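Building a Wi-Fi Ducky remote HID attack device
1. Introduction to WIFI DUCKY
It is a Wi-Fi controlled BadUSB device for running Ducky Scripts remotely.
Keystroke injection attacks use a USB device that acts as a keyboard, and Hak5's USB Rubber Ducky is the hacker gadget for this kind of attack. It introduced a simple scripting language called Ducky Script, which this project uses as well.
The device uses an ESP8266 + ATMEGA32U4 to create a Wi-Fi network, over which scripts are uploaded, saved and run remotely to carry out the attack.
But why add Wi-Fi, you might ask.
With Wi-Fi, you can upload and run Ducky Scripts remotely.
Just plug the device in, connect to its Wi-Fi network, and you have full control of the target machine.
It also gives you one advantage over other BadUSB devices: you can test your scripts! You do not need to copy them to a micro-SD card or compile them. You can run them directly from the web interface, which makes testing and improving scripts very easy.
It also adds a lot of possibilities for different attacks. You can make the target download an executable from the Wi-Fi network instead of the Internet. Or carry out different attacks and send the results back. Or open a reverse shell over the ESP8266's Wi-Fi.
And so on... there are so many possibilities, so go ahead and start building!
2. Required materials:
1. CJMCU-Beetle Leonardo USB ATMEGA32U4
2. ESP8266-12F
3. AMS1117-3.3V power module
3. Required software:
ARDUINO IDE, download: https://www.arduino.cc/en/Main/Software
NodeMCU Flasher, download: https://github.com/nodemcu/nodemcu-flasher
4. Wiring diagram:
5. Flashing the firmware to the ESP8266
First, upload the following code to the Arduino: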
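// Serial bridge: forwards bytes between the USB serial port (Serial)
// and the hardware UART (Serial1) so the ESP8266 can be flashed through the Arduino.
int program_pin = 12;  // held LOW while the ESP8266 is being flashed
int enable_pin = 13;   // held HIGH

void setup() {
  Serial1.begin(115200);
  Serial.begin(115200);
  pinMode(enable_pin, OUTPUT);
  pinMode(program_pin, OUTPUT);
  digitalWrite(program_pin, LOW);
  digitalWrite(enable_pin, HIGH);
}

void loop() {
  // UART -> USB
  while (Serial1.available()) {
    Serial.write((uint8_t)Serial1.read());
  }
  // USB -> UART
  while (Serial.available()) {
    Serial1.write((uint8_t)Serial.read());
  }
}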
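Connect the device to the PC, open the Arduino IDE, and select the board and port.
Then click Upload to write the code to the Arduino.
Once the upload succeeds, go to https://github.com/spacehuhn/wifi_ducky/releases and download the esp8266_wifi_duck_4mb.bin firmware.
Then open the NodeMCU Flasher tool.
Set the parameters as follows.
Then select the firmware.
Select the port and click Flash to start writing the firmware.
After flashing completes, disconnect the GPIO0 wire so that the wiring looks as follows; you can then go on to the next step and upload the code.
6. Uploading the code to the ATMEGA32U4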
#include <Keyboard.h>

#define BAUD_RATE 57200
#define ExternSerial Serial1

String bufferStr = "";
String last = "";
int defaultDelay = 0;

void Press(String b);  // defined below

// Interpret one Ducky Script line
void Line(String _line) {
  int firstSpace = _line.indexOf(" ");
  if (firstSpace == -1) Press(_line);
  else if (_line.substring(0, firstSpace) == "STRING") {
    for (int i = firstSpace + 1; i < _line.length(); i++) Keyboard.write(_line[i]);
  }
  else if (_line.substring(0, firstSpace) == "DELAY") {
    int delaytime = _line.substring(firstSpace + 1).toInt();
    delay(delaytime);
  }
  else if (_line.substring(0, firstSpace) == "DEFAULTDELAY") defaultDelay = _line.substring(firstSpace + 1).toInt();
  else if (_line.substring(0, firstSpace) == "REM") {} // comment line, nothing to do
  else if (_line.substring(0, firstSpace) == "REPLAY") {
    int replaynum = _line.substring(firstSpace + 1).toInt();
    while (replaynum) {
      Line(last);
      --replaynum;
    }
  }
  else {
    // Key combination: press every space-separated key, release them all afterwards
    String remain = _line;
    while (remain.length() > 0) {
      int latest_space = remain.indexOf(" ");
      if (latest_space == -1) {
        Press(remain);
        remain = "";
      }
      else {
        Press(remain.substring(0, latest_space));
        remain = remain.substring(latest_space + 1);
      }
      delay(5);
    }
  }
  Keyboard.releaseAll();
  delay(defaultDelay);
}

// Press a single character or a named key; unknown names are ignored
void Press(String b) {
  if (b.length() == 1) Keyboard.press(char(b[0]));
  else if (b.equals("ENTER")) Keyboard.press(KEY_RETURN);
  else if (b.equals("CTRL")) Keyboard.press(KEY_LEFT_CTRL);
  else if (b.equals("SHIFT")) Keyboard.press(KEY_LEFT_SHIFT);
  else if (b.equals("ALT")) Keyboard.press(KEY_LEFT_ALT);
  else if (b.equals("GUI")) Keyboard.press(KEY_LEFT_GUI);
  else if (b.equals("UP") || b.equals("UPARROW")) Keyboard.press(KEY_UP_ARROW);
  else if (b.equals("DOWN") || b.equals("DOWNARROW")) Keyboard.press(KEY_DOWN_ARROW);
  else if (b.equals("LEFT") || b.equals("LEFTARROW")) Keyboard.press(KEY_LEFT_ARROW);
  else if (b.equals("RIGHT") || b.equals("RIGHTARROW")) Keyboard.press(KEY_RIGHT_ARROW);
  else if (b.equals("DELETE")) Keyboard.press(KEY_DELETE);
  else if (b.equals("PAGEUP")) Keyboard.press(KEY_PAGE_UP);
  else if (b.equals("PAGEDOWN")) Keyboard.press(KEY_PAGE_DOWN);
  else if (b.equals("HOME")) Keyboard.press(KEY_HOME);
  else if (b.equals("ESC")) Keyboard.press(KEY_ESC);
  else if (b.equals("BACKSPACE")) Keyboard.press(KEY_BACKSPACE);
  else if (b.equals("INSERT")) Keyboard.press(KEY_INSERT);
  else if (b.equals("TAB")) Keyboard.press(KEY_TAB);
  else if (b.equals("END")) Keyboard.press(KEY_END);
  else if (b.equals("CAPSLOCK")) Keyboard.press(KEY_CAPS_LOCK);
  else if (b.equals("F1")) Keyboard.press(KEY_F1);
  else if (b.equals("F2")) Keyboard.press(KEY_F2);
  else if (b.equals("F3")) Keyboard.press(KEY_F3);
  else if (b.equals("F4")) Keyboard.press(KEY_F4);
  else if (b.equals("F5")) Keyboard.press(KEY_F5);
  else if (b.equals("F6")) Keyboard.press(KEY_F6);
  else if (b.equals("F7")) Keyboard.press(KEY_F7);
  else if (b.equals("F8")) Keyboard.press(KEY_F8);
  else if (b.equals("F9")) Keyboard.press(KEY_F9);
  else if (b.equals("F10")) Keyboard.press(KEY_F10);
  else if (b.equals("F11")) Keyboard.press(KEY_F11);
  else if (b.equals("F12")) Keyboard.press(KEY_F12);
  else if (b.equals("SPACE")) Keyboard.press(' ');
  //else Serial.println("not found :'"+b+"'("+String(b.length())+")");
}

void setup() {
  Serial.begin(BAUD_RATE);
  ExternSerial.begin(BAUD_RATE);
  pinMode(13, OUTPUT);
  digitalWrite(13, HIGH);
  Keyboard.begin();
}

void loop() {
  if (ExternSerial.available()) {
    // Read everything the ESP8266 sent until the serial timeout.
    // (readStringUntil() takes a single char, so passing "END" was not a valid terminator.)
    bufferStr = ExternSerial.readString();
    Serial.println(bufferStr);
  }
  if (bufferStr.length() > 0) {
    // Normalise line endings, then run the script line by line
    bufferStr.replace("\r", "\n");
    bufferStr.replace("\n\n", "\n");
    while (bufferStr.length() > 0) {
      int latest_return = bufferStr.indexOf("\n");
      if (latest_return == -1) {
        Serial.println("run: " + bufferStr);
        Line(bufferStr);
        bufferStr = "";
      }
      else {
        Serial.println("run: '" + bufferStr.substring(0, latest_return) + "'");
        Line(bufferStr.substring(0, latest_return));
        last = bufferStr.substring(0, latest_return);  // remembered for REPLAY
        bufferStr = bufferStr.substring(latest_return + 1);
      }
    }
    bufferStr = "";
    ExternSerial.write(0x99);  // tell the ESP8266 the script has finished
    Serial.println("done");
  }
}
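Wait for the upload-success message, then unplug the device and reconnect it to the PC.
7. How to use it
Now, searching for Wi-Fi networks on a phone will find:
Wi-Fi network: WIFI DUCK, password: quackquack
Open a browser and go to http://192.168.4.1 to reach the management page.
Here you can upload, view, delete and run new Ducky Scripts.
Note that each line of a script can be at most 600 characters long.
How to write Ducky Scripts: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Duckyscript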
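As an added example (not part of the original post or of the wifi_ducky project): a small Python reviewer for a Ducky Script, for instance one recovered from such a device during an investigation, that applies the same line rules as the ATMEGA32U4 sketch above and the 600-character limit noted here. The function names and the sample script are constructed for illustration.

```python
# Added example: static review of a Ducky Script using the line rules of the
# ATmega32U4 sketch on this page. All names and the sample are constructed.
MAX_LINE = 600  # per-line limit stated on this page

# Key names the sketch's Press() recognises (single characters are accepted too)
KEYS = {"ENTER", "CTRL", "SHIFT", "ALT", "GUI", "UP", "UPARROW", "DOWN",
        "DOWNARROW", "LEFT", "LEFTARROW", "RIGHT", "RIGHTARROW", "DELETE",
        "PAGEUP", "PAGEDOWN", "HOME", "ESC", "BACKSPACE", "INSERT", "TAB",
        "END", "CAPSLOCK", "SPACE"} | {f"F{n}" for n in range(1, 13)}
ARG_COMMANDS = {"STRING", "DELAY", "DEFAULTDELAY", "REM", "REPLAY"}
NUMERIC = {"DELAY", "DEFAULTDELAY", "REPLAY"}


def review_line(line):
    """Classify one line the way Line() does; return (kind, detail, warnings)."""
    warnings = []
    if len(line) > MAX_LINE:
        warnings.append("line exceeds 600 characters")
    head, sep, rest = line.partition(" ")
    if sep and head in ARG_COMMANDS:
        if head in NUMERIC and not rest.strip().isdigit():
            warnings.append(f"{head} argument is not a number")
        return head, rest, warnings
    # Anything else is a key combination: each token is pressed, then all released
    tokens = [t for t in line.split(" ") if t]
    for tok in tokens:
        if len(tok) != 1 and tok not in KEYS:
            warnings.append(f"unknown key '{tok}' is silently ignored by the sketch")
    return "KEYS", "+".join(tokens), warnings


def review_script(text):
    """Normalise line endings, skip empty lines, review the rest."""
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    return [(n, *review_line(line)) for n, line in enumerate(lines, 1) if line]


def typed_text(report):
    """Text the script would type through STRING lines."""
    return [detail for _, kind, detail, _ in report if kind == "STRING"]


# Constructed sample script
SAMPLE = ("REM constructed sample\r\nDELAY 500\r\nGUI r\r\nSTRING notepad\r\n"
          "ENTER\r\nCTRL ALT DEL\r\nDELAY soon\r\n")

if __name__ == "__main__":
    for n, kind, detail, warnings in review_script(SAMPLE):
        print(n, kind, repr(detail), warnings)
```
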
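8. Updating the ESP8266 firmware through the web interface
If you want to update the firmware, you can do so through the web interface.
Go to 192.168.4.1/info and upload the new .bin file
(In the Arduino IDE, click Sketch->Export compiled Binary to build the .bin file)
9. Build process video (raw, unsubtitled)
*Video is being uploaded*
10. References
https://github.com/spacehuhn/wifi_ducky
https://github.com/basic4/WiDucky
http://www.cnblogs.com/k1two2/p/6849941.html (a demo by user "g0ttl" is at the end of that article)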