I've been playing around with Mubix's Quickcreds payload (awesome payload, Mubix!) and have run into trouble with using it on a Test Mac.
I plug in the device and it goes to flashing yellow LED on the USB but doesn't proceed further. When I plug the USB in under arming mode I can see "TESTs-MBP-1" (Mac's name) in the loot/quickcreds/ folder. The folder is empty.
The payload is set to use ECM_ETHERNET. I see the device under the network section of system preferences with the correct IP address (172.16.64.10).
I see in the payload that yellow LED means that it's running the attack. I have a feeling that it's getting hung up on finding NTLM logs. Mac/Nix doesn't store password hashes in the same way that Windows does, right? So why is it this payload is able to work with Mac/Nix with the only difference being the ECM_ETHERNET vs RNDIS_ETHERNET for Windows?