Hi everyone, I'm Nikhil Mittal and I'm presenting on hacking with human interface devices. Welcome to the Hardware Hacking Village. A couple of things about me. I'm a hacker. Still not audible? I'll be louder. I'm a hacker. I'm a trainer. I speak at conferences. I'm the author of two open source toolkits, Kautilya and Nishang. So Kautilya is the toolkit which we are going to have a look at today. It can be used to generate ready-to-use sketches for Arduino-like devices, and those sketches can be used for penetration testing or breaking into machines if you are authorized to do so. This is my Twitter handle and that is my blog. So follow me; I'm a sucker for followers. I'm generally interested in offensive information security and new ways to get into systems, and I've spoken at a couple of conferences previously as well.

So what we are going to have a look at today is: why should we use human interface devices? What is a human interface device? And obviously a lot about my tool. We will also see some live demonstrations and hope they work. I just tested everything in the morning, so if something doesn't work, assume and trust me. And at last we will talk about a couple of defenses against these attacks.

So I missed a slide. What is a human interface device? For those of you who don't know it: we as humans interface with computers using different things like a mouse, keyboard, touch, joystick. A human interface device is something which allows us to do that. For example, a keyboard is a HID, a mouse is a HID and so on.

So why should we use these things in penetration tests? First and foremost, they are really powerful, as you will see in a few minutes. Countermeasures like antivirus, HIPS, security teams: they trust these devices. For example, when you plug in a programmable keyboard, it's obviously detected as a keyboard, and I have rarely seen any corporate environment of any of my clients which blocks keyboards from being attached to the machines.
A lot of people block mass storage devices but no one really cares about keyboards. And the last thing is, it's really cheap. So the device I'm going to use is a Teensy 3.0 from pjrc.com. It's just a $20, $22 device, so you can literally use dozens of them in your penetration test gigs. There are so many HIDs or human interface devices which hackers can use. I've listed a couple of them which are really cheap and small in size: for example, the Teensy which I'm going to use today, Open to Boss, Arduino Micro and a lot more devices. In fact, I've not listed all of them here. There are so many devices. Just keep in mind that if you really want to use them in penetration tests, the physical size should be small. For example, I've seen people using an Arduino Due as a human interface device, but it's like this big, at least this big, like the size of a palm. So it will not be easily hidden inside other devices.

So about my toolkit, Kautilya: it is named after some Indian guy who was a political thinker back then. So do not think too much about it. It is written in Ruby and it's available on my GitHub. It contains 54 payloads right now: 45 for Windows, 5 for Linux and 4 for OS X. So your mileage may vary on OS X because I just ported it on VMware. I own a PC, I work on Windows technologies, but the Windows payloads should be quite stable. So Kautilya currently supports Teensy++ 2.0 and Teensy 3.0. As you will see, we can just input some things to this tool and it has an old school menu-driven GUI thing. I am scared of this thing. Am I still audible? Because Kautilya supports only Teensy devices, there has been a port of Kautilya for Arduino Micro by some awesome guy, so you can check that one as well.

And that brings us to the pentest scenarios. So we will be having a look at these things. These are the things which I have tested today. There are a lot more things which you can do with Kautilya. If there is any user of Kautilya, you can ask for a demonstration and I will do that right now.
And the target I am going to use is a Windows 7. It is not pirated. It is a demo version, but it shows that it is not activated. So do not think that it is a pirated one. I just created that 30-40 days back and it expired a couple of days back. So it is not a pirated thing. Do not complain to Microsoft please. This is going to be our target. What we are going to do is we program our HID and connect it to this target, and let's see what happens. So this is our device. As you can see, the target must be unlocked. Only in that case can you use this. I mean it works even if the target is locked, but you won't be able to type anything. So the target must be unlocked. And this is not a pirated version. So this would be our target.

This is how Kautilya looks. It looks a bit ugly here. It is designed and developed on Ubuntu; I am using it on Windows right now. If you have Ruby installed on Windows, you can use this on Windows as well.

So our first fantastic scenario is getting access to a target environment, and we would use a couple of reverse shells, that is, shells which connect back to us. And the target, which is this machine, is a fairly restricted environment. On TCP only 80 and 443 are allowed, on UDP only 53, and only ICMPv4. So that's quite a restricted environment. So Kautilya has a really old school GUI. You have to enter your options like this. Is it visible at the back? You select one here. Then the shells are in the execute category. Press 2 and we have 11 options for shells. Let's use reverse TCP, which is the seventh one. It shows a small help and the options you can enter. So right now it is asking for the IP address to which the reverse shell will connect back. So let's use 443 because it is generally allowed through the firewalls. Now it asks for the type of board you want to use. So let's go with Teensy 3. It has created a sketch which can be used in the Arduino IDE, and the sketch is in the output directory of Kautilya. So let's just open that.
So this is a sketch. We'll just either open it in the Arduino IDE or just copy it and paste it here. Now connect the device. First I will upload the sketch to it. And because there is a sketch already loaded on it, first I have to stop the device after inserting it. So I will just disable the auto reboot and stop the device. It started working. So now the device is ready. Now we can upload our sketch to this device. Just press upload. Now stop, stop, stop. I believe the sketch has been uploaded. Let's just try it out. So I entered the IP address of my host machine and put 443. So let's start and listen on it. Okay. So I'm going to use Powercat, which is a netcat port to PowerShell. Or you can use netcat on Linux as well. So it's our choice. In fact, let's use netcat. So for that I need to just change the IP address. It's gone. So this is the IP of this Kali Linux running over here. Let's start. Let's start a listener on port 443. And now if I connect this device to the VM, that is our target. Let's see if it works.

