Lan Turtle Quickcreds


w1r3d.au

Hi fellow Hak5 users,

I am trying to get the Quickcreds module to work on my LAN Turtle.

I have just also installed a 1tb sd card for storage to be able to run this module.

When I go in to configure the module, I get the message 'an sd card is required to install this module'.

Is my sd card too big? What could be the issue?

When I run the module on startup I get the numbered Creds folders with an ifconfig_dump.log file, which does not look to have the creds of the user, just some network stuff.

What am I doing wrong? From Darren's video it looked so easy, maybe too easy.

I was able to format the sd card while it was in the Turtle without any issues. Changed it to a 64gb sd card to test the size limits.

Edited by w1r3d.au

When you get the message

An SD card is required to install this module.

then exit the Turtle "text UI" to get to the terminal and run

grep "/sd" /proc/mounts

or

mount | grep "/sd"

Does it return a line that shows that (or "how" really) /sd is mounted on the system?

 

I have no actual reason to question your choice of Micro SD card size since I have no idea what your plans and intentions are, but using a 1 TB card with the Turtle seems a bit overkill to me. Especially for Quickcreds. I would go for far less than that. The loot that Quickcreds generates (if successful) does not need that amount of storage at all. The only thing that will need additional storage is the "components" that are used by Quickcreds, but even those won't require that much storage (however, the onboard storage of the Turtle is limited so it for sure needs the extra extension that the Micro SD card can offer in order to get everything in place for execution).
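An added example, not part of the posts above: the pattern "/sd" also matches device names such as /dev/sda1, so this sketch compares the mount point field of /proc/mounts exactly and reports how it is mounted. The function names and the sample mount table are constructed for illustration and are not taken from a real Turtle.

```shell
#!/bin/sh
# mount_info MOUNTPOINT [MOUNTS_FILE]
# Prints "device fstype rw|ro" for an exact mount point match.
# Returns 1 (and prints nothing) when the mount point is absent.
mount_info() {
    mp=$1
    file=${2:-/proc/mounts}
    awk -v mp="$mp" '
        $2 == mp {
            mode = "rw"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
            # keep the last match: a later mount shadows an earlier one
            line = $1 " " $3 " " mode
        }
        END { if (line == "") exit 1; print line }
    ' "$file"
}

# Constructed sample in /proc/mounts format (device names are assumptions).
write_sample_mounts() {
    cat > "$1" <<'EOF'
rootfs / rootfs rw 0 0
/dev/root /rom squashfs ro,relatime 0 0
/dev/sda1 /mnt/usb vfat rw,relatime 0 0
/dev/mmcblk0p1 /sd ext4 ro,relatime 0 0
EOF
}

demo_file=$(mktemp)
write_sample_mounts "$demo_file"
# Exact match: only the line whose mount point is /sd is reported.
mount_info /sd "$demo_file" || echo "/sd is not mounted"
# Naive pattern: also counts the /dev/sda1 line.
grep -c "/sd" "$demo_file"
rm -f "$demo_file"
```

A result ending in "ro" means the card is mounted read-only, so anything that has to write to /sd will fail even though the mount point exists.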


So when I plugged in my LAN Turtle this morning I was able to install the dependencies for Quickcreds without having to manually install them; however, I still cannot get the module to complete with saved creds.

I am testing on a Windows 10 22H2 workstation that is only locked.

When I plug in the LAN Turtle I get the usual boot flashes, and once the module is running I can see the LED flashing on for a second then off for a second.

Once I open the ifconfig_dump.log file with the 'cat' command I can only see the status features of the ethernet eth0, eth1 and lo connections.

eth0      Link encap:Ethernet  HWaddr 00:13:37:A9:A6:F2
          inet addr:172.16.84.1  Bcast:172.16.84.255  Mask:255.255.255.0
          inet6 addr: fe80::213:37ff:fea9:a6f2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:142 errors:0 dropped:3 overruns:0 frame:0
          TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:27148 (26.5 KiB)  TX bytes:3770 (3.6 KiB)
          Interrupt:4

eth1      Link encap:Ethernet  HWaddr 00:13:37:A9:A6:F0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:5

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:816 (816.0 B)  TX bytes:816 (816.0 B)

When I open the responder.log I can see that the module was started but no creds.

Creds1 - Initiating Responder attack...
Creds1 - Stopping dnsmasq
Creds1 - Starting screen and Responder
Creds1 - LED blink pattern during attack enabled
Creds2 - Initiating Responder attack...
Creds2 - Stopping dnsmasq
Creds2 - Starting screen and Responder
Creds2 - LED blink pattern during attack enabled
Creds1 - Initiating Responder attack...
Creds1 - Stopping dnsmasq
Creds1 - Starting screen and Responder
Creds1 - LED blink pattern during attack enabled
Creds2 - Initiating Responder attack...
Creds2 - Stopping dnsmasq
Creds2 - Starting screen and Responder
Creds2 - LED blink pattern during attack enabled
Creds1 - Initiating Responder attack...
Creds1 - Stopping dnsmasq
Creds1 - Starting screen and Responder
Creds1 - LED blink pattern during attack enabled
Creds2 - Initiating Responder attack...
Creds2 - Stopping dnsmasq
Creds2 - Starting screen and Responder
Creds2 - LED blink pattern during attack enabled
Creds3 - Initiating Responder attack...
Creds3 - Stopping dnsmasq
Creds3 - Starting screen and Responder
Creds3 - LED blink pattern during attack enabled
Creds1 - Initiating Responder attack...
Creds1 - Stopping dnsmasq
Creds1 - Starting screen and Responder
Creds1 - LED blink pattern during attack enabled
Creds2 - Initiating Responder attack...
Creds2 - Stopping dnsmasq
Creds2 - Starting screen and Responder
Creds2 - LED blink pattern during attack enabled

It feels like I am very close to getting this module to work and really appreciate the help.

Edited by w1r3d.au

First of all, Quickcreds (or Responder actually) isn't anything that offers 100% success at each and every attempt. Sometimes it works, sometimes it doesn't. So the fact that there aren't any creds captured doesn't necessarily mean that there are issues with the setup.

With that said, there are issues... the Turtle implementation of Quickcreds in its latest form shouldn't really work, or will have problems for sure. Not to criticize the authors, but sometimes things have a "best before date" if they aren't being updated to follow what happens over time in the world outside the Turtle.

One thing is that Responder has moved over to use Python3. I haven't seen any official information that it's "Python3 only", but it at least complains (kind of) if you try to start Responder with Python2. It either tells you to start Responder with Python3 or make sure netifaces is installed if trying to use Python2 (at least valid for Responder 3.1.3.0 which is the latest version available when writing this post). So... since the Turtle doesn't have Python3 out of the box, there are two possible roads to travel. Either install netifaces for Python2 (and hope everything works), or install Python3. Doing the latter will require some tweaking since the Turtle most likely won't have enough free storage space to install everything needed. That requires an installation to an alternative location and that is the Micro SD card. When doing an installation to the Micro SD card, it's also needed to manually set/configure additional paths to make Python3 work since this isn't taken care of by opkg during installation.

The module itself also needs adjustments. For example (if Python3 is used), the line that starts Responder needs to specify that python3 is going to be used when executing Responder. There is also a parameter that Responder isn't using anymore and that is "-r". If "-r" is specified, Responder will just stop execution and exit complaining that an unknown parameter has been passed to the Python script ("error: no such option: -r").

The fact that the orange LED is blinking as it should when Responder is assumed to be running on the Turtle (1 sec on/1 sec off) doesn't really mean that it is actually executing. It's just the "start" function of the module that has managed to reach that part of the script (the while loop where the module sits and waits for anything named "*NTLM*" in the Responder logs directory). There's nothing that actively checks that Responder is up and running, or capturing any errors that might get thrown back upon execution. So, the LED status can be a bit misleading.

All in all, there are some things to take care of to even get to the state where Responder "should work". That is however no guarantee for success. There might be other things that need to be looked at to really be sure that it will produce NTLM hashes. It has been quite a while since I last used Responder along with the Turtle, so I haven't been digging deeper into it. I've used it on the Bash Bunny though and it's the same thing there (of course), things need adjustment to be possible to use with later versions of Responder.

One thing that could be tried is to use the version of Responder that was available at the time when the latest version of the Quickcreds module for the Turtle was published (early April 2021), and that is Responder version 3.0.3.0. Doing so might have downsides though since tools develop over time and the "offense/defense game" is constantly moving forward, sometimes making tools obsolete.

Other than the above, there is some questionable handling involving how paths are built up using constants and strings in the script, plus some checks that perhaps could be better, but those are minor "glitches" as I see it.

As a side note, the "ifconfig_dump.log" file isn't really relevant at all. It just acts as "proof" that the interface needed is up when the module is executed/started.


Just a comment about my suggestion to use an older version (3.0.3.0) of Responder along with the existing quickcreds module. It seems to work. I managed to get the Turtle to grab NTLM hashes on a Win10 box now. Haven't changed the module code to do everything needed, but I did a "semi-automatic" execution of Responder (in a similar way as the module) and it was successful.


I will most likely post something more detailed soon (if I get the time). But essentially, you need to change the download URL and the part where the downloaded file is handled in the module (around line 80-90) since the downloaded file isn't called "master.zip" and the unpacked directory isn't called "Responder-master".

The URL to use for RESPURL is

https://github.com/lgandx/Responder/archive/refs/tags/v3.0.3.0.zip

Up to 3.0.6.0 should be fine as well. It's from 3.0.7.0 that Python3 is starting to be mentioned in the Responder scripts.
