nopnop Posted October 12, 2023 Share Posted October 12, 2023 Hi I recently bought a BashBunny Mark 2 (FW 1.7_332) and I'd like to use it on a Windows 10 locked computer to recover users hashes with Quickcreds Payload I copied paylaod on switch 1 and install responder DEB file. When I plug in the USB key, the light starts green, changes to purple, and then stays flashing yellow. I waited about 1H, but it stayed flashing yellow. If I unlock the computer, the payload works without any problems. I tried on differents computers, but always the same problem.. Any idea please ? Is there another payload to grab the users hashes on locked computer ? Thank you for your help Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted October 12, 2023 Share Posted October 12, 2023 Worked for me a couple of weeks ago at least. No using the deb package from the forums though, but instead version 3.0.6 of Responder. Both on Win10 and Win11. Quote Link to comment Share on other sites More sharing options...
nopnop Posted October 13, 2023 Author Share Posted October 13, 2023 where Can I find the Responder 3.0.6 ? Thank you, Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted October 13, 2023 Share Posted October 13, 2023 In the official Responder repo on GitHub Quote Link to comment Share on other sites More sharing options...
nopnop Posted October 13, 2023 Author Share Posted October 13, 2023 humm It doesn't work. Maybe because the locked laptop is under bitlocker. Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted October 13, 2023 Share Posted October 13, 2023 That shouldn't have any impact on success In what path did you put Responder on the Bunny? What's the output if you execute Responder manually on the Bunny? Quote Link to comment Share on other sites More sharing options...
nopnop Posted October 18, 2023 Author Share Posted October 18, 2023 Thanks for you Help First I've downloaded v3.0.6 from this link : https://github.com/lgandx/Responder/tags then, I switch the Bashbuny into "SSH mode" with a payload and I copied all files in the Zip (Responder-3.0.6.0.zip) into root@bunny:/tools/responder# did I make a mistake ? thank you Quote Link to comment Share on other sites More sharing options...
nopnop Posted October 18, 2023 Author Share Posted October 18, 2023 If I launch "root@bunny:/tools/responder# ./Responder.py -I" it seems to be ok. is there another command I can run to check ? Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted October 18, 2023 Share Posted October 18, 2023 That screenshot tells me that you're not running 3.0.6.0, but the older version that comes with the deb from the forums (look at the version displayed = 2.3.3.6). Quote Link to comment Share on other sites More sharing options...
nopnop Posted October 18, 2023 Author Share Posted October 18, 2023 Sorry, here is the screenshot When I plug the Bashbunny on the laptop, led start green, then fixed purple, and after red flash. Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted October 18, 2023 Share Posted October 18, 2023 There should be two things that produces the red LED and that's either failing to find responder (slow blink) or fast blink which indicates that the target doesn't get an IP address. Quote Link to comment Share on other sites More sharing options...
nopnop Posted October 18, 2023 Author Share Posted October 18, 2023 it's fast blink. Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted October 18, 2023 Share Posted October 18, 2023 ok, then the Bunny can't hand out any DHCP lease to the target (the computer to which it is connected) for some reason Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted October 18, 2023 Share Posted October 18, 2023 Did you at any point set a static IP address for the Bunny on the machine you're trying to run QuickCreds against? Quote Link to comment Share on other sites More sharing options...
nopnop Posted October 18, 2023 Author Share Posted October 18, 2023 Yes I set a static IP. Thank You. So I try on another laptop (windows 10) This time , LED start Green, then fixed purple, and after yellow flash. Normally it should be a fixed green. Any idea ? Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted October 18, 2023 Share Posted October 18, 2023 Yes, if you get a NTLM hash it will turn green. If not, it will continue to blink yellow. There's no guarantee though that it will ever be able to obtain the hash. Also make sure to leave it for a while. It can take all from 2 seconds from when it starts to blink yellow (i.e. attack started) to well over a minute. Quote Link to comment Share on other sites More sharing options...
nopnop Posted October 19, 2023 Author Share Posted October 19, 2023 I left the BashBunny plugged in for 2 hours, but still the same "yellow flashing LED" Does the computer need to be connected to the internet ? Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted October 19, 2023 Share Posted October 19, 2023 No Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted October 19, 2023 Share Posted October 19, 2023 Just to be sure, you have logged in to the PC and then locked it, right? Not just let it boot up without any login. Quote Link to comment Share on other sites More sharing options...
nopnop Posted October 19, 2023 Author Share Posted October 19, 2023 The goal is to recover the hash of a locked computer whose session has not been opened. And after Hashcat the hash. The computer is running bitlocker + tpm. I think I have no other option to unlock it. Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted October 19, 2023 Share Posted October 19, 2023 Well, if you try to obtain the hash on a PC that has no logged in user (i.e. a PC that isn't actually locked), I guess you have to prepare yourself to wait until kingdom comes. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.