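EXTENSION OS_DETECTION
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
USB Rubber Ducky Host OS Detection
Generic OS detection at a high view is a moving target
results may vary greatly depending
on a combination of many variables:
- number of testing stages
- specific devices and versions tested against
- number of systems testing for (scope)
- detection techniques (passive/invisible/active/hybrid)
- overall speed
- overall accuracy

If all you require is windows vs <anything other os> detection, the
PASSIVE_WINDOWS_DETECT extension is recommended over this extension.

TARGET:
DEFAULT - Windows, Mac, Linux
ADVANCED_DETECTION - Windows, Mac, Linux, iOS, ChromeOS, Android

USAGE:
Uncomment the function call below to run this extension inline (here)
or call DETECT_OS() anywhere in your payload after the extension
Place this extension and the DETECT_OS() before
you would like to first reference $_OS to execute payload code conditionally

RESULT:
DETECT_OS() leaves its verdict in $_OS (one of WINDOWS, LINUX, MACOS and,
with ADVANCED_DETECTION, IOS, CHROMEOS, ANDROID). It restores the host's
keyboard lock state before returning, but every lock-key toggle it sends
is still visible to the host as ordinary keyboard input.

HOW IT WORKS:
Stage 1 toggles CAPSLOCK and waits HOST_RESPONSE_TIMEOUT for the host to
answer with a keyboard lock LED report. No reply -> MACOS. A reply is split
by how many configuration requests the host issued during enumeration:
more than WINDOWS_HOST_REQUEST_COUNT -> WINDOWS, otherwise LINUX.
Stage 2 (ADVANCED_DETECTION only) reconnects and repeats the LED probe with
NUMLOCK and SCROLLLOCK to separate ChromeOS/Android from Linux and iOS
from macOS. Every branch is a heuristic, not a proof; see FEEDBACK.

FEEDBACK:
As mentioned above, this is a moving target (especially for mac systems)
Please report any issues identifying specific operating systems.
Your feedback will greatly help solidify the robustness of this extension

DEBUGGING:
SET DEBUGGING_OUTPUT DEFINE to TRUE, deploy on a target with text editor open for debug output
Debug output is typed as keystrokes into whatever window has focus.
END_REM

REM CONFIGURATION:
REM For Debugging:
DEFINE #DEBUGGING_OUTPUT FALSE
DEFINE #ADVANCED_DETECTION FALSE
REM Timing fine tuning:
REM STARTUP_DELAY: time allowed for enumeration before the first probe
DEFINE #STARTUP_DELAY 1500
REM RESTART_WAIT / CONNECT_WAIT: pause around the ADVANCED soft reconnect
DEFINE #RESTART_WAIT 1000
DEFINE #CONNECT_WAIT 1000
REM Identity the device enumerates with while probing
DEFINE #OS_DETECT_MODE HID
DEFINE #OS_DETECT_VID VID_05AC
DEFINE #OS_DETECT_PID PID_021E
REM Hosts issuing more configuration requests than this are called Windows
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
REM How long to wait for the host's lock LED report after each toggle
DEFINE #HOST_RESPONSE_TIMEOUT 1000

REM DETECT_OS(): probe the host and store the verdict in $_OS.
REM Side effects: toggles lock keys on the host (restored at the end),
REM drives the on-board LED (red while waiting, green on a reply),
REM and with ADVANCED_DETECTION may disconnect/reconnect the device.
FUNCTION DETECT_OS()
    REM Reset the enumeration counter so stage 1 only counts this session
    $_HOST_CONFIGURATION_REQUEST_COUNT = 0
    ATTACKMODE #OS_DETECT_MODE #OS_DETECT_VID #OS_DETECT_PID
    DELAY #STARTUP_DELAY
    SAVE_HOST_KEYBOARD_LOCK_STATE

    IF_DEFINED_TRUE #DEBUGGING_OUTPUT
        IF_DEFINED_TRUE #ADVANCED_DETECTION
            STRING ADVANCED OS DETECT
        ELSE_DEFINED
            STRING OS DETECT
        END_IF_DEFINED

        ENTER
        STRING test caps
    END_IF_DEFINED

    REM Stage 1: toggle CAPSLOCK and wait for the host's LED report.
    REM NOTE(review): if CAPSLOCK is already on at plug-in no toggle is sent
    REM and the verdict rests on whatever LED reply arrived during
    REM enumeration - confirm this is intended.
    IF ($_CAPSLOCK_ON == FALSE) THEN
        LED_R
        CAPSLOCK
        DELAY #HOST_RESPONSE_TIMEOUT
    END_IF
    LED_OFF

    IF_DEFINED_TRUE #DEBUGGING_OUTPUT
        ENTER
        STRING test done
    END_IF_DEFINED

    IF $_RECEIVED_HOST_LOCK_LED_REPLY THEN
        IF_DEFINED_TRUE #DEBUGGING_OUTPUT
            ENTER
            STRING received led response
        END_IF_DEFINED
        LED_G
        REM A reply was received: split Windows from Linux by request count
        IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
            IF_DEFINED_TRUE #DEBUGGING_OUTPUT
                ENTER
                STRING prediction: Windows
            END_IF_DEFINED
            $_OS = WINDOWS
        ELSE
            IF_DEFINED_TRUE #DEBUGGING_OUTPUT
                ENTER
                STRING prediction: Linux
            END_IF_DEFINED
            $_OS = LINUX
        END_IF
    ELSE
        REM No LED report within the timeout is treated as macOS
        IF_DEFINED_TRUE #DEBUGGING_OUTPUT
            ENTER
            STRING no led response
            ENTER
            STRING prediction: MacOS
        END_IF_DEFINED
        $_OS = MACOS
    END_IF

    REM Stage 2 (optional): refine the stage 1 verdict with more probes
    IF_DEFINED_TRUE #ADVANCED_DETECTION
        IF ( $_OS == LINUX ) THEN
            REM Soft reconnect, then use NUMLOCK / SCROLLLOCK replies to
            REM separate ChromeOS and Android from Linux
            IF_DEFINED_TRUE #DEBUGGING_OUTPUT
                ENTER
                STRING soft reconnect
            END_IF_DEFINED
            ATTACKMODE OFF
            DELAY #RESTART_WAIT
            ATTACKMODE #OS_DETECT_MODE #OS_DETECT_VID #OS_DETECT_PID
            DELAY #CONNECT_WAIT
            IF_DEFINED_TRUE #DEBUGGING_OUTPUT
                ENTER
                STRING reconnected
            END_IF_DEFINED
            REM Only probe further if the host re-asserted CAPSLOCK after reconnect;
            REM otherwise the LINUX verdict from stage 1 stands
            IF ($_CAPSLOCK_ON == TRUE) THEN
                IF_DEFINED_TRUE #DEBUGGING_OUTPUT
                    ENTER
                    STRING caps led on
                    ENTER
                    STRING test numlock
                END_IF_DEFINED
                NUMLOCK
                DELAY #HOST_RESPONSE_TIMEOUT
                IF_DEFINED_TRUE #DEBUGGING_OUTPUT
                    ENTER
                    STRING test done
                END_IF_DEFINED
                IF ($_NUMLOCK_ON == FALSE) THEN
                    IF_DEFINED_TRUE #DEBUGGING_OUTPUT
                        ENTER
                        STRING no numlock led
                        ENTER
                        STRING prediction: ChromeOS
                    END_IF_DEFINED
                    $_OS = CHROMEOS
                ELSE
                    IF_DEFINED_TRUE #DEBUGGING_OUTPUT
                        ENTER
                        STRING numlock led on
                        ENTER
                        STRING testing scrolllock
                    END_IF_DEFINED
                    SCROLLLOCK
                    DELAY #HOST_RESPONSE_TIMEOUT
                    IF_DEFINED_TRUE #DEBUGGING_OUTPUT
                        ENTER
                        STRING test done
                    END_IF_DEFINED
                    IF ($_SCROLLLOCK_ON == TRUE) THEN
                        IF_DEFINED_TRUE #DEBUGGING_OUTPUT
                            ENTER
                            STRING scrolllock led on
                            ENTER
                            STRING prediction: Android
                        END_IF_DEFINED
                        $_OS = ANDROID
                    ELSE
                        IF_DEFINED_TRUE #DEBUGGING_OUTPUT
                            ENTER
                            STRING no scrolllock reply
                            ENTER
                            STRING prediction: Linux
                        END_IF_DEFINED
                        $_OS = LINUX
                    END_IF
                END_IF
            END_IF
        ELSE IF ($_OS == MACOS) THEN
            REM A CAPSLOCK LED that did come on separates iOS from macOS
            IF ($_CAPSLOCK_ON == TRUE) THEN
                IF_DEFINED_TRUE #DEBUGGING_OUTPUT
                    ENTER
                    STRING caps led on
                    ENTER
                    STRING prediction: iOS
                END_IF_DEFINED
                $_OS = IOS
            ELSE
                IF_DEFINED_TRUE #DEBUGGING_OUTPUT
                    ENTER
                    STRING no caps reply
                    ENTER
                    STRING prediction: MacOS
                END_IF_DEFINED
                $_OS = MACOS
            END_IF
        ELSE IF ($_OS == WINDOWS) THEN
            REM No second stage for Windows; the stage 1 verdict is kept
            IF_DEFINED_TRUE #DEBUGGING_OUTPUT
                ENTER
                STRING Confident Windows Prediction
            END_IF_DEFINED
            $_OS = WINDOWS
        END_IF
    END_IF_DEFINED

    REM Undo the lock-key toggles so the host is left as it was found
    RESTORE_HOST_KEYBOARD_LOCK_STATE

    IF_DEFINED_TRUE #DEBUGGING_OUTPUT
        ENTER
        STRING OS_DETECT complete
        ENTER
    END_IF_DEFINED
END_FUNCTION

REM Uncomment the function call below to run this extension inline (here)
REM or call DETECT_OS() anywhere in your payload after the extension
REM DETECT_OS()
END_EXTENSION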