Creating Havoc using Human Interface Device
Uploaded by positive-hack-days (Category: Technology)
Transcript of Creating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
Nikhil Mittal

About Me
• SamratAshok
• Twitter - @nikhil_mitt
• Blog – http://labofapenetrationtester.blogspot.com
• Creator of Kautilya, Mareech and Nishang
• Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems.
• Previous Talks
  – Clubhack’10, Hackfest’11, Clubhack’11, Black hat Abu Dhabi’11, Troopers’12
• Upcoming Talks
  – Training at Shakacon’12 and GrrCON’12

Agenda - Introduction
• A typical Pen Test Scenario
• How we are doing it
• Need for new methods to break into systems
• HID anyone?

Agenda - Workshop
• Introduction to Teensy
• Basics of Arduino Development Environment (ADE)
• Installing and configuring ADE to use with Teensy
• Understanding the basics of programming using ADE
• Writing Hello World
• Basic usage and programming of Teensy
• Introduction to Kautilya
• Demonstration of Payloads in Kautilya
• Program and perform attacks on a Windows machine
• Program and perform advanced attacks on a Windows machine
• Program and perform attacks on a Linux machine
• Understanding structure of and automation using Kautilya
• Understanding Integration of payloads in Kautilya

Agenda - Conclusion
• Protection against HID based attacks
• Pen Test Stories
• Limitations
• Future
• Conclusion

Let’s get started
• Be as interactive as you can. Query me, ask nasty questions, insult me.
• It is mandatory to laugh at jokes, whether they are on slides or cracked by me.
• We will start slow and then pick up speed. Be patient if you already know something, not everybody is as good as you.
• I don’t have much theory so be ready to see demos and source code.
• Make sure you keep your eyes open. You should be able to program your device after this. I will keep checking if everyone is awake ;)

A typical Pen Test Scenario
• A client engagement comes with IP addresses.
• We need to complete the assignment in a very restrictive time frame.
• Pressure is on us to deliver a “good” report with some high severity findings. (That “High” shown inside a red colored box)

How the threats are Tested
Vuln Scan → Exploit → Report

• This is a best case scenario.
• Only lucky ones find that.
• Generally legacy Enterprise Applications or Business Critical applications are not upgraded and are the first targets.
• There is almost no fun doing it that way.

Some of us do it better
Enum → Scan → Exploit → Report

Some of us do it even better
Enum + Intel → Scan → Exploit → Post Exp → Report

Why do we need to exploit?
• To gain access to the systems.
• This shows the real threat to clients: that we can actually make an impact on their business. No more “so-what”.
• We can create reports with “High” Severity findings which bring $$$

What do we exploit?
• Memory Corruption bugs.
  – Server side
  – Client Side
• Mis-configurations
• Open file shares.
• Sticky slips.
• Man In The Middle (many types)
• Unsecured Dumpsters
• Humans
• <Audience>

Worse Scenario
• Many times we get some vulnerabilities but can’t exploit.
  – No public exploits available.
  – Not allowed on the system.
  – Countermeasure blocking it.
  – Exploit completed but no session was generated :P

Worst Scenario
• Hardened Systems
• Patches in place
• Countermeasures blocking scans and exploits
• Security incident monitoring and blocking
• No network access
• We need alternatives.

Need for new methods to break into systems
• Bad guys are getting smarter.
• Smart attacks of 2011
  – Sony (ok not so smart :P)
  – RSA (clever attack), chained to Lockheed Martin
  – Epsilon (Spear Phishing)
  – Barracuda Networks (WAF turned off for little while)
  – Some attacks on India
• Smart attacks of 2010
  – Stuxnet
  – Operation Aurora
• And Many more (like Apache in 2009)

Need for new methods to break into systems
• Breaking into systems is not as easy as done in the movies.
• Those defending the systems have become smarter (at many places :P) and it is getting harder to break into “secured” environments.
• Everyone is breaking into systems using the older ways; you need new ways to do it better.

HID anyone?
• Wikipedia – “A human interface device or HID is a type of computer device that interacts directly with, and most often takes input from, humans and may deliver output to humans.”
• Mice, Keyboards and Joysticks are the most common HIDs.
• What could go wrong?

Introduction to Teensy
• A USB Micro-controller device.
• Storage of about 130 KB.
• We will use Teensy++ which is an updated version of Teensy.

From pjrc.com

Current usage of Teensy
• http://www.pjrc.com/teensy/projects.html
• Really cool projects.

Arduino - Installation
• Install Arduino
• Windows Serial Installer (only Windows)
• Install Teensyduino
• Detailed with screenshots here: http://labofapenetrationtester.blogspot.in/2012/04/teensy-usb-hid-for-penetration-testers.html
• http://www.pjrc.com/teensy/td_download.html

Arduino - Configuration
• Make sure to select the correct “Board” and “USB Type” under the Tools menu item.
• If Teensyduino has been installed properly, sketch examples can be found at File->Examples->Teensy

Programming using ADE
• Almost C++ like syntax is used in ADE
• Two functions are required at minimum
  – setup() which runs whenever Teensy is plugged in or restarted.
  – loop() which keeps running after setup()
• Basic usage and programming of Teensy
• Writing Hello World with Teensy.

DEMO, Source Code and Programming

Kautilya
• It is a toolkit which aims to make Teensy more useful in Penetration Tests.
• Named after Chanakya a.k.a. Kautilya.
• Written in Ruby.
• It’s a menu driven program which lets users select and customize payloads.
• Aims to make Teensy part of every Penetration tester’s tool chest.

Payloads
• Payloads are written for Teensy without SD Card.
• Pastebin is extensively used, both for uploads and downloads.
• Payloads are commands, powershell scripts or a combination of both.
• Payload execution of course depends on the privilege of the user logged in when Teensy is plugged in.
• Payloads are mostly for Windows as the victim of choice generally is a Windows machine.

Windows User Add
• Adds a user with Administrative privileges on the victim.
• Uses net user command.

Default DNS
• Changes the default DNS for a connection.
• Utilizes the netsh command.

Edit Hosts File
• Edits the hosts file to resolve a domain locally.

Enable RDP
• Enables RDP on victim machine.
• Starts the service.
• Adds exception to Windows firewall.
• Adds a user to Administrators group.

Enable Telnet
• Installs Telnet on victim machine.
• Starts the service.
• Adds exception to Windows firewall.
• Adds a user to Administrators group and TelnetClients group.

Forceful Browsing
• Starts an invisible instance of Internet Explorer which browses to the given URL.

Download and Execute
• Downloads an exe stored in text format from pastebin, converts it back to an exe and executes it.

Sethc and Utilman backdoor
• Using registry hacks, calls user defined executable or command when Shift is pressed 5 times or Win + U is pressed.
• When the system is locked, the called exe is executed in System context.
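The registry hack behind this payload is an Image File Execution Options (IFEO) “Debugger” value registered for sethc.exe or utilman.exe, which is exactly what a defender can audit for. The Python below is an added example (not part of the talk or of Kautilya) that parses a constructed .reg export and flags any accessibility binary with a Debugger set; it generalises the slide’s two binaries to the other accessibility tools Windows launches from the lock screen.

```python
"""Audit a Windows .reg export for accessibility-feature (sethc/utilman) backdoors."""
import re

# IFEO key under which a "Debugger" value replaces the named program at launch.
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options")

# Accessibility binaries reachable from the lock screen; a Debugger on any of
# them runs as SYSTEM before logon. Generalised from the slide's sethc/utilman.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                          "narrator.exe", "displayswitch.exe", "atbroker.exe"}

# Constructed sample export: two hijacked binaries, two benign IFEO entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"Debugger"="C:\\Users\\Public\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe]
"MitigationOptions"=hex:00,00,00,00,00,00,00,00
'''


def parse_reg(text):
    """Return {key_path: {value_name: raw_value_data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys


def find_ifeo_backdoors(reg_text):
    """Return [(binary, debugger_command)] for accessibility binaries that have a Debugger."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if not key.lower().startswith(IFEO_PREFIX.lower() + "\\"):
            continue
        binary = key.rsplit("\\", 1)[1].lower()
        if binary in ACCESSIBILITY_BINARIES and "Debugger" in values:
            # .reg files double every backslash; undo that for the report.
            debugger = values["Debugger"].strip('"').replace("\\\\", "\\")
            findings.append((binary, debugger))
    return findings


if __name__ == "__main__":
    for binary, debugger in find_ifeo_backdoors(SAMPLE_REG):
        print(f"ALERT: {binary} hijacked via IFEO Debugger -> {debugger}")
```

On a live host the same check is run against `reg export` output of the IFEO key; any Debugger on these binaries is abnormal and worth an alert, since legitimate debuggers are never attached to them.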

Uninstall Application
• Uninstalls an application silently using msiexec.

Chrome RDP
• This payload opens up Chrome, launches the Remote Desktop plugin, enters credentials and copies the access key to pastebin.
• This payload operates on the browser window.

Information Gather
• Dumps valuable information from registry, net command and hosts file.

Sniffer
• This payload pulls the sniffer powershell script (by Robbie Foust) and executes it on the victim.
• The output is compressed and uploaded to FTP.

Hashdump
• This payload pulls the powerdump script of msf from pastebin, schedules it as a task to run in System context and uploads the hashes to pastebin.

Keylogging
• This payload logs keystrokes and pastes them to pastebin every twenty seconds.
• There is a separate script to parse the output.

Wireless Rogue AP
• This payload creates a hosted network with user defined SSID and key.
• It also adds a user to Administrators and TelnetClients group.
• It installs and starts telnet and adds it to Windows firewall exceptions.

Forced Wireless Connection
• This payload forces the victim to connect to an attacker controlled WiFi AP. The AP in this case is a portable WiFi hotspot on a smartphone.
• Using this, payloads can be pulled either from the smartphone or from the internet using the AP, thus effectively bypassing any internet restriction policies on the system.

Code Execution
• This payload uses the powershell code execution script (by Matt from exploit-monday blog).
• A meterpreter shell is executed completely in memory using this script.

Java Signed Applet Code Exec
• This payload browses in the background to a URL where the Metasploit Java Signed Applet module is hosted and accepts the run prompt after a few seconds.

Time based payload execution
• This payload waits till the given time, then downloads a payload and executes it.

WLAN keys dump
• This payload dumps WLAN keys in clear text and uploads them to pastebin as a private paste.

Pen Test Stories: Could you please plug this in for me?

Pen Test Stories: Library Fun
• We were doing internal PT for a large media house.
• The access to network was quite restrictive.
• The desktops at Library were left unattended many times.
• Teensy was plugged into one system with a sethc and utilman backdoor.
• Later in the evening the system was accessed and pwnage ensued.

Pen Test Stories: Breaking the perimeter
• A telecom company.
• We had to do perimeter check for the firm.
• The Wireless rogue AP payload was used and Teensy was sold to the client’s employees during lunch hours.
• Within a couple of hours, we got a wireless network with an administrative user and telnet ready.

Pen Test Stories: Help by the Helpdesk
• A pharma company.
• We replaced a user’s data card with a Teensy inside the data card’s cover.
• The payload selected was Keylogger.
• “Data card” obviously didn’t work and we got multiple keylogs for the user and the helpdesk.
• Helpdesk guys had access to almost everything in the environment and over a workday, it was over.

Defense from malicious HID
• Use Endpoint Protector 4 :P :P
• Group Policy in Windows which prevents installation of hardware devices.
• UDEV rules for Linux.
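To make the Group Policy bullet concrete, the Python below is an added model (not from the talk or from Kautilya) of how Windows Device Installation Restriction policies decide whether a newly enumerated keyboard may install: hardware-ID allow/deny lists are checked before setup-class lists, a deny wins over an allow at the same layer, and “Prevent installation of devices not described by other policy settings” is the fallback. The vendor/product IDs and device records are constructed; the two setup-class GUIDs are the real Windows Keyboard and DiskDrive classes. The point it shows is that a Teensy enumerates as an ordinary keyboard, so the approved keyboard must be allowed by hardware ID rather than by class.

```python
"""Model of Windows device-installation restriction policy evaluation (added example)."""
from dataclasses import dataclass, field

KEYBOARD_CLASS = "{4d36e96b-e325-11ce-bfc1-08002be10318}"   # Windows "Keyboard" setup class
DISK_CLASS = "{4d36e967-e325-11ce-bfc1-08002be10318}"       # Windows "DiskDrive" setup class


@dataclass
class Policy:
    """Hardware-ID and setup-class lists as configured through Group Policy."""
    allow_ids: set = field(default_factory=set)
    deny_ids: set = field(default_factory=set)
    allow_classes: set = field(default_factory=set)
    deny_classes: set = field(default_factory=set)
    deny_unlisted: bool = False   # "Prevent installation of devices not described by other policy settings"


@dataclass
class Device:
    name: str
    hardware_ids: list   # most specific first, e.g. USB\VID_xxxx&PID_yyyy&REV_zzzz then USB\VID_xxxx&PID_yyyy
    setup_class: str


def evaluate(policy, device):
    """Return 'allow' or 'deny'; device-ID layer decides before the setup-class layer."""
    ids = {h.upper() for h in device.hardware_ids}
    if ids & {d.upper() for d in policy.deny_ids}:
        return "deny"                     # explicit ID deny beats everything
    if ids & {a.upper() for a in policy.allow_ids}:
        return "allow"                    # explicit ID allow overrides class denies
    cls = device.setup_class.lower()
    if cls in {c.lower() for c in policy.deny_classes}:
        return "deny"
    if cls in {c.lower() for c in policy.allow_classes}:
        return "allow"
    return "deny" if policy.deny_unlisted else "allow"


# Constructed sample policy: only the corporate keyboard model is allowed (by
# hardware ID), every other keyboard is denied by class, and anything unlisted
# is refused. VID/PID values below are placeholders, not real vendors.
POLICY = Policy(allow_ids={r"USB\VID_0000&PID_0001"},
                deny_classes={KEYBOARD_CLASS},
                deny_unlisted=True)

CORP_KEYBOARD = Device("corporate keyboard",
                       [r"USB\VID_0000&PID_0001&REV_0100", r"USB\VID_0000&PID_0001"], KEYBOARD_CLASS)
ROGUE_KEYBOARD = Device("unknown USB keyboard (e.g. a Teensy)",
                        [r"USB\VID_1234&PID_5678&REV_0001", r"USB\VID_1234&PID_5678"], KEYBOARD_CLASS)
USB_STORAGE = Device("USB mass storage", [r"USB\VID_ABCD&PID_EF01"], DISK_CLASS)

if __name__ == "__main__":
    for dev in (CORP_KEYBOARD, ROGUE_KEYBOARD, USB_STORAGE):
        print(f"{dev.name}: {evaluate(POLICY, dev)}")
```

Without the `deny_unlisted` fallback or the class deny, the rogue keyboard installs like any other HID, which is the gap the slide’s defense is meant to close.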

Limitations with Teensy
• Limited storage in Teensy. Resolved if you attach a SD card with Teensy.
• Inability to “read” from the system. You have to assume the responses of victim OS and there is only one way traffic.

Limitations with Kautilya
• Many payloads need Administrative privilege.
• Lots of traffic to and from pastebin.
• Inability to clear itself after a single run.
• Not very stable as it is still a new tool and has not gone through user tests.
• For payloads which use executables you manually need to convert and paste them to pastebin.

Future
• Improvement in current payloads.
• Implementation of SD card.
• Use some payloads as libraries so that they can be reused.
• Support for Non-English keyboards.
• Maybe more Linux payloads.
• Implementation of some new payloads which are under development.

Thank You
• Please complete the Speaker Feedback Surveys.
• Questions?
• Insults?
• Feedback?
• Kautilya is available at http://code.google.com/p/kautilya/
• Follow me @nikhil_mitt
• http://labofapenetrationtester.blogspot.com/