nopnop Posted October 12, 2023
Hi, I recently bought a BashBunny Mark 2 (FW 1.7_332) and I'd like to use it on a locked Windows 10 computer to recover users' hashes with the QuickCreds payload. I copied the payload to switch 1 and installed the Responder DEB file. When I plug in the USB key, the light starts green, changes to purple, and then stays flashing yellow. I waited about 1 hour, but it stayed flashing yellow. If I unlock the computer, the payload works without any problems. I tried on different computers, but always the same problem. Any idea, please? Is there another payload to grab the users' hashes on a locked computer? Thank you for your help.
dark_pyrro Posted October 12, 2023
Worked for me a couple of weeks ago at least. Not using the deb package from the forums though, but instead version 3.0.6 of Responder. Both on Win10 and Win11.
nopnop Posted October 13, 2023 Author
Where can I find Responder 3.0.6? Thank you.
nopnop Posted October 13, 2023 Author
Hmm, it doesn't work. Maybe because the locked laptop is under BitLocker.
dark_pyrro Posted October 13, 2023
That shouldn't have any impact on success. In what path did you put Responder on the Bunny? What's the output if you execute Responder manually on the Bunny?
nopnop Posted October 18, 2023 Author
Thanks for your help. First I downloaded v3.0.6 from this link: https://github.com/lgandx/Responder/tags Then I switched the BashBunny into "SSH mode" with a payload and copied all the files in the zip (Responder-3.0.6.0.zip) into root@bunny:/tools/responder# Did I make a mistake? Thank you.
nopnop Posted October 18, 2023 Author
If I launch "root@bunny:/tools/responder# ./Responder.py -I" it seems to be OK. Is there another command I can run to check?
dark_pyrro Posted October 18, 2023
That screenshot tells me that you're not running 3.0.6.0, but the older version that comes with the deb from the forums (look at the version displayed = 2.3.3.6).
nopnop Posted October 18, 2023 Author
Sorry, here is the screenshot. When I plug the BashBunny into the laptop, the LED starts green, then fixed purple, and after that flashes red.
dark_pyrro Posted October 18, 2023
There should be two things that produce the red LED: either failing to find Responder (slow blink), or fast blink, which indicates that the target doesn't get an IP address.
dark_pyrro Posted October 18, 2023
OK, then the Bunny can't hand out any DHCP lease to the target (the computer to which it is connected) for some reason.
dark_pyrro Posted October 18, 2023
Did you at any point set a static IP address for the Bunny on the machine you're trying to run QuickCreds against?
nopnop Posted October 18, 2023 Author
Yes, I set a static IP. Thank you. So I tried on another laptop (Windows 10). This time, the LED starts green, then fixed purple, and after that flashes yellow. Normally it should be a fixed green. Any idea?
dark_pyrro Posted October 18, 2023
Yes, if you get an NTLM hash it will turn green. If not, it will continue to blink yellow. There's no guarantee though that it will ever be able to obtain the hash. Also make sure to leave it for a while. It can take anything from 2 seconds from when it starts to blink yellow (i.e. attack started) to well over a minute.
nopnop Posted October 19, 2023 Author
I left the BashBunny plugged in for 2 hours, but still the same "yellow flashing LED". Does the computer need to be connected to the internet?
dark_pyrro Posted October 19, 2023
Just to be sure, you have logged in to the PC and then locked it, right? Not just let it boot up without any login.
nopnop Posted October 19, 2023 Author
The goal is to recover the hash of a locked computer whose session has not been opened. And afterwards, Hashcat the hash. The computer is running BitLocker + TPM. I think I have no other option to unlock it.
dark_pyrro Posted October 19, 2023
Well, if you try to obtain the hash on a PC that has no logged in user (i.e. a PC that isn't actually locked), I guess you have to prepare yourself to wait until kingdom comes.
Archived
This topic is now archived and is closed to further replies.