USB devices such as keyboards and mice can be used to compromise personal computers, forming a potential new class of attacks that bypasses all known protection mechanisms. I will show all types of USB attacks, and you will see the effectiveness of USB attacks in practice.
2. root # uname -a
I'm a security engineer. I like Linux and am a big fan of the Mr. Robot series. I like
working on my hobby, so I work in security.
3. AGENDA
- Effective attacks with USB
- Social experiment at the University of Illinois Urbana-Champaign
- Info about USB devices
- Making USB drop attack effective:
PART 1. BadUsb
PART 2. USB Ducky
PART 3. USB Ethernet
PART 4. Kali Linux NetHunter
PART 5. USB Kill 2.0
PART 6. USB keylogger
- Practice USB HID attack on Windows 8
13. RESULTS (Total / Fraction)
Dropped: 297
Keys picked up: 290 (98%)
Keys that got home: 135 (45%)
Keys returned: 54 (19%)
People answering survey: 62 (21%)
14. ANSWERS
- 16% scanned the drive with their anti-virus software
- 8% believed that their operating system or security software would protect them,
e.g., “I trust my macbook to be a good defence against viruses”
17. BACKGROUND
USB is a very versatile interface. Just think how many devices we connect to it: mice,
keyboards, printers, scanners, gamepads, modems, access points, webcams, phones,
etc. We do not hesitate to insert the connector into the appropriate socket; the OS
automatically detects the type of device and loads the appropriate drivers.
18. FLASH DEVICES
In fact, the operating system knows nothing about the connected device in advance.
It has to wait until the device itself announces the class to which it belongs.
Take the simplest example: when we plug a flash drive into the USB connector,
the flash drive itself tells the operating system whether it is only storage or some other kind of device.
19. HOW USB DEVICES ARE INITIALIZED
The purpose of a USB device is determined by class codes, which the device reports to the USB
host so that the host can load the necessary drivers. Class codes make it possible to handle the same
type of device from different manufacturers in a uniform way.
A typical bootable flash drive has class code 08h (Mass Storage Device,
MSD), while a webcam equipped with a microphone is characterized by two codes: 01h
(Audio) and 0Eh (Video Device Class).
20. CONNECTING THE USB DEVICE
When a USB device is connected, it is registered, receives an address and sends its descriptor(s)
to the operating system so that drivers can be loaded and the desired configuration sent back.
After this, direct interaction with the device begins. When the work is finished, the
device is deregistered.
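Added example, not from the slides or any project they describe: a Python parser for a USB configuration descriptor that lists the class codes each interface declares (08h, 01h, 0Eh, and 03h for HID) and flags a device whose label promises storage but which also enumerates as a keyboard or network adapter, the BadUSB and USB Ethernet pattern covered later in the deck. The descriptor bytes are constructed here, not captured from real hardware.

```python
import struct

# Descriptor types (USB 2.0 spec, table 9-5) and the class codes the slides mention
DT_CONFIGURATION, DT_INTERFACE, DT_ENDPOINT, DT_HID = 0x02, 0x04, 0x05, 0x21
CLASS_NAMES = {0x01: "Audio", 0x02: "CDC Control", 0x03: "HID",
               0x08: "Mass Storage", 0x0A: "CDC Data", 0x0E: "Video"}

def interface_classes(config_blob: bytes) -> list:
    """Walk a configuration descriptor the way a host stack does (hop by bLength) and
    return (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol) per interface."""
    found, off = [], 0
    while off + 2 <= len(config_blob):
        length, dtype = config_blob[off], config_blob[off + 1]
        if length < 2 or off + length > len(config_blob):
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == DT_INTERFACE and length >= 9:
            found.append((config_blob[off + 5], config_blob[off + 6], config_blob[off + 7]))
        off += length
    return found

def unexpected_classes(config_blob: bytes, expected: set) -> list:
    """Class codes the device declares beyond what its label promises. A 'flash drive' that
    also enumerates as HID (03h) or CDC (02h/0Ah) is the BadUSB / USB Ethernet pattern."""
    return sorted({cls for cls, _, _ in interface_classes(config_blob)} - expected)

# --- constructed sample descriptors (built here, not captured from real hardware) ---
def _interface(num, cls, sub, proto, n_endpoints, extra=b""):
    iface = struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, num, 0, n_endpoints, cls, sub, proto, 0)
    eps = b"".join(struct.pack("<BBBBHB", 7, DT_ENDPOINT, 0x80 | (i + 1), 0x02, 512, 0)
                   for i in range(n_endpoints))          # endpoint attributes simplified
    return iface + extra + eps

def _config(*interfaces):
    body = b"".join(interfaces)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body),
                       len(interfaces), 1, 0, 0x80, 50) + body

HID_CLASS_DESC = bytes([9, DT_HID, 0x11, 0x01, 0, 1, 0x22, 63, 0])   # precedes the HID endpoint
FLASH_DRIVE = _config(_interface(0, 0x08, 0x06, 0x50, 2))             # 08h: SCSI, bulk-only
WEBCAM = _config(_interface(0, 0x01, 0x01, 0x00, 0),
                 _interface(1, 0x0E, 0x01, 0x00, 1))                  # 01h audio + 0Eh video
BADUSB = _config(_interface(0, 0x08, 0x06, 0x50, 2),
                 _interface(1, 0x03, 0x01, 0x01, 1, HID_CLASS_DESC))  # storage + boot keyboard

if __name__ == "__main__":                       # demo run over the three samples
    for name, blob, exp in [("flash drive", FLASH_DRIVE, {0x08}), ("webcam", WEBCAM, {0x01, 0x0E}),
                            ("'flash drive' hiding a keyboard", BADUSB, {0x08})]:
        extra = [CLASS_NAMES.get(c, hex(c)) for c in unexpected_classes(blob, exp)]
        print(f"{name}: unexpected classes: {extra or 'none'}")
```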
21. USB ATTACK
PART 1. USB keylogger
PART 2. USB Kill 2.0
PART 3. Kali Linux NetHunter
PART 4. USB Ethernet
PART 5. Bad Usb
PART 6. USB Ducky
23. PARAMETERS
- 4MB flash memory stores 2000 pages of text
- Works with all wired USB keyboards and with all versions of Windows and Linux
- No software or drivers needed
- National keyboard layout support
- Capable of recording ALL keys
24. PRICE: $64.99
KeyLlama records everything typed on a USB keyboard. Absolutely no software is required and
KeyLlama is completely invisible to any software. The KeyLlama USB is the stealthiest hardware
keylogger in existence - it is impossible to detect!
26. As the company explains, when plugged in, the USB Kill 2.0 stick rapidly charges
its capacitors from the USB power supply and then discharges, all in a matter of seconds.
The USB stick discharges 200 volts DC over the data lines of the host
machine, and this charge-and-discharge cycle is repeated many times in a single
second, until the USB Kill stick is removed.
27. WHEN AND FOR WHOM WOULD USB KILL BE USEFUL?
The USB Kill stick could be a boon for:
- whistleblowers,
- journalists,
- activists,
- cyber criminals (who want to keep their sensitive data away from law enforcement as well as cyber thieves).
The company claims about 95% of all devices available on the market today are
vulnerable to power surge attacks introduced via the USB port. However, the only devices not
vulnerable to USB kill attacks are recent models of Apple's MacBook, which optically isolate
the data lines on USB ports.
30. HID KEYBOARD AND ‘BADUSB’ ATTACKS
Our NetHunter images support programmable HID keyboard attacks, (a-la-teensy), as
well as “BadUSB” network attacks, allowing an attacker to easily MITM an unsuspecting target by
simply connecting their device to a computer USB port. In addition to these built in features, we’ve
got a whole set of native Kali Linux tools available for use, many of which are configurable through
a simple web interface.
33. A USB DEVICE IS ALL IT TAKES TO STEAL CREDENTIALS FROM A LOCKED PC
USB Ethernet + DHCP + Responder == Creds
Device:
- USB Ethernet adapter
- patch cord
- laptop
Tools:
- Responder
- DHCP server
44. SOFTWARE
• DriveCom -- PC C# application to communicate with Phison drives.
• EmbedPayload -- PC C# application to embed Rubber Ducky inject.bin
key scripts into custom firmware for execution on the drive.
• Injector -- PC C# application to extract addresses/equates from firmware
as well as embed patching code into the firmware.
• firmware -- this is 8051 custom firmware written in C.
• patch -- this is a collection of 8051 patch code written in C.
Releases have the following items:
• patch -- this is a collection of 8051 patch code written in C.
• tools -- these are the compiled binaries of all the tools.
• CFW.bin -- this is custom firmware set up to send an embedded HID
payload.
46. OBTAINING A BURNER IMAGE
A burner image is required for dumping or flashing firmware.
These burner images are typically named using the following convention:
BNxxVyyyz.BIN
where xx is the controller version (such as 03 for PS2251-03 (2303)), yyy is the version
number (irrelevant), and z indicates the page size.
z can be either:
• 2KM -- indicates this is for 2K NAND chips.
• 4KM -- indicates this is for 4K NAND chips.
• M -- indicates this is for 8K NAND chips.
All versions of the Patriot 8GB Supersonic Xpress drive (in fact, all USB 3.0 drives) seen so
far require an 8K burner. An example of a burner image would be BN03V104M.BIN.
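Added example, not part of the slides or of the Psychson project: a parser for the BNxxVyyyz.BIN naming convention described above, with a check that a burner image matches the controller and NAND page size of the drive it is meant for before it is used.

```python
import re

# Page-size suffix -> NAND page size, as given on the slide
PAGE_SIZE = {"2KM": "2K", "4KM": "4K", "M": "8K"}

# BN + two-digit controller version + V + three-digit version + page-size suffix + .BIN
BURNER_RE = re.compile(r"^BN(?P<ctrl>[0-9A-F]{2})V(?P<ver>\d{3})(?P<page>2KM|4KM|M)\.BIN$",
                       re.IGNORECASE)

def parse_burner_name(filename: str) -> dict:
    """Split BNxxVyyyz.BIN into its parts; raise ValueError if the name does not fit."""
    m = BURNER_RE.match(filename)
    if not m:
        raise ValueError(f"{filename!r} does not follow BNxxVyyyz.BIN")
    return {"controller": m["ctrl"].upper(),      # e.g. '03' for PS2251-03 (2303)
            "version": int(m["ver"]),             # irrelevant per the slide, kept for logging
            "page_size": PAGE_SIZE[m["page"].upper()]}

def burner_matches(filename: str, controller: str, page_size: str) -> bool:
    """True when the image targets the given controller and NAND page size
    (e.g. '03' and '8K' for the USB 3.0 drives the slides mention)."""
    info = parse_burner_name(filename)
    return info["controller"] == controller.upper() and info["page_size"] == page_size.upper()
```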
47. BUILD ENVIRONMENT
To patch or modify existing firmware, you must first set up a build environment.
See Setting Up the Environment on the wiki for more information.
At a minimum, SDCC needs to be installed to C:\Program Files\SDCC.
To run the tools, you need to be on Windows with .NET 4.0 installed.
To set up a build environment, you need to:
• Install Visual Studio 2012 Express (for building the tools).
• Install the SDCC (Small Device C Compiler) suite to C:\Program Files\SDCC.
Run DriveCom as below to obtain information about your drive:
DriveCom.exe /drive=E /action=GetInfo
48. DUMPING FIRMWARE
Run DriveCom, passing in the drive letter representing the drive you want to dump, the path of
the burner image you obtained, and the destination path for the firmware image:
C:\fw\Psychson-master\tools\DriveCom.exe /drive=F /action=DumpFirmware /firmware=C:\fw\currentfw.bin
where /drive is the drive letter (F here), BN03V104M.BIN is the path to the burner image, and /firmware is the
path of the resulting firmware dump.
Currently, only 200KB firmware images can be dumped (which is what the Patriot 8GB
Supersonic Xpress drive uses).
49. FLASHING CUSTOM FIRMWARE
Run DriveCom, passing in the drive letter representing the drive you want to flash, the path of
the burner image you obtained, and the path of the firmware image you want to flash:
C:\fw\Psychson-master\tools\DriveCom.exe /drive=F /action=SendExecutable /burner=C:\fw\fw_bn\BN03V114M.BIN
where /drive is the drive letter (F here), /burner is the path to the burner image, and fw.bin is the
path to the firmware image.
50. CREATE PAYLOAD
Create a key script in Rubber Ducky format, then use Duckencoder to create an
inject.bin version of it:
java -jar duckencoder.jar -i keys.txt -o inject.bin
where keys.txt is the path to your key script.
You may notice the delays are not quite the same between
the Rubber Ducky and the drive; you may need to adjust your scripts to compensate.
58. RUBBER DUCKY: WHEN THE USB STICK IS A USB KEYBOARD
The principle behind the USB Rubber Ducky
marketed by Hak5 is simple to understand.
The USB stick poses as a keyboard to the system and,
once plugged in, performs actions on the system,
in the manner of an autorun.exe, except that it does so by
typing keystrokes.
62. HOW TO CREATE A PAYLOAD, OR ARE YOU SURE YOU CREATED IT YOURSELF?
ducktoolkit-411.rhcloud.com
ducktoolkit.com
63. YOU CAN
RECON SCRIPT:
- Computer Information
- USB Information
- User Information
- Shared Drive Information
- Installed Program Information
- Installed Updates
- User Documents
- Network Information
- Network Scan
- Port Scan
- Wireless Profile
- Screen Capture
- Firefox Profile
- Extract SAM
EXPLOIT SCRIPT:
- Disable Firewall
- Find and FTP a File
- Add Administrative User
- Open Port
- Start WIFI Access Point
- Share C Drive
- Enable RDP
- Reverse Shell
- Download .exe and Execute
- DNS Cache Poison
- Sticky Keys Swap
- Remove Windows Update
REPORT SCRIPT:
- Save To USB
- Upload Report via FTP
- Email Report via GMAIL
- Save To Computer