I like this attack so how can we upgrade/develop this?
I think we need to make lot keyboard support, and how we can add more command? like persistence, or disable UAC without notification?

Where i need to start? i want to add hungarian keyboard support/layout, and Binky said we need to edit sdcard/files/modules/keyseed.py but i dont know how .. :/

Hi,

I am looking for implementing French keyboard layout.
To achieve this, what I plan to do as POC is to change the hid-keylog line 39:

$scancode = $getKey::MapVirtualKey($vkey, $MAPVK_VSC_TO_VK_EX)
To use the MapVirtualKeyEx that allow to set a locale:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms646307(v=vs.85).aspx

My 2 cents on this, I have not tested already.

Edit: Simply inputting the correct scancode depending on the localle wanted in sdcard/files/modules/keyseed.py should work but seems heavy (but inevitable though)

Hi aemaeth2501,

Keep us posted on your progress!

Hi muts,

I will for sure but:
- I could only look at this lightly for the next 2 weeks since my OSCP exam is the october 17th ;)
- I am far from being an expert, but will be highly interested in contributing to this awesome project !

Keeps you posted :)

Hi all,
I managed to compile a quick SDL program that retrieve the scancode according to a keystroke.
From there I got the scancode list for the keyseed.py file for french layout.
Regarding this, what would be the best way to manage multiple locales in this file? Harcode switches by layout value? Use the java hashtable equivalent in python ?
Once this is defined, i'll add a locale list to the PHP file that calls the keyseed.py.
I might be able to send the SDL (and excel file) to anyone willing to implement another keyboard layout support. Just PM me.

Hi aemaeth2501, this is great news!
I suspect that adding a drop-down to the web interface where users can select their layouts would be the best idea. We will be swapping out the web interface soon, but having all the scripts and logic in place will help us when we port the web interface to a native anrdoid app... Please feel free to share the code!

Hi muts,

Here is the keyseed.py script modified. It has not been tested fully from the interface but by forcing the locale in the script it works well (needs to adjust the AltGr modifier key scancode though), since I'm not familiar with all the chain from php to this script in order to pass the right argument. As this was the more tedious task I prefer to give out the code, in case of someone has time in the next week to have a look to.

Also, the code for the SDL application outputing the correct scancode is attached. Beware : A and a will output the same scancode value. The modifier needs to be added in the keyseed.py.
395
394
Note:
On a french keyboard, the Ctrl+Alt+Key is required to type in some special characters (ex: []@\`). The modifier I used before does not seems to work. I removed those to avoid inputting trash. Though, considering the possibility for multiple layout, it has to be taken in account that all characters might not be acceptable for HID typing on different layout than US (unless, for the french layout case, that someone came up with the right scancode for the AltGr key).

Hy aemaeth250!

Can you make this foe hungarian layout pls? or can you make a tutorial or video how to make it for more layout?

Hi,

Unfortunately I got no more time since I have to prepare a certification exam (beside my actual job work).
Though, I can give you my methodology.

DISCLAIMER: I know that this seems tedious, I might not have used the best methodology, and using excel and such might seem lame but it does work :D

Refer to the excel file in attachment :396
- Compile the SDL source code, with SDL2.0 or later
- Open the Excel file
- The column SymbolUS indicates which character you have to type in the SDL executable windows
- It will output a scancode value that you should enter in the "Returned scancode" field
- If a modifier key is required (Shift, Alt or other), indicate it in the "Modifier Needed" column (keep the formatting and case)

From there, the "Scancode FR" and "New dict" column will be automatically calculated. Beware : I only implemented the Shift and AltGr modifier (the latter will return a void scancode since I did not already find the modifier code).

Once done, copy the content of the "New dict" column and add the following to the keyseed.py (replace XX by the layout identifier)
dict_XX = {
(Content of the "New dict column", with the latest comma removed)
}

Add the following line in findinlist method:


elif locale=="XX" : print '''echo -ne "''' +dict_XX[byte]+ '''" > /dev/hidg0'''


And If needed, add the following line in the win7cmd_elevated method (the "X" should be raplaced by the input key in US format used to confirm execution)


elif locale=="XX" : print '''echo --left-alt X | hid-keyboard /dev/hidg0 keyboard'''


For the moment, I only changed the win7cmd_elevated method, but same treatment will be applied to the other ones.

