Turning a Regular AVR Microcontroller into a Human Interface Device (HID) for Hacking & Penetration Testing
Rhythm Kr Dasgupta
Email: [email protected]
Abstract: Leaving your computer unlocked while you are away, even for seconds, can give hackers all the time they need to obtain your personal information from it. This paper details the research and development needed to turn a regular AVR microcontroller into a USB Rubber Ducky device that runs its payload and performs the attack (e.g. sending user information to the hacker) on a Windows machine in mere seconds. Each stage is laid out, discussing the use of Ducky Script, PowerShell, mimikatz, and re-enabling the vulnerability. Details of the attack on Windows 10, Mac and Android devices will be presented.
Keywords: ATtiny85 chip, Ducky Script, hacking, payload, scripting, PowerShell, mimikatz, Duck Toolkit, Arduino.
1. Introduction
Every computer, including desktops, laptops, tablets and smartphones, takes input from humans via a keyboard. This is possible because the ubiquitous USB standard includes a specification known as Human Interface Device (HID). In practice this means that any USB device claiming to be a keyboard HID will be automatically detected and accepted by most modern operating systems, including Windows, Mac OS, Linux and Android.
Because USB device firmware cannot be scanned by the host machine, antivirus software cannot detect or defend against this attack. Any device that communicates over USB is susceptible to this kind of attack, and the USB interface in general is a dangerous attack vector. In many organizations the use of USB flash drives is restricted because of their potential for use as a hacking tool or for malware delivery. Once connected to a host computer, this hacking device poses as a keyboard and injects a preloaded keystroke sequence. Recently an even more insidious form of USB-based attack has emerged, known as BadUSB: a BadUSB device registers as multiple device types, allowing it to take covert actions on the host machine. For example, a USB flash drive could register itself as a storage device or as a keyboard, enabling it to inject malicious scripts. This functionality is present in the ATtiny85 penetration testing tool.
2. Hardware for Making this Hacking Device
1. ATtiny85 chip (512 B RAM, 8 KB flash, 20 MHz)
2. Voltage regulator IC (78M50)
3. 1 x 10k ohm resistor, 1 x 220 ohm resistor
4. SMD LED
These are the main components of the hacking device. With a PCB made for it, the whole project becomes compact and looks like a pen drive.
3. Tools and Technologies
In this project we used an ATtiny85-based development board and installed the "micronucleus tiny85" bootloader, version 1.02, an open-source bootloader project [https://github.com/micronucleus] originally written by Bluebie [https://github.com/Bluebie]. The bootloader is the code that makes the USB device programmable from the Arduino IDE.
Picture 1.1: Circuit diagram of the ATtiny85-based hacking device.
4. Script and Software Configuration
Here we use the Ducky Script language, a high-level scripting language. Scripts can be written in any common ASCII text editor such as Notepad, vi, emacs, nano, gedit, kedit, TextEdit, etc., and at the end we convert the whole script into an Arduino sketch.
Picture 1.2: USB hacking device, ATtiny85 development board.
Ducky Script Syntax:
Commands are written in ALL CAPS. Most commands invoke keystrokes, key combos or strings of text, while some add delays or pauses. Below is a list of commands and their functions, followed by example usage.
a) DELAY: DELAY is handy for creating a pause between sequential commands that the target computer may need some time to process. The DELAY time is specified in milliseconds, from 1 to 10000. Multiple DELAY commands can be chained to create longer delays. Example:
    DELAY 500
b) DEFAULT_DELAY or DEFAULTDELAY: DEFAULT_DELAY defines how long (in milliseconds) to wait between each subsequent command. It is optional, but if used it must be issued at the beginning of the Ducky Script. Not specifying DEFAULT_DELAY results in faster execution of the script. This command is mostly useful when debugging. Example:
    DEFAULT_DELAY 100
c) REM: As with the REM command in BASIC and other languages, lines beginning with REM are not processed. REM is a comment. Example:
    REM This line is a comment
d) STRING: STRING accepts a single character or multiple characters. Example:
    STRING notepad.exe
e) GUI or WINDOWS: The Windows key, sometimes referred to as the Super key. Example:
    GUI r
f) MENU or APP: On Windows systems this is similar to the SHIFT F10 key combo, producing a menu similar to a right-click. It is sometimes referred to as the menu key or context-menu key. Command:
    MENU
g) SHIFT: The SHIFT command can be used when navigating fields to select text, among other functions. Command: SHIFT DELETE, HOME, INSERT, PAGEUP, PAGEDOWN, WINDOWS, GUI, UPARROW, DOWNARROW, LEFTARROW, RIGHTARROW, TAB.
h) CTRL or CONTROL: Equivalent to the Windows CTRL key. Command: CONTROL/CTRL BREAK, PAUSE, F1...F12, ESCAPE, ESC, Single Char.
i) ALT: The ALT key is instrumental in many automation operations. ALT is envious of CONTROL. Command: ALT END, ESC, ESCAPE, F1...F12, Single Char, SPACE, TAB.
k) Extended Commands: REPEAT, BREAK or PAUSE, CAPSLOCK, DELETE, END, ESC or ESCAPE, HOME, INSERT, NUMLOCK, PRINTSCREEN, SPACE, PAGEUP, PAGEDOWN.
5. Ducky Script Converted to an Arduino Sketch
Ducky Script is the language of the USB Rubber Ducky, but the ATtiny85 microcontroller does not understand Ducky Script. With this simple scripting language anyone is able to craft payloads capable of changing system settings, opening backdoors, retrieving data, initiating reverse shells, or basically anything that can be achieved with physical access, all automated and executed in a matter of seconds. So we have to convert the Ducky Script into an Arduino sketch using the HID library (or any online Ducky Script to Arduino converter) in the Arduino IDE and burn that sketch to the ATtiny85 development board.
Ducky Script for printing "Hello World" in Notepad:
    DELAY 3000
    GUI r
    DELAY 500
    STRING notepad
    DELAY 500
    ENTER
    DELAY 750
    STRING Hello World!!!
    ENTER
The Ducky Script converted to an Arduino sketch:
    // The two header names were lost when the paper was extracted; HID-Project.h is
    // assumed here, since it supplies both Keyboard and AbsoluteMouse used below.
    #include "HID-Project.h"
    // Utility function: press and release one key
    void typeKey(int key) { Keyboard.press(key); delay(50); Keyboard.release(key); }
    void setup() {
      // Start Keyboard and Mouse
      AbsoluteMouse.begin(); Keyboard.begin();
      // Start Payload
      delay(3000);                                                              // DELAY 3000
      Keyboard.press(KEY_LEFT_GUI); Keyboard.press('r'); Keyboard.releaseAll(); // GUI r ('r' is ASCII 114)
      delay(500);                                                               // DELAY 500
      Keyboard.print("notepad");                                                // STRING notepad
      delay(500);                                                               // DELAY 500
      typeKey(KEY_RETURN);                                                      // ENTER
      delay(750);                                                               // DELAY 750
      Keyboard.print("Hello World!!!");                                         // STRING Hello World!!!
      typeKey(KEY_RETURN);                                                      // ENTER
      // End Payload
      // Stop Keyboard and Mouse
      Keyboard.end(); AbsoluteMouse.end();
    }
    // Unused
    void loop() {}
This hacking device isn't an ordinary HID (Human Interface Device): it is coupled with a powerful 20 MHz 8-bit timer/counter. Burn this Arduino sketch onto the device and it is ready for the attack.
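The conversion in this section is mechanical, so here is an added Python example (written for this edit, not the paper's code or any converter project's) that parses the Ducky Script subset documented in Section 4, enforces the stated constraints (DELAY within 1 to 10000 ms, DEFAULT_DELAY only before other commands, REM ignored) and emits Keyboard calls in the form of the sketch above. The key table and the HID-Project.h include are assumptions; the same parser lets a reviewer read off exactly which keystrokes a payload file would inject.

```python
import re

# Ducky key names from Section 4 mapped to Arduino Keyboard.h constants (partial table).
KEYS = {"ENTER": "KEY_RETURN", "ESC": "KEY_ESC", "ESCAPE": "KEY_ESC", "TAB": "KEY_TAB",
        "DELETE": "KEY_DELETE", "HOME": "KEY_HOME", "END": "KEY_END", "INSERT": "KEY_INSERT",
        "PAGEUP": "KEY_PAGE_UP", "PAGEDOWN": "KEY_PAGE_DOWN", "CAPSLOCK": "KEY_CAPS_LOCK",
        "GUI": "KEY_LEFT_GUI", "WINDOWS": "KEY_LEFT_GUI", "CTRL": "KEY_LEFT_CTRL",
        "CONTROL": "KEY_LEFT_CTRL", "ALT": "KEY_LEFT_ALT", "SHIFT": "KEY_LEFT_SHIFT"}
MODIFIERS = {"GUI", "WINDOWS", "CTRL", "CONTROL", "ALT", "SHIFT"}

def key_const(tok):
    # One key token -> the argument that Keyboard.press() expects.
    if tok in KEYS or re.fullmatch(r"F([1-9]|1[0-2])", tok):   # named key or F1..F12
        return KEYS.get(tok, "KEY_" + tok)
    if len(tok) == 1 and tok not in "'\\":
        return f"'{tok}'"                                        # single character, e.g. 'r'
    raise ValueError(f"unknown key {tok!r}")

def convert(script):
    # Returns (errors, sketch); enforces Section 4: DELAY is 1..10000 ms, DEFAULT_DELAY comes first.
    body, errors, default_delay = [], [], 0
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("REM"):                   # REM is a comment line
            continue
        cmd, _, arg = line.partition(" ")
        try:
            if cmd in ("DEFAULT_DELAY", "DEFAULTDELAY"):
                if body:
                    raise ValueError("DEFAULT_DELAY must be the first command")
                default_delay = int(arg)
            elif cmd == "DELAY":
                if not 1 <= int(arg) <= 10000:
                    raise ValueError("DELAY must be between 1 and 10000 ms")
                body.append(f"delay({int(arg)});")
            elif cmd == "STRING":                                # types the literal text
                text = arg.replace("\\", "\\\\").replace('"', '\\"')
                body.append(f'Keyboard.print("{text}");')
            elif cmd in MODIFIERS:                               # combos such as GUI r, CTRL ALT DELETE
                presses = [f"Keyboard.press({key_const(k)});" for k in [cmd] + arg.split()]
                body.append(" ".join(presses) + " Keyboard.releaseAll();")
            else:                                                # bare key such as ENTER or F5
                body.append(f"typeKey({key_const(cmd)});")
        except ValueError as e:
            errors.append(f"line {no}: {e}")
    if default_delay:                                            # pause after every command
        body = [c + f" delay({default_delay});" for c in body]
    head = ['#include "HID-Project.h"  // assumed header; the paper\'s listing lost its names',
            "void typeKey(int key) { Keyboard.press(key); delay(50); Keyboard.release(key); }",
            "void setup() {", "  Keyboard.begin();"]
    return errors, "\n".join(head + ["  " + c for c in body] + ["  Keyboard.end();", "}", "void loop() {}"])
```

Feeding it the "Hello World" script above reproduces the sketch's Keyboard calls; feeding it a script with a DELAY outside the allowed range or a misplaced DEFAULT_DELAY returns the offending line numbers instead.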
6. Troubleshooting
By default the Arduino IDE doesn't support the ATtiny85, so we have to add the ATtiny boards to the IDE. Open File -> Preferences and, under "Additional Boards Manager URLs", enter this URL: https://raw.githubusercontent.com/damellis/attiny/ide-1.6.x-boards-manager/package_damellis_attiny_index.json
Uploading the program to the ATtiny85: back in the Arduino IDE, select ATtiny under Tools -> Board, then ATtiny85 under Tools -> Processor, and 8 MHz (internal) under Tools -> Clock. By default the ATtiny85 runs at 1 MHz; to make it run at 8 MHz, select Tools -> Burn Bootloader.
7. Future Research
This project can be extended in several ways:
1) A proof-of-concept program that reprograms the firmware of a class of Apple internal iSight webcams so that an attacker can covertly capture video without the LED indicator warning.
2) DNS override by modified firmware: the firmware of a drive is modified so that it emulates a USB-Ethernet adapter, which then allows local traffic to be hijacked.
3) Attacks on smartphones via the USB port: attackers can hide and deliver malware via USB phone chargers.
4) Buffer-overflow-based attacks: several attacks rely on exploiting OS buffer overflows when a USB hacking device is inserted into a computer. This is possible because operating systems enumerate the device and its functions (running certain predetermined operations) when a USB device is inserted.
5) Driver update: a very complex attack that relies on obtaining a VeriSign Class 3 Organizational Certificate and submitting drivers to Microsoft that are then automatically delivered and installed on user PCs when a certain USB device is inserted. This attack is possible, but very hard to pull off in the real world.
8. Objective
The Atmel ATtiny85 processor allows for an incredibly small form factor. The USB interface of this device lets the processor be programmed over USB power and run the Ducky Script that turns the device into a Human Interface Device (HID). Building on an attack platform that was highly effective against local Windows targets, the Hak5 community developed a new kind of attack, this time cross-platform (Windows, Mac, Linux), which achieves deadly results by posing as a ubiquitous keyboard. All automated and executed in a matter of seconds.
• Cross-platform: attacks any OS that supports USB keyboards and mice.
• Simple scripting language: start writing payloads in minutes.
• Open-source firmware: add functionality using the included libraries.
• Open-source Ducky Script to Arduino sketch converter.
9. Conclusion
This paper focused on how Ducky Script can be used and the resulting program burned onto the ATtiny85 chip using the Arduino IDE. We demonstrated the process of writing a malware payload that exploits a Windows vulnerability to launch an attack on a victim's machine. The payload can be executed from the victim's machine or remotely. Our aim in this project was to create the malware and launch the attack remotely against a Windows machine.
10. Acknowledgements
This project required genuine effort. Nevertheless, it would not have been realizable without the assistance and help of many individuals and organizations. The various tutorials and resources on the official USB Rubber Ducky website made the initial work easier.