Hacking the future with USB HID
Nikhil “SamratAshok” Mittal
Hacker
About Me
• SamratAshok
• Twitter - @nikhil_mitt
• Blog – http://labofapenetrationtester.blogspot.com
• Creator of Kautilya, Mareech and Nishang
• Interested in Offensive Information Security, new attack
  vectors and methodologies to pwn systems.
• Previous Talks
    • Clubhack’10, Hackfest’11, Clubhack’11, Black Hat Abu
      Dhabi’11, Black Hat Europe’12, Troopers’12, PHDays’12, Black
      Hat USA’12
• Upcoming Talks
    • Talk at EUSecWest’12
    • Training at GrrCON’12
Agenda
• Human Interface Devices
• Using HIDs in Penetration Tests
• HID of choice – Teensy++
• How we will use Teensy++?
• Windows Family
• Mac OS X Family
• Kautilya
• Attacks Demo (on Windows 8 and Mountain Lion)
• Comparison
• Future of Attacks
• Limitations
• Defense
• Conclusion
A typical Pen Test Scenario

• A client engagement comes with IP addresses.
• We need to complete the assignment in a very
  restrictive time frame.
• Pressure is on us to deliver a “good” report with
  some high severity findings (that “High” rating
  inside a red coloured box).
How the threats are Tested

[Flow diagram: Vuln Scan → Exploit → Report]

• This is a best-case scenario.
• Only the lucky ones find that.
• Generally legacy Enterprise Applications or
  Business Critical applications are not upgraded
  and are the first targets.
• There is almost no fun doing it that way.
Some of us do it better

[Flow diagram: Enum → Scan → Exploit → Report]

Some of us do it even better

[Flow diagram: Enum + Intel → Scan → Exploit → Post Exp → Report]
Why do we need to exploit?
• To gain access to the systems.
• This shows the real threat to clients: that we can
  actually make an impact on their business. No
  more “so-what” ☺
• We can create reports with “High” Severity
  findings, which bring $$$
What do we exploit?
• Memory Corruption bugs.
    • Server side
    • Client side
• Mis-configurations
• Open file shares.
• Sticky slips.
• Man In The Middle (many types)
• Unsecured Dumpsters
• Humans
• <Audience>
Worse Scenario
• Many times we get some vulnerabilities but can’t
  exploit them.
    • No public exploits available.
    • Not allowed on the system.
    • Countermeasure blocking it.
    • Exploit completed but no session was generated :P
Worst Scenario
• Hardened Systems
• Patches in place
• Countermeasures blocking scans and exploits
• Security incident monitoring and blocking
• No network access

• We need alternatives.
Need for new methods to break into systems

• Breaking into systems is not as easy as it is done in
  the movies.
• Those defending the systems have become
  smarter and it is getting harder to break into
  “secured” environments.
• Everyone is breaking into systems using the
  older ways; you need new ways to do it better.
Human Interface Devices
• Wikipedia – “A human interface device or HID is
  a type of computer device that interacts directly
  with, and most often takes input from, humans
  and may deliver output to humans.”
• Mice, keyboards and joysticks are the most
  common HIDs.
• What could go wrong?
Using HIDs in Penetration Tests
• Human Interface Devices are trusted by
  Operating Systems.
• Countermeasures like Anti Virus do not care about
  such devices.
• The way we use it, using a HID for offensive
  security is equivalent to sitting in front of the
  target system as a user.
• The attack scenarios are large in number and
  may have severe impact.
HID of choice – Teensy++
• A USB micro-controller device from pjrc.com
• Storage of about 130 KB.
• We will use Teensy++, which is an updated
  version of Teensy.
• A cheap device, costs only $24.
• It uses an Atmel based processor.
HID of choice – Teensy++
• It could be used as a Keyboard/Mouse/Joystick.
• The device is easily programmable using C or C-like
  syntax in the Arduino Development Environment
  with the Teensyduino plugin.
• The device works with many Operating Systems.
• It is small in size.
How we will use Teensy++?
• As a programmable keyboard.
• We will program the device to do a defined set of
  activities when it is connected to a system.
• We will utilise the privileges of the currently
  logged in user and any higher privileges
  accessible to that user.
• The aim is to mimic a user sitting in front of the
  target.
Windows Family
• A user is notified when a new device is
  connected.
• It takes 20-25 seconds while the driver for the
  device gets loaded.
• A device can type really fast on a Windows
  machine thanks to the large USB keyboard buffer of
  Windows.
• If PowerShell is used, some really powerful
  things can be done.
OS X Family
• A user is not notified if a USB device is
  connected.
• It takes 10-15 seconds while the device is
  detected and loaded.
• The device cannot type very fast.
• Built-in scripting languages make payloads
  powerful.
Kautilya
• It is a toolkit which aims to make HIDs more
  useful in Penetration Tests.
• Named after Chanakya a.k.a. Kautilya.
• Written in Ruby.
• It’s a menu-driven program which lets users select
  and customize payloads.
• Aims to make HIDs part of every Penetration
  tester’s tool chest.
• Contains payloads for Windows, Linux and OS X.
Payloads in Kautilya

• Payloads are tested on Teensy without an SD Card.
• Pastebin is extensively used for uploads and
  downloads.
• Payloads are commands, PowerShell scripts or a
  combination of both.
• Payload execution depends on the privilege of the user
  logged in when the device is plugged in.
Attacks Demo
(on Windows 8 and Mountain Lion)

• Let us have a look at three attacks on both:
    • Download and execute shellcode.
    • Reverse shell using built-in features.
    • DNS TXT Code Execution.
Comparison

Attribute                     | Windows 8                                   | Mac OS X Mountain Lion
------------------------------|---------------------------------------------|------------------------------------------
Detection or blocking of      | Shows a balloon. Easy to prevent            | No information to the user.
USB HIDs                      | installation of removable devices using     | Not easy to block a device.
                              | Group Policies.                             |
------------------------------|---------------------------------------------|------------------------------------------
Response to a very fast       | Possible to send input really fast.         | Delays must be introduced between the
keyboard input                |                                             | keyboard inputs.
------------------------------|---------------------------------------------|------------------------------------------
Trust on end user (as we      | For sensitive functions a UAC prompt        | sudo is required for sensitive
are simulating one)           | is shown.                                   | functions.
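The table's timing row can be turned around for detection: a keyboard that never pauses between keys is not a person. The function below is an added example (not code from the talk or from Kautilya) that scans key-down timestamps for sustained runs faster than human typing; the 15 ms threshold, the 12-key minimum run length and the sample timestamps are all constructed assumptions.

```powershell
# Added example: flag keystroke bursts whose inter-key timing is faster than a
# person can type. Input is an array of key-down timestamps in milliseconds,
# as a keyboard hook or an endpoint agent would record them.
function Find-ScriptedTypingBursts {
    param(
        [Parameter(Mandatory)][double[]]$KeyDownMs,
        [double]$MaxHumanIntervalMs = 15,   # assumption: sustained gaps under 15 ms are not human
        [int]$MinBurstLength = 12           # assumption: shorter runs are ignored to limit false positives
    )
    $bursts = @()
    $runStart = 0                           # index where the current fast run began
    for ($i = 1; $i -le $KeyDownMs.Count; $i++) {
        # The run continues while the gap to the previous key stays under the threshold;
        # $i -eq Count is a sentinel that closes the final run.
        $inBurst = ($i -lt $KeyDownMs.Count) -and
                   (($KeyDownMs[$i] - $KeyDownMs[$i - 1]) -le $MaxHumanIntervalMs)
        if (-not $inBurst) {
            $runLength = $i - $runStart
            if ($runLength -ge $MinBurstLength) {
                $bursts += [pscustomobject]@{
                    StartMs   = $KeyDownMs[$runStart]
                    EndMs     = $KeyDownMs[$i - 1]
                    Keys      = $runLength
                    MeanGapMs = [math]::Round(($KeyDownMs[$i - 1] - $KeyDownMs[$runStart]) / ($runLength - 1), 2)
                }
            }
            $runStart = $i
        }
    }
    return $bursts
}

# Constructed sample: a person typing (120-250 ms between keys), then 40 keys
# 5 ms apart (the "really fast" Windows case from the table), then a person again.
$t = 0.0
$sample = @()
foreach ($gap in (1..10 | ForEach-Object { Get-Random -Minimum 120 -Maximum 250 })) { $t += $gap; $sample += $t }
1..40 | ForEach-Object { $t += 5; $sample += $t }
foreach ($gap in (1..10 | ForEach-Object { Get-Random -Minimum 120 -Maximum 250 })) { $t += $gap; $sample += $t }

# Expect exactly one burst of 40 keys with a mean gap of 5 ms.
Find-ScriptedTypingBursts -KeyDownMs $sample | Format-Table -AutoSize
```

On OS X the same check still applies; the table only says the delays must be larger there, so the threshold is the tunable part.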
Pen Test Stories
Library Fun

• Internal PT for a large media house.
• Access to the network was quite restrictive.
• The desktops at the library were left unattended
  many times.
• Teensy was plugged into one system with a
  sethc and utilman backdoor.
• Later in the evening the system was accessed
  and pwnage ensued.
Pen Test Stories
Breaking the perimeter

• A telecom company.
• A perimeter check for the firm was to be done.
• The Wireless rogue AP payload was used and
  Teensy was sold to the client’s employees during
  lunch hours.
• Within a couple of hours, we got a wireless
  network ready with an administrative user and a
  bind shell.
Pen Test Stories
Help by the Helpdesk
• A pharma company.
• A user’s data card was replaced with a Teensy
  inside the data card’s cover.
• The payload selected was Keylogger.
• The “data card” obviously didn’t work and multiple
  keyloggers were installed, for the user and the
  helpdesk.
• Helpdesk guys had access to almost everything
  in the environment and, over a workday, it was
  over.
Limitations with Teensy
• Limited storage in Teensy. Resolved if you
  attach an SD card to the Teensy.
• Inability to “read” from the system. You have to
  assume the responses of the victim OS and there is
  only one-way traffic.
• Inability to clear itself after a single run.
Limitations with Kautilya
• Many payloads need Administrative privilege.
• Lots of traffic to and from pastebin.
• Sometimes payloads are not stable.
• For payloads which use executables you need to
  manually convert them and paste them to
  pastebin.
Future of Attacks
• Improvement in current payloads.
• Use some payloads as libraries so that they can
  be reused.
• More payloads for non-Windows platforms.
• Implementation of newer payloads.
• Reliable user activity detection.
Defence
• For Windows systems, use Group Policy to
  “Prevent Installation of Removable Devices”.
• For Mac OS X, udev rules may be used.
• The best defence is to physically block USB ports or
  lock the existing devices to the ports.
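An added audit script for the Windows defence above (not from the talk or from Kautilya). It assumes an elevated PowerShell on Windows 10 or later, where Get-PnpDevice is available, and reads the registry value that the “Prevent installation of removable devices” policy sets; the 24-hour look-back is an arbitrary choice.

```powershell
# Added example: check whether the Group Policy the talk recommends is in force,
# list the keyboard-class devices the OS has already trusted, and pull recent
# device-install events for USB/HID hardware.

# Group Policy stores "Prevent installation of removable devices" as
# DenyRemovableDevices = 1 under this key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$deny = (Get-ItemProperty -Path $policyKey -Name DenyRemovableDevices -ErrorAction SilentlyContinue).DenyRemovableDevices
if ($deny -eq 1) {
    Write-Host 'Removable device installation: BLOCKED by policy'
} else {
    Write-Host 'Removable device installation: ALLOWED (policy not set)'
}

# Every keyboard-class device currently present and working. A desktop that
# should have one keyboard but shows a second USB/HID keyboard deserves a look.
$keyboards = @(Get-PnpDevice -Class Keyboard -Status OK -ErrorAction SilentlyContinue)
$keyboards | Select-Object FriendlyName, InstanceId | Format-Table -AutoSize
$usbKeyboards = @($keyboards | Where-Object { $_.InstanceId -like 'HID\VID_*' -or $_.InstanceId -like 'USB\*' })
Write-Host ('Keyboards present: {0}, of which USB/HID: {1}' -f $keyboards.Count, $usbKeyboards.Count)

# Kernel-PnP logs event 400 ("configured") and 410 ("started") to the System log
# when a device is installed; this is the trace a plugged-in HID leaves behind.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-PnP'
        Id           = 400, 410
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'HID\\' -or $_.Message -match 'USB\\VID_' } |
    Select-Object TimeCreated, Id, @{ n = 'Device'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Forwarding those two event IDs to a central log, with the number of keyboards present on each host, gives a detection for the Windows column of the comparison table even where the policy cannot be enforced.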
Conclusion
• USB HID attacks are real threats and are here to
  stay.
• This is because the Operating System trusts itself
  and its users.
• Security ends with trust.
Thank You
• Questions?
• Insults?
• Feedback?

• Kautilya is available at
  http://code.google.com/p/kautilya/
• Follow me @nikhil_mitt
• http://labofapenetrationtester.blogspot.com/

More Related Content

What's hot

Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute force
vishalgohel12195
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
n|u - The Open Security Community
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
Security in Windows operating system
Security in Windows operating systemSecurity in Windows operating system
Security in Windows operating system
abdullah roomi
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
Mike Felch
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
👀 Joe Gray
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
OWASP Delhi
 
Purple team is awesome
Purple team is awesomePurple team is awesome
Purple team is awesome
Sumedt Jitpukdebodin
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration Testing
Cheah Eng Soon
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
btpsec
 

What's hot (20)

Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute force
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Security in Windows operating system
Security in Windows operating systemSecurity in Windows operating system
Security in Windows operating system
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
Sql injection
Sql injectionSql injection
Sql injection
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
Purple team is awesome
Purple team is awesomePurple team is awesome
Purple team is awesome
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration Testing
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
 

Viewers also liked

Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
Nikhil Mittal
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
Nikhil Mittal
 
Conceitos Ae
Conceitos AeConceitos Ae
Conceitos Ae
Fernando Botafogo
 
Ae rio 2011 prof. courtnay- publico
Ae rio 2011   prof. courtnay- publicoAe rio 2011   prof. courtnay- publico
Ae rio 2011 prof. courtnay- publico
Fernando Botafogo
 
AE Rio 2011 - Arquitetura da InformaçÃŖo organizacional
AE Rio 2011 - Arquitetura da InformaçÃŖo organizacionalAE Rio 2011 - Arquitetura da InformaçÃŖo organizacional
AE Rio 2011 - Arquitetura da InformaçÃŖo organizacional
Fernando Botafogo
 
Arquitetura.corporativa
Arquitetura.corporativaArquitetura.corporativa
Arquitetura.corporativa
Evolve GestÃŖo Empresarial
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friends
Nikhil Mittal
 
Aula 1. arquitetura organizacional.pptm
Aula 1.   arquitetura organizacional.pptmAula 1.   arquitetura organizacional.pptm
Aula 1. arquitetura organizacional.pptmClaudio Parra
 
Proposta de um Processo de Arquitetura Corporativa (Enterprise Architecture)
Proposta de um Processo de Arquitetura Corporativa (Enterprise Architecture)Proposta de um Processo de Arquitetura Corporativa (Enterprise Architecture)
Proposta de um Processo de Arquitetura Corporativa (Enterprise Architecture)
Rafael Targino
 
Governança da Arquitetura Corporativa
Governança da Arquitetura CorporativaGovernança da Arquitetura Corporativa
Governança da Arquitetura Corporativa
Marcelo SÃĄvio
 
Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a Boss
Nikhil Mittal
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
Nikhil Mittal
 

Viewers also liked (12)

Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
Conceitos Ae
Conceitos AeConceitos Ae
Conceitos Ae
 
Ae rio 2011 prof. courtnay- publico
Ae rio 2011   prof. courtnay- publicoAe rio 2011   prof. courtnay- publico
Ae rio 2011 prof. courtnay- publico
 
AE Rio 2011 - Arquitetura da InformaçÃŖo organizacional
AE Rio 2011 - Arquitetura da InformaçÃŖo organizacionalAE Rio 2011 - Arquitetura da InformaçÃŖo organizacional
AE Rio 2011 - Arquitetura da InformaçÃŖo organizacional
 
Arquitetura.corporativa
Arquitetura.corporativaArquitetura.corporativa
Arquitetura.corporativa
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friends
 
Aula 1. arquitetura organizacional.pptm
Aula 1.   arquitetura organizacional.pptmAula 1.   arquitetura organizacional.pptm
Aula 1. arquitetura organizacional.pptm
 
Proposta de um Processo de Arquitetura Corporativa (Enterprise Architecture)
Proposta de um Processo de Arquitetura Corporativa (Enterprise Architecture)Proposta de um Processo de Arquitetura Corporativa (Enterprise Architecture)
Proposta de um Processo de Arquitetura Corporativa (Enterprise Architecture)
 
Governança da Arquitetura Corporativa
Governança da Arquitetura CorporativaGovernança da Arquitetura Corporativa
Governança da Arquitetura Corporativa
 
Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a Boss
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
 

Similar to Hacking the future with USB HID

Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
Nikhil Mittal
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using Kautilya
Nikhil Mittal
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
Nikhil Mittal
 
Mere Paas Teensy Hai (Nikhil Mittal)
Mere Paas Teensy Hai (Nikhil Mittal)Mere Paas Teensy Hai (Nikhil Mittal)
Mere Paas Teensy Hai (Nikhil Mittal)
ClubHack
 
Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)
Hackfest Communication
 
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
AI Frontiers
 
The Media Access Control Address
The Media Access Control AddressThe Media Access Control Address
The Media Access Control Address
Angie Lee
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primer
amiable_indian
 
Derby con 2014
Derby con 2014Derby con 2014
Derby con 2014
TonikJDK
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
Mario Heiderich
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 
Avoid embarrassing press by designing secure IoT products with Misha Seltzer
Avoid embarrassing press by designing secure IoT products with Misha SeltzerAvoid embarrassing press by designing secure IoT products with Misha Seltzer
Avoid embarrassing press by designing secure IoT products with Misha Seltzer
Product of Things
 
A pinguin as a bouncer... Open Source Security Solutions
A pinguin as a bouncer... Open Source Security SolutionsA pinguin as a bouncer... Open Source Security Solutions
A pinguin as a bouncer... Open Source Security Solutions
B.A.
 
Cyber Security and GDPR Made Easy
Cyber Security and GDPR Made EasyCyber Security and GDPR Made Easy
Cyber Security and GDPR Made Easy
ChristoanSmit
 
Rootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise DetectionRootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise Detection
amiable_indian
 
Building Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal DevicesBuilding Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal Devices
Javier GonzÃĄlez
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 
Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.
Alexander Kot
 
amrapali builders @@hacking printers.pdf
amrapali builders @@hacking printers.pdfamrapali builders @@hacking printers.pdf
amrapali builders @@hacking printers.pdf
amrapalibuildersreviews
 
IoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 finalIoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 final
Frank Siepmann
 

Similar to Hacking the future with USB HID (20)

Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using Kautilya
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
 
Mere Paas Teensy Hai (Nikhil Mittal)
Mere Paas Teensy Hai (Nikhil Mittal)Mere Paas Teensy Hai (Nikhil Mittal)
Mere Paas Teensy Hai (Nikhil Mittal)
 
Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)
 
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
 
The Media Access Control Address
The Media Access Control AddressThe Media Access Control Address
The Media Access Control Address
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primer
 
Derby con 2014
Derby con 2014Derby con 2014
Derby con 2014
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
Avoid embarrassing press by designing secure IoT products with Misha Seltzer
Avoid embarrassing press by designing secure IoT products with Misha SeltzerAvoid embarrassing press by designing secure IoT products with Misha Seltzer
Avoid embarrassing press by designing secure IoT products with Misha Seltzer
 
A pinguin as a bouncer... Open Source Security Solutions
A pinguin as a bouncer... Open Source Security SolutionsA pinguin as a bouncer... Open Source Security Solutions
A pinguin as a bouncer... Open Source Security Solutions
 
Cyber Security and GDPR Made Easy
Cyber Security and GDPR Made EasyCyber Security and GDPR Made Easy
Cyber Security and GDPR Made Easy
 
Rootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise DetectionRootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise Detection
 
Building Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal DevicesBuilding Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal Devices
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.
 
amrapali builders @@hacking printers.pdf
amrapali builders @@hacking printers.pdfamrapali builders @@hacking printers.pdf
amrapali builders @@hacking printers.pdf
 
IoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 finalIoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 final
 

More from Nikhil Mittal

RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
Nikhil Mittal
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
Nikhil Mittal
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
Nikhil Mittal
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
Nikhil Mittal
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
Nikhil Mittal
 

More from Nikhil Mittal (6)

RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
 

Hacking the future with USB HID

  • 2. Hacking the future with USB HID Nikhil “SamratAshok” Mittal Hacker Session ID: Session Classification:
  • 3. About Me ī‚§ SamratAshok ī‚§ Twitter - @nikhil_mitt ī‚§ Blog – http://labofapenetrationtester.blogspot.com ī‚§ Creator of Kautilya, Mareech and Nishang ī‚§ Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems. ī‚§ Previous Talks ī‚§ Clubhack’10, Hackfest’11, Clubhack’11, Black hat Abu Dhabi’11, Black Hat Europe’12, Troopers’12, PHDays’12, Black Hat USA’12 ī‚§ Upcoming Talks ī‚§ Talk at EUSecWest’12 ī‚§ Training at GrrCON’12
  • 4. Agenda ī‚§ Human Interface Devices ī‚§ Using HIDs in Penetration Tests ī‚§ HID of choice – Teensy++ ī‚§ How we will use Teensy++? ī‚§ Windows Family ī‚§ Mac OS X Family ī‚§ Kautilya ī‚§ Attacks Demo (on Windows 8 and Mountain Lion ) ī‚§ Comparison ī‚§ Future of Attacks ī‚§ Limitation ī‚§ Defense ī‚§ Conclusion 4
  • 5. A typical Pen Test Scenario ī‚§ A client engagement comes with IP addresses. ī‚§ We need to complete the assignment in very restrictive time frame. ī‚§ Pressure is on us to deliver a “good” report with some high severity findings. (That “High” return inside a red colored box)
  • 6. How the threats are Tested Vuln Exploit Report Scan
  • 7. ī‚§ This is a best case scenario. ī‚§ Only lucky ones find that. ī‚§ Generally legacy Enterprise Applications or Business Critical applications are not upgraded and are the first targets. ī‚§ There is almost no fun doing it that way.
  • 8. Some of us do it better Enum Scan Exploit Report
  • 9. Some of us do it even better Enum Post + Scan Exploit Report Exp Intel
  • 10. Why do we need to exploit?
    • To gain access to the systems.
    • This shows the real threat to clients: that we can actually make an impact on their business. No more “so-what” ☺
    • We can create reports with “High” severity findings, which bring $$$
  • 11. What do we exploit?
    • Memory corruption bugs.
      • Server side
      • Client side
    • Mis-configurations
    • Open file shares.
    • Sticky slips.
    • Man In The Middle (many types)
    • Unsecured dumpsters
    • Humans
    • <Audience>
  • 12. Worse Scenario
    • Many times we get some vulnerabilities but can’t exploit them.
    • No public exploits available.
    • Not allowed on the system.
    • Countermeasure blocking it.
    • Exploit completed but no session was generated :P
  • 13. Worst Scenario
    • Hardened systems
    • Patches in place
    • Countermeasures blocking scans and exploits
    • Security incident monitoring and blocking
    • No network access
    • We need alternatives.
  • 14. Need for new methods to break into systems
    • Breaking into systems is not as easy as it is done in the movies.
    • Those defending the systems have become smarter and it is getting harder to break into “secured” environments.
    • Everyone is breaking into systems using the older ways; you need new ways to do it better.
  • 15. Human Interface Devices
    • Wikipedia – “A human interface device or HID is a type of computer device that interacts directly with, and most often takes input from, humans and may deliver output to humans.”
    • Mice, keyboards and joysticks are the most common HIDs.
    • What could go wrong?
  • 16. Using HIDs in Penetration Tests
    • Human Interface Devices are trusted by Operating Systems.
    • Countermeasures like Anti Virus do not care about such devices.
    • The way we use it, using a HID for offensive security is equivalent to sitting in front of the target system as a user.
    • The attack scenarios are large in number and may have severe impact.
  • 17. HID of choice – Teensy++
    • A USB micro-controller device from pjrc.com
    • Storage of about 130 KB.
    • We will use Teensy++, which is an updated version of Teensy.
    • A cheap device, costs only $24.
    • It uses an Atmel based processor.
  • 18. HID of choice – Teensy++
    • It could be used as a Keyboard/Mouse/Joystick.
    • The device is easily programmable using C or C-like syntax in the Arduino Development Environment with the Teensyduino plugin.
    • The device works with many Operating Systems.
    • It is small in size.
  • 19. How we will use Teensy++?
    • As a programmable keyboard.
    • We will program the device to do a defined set of activities when it is connected to a system.
    • We will utilise the privileges of the currently logged in user and any higher privileges accessible to that user.
    • The aim is to mimic a user sitting in front of the target.
  • 20. Windows Family
    • A user is notified when a new device is connected.
    • It takes 20-25 seconds for the driver for the device to load.
    • A device can type really fast on a Windows machine thanks to the large USB keyboard buffer of Windows.
    • If PowerShell is used, some really powerful things can be done.
  • 21. OS X Family
    • A user is not notified when a USB device is connected.
    • It takes 10-15 seconds for the device to be detected and loaded.
    • The device cannot type very fast.
    • Built-in scripting languages make payloads powerful.
  • 22. Kautilya
    • It is a toolkit which aims to make HIDs more useful in Penetration Tests.
    • Named after Chanakya a.k.a. Kautilya.
    • Written in Ruby.
    • It’s a menu driven program which lets users select and customize payloads.
    • Aims to make HIDs part of every Penetration tester’s tool chest.
    • Contains payloads for Windows, Linux and OS X.
  • 23. Payloads in Kautilya
    • Payloads are tested on Teensy without an SD Card.
    • Pastebin is extensively used for uploads and downloads.
    • Payloads are commands, PowerShell scripts or a combination of both.
    • Payload execution depends on the privilege of the user logged in when the device is plugged in.
  • 24. Attacks Demo (on Windows 8 and Mountain Lion)
    • Let us have a look at three attacks on both:
      • Download and execute shellcode.
      • Reverse shell using built-in features.
      • DNS TXT code execution.
  • 25. Comparison
    • Detection or blocking of USB HIDs
      • Windows 8: Shows a balloon. Easy to prevent installation of removable devices using Group policies.
      • Mac OS X Mountain Lion: No information to user. Not easy to block a device.
    • Response to a very fast keyboard input
      • Windows 8: Possible to send input really fast.
      • Mac OS X Mountain Lion: Delays must be introduced between the keyboard inputs.
    • Trust on end user (as we are simulating one)
      • Windows 8: For sensitive functions a UAC prompt is shown.
      • Mac OS X Mountain Lion: Sudo is required for sensitive functions.
  • 26. Pen Test Stories: Library Fun
    • Internal PT for a large media house.
    • The access to the network was quite restrictive.
    • The desktops at the Library were left unattended many times.
    • Teensy was plugged into one system with a sethc and utilman backdoor.
    • Later in the evening the system was accessed and pwnage ensued.
  • 27. Pen Test Stories: Breaking the perimeter
    • A telecom company.
    • A perimeter check for the firm was to be done.
    • The Wireless rogue AP payload was used and Teensy was sold to the client’s employees during lunch hours.
    • Within a couple of hours, we got a wireless network ready with an administrative user and a bind shell.
  • 28. Pen Test Stories: Help by the Helpdesk
    • A pharma company.
    • A user’s data card was replaced with a Teensy inside the data card’s cover.
    • The payload selected was Keylogger.
    • The “Data card” obviously didn’t work and multiple keyloggers were installed, for the user and the helpdesk.
    • Helpdesk guys had access to almost everything in the environment and over a workday, it was over.
  • 29. Limitations with Teensy
    • Limited storage in Teensy. Resolved if you attach an SD card to Teensy.
    • Inability to “read” from the system. You have to assume the responses of the victim OS and there is only one-way traffic.
    • Inability to clear itself after a single run.
  • 30. Limitations with Kautilya
    • Many payloads need Administrative privilege.
    • Lots of traffic to and from pastebin.
    • Sometimes payloads are not stable.
    • For payloads which use executables you need to manually convert and paste them to pastebin.
  • 31. Future of Attacks
    • Improvement in current payloads.
    • Use some payloads as libraries so that they can be reused.
    • More payloads for non-Windows platforms.
    • Implementation of newer payloads.
    • Reliable user activity detection.
  • 32. Defence
    • For Windows systems, use Group Policy to “Prevent Installation of Removable Devices”.
    • For Mac OS X, udev rules may be used.
    • The best defence is to physically block USB ports or lock the existing devices to the ports.
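The comparison slide's typing-speed row and the defence slide together suggest a host-side detection that does not depend on blocking the device: a keyboard whose inter-key gaps are consistently shorter than a person can produce is scripted input, which is exactly what a Teensy acting as a keyboard looks like on Windows. The following is an added Python example, not code from the talk or from Kautilya; it assumes a per-keystroke event log of the form "timestamp,device_id,key" such as a host agent could produce, and the 30 ms threshold, window size and sample log are constructed for the example.

```python
"""Flag keyboard input arriving faster than a human can type (added example,
not code from the talk or Kautilya). Assumes a per-keystroke host log with
lines "timestamp,device_id,key"; threshold and sample log are constructed."""
from statistics import median

HUMAN_MIN_INTERVAL = 0.030  # 30 ms: sustained faster typing is not a human
WINDOW = 20                 # keystrokes evaluated per window

def parse_log(lines):
    """Parse "ts,device,key" lines into (float ts, device, key) tuples."""
    events = []
    for line in lines:
        ts, device, key = line.strip().split(",", 2)
        events.append((float(ts), device, key))
    return events

def suspicious_windows(events, min_interval=HUMAN_MIN_INTERVAL, window=WINDOW):
    """Return (device, start_ts, end_ts, keys_per_second) for every window of
    `window` keystrokes from one device whose median inter-key gap is below
    min_interval. Using the median means a few slow keys inside a burst do
    not hide it, and a few fast keys from a person do not raise an alert."""
    stamps_by_device = {}
    for ts, device, _key in events:
        stamps_by_device.setdefault(device, []).append(ts)
    alerts = []
    for device, stamps in stamps_by_device.items():
        stamps.sort()
        for start in range(0, len(stamps) - window + 1, window):
            chunk = stamps[start:start + window]
            gaps = [b - a for a, b in zip(chunk, chunk[1:])]
            if median(gaps) < min_interval:
                span = chunk[-1] - chunk[0]
                rate = (len(chunk) - 1) / span if span > 0 else float("inf")
                alerts.append((device, chunk[0], chunk[-1], round(rate, 1)))
    return alerts

def build_sample_log():
    """Constructed log: a person typing at ~7 keys/s on kbd0, then a second
    keyboard (kbd1) bursting a command line out at ~125 keys/s."""
    lines = [f"{i * 0.150:.3f},kbd0,{chr(97 + i % 26)}" for i in range(40)]
    lines += [f"{10 + i * 0.008:.3f},kbd1,x" for i in range(40)]
    return lines

if __name__ == "__main__":
    for alert in suspicious_windows(parse_log(build_sample_log())):
        print("scripted keyboard input suspected:", alert)
```

On OS X, where the slides note that a device must insert delays between keystrokes, the threshold has to be tuned per platform and this check is correspondingly weaker, so it complements rather than replaces the device-installation policy above.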
  • 33. Conclusion
    • USB HID attacks are real threats and are here to stay.
    • This is because the Operating System trusts itself and its users.
    • Security ends with trust.
  • 34. Thank You
    • Questions?
    • Insults?
    • Feedback?
    • Kautilya is available at http://code.google.com/p/kautilya/
    • Follow me @nikhil_mitt
    • http://labofapenetrationtester.blogspot.com/