Submit Search
Upload
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote attacks
•
0 likes
•
43 views
Felipe Prado
Follow
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote attacks
Read less
Read more
Technology
Report
Share
Report
Share
1 of 20
Download now
Download to read offline
Recommended
Cocoa pods iOSDevUK 14 talk: managing your libraries
Cocoa pods iOSDevUK 14 talk: managing your libraries
Diego Freniche Brito
Â
Eastside incubator - Startup in Seattle
Eastside incubator - Startup in Seattle
Bryan Starbuck
Â
All about Apache ACE
All about Apache ACE
OSGi User Group France
Â
Device deployment
Device deployment
Angelo van der Sijpt
Â
Intro to HTML 5 / CSS 3
Intro to HTML 5 / CSS 3
Tadpole Collective
Â
Git tutorial
Git tutorial
Elli Kanal
Â
Composer - Package Management for PHP. Silver Bullet?
Composer - Package Management for PHP. Silver Bullet?
Kirill Chebunin
Â
Death of a Themer - Frontend United - 14 April 2013
Death of a Themer - Frontend United - 14 April 2013
Matt Fielding
Â
Recommended
Cocoa pods iOSDevUK 14 talk: managing your libraries
Cocoa pods iOSDevUK 14 talk: managing your libraries
Diego Freniche Brito
Â
Eastside incubator - Startup in Seattle
Eastside incubator - Startup in Seattle
Bryan Starbuck
Â
All about Apache ACE
All about Apache ACE
OSGi User Group France
Â
Device deployment
Device deployment
Angelo van der Sijpt
Â
Intro to HTML 5 / CSS 3
Intro to HTML 5 / CSS 3
Tadpole Collective
Â
Git tutorial
Git tutorial
Elli Kanal
Â
Composer - Package Management for PHP. Silver Bullet?
Composer - Package Management for PHP. Silver Bullet?
Kirill Chebunin
Â
Death of a Themer - Frontend United - 14 April 2013
Death of a Themer - Frontend United - 14 April 2013
Matt Fielding
Â
Teaching & Learning Forum presentation
Teaching & Learning Forum presentation
Carol Skyring
Â
Massive device deployment - EclipseCon 2011
Massive device deployment - EclipseCon 2011
Angelo van der Sijpt
Â
Chaione Ember.js Training
Chaione Ember.js Training
aortbals
Â
Automate Yo' Self
Automate Yo' Self
John Anderson
Â
20091027genentech
20091027genentech
Jeff Hammerbacher
Â
InnoDB Magic
InnoDB Magic
sunnygleason
Â
20091203gemini
20091203gemini
Jeff Hammerbacher
Â
20091110startup2startup
20091110startup2startup
Jeff Hammerbacher
Â
Taking Spinnaker for a spin @ London DevOps Meetup 36
Taking Spinnaker for a spin @ London DevOps Meetup 36
aleonhardt
Â
Modern Front-End Development
Modern Front-End Development
mwrather
Â
Zero to Sixty: AWS Elastic Beanstalk (DMG204) | AWS re:Invent 2013
Zero to Sixty: AWS Elastic Beanstalk (DMG204) | AWS re:Invent 2013
Amazon Web Services
Â
Open Standards in the Walled Garden
Open Standards in the Walled Garden
digitalbindery
Â
Basic docker for developer
Basic docker for developer
Weerayut Hongsa
Â
Celix universal OSGi
Celix universal OSGi
OSGi User Group France
Â
OSGI workshop - Become A Certified Bundle Manager
OSGI workshop - Become A Certified Bundle Manager
Skills Matter
Â
Git::Hooks
Git::Hooks
Mikko Koivunalho
Â
Continuous Integration with Open Source Tools - PHPUgFfm 2014-11-20
Continuous Integration with Open Source Tools - PHPUgFfm 2014-11-20
Michael Lihs
Â
Docker tips
Docker tips
Menghan Zheng
Â
DevOps Columbus Meetup Kickoff - Infrastructure as Code
DevOps Columbus Meetup Kickoff - Infrastructure as Code
Michael Ducy
Â
Old Dog, New Tricks
Old Dog, New Tricks
Simon Collison
Â
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
Felipe Prado
Â
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
Felipe Prado
Â
More Related Content
Similar to DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote attacks
Teaching & Learning Forum presentation
Teaching & Learning Forum presentation
Carol Skyring
Â
Massive device deployment - EclipseCon 2011
Massive device deployment - EclipseCon 2011
Angelo van der Sijpt
Â
Chaione Ember.js Training
Chaione Ember.js Training
aortbals
Â
Automate Yo' Self
Automate Yo' Self
John Anderson
Â
20091027genentech
20091027genentech
Jeff Hammerbacher
Â
InnoDB Magic
InnoDB Magic
sunnygleason
Â
20091203gemini
20091203gemini
Jeff Hammerbacher
Â
20091110startup2startup
20091110startup2startup
Jeff Hammerbacher
Â
Taking Spinnaker for a spin @ London DevOps Meetup 36
Taking Spinnaker for a spin @ London DevOps Meetup 36
aleonhardt
Â
Modern Front-End Development
Modern Front-End Development
mwrather
Â
Zero to Sixty: AWS Elastic Beanstalk (DMG204) | AWS re:Invent 2013
Zero to Sixty: AWS Elastic Beanstalk (DMG204) | AWS re:Invent 2013
Amazon Web Services
Â
Open Standards in the Walled Garden
