Jump to content

Super devious exfiltration


richrumble
 Share

Recommended Posts

I've noticed if you use the OnScreeKeyboard (osk.exe for windows) that each key that is pressed on that KB seems to register with the physical keyboard, like the two are working on a parrallel line, each can see what the other is doing.

Could the rubberducky sniff/record keystrokes, or could a keystroke logger, and you could base64 or hex encode binaries without the need for USB drive, Network or Wifi?

The RD might have to first write a keyboarding exe/binary to the HDD first, then type/echo binary.exe through the keyboarding program, then sniff. Maybe it's been done?

Perhaps ducky is always listening for some arbitrary BOF and EOF sequence and can "record" until EOF

nineninesinarow (BOF)

4D5A90`v```!```$$``B8```````40```````````````````````````````````80```0E1FBA0E`B409CD21B8^[CD21546869732070726Fb72P6D20YP6E6E6F%2062652072756E20696E20&4F53206D6FR652E0D0D0A~```````_u``[^v`*7Ds52````````E0`Tv>^'15`B0v``=```D0!`A07F#``E0!``90#```40``=```'``!```^```!````````A0#``=``````v`````20``=````=``=``````=````````````90#`D8```````````````````````````````````````````````````````````94S#`k```````````````````````````````````````````````````55_58i`````D0!``=```````'``````````````80``E055_5831`````B0v``E0!``Kv``'``````````````40``E055_58j`````=```90#``'```AEv`````````````40``C0332EiL`55_58210D090E0AxE31DF3C9c20BB@58#`.fv``1A#`490E`62kv`2AA36D5C2327F3A4A1]1De;70.7BD576E3)e07E5FCC755CAB691W(d&SVCEQk5959D8}0A1FE911AAC3'E3$1ACF9946B2.A2F7,fC8Y705670143319o49EAEA71139A^71Hs90dABb5B4F620DBCB24375EEA8$F2&C0^SUCDDC7ED25DD8,wFCD8FDF1w2A*Lz3Fq}826FDAA768c~3Cr28F4A691C7138F22B21D562698A6910C31F4d42A5^9A`5E77EA42s91C32AB9)/nC6$09bCAA8=8DK0AA9B5CD91rA3F4@6D41QA958'54CD7By95^)FE 12 6E719AdE15DF8A1XF085CE25CEC0P1585FED2YDF:3C75D47D3111AD2540252ED9DB%68F222E9E12A8A*YBFC2D8#UD2C09EDFut4BC5E1l_2C29555D35/43a0E7Eo:0AqCE2765710A)c-7EEACB6BtF3EDEE.c65CB52C92FDF8596233EF1F3,85TD1F3@6831ADC25E7B72D6>/BCC0B65C59D5F6F3221F40X,:BB7Ea5AE3zA97B6828SZ2ECCB5C9B06858C0C81C54A7540DE3u3CA5_8A%F7g0D517EE9)+7E-yF3A6oi8D54T623151EDd1AR^9DCAm71BC1D5E342ACCE0A7E92CFC20 GB5AEZA0Nh}9111CB8AD2A73FjDAC26DC5d960D221AAD12D5C2B626+=E1B972AE46A1W0CXC9A8S7BO5615B1BC?98F0AE12gC6H$90Q9A211CC0:}51I`0D5AAEt
etc...

eighteightsinarow (EOF)

RD types a keyboarding binary to the HDD, types a decode script, runs against the base64 and turns it into kb.exe again. The EXE can accept other base64 input piped into it, and it can buffer and slow down the pipe to a rate the RD can handle. Inception duck.

I was reading about the Exfiltrator, but when I found out it just uses/comes with a USB 4G flash drive, I was all "lame... I'd keylog a file myself and get the files that way". So I'm going to go buy the Delux now :) I hope some one can code a small keystroke maker or there is another way to echo base64/hex on to the KB bus to record. Might have to be small files only, but they can have some good info in them too.

EDIT

It could be scriptable... windows has "sendkeys", so maybe that could work. The kb.exe could actually do the base64 converion of a binary (or other data)to then be captured by a keylogger or RD itself.

-rich

Edited by richrumble
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...