To test the overall, you need to change the keyseed.py (remove the local argument from methods, force the locale value to be the one you want to test) and you can use the following file (output on the computer should be the same as input).397

aemaeth2501,

Great write up! I've uploaded the excel file here:
https://docs.google.com/a/nethunter.com/spreadsheets/d/1l8vreBS3ecavr9pOfWn6Ut3psLle4_9qp9SvMJl9nDM/edit#gid=1163672638

For those who are a bit nervous/paranoid/scared about opening excel files...

Thank you for taking the time to do that and to provide detailed instructions on how you were able to port over the language.

Hi binkybear,

Here is a final version for the FR layout dictionnary (I finally found the AltGr modifier, equivalent to Ctrl+Alt). 399
Though, I removed 2 characters from it : the ~ and ` as they have tendecy to mangle the next character (both require a space to be printed). Ex: '`'then 'a' gives 'Ã*'.
As those might not be used in payload delivery, it is not an issue imho.

I cannot test on windows XP and 8 thoug (to understand how the cmd is popped principally).

Regarding integration to the UI, any information about the status of the Android application replacing the webserver ?

Note: In the previous post, do not forget to integrate the following lines at the end of the new dictionnary :


"\x0a": "\\x00\\x00\\x00\\x28\\x00\\x00\\x00\\x00",
"\x0d": "\\x00\\x00\\x00\\x28\\x00\\x00\\x00\\x00"

Hey aemaeth2501,

Thanks for the update, I pushed your changes to the french-keyboard branch on the github repo. One thing that prevents me from merging into the main branch is figuring out how to incorporate both layouts (EN/FR) into Nethunter. I'm unsure if we need to make two separate keyseed. Maybe have two layout files then copy each to keyseed.py on selection? Any thoughts?

The android application is still being worked on but I imagine "soon" is a good answer.

Hi binkybear,

The best would be to have a dropdown list in the php page, as for the OS selection (win7/win8). I did not made this since I could not find the php page corresponding (and lack of time). Indeed, this is why I used dictionnary feature in the latest keyseed.py file, and change the signature of the method to pass also the locale as parameter (for the moment, "us" or "fr").

(I promise, if I succeed at my OSCP exam and find time, I'll learn git and use it to facilitate your work)

Keep the good work !

Hi guys it seems you are all working on the keyboard type support.
In related to the playloads, is that possible to allow us programming the payloads by ourselves? And we can select different payloads from web panel to launch on the target.
Further more, by trade nexus device as USB storage, the payloads can execute certain program stored in nexus and launch on target machine (like mimikatz) and the result of execution can be save in nexus.

Hi and thanks for aemaeth2501 and binkybear. I going to trying compile Source.cpp because i want make spanish hid-keyboard and i give this compilation error. Help please:


