Tuesday, January 27, 2015

Dropping infected/weaponized files using a Human Interface Device

This post discusses dropping infected/weaponized files on a target using a Human Interface Device. I am always against using mounted SD cards in a HID. In my experience, it increases the chances of detection and blocking. Using HID without SD card limits the capability of dropping files to much extent. But it is still possible to drop files using HID, a Teensy 3.0, without having to mount additional storage.

Kautilya now has a new category of attacks - "Drop Files". Following payloads have been added.
- Drop a MS Word file
- Drop a Excel file
- Drop a CHM (Compiled HTML Help) file
- Drop a Shortcut (.LNK) file
- Drop a JAR file


Lets have a look at these payloads.

Drop a MS Word file

Use this to drop a MS Word file on a target. The Word file contains an auto executable Macro which executes when the document is opened. PowerShell commands and scripts could be executed. While a command could be simply provided as an option, to execute a script following PowerShell one-liner should be used:
Below screenshot shows a screen for this payload.


The generated sketch needs to be uploaded to a HID. On a target, the HID drops a PowerShell script which generates the infected MS Word file on the Desktop of current user. 

Drop a MS Excel file

This payload is similar to the MS Word payload so no need of looking at it. PowerShell scripts and commands could be passed in the same way to it.

Drop a CHM (Compiled HTML Help) file

This payload drops a weaponized CHM file on a target. Since, compiling CHM files requires HTML Help Workshop, the CHM file is generated on attacker's machine, compressed into a zip archive and byte encoded. This encoded file is written to the HID as a byte array and is then dropped on the target as a zip archive and decompressed. The byte array is quite big even after compression so the time taken by HID to type it on a target is much longer than other payloads. Kautilya shows a warning when this payload is selected.

We have to use Out-CHM in the extras directory of Kautilya to generate the CHM. The script also compresses it and creates a byte encoded text file from it. From a PowerShell prompt use this:
Note that we must have HTML Help Workshop installed on the attacking machine. It could be downloaded from here: http://www.microsoft.com/en-us/download/details.aspx?id=21138

Above command outputs a text file encodedchm.txt. It has to be copied to lib/src directory in Kautilya. The file is read by Kautilya and the sketch (.ino file) is generated to be written to HID.
On a victim, the HID drops the zip, uncompresses it, deletes zip and leaves the CHM on the current user's desktop.

Drop a Shortcut (.LNK) file

This payload drops a shortcut file (.lnk) on a target machine. The shortcut is set to the path powershell.exe which is. by default, same on every machine and the command/script is passed as an argument to it. We can also assign hotkey and icon to the shortcut. Interestingly, assigning a hotkey means every time the user presses that key our weaponized shortcut file would execute ;)

When the HID is connected to a target. A shortcut is created on the current user's desktop. Whenever a user clicks on the shortcut or presses the hotkey the specified command or script would be executed.

Drop a JAR file

Use this payload to drop a JAR file on a target. Like the CHM file attack, the JAR is to be created using Out-Java in the extras directory. This payload also takes much more time than other paylods in Kautilya.
From a PowerShell prompt use this:
Above command outputs a text file encodedjar.txt. It has to be copied to lib/src directory in Kautilya. The file is read by Kautilya and the sketch (.ino file) is generated to be written to HID.
On a victim, the HID drops the JAR on the current user's desktop.

Below video shows the MS Word attack in action. Its my first video so please share your feedback :)


Neat!

So we can drop weaponized files on a target while using only the Keyboard emulation on a programmable HID. A useful addition to an attacker's toolchest. Kautilya could be found here: https://github.com/samratashok/Kautilya

Hope you enjoyed this!

I am doing trainings on "PowerShell for Penetration Testers" during March 2015.  A one day training at CanSecWest on 14th March (details here) and a two day training at Troopers on 16th-17th March 2015 (details here).

7 comments:

  1. Thank you! This will be awesome with Kali NetHunter smartphone, I am going to test it.

    ReplyDelete
  2. Have you seen the USB Rubber Ducky? If not, check it out some time! It's a relatively script kiddie-friendly way of doing the same, and in my opinion not in a bad way. The easier an attack like this is to carry out, the more likely it's no longer an attack vector in the future, one would hope.

    On a side note: defeating this attack was an interesting exercise. I'm not sure how to go about it on Windows and OSX, but on Ubuntu I was able to modify some udev rules to make my system prompt me to activate a HID on insertion if the system was running. Anything plugged in at boot would still be fine, meaning I could have a HID to use to accept or deny the prompts, otherwise that would be awkward.

    You can find info on the ducky here:
    http://usbrubberducky.com/index.php

    ReplyDelete
    Replies
    1. Never tried ducky though I have read much about it. In fact, I remember coming through a project which "converts" Kautilya payloads to ducky ones.

      The udev rules you mentioned are a good defense against such attacks. Also, on Windows, Group Policy could be used to defeat such attacks. IronGeek has a very detailed post about it.
      http://www.irongeek.com/i.php?page=security/plug-and-prey-malicious-usb-devices

      Delete
    2. This comment has been removed by the author.

      Delete
  3. Moved the comment here. Anyone tested it on a teensy 3.2? Will it work? Or should one consider buying a 2/3.0? I am asking, because for me, they are a bit on the pricey side..

    ReplyDelete
  4. could you make all in one kautilya attack

    ReplyDelete

Note: Only a member of this blog may post a comment.