Open Standards in the Walled Garden
digitalbindery
Â
Basic docker for developer
Basic docker for developer
Weerayut Hongsa
Â
Celix universal OSGi
Celix universal OSGi
OSGi User Group France
Â
OSGI workshop - Become A Certified Bundle Manager
OSGI workshop - Become A Certified Bundle Manager
Skills Matter
Â
Git::Hooks
Git::Hooks
Mikko Koivunalho
Â
Continuous Integration with Open Source Tools - PHPUgFfm 2014-11-20
Continuous Integration with Open Source Tools - PHPUgFfm 2014-11-20
Michael Lihs
Â
Docker tips
Docker tips
Menghan Zheng
Â
DevOps Columbus Meetup Kickoff - Infrastructure as Code
DevOps Columbus Meetup Kickoff - Infrastructure as Code
Michael Ducy
Â
Old Dog, New Tricks
Old Dog, New Tricks
Simon Collison
Â
Similar to DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote attacks
(20)
Teaching & Learning Forum presentation
Teaching & Learning Forum presentation
Â
Massive device deployment - EclipseCon 2011
Massive device deployment - EclipseCon 2011
Â
Chaione Ember.js Training
Chaione Ember.js Training
Â
Automate Yo' Self
Automate Yo' Self
Â
20091027genentech
20091027genentech
Â
InnoDB Magic
InnoDB Magic
Â
20091203gemini
20091203gemini
Â
20091110startup2startup
20091110startup2startup
Â
Taking Spinnaker for a spin @ London DevOps Meetup 36
Taking Spinnaker for a spin @ London DevOps Meetup 36
Â
Modern Front-End Development
Modern Front-End Development
Â
Zero to Sixty: AWS Elastic Beanstalk (DMG204) | AWS re:Invent 2013
Zero to Sixty: AWS Elastic Beanstalk (DMG204) | AWS re:Invent 2013
Â
Open Standards in the Walled Garden
Open Standards in the Walled Garden
Â
Basic docker for developer
Basic docker for developer
Â
Celix universal OSGi
Celix universal OSGi
Â
OSGI workshop - Become A Certified Bundle Manager
OSGI workshop - Become A Certified Bundle Manager
Â
Git::Hooks
Git::Hooks
Â
Continuous Integration with Open Source Tools - PHPUgFfm 2014-11-20
Continuous Integration with Open Source Tools - PHPUgFfm 2014-11-20
Â
Docker tips
Docker tips
Â
DevOps Columbus Meetup Kickoff - Infrastructure as Code
DevOps Columbus Meetup Kickoff - Infrastructure as Code
Â
Old Dog, New Tricks
Old Dog, New Tricks
Â
More from Felipe Prado
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
Felipe Prado
Â
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
Felipe Prado
Â
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
Felipe Prado
Â
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
Felipe Prado
Â
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
Felipe Prado
Â
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
Felipe Prado
Â
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
Felipe Prado
Â
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
Felipe Prado
Â
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
Felipe Prado
Â
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
Felipe Prado
Â
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
Felipe Prado
Â
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
Felipe Prado
Â
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
Felipe Prado
Â
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
Felipe Prado
Â
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
Felipe Prado
Â
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
Felipe Prado
Â
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
Felipe Prado
Â
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
Felipe Prado
Â
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
Felipe Prado
Â
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Felipe Prado
Â
More from Felipe Prado
(20)
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
Â
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
Â
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
Â
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
Â
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
Â
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
Â
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
Â
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
Â
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
Â
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
Â
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
Â
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
Â
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
Â
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
Â
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
Â
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
Â
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
Â
