Jump to content

Payload for PowerMemory to grab Windows 10 creds?


one2

Recommended Posts

I purchased the Rubber Ducky recently to grab windows login creds from Windows 10. I was unaware at the time that it wouldn't quite work as solid on 10 as it does with older versions of windows.

After testing on various other versions and having it upload the .creds to my server nothing happened when I attempted it on my target machine (Windows 10). I played around with quite a bit and finally got the .creds uploading but with 0 data.

Doing some research I came across this page explaining using PowerMemory to edit the registry for storing plaintext credentials. I did this the manual way, rebooted, and viola I have my .creds file on the server with the credentials. However this was done on a test machine and not my target machine.

HERE IS MY REQUEST: Does anyone have or can write a payload to automate this process in a stealth manner much like the Mr Robot payload?

Maybe I am overlooking something as I am so new to this. Also it could be possible that it would have worked without PowerMemory editing the registry as I disabled Windows Defender before trying PM as I saw it has blocked some MK features during my previous attempts.

Any feedback would be greatly appreciated!

Link to comment
Share on other sites

8 minutes ago, jermzz said:

it's not going to work if it needs to run before and after a reboot issuing different key strokes. Especially if it needs to enter an unknown login password

Yeah I guess I should have specified that I would like to primarily add the registry modification into the stealth payload (pulling up the registry and modifying the WDigest "UseLogonCredential" to 1) on the first run, rather than either loading up PowerMemory or modifying the registry manually (allotted time would be minimal). Then wait for the target machine to be rebooted before inserting the RD once more to grab the plain text.

Link to comment
Share on other sites

3 minutes ago, one2 said:

Yeah I guess I should have specified that I would like to primarily add the registry modification into the stealth payload (pulling up the registry and modifying the WDigest "UseLogonCredential" to 1) on the first run, rather than either loading up PowerMemory or modifying the registry manually (allotted time would be minimal). Then wait for the target machine to be rebooted before inserting the RD once more to grab the plain text.

So you need two payloads :)

Link to comment
Share on other sites

17 minutes ago, jermzz said:

So you need two payloads :)

It appears so! I am very new to all of this and not entirely sure how to craft the entire payload to accomplish the following:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

Assuming that is the right command anyway.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...