FYI: This is nothing new, I’m just documenting how I configured and used my new Bash Bunny for “SNAGGING CREDS FROM LOCKED MACHINES” as Mubix explained.
After setting up my Bash Bunny, I used it on a locked Windows 10 machine to get netNTLMv2 hashes, here is the video:
After collecting the hashes, I can recover them from the Bash Bunny:
I put my Bash Bunny into arming mode: put the switch in position 3 (switch position closest to the USB connector). I insert my Bash Bunny in my Windows machine. The removable storage on the Bash Bunny gets assigned drive letter D: on my machine.
Inside folder D:\loot\quickcreds there are folders created each time I use this payload on a machine. Here is the content for the Windows 10 machine I collected hashes from (DESKTOP-DEMO):
File Proxy-Auth-NTLMv2-172.16.64.10.txt contains the hashes:
These can be cracked, for example with John The Ripper:
Here is what I did to setup my Bash Bunny after unboxing it:
First I updated the payloads on my Bash Bunny from the GitHub repository.
I put my Bash Bunny into arming mode: put the switch in position 3 (switch position closest to the USB connector). I insert my Bash Bunny in my Windows machine. The removable storage on the Bash Bunny gets assigned drive letter D: on my machine.
I copy the content of the GitHub repository payloads folder to the payloads folder on the Bash Bunny: d:\payloads\ (overwriting existing files).
To install the tools: I copy D:\payloads\library\tools_installer\ to D:\payloads\switch1\ (overwriting existing files).
I eject the Bash Bunny, put the switch in position 1 (payload 1, switch position closest to the LED). I insert the Bash Bunny in my Windows machine, and wait for a white solid LED: this takes about 10 seconds.
I eject the Bash Bunny, put the switch in position 3 and re-insert it into my Windows machine.
Then I set the QuickCreds payload (responder) as payload 2 on my Bash Bunny: copy D:\payloads\library\QuickCreds\ to D:\payloads\switch2\ (overwriting existing files).
I eject the Bash Bunny, put the switch in position 2 (payload 2, switch position in the middle) and insert it into my test Windows machine. After some time, the Bash Bunny displays a green LED, indicating that hashes were collected.
Article Link: https://blog.didierstevens.com/2017/04/06/quickpost-using-my-bash-bunny-to-snag-creds-from-a-locked-machine/