elkentaro Posted March 6, 2017

So I started to work on the Bash Bunny to be able to handle non-US keyboard layout attacks for ATTACKMODE HID. To enable the SET_LANGUAGE option you need to add a [LanguageDescription].json under /root/tools/language. I used the default "us.json" as a working template. (You want to back it up and copy it, and not work off the original file.)

Here is an example of a Japanese keyboard layout description file (i.e. ja.json; however, you can make it ja_win.json for specific environments):

---ja.json (created under /root/tools/languages/ )---

{
  "__comment": "All numbers here are in hex format and 0x is ignored.",
  "__comment": " ",
  "__comment": "This list is in ascending order of 3rd byte (HID Usage ID).",
  "__comment": " See section 10 Keyboard/Keypad Page (0x07)",
  "__comment": " of document USB HID Usage Tables Version 1.12.",
  "__comment": " ",
  "__comment": "Definition of these 3 bytes can be found",
  "__comment": " in section B.1 Protocol 1 (Keyboard)",
  "__comment": " of document Device Class Definition for HID Version 1.11",
  "__comment": " - byte 1: Modifier keys",
  "__comment": " - byte 2: Reserved",
  "__comment": " - byte 3: Keycode 1",
  "__comment": " ",
  "__comment": "Both documents can be obtained from link here",
  "__comment": " http://www.usb.org/developers/hidpage/",
  "__comment": " ",
  "__comment": "A = LeftShift + a, { = LeftShift + [",
  "__comment": " ",
  "CTRL": "01,00,00",
  "CONTROL": "01,00,00",
  "SHIFT": "02,00,00",
  "ALT": "04,00,00",
  "GUI": "08,00,00",
  "WINDOWS": "08,00,00",
  "CTRL-ALT": "05,00,00",
  "CTRL-SHIFT": "03,00,00",
  "ALT-SHIFT": "06,00,00",
  "__comment": "Below 5 key combinations are for Mac OSX",
  "__comment": "Example: (COMMAND-OPTION SHIFT t) to open terminal",
  "COMMAND": "08,00,00",
  "COMMAND-CTRL": "09,00,00",
  "COMMAND-CTRL-SHIFT": "0B,00,00",
  "COMMAND-OPTION": "0C,00,00",
  "COMMAND-OPTION-SHIFT": "0E,00,00",
  "a": "00,00,04", "A": "02,00,04",
  "b": "00,00,05", "B": "02,00,05",
  "c": "00,00,06", "C": "02,00,06",
  "d": "00,00,07", "D": "02,00,07",
  "e": "00,00,08", "E": "02,00,08",
  "f": "00,00,09", "F": "02,00,09",
  "g": "00,00,0a", "G": "02,00,0a",
  "h": "00,00,0b", "H": "02,00,0b",
  "i": "00,00,0c", "I": "02,00,0c",
  "j": "00,00,0d", "J": "02,00,0d",
  "k": "00,00,0e", "K": "02,00,0e",
  "l": "00,00,0f", "L": "02,00,0f",
  "m": "00,00,10", "M": "02,00,10",
  "n": "00,00,11", "N": "02,00,11",
  "o": "00,00,12", "O": "02,00,12",
  "p": "00,00,13", "P": "02,00,13",
  "q": "00,00,14", "Q": "02,00,14",
  "r": "00,00,15", "R": "02,00,15",
  "s": "00,00,16", "S": "02,00,16",
  "t": "00,00,17", "T": "02,00,17",
  "u": "00,00,18", "U": "02,00,18",
  "v": "00,00,19", "V": "02,00,19",
  "w": "00,00,1a", "W": "02,00,1a",
  "x": "00,00,1b", "X": "02,00,1b",
  "y": "00,00,1c", "Y": "02,00,1c",
  "z": "00,00,1d", "Z": "02,00,1d",
  "1": "00,00,1e", "!": "02,00,1e",
  "2": "00,00,1f", "\"": "02,00,1f",
  "#": "02,00,20",
  "4": "00,00,21", "$": "02,00,21",
  "5": "00,00,22", "%": "02,00,22",
  "6": "00,00,23", "&": "02,00,23",
  "7": "00,00,24", "'": "02,00,24",
  "8": "00,00,25", "(": "02,00,25",
  "9": "00,00,26", ")": "02,00,26",
  "0": "00,00,27",
  "ENTER": "00,00,28",
  "ESC": "00,00,29",
  "ESCAPE": "00,00,29",
  "BACKSPACE": "00,00,2a",
  "TAB": "00,00,2b",
  "ALT-TAB": "04,00,2b",
  "SPACE": "00,00,2c",
  " ": "00,00,2c",
  "-": "00,00,2d", "=": "02,00,2d",
  "^": "00,00,2e", "~": "02,00,2e",
  "@": "00,00,2f", "`": "02,00,2f",
  "[": "00,00,30", "{": "02,00,30",
  "]": "00,00,32", "}": "02,00,32",
  ";": "00,00,33", "+": "02,00,33",
  ":": "00,00,34", "*": "02,00,34",
  ",": "00,00,36", "<": "02,00,36",
  ".": "00,00,37", ">": "02,00,37",
  "\/": "00,00,38", "?": "02,00,38",
  "CAPSLOCK": "00,00,39",
  "F1": "00,00,3a",
  "F2": "00,00,3b",
  "F3": "00,00,3c",
  "F4": "00,00,3d",
  "F5": "00,00,3e",
  "F6": "00,00,3f",
  "F7": "00,00,40",
  "F8": "00,00,41",
  "F9": "00,00,42",
  "F10": "00,00,43",
  "F11": "00,00,44",
  "F12": "00,00,45",
  "PRINTSCREEN": "00,00,46",
  "SCROLLLOCK": "00,00,47",
  "PAUSE": "00,00,48",
  "BREAK": "00,00,48",
  "INSERT": "00,00,49",
  "HOME": "00,00,4a",
  "PAGEUP": "00,00,4b",
  "DELETE": "00,00,4c",
  "DEL": "00,00,4c",
  "END": "00,00,4d",
  "PAGEDOWN": "00,00,4e",
  "RIGHTARROW": "00,00,4f",
  "RIGHT": "00,00,4f",
  "LEFTARROW": "00,00,50",
  "LEFT": "00,00,50",
  "DOWNARROW": "00,00,51",
  "DOWN": "00,00,51",
  "UPARROW": "00,00,52",
  "UP": "00,00,52",
  "NUMLOCK": "00,00,53",
  "MENU": "00,00,65",
  "APP": "00,00,65",
  "\\": "00,00,87", "_": "02,00,87",
  "\\": "00,00,89", "|": "02,00,89"
}

There are still some caveats I need to work out. Somehow I can't get " ¥,| " (USB HID Keycode 87) and " ¥_ " (USB HID Keycode 89) to work, but the rest seems fine. (I suspect that this is due to the fact that these keys do not exist on a regular 101-key US keyboard and there are no modifier combinations to trigger them either, which is going to be problematic since they are used as a backslash in file paths. But I'll work some more to figure it out.)

Workaround for Windows: For Windows you can use PowerShell to set the layout to a US keyboard by using "New-WinUserLanguageList en-US", which installs a US keyboard layout, then issue a "Set-WinUserLanguageList -LanguageList en-US" to set the default layout to a US keyboard. It's a bit slower, but if you have the time, this way is easier. You do need to reset the settings by issuing another Set-WinUserLanguageList -LanguageList [WHATEVERLANGUAGE] it was, otherwise the compromise will be detected.

----sample payload.txt---

#!/bin/bash
ATTACKMODE HID VID_0x45E PID_0x07B3
Q SET_LANGUAGE ja
Q DELAY 5000
Q STRING starting with ja language option
Q ENTER
Q switch1/quack.txt
Q ENTER
Q DELAY 200
Q ENTER
STRING done
LED R

---quack.txt (to test basic and special characters)---

STRING quacking
DELAY 2000
ENTER
DELAY 750
STRING abcdefghijklmnop
DELAY 500
ENTER
STRING ABCDEFGHIJKLMNOP
DELAY 500
ENTER
STRING 1234567890-^\
DELAY 500
ENTER
STRING !"#$%&'()0=~|
DELAY 500
ENTER
STRING @[;:],./
DELAY 500
ENTER
STRING `{+*}<>?
DELAY 500
ENTER
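A layout file in the format described above is plain JSON, and a plain JSON parser silently keeps only the last value when a key appears twice (the ja.json above lists "\\" twice, once for keycode 87 and once for 89). The following checker is an added example written for this thread, not code from the Bash Bunny or from elkentaro: it loads a layout with duplicate-key detection, validates each "modifier,reserved,keycode" entry, reports two different characters that resolve to the same chord, lists printable ASCII characters the layout cannot type, and shows how a STRING is turned into 8-byte USB HID boot-keyboard reports (modifier byte, reserved byte, six keycode slots). The small layout embedded in SAMPLE_LAYOUT is constructed for the demonstration and is not the full ja.json.

```python
import json
from collections import Counter

# Constructed sample in the same format as a Bash Bunny language file
# (a few entries only, not the real ja.json). The repeated "\\" key
# reproduces the collision from the post: json.loads keeps only the last one.
SAMPLE_LAYOUT = r'''{
  "__comment": "byte 1: modifiers, byte 2: reserved, byte 3: keycode (hex)",
  "SHIFT": "02,00,00",
  "a": "00,00,04", "A": "02,00,04",
  "2": "00,00,1f", "\"": "02,00,1f",
  "ENTER": "00,00,28",
  " ": "00,00,2c",
  "\\": "00,00,87", "_": "02,00,87",
  "\\": "00,00,89", "|": "02,00,89",
  "bad": "00,00,zz"
}'''


def load_layout(text):
    """Parse a layout file into (mapping, findings).

    Findings describe duplicate keys, which a plain json.loads() would hide
    because the later value silently overwrites the earlier one.
    """
    findings = []

    def on_pairs(pairs):
        # __comment is repeated on purpose in these files, so it is ignored here.
        seen = Counter(k for k, _ in pairs if k != "__comment")
        for key, count in seen.items():
            if count > 1:
                findings.append(
                    f"duplicate key {key!r} appears {count} times; only the last value is kept")
        return dict(pairs)

    mapping = json.loads(text, object_pairs_hook=on_pairs)
    mapping = {k: v for k, v in mapping.items() if k != "__comment"}
    return mapping, findings


def parse_entry(value):
    """'02,00,04' -> (modifier, reserved, keycode) as ints; ValueError if malformed."""
    parts = value.split(",")
    if len(parts) != 3:
        raise ValueError(f"expected 3 comma-separated hex bytes, got {value!r}")
    mod, res, key = (int(p, 16) for p in parts)
    if not all(0 <= b <= 0xFF for b in (mod, res, key)):
        raise ValueError(f"byte out of range in {value!r}")
    return mod, res, key


def check_layout(mapping):
    """Report malformed entries, a non-zero reserved byte, and two different
    single characters that resolve to the same (modifier, keycode) chord.
    Multi-character names (CTRL/CONTROL, ESC/ESCAPE) are aliases by design
    and are not treated as collisions."""
    findings = []
    chords = {}
    for name, value in mapping.items():
        try:
            mod, res, key = parse_entry(value)
        except ValueError as exc:
            findings.append(f"{name!r}: {exc}")
            continue
        if res != 0:
            findings.append(f"{name!r}: reserved byte should be 00, got {res:02x}")
        if len(name) == 1:
            other = chords.setdefault((mod, key), name)
            if other != name:
                findings.append(
                    f"{name!r} and {other!r} both map to modifier {mod:02x} keycode {key:02x}")
    return findings


def missing_printable(mapping):
    """Printable ASCII characters (0x20-0x7e) that this layout cannot type."""
    return [chr(c) for c in range(0x20, 0x7F) if chr(c) not in mapping]


def string_to_reports(mapping, text):
    """Translate a STRING payload into USB HID boot-keyboard reports:
    [modifier, reserved, key1..key6], each press followed by an all-released report."""
    reports = []
    for ch in text:
        mod, _, key = parse_entry(mapping[ch])
        reports.append(bytes([mod, 0, key, 0, 0, 0, 0, 0]))
        reports.append(bytes(8))  # release every key before the next character
    return reports


if __name__ == "__main__":
    layout, problems = load_layout(SAMPLE_LAYOUT)
    problems += check_layout(layout)
    for line in problems:
        print("finding:", line)
    print("untypable printable ASCII:", "".join(missing_printable(layout)))
    for report in string_to_reports(layout, "A "):
        print(report.hex())
```

Run against a real ja.json (open the file and pass its contents to load_layout) to see whether a character you expect to type is missing, shadowed by a duplicate key, or sharing a chord with another character; those are the three failure modes that make a STRING come out wrong on a non-US layout.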
VincBreaker Posted March 8, 2017

Nice tutorial, I will surely make use of it since I already have a fairly good enough mapping for German from my Ducky2Digi transpiler. (Since a Ducky was too expensive / not worth it for me, I once bought a small crappy Arduino alternative and was too lazy to translate all Ducky payloads by hand, so I took the definitely smaller effort of writing a small compiler :P)
elkentaro Posted March 10, 2017 (edited)

So in case your target is a Windows operating system with PowerShell, you could set up 2 Set-WinUserLanguageList payloads:

1. To set the keyboard layout to en-US (US keyboard layout).
2. To set it back to whatever layout you want.

--------Example payload.txt---

#!/bin/bash
ATTACKMODE HID VID_0x45E PID_0x0061
Q DELAY 4000
Q switch1/setUS.txt    <-------- This sets the layout to en-US
Q DELAY 2000
Q switch1/quack.txt    <------ Actual payload script
Q ENTER
Q DELAY 500
Q switch1/setJP.txt    <-------- Reset it back to default layout.
LED R

------Example SetUS.txt -----

GUI r
DELAY 500
STRING powershell -windowstyle hidden Set-WinUserLanguageList -LanguageList en-US -force
ENTER

------quack.txt (character testing payload) -----

GUI r
DELAY 1000
STRING notepad.exe
ENTER
DELAY 2000
STRING quacking
DELAY 2000
ENTER
DELAY 750
STRING abcdefghijklmnopqrstuvwxyz
DELAY 1000
ENTER
STRING ABCDEFGHIJKLMNOPQRSTUVWXYZ
DELAY 1000
ENTER
STRING 1234567890-^\\
DELAY 500
ENTER
STRING !"#$%&'()0=~|
DELAY 500
ENTER
STRING @[;:],./
DELAY 500
ENTER
STRING `{+*}<>?
DELAY 500
ENTER

The PowerShell parameters "-windowstyle hidden" and "-force" will run the PowerShell without any need for confirmation.

Edited March 10, 2017 by elkentaro
elkentaro Posted April 5, 2017 (edited)

So yeah, I think the issue is with basic keys that don't exist on a US keyboard (which could include media keys like Volume Up etc.). I assume this is due to the HID descriptor being passed; however, I'm not sure if modifying the HID descriptor is the way to go... so for now, using PowerShell to remap the default keyboard layout seems the safest way to go.

Edited April 5, 2017 by elkentaro: added some more text.