2) My test box didn't have a "HarddiskVolumeShadowCopy1" so the script would fail, delete the .vbs files and exit without displaying the error.
I commented out the lines to exit and delete the vbs files and ran vssown.vbs /list to see if "1" existed and it did not. Every time the /create line runs it would increment (11, 12, 13) so I edited the payload to change "1" to the next expected shadowcopy# and then it finally copied the files.
Perhaps the payload should use /list to determine the next shadow created or try the next 25 #s if "HarddiskVolumeShadowCopy1" fails?
[Question] Retrieve Sam And System From A Live File System
in Classic USB Rubber Ducky
Posted
I had problems with it...
1)There are a couple of typos in the USBRD script:
"STRING copy \\?\\GLoBALROOT\Device\HarddriskVolumeShadowCopy1\windows\system32\config\SYSTEM ."
"STRING copy \\?\GLoBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SYSTEM ."
2) My test box didn't have a "HarddiskVolumeShadowCopy1" so the script would fail, delete the .vbs files and exit without displaying the error.
I commented out the lines to exit and delete the vbs files and ran vssown.vbs /list to see if "1" existed and it did not. Every time the /create line runs it would increment (11, 12, 13) so I edited the payload to change "1" to the next expected shadowcopy# and then it finally copied the files.
Perhaps the payload should use /list to determine the next shadow created or try the next 25 #s if "HarddiskVolumeShadowCopy1" fails?