Saturday, March 15, 2025

Best Red Team BadUSB payload


What is the best security awareness payload for the Rubber Ducky?

A two-second HID attack against Windows and Mac that opens a website of your choosing. That's by far the most effective security awareness payload for the USB Rubber Ducky.

Cyber security awareness building is important, and developing an effective security awareness program - or at least raising eyebrows that one is even necessary - doesn't need to be difficult.
WE COULD ALL USE SOME CYBER SECURITY AWARENESS

Hot off the heels of the bank heist security awareness campaign in Beirut with Jayson Street (see Breakthrough: Cyber-Terror on National Geographic), @Snubs and I set off to perform our own security awareness research. We were given the unique opportunity to present the keynote at AusCERT 2017 on Australia's Gold Coast. Our talk was all about trust, convenience, and how USB, and better yet humans, are the universal attack vector. CSO has a great write-up.

Essentially, we wanted to see if the cyber security community practiced what it preached, specifically whether it follows best practices with regard to foreign USB drives. What we found was astounding. Judging from our own informal poll, it seems many of us in the information security world don't even bother with basic anti-virus, so how would we fare as an industry against foreign USB drives?
THE BEST PAYLOAD THAT DOESN'T GATHER SENSITIVE DATA


Now I've spoken before about a 2-second USB Rubber Ducky payload which will grab Windows password hashes via SMB. It's a great payload for internal audits - so red teams take note. But for this engagement the last thing we wanted was any sensitive data.

Unlike Google, who conducted a similar USB drop at a university with the intent of obtaining reverse shells on the target machines, we opted for something completely benign. Our payload only launches a shortened URL, which takes the target to US-CERT Bulletin ST08-001: Using Caution with USB Drives. The US-CERT bulletin, from the National Cyber Awareness System, states:

    Do not plug an unknown USB drive into your computer - If you find a USB drive, give it to the appropriate authorities (a location's security personnel, your organization's IT department, etc.). Do not plug it into your computer to view the contents or to try to identify the owner.

ABOUT HALF OF USB DROP DRIVES GET PLUGGED IN

Of the 100 USB Rubber Ducky drives we dropped, we noticed 162 executions from 62 unique IP addresses throughout a 65-day period. Mind you, this was at a conference primarily made up of professionals working in the cyber security industry. Now, since we did not uniquely identify each drive's payload, we cannot determine the actual percentage plugged in. However, based on the unique factors we can track, the results do seem in line with Google's findings that 48% of people do plug in USB drives found in parking lots.

The other data of interest indicated that targets were 68% Windows and 32% Mac. Browsers were 69% Chrome, 24% Safari and shockingly 7% Internet Explorer. The vast majority of executions were within the first week of the conference, however the long tail lasted until mid-April.
HOW DO I PERFORM THIS AUDIT AGAINST MY OWN ORGANIZATION

Setting this up for your own security awareness campaign is dead simple. All you need is this payload, a few USB Rubber Duckies, a URL to point the payloads at, and a few creative spots to leave the drives.

For the URL, you could set up a page that tells the user they've broken corporate policy and should contact IT, or you could do what we did and send 'em to US-CERT. Either way you'll be able to track the executions. This can be done with your own web server (preferably running PHP), or with a URL shortener that gives you click analytics (Google's goo.gl shortener, suggested when this was first written, has since been discontinued, so pick one that still exists or just run the script below).

Here's the PHP script, which logs the IP address and browser data and then forwards the target on to your URL of choice. Uncomment the mail command and change the SMS gateway if you want your phone to ding every time someone plugs one in :)

    <?php
    // Log every hit (timestamp, client IP, User-Agent) and forward the browser to
    // the awareness page. summary.txt and full-data.txt must already exist and be
    // writable by the web server user (see below).
    $today = date("F j, Y, g:i a");
    $data = json_encode(array("headers" => getallheaders(), "server" => $_SERVER, "request" => $_REQUEST));
    file_put_contents("summary.txt", $today . "\t" . $_SERVER['REMOTE_ADDR'] . "\t" . ($_SERVER['HTTP_USER_AGENT'] ?? '') . "\n", FILE_APPEND);
    file_put_contents("full-data.txt", $data . "\n", FILE_APPEND);
    $message = $today . " - " . $_SERVER['REMOTE_ADDR'];
    // Uncomment and change the address to get an SMS via your carrier's email-to-SMS gateway:
    // mail('5105551212@tmomail.net', 'subject', $message);
    ?>
    <html><head><meta charset="UTF-8" />
    <meta http-equiv="refresh" content="1;url=https://www.us-cert.gov/ncas/tips/ST08-001" />
    <script type="text/javascript">window.location.href = "https://www.us-cert.gov/ncas/tips/ST08-001"</script>
    <title>Page Redirection</title></head>
    <body>If you are not redirected automatically, follow the <a href="https://www.us-cert.gov/ncas/tips/ST08-001">link</a>.</body></html>

You'll need to touch full-data.txt and summary.txt in the script's directory and chmod them so the web server user can write to them. Keep in mind that the script writes them right next to itself in the web root, so anyone who guesses the filenames can download your list of IP addresses, user agents and full request headers: either write them to a path outside the document root, or deny web access to them (a .htaccess rule or equivalent).

This cross-platform USB Rubber Ducky payload works against Windows, Mac and some Linux window managers which support URLs from the ALT+F2 run dialog (like Ubuntu's Unity). Each OS only reacts to its own shortcut, so one script covers all three:

    REM wait for the host to enumerate the keyboard
    DELAY 1000
    REM Linux: ALT+F2 run dialog
    ALT F2
    DELAY 50
    REM macOS: CMD+SPACE opens Spotlight
    GUI SPACE
    DELAY 50
    REM Windows: WIN+R opens the Run dialog
    GUI r
    DELAY 50
    REM clear anything the dialog pre-filled
    BACKSPACE
    DELAY 100
    STRING http://example.com
    ENTER

Replace example.com with the URL of your choosing.

Finally, load up the ducks, find some enticing places to plant 'em, and watch the logs as humans do what humans do best.
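Once the logs start filling up, you'll want the same numbers the post reports: executions, unique addresses, OS and browser split, and how long the tail lasts. The following Python script is an added example, not code from the original post; it parses the tab-separated lines the PHP script writes to summary.txt (date in PHP's `date("F j, Y, g:i a")` form, client IP, User-Agent). The log lines embedded in it are constructed sample data using documentation-only IP ranges, and the OS/browser buckets are simple substring heuristics, which is why the ordering in classify_browser matters: Chrome and Edge both advertise "Safari", Edge also advertises "Chrome", and IE 11 only identifies itself via "Trident".

```python
#!/usr/bin/env python3
"""Summarise the summary.txt produced by the PHP redirector.

Each line is "<date>\t<client IP>\t<User-Agent>". SAMPLE_LOG is constructed
sample data, not real results.
"""
from collections import Counter
from datetime import datetime

SAMPLE_LOG = "\n".join([
    "March 14, 2025, 9:02 am\t203.0.113.10\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",
    "March 14, 2025, 9:05 am\t203.0.113.10\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",
    "March 14, 2025, 11:40 am\t198.51.100.7\tMozilla/5.0 (Macintosh; Intel Mac OS X 14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3 Safari/605.1.15",
    "March 15, 2025, 8:15 am\t198.51.100.22\tMozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko",
    "March 18, 2025, 2:30 pm\t192.0.2.5\tMozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0",
    "April 2, 2025, 4:10 pm\t203.0.113.44\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0",
]) + "\n"


def classify_os(ua):
    """Coarse OS bucket from the User-Agent string."""
    if "Windows" in ua:
        return "Windows"
    if "Macintosh" in ua or "Mac OS X" in ua:
        return "Mac"
    if "Android" in ua:
        return "Android"
    if "Linux" in ua or "X11" in ua:
        return "Linux"
    return "Other"


def classify_browser(ua):
    """Browser bucket. Order matters: Chrome/Edge contain 'Safari', Edge contains
    'Chrome', and IE 11 only says 'Trident'."""
    if "MSIE" in ua or "Trident/" in ua:
        return "Internet Explorer"
    if "Edg/" in ua or "Edge/" in ua:
        return "Edge"
    if "Chrome/" in ua:
        return "Chrome"
    if "Safari/" in ua:
        return "Safari"
    if "Firefox/" in ua:
        return "Firefox"
    return "Other"


def parse_line(line):
    """Split one summary.txt line into (datetime, ip, user_agent)."""
    date_s, ip, ua = line.rstrip("\n").split("\t", 2)
    return datetime.strptime(date_s, "%B %d, %Y, %I:%M %p"), ip, ua


def summarise(text):
    """Executions, unique IPs, OS/browser split, first-week count and tail length."""
    records = [parse_line(l) for l in text.splitlines() if l.strip()]
    if not records:
        return {"executions": 0, "unique_ips": 0, "os": Counter(),
                "browser": Counter(), "first_week": 0, "span_days": 0}
    first_day = min(r[0] for r in records).date()
    day_offsets = [(r[0].date() - first_day).days for r in records]
    return {
        "executions": len(records),
        "unique_ips": len({r[1] for r in records}),
        "os": Counter(classify_os(r[2]) for r in records),
        "browser": Counter(classify_browser(r[2]) for r in records),
        "first_week": sum(1 for d in day_offsets if d < 7),  # hits in the first 7 days
        "span_days": max(day_offsets) + 1,                    # length of the long tail
    }


def percentages(counter):
    """Turn a Counter into {bucket: whole-percent share of the total}."""
    total = sum(counter.values())
    return {k: round(100 * v / total) for k, v in counter.items()} if total else {}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarise(text)
    print(f"{s['executions']} executions from {s['unique_ips']} unique IPs over "
          f"{s['span_days']} days ({s['first_week']} in the first week)")
    print("OS:", percentages(s["os"]))
    print("Browser:", percentages(s["browser"]))
```

Run it as `python3 summarise.py summary.txt` against the real log; with no argument it reports on the embedded sample. Unique IPs undercount when a whole office sits behind one NAT address, which is the same limitation the post notes about not being able to identify individual drives.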
WHY DOES THIS WORK

As users and as a society, we expect technology to "just work".

As developers and systems administrators, in order to make things "just work", we typically need to put in hard coded trusts.

As hackers and penetration testers, wherever we find these hard coded trusts, it's simply a matter of telling the right lie. Something we learned to do from childhood.

Hacking is all about trust. As in life - trust is hard to build & easy to break. Hacking is violating the inherent trust in complex systems.

Happy Hacking!


Friday, December 06, 2024

esp8266 packet monitor


#include <ESP8266WiFi.h>
#include <Wire.h>
#include <EEPROM.h>

#include "SSD1306.h"

extern "C" {
#include "user_interface.h"
}

// OLED at I2C address 0x3c, SDA = GPIO 5 (D1), SCL = GPIO 4 (D2)
SSD1306 display(0x3c, 5, 4);

#define btn D3           // GPIO 0, the Flash button on NodeMCU boards (pressed = LOW)

#define maxCh 13         // highest channel for your regulatory domain: US = 11, EU = 13, Japan = 14
#define ledPin 2         // on-board LED on GPIO 2 (active low)
#define packetRate 5     // deauth/disassoc frames per second before it is flagged as an attack

#define flipDisplay true

// display geometry (128x64)
#define minRow 0
#define maxRow 127
#define minLine 0
#define maxLine 63

// x positions of the header labels and values
#define Row1 0
#define Row2 30
#define Row3 35
#define Row4 80
#define Row5 85
#define Row6 125

#define LineText 0       // y of the header text
#define Line 12          // y of the separator line
#define LineVal 47       // tallest bar that fits below the separator

unsigned long prevTime = 0;
unsigned long curTime = 0;
volatile unsigned long pkts = 0;     // all frames this second (updated from the RX callback)
volatile unsigned long deauths = 0;  // deauth/disassoc frames this second (updated from the RX callback)
unsigned long no_deauths = 0;
int curChannel = 1;
unsigned long maxVal = 0;
double multiplicator = 0.0;
bool canBtnPress = true;

unsigned int val[128];               // packets-per-second history, one entry per display column

// Promiscuous RX callback. The SDK prepends a 12-byte RxControl header to the
// raw 802.11 frame, so buf[12] is the first Frame Control byte:
// 0xC0 = management/deauthentication, 0xA0 = management/disassociation.
void sniffer(uint8_t *buf, uint16_t len) {
  pkts++;
  if (buf[12] == 0xA0 || buf[12] == 0xC0) {
    deauths++;
  }
}

// Scale factor so the tallest bar in the history still fits under the header
void getMultiplicator() {
  maxVal = 1;
  for (int i = 0; i < maxRow; i++) {
    if (val[i] > maxVal) maxVal = val[i];
  }
  if (maxVal > LineVal) multiplicator = (double)LineVal / (double)maxVal;
  else multiplicator = 1;
}

// Redraw the OLED: channel, non-deauth packet count and deauth count in the
// header, then the packets-per-second history as one bar per column.
void drawScreen() {
  display.clear();
  display.drawLine(minRow, Line, maxRow, Line);
  display.setTextAlignment(TEXT_ALIGN_LEFT);
  display.drawString(Row1, LineText, "Ch:");
  display.drawString(Row3, LineText, "Pkts:");
  display.drawString(Row5, LineText, "DA:");
  display.setTextAlignment(TEXT_ALIGN_RIGHT);
  display.drawString(Row2, LineText, (String)curChannel);
  display.drawString(Row4, LineText, (String)no_deauths);
  display.drawString(Row6, LineText, (String)deauths);
  for (int i = 0; i < maxRow; i++) display.drawLine(i, maxLine, i, maxLine - val[i] * multiplicator);
  display.display();
}

void setup() {
  display.init();
  if (flipDisplay) display.flipScreenVertically();

  Serial.begin(115200);

  // restore the last channel from EEPROM (address 2000), defaulting to 1 if unset or invalid
  EEPROM.begin(4096);
  curChannel = EEPROM.read(2000);
  if (curChannel < 1 || curChannel > maxCh) {
    curChannel = 1;
    EEPROM.write(2000, curChannel);
    EEPROM.commit();
  }

  pinMode(ledPin, OUTPUT);
  pinMode(btn, INPUT_PULLUP);   // added: the original relied on the board's external pull-up

  // station mode, not associated, promiscuous RX on the chosen channel
  wifi_set_opmode(STATION_MODE);
  wifi_promiscuous_enable(0);
  WiFi.disconnect();
  wifi_set_promiscuous_rx_cb(sniffer);
  wifi_set_channel(curChannel);
  wifi_promiscuous_enable(1);

  Serial.println("starting!");
}

void loop() {
  curTime = millis();

  // Button: act on release so one press advances exactly one channel.
  if (digitalRead(btn) == LOW) {
    if (canBtnPress) canBtnPress = false;
  } else if (!canBtnPress) {
    canBtnPress = true;

    curChannel++;
    if (curChannel > maxCh) curChannel = 1;
    wifi_set_channel(curChannel);
    for (int i = 0; i < maxRow; i++) val[i] = 0;   // clear the history for the new channel
    pkts = 0;
    multiplicator = 1;

    EEPROM.write(2000, curChannel);   // remember the channel across resets
    EEPROM.commit();

    if (pkts == 0) pkts = deauths;
    no_deauths = pkts - deauths;
    drawScreen();
  }

  // Once per second: shift the history left, append this second's count, rescale, alert.
  if (curTime - prevTime >= 1000) {
    prevTime = curTime;

    for (int i = 0; i < maxRow; i++) {
      val[i] = val[i + 1];
    }
    val[127] = pkts;

    getMultiplicator();

    // LED is active low: light it while the deauth rate exceeds the threshold
    if (deauths > packetRate) digitalWrite(ledPin, LOW);
    else digitalWrite(ledPin, HIGH);

    if (pkts == 0) pkts = deauths;
    no_deauths = pkts - deauths;
    drawScreen();

    deauths = 0;
    pkts = 0;
  }
}
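The whole detection in the sketch is the one comparison in sniffer(): buf[12] is the first Frame Control byte because the ESP8266 SDK hands the callback a 12-byte RxControl header followed by the raw 802.11 frame, and management frames have type 0, so 0xC0 is deauthentication (subtype 12) and 0xA0 is disassociation (subtype 10). The Python below is an added host-side model of that logic, not part of the sketch: it builds frames of the shape the callback sees (the RxControl part is a stand-in, only its leading RSSI byte is meaningful), decodes type, subtype, the three addresses and the deauth reason code, and replays two constructed one-second windows through the same pkts/deauths/packetRate counters loop() uses. The MAC addresses, frames and reason codes are constructed for the example; the decode of data-frame addresses (which depends on the ToDS/FromDS bits) is deliberately left out.

```python
#!/usr/bin/env python3
"""Host-side model of the deauth detection in the ESP8266 sketch.

Frame Control byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
The sample frames below are constructed for this example.
"""
import struct

RXCTRL_LEN = 12          # size of the SDK's RxControl header that precedes the frame
FRAME_TYPES = {0: "mgmt", 1: "ctrl", 2: "data", 3: "ext"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth", 13: "action"}


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(fc0, addr1, addr2, addr3, body=b"", rssi=-40):
    """Construct what the callback receives: stand-in RxControl header (only the
    leading RSSI byte filled) + 24-byte 802.11 MAC header + body."""
    rxctrl = struct.pack("<b", rssi) + bytes(RXCTRL_LEN - 1)
    header = bytes([fc0, 0x00]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x10\x00"
    return rxctrl + header + body


def classify(buf):
    """Decode type/subtype/addresses, going further than the sketch's buf[12] test."""
    frame = buf[RXCTRL_LEN:]
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = fc0 >> 4
    info = {
        "fc0": fc0,
        "type": FRAME_TYPES[ftype],
        "subtype": MGMT_SUBTYPES.get(subtype, str(subtype)) if ftype == 0 else str(subtype),
        # management frames: addr1 = DA, addr2 = SA, addr3 = BSSID
        "dst": mac(frame[4:10]),
        "src": mac(frame[10:16]),
        "bssid": mac(frame[16:22]),
        "is_deauth": fc0 in (0xA0, 0xC0),   # exactly the sketch's test
    }
    if info["is_deauth"] and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]   # reason code after the header
    return info


class DeauthMonitor:
    """Mirror of the sketch's counters: sniffer() per frame, tick() once per second."""

    def __init__(self, packet_rate=5):
        self.packet_rate = packet_rate
        self.pkts = 0
        self.deauths = 0

    def sniffer(self, buf):
        self.pkts += 1
        if buf[RXCTRL_LEN] in (0xA0, 0xC0):
            self.deauths += 1

    def tick(self):
        """End of a one-second window: return (pkts, deauths, alert) and reset, as loop() does."""
        alert = self.deauths > self.packet_rate
        result = (self.pkts, self.deauths, alert)
        self.pkts = self.deauths = 0
        return result


AP = bytes.fromhex("001122334455")       # constructed BSSID
STA = bytes.fromhex("66778899aabb")      # constructed client
BCAST = b"\xff" * 6
BEACON = build_frame(0x80, BCAST, AP, AP, body=bytes(12))
# reason 7 (class 3 frame from a non-associated station) is the classic flood reason code
DEAUTH = build_frame(0xC0, STA, AP, AP, body=struct.pack("<H", 7))
DISASSOC = build_frame(0xA0, STA, AP, AP, body=struct.pack("<H", 8))


def run_windows():
    """Two constructed one-second windows: a deauth flood, then normal traffic."""
    mon = DeauthMonitor(packet_rate=5)
    for frame in [BEACON] * 3 + [DEAUTH] * 5 + [DISASSOC]:
        mon.sniffer(frame)
    flood = mon.tick()
    for frame in [BEACON] * 3 + [DEAUTH] * 2:
        mon.sniffer(frame)
    quiet = mon.tick()
    return flood, quiet


if __name__ == "__main__":
    print(classify(DEAUTH))
    print(classify(BEACON)["type"], classify(BEACON)["subtype"])
    for label, (pkts, da, alert) in zip(("flood", "quiet"), run_windows()):
        print(f"{label}: pkts={pkts} deauth={da} alert={alert}")
```

Note that the sketch lumps disassociation in with deauthentication and only ever sees one channel at a time, so a flood on a different channel than the one selected with the button goes unnoticed; the model above has the same blind spot by design.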

Thursday, March 14, 2024

Machine Learning starter course with the Seeed Studio Wio Terminal -- Join Me!

Intro to Machine Learning on Microcontrollers:
Machine Learning -- TinyML & Seeed Studio Wio Terminal

TinyML -- Seeed Wio Terminal -- ItsyBitsy Machine Learning... let's go!

So if you don't already know, I do a lot of tinkering with microcontrollers. A microcontroller is essentially a small, simple SoC (System on Chip), similar to the CPUs in mobile devices nowadays, although they tend to be much simpler and are usually designed for specific use cases. Here's the textbook definition:

    In modern terminology, a microcontroller is similar to, but less sophisticated than, a system on a chip (SoC). An SoC may include a microcontroller as one of its components, but usually integrates it with advanced peripherals like a graphics processing unit (GPU), a Wi-Fi module, or one or more coprocessors.  Microcontrollers are used in automatically controlled products and devices, such as automobile engine control systems, implantable medical devices, remote controls, office machines, appliances, power tools, toys and other embedded systems.


I recently got a new device called the Wio Terminal. It's a fast, feature-rich device with a plethora of sensors:

  • MCU, LCD, WIFI, BT, IMU, Microphone, Buzzer, microSD Card, Configurable Buttons, Light Sensor, 5-Way Switch, Infrared Emitter (IR 940nm), Crypto-authentication Ready
It also runs a fast microcontroller core, the Microchip ATSAMD51 (an ARM Cortex-M4F clocked at 120 MHz). Put its specs next to a good phone or a laptop CPU and the microcontroller looks extremely lacking in speed and memory, but it has that huge variety of sensors and peripherals tied directly to the processor, so there is much less overhead for it to do the specific tasks the sensors and unit were designed for. It will do them fast, and more importantly do them extremely reliably, on an absolutely tiny amount of power.

A similar micro can run on a small battery pack about the size of a cell phone battery (3600 mAh) for about 12 days if it's configured to go into deep sleep between the timers set to read weather data from its sensors. For connectivity this particular unit has the best mobile-oriented Wi-Fi/Bluetooth chip available, the Realtek RTL8720DN.
 
All this to say, as a platform to build a microcontroller-based project on, the Wio Terminal comes with every bit of hardware you could want or need. This project in particular is a machine learning project, so I'm going to be following this course for the first time ever. I do have some experience with Google Colab, which similarly has AI and machine learning walkthroughs, but the devices you rent and use for those courses are extremely powerful enterprise-grade cloud servers, so these projects, while alike in name, could not be more different. The Wio Terminal costs about $30-45 on Amazon; I got mine for $24 on sale a few weeks ago. Jump on Amazon ($42) if you want it fast, or Seeed Studio's store website ($29) if you want it cheap. Then we can do this together! I'm going to drop the PDFs below from our class's MEGA server, the same one I set up and shared, which contains all the slides.

Seeed Studio Wio Terminal TinyML Courses: the intro courses will teach us how to create machine learning projects for a range of applications:

  • Autonomous vehicles: Neural networks can be used to detect obstacles in the environment and make decisions about how to avoid them.
  • Home security: Neural networks can be used to identify people and objects in videos captured by home security cameras.
  • Healthcare: Algorithms can be used to detect anomalies in medical images or to predict the risk of diseases.
  • Industrial IoT: Neural networks can be used to classify different types of data from industrial sensors.
  • Retail: Neural networks can be used to identify items in images of merchandise and to recommend products to customers.









My First Project Wio Terminal : Full Spectrum WiFi Visual Analyzer