Wednesday, May 23, 2012

Teensy USB HID for Penetration Testers - Part 4 - Kautilya

In third part of this series, we discussed how to write sketches using Arduino and Teensyduino. In this part, let's have a look at Kautilya. Kautilya is a toolkit written by me which helps in easing usage of Teensy in a penetration test. It is named after the famous Indian strategist, economist and political scientist Chankaya (Kautilya is one of his alias).  I will touch some less complex payload of Kautilya in this post.

Kautilya has a menu driven UI which could be used to generate sketches without a need of knowing how to program a Teensy device. The toolkit is written in Ruby and is free and open source. It currently contains payloads for Windows 7 and Linux (tested on Ubuntu 11). Kautilya is specifically designed to support Teensy out of the box, there is absolutely no modification required to the hardware.My motive behind writing Kautilya is to bring Teensy to masses. During my talks about Kautilya and Teensy I observed that often Pen Testers do not have enough time to program a device for their usage. Payloads in Kautilya could be used for pre exploitation and post exploitation tasks other than the “usual” popping of shells. 

The process of writing payloads for a Windows 7 machine could be summed up as:

  1. Understand the operating system in terms of USB buffer.
  2. Understand the commands supported and learn to write powershell or/and vbs.
  3. Recognize the built-in security measures (like UAC and powershell script execution policy) which may check privileged commands and then learn how to bypass them.
  4. Understand the time taken by operating system in completing various commands.
  5. Write the commands and scripts on Teensy.
  6. Understand more quirks of the command line when Teensy types out thing on victim.
  7. Try not to be too noisy on the victim.
  8. Test the payload and reach to final reasonable sketch.
  9. Compile the sketch to Teensy device.
  10. Attach it to the victim machine actively or using Social Engineering.
  11. Enjoy the pwnage!
(Next few lines may look like self promotion ;) )

Kautilya automates steps 1-8 for you. Using Kautilya you just need to:
  1. Select a payload and select your options. A sketch (a .ino or .pde file) would be generated for you.
  2. Compile the sketch to Teensy device.
  3. Attach it to the victim machine actively or using Social Engineering.
  4. Enjoy the pwnage!
A screenshot of Kautilya 0.2.2
Kautilya is tested on Ruby 1.9.2. It requires ruby gems "colored" and "highline".

Let's have a look at some of the payloads for Windows in Kautilya. All the payloads are tested on a default install of Windows 7.

Add a user and Enable RDP
This payload adds an admin user to the victim. It also, enables and starts Terminal Service on the victim. An exception to Windows firewall is also added. This payload requires a user to be logged in with admin privileges.


The generated payload just needs to be compiled to a Teensy++. The device could then be connected to the victim. The victim will see start menu open up, some cmd being type and then a very small cmd window which type dark blue on black will do evil stuff for us...muhahaha



Let's have a look at the source code for better understanding. Many payloads in Kautilya are similar in structure to this one.


Download and Execute
This payload downloads an executable stored in text format from pastebin (or any other service which allows hosting of text without formatting), converts it back to exe on the victim and executes it in background. The exe must be converted into hex format using script exetotext.ps1 in extras folder of Kautilya. This script is originally an idea of Matt of Exploit-Monday blog.



In the above example, a windows reverse meterpreter is pasted to pastebin and the url is provided in the option.This payload could be used even with a low privilege user.

Forceful Browsing
This payload opens up a hidden instance of Internet Explorer using a COM obbject of Internet Explorer and browses to the provided URL. An ideal use case could be hosting an exploit of msf  or a hook of BeEF  on the given URL. This payload is one of my favorites as it is able to get executed on a normal user (non administrative) privilege and is very silent.

Sethc and Utilman Backdoor
This payload utilizes a useful hack in the Windows OS family. On a locked system, if you press Shift key five times (or Left Ctrl + Left Shift + Prnt Scr) i.e. sticky keys, sethc.exe is executed with SYSTEM level privileges. In a similar way, if Window key +U is pressed, utilmanager (which is utilman.exe ) is launched with SYSTEM privs. This payload attaches a an executable present on the machine as a debugger to sethc.exe and utilman.exe. The attahced executables can then be executed with SYSTEM level privileges on a locked Windows machine.


We had a look at some less complex payloads of Kautilya. In the next post (or posts) I will explain some more complex and powerful payloads. At least one post will cover breaking Linux (Ubuntu11) too.

