Jump to content

Bunnypicker (Win10 Lockpicker for Bash Bunny) clarification for documentation

elsevero

By elsevero
in Payloads

 Share

Recommended Posts

elsevero Newbie

elsevero

Posted
Posted

Hi there,

 

I started playing with Bash Bunny, I would like to unlock a Windows PC, without knowing the password, for security measures I cannot reset the password. I have seen the Bunnypicker (Win10 Lockpicker for Bash Bunny) payload, listed on official GitHub repo.


Has anyone worked with it?

I have the following question as this person mentioned in the GitHub issue.

I will list the questions here as well:

1. What does JtR means?

2. Where do I run the following commands? In Windows, on the Setup machine (a Windows where I setup the BashBunny USB stick) ?

Based on what I have seen, the below commands can be run on a Windows Machine with Linux subsystem activated (WSL2). Am I missing something?

Link to comment
Share on other sites
dark_pyrro Grand Master

dark_pyrro

Posted
Posted
7 hours ago, elsevero said:

What does JtR means?

That can't be too difficult to do a Google search on. Especially since "John" is also mentioned in the payload readme/instructions plus the fact that the GitHub repo is linked in the instructions. So... JtR stands for "John the Ripper", it's a tool.

https://github.com/openwall/john

https://en.wikipedia.org/wiki/John_the_Ripper

https://www.openwall.com/john/

7 hours ago, elsevero said:

Where do I run the following commands?

You haven't included any commands in the post, but I guess that you are referring to the commands in the payload instructions. They should be executed on the Bunny itself (when it has been configured to be able to reach the internet). You will most likely run into a bunch of errors while running the apt commands since Jessie is EOL and the upstream package repos aren't maintained anymore.

The payload itself is interesting as a concept, but nothing I would use that much since it's rather limited in the way that it is only able to try a limited amount of possible passwords. I would go with QuickCreds/Responder instead and do any "password restoring" on something more powerful than the Bunny. The Responder version that is used in the payload is also older than needed.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...