:begin Introduction
Plug and Prey: Malicious USB Devices by Irongeek at Shmoocon, BadUSB by Karsten Nohl at Black Hat and the Rubber Ducky by Hak5 are super interesting concepts that are leveraged at every Red Team engagement conducted by a Red Team Operator. Any such exploitation requires a good amount of social engineering. I recommend people should have exhausted every possible trick in the book to compromise from the external network of the organization before attempting to breach physical security.
Use of a malicious USB is quite obvious, and you can’t actually walk up to the victim and ask him to plug in the USB. Ok! So you succeed in social engineering him to allow you to plug in the USB drive? Good luck explaining the command prompt opening, random characters getting entered and the command prompt closing on its own. Yes! Even if it takes half a second for the execution, the human eye can see at a speed of 60 fps, according to research of course. Obviously, you are a success if some idiot manages to leave his system unlocked (which you’ll have to lurk around and wait for).
The malicious mouse attack, or what I like to call The Red Team’s Ratatouille, gives you the perfect excuse as an attacker. 0 wait time. Just go up to your victim and ask, “Can I check if this mouse is working on your system?” Assuming you are a red teamer and know how to speak to people, you’ll end up with a system in your credential bank. :) From here, Happy hacking!
:begin Technical Details
Conceptually, this attack doesn’t vary a lot from bad USB. We only stuff our microcontroller device into the body of a mouse.
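A defender-side check for the technique described above, as an added example that is not part of the original post: it parses HID report descriptors and reports any role a device declares beyond the one it was handed over as. The function names are hypothetical and the descriptor bytes are constructed samples.

```python
# Added example: which top-level HID roles does a device declare?
# On Linux the raw bytes can be read from
# /sys/bus/hid/devices/<id>/report_descriptor (one file per HID interface).
GENERIC_DESKTOP = 0x01
ROLES = {0x02: "mouse", 0x06: "keyboard", 0x07: "keypad"}

def top_level_roles(desc: bytes) -> list[str]:
    """Return the usage of every top-level Application collection."""
    roles, usages, page, depth, i = [], [], 0, 0, 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                       # long item: size, tag, data
            i += 3 + (desc[i + 1] if i + 1 < len(desc) else 0)
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]
        data = int.from_bytes(desc[i + 1:i + 1 + size], "little")
        tag = prefix & 0xFC
        if tag == 0x04:                          # Global item: Usage Page
            page = data
        elif tag == 0x08:                        # Local item: Usage
            # A 4-byte Usage carries its own page in the upper 16 bits.
            usages.append((data >> 16 if size == 4 else None, data & 0xFFFF))
        elif tag == 0xA0:                        # Main item: Collection
            if depth == 0 and data == 0x01 and usages:   # Application
                upage, usage = usages[0]
                upage = page if upage is None else upage
                known = upage == GENERIC_DESKTOP and usage in ROLES
                roles.append(ROLES[usage] if known
                             else f"page 0x{upage:02x} usage 0x{usage:02x}")
            depth += 1
        elif tag == 0xC0:                        # Main item: End Collection
            depth = max(0, depth - 1)
        if prefix & 0x0C == 0:                   # Main items end local scope
            usages = []
        i += 1 + size
    return roles

def unexpected_roles(expected: str, descs: list[bytes]) -> list[str]:
    """Roles declared by any interface of the device beyond the expected one."""
    return sorted({r for d in descs for r in top_level_roles(d)} - {expected})

# Constructed sample descriptors (boot-style mouse and keyboard layouts).
MOUSE = bytes.fromhex(
    "05 01 09 02 a1 01 09 01 a1 00 05 09 19 01 29 03 15 00 25 01 95 03 75 01 81 02"
    "95 01 75 05 81 01 05 01 09 30 09 31 15 81 25 7f 75 08 95 02 81 06 c0 c0")
KEYBOARD = bytes.fromhex(
    "05 01 09 06 a1 01 05 07 19 e0 29 e7 15 00 25 01 75 01 95 08 81 02"
    "95 01 75 08 81 01 95 06 75 08 15 00 25 65 19 00 29 65 81 00 c0")
```

Some legitimate mice with macro buttons also declare a keyboard collection, so treat a hit as a prompt to check the device against an allowlist rather than as proof.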
:goto Ingredients
- Teensy 3.2 Microcontroller
- Arduino IDE
- Teensyduino software
- Basic programming-fu
- Mouse that need not necessarily work
- MicroUSB cable (to connect the Teensy to the USB; the preferred color would be black)
- Basic Social Engineering skills
:goto Cooking
- Step 1: Rip apart that mouse.
- Step 2: Set up your Teensy - https://www.pjrc.com/teensy/tutorial
- Step 3: Learn the keyboard library - https://www.arduino.cc/en/Reference/KeyboardModifiers
- Step 4: Stuff them all into the mouse.
:goto Building an exploit
First and foremost, let us not forget the USBDriveBy code written by Samy Kamkar. Quite a lot of people use this code with their Teensy device. Another tool used is the Social-Engineer Toolkit, which gives you a PowerShell payload that you would need to execute to pwn the system.
But what is a hacker without the knowledge of what he does? So, before starting, I hope you know some basic Arduino programming. This sample code will open Notepad and type "You have been Hax0red" in it. To begin, we build the algorithm that we want to program (manual method).
Base Teensy Code
Run Window Function
As can be seen above, we now need to send a string (in this case, ‘notepad’), which is then run from the Run window. Accordingly, we now define the setup() function.
Now of course, this could be weaponized in more harmful ways, which I would leave to you Red Teamers out there to attempt. I love to have my Teensy with a reverse shell code. This code can be saved on a Raspberry Pi and weaponized every time, depending on your client environment.
Full Code