HackerFest 2018 and what we couldn’t fit into the lecture

Last week I had the opportunity to perform at HackerFest in Prague. I lectured with William Ischanoe on the topic of BadUSB attacks (the official title of the lecture was “Plug and Pray”). I think we “played” well together, complementing each other, and giving a lecture (but those are only my feelings; we need to get the audience feedback first).

Since we were unable to squeeze everything into 45 minutes, I would like to add what William and I only touched on on stage.

What was said at the lecture

I started from articles I have shared on the blog: “How to Hack a Computer in Seconds or Bash Bunny and Packet Squirrel Attacks” and “Hacking Gadgets: Hak5 Bash Bunny”. I have expanded and tweaked my thoughts. I’ve shot explanatory videos – I hope you liked them. I would like to show a similar (only shorter) lecture on October 13, 2018, at Barcamp in Hradec Králové. I would be very happy if you would give my lecture a like and come to see me. Admission is free and you will hear a lot of other interesting topics from different disciplines during the day.

Quick lecture content recap with William:

  • Theory: Present tip for business partners, quick theory on GoodUSB (or BadUSB), what Bash Bunny can do.
  • Demo 1: What happens when you go for water in a coworking space and do not lock your PC.
  • Demo 2: When the USB flash itself backs up your important data.
  • Demo 3: Hacking in movie vs. hacking in reality.
  • Theory: Bash Bunny is not the only thing, Raspberry Pi Zero W can work as well.
  • Demo 4: When an admin blocks your Facebook at work.
  • Demo 5: USB Flash, which has multiple faces (content).
  • Demo 6: Unique troubleshooting of untrusted certificates.
  • Conclusion: USB gadgets are like Toy Story – they come to life when you are asleep.

What didn’t fit into the lecture

And what did not fit into the lecture? Although HackerFest is mainly about attacks, I wanted to take a moment to defend against these attacks.

Methods of defence against USB attacks

I will mention caution in the first place. When you accept that USB is not just the “harmless” USB flash drive, and you know what is at risk, you can defend yourself. How?

  • Ideally, do not use USB at all

Have a PC without USB, disable USB in BIOS/UEFI, or physically block USB ports (e.g. with a USB port lock). It is clear to me that this will be an extremely restrictive solution for many people.

  • USB limits

If complete removal is unrealistic, limit USB instead. Few people plug in an unlimited number of devices, so it’s best to disable everything and “whitelist” only the devices we use. In Windows, you will use “Device Installation Restrictions” and in Linux “Kernel settings”. Antivirus products also offer similar functionality (e.g. device control in ESET antivirus).

  • Block unknown USB keyboards

This is the option if you have little time and do not want to tune things as much as described above. When you prevent an attacker from connecting to your system as a keyboard, most BadUSB attacks will not work. For example, you can protect yourself with the free G DATA USB Keyboard Guard. The app works as follows:

    • When you connect a new USB keyboard to your PC, the program notifies you and requires you to enable the keyboard.
    • The program prompts you to retype a random 4-digit code. You can only enter the code using a different, already connected keyboard (such as a laptop keyboard) or a mouse. For what reason? If you only needed to press the “allow keyboard” button, Bash Bunny might act as a mouse itself and click on the button (even if it is not able to do so yet).
    • The next time the keyboard is connected to the PC, the keyboard will be automatically enabled.
    • Since “an image is worth a thousand words” (and video even more), I have prepared a demo below. ☟
  • Do not connect a foreign device

If you do not want to install or configure anything, do not connect foreign devices to your PC. 🙂

Breaking the defense: How to bypass device control

Unfortunately, it is so. Once there is a defense, the other side starts to figure out how to break it. The next video shows you how to bypass ESET’s device control, which uses whitelisting. The bypass is not possible because ESET is poorly made; other manufacturers’ technologies can be bypassed in the same way.

These technologies recognize “whitelisted” devices according to PID (product ID), VID (vendor ID) and serial number. When you plug in a USB device, it reports these values itself. The fun part is that the device can lie and the system won’t recognize it. So your Bash Bunny can tell the system that it is your home Kingston DataTraveler.

In order to bypass whitelisting, the attacker already needs some information about how the victim’s network works. When they find that USB flash drives are disabled except for the XY model (or the owner’s flash drive), they simply “imitate” them.

More in this video ☟

What has happened in the video:

  • First, I have configured the ESET device control to only allow my flash drive: Kingston DataTraveler 2.0 with SN “001E4FB776D6BD21A75D002F”. I left the rest of the USB flash drives blocked.
  • I have pulled out the Kingston flash and plugged in the Bash Bunny. ESET blocked it.
  • I’ve used USBDeview to see how the system sees the connected USB devices. Note that each USB flash drive is different.
  • I have pulled the Bash Bunny out, switched it to another payload (which I had ready) and returned it to the notebook.
  • Now the Bash Bunny has not been blocked but allowed. The system thinks my Kingston DataTraveler is plugged in, which I have confirmed by looking at USBDeview again. 🙂
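
The defender's view of the demo above, as an added example that is not part of the original lecture or of ESET's product: a check that compares a device claiming a whitelisted identity against a fuller baseline recorded at enrollment. The VID, PID, bcdDevice values and the device records are constructed sample data; only the serial number comes from the article.

```python
from dataclasses import dataclass

MASS_STORAGE, HID = 0x08, 0x03  # USB interface class codes

@dataclass(frozen=True)
class UsbDevice:
    vid: str
    pid: str
    serial: str
    bcd_device: str            # device release number (bcdDevice)
    interface_classes: tuple   # bInterfaceClass of each interface

    def identity(self):
        return (self.vid.lower(), self.pid.lower(), self.serial.upper())

# Baseline captured when the stick was enrolled. VID, PID and bcdDevice are
# constructed sample values; the serial is the one quoted in the article.
ENROLLED = UsbDevice("0951", "1666", "001E4FB776D6BD21A75D002F",
                     "0110", (MASS_STORAGE,))

def id_only_allows(dev, enrolled=ENROLLED):
    """The check whitelisting performs: VID, PID and serial only."""
    return dev.identity() == enrolled.identity()

def baseline_findings(dev, enrolled=ENROLLED):
    """Reasons a device claiming the enrolled identity deviates from its baseline."""
    if not id_only_allows(dev, enrolled):
        return ["identity not on allowlist"]
    findings = []
    extra = sorted(set(dev.interface_classes) - set(enrolled.interface_classes))
    if extra:
        findings.append("unexpected interface class(es): "
                        + ", ".join(f"0x{c:02x}" for c in extra))
    if dev.bcd_device != enrolled.bcd_device:
        findings.append(f"bcdDevice {dev.bcd_device} != enrolled {enrolled.bcd_device}")
    return findings

# Constructed inventory records, e.g. as parsed from a USB device listing.
GENUINE = ENROLLED
IMPOSTOR = UsbDevice("0951", "1666", "001E4FB776D6BD21A75D002F",
                     "0333", (MASS_STORAGE, HID))
UNKNOWN = UsbDevice("abcd", "0001", "CONSTRUCTED0001", "0100", (MASS_STORAGE,))

if __name__ == "__main__":
    for name, dev in [("genuine", GENUINE), ("impostor", IMPOSTOR), ("unknown", UNKNOWN)]:
        print(name, id_only_allows(dev), baseline_findings(dev))
```

The extra fields are also reported by the device itself, so a matching baseline proves nothing; the check is useful for raising an alert when a whitelisted “flash drive” deviates from its enrolled profile, for instance by also exposing a keyboard interface.
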

Do you want to try the attack using your Bash Bunny?

You can’t do this purely with “payload.txt”. Officially, BB allows you to set only PID, VID and SN (this is not even in the documentation). Another disadvantage is that SN will be converted to uppercase.

But unofficially, BB supports more options. Below is a picture with a list of parameters supported by the kernel module used for USB device emulation. To bypass ESET device control, I needed the following parameters: “iManufacturer, iProduct, iSerialNumber, idVendor, idProduct”. I set them up by extending the script “/usr/local/bunny/bin/ATTACKMODE.” 🙂

More USB attack material that is worth reading

I came across these when I was preparing the HackerFest lecture. I think they are very useful.

Conclusion

If you have visited HackerFest 2018, I hope you have enjoyed our presentation as well as the whole festival. I have personally enjoyed a lot of great speakers, interesting topics and cool people. I’ll be happy to meet you at next year’s HackerFest.

Did you get an idea for improvement? Do you have a tip for another attack? Are you interested in a particular topic? Please email me, or share a comment. I look forward to your observations.  🙂
