!!! Deprecated See ESPloitV2 !!! Original PoC(Released: Sep 11, 2016) - WiFi controlled keystroke injection Using ESP8266 and 32u4 based Arduino HID Keyboard Emulator

exploitagency/github-ESPloit


ESPloit

Please see ESPloitV2 for the latest version: https://github.com/exploitagency/ESPloitV2

Written by Corey Harding from http://www.LegacySecurityGroup.com

WiFi controlled HID Keyboard Emulator

Demo at: https://legacysecuritygroup.com/index.php/categories/11-hardware/27-esploit

ESPloit uses an ESP8266 to host a web server that acts as a command and control server for the "payloads" (keypresses) sent to the Arduino, which acts as a keyboard emulator. The end result is not as polished as a Hak5 USB Rubber Ducky, and the payload language is not as capable as DuckyScript either. However, this is a really simple project to replicate for under $20, plus it has WiFi; it's kind of like an IoT keystroke injection attack. It is still a work in progress and its main purpose is to be a proof of concept.

Hardware Required:
Adafruit Huzzah ESP8266 Board (Web Interface/Command and Control Server)
Arduino Beetle by CJMCU - ATmega32u4 Chip (HID Keyboard Emulator)
Alternative Hardware:
Cactus Micro rev2 (Esp03 & ATmega32u4 on one board)
Cactus Micro rev2 Porting/Testing made possible by minkione
Optional Hardware:
USB Hub or Enclosure (To Hide Device Inside Of)


Software used:
Arduino IDE: Arduino IDE 1.6.11
Board Manager/Libraries: esp8266 by ESP8266 Community version 2.3.0


Setup Network:
By default ESPloit creates an access point with a hidden SSID of "Exploit" and a WPA2 password of "DotAgency".
You can change this in the source of esp-sketch and even set it to join an existing network instead.
The comments in the code should walk you through it.
This is also the time to choose an IP address for the server while you're in the source (default is 192.168.1.1).


Flash Boards:
arduino-sketch.ino goes to the 32u4 based board
esp-sketch.ino goes to the esp8266 device
Note for Cactus Micro rev2: If using this board then please use the arduino-sketch-cactus.ino and esp-sketch-cactus.ino sketches.
NOTE: On the first boot of the ESP8266 it may take up to around 90 seconds while the SPIFFS file system is formatted for the first time. Also, the ESP8266 is a power hungry beast: my FTDI cable only put out enough current to program it (Adafruit Huzzah Breakout Board HACKADAY Edition) but not enough to let it fully boot, so use a separate power supply to boot it. I am using a YWROBOT MB102 at 3v3 on a breadboard for testing.


Wire it Up:
This assumes you are using an Adafruit Huzzah and a CJMCU Beetle Clone with the default software serial pins set in the sketches.
Note: No wiring or pin changes are required when using a Cactus Micro rev2!
Arduino --- ESP8266 Huzzah
--------------------------
5v --- V+ Pin (Huzzah Breakout) or USB Pin (Feather) // Only do this if your ESP8266 board has an onboard regulator that converts 5v to 3v3; otherwise put a voltage regulator in between
GND --- GND
D10 (Soft-RX) --- Pin 4 (Soft-TX) // This is OK because the 3v3 logic of the ESP8266 is driving the soft-RX of the Arduino. Do NOT connect the 5v-logic soft-TX of the Arduino to the 3v3-logic soft-RX of the ESP8266. On the Adafruit Huzzah family the physical hardware serial RX pin has a level shifter, so 5v into that one pin would be OK, but only there, not on a GPIO used for software serial.
Now you can solder the pins on the USB plug of the CJMCU Beetle Arduino clone to the corresponding USB wires inside a USB hub, or heat-shrink the project and use it as is, or hide it in a clever USB enclosure.


Writing a Payload:
Please refer to example_payloads folder and decimal_key_reference folder for reference.

For individual keypresses or combinations of key presses
"Press:X" or "Press:X+Y" or "Press:X+Y+Z" and so forth
--Expects DECIMAL Values for X,Y,Z,etc
--"Press:131+114" would output KEY_LEFT_GUI(Windows_Key)+r thus launching the run prompt if connected to a Windows machine
--List of modifier keys(GUI,ALT,CTRL,ETC) at https://www.arduino.cc/en/Reference/KeyboardModifiers
--ASCII table lookup at http://www.asciitable.com/

To type out strings of text
"Print:XYZ" Types out "XYZ"
--"Print:www.Exploit.Agency" would type out "www.Exploit.Agency" on the machine connected via USB

To type out strings of text followed by the ENTER Key
"PrintLine:XYZ" Types out "XYZ" then presses enter
--"PrintLine:www.Exploit.Agency" would type out "www.Exploit.Agency" on the machine connected via USB and then press ENTER

To make a delay
"Delay"
--"Delay" waits for a fixed interval (length set in the esp8266 sketch, default = 2000 ms) before proceeding to the next line of the payload


Uploading Payload:
In web browser type 192.168.1.1(or IP you set)
Click "Upload Payload"
Select the File for the payload you wrote
Click Upload
NOTE: There is a 21 character limit on the file name, including the dot and extension. Example of a good filename: "video-demo-winpro.txt" (21 characters); a bad file name: "video-demo-windows-pro.txt" (26 characters). If your file does not show up in the payload list after uploading it, this is likely the reason.
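A small linter/generator for the payload format described under "Writing a Payload" and the filename rule above, added here as an example; it is not code from the ESPloit repository. It parses the four documented line types, rejects key codes that do not fit the single byte Arduino's Keyboard.press() takes, rejects non-ASCII text (the Arduino Keyboard library only maps 7-bit ASCII), enforces the 21 character filename limit, and translates a small DuckyScript-like subset into ESPloit lines so chords such as "GUI r" can be written by name instead of "Press:131+114". The key table holds the decimal values from Arduino's Keyboard.h; the function names and the DuckyScript subset are this example's own choices.

```python
import re

# Decimal values of Arduino Keyboard.h modifier and special keys (the table
# the README links). Plain characters use their ASCII value, e.g. 'r' == 114.
KEYS = {
    "CTRL": 128, "SHIFT": 129, "ALT": 130, "GUI": 131, "WINDOWS": 131,
    "ENTER": 176, "ESC": 177, "BACKSPACE": 178, "TAB": 179,
    "UP": 218, "DOWN": 217, "LEFT": 216, "RIGHT": 215,
    "INSERT": 209, "DELETE": 212, "HOME": 210, "END": 213,
    "PAGEUP": 211, "PAGEDOWN": 214,
}
MAX_FILENAME = 21  # characters, including the dot and extension (README note)
LINE_RE = re.compile(r"^(Press|Print|PrintLine):(.*)$|^(Delay)$")


def parse_payload(text):
    """Parse an ESPloit payload into (action, argument) tuples.

    Press lines become ("Press", (code, ...)); Print/PrintLine keep their
    string; Delay becomes ("Delay", None). Raises ValueError on anything the
    documented format does not cover.
    """
    actions = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r")
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a Press/Print/PrintLine/Delay line: {line!r}")
        if m.group(3):
            actions.append(("Delay", None))
            continue
        kind, arg = m.group(1), m.group(2)
        if kind == "Press":
            codes = []
            for tok in arg.split("+"):
                # Keyboard.press() takes a uint8_t, so a code outside 0-255
                # cannot be sent as one key.
                if not tok.isdigit() or int(tok) > 255:
                    raise ValueError(f"line {n}: key code {tok!r} is not a decimal byte")
                codes.append(int(tok))
            actions.append((kind, tuple(codes)))
        else:
            # Keyboard.print() only maps 7-bit ASCII; anything else is typed
            # wrongly or dropped, so reject it before it reaches the board.
            if not arg.isascii():
                raise ValueError(f"line {n}: non-ASCII text cannot be typed")
            actions.append((kind, arg))
    return actions


def check_filename(name):
    """True if the payload file name fits ESPloit's 21-character limit."""
    return 0 < len(name) <= MAX_FILENAME


def validate(name, text):
    """Return a list of problems with a payload file; an empty list means OK."""
    problems = []
    if not check_filename(name):
        problems.append(f"filename {name!r} exceeds {MAX_FILENAME} characters")
    try:
        parse_payload(text)
    except ValueError as err:
        problems.append(str(err))
    return problems


def from_ducky(script):
    """Translate a DuckyScript-like subset into ESPloit payload lines.

    Supported: REM, STRING <text>, DELAY <ms> (ESPloit has one fixed delay,
    so the number is ignored), and key chords such as "ENTER", "GUI r" or
    "CTRL ALT DELETE" built from KEYS names and single ASCII characters.
    """
    out = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue
        cmd, _, rest = line.partition(" ")
        if cmd == "STRING":
            out.append("Print:" + rest)
        elif cmd == "DELAY":
            out.append("Delay")
        else:
            codes = []
            for tok in line.split():
                if tok.upper() in KEYS:
                    codes.append(KEYS[tok.upper()])
                elif len(tok) == 1 and tok.isascii():
                    codes.append(ord(tok))
                else:
                    raise ValueError(f"unknown key {tok!r} in {line!r}")
            out.append("Press:" + "+".join(str(c) for c in codes))
    return out


if __name__ == "__main__":
    # Constructed sample: open the Windows run prompt and start cmd.
    ducky = "REM open run\nGUI r\nDELAY 500\nSTRING cmd\nENTER"
    payload = "\n".join(from_ducky(ducky)) + "\n"
    print(payload, end="")
    print("problems:", validate("run-cmd.txt", payload))
```

Run the script to print the translated payload, then save its output under a name of at most 21 characters before uploading it through the web interface.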


Running your Payload:
In web browser type 192.168.1.1(or IP you set)
Click "Choose Payload"
Click on the payload you want to run
It will display the contents of the payload
Press the "Run Payload" button to start running the payload
