Алексей Мисник - USB devices for pentesting


Transcript of Алексей Мисник - USB devices for pentesting

Page 1

USB HID FOR PENTEST

Page 2

root # uname -a

I'm a security engineer. I like Linux and am a big fan of the Mr. Robot series. I like working on my hobby, so I work in security.

Page 3

AGENDA

- Effective attacks with USB
- Social experiment at the University of Illinois Urbana-Champaign
- Info about USB devices
- Making the USB drop attack effective:
  PART 1. BadUSB
  PART 2. USB Ducky
  PART 3. USB Ethernet
  PART 4. Kali Linux NetHunter
  PART 5. USB Kill 2.0
  PART 6. USB keylogger
- Practice: USB HID attack on Windows 8

Page 4

PART 1

Page 5
Page 6
Page 7
Page 8

SOCIAL EXPERIMENT AT THE UNIVERSITY OF ILLINOIS URBANA-CHAMPAIGN

Page 9

USB KEYS CONTENT

Page 10

USB KEYS APPEARANCE

Page 11

DROP LOCATION TYPE

Page 12

DROP ACTION

Page 13

                          Total   Fraction
Dropped                   297
Keys picked up            290     98%
Keys that got home        135     45%
Keys returned             54      19%
People answering survey   62      21%

Page 14

ANSWERS

- 16% scanned the drive with their anti-virus software
- 8% believed that their operating system or security software would protect them, e.g., "I trust my macbook to be a good defence against viruses"

Page 15

DEMO

USB drop attack demo - Blackhat USA 2016.mp4

Page 16

INFO ABOUT USB DEVICES

Page 17

BACKGROUND

USB is a very versatile interface. Just think how many devices we connect to it: mice, keyboards, printers, scanners, gamepads, modems, access points, webcams, phones, etc. We do not hesitate to insert the connector into the appropriate socket; the OS automatically detects the type of device and loads the appropriate drivers.

Page 18

FLASH DEVICES

In fact, the operating system knows nothing about the connected device in advance. It has to wait until the device itself announces the class to which it belongs. Taking the simplest example, when we plug a flash drive into a USB connector, it is the flash drive that tells the operating system whether it is only storage or some other kind of device.

Page 19

USB DEVICE INITIALIZATION ALGORITHM

The purpose of a USB device is determined by the class codes it communicates to the USB host so that the host can load the necessary drivers. Class codes make it possible to handle the same type of device from different manufacturers in a uniform way. An ordinary bootable flash drive has class code 08h (Mass Storage Device, MSD), while a webcam equipped with a microphone is characterised by two: 01h (Audio) and 0Eh (Video Device Class).

Page 20

CONNECTING THE USB DEVICE

When a USB device is connected, it is registered and receives an address, then sends its descriptor(s) to the operating system so that drivers can be loaded and the desired configuration sent back to the device. After this, direct interaction with the device takes place. When work is finished, the device is deregistered.
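The class codes and descriptors described on the last two slides are exactly what a defender can inspect: a device that calls itself a flash drive but advertises a keyboard interface is the signature of a reflashed "BadUSB" stick. The walker below is an added example, not code from the talk; the two descriptor blobs are constructed hypothetical devices (a real HID interface would also carry a class-specific HID descriptor, which the walker simply skips).

```python
import struct

# USB class codes named on the slides, plus HID (0x03): the class a reflashed
# "BadUSB" stick adds so the host treats it as a keyboard.
CLASS_NAMES = {0x01: "Audio", 0x03: "HID", 0x08: "Mass Storage", 0x0E: "Video"}
DT_CONFIGURATION, DT_INTERFACE, DT_ENDPOINT = 0x02, 0x04, 0x05

def interface_classes(config: bytes) -> list:
    """Walk a configuration descriptor blob (config + interface + endpoint
    descriptors, each prefixed by bLength/bDescriptorType) and return the
    bInterfaceClass of every interface descriptor found."""
    if len(config) < 9 or config[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total = min(struct.unpack_from("<H", config, 2)[0], len(config))
    classes, off = [], 0
    while off + 2 <= total:
        length, dtype = config[off], config[off + 1]
        if length < 2:
            raise ValueError("malformed descriptor at offset %d" % off)
        if dtype == DT_INTERFACE and length >= 9:
            classes.append(config[off + 5])  # bInterfaceClass field
        off += length
    return classes

def unexpected_classes(config: bytes, expected=frozenset({0x08})) -> set:
    """Classes a device advertises beyond those expected of a plain storage
    stick; a non-empty result for a 'flash drive' is worth an alert."""
    return {c for c in interface_classes(config) if c not in expected}

# --- constructed sample descriptors (hypothetical devices, not from the talk) ---
def _iface(num, n_ep, cls, sub, proto):
    return bytes([9, DT_INTERFACE, num, 0, n_ep, cls, sub, proto, 0])

def _ep(addr, attrs, max_packet, interval):
    return bytes([7, DT_ENDPOINT, addr, attrs]) + struct.pack("<H", max_packet) + bytes([interval])

def _config(n_ifaces, *parts):
    body = b"".join(parts)
    head = bytes([9, DT_CONFIGURATION]) + struct.pack("<H", 9 + len(body))
    return head + bytes([n_ifaces, 1, 0, 0x80, 50]) + body

# Ordinary stick: one Mass Storage (SCSI, bulk-only) interface with two bulk endpoints.
FLASH_DRIVE = _config(1, _iface(0, 2, 0x08, 0x06, 0x50), _ep(0x81, 0x02, 512, 0), _ep(0x02, 0x02, 512, 0))
# Same stick after a reflash: an extra HID boot-keyboard interface with an interrupt IN
# endpoint (the class-specific HID descriptor that would sit between them is omitted).
BADUSB_DRIVE = _config(2,
    _iface(0, 2, 0x08, 0x06, 0x50), _ep(0x81, 0x02, 512, 0), _ep(0x02, 0x02, 512, 0),
    _iface(1, 1, 0x03, 0x01, 0x01), _ep(0x83, 0x03, 8, 10))
```

On a live host the same check can be run against the configuration descriptor the OS has already read for a newly enumerated device, before any driver for the extra interface is allowed to bind.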

Page 21

USB ATTACK

PART 1. USB keylogger
PART 2. USB Kill 2.0
PART 3. Kali Linux NetHunter
PART 4. USB Ethernet
PART 5. BadUSB
PART 6. USB Ducky

Page 22

USB KEYLOGGER

Page 23

PARAMETERS

- 4MB flash memory stores 2000 pages of text
- Works great with all wired USB keyboards and with all versions of Windows and Linux
- No software or drivers needed
- National keyboard layout support
- Capable of recording ALL keys

Page 24

PRICE: $64.99

KeyLlama records everything typed on a USB keyboard. Absolutely no software is required and KeyLlama is completely invisible to any software. The KeyLlama USB is the stealthiest hardware keylogger in existence - it is impossible to detect!

Page 25

USB KILL 2.0

Page 26

As the company explains, when plugged in, the USB Kill 2.0 stick rapidly charges its capacitors from the USB power supply and then discharges, all in a matter of seconds. The stick discharges 200 volts DC over the data lines of the host machine, and this charge-and-discharge cycle is repeated several times per second until the USB Kill stick is removed.

Page 27

WHEN AND FOR WHOM USB KILL WOULD BE USEFUL?

The USB Kill stick could be a boon for:
- whistleblowers,
- journalists,
- activists,
- cyber criminals (who want to keep their sensitive data away from law enforcement as well as cyber thieves).

The company claims about 95% of all devices available on the market today are vulnerable to power surge attacks introduced via the USB port. However, the only devices not vulnerable to USB Kill attacks are recent models of Apple's MacBook, which optically isolate the data lines on USB ports.

Page 28

PRICE: 49.95 tugriks ☺

Page 29

KALI LINUX NETHUNTER + USB ETHERNET

Page 30

HID KEYBOARD AND "BADUSB" ATTACKS

Our NetHunter images support programmable HID keyboard attacks (a la Teensy), as well as "BadUSB" network attacks, allowing an attacker to easily MITM an unsuspecting target by simply connecting their device to a computer's USB port. In addition to these built-in features, we've got a whole set of native Kali Linux tools available for use, many of which are configurable through a simple web interface.

Page 31

NEXUS 4 & 5 ANDROID PHONE

Nexus 4/5

Page 32

MITM

Page 33

A USB DEVICE IS ALL IT TAKES TO STEAL CREDENTIALS FROM A LOCKED PC

USB Ethernet + DHCP + Responder == Creds

Device:

- USB Ethernet adapter
- patch cord
- laptop

Tools:

- Responder
- DHCP server
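The "USB Ethernet + DHCP + Responder" chain works because the locked host's name lookups leak onto the new link and a poisoner answers every one of them. The detector below is an added example, not part of the talk: it flags an address that resolves many unrelated names, or a canary name that no real host owns, to itself. The log format, the canary-name convention and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the talk): name lookups a host issued after a
# new network adapter appeared, with the address that answered each one.
# Format: "<time> <protocol> <name> -> <answering_ip>"
SAMPLE_LOG = """\
10:00:01 LLMNR wpad -> 192.168.2.1
10:00:02 NBNS FILESRV01 -> 10.0.0.21
10:00:03 LLMNR printsrv -> 192.168.2.1
10:00:04 LLMNR ZZ-CANARY-7731 -> 192.168.2.1
10:00:05 NBNS FILESRV01 -> 10.0.0.21
10:00:06 LLMNR sharepoint -> 192.168.2.1
"""

LINE_RE = re.compile(r"^\S+ (LLMNR|NBNS) (\S+) -> (\S+)$")

def parse_answers(log: str):
    """Yield (protocol, name, answering_ip) for each well-formed line;
    malformed lines are skipped rather than aborting the scan."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3)

def find_poisoners(log: str, canary_names=(), min_names: int = 3) -> dict:
    """Return {ip: sorted names} for every responder that either answered a
    canary name (a hostname that deliberately exists nowhere, so any answer is
    a lie) or resolved at least min_names distinct names to itself, which is
    what a tool answering every broadcast query looks like."""
    names_by_ip = defaultdict(set)
    for _proto, name, ip in parse_answers(log):
        names_by_ip[ip].add(name)
    canaries = {c.lower() for c in canary_names}
    return {ip: sorted(names) for ip, names in names_by_ip.items()
            if names & canaries or len(names) >= min_names}
```

The legitimate server 10.0.0.21 answers only for the name it owns and is not reported, while 192.168.2.1 is flagged on both criteria.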

Page 34

ATTACK & DEFENCE

Page 35

TESTED OS

• Windows 98 SE
• Windows 2000 SP4
• Windows XP SP3
• Windows 7 SP1
• Windows 10 (Enterprise and Home)

Page 36

RESPONDER

Page 37

DATABASE

Page 38

ATTACK

Lock PC.mp4

Page 39

PART 2

Page 40

BAD USB

Page 41
Page 42

PHISON 2251-03 (2303) CUSTOM FIRMWARE & EXISTING FIRMWARE PATCHES

Page 43

SUPPORTED DEVICES

• Patriot 8GB Supersonic
• Patriot 8GB Supersonic Xpress
• Kingston DataTraveler 3.0 T111 8GB
• Silicon Power Marvel M60 64GB
• Patriot Stellar 64 GB Phison
• Toshiba TransMemory-MX USB 3.0 16GB
• Toshiba TransMemory-MX USB 3.0 8GB
• Kingston DataTraveler G4 64 GB
• Patriot PSF16GXPUSB Supersonic Xpress 16GB
• Silicon Power 32GB Blaze B30

Page 44

SOFT

• DriveCom -- PC C# application to communicate with Phison drives.
• EmbedPayload -- PC C# application to embed Rubber Ducky inject.bin key scripts into custom firmware for execution on the drive.
• Injector -- PC C# application to extract addresses/equates from firmware as well as embed patching code into the firmware.
• firmware -- this is 8051 custom firmware written in C.
• patch -- this is a collection of 8051 patch code written in C.

Releases have the following items:

• patch -- this is a collection of 8051 patch code written in C.
• tools -- these are the compiled binaries of all the tools.
• CFW.bin -- this is custom firmware set up to send an embedded HID payload.

Page 45

ALL COMMANDS

C:\fw\Psychson-master\tools\DriveCom.exe /drive=F /action=SetBootMode

C:\fw\Psychson-master\tools\DriveCom.exe /drive=F /action=SendExecutable /burner=C:\fw\fw_bn\BN03V114M.BIN

C:\fw\Psychson-master\tools\DriveCom.exe /drive=F /action=DumpFirmware /firmware=C:\fw\currentfw.bin

java -jar C:\fw\ducky\duckencode.jar -i C:\fw\ducky\hello_world.txt -o C:\fw\ducky\inject.bin

C:\fw\Psychson-master\tools\EmbedPayload.exe C:\fw\ducky\inject.bin C:\fw\Psychson-master\firmware\bin\fw.bin

C:\fw\Psychson-master\tools\DriveCom.exe /drive=F /action=SendFirmware /burner=C:\fw\fw_bn\BN03V114M.BIN /firmware=C:\fw\Psychson-master\firmware\bin\fw.bin

Page 46

OBTAINING A BURNER IMAGE

A burner image is required for dumping or flashing firmware. These burner images are typically named using the following convention: BNxxVyyyz.BIN, where xx is the controller version (such as 03 for PS2251-03 (2303)), yyy is the version number (irrelevant), and z indicates the page size. z can be either:

• 2KM -- indicates this is for 2K NAND chips.
• 4KM -- indicates this is for 4K NAND chips.
• M -- indicates this is for 8K NAND chips.

All versions of the Patriot 8GB Supersonic Xpress drive (in fact, all USB 3.0 drives) seen so far require an 8K burner. An example of a burner image would be BN03V104M.BIN.

Page 47

BUILD ENVIRONMENT

To patch or modify existing firmware, you must first set up a build environment. See Setting Up the Environment on the wiki for more information. At a minimum, SDCC needs to be installed to C:\Program Files\SDCC. To run the tools, you need to be on Windows with .NET 4.0 installed.

To set up a build environment, you need to:

• Install Visual Studio 2012 Express (for building the tools).
• Install the SDCC (Small Device C Compiler) suite to C:\Program Files\SDCC.

Run DriveCom as below to obtain information about your drive:

DriveCom.exe /drive=E /action=GetInfo

Page 48

DUMPING FIRMWARE

Run DriveCom, passing in the drive letter of the drive you want to dump, the path of the burner image you obtained, and the destination path for the firmware image:

C:\fw\Psychson-master\tools\DriveCom.exe /drive=F /action=DumpFirmware /firmware=C:\fw\currentfw.bin

where F is the drive letter, BN03V114M.BIN is the burner image (already sent to the drive in the preceding SendExecutable step), and currentfw.bin is the resulting firmware dump. Currently, only 200KB firmware images can be dumped (which is what the Patriot 8GB Supersonic Xpress drive uses).

Page 49

FLASHING CUSTOM FIRMWARE

Run DriveCom, passing in the drive letter representing the drive you want to flash, the path of the burner image you obtained, and the path of the firmware image you want to flash:

C:\fw\Psychson-master\tools\DriveCom.exe /drive=F /action=SendExecutable /burner=C:\fw\fw_bn\BN03V114M.BIN

where F is the drive letter, BN03V114M.BIN is the path to the burner image, and fw.bin is the path to the firmware image (passed as /firmware= to the SendFirmware step).

Page 50

CREATE PAYLOAD

Create a key script in Rubber Ducky format, then use Duckencoder to create an inject.bin version of it:

java -jar duckencoder.jar -i keys.txt -o inject.bin

where keys.txt is the path to your key script. You may notice the delays are not quite the same between the Rubber Ducky and the drive; you may need to adjust your scripts to compensate.

Page 51

INSERT HID PAYLOAD IN FIRMWARE & DOWNLOAD THE FIRMWARE WITH THE EMBEDDED HID PAYLOAD

C:\fw\Psychson-master\tools\EmbedPayload.exe C:\fw\ducky\inject.bin C:\fw\Psychson-master\firmware\bin\fw.bin

C:\fw\Psychson-master\tools\DriveCom.exe /drive=F /action=SendFirmware /burner=C:\fw\fw_bn\BN03V114M.BIN /firmware=C:\fw\Psychson-master\firmware\bin\fw.bin

Page 52

RESULT

Page 53

VIRTUAL KEYBOARD

Page 54

WORK

Page 55

RECOVERY

Page 56

PROOF

BaDusb.webm

Page 57

USB DUCKY

Page 58

RUBBER DUCKY: WHEN THE USB STICK IS A USB KEYBOARD

The principle behind the USB Rubber Ducky, marketed by Hak5, is simple to understand. The USB stick poses as a keyboard to the system and, once plugged in, performs actions on the system much like an autorun.exe would, except that it does so by typing keystrokes.

Page 59

RUBBER DUCKY

Page 60

LINUX PAYLOAD

Ideas:
- Use bash to create a reverse shell
- Use nohup to spawn the reverse shell as a background process

Page 61

PAYLOAD

Windows 10

MacOS

Page 62

HOW TO CREATE A PAYLOAD, OR ARE YOU SURE YOU ARE THE ONE CREATING IT?

ducktoolkit-411.rhcloud.com

ducktoolkit.com

Page 63

YOU CAN

RECON SCRIPT:
- Computer Information
- USB Information
- User Information
- Shared Drive Information
- Installed Program Information
- Installed Updates
- User Documents
- Network Information
- Network Scan
- Port Scan
- Wireless Profile
- Screen Capture
- Firefox Profile
- Extract SAM

EXPLOIT SCRIPT:
- Disable Firewall
- Find and FTP a File
- Add Administrative User
- Open Port
- Start WIFI Access Point
- Share C Drive
- Enable RDP
- Reverse Shell
- Download .exe and Execute
- DNS Cache Poison
- Sticky Keys Swap
- Remove Windows Update

REPORT SCRIPT:
- Save To USB
- Upload Report via FTP
- Email Report via GMAIL
- Save To Computer

Page 64

ENCODE

Page 65

CREATE PAYLOAD

https://code.google.com/p/simple-ducky-payload-generator/downloads/detail?name=installer_v1.1.1_debian.sh&can=2&q

root@kali:~# chmod +x installer_v1.1.1_debian.sh
root@kali:~# ./installer_v1.1.1_debian.sh
root@kali:~# rm installer_v1.1.1_debian.sh

To run the program:

root@kali:~# simple-ducky

Page 66

AUTOMATION

Set the IP address, port and delay time

Page 67

REVERSE SHELL

Page 68

PRACTICAL

• Open BEEF in browser
• Create reverse shell (Avast)

Page 69

OPEN BEEF IN BROWSER

Beef.mov

Page 70

CREATE REVERSE SHELL (AVAST)

DNS tunneling.mov