Didier Stevens

Thursday 6 April 2017

Quickpost: Using My Bash Bunny To “Snag Creds From A Locked Machine”

Filed under: Bash Bunny,Entertainment,Hacking,Hardware,Quickpost — Didier Stevens @ 23:22

FYI: This is nothing new, I’m just documenting how I configured and used my new Bash Bunny for “SNAGGING CREDS FROM LOCKED MACHINES” as Mubix explained.

After setting up my Bash Bunny, I used it on a locked Windows 10 machine to get netNTLMv2 hashes, here is the video:

 

After collecting the hashes, I can recover them from the Bash Bunny:

I put my Bash Bunny into arming mode: put the switch in position 3 (switch position closest to the USB connector). I insert my Bash Bunny in my Windows machine. The removable storage on the Bash Bunny gets assigned drive letter D: on my machine.

Inside folder D:\loot\quickcreds there are folders created each time I use this payload on a machine. Here is the content for the Windows 10 machine I collected hashes from (DESKTOP-DEMO):

File Proxy-Auth-NTLMv2-172.16.64.10.txt contains the hashes:

These can be cracked, for example with John The Ripper:

Here is what I did to setup my Bash Bunny after unboxing it:

First I updated the payloads on my Bash Bunny from the GitHub repository.

I put my Bash Bunny into arming mode: put the switch in position 3 (switch position closest to the USB connector). I insert my Bash Bunny in my Windows machine. The removable storage on the Bash Bunny gets assigned drive letter D: on my machine.

I copy the content of the GitHub repository payloads folder to the payloads folder on the Bash Bunny: d:\payloads\ (overwriting existing files).

To install the tools: I copy D:\payloads\library\tools_installer\ to D:\payloads\switch1\ (overwriting existing files).

I eject the Bash Bunny, put the switch in position 1 (payload 1, switch position closest to the LED). I insert the Bash Bunny in my Windows machine, and wait for a white solid LED: this takes about 10 seconds.

I eject the Bash Bunny, put the switch in position 3 and re-insert it into my Windows machine.

Then I set the QuickCreds payload (responder) as payload 2 on my Bash Bunny: copy D:\payloads\library\QuickCreds\ to D:\payloads\switch2\ (overwriting existing files).

I eject the Bash Bunny, put the switch in position 2 (payload 2, switch position in the middle) and insert it into my test Windows machine. After some time, the Bash Bunny displays a green LED, indicating that hashes were collected.


Quickpost info


2 Comments »

  1. […] Quickpost is for my Bash Bunny with the original firmware. Since my first Bash Bunny post a couple of days ago, firmware 1.1 was released, but I have not yet […]

    Pingback by Quickpost: Bash Bunny & Keyboard Layouts | Didier Stevens — Sunday 9 April 2017 @ 12:51

  2. […] Blog post: Quickpost: Using My Bash Bunny To “Snag Creds From A Locked Machine” […]

    Pingback by Didier Stevens Videos — Saturday 22 April 2017 @ 22:21


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: