usb

Name: Anonymous 2013-06-11 9:53

how to make a usb to transfer the files in it to the pc to a specified location when it is plugged into the pc

Name: Anonymous 2013-06-11 10:07

how to make a goy to transfer the monies of it to the specify bank account when is plug into the geschäft scheme

Name: Anonymous 2013-06-11 13:25

Interesting question. You could make a standard keyboard HID device, but instead of having keys, it would send the same keystrokes when it's plugged in automatically.

Ok, what keystrokes am I talking about? Let's clear things up with an example. In this example, we want the USB stick to write the word hello to the file /home/retardix/hello.txt. The stick would emulate the following keypresses:

[ALT+F2]
konsole
[ENTER]
echo hello > hello.txt

Ok, this is pretty simple. Binary data could be written, for example, by piping echo to xxd -r or base64 -d.

Name: Anonymous 2013-06-11 13:59

>>3
But if you're redirecting files, why bother with the extra coding step?

Name: Anonymous 2013-06-11 14:07

>>3
Moral: never plug in random USB crap, because something posing as an innocent memory stick can easily give its originator bash access.

Name: Anonymous 2013-06-11 14:20

>>3
Windows-gods know not of such problems, fool!

Name: Anonymous 2013-06-11 14:28

>>6
While I was at Shmoocon 2010, I was given a Phantom Keystroker. It's a neat little USB dongle which looks like a thumbdrive that you could surreptitiously install in the back of someone's computer. The Phantom Keystroker acts as a keyboard/mouse USB HID (Human Interface Device) to send keystrokes, move the mouse pointer around randomly, toggle caps lock and other things to annoy your co-workers and loved ones. This started me thinking, what if you could make something like this that was programmable? There are all sorts of things you could do with it.

The Hak5 U3 USB switch blade is pretty cool, but lots of folks have autorun turned off by default now. That said, they don't turn off the adding of a new USB keyboard! A programmable USB key stroke dongle could replace U3 switchblades in places where autorun from removable storage is disabled. A USB HID device also does not need special drivers installed on modern operating systems, much like how a thumbdrive does not need drivers if the host supports USB mass storage. This would allow for doing things on a terminal quickly, and without drawing as much attention as sitting down in front of the terminal would. The person turns their head for a minute, the pen-tester plugs in their programmable USB key stroke dongle, and Bob's your uncle, instant pwnage. All sorts of commands could be run, but more on that later in the examples section.

The programmable key stroke dongle could be set to run by a timer. The pen-tester programs the dongle to wait for a certain amount of time after install before doing its thing, a time when the pen-tester suspects that a user with extra privileges will be logged into the target workstation. If timed right, all sorts of privilege escalation can happen. There are more options than just a timer however. If the dongle has a heat sensor or a photo resistor built in it could be programmed to dump its key stroke/mouse payload when the heater kicks in or the lights come on in an office. Think of the possibilities!

While at Shmoocon I saw the Hak5 crew setting up, and went by to talk to Darren and Snubs. I mentioned the Phantom Keystroker to Darren, and how I thought it would be great to be able to make a programmable one. Darren told me he had something to tell me later. It seems Darren (http://www.hak5.org/) and Robin Wood (digininja http://www.digininja.org) had been working on just such a project. Cool, great (or devious) minds think alike! I was looking forward to their product.

So, why would a pen-tester want one?

    1. Likely types faster than you can, without errors. This is important when physical access time to the target system is limited.
    2. Works even if U3 autorun is turned off.
    3. Draws less attention than sitting down in front of the terminal would. The person turns their head for a minute, the pen-tester plugs in their programmable USB key stroke dongle, and the box is popped as Dave Kennedy likes to say.
    5. The HID can also be set to go off on a timer when you know a target will be logged in, or by sensor when certain conditions are met.
    6. You could embed a hub and a flash drive in your package so that you have storage and the programmable USB HID all in one nice neat package.
    7. Embed your device in a USB toy or peripheral (lots of spare room in a printer or dancing USB penguin) and give it to your target as a 'gift'. Packaging that looks like a normal thumb drive is also an option.
    8. After your Trojan USB device is in place, program it to "wake up", mount onboard storage, run a program that fakes an error to cover what it is doing (fake BSOD for example), do its thing, then stop (leaving the target to think "it's just one of those things").

Just use your imagination!

What sort of commands would you use?

All sorts of things could be done:

    1. Add a user to the box or the domain.
    2. Run a program that sets up a back door.
    3. Copy files to your thumbdrive (see example code for how to find the flash drive by volume name)
    4. Go to a website they have a cookie for, and do some sort of transaction (sort of like CSRF, but hardware based).

I'd like to note one disadvantage of the device. The first time you plug in a USB HID it takes a bit of time to enumerate. This seems to take a little longer with a USB HID than a new U3 thumbdrive does. Still, I think there are many applications for this USB keyboard/mouse device.

What's in a name?

You know, 'A programmable USB keystroke dongle' is kind of a mouthful to say. I needed a shorter name for this sort of device. Lots of folks build their electronics projects in Altoids tins, so I thought about calling it MintyPwn, in honor of LadyAda's MintyBoost. Also, since it's a USB stick, and I planned to use DIP switches to select what keystrokes/mouse movements to send, DIPStick sounded like a cool name. Neither of those however really seemed to describe what the device was, so I thought maybe an acronym was in order:
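
Added example, not part of the original post or thread: a defender-side check built on two properties the post describes, that such a device shows up as a newly attached keyboard and types faster and more regularly than a person, possibly long after it was plugged in. The event format, device names and thresholds are assumptions, and the sample trace is constructed.

```python
from statistics import mean, pstdev

def _burst(dev, start, n, gap):
    """Helper for building constructed keystroke events at a fixed interval."""
    return [(round(start + i * gap, 4), dev, "key") for i in range(n)]

# Constructed trace of (seconds, device, kind); not captured from a real host.
HUMAN_OFFSETS = (0.0, 0.21, 0.35, 0.62, 0.74, 1.1, 1.19, 1.5, 1.66)
SAMPLE_EVENTS = (
    [(0.0, "usb-1.2", "attach"), (100.0, "usb-1.4", "attach")]
    + _burst("usb-1.2", 600.0, 24, 0.005)            # timer-delayed, machine-regular
    + [(101.0 + t, "usb-1.4", "key") for t in HUMAN_OFFSETS]   # person on a new keyboard
    + [(50.0 + t, "builtin", "key") for t in HUMAN_OFFSETS]    # never hot-plugged
)

def injected_keyboards(events, min_keys=8, max_mean_gap=0.03, max_jitter=0.01):
    """Return {device: start_time} for hot-plugged keyboards that produced a run
    of at least min_keys keystrokes that is both too fast and too even for a human.
    Thresholds are illustrative assumptions and need tuning against real typists."""
    hotplugged, stamps = set(), {}
    for ts, dev, kind in sorted(events):
        if kind == "attach":
            hotplugged.add(dev)
        elif kind == "key" and dev in hotplugged:
            stamps.setdefault(dev, []).append(ts)

    flagged = {}
    width = min_keys - 1                      # gaps needed to cover min_keys keys
    for dev, ts in stamps.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # Slide over the whole session, so a delayed payload is still seen.
        for i in range(len(gaps) - width + 1):
            run = gaps[i:i + width]
            if mean(run) < max_mean_gap and pstdev(run) < max_jitter:
                flagged[dev] = ts[i]          # when the suspicious run began
                break
    return flagged

if __name__ == "__main__":
    print(injected_keyboards(SAMPLE_EVENTS))
```

The check looks at the whole session rather than only the seconds after attachment, because the post describes devices that wait on a timer or sensor before typing.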

Name: Anonymous 2013-06-11 15:05

Shlomocon

Name: Anonymous 2013-06-11 15:09

pen-tester
I always read that as "penis taster"

Name: Anonymous 2013-06-11 15:10

>>9
top lel

Name: Anonymous 2013-06-11 15:14

>>9
``Penetration tester'' is already gay enough.

Name: Anonymous 2013-06-11 15:42

>>8
Actually, "Shmoocon" stands for Penis-con: http://www.thefreedictionary.com/shmo

Name: Anonymous 2013-06-11 15:48

>>10
>lel
>mfw
>mfw lel
>le implying lelface
>le reddityshiggity digeridoo

Name: Anonymous 2013-06-11 15:48

>>13
r u le mad? XD

Name: Anonymous 2013-06-12 0:57

>>10
you might be a retarded bigoted cunt, but you sure have a great sense of humor. every time I see a "top lel", I know I'm in for a treat.

Name: Anonymous 2013-06-12 1:04

i love groin egins in my backlelard

Name: Anonymous 2013-06-12 2:03

>>16
I liek ur post, I reddit (* ½ 10) times!
Keep shitLELposting!
