I figured that the Bash Bunny QuickCreds module would be a great way to test out my new toy.
I got a Bash Bunny with the Silicon Valley discount code, and was looking forward to playing with it.
First of all, for those unfamiliar with the attack (or title), then I highly recommend mubix’s original post.
First, I needed to get the payload loaded onto the device and working properly.
I had a ton of issues sharing internet with my Windows machine, so I decided to try a different one.
Additionally, I was also having trouble sharing internet using my Mac.
In the end, I was able to get it working after following the above instructions on my Kali VM. For more information, see the above thread.
- With you [sic] vm turned off and the bunny unplugged, go to Settings > Ports > USB and enable usb 3.0
- Switch the bunny to state 1; plug it in and wait for it to load completely
- Add a usb filter (plus icon) and add the device (mine says “Linux 3.4.39 with sunxi_usb_udc RNDIS/Ethernet Gadget ”)
- Eject the bunny
- Flip the switch to states 2 & 3 and repeat steps 2-4
- Turn on your vm and keep the bunny unplugged
- wget the bb.sh script in the vm
- Run `sudo bash bb.sh` and follow the guided setup
- With the bunny NOT in arm mode (position 3) plug the bunny in after the third step/question
- If you did it right, the script will “detect” the bunny at this stage
- The last step is to press “C” once you see the main menu again to “connect” using the settings you just set up
- You should now be able to ssh in and test the connection with ping
Once I followed the configuration steps, I was able to SSH into my bunny.
Unfortunately, I was unable to properly download anything or update it.
After a few minutes of frustration, I took a look at resolv.conf on the device.
[email protected]:~# ping 220.127.116.11 PING 18.104.22.168 (22.214.171.124) 56(84) bytes of data. 64 bytes from 126.96.36.199: icmp_seq=1 ttl=43 time=26.7 ms ^C --- 188.8.131.52 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 26.766/26.766/26.766/0.000 ms [email protected]:~# ping google.com ^C [email protected]:~# cat /etc/resolv.conf # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN nameserver 184.108.40.206 nameserver 220.127.116.11
While normally this would not be an issue, I have my pfSense configured to block all outgoing DNS requests. In this case, I just disabled the firewall rule for a little since it made life easier.
Before the Bash Bunny QuickCreds payload would work, I would need Responder on the device as well.
First, I added the ToolsInstaller package into the switch1 payload.
Next, I also added the QuickCreds payload into switch2 while I was at it.
Unfortunately, the installation kept failing for ToolsInstaller.
Next, I tried to manually create the pentest folder.
Once I did that, I manually uploaded impacket and responder to the device.
Unfortunately, I was still getting constant failures with the installation.
At this point, I realized that it was probably time to update my firmware.
Going to the download page, I noticed that 1.3 was the newest version.
I followed the instructions, and properly updated the firmware on my device.
Bash Bunny QuickCreds – Tool Success!
Next, I moved Responder to the new proper location, /tools/responder.
At this point, I thought I would be good to go, so I attempted the quickcreds attack.
Unfortunately, the bunny still had an amber light, and I believed that it was Responder’s fault.
Finally, I found the .deb files, and was able to install Responder successfully!
Bash Bunny QuickCreds – Execution
With everything working, I asked Hacker’s Girlfriend if she would be my guinea pig.
First, I verified that she locked and password protected her laptop.
Next, I plugged in the bunny and watched it switch to the amber light.
Finally, after only a few seconds, it switched to a green light indicating success!
After checking the device, there was a file with NetNTLMv2 hashes this time.
Based on a small hint from the girlfriend, it was time to crack the hashes. Unfortunately, I had to quit hashcat in the middle, so I’m not sure exactly how long the process took.
Rays-MacBook-Pro:testing doyler$ hashcat -a 3 -m 5600 -i --increment-min=1 --increment-max=10 hash.txt ?l?l?l?l?l?l?l?l?l?l hashcat () starting... OpenCL Platform #1: Apple ========================= * Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped. * Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU * Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU Hashes: 2 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Applicable optimizers: * Zero-Byte * Not-Iterated * Single-Hash * Single-Salt * Brute-Force Watchdog: Temperature abort trigger disabled. Watchdog: Temperature retain trigger disabled. The wordlist or mask that you are using is too small. This means that hashcat cannot use the full parallel power of your device(s). Unless you supply more work, your cracking speed will drop. For tips on supplying more work, see: https://hashcat.net/faq/morework Approaching final keyspace - workload adjusted. Session..........: hashcat Status...........: Exhausted Hash.Type........: NetNTLMv2 Hash.Target......: GIRLFRIEND::Girlfriend-THINK:dexxxxx...000000 Time.Started.....: Fri Jul 14 19:40:47 2017 (0 secs) Time.Estimated...: Fri Jul 14 19:40:47 2017 (0 secs) Guess.Mask.......: ?l  Guess.Queue......: 1/10 (10.00%) Speed.Dev.#2.....: 0 H/s (0.45ms) Speed.Dev.#3.....: 0 H/s (0.00ms) Speed.Dev.#*.....: 0 H/s Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts Progress.........: 26/26 (100.00%) Rejected.........: 0/26 (0.00%) Restore.Point....: 0/1 (0.00%) Candidates.#2....: q -> x Candidates.#3....: [Generating] Session..........: hashcat Status...........: Running Hash.Type........: NetNTLMv2 Hash.Target......: GIRLFRIEND::Girlfriend-THINK:dexxxxx...000000 Time.Started.....: Wed Jul 19 12:28:22 2017 (1 sec) Time.Estimated...: Wed Jul 19 12:28:26 2017 (3 secs) Guess.Mask.......: ?l?l?l?l?l?l?l?l?l?l  Guess.Queue......: 1/1 (100.00%) Speed.Dev.#2.....: 12865.7 kH/s (4.11ms) Speed.Dev.#3.....: 60526.9 kH/s (7.08ms) Speed.Dev.#*.....: 73392.6 kH/s Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts Progress.........: xxxxxxxx/308915776 (xx%) Rejected.........: 0/88440832 (0.00%) Restore.Point....: xxxxxxxx/308915776 (xx%) Candidates.#2....: xxxxxxxxxx -> xxxxxxxxxx Candidates.#3....: xxxxxxxxxx -> xxxxxxxxxx GIRLFRIEND::Girlfriend-THINK:dexxxxx:xxxxx:xxxxx:(password here)
Bash Bunny QuickCreds – Conclusion
After cracking the password, I attempted to use it on her laptop, and it worked!
This was an awesome first payload to use on my bunny, and probably one that I will keep on permanently.
Let me know if you have any ideas or suggestions for other payloads to try or write.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here. As an Amazon Associate, I earn from qualifying purchases.