Troboard

Team M30W

Outline

  • Introduction
  • Attack Method
  • Demo

Attacker model

  • Windows OS
  • victim will plug our raspberry pi
  • non-super privileged

Goal

  • remote control 
  • desktop sharing
  • leak keyboard log

Motivation

  • hack classmate's computer
  • USB is easy to get
  • Poisontap is interesting?
  • 127's childhood dream

Fake USB

USB classes

Faking classes -> Faking device 

Stage - 1

ssh pi -> keyboard signal -> victim

Victim

Attacker

Generate Payload

Relay Payload

Pi

Problems

  • Attacker need to be close by
  • Attack does not persist after pi is disconnected
  • Victim may notice he's hacked!

Remote Desktop!

-> Inject Trojan

Stage - 2

insert pi -> keyboard signal -> wget trojan

Victim

wget

Victim

Server

Client

Connect

Control

Then... We can

  • Windows + R -> open powershell
  • problem: 中文輸入法 (Shift not works)
  • Solution: Ctrl+Space

Simulate What?

However

if network is down

:(

USB Hub

Not only a keyboard,

but also a USB storage!

Use cmd to move our file from USB storage to victim

  • easy be detected

Hide it ?

But...

Everyone loves it

However...

OS want to protect system file!

Well...

Creating system files is easy : )

attrib +s +h file_name

What if the victim reboot?

Put our program under /user/.../startup

-> execute as routine startup

Stage - 3

insert pi -> & act as USB & Keyboard ->
Move trojan from USB

Victim

copy

Victim

Server

Client

Connect

Control

RCE again

Demo

Problem of
Hidden Remote Desktop

RCE

Victim

Our Server

Connect

Our server's ip will be exposed to victim!

Large Traffic Detection

Victim

?

Screen

Slow Network Detected

RCE ->

Leak Information

Stage - Extra

Leak Infromation?

Eavesdrop your keyboard & window!

IP Exposure?

Upload to trusted server, like youtube stream

tlk.io!

Victim

tlk.io

send key

Meow

peep key

Trusted Chatting Server!

Demo

Conclusion

Don't plug unknown USB :)

Don't plug untrusted IoT :)

Q&A