Vincent Yiu
USBNinja

TL;DR: A bunch of hackers went and created a BadUSB in cable form, where charging of the phone still works.

Introduction

As Red Teamers we are always looking for means to compromise machines. Karsten Nohl had released his research on BadUSB.

Looking around, there were soon devices such as Hak5's RubberDucky[1] and BashBunny which were created to emulate a Human Interface Device (HID). Essentially these were programmable USB drives that would simulate a keyboard, or mouse, and enter keystrokes into the target machine they are plugged into.

The most common form of this attack is where the attacker physically plugs a USB device into an unlocked machine, and the device inputs the necessary keyboard shortcuts and keystrokes to execute a malware implant. On Windows this could be Windows Key + R to trigger the Run prompt, then typing in a command to fetch and execute a payload. On Mac it could be launching Terminal and then typing in a payload.
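The attack above only works because the host accepts whatever keyboard enumerates on the bus. As an added illustration (not code from this post or from the USBNinja project), the following is a minimal policy check in the spirit of Linux's USBGuard: known devices are allowed by vendor:product id and their expected interface set, and anything else that presents a HID interface is blocked, since a charging cable or phone should never show up as a keyboard. All ids, names and device records are constructed samples.

```python
"""Added example, not from the post: a minimal USBGuard-style device policy.

Blocks any newly enumerated device that exposes a HID interface (USB
interface class 0x03) unless its vendor:product id is allowlisted AND it
presents only the interface set expected of that device. Ids, names and
device records are constructed samples, not real hardware.
"""
from dataclasses import dataclass

HID_CLASS = 0x03           # keyboards, mice
MASS_STORAGE_CLASS = 0x08  # flash drives
VENDOR_SPECIFIC = 0xFF     # e.g. a phone's MTP/ADB interface


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    name: str
    interface_classes: tuple  # interface class codes from the descriptors


# Devices permitted to act as a keyboard (hypothetical corporate keyboard id)
ALLOWED_HID = {(0x1111, 0x0001)}


def evaluate(dev: UsbDevice) -> tuple:
    """Return ("allow" | "block", reason) for a newly enumerated device."""
    classes = set(dev.interface_classes)
    if HID_CLASS not in classes:
        return ("allow", "no HID interface")
    if (dev.vid, dev.pid) in ALLOWED_HID:
        if classes == {HID_CLASS}:
            return ("allow", "allowlisted keyboard")
        # vid/pid are trivially copied; an extra interface on a "known"
        # device is a spoofing indicator, so the id alone is not trusted.
        return ("block", "allowlisted id with unexpected extra interfaces")
    if MASS_STORAGE_CLASS in classes:
        return ("block", "storage device that also presents a keyboard")
    return ("block", "unknown device presenting a HID interface")


SAMPLE_DEVICES = [  # constructed enumeration records
    UsbDevice(0x1111, 0x0001, "corporate keyboard", (HID_CLASS,)),
    UsbDevice(0x2222, 0x0002, "phone in MTP mode", (VENDOR_SPECIFIC,)),
    UsbDevice(0x3333, 0x0003, "'charging cable'", (HID_CLASS,)),
    UsbDevice(0x4444, 0x0004, "drive + keyboard", (MASS_STORAGE_CLASS, HID_CLASS)),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        verdict, reason = evaluate(dev)
        print(f"{dev.vid:04x}:{dev.pid:04x} {dev.name:<20} {verdict:<5} ({reason})")
```

An allowlist of this kind is defence in depth, not a complete answer: a device can copy a permitted vid:pid and interface set, so it pairs best with keystroke-timing heuristics and user-facing prompts for new keyboards.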

Masquerade

We've always known that users cannot be trusted. Social Engineering has proven this greatly over the years, being the root cause of many breaches. In my opinion the RubberDucky, the BadUSB, just looks too suspicious. Many users are now being made aware that USBs are bad, and that we shouldn't just plug them in.

We set out to make a different device, one that is more covert and can masquerade as a legitimate day-to-day device.

USBNinja

My friends have worked closely with our Red Team expertise and practical experience to craft a new device known as the USBNinja. The USBNinja can come in many forms, the one that we will show you in this blog post is the USB charging cable. We've got other options such as conference dongles, USB fans[2], and more.

Of course, images don't really demonstrate capabilities, as all you can see is a cable. We've uploaded a quick demonstration video to YouTube.

Conclusion

I've spoken to people at different labs who have hardware expertise. Some also attempted the same project, but were not able to make the cable charge for whatever reason. My team of friends have managed to weaponize this capability to make a fully working USB cable that is also a compatible HID device.

Next-generation devices are coming with hidden contraptions using triggers such as magnets for physical mode switching, or even Bluetooth for arbitrary on-the-fly execution from a distance. These are in progress as we speak.

Credits

Vincent Yiu - Blog post, software, weaponization
Olaf Tan - ProxGrind
Dennis Goh - RFID Research Group
Kevin Mitnick - Mitnick Security Consulting

References

[1]: https://hakshop.com/products/usb-rubber-ducky-deluxe
[2]: https://www.washingtonpost.com/technology/2018/07/03/what-was-usb-fan-given-trump-kim-summit-security-experts-say-nothing-but-dont-plug-it/?noredirect=on&utm_term=.e0362077a5d0
[3]: https://threatpost.com/badusb-patch-skirts-more-effective-options/108775/