root@LINUX:~/Descargas# i686-w64-mingw32-gcc source.cpp
/tmp/cc0ug0wH.o:source.cpp:(.text+0x23): undefined reference to `_SDL_Init'
/tmp/cc0ug0wH.o:source.cpp:(.text+0x57): undefined reference to `_SDL_CreateWindow'
/tmp/cc0ug0wH.o:source.cpp:(.text+0x75): undefined reference to `_SDL_CreateRenderer'
/tmp/cc0ug0wH.o:source.cpp:(.text+0x8c): undefined reference to `_SDL_RWFromFile'
/tmp/cc0ug0wH.o:source.cpp:(.text+0x9c): undefined reference to `_SDL_LoadBMP_RW'
/tmp/cc0ug0wH.o:source.cpp:(.text+0xb1): undefined reference to `_SDL_CreateTextureFromSurface'
/tmp/cc0ug0wH.o:source.cpp:(.text+0xbf): undefined reference to `_SDL_FreeSurface'
/tmp/cc0ug0wH.o:source.cpp:(.text+0xea): undefined reference to `_SDL_SetRenderDrawColor'
/tmp/cc0ug0wH.o:source.cpp:(.text+0xf7): undefined reference to `_SDL_WaitEvent'
/tmp/cc0ug0wH.o:source.cpp:(.text+0x132): undefined reference to `_SDL_DestroyTexture'
/tmp/cc0ug0wH.o:source.cpp:(.text+0x13d): undefined reference to `_SDL_DestroyRenderer'
/tmp/cc0ug0wH.o:source.cpp:(.text+0x148): undefined reference to `_SDL_DestroyWindow'
/tmp/cc0ug0wH.o:source.cpp:(.text+0x14d): undefined reference to `_SDL_Quit'
/tmp/cc0ug0wH.o:source.cpp:(.text+0x17e): undefined reference to `_SDL_GetKeyName'
/usr/lib/gcc/i686-w64-mingw32/4.6/../../../../i686-w64-mingw32/lib/../lib/libmingw32.a(lib32_libmingw32_a-crt0_c.o): In function `main':
/build/mingw-w64-RGpMuZ/mingw-w64-2.0.3/build/i686-w64-mingw32/all/mingw-w64-crt/../../../../mingw-w64-crt/crt/crt0_c.c:18: undefined reference to `_WinMain@16'
collect2: ld returned 1 exit status

Hi discipuloosho,

To be able to compile this Source, you have to setup correctly the SDL 2 library. There is plenty of tutorials on how to perform this on Linux (I did it on Windows, using VS Express).
You might find a sarting lead here : http://stackoverflow.com/questions/1837639/how-to-use-sdl-in-linux.

Thanks very much @aemaeth2501 . Here aemaeth2501's keymap program compiled for Win_x86 and for Linux_x64:

https://www.dropbox.com/sh/9y8n0zeq0w6t13l/AADLloN9CU8bBk0zXeEnOquFa?dl=0

Aemaeth2501, your windows's program shows altgr modifier as 0xE6 as rigth alt, but the linux version shows it as 0x6A as F15. :confused::confused:

Aemaeth2501, your windows's program shows altgr modifier as 0xE6 as rigth alt, but the linux version shows it as 0x6A as F15. :confused::confused:

Hi,

Regarding the AltGr case, I noticed odd behaviour too (considered as LCtrl+LAlt). I finally found that the modifier's scancode is 0X05, and tested it against specific characters ('@' for example, but also '[',']', etc) and this modifier output the correct character.

Globally, the program outputs "base scancodes" => modifier should set after (I used the excel file for this purpose)

Ok ok. but @binkybear don't already support for your keyseed.py file in github project. True?

I just saw frech-keyboard github branch, congratulations :D. Now, I've finished the spanish-keyboard keyseed.py file. Here is 404, @binkybear.Thanks @aemaeth2501.

Hi @binkybear,

Here is a quick example on how I was thinking about implementing new locales in the menu (405) with the new keyseed.py (the one provided by @discipuloosho with french and spanish layout) . I saw a lead on the github dedicated branch that based the target locale on the default browser one, but I though providing directly a choice via a dropdown menu would make a more volatile solution.
I will look closer a it this weekend (****, got a job :/) since I need to setup an environment to build and test more easily. And to learn the basics of git...

Have a nice day.

@discipuloosho & @aemaeth2501 - Thank you for all the hard work. I will talk to muts about implementing this into the upcoming app.

Thank for you @binkybear :)

Hi !

Despite my absolute lack of knowledge on this subject (and on github usage), I worked on french keyboard for HIB on github and proposed the initial version of the "french keyboard branch".
Good to see more people involved with a more generic approach that helps to develop other languages "keyseeds" :)

aemaeth2501, would you please check my keyseed version and see how you think some of the french characters missing in your version could be integrated ? (e.g. 'é' aka latin small letter e with acute)
https://github.com/uzyfr/kali-nethunter/blob/master/utils/files/modules/keyseed.py
For some "special characters", I had to manage a two steps approach using a "global_last_char" variable.
(Just for the record, my approach was only to specify in the "french" dictionnary only the characters that differs from the english one (lots of characters are similar).)