I am thinking of creating some small videos demonstrating few payloads but only if some people ask for it ;) Please let me know if the length of blog posts is ok. Feedback and comments are welcome.

22 comments:

  1. This was interesting enough to get me to order a Teensy++ within minutes of reading this post and a bit of the Kautilya project pages. :-)

    So far it's been quite fun playing around with it, and brainstorming new uses and payloads as a result of you getting the creative juices flowing. Thanks for that!

    ReplyDelete
  2. Nice work Nikhil!

    I've got a question though. We've also played around with Teensy devices and noticed that it's quite difficult to figure out the delay between commands. If you wait too long, the user will most probably close the command shell or focus another window. If you paste the command lines too quickly, they often get lost because the previous command has not finished yet. Did you find any solution for that?

    Besides, I saw that you're using Alt+y to overcome UAC. You should use LeftArrow-Enter instead, as Alt+y will only work on English versions of Windows (e.g. for German it's Alt+j).

    Best,
    Paul

    ReplyDelete
  3. Thanks Paul.

    No. Unfortunately, I have not figured out a way to guess the delay more accurately. I think we have to live with best guess right now.

    Yes, using Left-Arrow Enter is a nice idea. In fact, I faced the same problem here today at PHDays in Russia. Thanks!!

    ReplyDelete
  4. Hi!

    Is there any way to speedup the first time driver install process? Or is there any way to trigger the teensy ufter windows driver installation without using the big delay at the beginning of the teensy's code?

    thanks!

    ReplyDelete
    Replies
    1. AFAIK, you have to use the large delay to wait for the installation process.

      Delete
  5. Is there any way to use known or default drivers, like default keyboard driver? It takes 5 second to setup flash drive and almost 2 minutes to instal teensy drivers :(

    ReplyDelete
  6. The drivers installation time should be same for all new devices, about 15-20 secs.

    I think you want to use already installed drivers, I have not been able to do this. If I set the Vendor ID and Product ID to an already installed keyboard, Teensy doesn't work. According to this document (which describes the process of identification of a device and driver installation) http://msdn.microsoft.com/en-us/library/ff549455 a change in Hardware ID should lead to usage of existing drivers. But as I said, this never worked for me.

    ReplyDelete
  7. On my way to the bank. Need to deposit cash for Teensy order.

    ReplyDelete
  8. Before I go to the bank ...
    I understand PowerShell is mostly used for these kind of attacks and it means it's not seen as a trojan, right? But PowerShell's behaviour won't trigger heuristic alerts?

    ReplyDelete
    Replies
    1. It won't. As of this date, no AV or other countermeasures' alert is triggered by a HID and/or PowerShell.

      Delete
  9. Hi,
    I keep getting this error with almost any Kautilya payloads:

    http://imageshack.us/f/716/teensyerror.png/

    Any suggestions?
    I work on a windows 7 machine, I've checked for that script and it's where it is supposed to be.

    ReplyDelete
    Replies
    1. Hi,

      Seems like a keyboard layout problem. What is the keyboard type you are using? All of the testing has been done on English (US) keyboard. Try changing the layout.

      Delete
  10. Yeah, so it was!

    I changed the layout and now it works. Thanks

    ReplyDelete
    Replies
    1. Great! While this is good for testing, please keep in mind that you should change the Keyboard type to your target in Arduino IDE while compiling the payload to Teensy.

      Delete
  11. wow what a enjoyable use for my teensy just one qestion how hard/possible whoud it be to perform multiple tasks from the same sketch say keylogger and dump wlan keys

    thanks -rob

    ReplyDelete
    Replies
    1. Thanks :)

      Quite possible. Right now you need to manually combine two payloads which could be doneeasily if you know a little bit powershell and arduino. In future, this may be an option in Kautilya.

      Delete
  12. my question , where should i order to get a teensy , i am from india.

    ReplyDelete
    Replies
    1. I always buy it from pjrc.com who are the makers. Someone suggested digibay.in but I have not ordered anything ever from that place.

      Delete
  13. Hi is Kautilya support teensy Lc? I have find only option for teensy 2.0++ or 3.×× in kautilya.

    ReplyDelete
    Replies
    1. Not tested with Teensy LC. Kautilya should work with it but some payloads *may* be too big for the device.

      Delete