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
Â
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
Â
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Â
Recently uploaded
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
Â
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Mark Simos
Â
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
MarianaLemus7
Â
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
charlottematthew16
Â
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
Ridwan Fadjar
Â
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
The Digital Insurer
Â
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
2toLead Limited
Â
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
Miki Katsuragi
Â
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
Florian Wilhelm
Â
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
Fwdays
Â
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
Fwdays
Â
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
charlottematthew16
Â
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
Alex Barbosa Coqueiro
Â
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
BookNet Canada
Â
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
Fwdays
Â
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
Memoori
Â
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
hariprasad279825
Â
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
Lorenzo Miniero
Â
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
Dubai Multi Commodity Centre
Â
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
ScyllaDB
Â
Recently uploaded
(20)
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Â
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Â
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
Â
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
Â
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
Â
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
Â
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
Â
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
Â
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
Â
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
Â
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
Â
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
Â
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
Â
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Â
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
Â
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
Â
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
Â
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
Â
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
Â
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
Â
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote attacks
1.
Universal*Serial* aBUSe Rogan&Dawes&&&Dominic&White research@sensepost.com
2.
Important*Note • This&is&the&text8based&version&of&the&slides,&and¬& the&version&we&plan&to&present.&We&wanted&to&give& you&something&meaningful&to&read&through. • The&toolset&will&be&released&on&our&github: •
https://github.com/sensepost/USaBUSe • Details&of&the&talk,&latest&slides&and&code&will&be& written&up&at&our&blog: • https://sensepost.com/blog Background&http://sneakyninja95.deviantart.com/art/Stored8Memories8535612391
3.
Overview In&this&talk,&we’ll&cover&some&novel&USB8level&attacks,& that&can&provide&remote&command&and&control&of,& even&air8gapped&machines,&with&a&minimal&forensic& footprint,&and&release&an&open8source&toolset&using& freely&available&hardware.
4.
The*Meta*Point • It’s&hard&to&defend&at&the&best&of×. • Doing&so&well,&requires&a&realistic&threat&model. •
Too&often,&that&threat&model&is&driven&by&vendor& marketing&rather&than&real&attacks. • For&example,&advanced&attackers&have&always&existed,& it’s¬&clear&“APT”&would&have&been&a&thing,&or&as&much& of&a&thing&without&the&significant&vendor&marketing& spend&put&behind&it. • Penetration&testers&need&to&emulate&real&threats&or& they’re&just&wasting&your&time
5.
Why*we’re*highlighting*this*issue • We’ve&seen&real&attackers&doing&it,&but&defenses& haven’t&adapted. • The&NSA’s&COTTONMOUTH&toolkit&showed&these&sorts&of& USB&attacks •
Technically&unsophisticated&criminals&have&defrauded& banks&using&simple&IP&KVMs • If&your&apex&predators&and&low&level&bottom&feeders& are&using&the&same&sort&of&attacks;&physical& bypasses&of&software/network&security&via& hardware,&then&you&best&pay&attention. • Plus,&it&makes&sense,&software&is&getting&harder&to& exploit&and&changes&more&rapidly&than&hardware.
