Troboard
Team M30W
Outline
- Introduction
- Attack Method
- Demo
Attacker model
- Windows OS
- victim will plug our raspberry pi
- non-super privileged
Goal
- remote control
- desktop sharing
- leak keyboard log
Motivation
- hack classmate's computer
- USB is easy to get
- Poisontap is interesting?
- 127's childhood dream
Fake USB
USB classes
Faking classes -> Faking device
Stage - 1
ssh pi -> keyboard signal -> victim
Victim
Attacker
Generate Payload
Relay Payload
Pi
Problems
- Attacker need to be close by
- Attack does not persist after pi is disconnected
- Victim may notice he's hacked!
Remote Desktop!
-> Inject Trojan
Stage - 2
insert pi -> keyboard signal -> wget trojan
Victim
wget
Victim
Server
Client
Connect
Control
Then... We can
- Windows + R -> open powershell
- problem: 中文輸入法 (Shift not works)
- Solution: Ctrl+Space
Simulate What?
However
if network is down
:(
USB Hub
Not only a keyboard,
but also a USB storage!
Use cmd to move our file from USB storage to victim
- easy be detected
Hide it ?
But...
Everyone loves it
However...
OS want to protect system file!
Well...
Creating system files is easy : )
attrib +s +h file_name
What if the victim reboot?
Put our program under /user/.../startup
-> execute as routine startup
Stage - 3
insert pi -> & act as USB & Keyboard ->
Move trojan from USB
Victim
copy
Victim
Server
Client
Connect
Control
RCE again
Demo
Problem of
Hidden Remote Desktop
RCE
Victim
Our Server
Connect
Our server's ip will be exposed to victim!
Large Traffic Detection
Victim
?
Screen
Slow Network Detected
RCE ->
Leak Information
Stage - Extra
Leak Infromation?
Eavesdrop your keyboard & window!
IP Exposure?
Upload to trusted server, like youtube stream
tlk.io!
Victim
tlk.io
send key
Meow
peep key
Trusted Chatting Server!
Demo
Conclusion
Don't plug unknown USB :)
Don't plug untrusted IoT :)
Q&A
Troboard
By Arvin Liu
Troboard
Spoofing keyboard by Raspberry Pi & Inject Trojan that can remote desktop control
