Thanks for coming. I'm going to talk a little bit about having some fun with USB and little devices, namely the BeagleBone Black. So what I'm going to talk about in particular is a pocket-sized device that can be used as a drop box, something you can battery-power for days; as a remote hacking drone you can control from up to two miles away; as an airborne hacking drone, which you get by combining one of these devices with an RC aircraft; and as a hacking console. All right, is that better? All right. Now, if I have to go to the chiropractor after this talk, I'll be going to see Mr. Moss for some compensation. All right. So I've talked about all these things at past conferences, and tonight I want to talk about some new functionality, which is what's in yellow here. In particular, I want to talk about how you can use devices such as the BeagleBone Black for some USB-based attacks, and you can do things like write-protect a flash drive that you might want to use on somebody's system. Do some USB impersonation. This is something I talked about at DEF CON 20 using a microcontroller-based device, and I'm going to show you how you can do that, and do it better, with a BeagleBone Black using bash shell scripting instead of custom C code. And also talk about something new, a scriptable HID device, also based on the BeagleBone Black.

So why should you care about any of this anyway? The BeagleBone Black running Deck Linux, which is my custom pen testing distro, is nice and small, very flexible, and can be networked with other devices in order to do some pretty sophisticated pen tests. You can show up with a small bag full of devices and do some really cool stuff, and it doesn't even cost you a lot of money.
So for less than the cost of your MacBook, you can have your little pen testing army, and because these are so useful, you might have one around with you. Today I want to talk a little bit about how you might be able to exploit some brief physical access that you have to a target and see what kind of damage you can do in just a couple of seconds.

So who am I? Some of you might have seen me around. I'm a professor at Bloomsburg University of Pennsylvania. I teach forensics, pen testing, fun stuff. Also an author. I wrote a book on Linux forensics, which was released this morning, a pre-release for all the people at DEF CON. We love you. Everyone else has to wait a couple of weeks and pay more. So by the way, if you want to get a copy of this book and a copy of the Hacker Gadgets book, come early tomorrow to the SecurityTube booth, because we're blasting through our copies. Also another book, Hacking and Penetration Testing with Low-Powered Devices. Been programming for a while, since about eight; in assembly since I was ten; hacking hardware since I was 12 or so. Also been known to fly, build planes, do other aviation stuff, and write courses for Pentester Academy and some other places.

So we're going to give you a real quick overview of Deck Linux on the BeagleBone Black, the BBB, and talk about how you can export an attached USB drive, and how you can write-enable that exported drive. This is some stuff that I talked about at Black Hat Europe in 2012. Then we'll talk about USB mass storage device impersonation, which, as I said, we talked about at DEF CON 20. And also talk about something new, a scriptable USB HID keyboard.

So, Deck Linux. Deck Linux is based on Ubuntu. It's optimized for the BeagleBone Black and similar stuff. You can use it as a drop box or a hacking console. And here are a couple of devices running it. So you can see I have a quadrotor running it. It's what I call the AirDeck.
So you can fly in, hack people, fly away. And I have the Hacktar. I've got a nice little system hidden inside a Rockman guitar. One of my favorites, though, has got to be the Trojan Dalek in this picture. He's got a nice little BeagleBone running Deck Linux and an Alfa adapter. And it's a USB-powered toy, which is awesome. So, like, you know, you find a Doctor Who fan at your target company and you give them a present that keeps on giving back to you. And I of course have some lunchbox computers. And I'm doing a demo lab tomorrow at noon if you want to see some of these devices in person.

So I've added a few modules. The MeshDeck, which uses XBee ZigBee networking to control your army of devices from up to two miles away. And also the 4Deck, to do some forensic stuff. And today I wanted to talk about the UDeck, the USB-based attacks.

So first of all, a little bit about USB on Linux. USB on Linux is often done using gadgets. So there's a USB gadget composite device, and it's a composite device that has many devices in it, such as mass storage, audio, networking, and all kinds of good stuff. And if you have a version four or higher kernel, you can also have it as a HID, a keyboard and/or mouse.

So what about the BeagleBone Black? If you have a BeagleBone Black, by default it creates a g_multi device, a gadget multi composite device. And it normally will export the boot partition. The reason it does this is, if you screw up your BeagleBone, you want to be able to boot it sometime in the future, right? So the way that this is done is they export your boot partition so that you can fix it, so the thing actually boots again. And it's also normally configured to set up Ethernet over USB. And typically what happens, unless you change the defaults, is the BeagleBone Black shows up as 192.168.7.2, and your PC has the 192.168.7.1 address. Some Linux distributions that you might run will also start a getty terminal process as well.
Now, unfortunately, the defaults will conflict with what we want to do. So another warning I will give you: never export a mounted file system unless it's read-only on both ends. It is not cool to take your root file system, or something else that you're writing with your OS, and export it so that somebody else can also write it.

So how does this work? In order to export a USB mass storage device, here's a little snippet of some shell script. First you need to stop the getty device, or the getty process, I should say, if it's running. And by the way, on the DEF CON CD, you should have all this stuff. So don't think you have to take pictures and then type this stuff in later. It should be on the DEF CON CD, and it will also be available for download other places later. And then you have to unload the module that is the g_multi device using modprobe -r g_multi. And then I set up a couple of variables to store what's been exported. And then I have this simple little loop that says, hey, if there's something called /dev/sd-something, well, if it's on the BeagleBone Black, that must be a thumb drive that you installed. So I go through there, a little bit of shell script magic, and if it's there, I unmount it and I add it to my list. Then I strip off some commas from that list and then I export it. So I set some variables for a vendor and a product ID.

Now, how many of you are familiar with bash scripting? How many of you are gurus of bash scripting? Who knows what the dollar sign double parenthesis is for? I don't see a single... okay, I see one hand, I see one hand halfway. It's like, I think, no, but I don't want them to call on me. It's not school. Okay? For those of you who don't know, this puts bash in math mode. So you'll notice that vendor and product have been set up as integers, and this allows you to do things like increment them. Otherwise, these things get treated like strings. So just a little tip. Again, you can get all this code off the CD.
So I echo (what did that come from? Echo. The translators should have fun with that one, by the way) the vendor ID to a temporary file, as well as the product ID, in case I want to mount this again as writable later. And then I run a modprobe command where I give it g_multi and I give it file= as an argument. Now, this will take a list of comma-separated partitions that you want to mount. I tell it cdrom=0, which means I am not a CD-ROM. And I set it to read-only, and I give it read-only for all of the partitions that I'm mounting. Say yes, it's removable. And set the vendor and product ID. Although honestly, for this purpose, just to write-protect it, I don't need to do that. But we'll see later, when we try to do impersonation, why this comes in handy.

So let's try a demo. At the first ever Friday night keynote. Okay. Doesn't look like we have any audio. So let's see if I can remember how this goes. All right. So here I have a shell. It's an exciting shell. Oh, here we go. All right. So this is the default behavior. I plugged in the BeagleBone and it's exported the root file system. And you'll notice that it just connected me to the network. So this is kind of what happens by default. I do... please stand by. Is it this? It's not this. Yeah. Are you in? First I'm going to SSH into my BeagleBone. I'm going to run a script. All right. Let's try that one again.

In this video, I want to show you what happens when you normally plug in a BeagleBone Black. So here I have a BeagleBone Black, and I'm just going to plug it in to my Ubuntu laptop here. And it's going to load that USB multi module. So it'll take just a little bit. And what you'll see is my computer is going to display a message saying that it's connected another network device. And as you can see, it's also pulled up the boot partition from my eMMC. And there you have it. It's connected to wired connection 2. And here's my boot partition. There's not a lot on it.
And again, it's done so that you can recover a broken system. So you can go in there and fix something you screwed up on the boot. So here I am on my computer. If I do an lsusb, I will notice here's that new Linux Foundation multifunction gadget. And if I do an ifconfig, I will see, sure enough, here's eth2. It's statically assigned IPs. And it will give you 192.168.7.1 on the PC side and 192.168.7.2 on the BeagleBone side. So if I do a ping, there it is. Great. So that's the default.

So what if we want to export a drive? First I'm going to SSH into my BeagleBone. I'm going to run a script. And again, what do you see? You see on my Ubuntu laptop that it was disconnected, because that device has gone away. And what showed up on my other screen is, here is a partition from that device. So this all worked. So let me go and open a shell on my Linux machine. If I do a mount, you're going to see right here I have a read-only mount, just as I wanted. So there you have it. I have exported a thumb drive that was plugged into my BeagleBone Black to a PC as read-only.

All right. Now one thing I should also point out: in this demo I'm running a series of scripts, but you could very easily, you know, set up some buttons and things on the BeagleBone Black to do this. Just to make the demos a little bit simpler for this talk, I didn't do that. But it's very easily done.

All right. So now, if you decide that you're ready to make it writable, maybe you're trying to exfiltrate some data, please do this after you kill antivirus. And I will leave it up to you to interpret the acronym DFIU. And those of you who've ever been to Hacker Jeopardy should know what that means. So you can easily remount it using another bash script. And basically I just look for that temporary file and I say, hey, let's redo that and just make it writable. And it goes kind of like this.
So now you've gone on to the system, you've used all the tools that you had on your thumb drive, which was mounted as read-only. You've killed antivirus and all those other things, and it's time to exfiltrate some data. So how can you do that? Well, you just need to remount your drive as readable and writable. Like so. Done. I go back to my PC. You'll notice my PC popped up this drive. I also will get reconnected on my Ethernet here on my laptop. If I run mount, you will see that, sure enough, there you have it. I now have a readable and writable partition that has been exported from the thumb drive attached to my BeagleBone Black. And it was that simple.

All right. So let's have some fun now. Let's talk about USB mass storage impersonation. So, you know, some people think they can block users from mounting unauthorized thumb drives. And typically you're going to do this using some endpoint security software and/or some rules, such as udev rules, to filter by VID and PID. Now, as I said before, I presented a microcontroller-based device at DEF CON 20 on how to do this. But you can do the same thing with the BeagleBone Black and some shell scripting. Now, one important thing to note here is that you can get a lot better performance. The microcontroller-based device that I showed was only capable of full speed, or 12 megabits per second, versus high speed, or 480 megabits per second, that you can get with the BeagleBone Black.

So basically, you have a little bit of setup. And again, all this should be on the CD. I've got a usage statement. I declare as integers vend and prod, so that's where you get the declare -i, and a delay. And I parse some arguments, and I snipped that. It's just kind of boring stuff. And this is a picture, by the way, of that device that I presented at DEF CON 20. So step two, you need to unmount the drive. So how do you do that? You check and see if the getty process is running. If it is, you stop it. You also unload g_multi and set up some variables.
And this looks very similar to our previous script, with one important difference. And that comes up right about here. By the way, hopefully your unmounting is a little bit more graceful than this lady in this picture getting off this horse. All right. So I have a file with the entire Linux VID/PID database. So what you can do is spin through this file and see if it gets mounted or not. And if it gets mounted, it's not getting blocked. You just say, great. And there you go.

So let's have a little demo of this. All right. So now let's have some fun with some USB impersonation. So I'm going to go ahead and run lsusb. And now I'm going to plug in a SanDisk drive. And I'm going to rerun lsusb. You can see that it mounted successfully. Here it is. So I want this to impersonate something else. So how am I going to do that? I'm going to do that using my BeagleBone Black. So let me go ahead and unplug this, and I'll plug in the BeagleBone Black. All right. So now I've logged on to my BeagleBone Black, and I'm going to go ahead and run my script. And I'm going to let it run through a couple of these. And you can see that it's mounted. I'm not actually blocking in this case. But if you've seen my talk at DEF CON 20, you know about how that works and everything. So now if I go back to my Linux machine, I will see that, sure enough, if I run my lsusb, boom, my little SanDisk drive has suddenly become a Kingston drive. So there you have it. I was able to do this with a microcontroller-based device and some custom coding. And now I've done the exact same thing with a little bit of shell scripting and a BeagleBone Black. All right. So again, a lot faster, 40 times faster.

But now let's have some real fun. Let's do something completely new and show you how you can make a USB HID device. Again, completely in bash script. You don't even have to write Python. Not that I don't love Python. And I'll show you some Python script that you can use with this. But how do you do this?
Well, step one, you have to unload that g_multi. And this should look kind of familiar by now. Now step two, you have to create something called a config file system, configfs. It's a special pseudo file system, if you will. By the way, this lovely little picture here talks about how you shouldn't mix configfs and a separate gadget. I didn't make this. So there are enough people that know that this is a problem that I actually found this little picture on the Internet. So you have to configure a file system, and you will probably have the base directory where this is mounted under /sys/kernel/config. And if it's there, you might have something mounted. So you want to unmount it and then mount a new configfs at that place.

And then you have to create a device. So how does that work? You take that area and you make a directory for your keyboard device, and you echo vendor IDs, product IDs, you know, pick your favorite. And you echo a device and USB version, as I've done here. You add a configuration. So here I have a configuration. I make a new directory and I echo things like the maximum power. And I create new directories, hid.usb0, and echo some more stuff like the subclass, protocol, report length, et cetera. And then I finalize it.

So step five, you need a report descriptor. So those of you that know something about USB know that everything has descriptors to describe it. They're used for a lot of things. And there's something called a HID report descriptor that's used to define reports from keyboards, mice, joysticks, et cetera. So you need one of these things. And what you have to do is create a symlink for your configuration and activate it. So first you copy this report descriptor. I have it just as a bin file and copy it into my configfs. Create a symlink, and then echo, you know, hdrc.0.auto to the specific place. And then, boom, you have a device. So this is the eye test slide for this talk.
Now, I don't expect you to be able to read this. I just put this in here so that when you get the slides back you can see it. But this is the details of what's in that binary file, and descriptions for every single byte of what this report descriptor looks like. So that's boring. Let's have a demo.

So now we're going to go ahead and create our HID device. So first I'm going to run my script, create hid. And if I go back now to my Linux system and I do an lsusb, I will see a new device. Now, Linux is a little bit smarter than Windows. So for the Linux devices it just comes up and it says 1337:1337, because it will actually look it up. If you give it a fake vendor and product ID, it'll say, no, that's not right. I know that that's not right. So, as in general is the case, it's a lot smarter than Windows. So there you have it. I have my VID/PID now. If I do an lsusb -v -d 1337:1337, you'll see it gives me a bunch of information, and right here it tells me this is in fact a HID and it's a keyboard.

All right, so now we have a device, but we're not quite ready to do anything useful with it. So in order to do something useful with this device, you have to send some reports. And the format for these reports is pretty simple. There is a modifier, so do you have a shift key, control key, which shift key, et cetera. And there's a reserved byte, and then we have a bunch of key codes, and you're allowed to press up to six keys at a time. Why you would want to do this, I don't know, but it's in the spec. So how can you do this? Now I should say this: you've created the device and you can just echo stuff to the device, again on the command line. But who wants to do that? We like Python. Python is every pen tester's friend. So how can you do this in Python to make it a little easier? So some preliminaries in the Python code: you import a few things like struct and time, and I define key modifiers for the different shift keys, et cetera.
And then I create this little list of ASCII-to-key mappings so that you can map key codes to ASCII codes. Because of course they're not the same. Why would they be the same? That would be easy. If it's easy, then people won't get jobs. We have to make it hard. You have to be smart to do this stuff, and then we get paid more money. So the next thing I do is I create a HID class. And how many of you are familiar with Python? Okay. So you know how to create classes in Python, and here I have a constructor where you can optionally pass in the HID device file name, and I define a whole bunch of nice little helper functions, such as send key. Now, if you send a key, you have to send two reports, unless you want to fill the screen with the same key. You have to send a report that says I pressed a key, and another report that says I stopped pressing the key. So that's what you'll see here. It writes the report, and then it sends a nice zeroed-out report, which means I stopped pushing buttons. And then of course I define some other helpful functions, such as send a shifted key, send a character, send a string, et cetera. And I didn't show it here, but I have a whole bunch of nice little hotkey things, such as please lock the screen, please flip the screen upside down if you're running Windows, bring up a terminal if you're running Linux, et cetera.

So let's do a simple Linux attack. So here in my script, I'm just going to type out your environment variables. I'm going to run nano and create a new file called hacked. And I'm just going to put in a couple of strings, "you're so hacked," and then I'm going to send some keys to exit nano and save your file, of course. And then I'm going to cat your password file to "got your passwords.txt," and then I'm going to clear the screen. So how does this look? So I've created the USB HID device, but we haven't done anything useful with it yet. And in order to do that, we can run our Python script.
So I'm just going to go ahead and run the script. I've attached to my Linux computer, and boom, I just ran a bunch of stuff. You didn't even see it. It was so fast. Now, if I do an ls *.txt, you'll notice that I created a new file, hacked, and another one called got your passwords. So if I cat hacked, I see it says you are so hacked. And if I cat got your passwords, it in fact brings up my password file. So there you have it. Pretty simple.

Now, hacking and attacking Linux is fun, but come on. Windows is more fun, right? I mean, Windows isn't good for anything else, so it might as well be good for an attack target. So let's do a simple little Windows attack. So, you know, like I said, what else is it good for anyway? So here what I'm going to do is I'm going to create a HID device. I'm going to send the Windows+R key, which says please run something. And then I'm going to send the line "notepad," please. And then I'm going to again put a bunch of text in a file. I'm going to send Alt+F and then X, which will save and exit. I'll hit Enter to say yes, please save my file. I'll send the line hacked.txt when it asks what I'd like to call that file. And then I'm going to send the Windows upside-down screen command, which will flip your screen upside down, and then I'm going to lock the screen. So it's a nice upside-down lock screen, potentially. So let's go ahead and run this. Now I'm going to go ahead and attack Windows. And there you have it. By the way, I sent a command to flip the screen, which didn't work in this case because it's running in a VirtualBox, but normally it would have. If I log back in and I look at my documents, I see a new file. So of course I could do some other fun stuff, but, you know, I think you guys get the point.

And given that it's late, just to let you know, if you have any questions, tomorrow at noon to two I'm doing a demo lab. Also you might find me chained to the SecurityTube booth over in the vendor area.
So one thing you can do there: yesterday I talked about this new device that's come out called a CatchWire. And the manufacturer has graciously donated some nice little bundles with their devices running my pen testing Linux that we're giving away, so if you drop by the booth you can register to win free stuff, which, who likes free stuff? I like free stuff too. So, you know, you can get a nice gift set. It's worth over 600 bucks. We've got 200, or not, 202, sorry, of those to give away, and of course you can always come by and say hello. So I'll have all my toys tomorrow. I'll have my lunchbox computers, I'll have a BeagleBone Black that's running this stuff, and a couple of CatchWires as well, if you want to see that. So everything I talked about today, everything I talked about yesterday, if you want to come, you know, get touchy-feely, it's that kind of conference, I'll let you touch my junk if you want to. Come tomorrow at noon. And so, thanks for coming at 7 o'clock on a Friday, and I'll see you guys around.
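The HID report format the talk describes (a modifier byte, a reserved byte, up to six key codes, with a press report followed by an all-zero release report) and the ASCII-to-keycode mapping its Python helper class builds, written out as an added example. This is not the speaker's Deck Linux code or the script on the DEF CON CD; it assumes the configfs gadget shows up as /dev/hidg0 (the usual name for the first HID gadget function, but an assumption here) and that it was created with the standard 8-byte boot keyboard report descriptor. The key usage IDs and modifier bits are the ones from the USB HID Usage Tables keyboard page.

```python
"""Scriptable USB HID keyboard sender for a Linux USB gadget.

Added example, not the talk's own code. Assumes the gadget character
device is /dev/hidg0 (assumption) and the standard 8-byte boot keyboard
report layout: [modifier, reserved, key1 .. key6].
"""
import time

# Modifier bits in report byte 0 (USB HID Usage Tables, keyboard page).
MOD_LCTRL, MOD_LSHIFT, MOD_LALT, MOD_LGUI = 0x01, 0x02, 0x04, 0x08

# Unshifted ASCII -> key usage ID (keyboard/keypad page 0x07).
_UNSHIFTED = {c: 0x04 + i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
_UNSHIFTED.update({c: 0x1E + i for i, c in enumerate("123456789")})
_UNSHIFTED["0"] = 0x27
_UNSHIFTED.update({"\n": 0x28, "\x1b": 0x29, "\b": 0x2A, "\t": 0x2B, " ": 0x2C,
                   "-": 0x2D, "=": 0x2E, "[": 0x2F, "]": 0x30, "\\": 0x31,
                   ";": 0x33, "'": 0x34, "`": 0x35, ",": 0x36, ".": 0x37, "/": 0x38})
# Shifted characters use the usage ID of the unshifted key plus Left Shift.
_SHIFTED = dict(zip("!@#$%^&*()", "1234567890"))
_SHIFTED.update(dict(zip('_+{}|:"~<>?', "-=[]\\;'`,./")))


def keycode(ch):
    """Return (modifier, usage_id) for one printable ASCII character."""
    if ch in _UNSHIFTED:
        return 0, _UNSHIFTED[ch]
    if ch.isupper() and ch.lower() in _UNSHIFTED:
        return MOD_LSHIFT, _UNSHIFTED[ch.lower()]
    if ch in _SHIFTED:
        return MOD_LSHIFT, _UNSHIFTED[_SHIFTED[ch]]
    raise ValueError("no HID key code for %r" % ch)


def report(modifier=0, *keys):
    """Build one 8-byte report: modifier, reserved byte, up to six usage IDs."""
    if len(keys) > 6:
        raise ValueError("boot keyboard reports carry at most six keys")
    return bytes([modifier & 0xFF, 0x00] + list(keys) + [0x00] * (6 - len(keys)))


RELEASE = report()  # all-zero report: no keys held, no modifiers


def encode_string(text):
    """Byte stream needed to type text: a press and a release report per character."""
    out = bytearray()
    for ch in text:
        mod, key = keycode(ch)
        out += report(mod, key) + RELEASE
    return bytes(out)


class MemorySink:
    """Dry-run sink that records reports instead of writing to the gadget."""
    def __init__(self):
        self.data = bytearray()

    def write(self, data):
        self.data += data

    def flush(self):
        pass


class HidKeyboard:
    def __init__(self, dev="/dev/hidg0", sink=None, delay=0.005):
        # A caller can inject MemorySink for testing; otherwise open the gadget device.
        self.sink = sink if sink is not None else open(dev, "wb", buffering=0)
        self.delay = delay  # small pause so the host keeps up with fast typing

    def _write(self, rep):
        self.sink.write(rep)
        self.sink.flush()
        if self.delay:
            time.sleep(self.delay)

    def press(self, modifier, *keys):
        """Send a chord (modifier + keys), then the release report."""
        self._write(report(modifier, *keys))
        self._write(RELEASE)

    def send_string(self, text):
        for ch in text:
            mod, key = keycode(ch)
            self.press(mod, key)

    def send_line(self, text):
        self.send_string(text + "\n")

    # Chords of the kind used in the talk's demos.
    def win_run(self):
        self.press(MOD_LGUI, _UNSHIFTED["r"])   # Win+R: Run dialog

    def win_lock(self):
        self.press(MOD_LGUI, _UNSHIFTED["l"])   # Win+L: lock the screen

    def alt_key(self, ch):
        self.press(MOD_LALT, _UNSHIFTED[ch])    # e.g. Alt+F for the File menu


if __name__ == "__main__":
    # Linux-style demo: type a command into whatever shell has focus.
    kb = HidKeyboard()
    kb.send_line("env > hacked.txt")
```

The release report after every chord is what keeps the host from auto-repeating the key; MemorySink lets you inspect exactly which reports a script would send before you plug the gadget into a target, which is worth doing because a wrong modifier byte on a real host can leave Shift or the Windows key "stuck" until the next all-zero report arrives.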