Didier Stevens

Monday 24 April 2017

Bash Bunny PDF Dropper

Filed under: Hardware,My Software,PDF — Didier Stevens @ 0:00

More than 5 years ago, I worked out a technique to drop any file on a machine which has removable storage disabled. The technique used a Teensy to simulate a keyboard and type out a pure ASCII PDF to notepad. The PDF, containing an embedded executable, can then be saved and opened with a PDF reader to extract the embedded file.

I recently re-visited this technique with my Bash Bunny (it can also be done with a Rubber Ducky):

First I create a pure ASCII PDF file with an embedded executable using my make-pdf-embedded.py tool:

make-pdf-embedded.py -f fi80 -t -n Dialog42.exe.txt Dialog42.exe Dialog42.pdf

Option -f selects the filters to use: f to deflate (zlib compress) and i80 to use hexadecimal lines of 80 characters to encode the compressed executable file in pure ASCII.

Option -t for pure text.

Option -n to choose the name used in the PDF document for the embedded file (files with extension .exe cannot be extracted with Adobe Reader).

And then I create a Ducky Script script from the PDF with my python-per-line.py tool:

python-per-line.py "Duckify({})" -o payload.duck Dialog42.pdf

The payload.duck file can then be installed on my Bash Bunny, referenced from a payload.txt bash script like this:


#!/bin/bash

ATTACKMODE HID

QUACK SET_LANGUAGE be

QUACK GUI r
QUACK DELAY 500
QUACK STRING notepad.exe
QUACK ENTER
QUACK DELAY 1000

QUACK switch1/payload.duck

Here is a video showing my Bash Bunny dropping this PDF file:

Sunday 9 April 2017

Quickpost: Bash Bunny & Keyboard Layouts

Filed under: Bash Bunny,Hardware,Quickpost — Didier Stevens @ 12:50

This Quickpost is for my Bash Bunny with the original firmware. Since my first Bash Bunny post a couple of days ago, firmware 1.1 was released, but I have not yet upgraded.

When I used my Bash Bunny as a keyboard emulator (attackmode HID) to type string Attack! (QUACK STRING Attack!), I got the same result as with my Teensy: the string Qttqck1 was typed. That’s because by default, Bash Bunny emulates a US keyboard, and my computers are configured for a BE keyboard layout.

A keyboard doesn’t send characters to the computer when typed upon, but it sends so-called scancodes identifying the typed keys. Then the operating system converts those scancodes to characters, depending on the configured keyboard layout. So I have two solutions to fix my problem: change the keyboard layout of my machines to US, or have my Bash Bunny send the scancodes corresponding to a BE keyboard.

Solution 1 is not practical for me, so let’s take a look at solution 2. With my Teensy, I would send characters Qttqck8. Doing the same with my Bash Bunny, command “QUACK STRING Qttqck8” sends the correct scancodes for a BE keyboard to type Attack!.

Fortunately, the Bash Bunny can be configured to use keyboard layouts other than US, so that I don’t have to convert strings. But first, the DuckToolKit needs to be installed on the Bash Bunny via the DuckyInstall payload. After the toolkit is installed, you will find a folder (/root/tools/DuckToolkit/ducktoolkit/languages) with json files for different keyboard layouts on the Bash Bunny:

OK, so how do we use this in a payload? With command QUACK SET_LANGUAGE, like this:


#!/bin/bash

ATTACKMODE HID

QUACK SET_LANGUAGE be
QUACK STRING Attack!

SET_LANGUAGE will use the selected keyboard layout, and translate the strings to the correct scancodes. Note that if you select a keyboard layout for which there is no corresponding json file on your Bash Bunny, then the HID key injection will not work. You will have to find or create a json file for your keyboard layout, and add it to the folder.

This is the be.json file (BE keyboard layout):

Notice that the scancodes for letter q are: 00, 00 and 04. The first byte (00) is the modifier key (indicating SHIFT for example), the second byte (00) is reserved, and the third byte (04) is the keycode.

This is the us.json file (US keyboard layout):

Notice that the same scancodes for letter q on a BE keyboard (00, 00 and 04) correspond to letter a on a US keyboard.
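The layout mismatch described in this post, worked through in Python as an added example (not code from the post or from DuckToolkit). The two tables are partial and built by hand for the characters in Attack!, using the modifier,reserved,keycode triplet format described above; the function names are hypothetical.

```python
# Added example: partial, hand-built layout tables (not DuckToolkit's files).
# Each entry is "modifier,reserved,keycode" in hex, as described in the post.
# Modifier 02 is Left Shift in the USB HID modifier byte.
US = {
    "a": "00,00,04", "q": "00,00,14", "t": "00,00,17", "c": "00,00,06",
    "k": "00,00,0e", "A": "02,00,04", "Q": "02,00,14",
    "1": "00,00,1e", "!": "02,00,1e", "8": "00,00,25",
}
BE = {
    "q": "00,00,04", "a": "00,00,14", "t": "00,00,17", "c": "00,00,06",
    "k": "00,00,0e", "Q": "02,00,04", "A": "02,00,14",
    "1": "02,00,1e", "!": "00,00,25", "8": "02,00,25",
}


def encode(text, layout):
    """Characters -> scancode triplets sent by a device emulating `layout`."""
    missing = sorted(set(text) - set(layout))
    if missing:
        # Mirrors the post: without a matching layout entry, nothing sensible is sent.
        raise ValueError(f"layout has no entry for: {missing}")
    return [layout[ch] for ch in text]


def decode(scancodes, layout):
    """Scancode triplets -> characters as read by a host configured for `layout`."""
    by_code = {code: ch for ch, code in layout.items()}
    return "".join(by_code.get(code, "?") for code in scancodes)


def host_sees(text, device_layout, host_layout):
    """What appears on the host when the device types `text`."""
    return decode(encode(text, device_layout), host_layout)


def pretranslate(text, device_layout, host_layout):
    """String the device must type so that the host ends up with `text`."""
    return decode(encode(text, host_layout), device_layout)


if __name__ == "__main__":
    print(host_sees("Attack!", US, BE))     # US emulation on a BE host
    print(pretranslate("Attack!", US, BE))  # the manual workaround string
    print(host_sees("Attack!", BE, BE))     # layouts agree
```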

BTW, when my Bash Bunny is plugged in for a couple of hours, it gets a little bit hot:




Saturday 8 April 2017

Quickpost: Infinite Control For Bash Bunny

Filed under: Bash Bunny,Hardware,My Software,Quickpost — Didier Stevens @ 11:25

I already used a Teensy to send a CONTROL keypress every 10 seconds. This came in handy to keep machines from going to sleep or auto-locking.

Today I wrote a script for my Bash Bunny to do the same.

Warning: if you use this, make sure you unplug the Bash Bunny before you start typing on the computer. Otherwise the CONTROL keypresses will interfere with your typing, potentially ending up in unwanted commands like CTRL-Q: Quit.


#!/bin/bash
# Title:         Infinite Control
# Author:        Didier Stevens (https://DidierStevens.com)
# Version:       0.0.1 2017/04/08
#
# Hit the CONTROL key every 10 seconds in an infinite loop,
# while blinking the red LED with every keypress.
#
# Can be used to prevent a machine from sleeping or auto-locking.
#
# WARNING: Do not type on the machine's keyboard while this script
#          is running, or your keystrokes might become commands,
#          for example CTRL-Q: Quit
#
# Red ...............Hitting CONTROL key
# Red Blinking.......Wow! We broke out of the infinite while loop!

ATTACKMODE HID

# infinite while loop
while true
do
  LED R
  QUACK CTRL
  LED
  sleep 10
done

# this code will never be reached
LED R 100



Thursday 6 April 2017

Quickpost: Using My Bash Bunny To “Snag Creds From A Locked Machine”

Filed under: Bash Bunny,Entertainment,Hacking,Hardware,Quickpost — Didier Stevens @ 23:22

FYI: This is nothing new, I’m just documenting how I configured and used my new Bash Bunny for “SNAGGING CREDS FROM LOCKED MACHINES” as Mubix explained.

After setting up my Bash Bunny, I used it on a locked Windows 10 machine to get netNTLMv2 hashes, here is the video:

 

After collecting the hashes, I can recover them from the Bash Bunny:

I put my Bash Bunny into arming mode: put the switch in position 3 (switch position closest to the USB connector). I insert my Bash Bunny in my Windows machine. The removable storage on the Bash Bunny gets assigned drive letter D: on my machine.

Inside folder D:\loot\quickcreds there are folders created each time I use this payload on a machine. Here is the content for the Windows 10 machine I collected hashes from (DESKTOP-DEMO):

File Proxy-Auth-NTLMv2-172.16.64.10.txt contains the hashes:

These can be cracked, for example with John The Ripper:

Here is what I did to set up my Bash Bunny after unboxing it:

First I updated the payloads on my Bash Bunny from the GitHub repository.

I put my Bash Bunny into arming mode: put the switch in position 3 (switch position closest to the USB connector). I insert my Bash Bunny in my Windows machine. The removable storage on the Bash Bunny gets assigned drive letter D: on my machine.

I copy the content of the GitHub repository payloads folder to the payloads folder on the Bash Bunny: d:\payloads\ (overwriting existing files).

To install the tools: I copy D:\payloads\library\tools_installer\ to D:\payloads\switch1\ (overwriting existing files).

I eject the Bash Bunny, put the switch in position 1 (payload 1, switch position closest to the LED). I insert the Bash Bunny in my Windows machine, and wait for a white solid LED: this takes about 10 seconds.

I eject the Bash Bunny, put the switch in position 3 and re-insert it into my Windows machine.

Then I set the QuickCreds payload (responder) as payload 2 on my Bash Bunny: copy D:\payloads\library\QuickCreds\ to D:\payloads\switch2\ (overwriting existing files).

I eject the Bash Bunny, put the switch in position 2 (payload 2, switch position in the middle) and insert it into my test Windows machine. After some time, the Bash Bunny displays a green LED, indicating that hashes were collected.




Monday 11 June 2012

Update: vs.py Version 0.5

Filed under: Hardware,My Software,Update — Didier Stevens @ 20:17

I’ve updated my Python program to take surveillance pictures from IP-cameras. This updated version can take action after a picture is taken. For each picture to retrieve, you can specify an optional program to be executed; this program receives the picture as argument.

Each line in vs.config can have a 5th parameter now: the name of the program to execute:

Hall.jpg    http://192.168.1.1/IMAGE.JPG    -    Thread1  image-compare.py

I use it to start a program that compares the new picture with the previous picture, and warns me if they are significantly different.

vs_v0_5.zip (https)
MD5: 83B6DE93E6E26B510E2FBC80C0FF3C17
SHA256: DE3D4DC8D00692BE57F4A8B0A13BB4E3FAE9564ECE444EA04A890B65EED2D538

Monday 22 August 2011

Quickpost: CCTV Over UTP

Filed under: Hardware,Quickpost — Didier Stevens @ 0:04

I knew it was possible to transmit a composite video signal over UTP, but I always assumed that this was a kludge: that the preferred way was to use RG59 cable.

But recently I discovered that UTP cabling is often used in professional CCTV installations, because it offers the same benefits of structured cabling (like standardization and cost reduction).

To send the video signal over UTP, you need video baluns (one at each end of the pair). It is not transmitted via Ethernet, but the video signal is transformed to be sent over a pair. Since CAT5 cable has 4 pairs, you can send 4 video signals over 1 cable. That’s what I’ve done at home, to limit the number of cables I had to install.

You can also use some pairs in the CAT cable to provide power to the CCTV camera (typically 12V) or to transmit audio (when you add a microphone to your CCTV camera). Video baluns are passive components, they don’t need power to operate. I’ve used baluns to cover distances of about 30m, and I don’t notice a difference in the quality of the video signal (compared to a video signal transmitted over RG59 cable).
Most baluns advertise distances of several hundred meters.

I was also able to transmit a video signal without noticeable quality degradation over an untwisted pair of 10m.




Friday 5 August 2011

My Home Surveillance System: Some Details

Filed under: Arduino,Hacking,Hardware — Didier Stevens @ 11:02

I use Phidgets USB interfaces and sensors for my home surveillance system. For the moment, my home surveillance system consists of Python programs running on a PC, but once I’m past the experimental phase, I will migrate this to a dedicated controller.
I particularly like the PIR motion sensor Phidget, because it gives you an analogue output. When there’s no movement, the output will be around 500. With movement, the output value will oscillate around 500, with larger amplitudes for larger movements. This allows me to differentiate between small and large movements, and to eliminate false positives which are only of a short duration. If you have to run wires for many meters to connect your analogue sensors to the interface module, I recommend you use shielded wires and connect the shield to the ground of the interface module. This allowed me to eliminate noise I had on the readings.

Another plus is that the sensors are powered by the interface module. So if you power the PC (or micro-controller) with a UPS, your home surveillance system will also operate when there’s a power cut.

To take pictures when an event occurs (like ringing the doorbell), I use an IP camera. Take a look at my vs.py program to see how that’s done.

Friday 29 July 2011

My Home Surveillance System

Filed under: Arduino,Hacking,Hardware — Didier Stevens @ 10:21

Aside from having installed my own Home Automation and CCTV system, I also designed and installed a surveillance system at home. This post will discuss some of the design decisions I took. Some of them are different from more conventional alarm systems.

The surveillance system has many sensors in and around the house (passive infrared (PIR) sensors, reed switches, temperature sensors, …) and can take several actions, like starting sirens, turning on lights, sending text messages, making phone calls, taking pictures, … Which actions are taken depends on the alert level that was set.

First design decision: this system is designed to deter common burglars, not burglars with inside knowledge of the system.

Second design decision is that the system will log all events coming from sensors, regardless of triggering an alarm.

Third design decision is that there is no alarm delay: if a sensor triggers that would cause the alarm to sound, then the alert sounds immediately. There is no delay or pre-alarm phase. I believe an immediate alarm has a greater deterrent effect. With this design, it’s best to avoid false-positives as much as possible.

Fourth design decision: use analogue PIR detectors, not binary PIR detectors. A classic (binary) PIR detector will just tell you that movement occurred. With an analogue PIR detector, you get the amplitude and duration of the movement, which is useful information to weed out false alarms, or ignore movement from small pets.
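The amplitude-and-duration filtering described for the analogue PIR sensor, here and in the "Some Details" post, as an added Python example that is not the author's code. Only the resting value of 500 comes from the posts; the noise band, size threshold, minimum length, gap value and the sample readings are assumptions constructed for illustration.

```python
BASELINE = 500     # resting output stated in the post
NOISE = 20         # assumed: deviations up to this are treated as no movement
LARGE = 150        # assumed: peak deviation that marks a large movement
MIN_SAMPLES = 3    # assumed: shorter bursts count as false positives
GAP = 2            # assumed: consecutive quiet samples that end a burst

# Constructed readings: a one-sample spike, a small movement, a large movement.
SAMPLE = [500, 503, 498, 560, 500, 501, 499, 430, 580, 410, 600,
          505, 470, 500, 502, 700, 290, 720, 310, 680, 500, 500]


def _label(start, length, peak):
    """Classify one burst by its duration (in samples) and peak deviation."""
    if length < MIN_SAMPLES:
        label = "ignored"
    elif peak >= LARGE:
        label = "large"
    else:
        label = "small"
    return (start, length, peak, label)


def find_movements(readings):
    """Return (start_index, length, peak_deviation, label) for each burst."""
    events, start, last, peak, quiet = [], None, None, 0, 0
    for i, value in enumerate(readings):
        deviation = abs(value - BASELINE)
        if deviation > NOISE:
            if start is None:
                start, peak = i, 0
            # The signal oscillates around the baseline, so a single quiet
            # sample inside a burst must not end it; reset the quiet counter.
            peak, quiet, last = max(peak, deviation), 0, i
        elif start is not None:
            quiet += 1
            if quiet >= GAP:
                events.append(_label(start, last - start + 1, peak))
                start = None
    if start is not None:  # burst still running when the readings end
        events.append(_label(start, last - start + 1, peak))
    return events


if __name__ == "__main__":
    for event in find_movements(SAMPLE):
        print(event)
```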

Now on to some interesting or unusual use cases.

I have a sensor on the doorbell too. When someone rings the doorbell, the event is logged and the system takes pictures of the front door. I’ve seen some interesting events since this doorbell sensor was installed. For example, I expected a package to be delivered after 18:00. The sender had instructed our national courier company to deliver the package after 18:00. You can probably guess they didn’t follow the instructions. I have evidence they attempted to deliver well before 18:00, and what’s even worse, they left a note saying they had passed around 18:15…

Like modern, commercial alarm systems, I have several alarm zones. For example, I can set the alarm level for when we go to bed. In this mode, the alarm will go off if there is movement inside the house, except in the bedroom and nearby rooms/hall. But come morning, you have to remember to switch off the alarm before you leave the bedroom.
Not with my system. If my system detects movement in the protected zone, and if there has been movement in the bedroom zone just before, it will disable the alarm instead of sounding the alarm. So no false alarms triggered in my house by sleepy-heads.

Outside lights that switch on when movement is detected are supposed to deter burglars, but they are so common that I believe the deterrent effect is negligible. My system turns on some lights inside the house when it detects movement outside while it is dark and there is no movement inside. I believe this has a much greater deterrent effect, because it’s so uncommon. And it will also take pictures. I now have a large picture collection of neighborhood cats in my back garden 😉

I’ve recently installed wireless interconnected smoke alarms. I will connect one smoke alarm to my home surveillance system, so that my system is aware when smoke alarms trigger and can act appropriately.

Testing all these functions is fun. I’m “testing in production”, you can imagine that I don’t have a second home that I can use as a test system.
So sometimes you can see me run around the house like a madman, but I’m just testing a new feature I programmed… 😉

Thursday 14 July 2011

Quickpost: Blocking and Detecting a Teensy Dropper

Filed under: Forensics,Hardware — Didier Stevens @ 9:58

A Teensy dropper presents itself as a keyboard (HID) to a PC and this is how it can be used to drop files even if you don’t allow removable drives.

You can prevent the installation of new HIDs, but this is an issue when you need to replace keyboards or mice. Irongeek has a good write-up.

Connected HIDs leave forensic traces in the registry; take a look under key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\

Connecting a Teensy leaves these entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482\6&31417f27&0&3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482&MI_00\7&becc88c&0&0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482&MI_01\7&becc88c&0&0001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482&MI_02\7&becc88c&0&0002
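One way to check exported key paths for these traces, as an added Python example (not from the original post). It assumes the key paths have been exported one per line; the watchlist holds only the Vid/Pid pair from the entries above, and Vid_1234&Pid_5678 is a constructed placeholder device.

```python
import re
from collections import defaultdict

# Matches key paths under ...\Enum\USB\ in the form shown in the post.
USB_KEY = re.compile(
    r"\\Enum\\USB\\Vid_([0-9a-f]{4})&Pid_([0-9a-f]{4})"
    r"(?:&MI_([0-9a-f]{2}))?\\([^\\]+)$",
    re.IGNORECASE,
)

# The only pair on the watchlist is the one from the post's Teensy entries.
WATCHLIST = {("16c0", "0482")}

# Constructed input: the post's four key paths plus one made-up device
# (Vid_1234&Pid_5678 is a placeholder, not a real product).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482\6&31417f27&0&3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482&MI_00\7&becc88c&0&0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482&MI_01\7&becc88c&0&0001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482&MI_02\7&becc88c&0&0002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_1234&Pid_5678\5&1a2b3c4d&0&1
""".split()


def parse_usb_keys(lines):
    """Group USB enumeration key paths by (vid, pid)."""
    devices = defaultdict(lambda: {"instances": set(), "interfaces": set()})
    for line in lines:
        match = USB_KEY.search(line.strip())
        if not match:
            continue  # not a USB device key path
        vid, pid, interface, instance = match.groups()
        device = devices[(vid.lower(), pid.lower())]
        if interface is None:
            device["instances"].add(instance)      # the device itself
        else:
            device["interfaces"].add(interface)    # one MI_xx child per interface
    return dict(devices)


def flag_devices(devices, watchlist=WATCHLIST):
    """Return (vid, pid, interface_count) for every device on the watchlist."""
    return sorted(
        (vid, pid, len(info["interfaces"]))
        for (vid, pid), info in devices.items()
        if (vid, pid) in watchlist
    )


if __name__ == "__main__":
    for hit in flag_devices(parse_usb_keys(SAMPLE)):
        print("previously connected:", hit)
```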




Wednesday 13 July 2011

Teensy PDF Dropper Part 1

Filed under: Hacking,Hardware,PDF — Didier Stevens @ 21:40

Pentesters need to drop files on targets. If a box is not connected to the Internet, and doesn’t accept removable storage, they need to come up with some tricks.

Inputting the file via the keyboard is an option, but typing several millions of bytes is not. This needs automation.

Irongeek uses a Teensy micro-controller to achieve this. My solution is a variation on this. If you need to drop a binary file, you need to find a way to convert the typed ASCII to bytes. There’s a solution with a debugger, but I’m using a PDF Reader.

It’s possible to create a pure ASCII PDF file that embeds a binary file. Here are the steps to drop a binary file:

  • open Notepad
  • insert the Teensy and let it type the ASCII PDF file into Notepad
  • save the PDF file
  • open it with a PDF Reader and save the embedded binary file

Writing a program with the Arduino IDE to type an ASCII PDF file is not difficult:

But with the Arduino IDE, your embedded file is limited to a couple of kilobytes. Handling larger files will be described in part 2 of this post.
