one2 Posted December 31, 2016

I purchased the Rubber Ducky recently to grab Windows login creds from Windows 10. I was unaware at the time that it wouldn't work quite as solidly on 10 as it does on older versions of Windows. After testing on various other versions and having it upload the .creds to my server, nothing happened when I attempted it on my target machine (Windows 10). I played around with it quite a bit and finally got the .creds uploading, but with 0 data. Doing some research I came across this page explaining using PowerMemory to edit the registry for storing plaintext credentials. I did this the manual way, rebooted, and voilà, I have my .creds file on the server with the credentials. However, this was done on a test machine and not my target machine.

HERE IS MY REQUEST: Does anyone have, or could anyone write, a payload to automate this process in a stealthy manner, much like the Mr Robot payload? Maybe I am overlooking something, as I am so new to this. Also, it could be possible that it would have worked without PowerMemory editing the registry, as I disabled Windows Defender before trying PM because I had seen it block some MK features during my previous attempts. Any feedback would be greatly appreciated!
jermzz Posted January 2, 2017

It's not going to work if it needs to run before and after a reboot, issuing different keystrokes, especially if it needs to enter an unknown login password.
one2 Posted January 2, 2017

8 minutes ago, jermzz said: It's not going to work if it needs to run before and after a reboot, issuing different keystrokes, especially if it needs to enter an unknown login password.

Yeah, I guess I should have specified that I would like to primarily add the registry modification into the stealth payload (pulling up the registry and modifying the WDigest "UseLogonCredential" to 1) on the first run, rather than either loading up PowerMemory or modifying the registry manually (allotted time would be minimal). Then wait for the target machine to be rebooted before inserting the RD once more to grab the plaintext.
jermzz Posted January 2, 2017

3 minutes ago, one2 said: Yeah, I guess I should have specified that I would like to primarily add the registry modification into the stealth payload (pulling up the registry and modifying the WDigest "UseLogonCredential" to 1) on the first run, rather than either loading up PowerMemory or modifying the registry manually (allotted time would be minimal). Then wait for the target machine to be rebooted before inserting the RD once more to grab the plaintext.

So you need two payloads :)
one2 Posted January 2, 2017

17 minutes ago, jermzz said: So you need two payloads :)

It appears so! I am very new to all of this and not entirely sure how to craft the entire payload to accomplish the following:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

Assuming that is the right command anyway.
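From the defender's side, the registry write discussed in this thread is the thing to watch for: UseLogonCredential should stay at 0 (the Windows 8.1+ default), and any write of 1 to that value is worth an alert. The following is an added example, not code from the thread or from PowerMemory; it scans constructed Sysmon Event ID 13 (RegistryEvent: SetValue) records, flattened here into one Field=Value|Field=Value line each, and flags the ones that turn plaintext credential caching back on.

```python
import re

# Constructed sample Sysmon Event ID 13 records flattened to one line each.
# Images and values are made up; the TargetObject/Details layout follows Sysmon.
SAMPLE_EVENTS = [
    "EventID=13|Image=C:\\Windows\\System32\\reg.exe"
    "|TargetObject=HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential"
    "|Details=DWORD (0x00000001)",
    "EventID=13|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|TargetObject=HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential"
    "|Details=DWORD (0x00000000)",  # hardening back to the default: benign
    "EventID=13|Image=C:\\Windows\\System32\\svchost.exe"
    "|TargetObject=HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel"
    "|Details=DWORD (0x00000001)",  # unrelated value set to 1: no alert
    "EventID=1|Image=C:\\Windows\\System32\\reg.exe|CommandLine=reg query HKLM",
]

# Match the value path case-insensitively (SYSTEM vs System, HKLM spelling varies).
WDIGEST_VALUE = re.compile(
    r"\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential$",
    re.IGNORECASE)
DWORD_DETAILS = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")

def parse_event(line):
    """Split a flattened record into a field dict; values may themselves contain '='."""
    return dict(field.split("=", 1) for field in line.split("|"))

def is_wdigest_enable(event):
    """True when a SetValue event writes UseLogonCredential = 1 (plaintext caching on)."""
    if event.get("EventID") != "13":
        return False
    if not WDIGEST_VALUE.search(event.get("TargetObject", "")):
        return False
    m = DWORD_DETAILS.fullmatch(event.get("Details", ""))
    return m is not None and int(m.group(1), 16) == 1

def find_alerts(lines):
    """Return (image, target) pairs for every event that re-enabled WDigest caching."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if is_wdigest_enable(event):
            alerts.append((event.get("Image", "?"), event["TargetObject"]))
    return alerts

if __name__ == "__main__":
    for image, target in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {image} set {target} to 1; expected 0 (Windows 8.1+ default)")
```

In a real deployment the same rule would run over Sysmon's event stream (or Windows Security Event ID 4657 with auditing on that key), and remediation is simply writing the value back to 0.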
xcoder Posted January 6, 2017

Beginning with Windows 8.1, the plaintext of a user's password is usually no longer kept in memory.