Does Quickcreds work on recent locked Windows computer ?

[nopnop]

Hi

I recently bought a BashBunny Mark 2 (FW 1.7_332) and I'd like to use it on a Windows 10 locked computer to recover users hashes with Quickcreds Payload

I copied paylaod on switch 1 and install responder DEB file.

When I plug in the USB key, the light starts green, changes to purple, and then stays flashing yellow. I waited about 1H, but it stayed flashing yellow.

If I unlock the computer, the payload works without any problems.

I tried on differents computers,  but always the same problem..

Any idea please ?

Is there another payload to grab the users hashes on locked computer ?

 

Thank you for your help

 

[dark_pyrro]

Worked for me a couple of weeks ago at least. No using the deb package from the forums though, but instead version 3.0.6 of Responder. Both on Win10 and Win11.

[nopnop]

where Can I find the Responder 3.0.6 ? 

Thank you,

 

[dark_pyrro]

In the official Responder repo on GitHub

[nopnop]

humm

It doesn't work.

Maybe because the locked laptop is under bitlocker.

[dark_pyrro]

That shouldn't have any impact on success

In what path did you put Responder on the Bunny?

What's the output if you execute Responder manually on the Bunny?

[nopnop]

Thanks for you Help

First I've downloaded v3.0.6 from this link : https://github.com/lgandx/Responder/tags

then, I switch the Bashbuny into "SSH mode" with a payload and I copied all files in the Zip (Responder-3.0.6.0.zip)  into root@bunny:/tools/responder#

did I make a mistake ?

thank you

[nopnop]

If I launch "root@bunny:/tools/responder# ./Responder.py -I" it seems to be ok.

is there another command I can run to check ?

[dark_pyrro]

That screenshot tells me that you're not running 3.0.6.0, but the older version that comes with the deb from the forums (look at the version displayed = 2.3.3.6).

[nopnop]

Sorry,  here is the screenshot

When I plug the Bashbunny on the laptop,  led start green, then fixed purple, and after red flash.

 

 

[dark_pyrro]

There should be two things that produces the red LED and that's either failing to find responder (slow blink) or fast blink which indicates that the target doesn't get an IP address.

[nopnop]

it's fast blink.

 

[dark_pyrro]

ok, then the Bunny can't hand out any DHCP lease to the target (the computer to which it is connected) for some reason

[dark_pyrro]

Did you at any point set a static IP address for the Bunny on the machine you're trying to run QuickCreds against?

[nopnop]

Yes I set a static IP. Thank You.

So I try on another laptop (windows 10)

This time , LED start Green,  then fixed purple,  and after yellow flash.  Normally it should be a fixed green.

 

Any idea ?

[dark_pyrro]

Yes, if you get a NTLM hash it will turn green. If not, it will continue to blink yellow. There's no guarantee though that it will ever be able to obtain the hash. Also make sure to leave it for a while. It can take all from 2 seconds from when it starts to blink yellow (i.e. attack started) to well over a minute.

[nopnop]

I left the BashBunny plugged in for 2 hours, but still the same "yellow flashing LED"

Does the computer need to be connected to the internet ?

 

[dark_pyrro]

No

[dark_pyrro]

Just to be sure, you have logged in to the PC and then locked it, right? Not just let it boot up without any login.

[nopnop]

The goal is to recover the hash of a locked computer whose session has not been opened. And after Hashcat the hash.

 

The computer is running bitlocker + tpm.

I think I have no other option to unlock it.

 

 

 

[dark_pyrro]

Well, if you try to obtain the hash on a PC that has no logged in user (i.e. a PC that isn't actually locked), I guess you have to prepare yourself to wait until kingdom comes.