Last point concerning the locale : I proposed to use the default browser locale because I guess french people would mostly use this attack on computers using french layout.
However, to extend aemaeth2501's proposal, a dropdown menu that select by default the browser locale and allows user to specify the one he wants to use may be a good solution ?

See you soon !

Hi !


aemaeth2501, would you please check my keyseed version and see how you think some of the french characters missing in your version could be integrated ? (e.g. 'é' aka latin small letter e with acute)


I asked myself the 'é', 'è' and other french specificities questions. My conclusion was based on the fact that those characters would not be intergrated in any payload (powershell or raw Base64 encoded). But it is possible to integrate them in the dictionnary for completeness purposes.



(Just for the record, my approach was only to specify in the "french" dictionnary only the characters that differs from the english one (lots of characters are similar).

I tried this approach with the use of python dictionnaries, and finally I prefered working fully on the charset than 'by delta' vs. US layout. This clarifies (imo) the new locale dictionnary creation.



Last point concerning the locale : I proposed to use the default browser locale because I guess french people would mostly use this attack on computers using french layout.
However, to extend aemaeth2501's proposal, a dropdown menu that select by default the browser locale and allows user to specify the one he wants to use may be a good solution ?


That is a good idea at first, since indeed frenchs pops frenchs boxes ;) But for example, in my personnal case, I work for a company having multiple nationalities, hence layouts.

For now, I will wait for the android app. At least, the tedious scancode identification job is now done.

Hi, here is a 418 with a german layout. Umlauts won't work but are probably not needed. the rest should be fine, but isn't thoroughly tested. :o
Feel free to use and/or edit it.

Hi stinkybit,


I added the scancodes provided in the attached file as a new dictionnary in the actual keyseed file.
Just a question : on a windows machine (german OS), what is the confirmation keystroke you need to perform to confirm the "run as admin" (on english one, it is the alt+y for "yes", on french one it is the alt+o for "oui").

Hi aemaeth2501,

sorry, i didn't consider this part so far. It would be alt+j for "ja".

Hi aemaeth2501,

sorry, i didn't consider this part so far. It would be alt+j for "ja".

Thanks, it is integrated on my side.
I am working on the complete integration of the locale through the UI (as a dropdown near the platform one).

For the moment I am testing the overall and will issue a pull request of the entire locale management files (including FR, ES and DE locales).

Can anyone make a tutorial video how to make new keyseed.py? I want to make hun layout
/sry for my bad eng/

@aemaeth2501 - I have pulled the keyboard layout branch into development branch. Also, we have the source available for the nethunter android application: https://github.com/offensive-security/nethunter-app

We don't currently have a dropdown/selection within the app to choose a language. I think the original thought was to have a dropdown on the web interface which would pass the locale, but the web interface is now removed. I think the idea is that we should have an option before launching to choose the language, but I assume the $LANG variable is the only thing that needs to be passed?

@binkybear - Hi, I am currently testing a wrap-up of the locale selection functionnality. Unfortunately, it is not possible (from my point of view of low-level programmer) to pass the locale as parameter in the different py scripts (e.g. start-hid-cmd.sh). And doooh, it could be passed through an anvironment variable indeed.

For the moment, I am using a configuration file as for the payload (hid-cmd-locale.conf placed on the sdcard/file folder). Works well when unit testing but I have different behavior between the unit tests (Windows machine) and the Nexus. (in a nutshell : findinlist output is correct in Windows but not in Nethunter - fixed : minors bugs linked to deployment method).

To sum-up the integration of new locale:
This keyseed file is the final one (integrating German) 422, and the only thing to achieve local management is to change the hid-cmd-*.py scripts to pass the locale 2 digit code to the different functions (findinlist, wincmd, win7cmd_elevated and win8cmd_elevated) using either:
- an environment variable (not tested)
- a configuration file, writable from the app
422

Since the Android app keeps the "same mechanics" as the web interface did, it should be easier to use the local configuration file instead of an env variable I think.

https://github.com/offensive-security/kali-nethunter/commit/e1bc4cab489bd5a75ce9c9a998743d30e6c3117e <-- I believe I have a working script with your keyseed.py. Need to test with nethunter-app but I was finally able to spend an hour or two on it.

https://github.com/offensive-security/kali-nethunter/commit/e1bc4cab489bd5a75ce9c9a998743d30e6c3117e <-- I believe I have a working script with your keyseed.py. Need to test with nethunter-app but I was finally able to spend an hour or two on it.