6.
But*we*know*about*these*attacks? • Do&we?&Because&the&defenses&in&this&space&seem&to&be&poor& in&our&experience&at&clients. • Hardware&keyloggers
have&been&around&for&decades,&and& are&still&near&impossible&to&practically&detect&in&software. • Most&organisations seem&to&think&USB&is&about&malware&or& tethering/wifi and&rely&on&protections&elsewhere&in&the& stack: • malware&deployment&– proxy • malware&on&device&– AV/endpoint • comms from&device&– FireEye&and&friends • But&there’s&little&defense&specific&to&malicious&devices,& something&the&USB&standard&makes&very&easy&to&implement. • Finally,&there&wasn’t&an&end8to8end&implementation&of&this& attack&when&we&started.&
7.
Prior*Work • This&work&stands&on&the&shoulders&of&giants.&While& numerous&researchers&have&produced&USB&related& work,&prior&work&specific&to&this&project&includes: • Travis&Goodspeed’s&Facedancer2& http://goodfet.sourceforge.net/hardware/facedancer21/ •
Michael&Ossman &&Dominic&Spill’s&NSA&Playset,& TURNIPSCHOOL&http://www.nsaplayset.org/turnipschool • Samy Kamkar’s USBDriveBy http://samy.pl/usbdriveby/ • USB&Rubber&Ducky&Wiki&http://usbrubberducky.com/ • Adrian&Crenshaw&Plug&&&Pray;&Malicious&USB&Devices& http://www.irongeek.com/i.php?page=security/plug8and8 prey8malicious8usb8devices &&his&PHUKD& http://www.irongeek.com/i.php?page=security/programmabl e8hid8usb8keystroke8dongle • Seunghun Han’s&Iron8HID&https://github.com/kkamagui/IRON8 HID (released&after&our&Defcon CFP&submission)
8.
Objectives*of*our*Work • Build&and&end8to8end&attack&that’s&usable&in&a&pentest • Allow&it&to&be&remotely&triggered&and&updated •
Work&without&requiring&victim&interaction • Exclude&typical&USB&malware&vectors&(for&which&typical& defenses&exist)&e.g.&malware&via&mass&storage • Don’t&sent&any&traffic&via&the&victim’s&network • Avoids&environmental&complexities&(firewalls,&etc) • Avoids&detection&(IDS) • Create&a&stealthy&bi8direction&pipe&over&innocuous&USB& devices&(something&forensic&tools&are&unlikely&to&spot) • Minimise forensic&artefacts&(e.g.&execute&in&memory& where&possible)
9.
So*what’s*different/new? • Simpler&networking;&TCP/IP&interface&over&WiFi • TURNIPSCHOOL&uses&custom&RF&protocol •
IRON8HID&uses&Bluetooth • More&complete&implementation • TURNIPSCHOOL&never&completed&firmware&for&cc1111&against&host • Numerous&small&improvements&over&IRON8HID& • Enables&reuse&of&existing&tools • Implements&a&VNC&clients&for&keyboard&and&mouse&input • Compatible&with&metasploit generated&payloads • More&stealthy • No&use&of&mass&storage&devices&to&load&malware • No&use&of&host’s&network&i.e.&works&on&airgapped hosts&too • An&end8to8end&attack • From&plug&in&to&remote&network&&&command&access • Open&Hardware • While&it&works&on&available&hardware,&we’re&releasing&our&open&hardware&design • Minimal&custom&bootstrap
10.
Initial*Hardware • April&Brother&Cactus&Micro&Rev2 • Atmega32u4&on&one&side&8
host • ESP8266&WiFi on&the&other&– our&exfil • Compact&enough&to&be&a&flash&drive • Advantages • Cheap&&&available • AVR&&&ESP&gives&us&host&side&and&wifi side • Disadvantages • No&I2C • No&USB&A • Can’t&program&ESP&directly • Minimal&storage • Can’t&reset&when&in&a&case • LED¬&controllable&from&Atmega • Not&open&hardware
11.
