As always, Mr. Robot has proven fascinating in its story line and realistic in its hacking. In episode 6 of Season 2, Angela, Elliot's best friend and now a junior executive at E Corp, is looking for information on the toxic chemical leak by E Corp that killed both her mother and Elliot's father. Angela social engineers her boss's secretary to get into his office and then uses a USB Rubber Ducky to extract his passwords in cleartext (unencrypted). This will presumably give her access to damning information on the Washington Township toxic leak.
Angela made it seem easy to get the boss's password, and in reality it is, if you know what you are doing.
In this tutorial we will discuss and show how a USB device can be used to extract passwords from a Windows machine in clear text, just the way Angela did in this episode of Mr. Robot. Windows stores passwords on disk as hashes, not in clear text; what makes this attack work is that the Local Security Authority process (lsass.exe) keeps credentials for every logged-on user in memory, and on older or unhardened systems some of those credential providers (WDigest in particular) hold the actual password rather than a hash.
A Rubber Ducky is a USB device that emulates a USB keyboard. Each USB device tells the operating system what type of device it is, for instance storage, printer, mouse or keyboard. The Rubber Ducky's firmware identifies it to the host as a HID keyboard rather than as storage, and as soon as it is plugged in it replays a scripted sequence of keystrokes. Because the operating system trusts keyboard input, no driver prompt or autorun setting stands in the way; any system it is plugged into receives its input just as it would from a keyboard attached by a person. The only limits are the delays written into the script and what the logged-on user is allowed to run. You can buy one from Hak5, its maker, here for less than $50.
Angela really does not have the hacking skills necessary to extract the passwords herself, so the f/society team gave her a Rubber Ducky that does the work for her: the script loaded on the device runs mimikatz and steals the passwords. Mimikatz does not require a Rubber Ducky, but with the script on the device, Angela only needed to plug it in to get the password.
With a very limited amount of knowledge, you can use mimikatz to extract passwords without a Rubber Ducky.
The program Angela used to extract her boss's password is mimikatz. It was written by Benjamin Delpy, aka gentilkiwi, who developed it to teach himself C and to explore Windows security. It extracts various sets of Windows credentials (cleartext passwords, NTLM hashes, Kerberos tickets) from the live memory of the LSASS process. If the system is running and a user has logged on, mimikatz can get that user's credentials, with one important condition: reading LSASS memory requires local administrator rights (mimikatz requests SeDebugPrivilege with its privilege::debug command), so the attacker must already be an administrator on the box or be able to get past UAC.
Mimikatz has proven so powerful that Rapid7 has ported a version as a post-exploitation module in Metasploit. You can read about it in my tutorial here. Angela and f/society use the original standalone binary for this hack.
You can download the standalone version of mimikatz here.
It's important to note that mimikatz comes in both 32- and 64-bit builds. Use the one that matches the target's Windows architecture: a 32-bit mimikatz cannot read the memory of a 64-bit LSASS process, so on a 64-bit system it will be largely useless.
Let's take a look at how mimikatz works and how you can use it to retrieve users' passwords just like Angela did in this episode of Mr. Robot.