Jump to content
Hak5 Forums
M@$T

Mr Robot Hack

Recommended Posts

Hi Guys, 

was looking at the scripts to snatch the password form a windows PC.. If there a way to instead of upload the file on the web, to save the file locally on the USB? would remove a variable in case the attacked PC does not have a connection..

Share this post


Link to post
Share on other sites

There are a couple of ways to do this.  One involves using a second USB device that acts as a drive, and the other is to use the Composite firmware to present the storage on the ducky as a drive along with the HID it presents.  Either way, you need to look through the forums here to get an idea of how to detect the drive, once it's been plugged in, and understand how the different Composite firmwares work.  For example, the 4cap composite is supposed to present the SD card as a usb drive, and present a HID device, then manually run the payload by hitting the Caps Lock key 4 times in a row.  However, in my testing, the caps lock event did not trigger on the Linux Mint workstation I was testing from.  Plugging it into a Windows 10 workstation read the event just fine and delivered the payload.  In both cases, the ducky would deliver the payload if the physical button on it was pressed.

Share this post


Link to post
Share on other sites

use Twin Duck firmware to redirect the output to the duck itself. I actually ended up storing the invoke-mimikatz on the duck itself to keep from needing to download it. I modified the script so most AV will not catch it. I used a command prompt to find the duck drive, then used that to set the variable. Dumped the creds to a text file back on the duck drive. I found all the information between the newest video from Mr. Robot hack and an older video they reference in that video where they show the same execution without upload. After some mods I was able to make it work pretty well. 

Share this post


Link to post
Share on other sites

Well I attempted to put the mimikatz.exe on the ducky sd with the inject.bin file, but that didn't work. I turned off AV  and Firewall just to rule out that and still nothing. I am thinking your right. It has to be an I'm.ps1 script.

Share this post


Link to post
Share on other sites
On 10/18/2016 at 8:21 PM, Ferryman said:

Well I attempted to put the mimikatz.exe on the ducky sd with the inject.bin file, but that didn't work. I turned off AV  and Firewall just to rule out that and still nothing. I am thinking your right. It has to be an I'm.ps1 script.

You have to rename mimikatz and all the references to it in the ps1 script, AV is only catching the name. Thats what worked for me. 

Share this post


Link to post
Share on other sites
On 9/13/2016 at 4:12 AM, M@$T said:

Hi Guys, 

was looking at the scripts to snatch the password form a windows PC.. If there a way to instead of upload the file on the web, to save the file locally on the USB? would remove a variable in case the attacked PC does not have a connection..

 

I made a payload to steal Windows credentials as well as stored browser passwords, then save the output txt documents to the ducky. I coded it on a Sunday a few weeks back and haven't had the time to go back and clean it up and add all the additional features that I want to yet, but you can see how it works in a video I posted showcasing it. Instead of explaining it all again, you can see more about it in the description of the video. Oh, and I used the on-screen keyboard in the video just to show that the script is set to fire on an LED toggle (caps lock, num lock, or scroll lock key press). Otherwise, it wouldn't have been obvious that I pressed a button on the keyboard to fire it.

Although I wanted to wait until I was finished editing it how I want it, since I've been busy with work, I'll gladly share my source code if anyone is interested. Just leave a comment on the video and I'll get in contact with you (I see YouTube notifications much easier than PMs on here, although I'll eventually catch either one).

 

 

Share this post


Link to post
Share on other sites
4 hours ago, Enzym3 said:

 

I made a payload to steal Windows credentials as well as stored browser passwords, then save the output txt documents to the ducky. I coded it on a Sunday a few weeks back and haven't had the time to go back and clean it up and add all the additional features that I want to yet, but you can see how it works in a video I posted showcasing it. Instead of explaining it all again, you can see more about it in the description of the video. Oh, and I used the on-screen keyboard in the video just to show that the script is set to fire on an LED toggle (caps lock, num lock, or scroll lock key press). Otherwise, it wouldn't have been obvious that I pressed a button on the keyboard to fire it.

Although I wanted to wait until I was finished editing it how I want it, since I've been busy with work, I'll gladly share my source code if anyone is interested. Just leave a comment on the video and I'll get in contact with you (I see YouTube notifications much easier than PMs on here, although I'll eventually catch either one).

 

 

Would love to get a copy of that payload.

Share this post


Link to post
Share on other sites
5 hours ago, Ferryman said:

Would love to get a copy of that payload.

Same here..

Maybe you can make the screens smaller (reduce the PS window size or minimize the windows so that they don't look suspicious) so that they don't really show like in the original payload?

Share this post


Link to post
Share on other sites
4 hours ago, M@$T said:

Same here..

Maybe you can make the screens smaller (reduce the PS window size or minimize the windows so that they don't look suspicious) so that they don't really show like in the original payload?

Most definitely. I intentionally left out a handful of the typical obfuscation tricks just so you could see what's happening in the video since I recorded it just before bed that night instead of doing one with a voiceover and more in depth description. I'm currently driving 15 hours back home for thanksgiving, but sometime after family get togethers today I'll sit down and remote into my home PC and get you guys my source code. I still plan on vastly improving it and adding features, but if any of you make your own changes, I'd love to see what you've come up with!

Happy Thanksgiving!

-Enzym3

Edited by Enzym3

Share this post


Link to post
Share on other sites
9 minutes ago, Enzym3 said:

Most definitely. I intentionally left out a handful of the typical obfuscation tricks just so you could see what's happening in the video since I recorded it just before bed that night instead of doing one with a voiceover and more in depth description. I'm currently driving 15 hours back home for thanksgiving, but sometime after family get togethers today I'll sit down and remote into my home PC and get you guys my source code. I still plan on vastly improving it and adding features, but if any of you make your own changes, I'd love to see what you've come up with!

Happy Thanksgiving!

-Enzym3

great stuff! 

looking forward to seeing the code!

Share this post


Link to post
Share on other sites

Sorry for the delay, everyone.I just now got access to a PC while I'm out of town. I managed to remote into my home PC and upload the necessary files onto my Google Drive. Here's a link to the ZIP archive that contains what you'll need. I included a README file for anyone new to using the ducky. The veterans shouldn't have any issues figuring out how to use it. If anyone has any questions about it, let me know. I'll be back home on Monday and I'll do my best to help you out. If anyone customizes the scripts, I'd love for you to share them here with everyone. I'll certainly keep working on it whenever I get the chance and post my updates as well. Cheers, everyone!

-Enzym3

 

Download (Google Drive)

Share this post


Link to post
Share on other sites
1 hour ago, Mohamed A. Baset said:

We're sorry. You can't access this item because it is in violation of our Terms of Service. !!

Whats this all about?

Share this post


Link to post
Share on other sites

Ugh. Sorry, fellas. I just got back home and saw all the fuss. I don't know what exactly it was about that ZIP archive that violated Google's TOS, but I've never had that issue before. It's possible that maybe their AV scan flagged the browser password stealer tool or one of the powershell scripts as malicious. I'm not certain. I'll see if I can just re-zip the file and add a password to it and hope that it will allow it to get around their AV scan by not allowing it access. I'll play around with it and figure something out.

 

a885fc84f956be6726cd766004bbb95c.png

Edited by Enzym3

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


  • Recently Browsing   0 members

    No registered users viewing this page.

×