clean slate and not install Python 3 using apt, but only build the relevant version for Responder.
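The mismatch discussed above (`python` resolving to the source build while `python3` resolves to the apt build) can be checked directly. This is an added example, not code from the thread or from Hak5: a POSIX shell helper that reports which interpreter a command name or a script's shebang resolves to, and whether `netifaces` imports under that interpreter. All function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Answers: which interpreter does a name or a script's shebang really run,
# and can that interpreter import the module (here: netifaces)?

# Print the command named by FILE's shebang: "python3" for
# "#!/usr/bin/env python3", "/usr/bin/python3" for "#!/usr/bin/python3 -E".
shebang_interp() (
    IFS= read -r first < "$1" || [ -n "$first" ] || exit 1
    case $first in '#!'*) ;; *) exit 1 ;; esac
    first=$(printf '%s' "${first#??}" | tr -d '\r')   # drop "#!" and any CR
    set -f                      # no globbing while splitting the line
    set -- $first
    [ "${1##*/}" = env ] && shift
    while [ "${1#-}" != "$1" ]; do shift; done        # skip env options
    [ -n "$1" ] && printf '%s\n' "$1"
)

# Absolute path the shell would execute for NAME (PATH order decides).
resolve_interp() { command -v "$1" 2>/dev/null; }

# True if MODULE imports under INTERP. MODULE must be a trusted literal.
has_module() { "$1" -c "import $2" >/dev/null 2>&1; }

# One line per NAME: resolved path, version, module status.
# Returns non-zero when NAME is missing or cannot import MODULE.
report() (
    path=$(resolve_interp "$1") || { printf '%s: not found on PATH\n' "$1"; exit 1; }
    ver=$("$path" --version 2>&1) || ver="version unknown"
    if has_module "$path" "$2"; then
        printf '%s -> %s (%s): %s importable\n' "$1" "$path" "$ver" "$2"
    else
        printf '%s -> %s (%s): %s MISSING\n' "$1" "$path" "$ver" "$2"
        exit 1
    fi
)

# Check the interpreter SCRIPT's shebang selects; 2 means "no shebang".
check_script() {
    interp=$(shebang_interp "$1") || { printf '%s: no shebang\n' "$1"; return 2; }
    report "$interp" "$2"
}

# Compare the three names from the thread; pass a script path as $1 to
# check that script as well.
for name in python python2 python3; do report "$name" netifaces || true; done
if [ -n "${1:-}" ]; then check_script "$1" netifaces || true; fi
```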
InfiniteBSOD (Author) Posted March 20, 2023

1 hour ago, dark_pyrro said:
> This is most likely due to the fact that Python 3 was installed using apt before you built Python3 from source. I would recommend purging the version installed using apt, or simply do a factory reset to start with a clean slate and not install Python 3 using apt, but only build the relevant version for Responder.

If my memory is correct the 'apt'-version of Python3 was automatically installed as a dependency for one of these deb-packages:

    build-essential libgdbm-dev libnss3-dev libffi-dev gcc

I just tried to download the old / deprecated "responder.deb", moved it to the mounted "tools"-directory with the BB MK II in "arming"-mode and then put the "QuickCreds" "payload.txt" into "Switch1" and it works.

So I thank you for all your help and will close this for now, it works as intended and I'll revisit this in the future.
dark_pyrro Posted March 21, 2023

I wouldn't agree to the fact that Python 3 is installed as a dependency when just installing the mentioned packages. I would have noted that when I was working on the previously linked instruction on how to get a more recent version of Impacket on the Bunny. I did quite a lot of iterations before I had sorted out all the issues that were involved in getting that working so it would have been quite obvious that any Python 3 version installed by apt would need to be removed first (and that would be a part of the instruction in that case).

When you say that the older responder.deb works; does it work in the way that it just runs or do you get NTLM hashes from a target? What OS is the target running in that case? A fully updated Windows 10 or 11? Just curious.
InfiniteBSOD (Author) Posted March 21, 2023

10 hours ago, dark_pyrro said:
> I wouldn't agree to the fact that Python 3 is installed as a dependency when just installing the mentioned packages. I would have noted that when I was working on the previously linked instruction on how to get a more recent version of Impacket on the Bunny. I did quite a lot of iterations before I had sorted out all the issues that were involved in getting that working so it would have been quite obvious that any Python 3 version installed by apt would need to be removed first (and that would be a part of the instruction in that case).
> When you say that the older responder.deb works; does it work in the way that it just runs or do you get NTLM hashes from a target? What OS is the target running in that case? A fully updated Windows 10 or 11? Just curious.

You are right, I had to have gotten Python3 as a dependency for something else:

    root@bunny:~/loot/quickcreds/my-hostname# apt install build-essential libgdbm-dev libnss3-dev libffi-dev gcc
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following packages were automatically installed and are no longer required:
      fonts-dejavu-core libdrm-freedreno1 libdrm-radeon1 libdrm2 libelf1
      libfontenc1 libgl1-mesa-glx libglapi-mesa libice6 libjs-bowser
      libjs-events libjs-inherits libjs-is-typedarray libjs-merge
      libjs-rtcninja libjs-sdp-transform libjs-typedarray-to-buffer libjs-util
      libllvm3.5 libsm6 libtxc-dxtn-s2tc0 libutempter0 libuv1-dev libx11-xcb1
      libxaw7 libxcb-dri2-0 libxcb-dri3-0 libxcb-glx0 libxcb-present0
      libxcb-shape0 libxcb-sync1 libxcomposite1 libxdamage1 libxfixes3 libxi6
      libxinerama1 libxmu6 libxpm4 libxrandr2 libxrender1 libxshmfence1 libxss1
      libxt6 libxtst6 libxv1 libxxf86dga1 libxxf86vm1 node-bowser node-debug
      node-events node-inherits node-is-typedarray node-merge node-nan
      node-rtcninja node-sdp-transform node-typedarray-to-buffer node-util
      x11-common xbitmaps
    Use 'apt-get autoremove' to remove them.
    The following extra packages will be installed:
      bzip2 cpp cpp-4.9 dpkg-dev fakeroot g++ g++-4.9 gcc-4.9
      libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl
      libasan1 libatomic1 libcloog-isl4 libdpkg-perl libfakeroot
      libfile-fcntllock-perl libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4
      libnspr4 libnspr4-dev libnss3 libstdc++-4.9-dev libtimedate-perl
      libubsan0 patch
    Suggested packages:
      bzip2-doc cpp-doc gcc-4.9-locales debian-keyring gcc-4.9-doc
      libstdc++6-4.9-dbg gcc-multilib autoconf automake libtool flex bison gdb
      gcc-doc libgcc1-dbg libgomp1-dbg libitm1-dbg libatomic1-dbg libasan1-dbg
      liblsan0-dbg libtsan0-dbg libubsan0-dbg libcilkrts5-dbg libquadmath-dbg
      libstdc++-4.9-doc ed diffutils-doc
    The following NEW packages will be installed:
      build-essential bzip2 cpp cpp-4.9 dpkg-dev fakeroot g++ g++-4.9 gcc
      gcc-4.9 libalgorithm-diff-perl libalgorithm-diff-xs-perl
      libalgorithm-merge-perl libasan1 libatomic1 libcloog-isl4 libdpkg-perl
      libfakeroot libffi-dev libfile-fcntllock-perl libgcc-4.9-dev libgdbm-dev
      libgomp1 libisl10 libmpc3 libmpfr4 libnspr4 libnspr4-dev libnss3
      libnss3-dev libstdc++-4.9-dev libtimedate-perl libubsan0 patch
    0 upgraded, 34 newly installed, 0 to remove and 0 not upgraded.
    Need to get 1700 kB/28.0 MB of archives.
    After this operation, 68.9 MB of additional disk space will be used.
    Do you want to continue? [Y/n]

Using Responder 2.3.3.6 (the "deb"-version) on:

Windows 11 Pro Ver 22H2 (OS Build: 22621.1413)
Windows 10 Home Ver 22H2 (OS Build: 19045.2006)

returns an NTLMv2-hash and the other log-files in "/loot/quickcreds/<hostname>/"
Terraphice Posted September 16, 2023

On 3/21/2023 at 3:54 AM, dark_pyrro said:
> I wouldn't agree to the fact that Python 3 is installed as a dependency when just installing the mentioned packages. I would have noted that when I was working on the previously linked instruction on how to get a more recent version of Impacket on the Bunny. I did quite a lot of iterations before I had sorted out all the issues that were involved in getting that working so it would have been quite obvious that any Python 3 version installed by apt would need to be removed first (and that would be a part of the instruction in that case).
> When you say that the older responder.deb works; does it work in the way that it just runs or do you get NTLM hashes from a target? What OS is the target running in that case? A fully updated Windows 10 or 11? Just curious.

Just wanted to chime in here for the folks following along at home. I followed your instructions (stopping at installing Rust) for Impacket (just to get Python 3 built), and I also had the same issues with Responder that InfiniteBSOD had. (Same failures with DumpHash.py and Responder.py.) I ensured Netifaces was installed with Python 3, I never installed Python 3 beforehand (clean install), and I verified that I followed all the steps accurately.

So it would seem there is either a fundamental mistake with the instruction, or an issue with Responder compatibility, or something else I'm not considering.
Archived
This topic is now archived and is closed to further replies.