Automated sticky keys hack. Post exploitation it grabs browser passwords, history, and network passwords. Here’s the plan. We create a way to automate doing the sticky keys windows hack from a bootable USB which we can call as WinPirate. Then, we automate getting as many saved passwords as possible, drop a listener, and delete all traces that we were there.
All without being detected by antivirus. We should add a mimikittenz option if the computer was found running and unlocked, otherwise we can just run it later remotely.
How to Use WinPirate
Requirements : a linux bootable USB, this repo on the USB (not in the OS, just put it in the root directory)
Note : chromepasswords.py requires PyWin32
If the computer is locked:
- shutdown windows (make sure not hibernating by holding shift while pressing shut down)
- hit F12 and select USB
fdisk -l(note: if you’re on Kali Linux, run
mount /dev/WHATEVERTHEWINDOWSPARTITIONWASCALLED /media/windows -t ntfs
- run Stickykeys.sh
- restart and boot to Windows
- hit Shift 5 times fast, a command prompt will appear
- cd to the USB and run WinPirate.bat
If the computer isn’t locked:
cd to the USB and run Run.bat (this will run WinPirate.bat silently in the background, it should be done in < 10 seconds
- The chrome passwords grabber that I made is still a .py For it to work, I need to convert it to exe so it doesn’t require python to be installed on the system.
You can run it with
python chromepasswords.py -csvand it will decrypt the Chrome saved passwords database and export it as a CSV
- The sticky keys automation doesn’t speed the process up as much as I previously thought, as evident by the lengthy “How to Use” section
- I haven’t been able to write any tools that grab passwords for IE or Firefox