This was a workshop I conducted at Black Hat Europe'12. The workshop explains how to program a USB HID, Teensy++ in this case, for usage in offensive security.
2. SamratAshok
Twitter - @nikhil_mitt
Blog – http://labofapenetrationtester.blogspot.com
Creator of Kautilya
Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems.
Previous Talks
Clubhack’10, Hackfest’11, Clubhack’11, Black Hat Abu Dhabi’11
Upcoming Talks
Troopers’12, PHDays’12, Hack In Paris’12
Training at GrrCON’12
3. A typical Pen Test Scenario
How we are doing it
Need for new methods to break into systems
HID anyone?
4. Introduction to Teensy
Basics of Arduino Development Environment (ADE)
Installing and configuring ADE to use with Teensy
Understanding the basics of programming using ADE
Writing Hello World
Basic usage and programming of Teensy
Introduction to Kautilya
Demonstration of Payloads in Kautilya
Program and perform attacks on a Windows machine
Program and perform advanced attacks on a Windows machine
Understanding structure of and automation using Kautilya
Understanding Integration of payloads in Kautilya
5. Protection against HID based attacks
Pen Test Stories
Limitations
Future
Conclusion
6. Be as interactive as you can. Query me, ask nasty questions, insult me.
It is mandatory to laugh at jokes, whether they are on slides or cracked by me.
We will start slow and then pick up speed. Be patient if you know something; not everybody is as good as you.
I don’t have much theory, so be ready to see demos and source code.
Make sure you keep your eyes open. You should be able to program your device after this. I will keep checking if everyone is awake ;)
7. A client engagement comes with IP addresses.
We need to complete the assignment in a very restrictive time frame.
Pressure is on us to deliver a “good” report with some high severity findings. (That “High” returned inside a red coloured box)
9. This is the best case scenario.
Only the lucky ones find that.
Generally legacy Enterprise Applications or Business Critical applications are not upgraded and are the first targets.
There is almost no fun doing it that way.
12. To gain access to the systems.
This shows the real threat to clients: that we can actually make an impact on their business. No more “so-what”.
We can create reports with “High” severity findings, which bring $$$.
13. Memory Corruption bugs.
Server side
Client Side
Mis-configurations
Open file shares.
Sticky slips.
Man In The Middle (many types)
Unsecured Dumpsters
Humans
<Audience>
14. Many times we get some vulnerabilities but can’t exploit them.
No public exploits available.
Not allowed on the system.
Countermeasure blocking it.
Exploit completed but no session was generated :P
15. Hardened Systems
Patches in place
Countermeasures blocking scans and exploits
Security incident monitoring and blocking
No network access
We need alternatives.
18. Bad guys are getting smarter.
Smart attacks of 2011
Sony (ok not so smart :P)
RSA (clever attack), chained to Lockheed Martin
Epsilon (Spear Phishing)
Barracuda Networks (WAF turned off for little while)
Some attacks on India
Smart attacks of 2010
Stuxnet
Operation Aurora
And many more (like Apache in 2009)
19. Breaking into systems is not as easy as done in the movies.
Those defending the systems have become smarter (at many places :P) and it is getting harder to break into “secured” environments.
Everyone is breaking into systems using the older ways; you need new ways to do it better.
20. Wikipedia – “A human interface device or HID is a type of computer device that interacts directly with, and most often takes input from, humans and may deliver output to humans.”
Mice, Keyboards and Joysticks are the most common HIDs.
What could go wrong?
21. A USB micro-controller device.
Storage of about 130 KB.
We will use Teensy++, which is an updated version of Teensy.
24. Install Arduino
Windows Serial Installer (only Windows)
Install Teensyduino
Copy the Teensy loader executable into the Arduino directory.
Detailed with screenshots here:
http://www.pjrc.com/teensy/td_download.html
25. Make sure to select the correct “Board” and “USB Type” under the Tools menu item.
If Teensyduino has been installed properly, sketch examples can be found at File->Examples->Teensy
26. An almost C++-like syntax is used in ADE.
Two functions are required at minimum:
setup(), which runs whenever Teensy is plugged in or restarted.
loop(), which keeps running after setup().
Basic usage and programming of Teensy
Writing Hello World with Teensy.
28. It’s a toolkit which aims to make Teensy more useful in Penetration Tests.
Named after Chanakya a.k.a. Kautilya.
Written in Ruby.
It’s a menu driven program which lets users select and customize payloads.
Aims to make Teensy part of every Penetration tester’s tool chest.
29. Payloads are written for Teensy without an SD card.
Pastebin is extensively used, both for uploads and downloads.
Payloads are commands, PowerShell scripts or a combination of both.
Payload execution of course depends on the privilege of the user logged in when Teensy is plugged in.
Payloads are mostly for Windows, as the victim of choice generally is a Windows machine.
30. Adds a user with Administrative privileges on the victim.
Uses the net user command.
31. Changes the default DNS for a connection.
Utilizes the netsh command.
32. Edit hosts file to resolve a domain locally.
33. Enables RDP on victim machine.
Starts the service.
Adds exception to Windows firewall.
Adds a user to Administrators group.
34. Installs Telnet on the victim machine.
Starts the service.
Adds an exception to the Windows firewall.
Adds a user to the Administrators group and the TelnetClients group.
35. Starts an invisible instance of Internet Explorer which browses to the given URL.
36. Downloads an exe in text format from pastebin, converts it back to an exe and executes it.
37. Using registry hacks, calls a user defined executable or command when Shift is pressed 5 times or Win + U is pressed.
When the system is locked, the called exe is executed in the System context.
39. This payload opens up Chrome, launches the Remote Desktop plugin, enters credentials and copies the access key to pastebin.
This payload operates on a browser window.
40. Dumps valuable information from the registry, the net command and the hosts file.
41. This payload pulls the sniffer PowerShell script (by Robbie Foust) and executes it on the victim.
The output is compressed and uploaded to ftp.
43. This payload pulls the powerdump script of msf from pastebin, schedules it as a task to run in the system context and uploads the hashes to pastebin.
44. This payload logs keys and pastes them to pastebin every twenty seconds.
There is a separate script to parse the output.
45. This payload creates a hosted network with a user defined SSID and key.
It also adds a user to the Administrators and TelnetClients groups.
It installs and starts telnet and adds it to the Windows firewall exceptions.
46. This payload forces the victim to connect to an attacker controlled WiFi AP. The AP in this case is a portable WiFi hotspot on a smartphone.
Using this, payloads can be pulled either from the smartphone or from the internet using the AP, thus effectively bypassing any internet restriction policies on the system.
47. This payload uses the PowerShell code execution script (by Matt from the exploit-monday blog).
A meterpreter shell is executed completely in memory using this script.
48. This payload browses in the background to a URL where the Metasploit Java Signed Applet module is hosted and accepts the run prompt after a few seconds.
49. We were doing an internal PT for a large media house.
Access to the network was quite restrictive.
The desktops at the Library were left unattended many times.
Teensy was plugged into one system with a sethc and utilman backdoor.
Later in the evening the system was accessed and pwnage ensued.
50. A telecom company.
We had to do a perimeter check for the firm.
The Wireless rogue AP payload was used and Teensy was sold to the client's employees during lunch hours.
Within a couple of hours, we got a wireless network with an administrative user and telnet ready.
51. A pharma company.
We replaced a user’s data card with a Teensy inside the data card’s cover.
The payload selected was Keylogger.
The “Data card” obviously didn’t work and we got multiple keylogging for the user and the helpdesk.
Helpdesk guys had access to almost everything in the environment, and over a workday it was over.
52. Use Endpoint Protector 4 :P :P
Group Policy in Windows which prevents installation of hardware devices.
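To check whether the Group Policy mitigation above is actually in force on a host, here is an added audit script (not part of Kautilya or the workshop material). It reads the Device Installation Restriction values that those policy settings write under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions and reports whether an unlisted USB keyboard-class device would still be allowed to install; the setup-class GUIDs are the standard HIDClass and Keyboard classes, and the allow-list handling assumes approved keyboards are listed by hardware ID.

```powershell
# Added audit script, not part of Kautilya. Reads the registry values written
# by the "Prevent installation of devices ..." Group Policy settings.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Setup-class GUIDs a Teensy keyboard enumerates under (HIDClass, Keyboard).
$hidClass      = '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}'
$keyboardClass = '{4d36e96b-e325-11ce-bfc1-08002be10318}'

function Get-PolicyDword {
    # DWORD switch in the Restrictions key; missing value means "not configured".
    param([string]$Name)
    $item = Get-ItemProperty -Path $base -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

function Get-PolicyList {
    # The class / hardware-ID lists live in a subkey with numbered REG_SZ values.
    param([string]$SubKey)
    $path = Join-Path $base $SubKey
    if (-not (Test-Path $path)) { return @() }
    return (Get-ItemProperty -Path $path).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

$denyUnspecified = Get-PolicyDword 'DenyUnspecified'
$denyRemovable   = Get-PolicyDword 'DenyRemovableDevices'
$deniedClasses   = @()
if ((Get-PolicyDword 'DenyDeviceClasses') -eq 1) { $deniedClasses = Get-PolicyList 'DenyDeviceClasses' }
$allowedIds      = @()
if ((Get-PolicyDword 'AllowDeviceIDs') -eq 1)    { $allowedIds    = Get-PolicyList 'AllowDeviceIDs' }

$hidBlocked = ($deniedClasses -contains $hidClass) -or ($deniedClasses -contains $keyboardClass)

Write-Host "DenyUnspecified      : $denyUnspecified"
Write-Host "DenyRemovableDevices : $denyRemovable"
Write-Host "Denied setup classes : $($deniedClasses -join ', ')"
Write-Host "Allowed hardware IDs : $($allowedIds -join ', ')"

if ($denyUnspecified -eq 1 -or $hidBlocked) {
    Write-Host 'New keyboard-class devices are blocked unless their hardware ID or class is on an allow list.'
} else {
    Write-Host 'WARNING: no device installation policy blocks a newly plugged USB keyboard-class device.'
}
```

Blocking the whole HIDClass or Keyboard class also blocks legitimate keyboards, so the allow list (AllowDeviceIDs) has to carry the hardware IDs of the approved models; the values only appear once Group Policy has applied, so run the script on a domain-joined host after gpupdate.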
53. Limited storage in Teensy. Resolved if you attach an SD card to Teensy.
Inability to “read” from the system. You have to assume the responses of the victim OS; there is only one-way traffic.
54. Many payloads need Administrative privilege.
Lots of traffic to and from pastebin.
Inability to clear itself after a single run.
Not very stable, as it is still a new tool and has not gone through user tests.
For payloads which use executables you need to manually convert and paste them to pastebin.
55. Improvement in current payloads.
Implementation of SD card.
Use some payloads as libraries so that they can be reused.
Support for Non-English keyboards.
Maybe more Linux payloads.
Implementation of some new payloads which are under development.
56. Please complete the Speaker Feedback Surveys.
Questions?
Insults?
Feedback?
Kautilya is available at
http://code.google.com/p/kautilya/
Follow me @nikhil_mitt
http://labofapenetrationtester.blogspot.com/