Awesome ! Thanks you very much :)

Hi,

Unfortunately I got no more time since I have to prepare a certification exam (beside my actual job work).
Though, I can give you my methodology.

DISCLAIMER: I know that this seems tedious, I might not have used the best methodology, and using excel and such might seem lame but it does work :D

Refer to the excel file in attachment :396
- Compile the SDL source code, with SDL2.0 or later
- Open the Excel file
- The column SymbolUS indicates which character you have to type in the SDL executable windows
- It will output a scancode value that you should enter in the "Returned scancode" field
- If a modifier key is required (Shift, Alt or other), indicate it in the "Modifier Needed" column (keep the formatting and case)

From there, the "Scancode FR" and "New dict" column will be automatically calculated. Beware : I only implemented the Shift and AltGr modifier (the latter will return a void scancode since I did not already find the modifier code).

Once done, copy the content of the "New dict" column and add the following to the keyseed.py (replace XX by the layout identifier)
dict_XX = {
(Content of the "New dict column", with the latest comma removed)
}

Add the following line in findinlist method:


elif locale=="XX" : print '''echo -ne "''' +dict_XX[byte]+ '''" > /dev/hidg0'''


And If needed, add the following line in the win7cmd_elevated method (the "X" should be raplaced by the input key in US format used to confirm execution)


elif locale=="XX" : print '''echo --left-alt X | hid-keyboard /dev/hidg0 keyboard'''


For the moment, I only changed the win7cmd_elevated method, but same treatment will be applied to the other ones.

To test the overall, you need to change the keyseed.py (remove the local argument from methods, force the locale value to be the one you want to test) and you can use the following file (output on the computer should be the same as input).397

I've added Swedish to keyseed.py according to your instructions and made a pull request on github to the development branch. Here's the excel document with the Swedish scancodes: https://docs.google.com/spreadsheets/d/1DWh18sYjjzCslKV6LV4NqTV585AhrGmk-L9ZwBrkxg8/edit?usp=sharing

Please let me know if there's anything else I can help out with :)
Best Regards,
Si

https://github.com/offensive-security/kali-nethunter/commit/e1bc4cab489bd5a75ce9c9a998743d30e6c3117e <-- I believe I have a working script with your keyseed.py. Need to test with nethunter-app but I was finally able to spend an hour or two on it.

Hi binkybear,

I just had a look at the code.

elif locale=="de" : print '''echo --left-alt y | hid-keyboard /dev/hidg0 keyboard''' #to be confirmed
should probably be replaced with:

elif locale=="de" : print '''echo --left-alt j | hid-keyboard /dev/hidg0 keyboard'''

New nethunter release includes all changes by everyone who contributed. Feel free to leave feedback if something is broken or works. Thanks everyone!

New nethunter release includes all changes by everyone who contributed. Feel free to leave feedback if something is broken or works. Thanks everyone!

New release? I didn't see anything new on download page.. Never mind, just didn't look in the right place.

@binkybear:
I haven't tested every single key, but UAC bypass works great with a german keyboard and win7. :cool:

Love the new UI and I am looking forward to check out the new features. Great work!! :)

New nethunter release includes all changes by everyone who contributed. Feel free to leave feedback if something is broken or works. Thanks everyone!

Great job on the new release! I'm working on getting all the hid language attacks working, if anyone got any input on that please give me a shout!
Thanks,
Si

New nethunter release includes all changes by everyone who contributed. Feel free to leave feedback if something is broken or works. Thanks everyone!

Thanks for this new release.
HID CMD works fully for unelevated and W7 elevated with FR layout from my side.

hey i was wondering if this was possible, so at my school if a teacher takes away your phone they sometimes give it to the princpal and he tries cracking the password. he has done this on ios and android, and i was thinking if it was possible that if he were to connect my phone to his PC that a script would run and trash it like a Fork bomb or a drive wiper, would this work or does this fall under badusb.


