Sunday, February 12, 2017
DEF CON 23 - Dr Phil Polstra - One Device to Pwn Them All
##########################################
Thanks for coming to the talk.
A little bit about having some fun with USB and little devices, namely the BeagleBone Black. What I'm going to talk about in particular is a pocket-sized device that can be used as a drop box, something you can battery power for days; as a remote hacking drone you can control from two miles away; as an airborne hacking drone, which you get by combining one of these devices with an aircraft; and as a hacking console. Right, is that better?
All right, now if I have to go to the chiropractor after this talk I'll be going to see Mr. Moss for some compensation. Alright, so I've talked about all these things at past conferences. Tonight I want to talk about some new functionality, which is what's in yellow here. In particular, I'll talk about how you can use devices such as a BeagleBone Black for some USB-based attacks. You can do things like write-protect a USB flash drive that you might want to use on somebody's system, and do USB impersonation. This is something I talked about at DEF CON 20 using a microcontroller-based device, and I'm going to show you how you can do that, and do it better, with a BeagleBone Black using shell scripting instead of custom C code. I'll also talk about something new: a scriptable HID device, also based on the BeagleBone Black.
So why should you care about any of this anyway? Running Deck Linux, which is a custom pen testing distro, on these is nice: it's small, very flexible, and you can network them with other devices in order to do some pretty sophisticated pen tests. You can show up with a small bag full of devices and do some really cool stuff, and it doesn't even cost you a lot of money. For far less than the cost of your MacBook you can have your little pen testing army, and because these are so useful you might have one around with you. Today I'll talk a little bit about how you might be able to exploit some brief physical access that you have to a target and see what kind of damage you can do in just a couple of seconds.
So who am I? Some of you might have seen me around. I'm a professor at Bloomsburg University of Pennsylvania; I teach forensics and pen testing, fun stuff. I'm also an author. I wrote a book on Linux forensics, which was released this morning as a pre-release for all the people at DEF CON, because we love you; everyone else has to wait a couple of weeks and pay more. By the way, if you want to get a copy of this book, come early tomorrow to the security booth, because we're blasting through our copies. Also another book, Hacking and Penetration Testing with Low Power Devices. I've been programming for a while, since I was about eight, and hacking hardware since I was 12 or so. I've also been known to fly airplanes and do other aviation stuff, and I write courses for Pentester Academy and some other places. So, what we'll talk about.
So I'll give you a real quick overview of Deck Linux on the BeagleBone Black, the BBB, and talk about how you can export an attached USB drive, talk about how you can write-enable that exported drive (this is some stuff I talked about at Black Hat Europe in 2012), then talk about USB mass storage device impersonation, which as I said I talked about at DEF CON 20, and also talk about something new, a scriptable USB HID keyboard.
So, Deck Linux. Deck Linux is based on Ubuntu; it's optimized for the BeagleBone Black and similar stuff. You can use it as a drop box or hacking console, and here are a couple of devices running it. You can see I have a quadcopter running it; that's what I call the AirDeck, which can fly in and hack people from away. And I have a nice little system hidden inside a Rock Band guitar. One of my favorites, though, has got to be the Trojan Dalek in this picture: he's got a nice little BeagleBone running Deck Linux and an Alfa adapter, and it's a USB-powered device, which is awesome. So you find a Doctor Who fan at your target company and give them a present that keeps on giving back to you. And I have some lunch box computers; I'm doing a demo lab tomorrow at noon if you want to see some of these devices in person.
So I've added a few modules: the MeshDeck, which is XBee mesh networking to control your army of devices from up to two miles away, and also the 4Deck to do some forensics stuff. And today I wanted to talk about the USB-based attacks.
So first of all, a little bit about USB on Linux. USB on Linux is often done using gadgets, so there's a USB gadget composite device, and a composite device can have many devices such as mass storage, audio, networking, and all kinds of good stuff, and if you have a version 4 or higher kernel you can also have it as a HID, a keyboard or mouse. So what about the BeagleBone Black? If you have a BeagleBone Black, by default it creates a g_multi device, a gadget multi composite device, and it normally will export the boot partition.
The reason it does this is that if you screw up your BeagleBone you want to be able to get it back at some time in the future, and the way that's done is they export the boot partition so that you can fix it and the thing will actually boot again. It's also normally configured to set up Ethernet over USB, and typically what happens, unless you change the defaults, is that the BeagleBone Black shows up as 192.168.7.2 and your PC has the .7.1 address.
Some Linux distributions that you might run will also start a getty process as well. Now unfortunately these defaults will conflict with what we want to do.
Another warning I will give you: never export a mounted filesystem unless it's read-only on both ends. It is not cool to take your root filesystem, or something else that you're writing to yourself, and export it so that somebody else can also write it. So how does this work? In order to export a USB mass storage device, here's a little snippet from a shell script.
First you need to stop the getty device, or the getty process I should say, if it was running. By the way, the DEF CON CD should have all this stuff, so, you know, don't think you have to take pictures and type the stuff in later; it should be on the DEF CON CD and also available for download other places later. Then you have to unload the module that is the g_multi device, using modprobe -r g_multi. Then I set up a couple of variables to store what's been exported, and then have a simple little loop that says, hey, if there's something called sd-something, well, if it's on the BeagleBone Black that must be a thumb drive that you installed. So I go through there with a little bit of shell script magic, and if it's there I unmount it and add it to my list.
Then I strip off some commas from that list, and then I export it. So I set some variables for a vendor and product ID.
Now how many of you are familiar with scripting? How many of you are gurus at bash scripting? Who knows what the dollar sign double parentheses is for? One hand. I see one hand halfway, like, "no, but I don't want you to call on me"; it's not school. For those of you who don't know, this puts bash in math mode, so you'll notice that vendor and product have been set up as integers, and this allows you to do things like increment them; otherwise these things get treated like strings. So just a little tip. Again, you can get all this code off the CD. Then I write the vendor ID to a temporary file, as well as the product ID, in case I want to mount this again as writable later, and then I run modprobe, where I give it g_multi and I give it file as an argument. Now this will take a list of comma-separated partitions that you want to mount. I tell it cdrom=0, which means I am NOT a CD-ROM, and I say read-only, and I give it a read-only for all of the partitions that I'm mounting, say yes, it's removable, and set the vendor and product ID. Although honestly, for this purpose, just to write-protect it, I don't need to do that, but we'll see later, when we try to do that impersonation, that this comes in handy.
Right, so let's try a demo at the first-ever Friday night keynote.
OK, it doesn't look like we have any audio, so let's see if I can remember how this goes. Alright, so here I have... so this is the default behavior: I plugged in the BeagleBone and it's exported the root filesystem, and you'll notice that it just connected me to the network. So this is kind of what happens by default.
Please stand by. Is that this? That this? Yeah.
First I'm going to... I'm going to run a script. Alright, let's turn it on. In this video I want to show you what happens when you normally plug in the BeagleBone Black. So here I have a BeagleBone Black and I'm just going to plug it into my Ubuntu laptop here, and it's going to load that USB multi module. It will take just a little bit, and you'll see my computer is going to display a message saying it's connected another network device, and as you can see it's also pulled up the boot partition from my MMC, and there it says it's connected to a wired connection too. And here's my boot partition with a lot on it, and it's done, again, so that you can recover a broken system: go in there and fix something you screwed up on the boot. So here I am on my computer. If I do an lsusb I will notice here is that new Linux Foundation Multifunction Composite Gadget. If I do ifconfig I will see it gets a statically assigned IP, and it will give you .7.1 on the PC side and .7.2 on the BeagleBone side, so if I do a ping it is great. So that's the default behavior.
So what if we want to export a drive? First I'm going to... hold on, I'm going to run a script again. What do you see? You see on my Ubuntu laptop it was disconnected, that it's gone away, which showed up on my other screen, and here are multiple partitions from that device. So this all worked. So let me go over to my Linux machine, and if I do a mount I'm going to see here I have it read-only, just as I wanted. So there you have it: I have exported a thumb drive that was plugged into my BeagleBone Black to a PC as read-only. Now one thing I should also point out: in this demo I'm running a series of scripts. You could very easily set up some buttons and things on the BeagleBone Black to do this, but just to make the demos a little bit simpler for this talk I didn't do that; it's very easily done.
Right, now if you decide you're ready to make it writable, and maybe you're ready to exfiltrate some data, please do this after you kill the antivirus, and I will leave it up to you to interpret the PDF; those of you who've ever been at Hacker Jeopardy should know what that means. So you can easily remount it using another bash script, and basically I just look for that temporary file and I say hey, let's redo that and just make it writable. It looks kind of like this. So now you've gone onto the system, you've used all the tools that you had on your thumb drive, which was mounted as read-only, you've killed the antivirus and all those other things, and it's time to exfiltrate some data. So how can you do that? Well, you just need to remount the drive as readable and writable. Done.
Go back to my PC, and you'll notice my PC popped up this drive. I also will get reconnected to my Ethernet here on my laptop. I run mount, and you will see that sure enough, there you have it: I now have a readable and writable partition that has been exported from the thumb drive attached to my BeagleBone Black. It was that simple.
Alright, so let's have some fun now. Let's talk about USB mass storage impersonation. So, you know, some people may think they can block users from mounting unauthorized thumb drives, and they typically do this using some endpoint security software and/or some rules such as udev rules to filter by VID and PID. Now, as I said before, I presented a microcontroller-based device at DEF CON 21 that showed how to do this, but you can do the same thing with a BeagleBone Black and some shell scripting. Now one important thing to note here is that you can get a lot better performance.
The microcontroller-based device that I showed was only capable of full speed, or 12 megabits per second,
versus high speed, or 480 megabits per second, that you can get with the BeagleBone Black. So basically, a little bit of setup again; all this should be on the CD. I've got a usage statement, I declare VID and PID as integers, that's where you get the declare -i, and a delay, and I parse some arguments and sleep. That's just kind of boring stuff. And this is a picture, by the way, of that device that I presented at DEF CON 20. So step two, you need to unmount the drive. How do you do that? You check and see if the getty process is running; if it is, you stop it. You also unload g_multi and set up some variables, and this looks very similar to our previous script, with one important difference, and that comes up right about here. By the way, hopefully your unmounting is a little bit more graceful than this lady in this picture.
Alright, so I have a file with the entire Linux PID database, so what you can do is spin through this file and see if it gets mounted or not, and if it gets mounted, it's not getting blocked, you just say great, and there you go. So let's have a little demo of this.
Now let's have some fun with USB impersonation. So I'm going to go ahead and run lsusb, and now I'm going to plug in a SanDisk drive, and I'm going to rerun lsusb. As you can see, it mounted successfully; here it is. So I want this to impersonate something else. How are we going to do that? I'm going to do that using my BeagleBone Black, so let me go ahead and unplug and plug in the BeagleBone Black. Alright, so now I've logged on to my BeagleBone and we're going to go ahead and run my script. I'm going to let it run through a couple of these; it's mounting. I'm not actually blocking in this case, but if you saw my DEF CON 20 talk you know about how it works and everything. So now if I go back to my Linux machine I will see that sure enough, when I run my lsusb, my SanDisk drive has suddenly become a Mainstay drive. So there you have it. I was able to do this with a microcontroller-based device and some custom code, and now I have done the exact same thing with a little bit of shell scripting and a BeagleBone Black. Alright, so again, a lot faster, 40 times faster.
But now let's have some real fun. Let's do something completely new, and show you how you can make a USB HID device, again completely in bash script. You don't even have to write Python; not that I don't love Python, and I'll show you some Python scripts you can use with this. But how do you do this? Step one, you have to unload that g_multi, and this should look kind of familiar by now.
Now step two, you have to create something called a config filesystem; it's a special pseudo filesystem, if you will. By the way, this lovely little picture here is talking about how you shouldn't mix configfs and the separate gadget drivers. I didn't make this; there are enough people that know that this is a problem that I actually found this little picture on the internet. So you have to configure a filesystem, and you will probably have the base directory where this is mounted under /sys/kernel/config, and if it's there you might have something you want to unmount, and then mount a new configfs at that place. And then you have to create a device. So how does that work? You take that area and you make a directory for your keyboard device, and you echo vendor ID, product ID, you know, pick your favorite, and you echo the device and USB versions, as they've done here. You add a configuration: so here I have a configuration, I make a new directory and echo things like the maximum power, and I create a new directory, hid.usb0, and echo some more stuff like the subclass, protocol, report length, and then I finalize it.
So step five, you need a report descriptor. Those of you who know something about USB know that everything uses descriptors to describe itself; they're used for a lot of things, and there's something called a HID report descriptor that's used to define reports from keyboards, mice, joysticks, etc. So you need one of these things, and what you have to do is create a symlink for your configuration and activate it. So first you copy this report descriptor (I have it just as a .bin file) into the configfs, create a symlink, and then echo, you know, musb-hdrc.0.auto to this specific place, and then boom, you have a device. So this is the eye test slide for this talk. No, I don't expect you to be able to read this; I just put this in here so that when you get the slide deck you can see it, but this is the detail of what's in that binary file, and descriptions for every single byte of what this report descriptor looks like. That's boring, but let's have a demo.
So now we're going to go ahead and create a device. So first I'm going to run my script, create HID, and if I go back to my Linux system and do an lsusb I will see a new device. Now Linux is a little bit smarter than Windows, so for the Linux devices it just comes up and says 1337 1337, because it will actually look it up; if you give it a fake vendor and product ID it'll say no, that's not right, I know that that's not right.
Generally that's the case; it's a lot smarter than Windows. So there you have it, I have my HID. Now if I do an lsusb -d 1337:1337 -v, you'll see it gives me a bunch of information, and right here it tells me this is in fact a HID, and it's a keyboard. Alright, so now we have a device, but we're not quite ready to do anything useful with it. In order to do something useful with this device you have to send some reports, and the format for these reports is pretty simple: there is a modifier, so you have your shift key, control key, which shift key, et cetera, and there's a reserved byte,
and then we have a bunch of key codes, and you're allowed to press up to six keys at a time. Why you would want to do this I don't know, but it's in the spec. So how can you do this? Now I should say, you've created the device and you can just echo stuff to the device on the command line, but who wants to do that? We like Python, right? Python is every pen tester's friend. So how can you do this in Python to make it a little easier? So some preliminaries in the Python code: you import a few things like struct and time, and define the key modifiers for the different shift keys et cetera, and then I create a little list of ASCII to key mappings so that you can map key codes to ASCII codes, because of course they're not the same. Why would they be the same? That would be easy, and then people wouldn't get jobs, right? We have to make it hard; you have to be smart to do this stuff, and then we get paid more money. So the next thing I do is I create a class, and how many of you are familiar with... OK, so you know how to create classes in Python. Here I have a constructor where you can pass in, optionally, what the HID device filename is, and I define a whole bunch of nice little helper functions such as send key. Now if you send a key you have to send two reports, unless you want to fill the screen with the same key, right? You have to send a report that says I pressed a key and another report that says I stopped pressing the key. That's what you'll see here: it says write the report, and then it sends a nice zeroed-out report, which means I stopped pushing buttons. And then of course I defined some other helpful functions, such as a shifted key, send a character, send a string, et cetera. And I didn't show it up here, but I have a whole bunch of nice little key things such as please lock the screen, please flip the screen upside down if you're running Windows, bring up a terminal if you're running Linux, etc.
So let's do a simple Linux attack. So here is my script: I'm just going to type out your environment variables, I'm going to run nano and create a new file called hacked, and I'm just going to put in a couple of strings, "you are so hacked", and then I'm going to send some keys to exit nano and save your file, of course, and then I'm going to cat your password file to gotyourpasswords.txt, and then I'm going to clear the screen. So how does this look? I created the USB HID device, but we haven't done anything useful with it yet.
In order to do that we can run our Python script. I'm going to go ahead and run this script. I've attached it to my Linux computer, and I just ran a bunch of stuff; you didn't even see it, it was so fast. If I do an ls on the txt files you'll notice that I created a new file, and another one called gotyourpasswords. So if I cat hacked I see it says "you're so hacked", and if I cat gotyourpasswords it in fact brings up my password file. So there you have it, pretty simple. All right, now.
Hacking Linux is what makes this fun, but come on, Windows, right?
I mean, when is Windows good for anything else? So it might as well be good as an attack target. So let's do a simple little Windows attack. So here's what I'm going to do: I'm going to create a device, I'm going to send the Windows-R key, which says please run something, and then I'm going to send the line "notepad", and then I'm going to again put in a bunch of text. Then I'm going to send Alt and then X, which will save and exit, and hit Enter to say yes, please save my file. I will send the line hacked.txt when it says what would you like to call the file, and then I'm going to send the Windows upside-down screen command, which will flip your screen upside down, and then I'm going to lock the screen, so it's a nice upside-down lock screen, potentially. So let's go ahead and run this.
I'm going to go ahead and attack Windows.
By the way, I sent a command to flip the screen which didn't work in this case because it's running in VirtualBox, but normally it would have. If I log back in and I look in my Documents I see a new file. So of course I could do some other fun stuff, but I think you guys get the point.
And given that it's late, just to let you know, if you have any questions, tomorrow from noon to 2 I'm doing a demo lab. Also you might find me chained to the security booth over in the vendor area. So one thing you can do there: yesterday I talked about this new device that's come out called the catch wire, and the manufacturer has graciously donated some nice little bundles with their devices running pen testing Linux that we're giving away. So if you drop by the booth you can register to win free stuff. You like free stuff? I like free stuff too. So, you know, you can get a nice gift set worth over 600 bucks; we've got two, sorry, two of those to give away, and of course you can always say hello. So I'll have all my toys tomorrow: I'll have my lunch box computers, I'll have a BeagleBone Black that's running this stuff, and a couple of catch wires as well if you want to see that. So everything I talked about today, everything I talked about yesterday, if you want to come, you know, get touchy-feely, it's that kind of conference, I'll let you touch my junk if you want. Come tomorrow at noon. So thanks for coming at seven o'clock on a Friday, and I'll see you guys around.
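The read-only thumb drive export the talk walks through (stop getty, unload g_multi, collect the sd* partitions, reload g_multi with file=, cdrom=0, ro= on every LUN, removable=1 and a vendor/product ID) as one stand-alone script. This is an added example written for this page, not Dr Polstra's script from the DEF CON CD; the 0x1337 IDs, the /tmp state-file path and the ttyGS0 getty name are assumptions.

```bash
#!/bin/bash
# Added example for this page, not the talk's own script. Exports the USB sticks
# plugged into a BeagleBone Black to the host PC as a read-only g_multi
# mass-storage gadget, so nothing on the PC side can alter the tools (or the
# evidence) on the stick. Run as root on the BBB with "--export"; without the
# flag it only defines the functions so they can be tested on any machine.
set -u

STATE_FILE=/tmp/exported_usb            # assumed path: remembers partitions and IDs
USB_VID=$(( ${USB_VID:-0x1337} ))       # assumed IDs, held as integers through
USB_PID=$(( ${USB_PID:-0x1337} ))       # $(( )) math mode, as the talk's declare -i

# Find partitions of sticks plugged into the BBB (/dev/sda1, /dev/sdb1, ...).
# A filesystem must never be exported while mounted on this side, so unmount
# first. Prints the list comma-separated, the form g_multi's file= expects.
find_partitions() {
  local part list=""
  for part in /dev/sd[a-z][0-9]*; do
    [ -b "$part" ] || continue
    grep -qs "^$part " /proc/mounts && umount "$part"
    list="${list:+$list,}$part"
  done
  echo "$list"
}

# One "1" per exported partition: g_multi's ro= is a per-LUN list (ro=1,1 for two).
ro_flags() {
  local IFS=, entry out=""
  for entry in $1; do out="${out:+$out,}1"; done
  echo "$out"
}

# Build the modprobe parameter string: file list, not a CD-ROM, read-only on
# every LUN, removable, and the integer VID/PID rendered back as 4-digit hex.
build_gmulti_args() {
  printf 'file=%s cdrom=0 ro=%s removable=1 idVendor=0x%04x idProduct=0x%04x\n' \
    "$1" "$(ro_flags "$1")" "$2" "$3"
}

export_readonly() {
  local parts args
  # The default getty on the gadget serial port (ttyGS0 assumed) and the default
  # g_multi (boot partition + USB Ethernet) conflict with re-exporting: stop both.
  pkill -f 'getty.*ttyGS0' 2>/dev/null || true
  modprobe -r g_multi
  parts=$(find_partitions)
  if [ -z "$parts" ]; then
    echo "no /dev/sd* partitions found" >&2
    return 1
  fi
  # Remember what was exported and which IDs were used, so a later script can
  # reload the same list (the talk keeps the IDs in a temp file for that purpose).
  printf '%s %d %d\n' "$parts" "$USB_VID" "$USB_PID" > "$STATE_FILE"
  args=$(build_gmulti_args "$parts" "$USB_VID" "$USB_PID")
  # shellcheck disable=SC2086  (the parameter string is meant to word-split)
  modprobe g_multi $args
}

if [ "${1:-}" = "--export" ]; then
  export_readonly
fi
```

After a successful export, `mount` on the PC should show each partition with `ro` in its options, which is the check the talk makes in its demo.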
##########################################