New*Hardware • Very&similar&to&the&Cactus&Micro,&but&with: • USB&A&male&connector! •
Micro&SD&Card&slot&for&storage • I2C&connected&with&pull&up&resistor • Programmable&LED • Hall8effect&switch&to&trigger&reset&when&in&case
12.
Firmware • Lightweight&USB&Framework&for&AVR&(LUFA) • Running&on&the&atmega32u4 •
Implements&the&various&USB&interfaces&seen&by&the& victim • ESP8Link&(UART&to&TCP&firmware) • Running&on&the&ESP8266 • Provides&Wifi to&device,&connects&to&attacker’s&AP • Added&a&VNC&implementation&to&receive&key&&&mouse& events&to&pass&to&the&host • Added&a&multiplexing&protocol&over&the&UART&to&allow& communication&between&various&functions
13.
USB*Implementation • Traditional&Keyboard&and&Mouse • Emits&events&received&via&VNC •
Can&programmably emit&events&ala&RubberDucky • Used&to&stage&initial&payload&on&host • Used&to&prevent&screensaver&engaging • Generic&HID • Allows&bidirectional&packet&transfers • 64&byte&packets& • 1000&per&second&(in&theory)
14.
Alternate*USB*Implementations • For&stealthier,&more&innocuous&bi8directional& comms • Text8only&printer •
“Prompt8less”&driver&installation&in&Windows • Sound&card • Gives&us&audio&out&and&mic&in • Problems:&Might&interfere&with&primary&audio&device • Depends&on&default&permissions
15.
Targets • Targeting&Windows&PCs&at&the&moment,&plans&to& expand&to&OSX&then&Linux&hosts • Keyboard/Mouse&is&generic •
Payload&is&platform&dependent • Powershell • Available&on&most&Windows&workstations • C#&API&available • P/Invoke&CreateFile,&ShowWindowAsync • Staged&approach • Can&avoid&touching&disk&for&the&most&part • Excludes&P/Invoke8d&function&definitions&above!
16.
Payload*Stages • Stage&1&(PowerShell&typed&via&the&keyboard) • Optimised
for&size • Open&device • Read&Stage&2 • Clear8History • Hide! • Stage&2&(PowerShell&read&from&device) • Arbitrary&complexity
17.
Stage*2*payload*examples • CMD.exe • TCP&Listener/Relay/Proxy •
Enables&existing&network8based&exploits • Localhost8only&avoids&firewalls/alerts • Metasploit • Currently&being&redirected&through&the&proxy • Can&use&arbitrary&msf payloads;&meterpreter,&cmd,&vnc etc. • Purpose8built&payloads • Knows&how&to&access&the&USB&device&directly • Future&development&for&meterpreter
18.
Difficulties*experienced • Programming&errors&on&the&ESP8266&result&in& reboots,&any&debug&logs&disappear! • Flow&control •
TCP&is&much%faster&than&the&UART,&and&ESP8266&triggers& watchdog&to&reboot&if&you&take&too&long&to&process&the& data.&We&had&to&rewrite&the&ESP8Link&TCP&handlers&to& support&“resume8able”&processing&of&data • UART&is&faster&than&the&Keyboard • HID&interrupt&transfers&occur®ardless&of&a&read() • Disappearing&UART&interrupts • Data&received&by&the&ESP8266&would&get&stuck&in&the& UART&FIFO
19.
Demonstrations • We’ll&provide&a&demo&of&the&toolset&in&the&talk. • The&software&will&be&released&at&Defcon
at: • https://github.com/sensepost/USaBUSe
20.
Contacts • Rogan&Dawes • rogan@sensepost.com •
@rogandawes • Dominic&White • dominic@sensepost.com • @singe
Download now