Edit:
Swearing

hey i was wondering if this was possible, so at my school if a teacher takes away your phone they sometimes give it to the princpal and the **** tries cracking the password. he has done this on ios and android, and i was thinking if it was possible that if he were to connect my phone to his PC that a script would run and trash it like a Fork bomb or a drive wiper, would this work or does this fall under badusb.

I actually like the idea of offensively defending my device. :D

Haven't tested it, but maybe it works with an event-trigger app (like AutomateIt) and running the hid-attack python script within a terminal...

Not sure if windows7/8 are vulnerable against fork bombs - IMHO a modern operating system should limit the number of processes per user. Also, not sure if a "format c:" or similar would work even in an elevated session. But I'm sure, a "funny" payload isn't the problem. ;)

My guess is, that starting cmd from your nethunter device is too slow, since your principal is most probably not just sitting in front of his computer and watches start menu and cmd popping up but kind of interacts with his pc, which would "disturb" the whole process of the hid-attack.

hmm.. thanks for your feedback, would a badUSB attack work better then since it executes silently.

I agree its an interesting idea, incorrect pin/password to unlock. Executes script. Although id rather it connect to a waiting msf listener and be more for if device was lost/stolen.

hmm.. thanks for your feedback, would a badUSB attack work better then since it executes silently.

badUSB is intercepting network traffic and not an "active" attack on the target itself. Maybe you could work with BDF-Proxy or something, but this would require your principal to download and execute a file while your device is connected.

yo devs what do you think? would a self defence type thing be cool or a wast of time.

Great job on the new release! I'm working on getting all the hid language attacks working, if anyone got any input on that please give me a shout!
Thanks,
Si

Thanks for your corrections.

Anyone can make a tutorial video, how to make a new keyseed.py? I want to make hungarian layout for hid attack

teensy all the way or rubber ducky...........

teensy all the way or rubber ducky...........

teensy is more flexible and its cheaper.

a cool script for teensy

https://github.com/samyk/usbdriveby

teensy is more flexible and its cheaper.

a cool script for teensy

https://github.com/samyk/usbdriveby

awesome thanks for link this looks great ill be testig tomorrow

Running the HID attack from terminal with "su" "bootkali start-rev-met --us --hid7cmd" clears the terminal, shows only cursor for 15 seconds and drops back to root@A0001.

Tried to run USB keyboard, this shows that the kernel isn't compatible.
When checking kernel it shows;
3.4.104
root@fringe #1
Sat jan 3 15:52

Anybody a idea what the issue could be? looks like right kernel as alfa on OTG is working :)

Serendipity - What device are you running?

Hi!

Sorry for the late reply, I'm rocking a bacon / one plus one 64gb.

Thanks for the help!

The teensy is great, solder it right into a brand new flashy keyboard then lay it somewhere IT usually can't resist especially if it has flashy light whoo :)

I know that people use base64 encoding and decoding for this most of the time to evade AV I made a project that you can use custom character sets to make it harder for AV

Simple C program

git clone https://github.com/lillypad/chameleon.git
cd chameleon
make
./chameleon --help

Enjoy :p

Running the HID attack from terminal with "su" "bootkali start-rev-met --us --hid7cmd" clears the terminal, shows only cursor for 15 seconds and drops back to root@A0001.

Tried to run USB keyboard, this shows that the kernel isn't compatible.
When checking kernel it shows;
3.4.104
root@fringe #1
Sat jan 3 15:52

Anybody a idea what the issue could be? looks like right kernel as alfa on OTG is working :)

Hi Serendipity,

Since a couple of days, I have an OPO with Nethunter, too.

Have you tried turning ADB on?
With ADB running, it works fine for me. Without ADB I can reproduce exactly your behaviour (which is probably normal - looks the same on my N7).

there should be an update to kali nethunter to make it more stable like teensy :confused:

Solved....

Feel free to leave feedback if something is broken or works. Thanks everyone!