Hello, DEF CON 18. How are we doing? Hopefully y'all will be able to tolerate three hours of Arduino goodness, since the last two presentations had something to do with Arduino-based development environments as well. My particular talk is on what I like to call the Programmable HID USB Keyboard/Mouse Dongle for pen testing. And if you want more information, all right. How about this? All right, guys, hopefully I'll keep this close so y'all can hear me, especially in the back. If you want more information on this project, it's up on that very Google-index-friendly but very untyping-friendly URL. The slides that are currently on your CD are rather old. I will have these slides posted on my website relatively shortly. First of all, a few special thanks. Thanks to Tenacity Solutions for helping finance the project and for helping get me here. Kentuckiana ISSA for also helping to get me here. And of course PJRC for giving me some extra promotional materials and sending me some free hardware to start work on this project. If anybody wants any of their little flyers on how the Teensy is built and what the pinout is, come see me afterwards. First of all, a little bit about me. My name is Adrian Crenshaw. I run a website called irongeek.com. Thank you. I'm also a regular on the InfoSec Daily podcast, ISDpodcast.com. I'm on there usually every Thursday. The slogan for my website is "lifting dumbbells in the gym, supporting them at work." And I have an interest in InfoSec education. One of my main goals is basically to become a professor of sorts that goes around and teaches people about computer security. Now I don't know everything. I'm just a geek with extra time on my hands. While some people might be sitting around playing solitaire, I like to sit around and play Desktop Tower Defense and write security articles, make security videos, do research and so forth.
Now there are many things which I'm a noob on, but I have this theory that it takes a noob to teach a noob sometimes. For instance, people who have been doing computer security or any technical subject for years and years and years might take for granted what the student would know. For instance, I found this most of all when I was teaching a C106 class, which is like intro to computing. And I saw someone grab a mouse like this and try to use it. And I never thought to explain to them how to use a mouse. I also saw this one lady, she learned how to actually use the mouse backwards. And she got proficient with it. So if it works for her, that's all fine and good. But, you know, for instance, if you're really familiar with C you might take for granted that people would automatically know they have to initialize whatever variables they create. You know, stuff like that. So sometimes it takes a noob to teach a noob. Which is one of the things my website tries to specialize in. First of all, before I really get onto the meat of this talk, I want to give you a little bit of a story about how I got started on this project. I was giving a fireside talk called, I think, "a skinny baiting in funny pots," basically about how to screw with attackers, at ShmooCon this year. I was one of the fireside talks. And I was given a speaker's gift and it was this little thing called a Phantom Keystroker. You plug it in, it does stuff like type random characters, moves the mouse around, jiggles it, turns caps lock on and off. This thing is to annoy. It was meant to be a prank. But it started me thinking, what could I do if I could program this bad boy? So I started looking around for something to program. But the first thing I did was, I was there and there were a couple of other people roaming around ShmooCon with me.
Well, I'd known that Darren Kitchen from Hak5 had done a lot of work with U3 thumb drives, which you plug in and one part of the drive looks like a CD and you can use the autorun functionality to automatically fire off a payload. Well, a lot of people now are getting smarter at that and are turning off autorun. So I was thinking, well, what if I could do this little keyboard dongle that you plug in and it automatically starts sending keystrokes to do much the same thing. So I brought the idea to Darren and he told me they'd kind of already been working on that. They were going to send me some demo stuff to look at. But I got impatient. So I started looking around for how to build one myself. And actually we came across the exact same chip, the Teensy, which I'll talk more about in a second. Also Robin Wood was involved in the project. I don't know if you all know Robin Wood, but he does a lot of really cool coding projects. Great guy. Definitely go out and check his work, and if you get a chance to see some of the work he's done on using social networks for botnet command and control, interesting stuff. There are little things called the USB Rubber Ducky and they actually have a forum out there for extra information. If you want more information on using these kinds of devices on Macintoshes, that's definitely a good place to go. Okay. Playing with the idea. For those that didn't want to wait for them to get a product out, for those that, as I like to say, go ugly early, I decided to put out some notes on how to basically build one of these devices that will act as a keyboard and mouse that you can program. Free notes. I'm new to microcontrollers. I suck at soldering. Or at least I did a few months ago. I've gotten better. Or as I used to say, when I soldered it was like an epileptic alcoholic with the DTs soldering with an aluminum baseball bat. Like I said, I'm still not great.
This guy named Scott Moulton, you may have seen some of his talks. I was in a Fry's with him and I was like, I need to get better at soldering. I kind of suck. It doesn't look good. The joints are bad. And he was showing me all this really expensive equipment to buy. And if you're a guy like him who replaces, you know, hard drive controller boards and does surface mount soldering, you really need that stuff. But I'm dirt cheap. So, you know, I went with what I could find. I apparently also suck at rotary tools, as you'll see in some of my packaging pictures. Okay, let's go into why you might want a programmable HID USB keyboard dongle. First of all, it's likely going to type a lot faster than you can without errors. So, you know, instead of going up behind someone's machine and starting to type, you can just plug this in surreptitiously in the back of the machine and have it do the commands you want, like maybe add an account or whatnot. It works even if U3 autorun is turned off. Most everything I played with, if you plug in a HID device, that's human interface device, like a keyboard or mouse, it automatically installs and goes. It draws a lot less attention, like I was saying before, than sitting down in front of the terminal to type in your commands. Just plug it in and once it enumerates all the USB devices, installs it, it's good to go. Also, you can set it to go off on a timer. For instance, if there were a professor I knew, and I could get access to the machine during the day, I could plug this in, knowing they're going to be logged in for eight hours, and have it do something in eight hours. Just set it off to go on a timer. Or a better example would be if you know the admin is going to be in and you're on a physical pen test with permission, and you know the admin is going to be logged into the box in eight hours, plug this thing in the back, have it set to go off in eight hours, do your thing, add your account and do what you need to do.
Or a ton of other different payloads. I'm going to show you some payloads here in a bit. Just use your imagination on all the different ways that you could use one of these sorts of devices. Okay, what sort of commands would you want to use? Well, I've already suggested having it automatically add a user for you. That could be useful. Run any old program. For instance, you can't get autorun to work, but you can use this along with some storage built into the device to fire off any old script or exe that you have off of the storage. No problem. So basically you get around the whole autorun being disabled and still have very much the U3 thumb drive functionality. Copy files to your thumb drive for later retrieval. Like, I have a payload where you plug it in and it copies everything on the desktop to onboard storage so that you can parse that stuff and look at it later. Possibly dump password hashes or whatnot. Look at the current U3 payloads that are out there for further ideas on what you can do with this tech. Upload local files. If you don't want to use onboard storage, you could script it to where it automatically opens up a web browser and goes out to your site and starts uploading certain files off the system. Download and install apps. Fairly obvious. And something you can do is something kind of akin to cross-site request forgery, but not quite. Essentially, how many people here, when they get to a website that says "yes, remember me, stay logged in"? You lying bastards. I have no idea why that just closed on me. Hold on just a second. We've got some small issues. All right, now that I recall. We have a blue screen. Well, most of my payloads for this are written for Windows, and quite frankly, usually when I'm going to be targeting a system, it's going to be a Windows system. So that's why it's all targeting Windows. So I guess in the meantime, I'll do my best karaoke while I'm up here waiting for my machine as we restart.
See, I've had problems with live demos before, but generally the slides work. But this has even happened to Bill Gates, so you know. Hopefully we'll have this functional very shortly. Give some order to Bo. You can bring it on up here. That's okay. By the way, they were talking a little bit ago about fuzzing USB drivers and so forth. I'm pretty sure that that's part of what happened to me there. If you see a blue screen like that, you've got to wonder if a USB device is causing that; if you can get that kind of memory corruption to cause it to crash, can you cause it to do something else? That's something we'll have to do a little bit more looking into later. But anyway, cross-site request forgery. You all might be familiar with that, where you basically put some code on a website that automatically makes a request on a different website the person stayed logged in to, because they just chose, yeah, save this cookie and I want to stay logged into this service. So this isn't quite cross-site request forgery, but essentially you leave it, and if you know they stayed logged into Facebook or their bank account or whatnot, have it automatically make a transaction on that particular service to do whatever little evil tasks your heart desires. And my heart desires a whole lot of evil tasks. All right. A few other ideas I had. Embed a hub and storage for better packaging. Essentially this mouse I had plugged in a second ago, I think everybody saw it iterating through different colors. Essentially I've embedded one of my little Teensy devices in it. It's programmed to act as a keyboard and mouse. On-board storage and a hub. So it's all in one unit. You plug it in and now everything functions, and I can give this to someone as a gift and say, hey, here's this really cool mouse that changes colors back and forth whenever you use it. Actually I'm going to show that real quick. Essentially it just sits there and iterates through the colors, but I'll show the payload it does here in a bit.
I'll show it now, but I'm afraid of another blue screen. Okay. Leave it around. Some people have mentioned this; they called it road apples. Leave it around as a thumb drive package hoping unsuspecting users will plug it in. Trojan hardware. Use a timer or sensor and embed it in a gift device. There are also these little USB cubicle toys. Maybe you've seen something called a Nabaztag. It's like a little bunny rabbit that glows different colors if you have email or some message waiting for you. What was that? The humping dogs. The dogs that hump your USB port. Did they make the USB port literally? Yes. Those would be another good example of cubicle toys. But think of all the USB devices you have laying around that have extra space in them already. As you can see, I jammed one in a mouse. I think my buddy Dave jammed one in a keyboard, so there are all sorts of possibilities there. You can have it wake up, mount the onboard storage and have the program do whatever you want. Have it fake a blue screen of death so it covers up what it's doing; most people are just going to figure it's one of those things. Actually, now that I think about it, I could use that as an excuse for why I just blue screened. Damn, I should have thought about that earlier in the slides. Also I've been thinking about doing default BIOS password brute forcing. Basically you plug it in and it just iterates through all the common BIOS passwords if someone happens to have a password on the BIOS on boot up. Okay. I needed a name for this project. The first idea that came up for this was an Altoids tin. No, I wasn't the guy who had the problem at the TSA, and I'm hoping I don't when I go back home even. But I was going to put it in an Altoids tin, and Lady Ada had something called Minty Boost. I was going to call it Minty Pwn, but I was like, no, I don't like that name so much. Not to mention I don't want to be in on Lady Ada's territory. You may not know who Lady Ada is.
She does a whole lot of really cool electronics projects, so go check out her website. Then, I use DIP switches to set what program I want to run off the system. So maybe I'll just call it the DIP stick, and that name was what I used for a while, but then I really wanted something more descriptive. So I thought Programmable HID USB Keyboard/Mouse Dongle, because that's exactly what this thing is. But that's a little bit long to say. That's a mouthful. So maybe we can abbreviate it. Okay. Let's go ahead and make an acronym for that. Programmable HID USB Keyboard Dongle. PHUKD. That works for me, and that stuck. So I had to look around for something to actually build this with. I'd seen all sorts of stuff out there. I'd seen the direct AVR code that was mentioned before. I'd seen ways of doing it with a normal Arduino board. But it was extra circuitry. Not to mention the Arduinos, while not huge, the official hardware is a little bit bigger than I wanted. So I did some googling around and I found the Teensy. Now the Teensy is really, really small, and if you come up to me after this, in the question section, I'll show you one. But they're itty bitty little tiny things. Basically everything you see above the wolf's head and below the USB adapter, that's all the Teensy. There's not much to one. So you can fit them in just about anything. Like 1.2 by 0.7 inches. It's got a little AVR processor. It runs at 16 megahertz. It's programmable in assembly, C or the Arduino dev package. How many people have ever used Arduino? For those who haven't, Arduino is, more or less, and someone who's a bigger Arduino developer might correct me on this, kind of like a set of wrappers around C++ that get rid of some of the more complex things of the language and make it easier for hobbyist programmers and people doing electronics and digital art projects to deal with. There's also a version that's $27 that has more onboard storage and so forth.
By onboard storage I mean program storage. I'll go into why that has its problems in a bit. The best thing about the Teensy is it has built-in USB support. I don't need anything extra. So I was good to go. You can get those from pjrc.com. By the way, if anybody orders one from listening to this talk, tell them Irongeek sent you. Sometimes he sends me free demo hardware that I can play with. Here are the basic specs of both the Teensy and the Teensy++. Generally for most things you can just go with the standard one. If you need a little bit more room for payload, look into the Teensy++ 2.0. But even the basic one works fine for you; it also depends on how many analog inputs you need and so forth, and maybe how much pulse width modulation you need, and I'll go a little bit into that. That glowing effect you saw earlier, that's caused by using PWM, pulse width modulation. Essentially what it's doing is it's turning on and off a particular connection on the chip really fast. And based on how fast you turn it on and off, you can basically make the LED dimmer or brighter. And I have three of them going in there, one for red, one for green, one for blue, so I can simulate any color I want. And currently I just have it fading through different colors. I'll go a little bit more into analog in here shortly. Here is a simple schematic of some of the PHUKD devices I made. One side of the DIP switches goes to a pin, the other side going to ground, so I'm kind of using negative logic, where if it goes to ground, I'm considering it turned on. It just happened to be easier to wire that way. And depending on whether or not a DIP switch is set, I can choose what I have the Teensy do. That way I can basically have multiple payloads all on one thing. I don't have to reprogram it every single time I plug into a different machine. Let's say you have an 8-position DIP switch; you have 256 different programs you can run. That's pretty nifty.
Now the other thing you might see here is I have a symbol for a photoresistor and a 10 kilo-ohm resistor. Now here's the way a photoresistor works. Essentially, when light hits it, it gets lower in resistance. How many people here know Ohm's law? E = IR. This is the crowd for that. Essentially what happens is whenever the resistance drops on that photoresistor, because its resistance lowers, more voltage is actually dropped across that 10K resistor. Well, you see that little line going off the middle off to, I believe, pin number 10. That's one of the analog ins. It can measure that voltage change, and so by doing that I can tell how much light is in a room. And I'll show you how I use that here shortly. Basically this is a better description of how that analog pin bit works. Essentially it's measuring the amount of voltage by comparison to a reference voltage. Let's say my reference voltage is 5 volts and it's getting 5 volts dropped across that resistor. Well, it's going to read approximately 1,023. However, if it's 0 volts it's going to read 0, and anywhere in between. So I can use that basically as the basis for knowing how much light there is. But I don't have to use a photoresistor. I could also use a thermistor, so I can do it by temperature and so forth. A payload could automatically fire off whenever the light levels in the office reach a certain level. And we'll show some of that during the demo. Okay, Teensy code. Everybody can read that, right? I've seen some tedious slideshows. Now I know I'm a bit on the verbose side with all the stuff I put in my slides, but that's because I want to provide tons of links and more information for people who want to look at them later. We're going to break this down into smaller chunks. Here's the header section. Now I created what I called the PHUKD lib. Essentially it's a bit of a pain in the butt to use the direct USB keyboard functionality in the Teensy, so I simplified it somewhat.
Essentially here in my header section I create a couple of variables. I initialize some. Make sure I set photo read to 0. And I set my DIP switches and say which DIP switch is which pin on the physical Teensy device. This dip options is something I use as a comment that I can make it dump out whenever I need it to, because on these Teensys, if I have a 9-position DIP switch, I'll forget which DIP setting does what. Essentially I use the little button as a diagnostic tool. I press it and it tells me which DIP selection does what particular functionality. I use dip options for that. Here's the setup routine. Basically it's just iterating through, telling each pin what I want it to do. And that minutes-to-wait thing is just me setting up the program to wait a certain number of minutes. In this case I'm actually not using the DIP switch to say what program to run, but to set the number of minutes to wait in binary. But if you're familiar with C or C++, this is essentially the same thing but a little bit easier because of the Arduino wrappers obfuscating some of the more complex issues involved in those languages. What was that? Training wheels. If they help, as long as they don't become a crutch. I feel like I would have been a much better programmer if I hadn't learned BASIC first. Kind of makes you lazy for all future coding. But then we eventually have the actual payload inside the loop. This is basically the thing that gets done over and over and over again. Think of it as your main function. In this particular one it delays a little bit of time after the conditions are met, and what it ends up doing is it uses my library, which has something called CommandAtRunBar, and it runs this command. That's a really simple Windows command. Everybody knows that one, right? Let me break it down for you. Essentially it opens up cmd.exe, does a for loop looking through the output of the WMIC command.
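To make the wiring and decoding described above concrete (the active-low DIP switch bank used either as a program selector or as a binary minute count, the photoresistor divider feeding an analog pin, and a light-level trigger), here is an added example written for this transcript; it is not the talk's PHUKD library or any PJRC code. It models the Teensy's input side in plain C++ that runs on a PC, so Arduino pin calls are replaced by simulated pin levels; the pin ordering, the 10 kΩ / 5 V values, the LDR resistances and the thresholds are assumptions.

```cpp
// Added example, not the PHUKD library: models the dongle's input side
// (active-low DIP switches and a photoresistor on an analog pin) in plain
// C++ so it runs on a PC. Pin ordering, resistor values and thresholds are
// assumptions, not taken from the talk's hardware.
#include <cmath>
#include <cstddef>
#include <iostream>
#include <vector>

// A DIP switch wired between a pin and ground reads 0 when the switch is ON,
// because the pin's internal pull-up holds it at 1 while the switch is open
// (the "negative logic" the talk mentions). Switch 0 is the least significant
// bit, so an 8-position bank yields 0..255 and a 9-position bank 0..511.
// The same decoder serves whether the value selects a payload or, as in the
// timer sketch, a number of minutes to wait.
unsigned decodeDipSwitches(const std::vector<int>& pinLevels) {
    unsigned value = 0;
    for (std::size_t i = 0; i < pinLevels.size(); ++i) {
        if (pinLevels[i] == 0) {          // LOW means the switch is closed to ground
            value |= (1u << i);
        }
    }
    return value;
}

// Voltage divider: photoresistor from Vcc to the analog pin, fixed resistor
// from the pin to ground. Ohm's law (E = IR) gives the pin voltage as the
// share of Vcc dropped across the fixed resistor; as light rises the LDR's
// resistance falls, so that share, and the voltage, rises.
double dividerVoltage(double vcc, double ldrOhms, double fixedOhms) {
    return vcc * fixedOhms / (ldrOhms + fixedOhms);
}

// The Teensy's 10-bit ADC maps 0..Vref onto 0..1023, as the talk describes.
int adcReading(double volts, double vref) {
    if (volts <= 0.0) return 0;
    if (volts >= vref) return 1023;
    return static_cast<int>(std::lround(volts / vref * 1023.0));
}

// "Fire when the room gets bright" needs hysteresis, or a flickering light
// near the threshold would fire the trigger repeatedly. The trigger starts
// armed, fires once when the reading climbs above onAbove, and re-arms only
// after the reading falls back below rearmBelow.
class LightTrigger {
public:
    LightTrigger(int onAbove, int rearmBelow) : onAbove_(onAbove), rearmBelow_(rearmBelow) {}
    bool update(int adc) {
        if (armed_ && adc > onAbove_) { armed_ = false; return true; }
        if (!armed_ && adc < rearmBelow_) armed_ = true;
        return false;
    }
private:
    int onAbove_;
    int rearmBelow_;
    bool armed_ = true;
};

// Convenience: run a sequence of ADC samples through a trigger and count fires.
int countTriggerFires(const std::vector<int>& samples, int onAbove, int rearmBelow) {
    LightTrigger trigger(onAbove, rearmBelow);
    int fires = 0;
    for (int sample : samples) {
        if (trigger.update(sample)) ++fires;
    }
    return fires;
}

int main() {
    // Constructed pin levels: switches 0 and 3 closed to ground, the rest open.
    std::vector<int> dip = {0, 1, 1, 0, 1, 1, 1, 1};
    std::cout << "DIP value: " << decodeDipSwitches(dip) << "\n";   // 9

    // Constructed LDR values: ~1 MOhm in the dark, ~1 kOhm under room light.
    const double vcc = 5.0, fixed = 10000.0;
    int dark = adcReading(dividerVoltage(vcc, 1.0e6, fixed), vcc);
    int bright = adcReading(dividerVoltage(vcc, 1000.0, fixed), vcc);
    std::cout << "dark=" << dark << " bright=" << bright << "\n";   // 10 and 930

    std::vector<int> samples = {dark, bright, bright, 512, dark, bright};
    std::cout << "fires: " << countTriggerFires(samples, 700, 300) << "\n"; // 2
    return 0;
}
```

The hysteresis class is the part worth carrying over to real firmware: a single threshold compared every loop iteration is exactly what makes a sensor-triggered sketch fire again on every pass once the room is lit, or chatter when a reading hovers near the cut-off.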
The WMIC command that's inside of all that junk is looking for a disk that's a USB disk. What it does then is it gets that output and finds out which disk has a certain label, in this case "my thumb." Basically when you plug in a thumb drive, you don't necessarily know for sure on a victim system what drive letter it's going to get. That first part finds out that drive letter for you. Then it fires off a script off of that drive letter. Trust me, it all works. This part I believe is in the slides you have. Try it out. Trust me, it seems to work pretty well, and this way you don't have to code in a drive to run something or copy stuff to a certain drive, because you're not going to know what drive it is until you plug it in. You can use this scripting to find it by its volume label. It does its thing and it shrinks down the current window. That's right after the delay(1000). delay(1000) basically means delay 1,000 milliseconds, so one second. In the PHUKD library I've implemented a few different commands. One is CommandAtRunBar and then whatever operating system. I haven't done OS X yet. That's why the X is there. That could be either MS Windows or it could be Linux and GNOME. Same thing for shrink current window. Basically the idea is you can fire something off from the run bar and then you shrink the window so they don't necessarily see what you've got going on in the background. Press and release. Essentially this makes it a little bit easier to say, take this one key, press it several times. If you open up a web browser and want to do something to someone's account someplace, generally it's best to get away with a round of key presses rather than mouse events. You can use this to hit tab, tab, tab, tab, tab to get to whatever field you need to get to. ShowDiag. Essentially this function just sends diagnostic information out. I use this for debugging my programs. Essentially it reads through the pins and tells me what each value is.
It also tells me what DIP settings I have for which particular pre-made payloads. All those sorts of things. And dip options is that variable I mentioned before that actually gets printed out by show options. Sorry, ShowDiag. A few other things I have implemented in there. Another thing is I have something called LEDkeys. This particular function basically just tells you which lock keys are down. For instance, scroll lock, caps lock or num lock. The thing is, there's not a lot of communication that comes back from the computer to the keyboard. Especially if I start doing things on this one keyboard, and this is a separate entity completely. However, whenever you use caps lock, scroll lock, or num lock, that message gets sent to everybody. So you can do what I sometimes refer to as a caps lock trap. Basically you turn on caps lock to be annoying using your Teensy, and you know someone is at the station whenever they turn caps lock back off, and you can detect that with the Teensy. And you can use LEDkeys for that, or I have a couple of little Boolean functions that basically say is num lock on, is caps lock on, is scroll lock on. So basically all my stuff there is just to make it more convenient to use. If you want more information on this, tomorrow Dave Kennedy, also known as ReL1K, and Josh Kelley, also known as Winfang, are going to be giving a presentation on PowerShell, and they go into some more advanced things you can do with a Teensy. So they're doing some more complex things than what we're showing here. For example, I think they have some kind of reverse shell they do out of PowerShell. So it should be pretty nifty. All right, setting up the development environment. It is incredibly simple to go ahead and start this up. Hopefully this plays correctly. Essentially I've already downloaded the Arduino environment.
Also Paul, the guy who makes the Teensys, has his own little special extra libraries and hardware specifications you have to put into the Arduino folder. So once you unzip all those together, you pretty much will have a working programming environment. The first thing I have to do right here is install the serial driver. Sometimes people ask me if you need a driver installed for it to work. No, you don't. However, to program it sometimes you do. So I'm installing this just so I can program it. This driver is not needed on the victim machine, just for the sake of setting up my development environment. Also I'm going into the device manager to find out what COM port it is. That just makes it easier for me to do diagnostics and set things up. Eventually I'm going to find out the COM port so I can set up my Arduino environment. For some reason I think I had to install that driver twice to actually make it function. And eventually it works. Okay, after I've got all that done, I've already unzipped my Arduino environment. I'm going ahead and I think the next thing I did was I went into lib and I put in my, I'm sorry, the Teensy Loader. That's an extra EXE you can download from Paul's site. Essentially it's used for programming the Teensy. After you install it, essentially you can just press the button that's on the Teensy itself, that little black button you saw in some of the pictures, and it will know to automatically load code from the machine. Also right here I'm copying the Arduino extra hardware specifications into my Arduino development folder so it knows what kind of board I have. With the Arduino environment you can program for a lot of different microcontrollers that are based around Arduino. Most of that is the official ones, and a couple of different types of Teensy and whatnot. Which is why you have to install that, so it knows about your hardware.
At this point I'm actually going to take my library, which is downloaded from my website, and copy it into the libraries folder, and it actually comes along with some examples so you can look at them and see how to do some of the stuff I'm going to be showing here shortly in the demo. At this point, whenever I want to actually program it, I can load up Arduino. The code is fairly simple. I've spent a lot of time in my life watching a blue line go across the screen, and I've come to realize that. All right, I'm going to open up one of the sample programs, and now all I should have to do is tell it what kind of board I have, compile it and press the button on the Teensy, and it will load that program and it should be good to go. Also, not only the board type, you have to tell it what USB device you want to emulate. Paul set it up so you can emulate different types of USB devices. For instance, you can do a keyboard and mouse, but you can also do an SD card adapter, and you can also do a serial interface if you just want to talk to the thing over serial and don't want to use any keyboard functionality at all. That's not going to be something used in this project, but for future projects I want to do I think I might very well be using that functionality. I want to make my own, what I think of as, a zombie defense gun that does much the same thing. I want a heat sensor, I want it to detect motion and then I want it to say, okay, is it hot or not; if it's cold and it's moving, it's a zombie, fire. So I'm thinking about using the serial interface stuff for that. But once I have all those settings in, I tell it what COM port I'm using, I compile it and I go. Hopefully it gets more interesting from here, but I want people to know how simple it was to set up the environment, and the examples up there, once you go through them a little bit, they're really not hard to follow at all. At least in my personal opinion. Now let's do a little bit of a device demo.
I currently have a few different devices set up. You saw this one here a second ago. This is a mouse I've trojaned with some extra storage and a hub inside; did some soldering, put the Teensy in there, and essentially it's made to be left. I mean, it does all these pretty color things and so forth, but I can set it to go off via the caps lock trap. Instead of using caps lock, for the sake of this video, what I've done is set it up to go off whenever it sees scroll lock hit, because people don't use scroll lock a whole lot anymore, at least I don't. I'm going to have to put down the microphone to actually do this though. But it could easily be caps lock or num lock, and essentially it'll just sit there and wait for it to change. Try it again. Hopefully it's supposed to be seeing that it's changed. It's possible I'm in live demo hell again. It sits there and waits for the keyboard to have some change in value, and once it does, fires off its payload. I'll give this one more shot before I, there you go. It just fired it off in the background, and it started copying all the files on my desktop to the onboard storage and then shrank down the current active window, which I screwed up by clicking on the wrong window right afterwards. But if I go back here and bring that window back up, what I basically did was fire off a script on the onboard thumb drive to start copying everything from my desktop, which might have interesting information, to the onboard storage. Then the person can come around later on and collect this device. And the scripts I've written for that are fairly easy, but essentially what it does is, with the currently logged in user, it creates some extra folders on the drive, and, for instance, if I was logged in under a different name, it would make a different folder, and that folder will contain all the stuff off the person's desktop. So that's one example of a payload, and that's one I use that I can trigger via scroll lock and whatnot. Let me back up a little bit.
One I have more advanced payloads for is this little device. Now this one I used a Teensy++ on just because I wanted, well, because Paul sent me one and I could attach more pins to it. So let me go ahead and bring this one up. I'm assuming this mic is live also? Groovy. All right. Now for these demos, I'd set things up to where I use this one button to trigger everything. Not because I have to. I can fire it off by timer, by lighting conditions, or, as Mr. Elkin showed just a bit ago, even by an RF trigger. But for the sake of demoing at DEF CON, I figured it would be easier for me to know exactly when my demo code was going to run by setting this button. I also have a nine-position DIP switch on this thing. I can set 512 different possible programs using that, but I pretty much have each individual DIP set to do one particular function, for convenience. Now I mentioned that show diagnostics. That's what I have basically set on the first pin. The reason I have it that way is I can sit there and look, and it makes it quick for me to figure out what might be going wrong with my program based on the current value of each pin and what the analog value is. This one has a little photoresistor that I mentioned before, and I'll show how we're using that here in a bit. But the most important thing is I can't keep track of which functionality I have on which pin, so I went ahead and added these comments in there. And pin one is ShowDiag. But let's use some of the other ones. Pin two is go to my website. Let me hope that I actually have an internet connection here, and let's also hope that Chris Paget hasn't figured out CDMA hacking yet. Let's see if this is epic fail or not. It looks like it's connecting to something. All right. That should open up a web browser. Oh, I'm sorry. That first one is not open up a web browser. The first one is open up Notepad and say "Adrian was here." That's a fairly simple thing to do.
Essentially, I just use that "open a command bar and run something" function that I mentioned before. Let's go ahead and try DIP position three. That one opens up the web browser and goes to irongeek.com. Which may or may not fail depending on whether I have an active internet connection right now. I appear to. Now you can use this for, like, if you know of a, thank you, a drive-by zero day out there, you can have it set to automatically go out to some website. Also, if you wanted to go out to some website and start uploading stuff on the person's machine, you would use that kind of functionality. But I'm going to shrink that down right now and let's go to the next thing. Oh, set caps lock trap. That one I turned on, number four. Essentially what this does is it starts annoying the user until they turn caps lock off. Then you know for sure someone's actually at the keyboard. So let me fire off the caps lock trap. I'm just the average user typing along; hey, I'm shouting at everybody. What am I supposed to do? So I turn off caps lock and it fires off the script that I had set. And essentially it just tells you what it could have done. And I have word wrap turned off so you don't see it all, but it just typed something different in Notepad. All right, let's see if we have anything else more interesting than that. Ooh. It'd be more interesting if it were a bank account, but Facebook will work also. All right, this one, essentially what it's going to do is it's going to open up the mobile version of Facebook. It was just so much easier to script the right number of tabs to get to the right spot in the forms if I use the mobile app. Essentially you can have this payload go off by time or some other thing, like the light functionality I'm going to show shortly. It goes out to Facebook, hits the right number of tabs, gets itself to the right position, and makes a post. It could be some other kind of transaction as well, but I just happened to decide to do Facebook. Thank you.
Let me see what's the other one I had on there. This is just to get your brain working on what you could possibly use this for. Oh, the "find my drive by its name, then start copying stuff to it." I pretty much always show that with the Trojan mouse. I think Dave and Josh tomorrow may have a Trojan keyboard they'll be bringing with them. I'm not sure. I haven't actually seen the presentation yet because I didn't go to Black Hat and I got there a little bit late for B-Sides. All right, brightness detection. Oh, yeah, that one's fun. We'll go ahead and do that one. For that, I'm going to need some freaking lasers. With no sharks necessarily attached. Though if anybody happens to have any sharks in the audience, bring them on up and we can try. All right, essentially the light detection just detects the amount of light in the area. I was telling you you could trigger it by environmental conditions. This could also be like a thermistor and you can do it via heat. But essentially I press the button and it says the lights are on in this section of the room. I'm going to cover the photoresistor. Do it again. Let's try this again. You know, it's distinctly possible that I destroyed something in the process of building this bad boy. It happens. That's why it's always good to bring backup. Hold on a second. Hopefully I have the exact same program loaded on this particular unit. Oh, another thing I've been doing is making these little Trojan devices. See the little things flashing. This is the unit that I took to a recent meeting with Tenacity, and I had it embedded in a wolf's head because our logo is a wolf. So you put this in the eyes and make it flash and so forth. But hopefully I have all the right stuff set in it to act as a demo for this. Let's go ahead and... one. Brightness detection. Yes, that's number seven on this particular unit. Let's see if this one blows up in my face. Right. Brightness detection. Do it. "Lights are on." That's expected. "I'm scared of the dark," because I've got it covered.
It's possible I even have an open or a short on that that's causing that analog read to always read the same thing. I may have screwed it up jostling it all around on the plane here. And that was light to dark, and let's get a little bit more creative. And that's why it's always good to bring backup. But I also have a payload on there, that I think you may have seen in the listing when I did my diagnostic, called motion sensor. And essentially all it's doing is using the photoresistor to see a change in the value of light. Because generally if someone moves, a shadow happens, something gets rearranged, light reflects differently. It's a great way to detect motion. So when it detects some kind of change it should... oh, actually I have the wrong one there. I'm not using nine pins on this one. "Motion detected." You can have it fire off some other payload. The payload I have just types out into Notepad. But you can just as easily have it add an account, make one of those transactions I mentioned before, just a ton of different things. Alright, I unplugged that bad boy. And now we can go back to the slide part. I assume I can find it amongst all the windows that I now have open. There we go. Alright, demo units. The first time I made a demo unit... and if anybody wants to see these after the main part of the talk, come on up and I'll show them to you. The first one I made was in an Altoids tin. I've also tried directly soldering the DIP switches onto the Teensy. But that makes it hard to repurpose, and I like to use my Teensy for other things. (Ten minutes? Thank you.) I like to use it for other purposes, like controlling servos and whatnot. So I decided to start doing these things like, I make it so I can just solder on sockets. Not to mention sockets are much cheaper. I'd much rather burn out a $30 component than like an $18 component.
So I solder those on and I can actually start making shields that can pop on and off for different functionality, like you see right here. Oh, by the way, the adapter I got, I think that's the same adapter that Mr. Elkins was using. Got it from DealExtreme for dirt cheap. It's about the smallest one I can find. You can actually make it a little bit smaller by getting rid of that plastic casing. Also, I have versions where there is an SD card adapter, so you can make it read a microSD card and use that instead of any kind of flash drive. The problem is the Teensy operates at USB 1.1 speeds, which is perfectly fine for a mouse and keyboard. It's not going to be going any faster than that anyways. But it is kind of a limitation for microSD. I'm hoping that Paul's going to implement some more stuff on the Teensy so you can start using it for, like, pulling up password lists and whatnot. Beyond the DIP switch, I've been talking about Trojan USB devices. I've already showed you the mouse. I've been working on... okay, Tenacity's logo is this howling wolf, and while I was at a recent meeting they gave me this cool little plush stress toy. But it was hard to fit all my electronics in it. So I've been trying to get better at sculpting. So let me see if I can put this guy back together with a function. So I have a 50-50 chance of hooking this thing up right. Alright, someone come up to me later on. I think I got it with me. Who has ever seen Army of Darkness or Evil Dead 2 or one of those movies? I have a Necronomicon-styled iPod Touch cover. Unfortunately, I haven't got the finger-biting part done yet. That's going to require a few servos and some extra electronics, but we'll talk about that later. Here's my little Tenacity wolf. I tried to sculpt it, and I've essentially used RGB LEDs in its eyes and I can actually change those programmatically. So if I want to make a more advanced version of this I could make it like the Nabaztag.
That's that little rabbit you see right there that gives you extra information about what's going on on the computer, like is there new email or whatnot. Well, I can make the eyes change different colors based on what's going on in the computer system. But to do that, I need extra software installed. So when you're socially engineering someone to install these things you can say, yeah, I've got this cool desktop toy for you. It does extra things for your computer, but you've got to install this extra software along with it. I'm not much of a social engineer. I mean, I leave that to people like Dave Kennedy and Chris Nicholson and the guys on the Social-Engineer podcast. It's been said before that I use my personality as birth control. Not to mention my accent kind of gives me away if I'm talking on the phone with somebody. But social engineering with Trojan devices, or I'd say beware of geeks bearing gifts, is another option. I'm going to start speeding up through this. This is basically the internals of that mouse I was showing off earlier. If I can get this to play. Essentially I've just soldered in the Teensy, a little hub so I can still get USB 2 speeds on the onboard storage. And the thumb drive I have in here isn't exactly a thumb drive. It's essentially a microSD card adapter, and you'll see it behind everything else. There's that little RGB LED which I basically just have set to iterate through colors to make it pretty. But I could program it to do something more advanced if I really, really wanted to. But that's essentially how this one's built, and if anybody wants to see it in the Q&A room feel free to come on up. Oh, another thing I made. I'm not much of a sculptor. I'm getting better at it. For some reason I can sculpt skulls. I don't know why. So this is another little Trojan device with these little skulls where the eyeballs flash different colors eventually. There we go. And it looks nifty.
That one I made out of something called Shapelock, which I'll talk about a little bit more in a second. All right, arts and crafts at my DEF CON? It's more likely than you think. All right, there's also the cool things out there for making these Trojan toys. Shapelock is the first thing I want to mention. Shapelock is... (Five minutes? Okay.) Shapelock is this cool stuff. I believe the guy before me mentioned it as well. Essentially you put it in boiling water. It melts down. It becomes very flexible. You can mold it into whatever you like. But then when it gets hard, it becomes like hard plastic nylon. It's very, very tough stuff. And that's what that skull you saw a second ago was made of. Also, LEDs don't always look the best if it's a raw LED, because you can see the individual elements in it. But if you diffuse them... if you use Shapelock, it's really good as a diffusing substance. Two-part silicone putty. Some of the stuff I've sculpted myself; some other stuff, like my little penguin here, I basically found someone else's penguin toy, cast it with this two-part silicone putty, and then I could keep casting more and more of the same toy to use as packaging for my devices. If you're really lazy, go to like a hobby store. Cake, soap, and candy molds also work very well. So for instance, if your target is very religious, you can go out there and find like a soap mold that is made like a crucifix or a cross or a Star of David, which brings up the subject, why would someone want to use a cross as a soap mold? I mean, I've seen it. It was in the store. I'm not sure why. But I mean, that's an option for making toys to hand to people. Silicone caulk also will work as a casting agent, but you don't get very good definition and it doesn't really set within a reasonable amount of time. Polymer clay, which is what I sculpted the wolf head over here out of, was very easy stuff to work. It's kind of like the opposite of Shapelock. You basically bake it and it becomes hard and tough.
And then you can use that to cast other items, which is what I've done with some of the things. Hot glue also works as a casting agent and it's really good at diffusing light. And fishing lures. A lot of these rubbery substances I've been messing around with are actually made out of glue. It gives this really cool, funny texture and it's really easy to cast, and once it comes out, it's awesome. And it's fairly heat tolerant. You've got to get it fairly hot to actually melt it. Unlike Shapelock. With Shapelock I made the mistake of leaving something I made on the dashboard in my car. On a hot summer day in a black Honda Fit, it wasn't a pretty sight. But here's a bunch of stuff I've been casting. I'm going to start speeding this up because I don't want to run out of time. One of the things you can do to protect against these kinds of devices: for instance, Windows 7 and Vista have a ton of things in group policy that you can go in and set. And there's more information at that particular URL. And that part is in the slides that are on your CD, and I'm going to have it out on my website before long. Also, basically it manipulates these particular registry keys. So you can basically go in there and say don't automatically install any USB device. And that's the safest bet. You can have a vendor ID and product ID... which is how you can kind of, like, a... All these USB devices have vendor IDs and product IDs and you can blacklist those. But you can also, on the Teensy, set them to whatever you like. You can tell it it's an Apple keyboard if you want. So that doesn't do you any good. I usually set mine... I think my vendor ID is usually 1313 and my product ID is like 666. But you can have it whatever you want. If you want a ton more information on how these work, I wrote it down on my website. It's near the top of the list if you go to the front page and look at the history. Also, if you're using Linux, look at the udev rules.
I haven't looked into them myself, but there should be ways of doing the same thing in Linux. There are ten people. I don't care about you all. No one laughed at that? I'm going to get lynched when I leave here. Okay. A few ideas I have for future work. I'd like to make a version that's inline so I can sit there and log keystrokes as well as send them. Then I can sit there and parse out when someone hits Ctrl-Alt-Delete and then a tab and know, oh, that's probably the username and password that is typed in. I can start doing my evil and use the credentials for it. Stuff like that could be very interesting. Also, a long-range wireless keyboard, which the guy before me has kind of covered. So I have various links out there. Paul's site; my project site; USBDeview, which is awesome to see which USB devices are currently attached to your system. I've used it a lot for this. That way you can see the product ID and the vendor ID so you know what you want to spoof. RegFromApp was useful for figuring out what particular applications edited what things in the registry, and Hak5 has their own Rubber Ducky forum. Tons of things out there for sources for parts: the Teensy store; photoresistors, I get a lot of my stuff from BG Micro; micro USB adapters; LED Shoppe and places to buy all types of LEDs; and I buy tons of stuff from DealExtreme, for instance that little micro USB adapter I was using, and there's a really nice hub they have there that you can take apart, it has long wires, and you can make it very small to fit inside of objects like a mouse. All right, a few events I want to mention. Louisville InfoSec is coming up on October 7th, 2010. Hope some of you all can make it out there. SkyDog is going to be coming out sometime in 2011. Keep pestering him; actually, this is the date. And also I'm regularly going to PhreakNIC, Notacon and Outerz0ne. All cons I recommend. And a little bit of an announcement.
A few of us from the Louisville area, and well, one guy from the Cleveland area, are organizing a con in Louisville, Kentucky. Now this one's a ways off in the future, September 30th to October 7th, 2011, but it's called DerbyCon. By the way, if anybody can help us with some names for it, we need a slogan. And we want it to be either Kentucky or horse themed. So a few ideas I've had: What color's your Derby? 1100 nerds and devices, which is what someone came up with. Being the security world like a French steak. The glue that holds the hacker community together. If anybody has better ideas, let me know. Special thanks to all these guys again, and questions will be out of the room; I'm going to get out of the way because I'm about to get pulled off stage. Everyone have a lovely evening.
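The talk points at the Windows 7/Vista group policy and registry settings that stop a new USB device from installing, and notes that a plain vendor ID/product ID blacklist is useless because the Teensy can claim any IDs it likes. The script below is an added example written for this page, not code from the talk or from the speaker's project. It applies the "Device Installation Restrictions" policy keys that the Group Policy editor itself writes (the `HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions` key with `DenyUnspecified`, `AllowAdminInstall` and `AllowDeviceIDs`) so that a device that is not on an allowlist of hardware IDs is refused rather than auto-installed, and it reads the policy back so you can audit a machine. The hardware IDs in the call at the bottom are constructed placeholders; the function names are mine.

```powershell
# Added example (not from the talk): set the Windows "Device Installation
# Restrictions" policy in the registry so that only allowlisted hardware IDs
# may be installed, then read the policy back for auditing.
# Must run in an elevated PowerShell session. Tested against the policy keys
# documented for Windows Vista/7 and later; the helper names are my own.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Set-UsbAllowlistPolicy {
    param(
        # Hardware IDs as shown in Device Manager (Details > Hardware Ids) or
        # USBDeview on a known-good machine, e.g. 'USB\VID_xxxx&PID_yyyy'.
        [Parameter(Mandatory)] [string[]] $AllowedHardwareIds
    )
    New-Item -Path $PolicyKey -Force | Out-Null

    # "Prevent installation of devices not described by other policy settings":
    # anything that is not explicitly allowed is refused at install time.
    New-ItemProperty -Path $PolicyKey -Name 'DenyUnspecified' `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # Do not let local administrators bypass the restriction (set to 1 if your
    # helpdesk needs to install hardware interactively).
    New-ItemProperty -Path $PolicyKey -Name 'AllowAdminInstall' `
        -PropertyType DWord -Value 0 -Force | Out-Null

    # Turn on the allowlist and populate the AllowDeviceIDs subkey with the
    # numbered string values ("1", "2", ...) that Group Policy uses.
    New-ItemProperty -Path $PolicyKey -Name 'AllowDeviceIDs' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    $listKey = Join-Path $PolicyKey 'AllowDeviceIDs'
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
    New-Item -Path $listKey -Force | Out-Null
    $index = 1
    foreach ($id in $AllowedHardwareIds) {
        New-ItemProperty -Path $listKey -Name ([string]$index) `
            -PropertyType String -Value $id -Force | Out-Null
        $index++
    }
}

function Get-UsbAllowlistPolicy {
    # Returns the effective policy so a machine can be checked against the
    # intended baseline (DenyUnspecified = 1 and a non-empty allowlist).
    if (-not (Test-Path $PolicyKey)) {
        return [pscustomobject]@{ DenyUnspecified = 0; AllowAdminInstall = 1; Allowed = @() }
    }
    $props = Get-ItemProperty -Path $PolicyKey
    $listKey = Join-Path $PolicyKey 'AllowDeviceIDs'
    $allowed = @()
    if (Test-Path $listKey) {
        # Only the numbered values are hardware IDs; skip the PS* metadata props.
        $allowed = (Get-ItemProperty -Path $listKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value }
    }
    [pscustomobject]@{
        DenyUnspecified   = [int]$props.DenyUnspecified
        AllowAdminInstall = [int]$props.AllowAdminInstall
        Allowed           = @($allowed)
    }
}

# Usage: allow only the organisation's standard keyboard and mouse models.
# The VID/PID values are placeholders, not real product identifiers.
Set-UsbAllowlistPolicy -AllowedHardwareIds @(
    'USB\VID_XXXX&PID_YYYY',   # placeholder: approved keyboard model
    'USB\VID_XXXX&PID_ZZZZ'    # placeholder: approved mouse model
)
Get-UsbAllowlistPolicy | Format-List
```

Two points a practitioner should keep in mind. First, this is an allowlist, not the blacklist the talk dismisses: an unknown device, including one that shows up as a generic keyboard with an inbox driver, is refused unless its hardware ID matches an entry, so the attacker has to know which IDs are approved rather than picking any vendor ID they like. The talk's point still applies, though: a device that does clone an approved ID will install, so the policy raises the bar and does not remove the risk. Second, the policy governs new device installation; a device that was already installed before the policy was applied keeps working, so a baseline should be taken with a tool such as USBDeview before the policy goes live, and refused installs are worth watching for in Windows' device-installation logging as an early sign that something unexpected was plugged in.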