Wednesday, April 4, 2012

Teensy USB HID for Penetration Testers - Part 2 - Basics of Arduino and Hello World

In the first post we installed the Arduino Development Environment (ADE). Now let's have a look at the basics of programming Teensy using ADE.

Make sure that the proper board is selected from the menu, then choose the correct device type.



In the Arduino Development Environment (ADE), programming is done in a C-style syntax: there are variables, functions (methods), conditional operators, pointers and so on. A program is called a sketch in ADE.

Now, let's have a look at sketches. A sketch must have a setup function and a loop function. These two are the bare minimum: compilation of a sketch fails if either of them is missing, but a sketch with empty setup and loop functions compiles fine.

setup is called once, when the sketch starts. loop, as the name suggests, keeps...umm...looping, repeating the code written inside it for as long as the device is powered.



Let's write a very simple sketch which types "Hello World" at the cursor position.

void setup()
{
  // Runs once when the sketch starts: type the text at the current cursor position
  Keyboard.print("Hello World");
}

void loop()
{
  // Nothing to repeat, so the device just idles after setup
}


Now connect your Teensy device to the machine, then compile and upload the code to the device by clicking on the Verify button. If you have done everything correctly, the sketch will be compiled and uploaded to the device. The device will reboot and should type out Hello World for you. Congrats, you just ran your first sketch!

If you move "Keyboard.print" into loop, Teensy will keep typing Hello World indefinitely. We will have a look at Keyboard and other functions in detail in the next post.


If you encounter errors while compiling, double check that you have selected the correct board type and device type. When you connect Teensy for the first time it may not type anything, because the sketch introduces no delay and the device drivers take nearly 25 seconds to load. Give it another try, it _will_ work.
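As an added example (not code from the original post), here is the Hello World sketch extended with the startup delay discussed above, together with a guarded loop() so that the text is typed once rather than indefinitely. The 25-second delay value and the use of a flag variable are my choices; the post only states that drivers take about 25 seconds to load.

```arduino
// Added example, not from the original post.
// setup() runs once: wait for the host to finish loading the keyboard
// drivers before sending any keystrokes. 25000 ms is an assumed value
// based on the ~25 second driver load time mentioned in the post.
void setup()
{
  delay(25000);
}

// Anything placed in loop() repeats forever, so a flag is used here to
// type the text only once. Remove the flag and you get the endless
// "Hello World" typing described in the post.
bool typed = false;

void loop()
{
  if (!typed) {
    Keyboard.print("Hello World");
    typed = true;
  }
  delay(1000); // idle; nothing else to do on each pass
}
```

The sketch compiles in ADE with the Teensy board and the Keyboard device type selected, exactly as the bare Hello World sketch does.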

If you do not want Teensy to type anything on your own machine and only want to test this on a test machine: as soon as the program is compiled and Teensy reboots, press the small reboot button on Teensy and make sure "Auto" is disabled in the Teensy Loader application (if the Auto button is off, i.e. dark green in colour, it is disabled). Now pull Teensy out of your machine and connect it to a "victim". You will see the device get detected and type whatever was programmed.

This is it. This is a very basic post and is intended for first-time or basic users of Teensy and ADE. In the next post we will look in more detail at writing Teensy sketches with ADE. Meanwhile, try this and post your comments, insults and feedback.

Teensy USB HID for Penetration Testers - Part 1 - Introduction and Arduino Installation

My first blog post after two back-to-back awesome conferences, Black Hat Europe and Troopers. At Black Hat Europe I conducted a workshop called Teensy Programming for Everyone. The workshop was well received by most of the participants, but I found that many of them found it difficult to set up Arduino for use with Teensy and other basic stuff. So, keeping in mind my upcoming trainings at Shakacon and GrrCON, I am starting this series of blog posts; the initial posts will detail the basics of Teensyduino installation, the structure of sketches and the usage of Teensy. In later posts, I will cover Kautilya and its usage. So let's get started.

Teensy is a programmable USB HID from the nice guys at pjrc.com. I use Teensy++ (an improved version of Teensy) in penetration tests for its ability to be used as a programmable keyboard. To start with, this is how you can install Arduino with Teensyduino:


For Windows (tested on Windows 7 and XP), as an Administrator

1. Download Arduino for Windows.

2. Extract the zip archive.

3. Download Teensyduino for Windows, which is a plugin for Arduino. We require this to add support for Teensy in Arduino.

4. Download the Windows Serial Installer.

5. Run the downloaded Serial Installer. You will get a warning as the driver is not signed by Microsoft. Accept it and continue with the installation.

6. Run Teensyduino; it will check for the installed serial driver. Provide the path to the folder where Arduino was extracted. The "Next" button is activated only if Arduino is found at the provided location.


You can choose more libraries to install on the next screen. You can choose to install none; Teensy does not require them.



7. Now you should see more options in Arduino.

For Linux (tested on BackTrack 5)


1. Download Arduino for Linux.

2. Extract the zip archive.

3. Download Teensyduino 32-bit or Teensyduino 64-bit, depending on your OS. We require this to add support for Teensy in Arduino.

4. Download the udev rules. These are required to use Teensy as a non-root user.

5. Install the udev rules:

sudo cp 49-teensy.rules /etc/udev/rules.d/

6. Run Teensyduino and provide the path to the directory where Arduino was extracted.


7. Now you should see more options in Arduino.


This is it for the first post. Please leave comments and feedback.


UPDATE: If you are facing problems when using Linux, make sure you have installed all the dependencies. Read this for more details.

Sunday, February 12, 2012

Bypassing (?) End Point Protector 4 blocking of Teensy

One of my friends shared with me news about an endpoint protection solution called End Point Protector 4. The news article highlights that Teensy and Teensy++ boards can be blocked using this solution. This is the news piece:

-----------------------------------------------------------------------------------------------------------------------
Endpoint Protector 4 – one step ahead the Teensy Board threat
The microcontroller Teensy++ 2.0 is one of the latest threats for endpoint security. It can be plugged into a miniUSB port, is identified as keyboard or mouse and is able to emulate every keystroke or move made by the usual input devices. With Endpoint Protector 4 you won’t be a victim of Teensy 2.0 or Teensy++ 2.0. The endpoint security solution identifies Teensy Boards, enabling you to block or allow them without affecting the normal use of your keyboard and mouse.

Get in touch now with your local CoSoSys sales person for more information and customized sales offers."
-----------------------------------------------------------------------------------------------------------------------

I checked out their website and saw Teensy Board in their list of Controlled Device Types.

I have been working on using Teensy for penetration tests for quite some time now and took this up as a challenge. "Aa dekhein zara kisme kitna hai dum" (roughly "come, let's see who has more strength") started playing in my ears.

I wanted to test this out, so I downloaded a trial of their virtual appliance and set it up. I installed the client on my test Windows 7 machine and connected my Teensy++ device. To my amazement, the device was not blocked, not even the first time. A warning balloon popped up, but Teensy++ was still not blocked. I rushed back to the admin console and checked whether the policies were correct.



On further exploring the admin console, I saw that though the device was not blocked (even though it was reported as blocked), the device was detected properly. I decided to look at how they identify devices to be blocked. Aaaand, I should have guessed this: they are trying to block it based upon Vendor ID and Product ID.



I decided to play with it, as that warning balloon is still annoying and I prefer to be as stealthy as possible. I changed the Product ID and Vendor ID for my Teensy++. A valid Product ID and Vendor ID are required; I used those of RIM.

.\arduino-1.0\hardware\teensy\cores\usb_hid\usb_private.h




After this I restarted the Arduino Development Environment, recompiled a sketch and uploaded it to the Teensy++ board. Now, when I connected the Teensy++ board, bingo! There were no balloon warnings or logs in the console. Mission accomplished!

I may include this in Kautilya as advice to change the Product ID and Vendor ID before using Teensy++ in penetration tests.

P.S. - CoSoSys should get the web console of End Point Protector 4 tested for common webapp vulnerabilities; in a few minutes of playing, 4-5 vulnerabilities were discovered. The management console of a product which claims to be "one step ahead the Teensy Board threat" should at least be reasonably secure.

EDIT: This nice list by Stephen J. Gowdy could be used for finding Vendor IDs and Product IDs.

Saturday, February 4, 2012

Remote Code Execution on SkyMobile VTI Server

Recently, I got access to the management web console of a product that was new to me, called SkyMobile VTI Server. The web console itself was enough to allow complete access to the system, as it was running with administrative privileges and allowed file upload. All I needed to do was upload an ASP meterpreter to wwwroot and get the work done.



But I wanted to have fun. After browsing through the console for a few minutes, I saw the unencrypted default configuration file.





In the configuration file, I saw a parameter called "JavaCommand" which calls the JRE executable.




I uploaded a meterpreter executable, changed the "JavaCommand" variable to the path of the uploaded meterpreter executable and restarted the service (yes, I restarted it; I know it's _really_ bad, but I just did that).


And the result was sweet!



Sunday, December 11, 2011

Kautilya Video

As my first blog post, here is a video for Kautilya. Kautilya is a toolkit developed by me which contains some payloads for the Teensy USB microcontroller device that may be useful to penetration testers.

I will provide more details once the tool is released at Blackhat Abu Dhabi on 15th December. Do provide feedback :)

UPDATE: Kautilya has been released and can be downloaded from here.