So what it will do first, if it is the first time it is being used on a machine, is wait for the drivers. It minimizes everything and opens up a really small command prompt, types in dark blue on black so that it is less visible, and does the stuff. Let me just disconnect and reconnect it. Okay. Let's see if it gets detected. So the idea behind this thing is you can program it as a keyboard and it can type really fast and without errors. So in internal gigs you can assume that you have access to a machine and you want to really quickly add a user and do something like that. Then this device is for you. Okay. Let me just re-burn it to the device because it was a different IP address previously. The way I use it in external pentest gigs is I take a couple of dozen of these things, hide them inside either thumb drives or USB toys and things like that, and then I drop them in my client's parking lots, cafeteria, etc.
or near the office, and the success rate has been quite high, like 30 to 40%. So that's really, really good, because once you have access to even a single machine, you are in. So let's see if right now we have something. Oh, it sucks. Okay. Let me start the Powercat listener. Okay. So it drops PowerShell scripts in the temp directory of the user; because this is not working right now, let me check that script to see if something is wrong with the script. I'm trying to make it fileless, but right now this is what it does. So it dropped this PowerShell script and VBScript in the temporary directory of the user. And I know what's wrong with this. Nice. It connects to my, okay. It's there. So it took some time. I'm sorry.

So we have this interactive PowerShell connect back from the target machine. It took some time. So now we can run the native commands or PowerShell cmdlets as well, whatever you want. And once you have a PowerShell session, you can really, in a couple of seconds, upgrade it to a meterpreter, or in fact only using PowerShell you can do really cool stuff. And I do a training for that, so please join that. So this is a reverse TCP PowerShell shell. You can use it over the internet in your external gigs or whatever.

Another thing I would like to show you is a reverse ICMP shell. Please note that the reverse ICMP shell is not tunneling anything. So if someone is looking at the network, I'm sorry to say he will see everything: your commands, your responses. I'm working on encoding things. Right now the problem is, if you encode, at least base64 encode things, they would be so huge that you will generate malformed ICMP packets. So that is not what we want. So is this good? I'm going to close this shell. Okay. So if you want to have a look at it, just in case you don't feel like that. It's off. I'm sorry. I'll just turn this on. And if you see, we have only a couple of outbound rules. Let's enable outbound ICMP as well.
So for an ICMP reverse shell, we'll again go to payloads for Windows, Execute. And now let's select the reverse ICMP shell option. Or if you want, I can show the reverse HTTPS shell as well. So the reverse HTTPS shell is a certificate pinned, completely encrypted shell, so really hard to detect. See both of them. Okay. So nine. Notice that in this case, you must have the listener on a Linux machine, because you cannot turn off ping replies on Windows. So this is my Kali Linux, a couple of other options, and we have a sketch. Let's just copy this sketch to the Arduino IDE and let's just upload it to the device. Now we must start a listener. And if you notice the help here, it shows the command you need to execute on your Linux machine to turn off ping replies. Let me just copy this. We have stopped ping replies by the OS. It's our server which will reply to the pings. And as a server, we need the server from the icmpsh tool suite. So let's start that. So now our server is listening for ICMP probes. Now if I reboot the device that is connected to the victim, it again will open up a command prompt and type some stuff. Because in the case of Windows, most of the payloads are PowerShell in conjunction with VBScript. And as I will show you in a couple of minutes, to get away from the UAC prompt, it uses a neat trick. When it needs to open an elevated shell, for example, to dump user passwords in plain, it uses the... Okay, so we have our reverse PowerShell shell here. For example, let's run GUMI again. So this is completely ICMP. Let's just exit this one.

So that was our first pentest use case: we got shell after shell after shell from Windows machines. Let's use the second one. For example, in a social engineering campaign, you may be asked to gather user credentials in plain. So let's try that. So for that, you need to go to the Gather category, which is one, and then the ninth one, which is dump passwords in plain.
So what this script does is it needs to pull Mimikatz ported into PowerShell, which is a script called Invoke-Mimikatz. It needs to pull it from the internet. That's the bad part. It executes it in memory on the target, dumps passwords and pastes them back or exfiltrates them to whatever you want. So let's use our local web server. So this is the URL of our script. We need not pass any argument. Let's exfiltrate to our local web server. So that would be option number three: POST request to your own website or web server. And that is my Kali Linux. So we have a sketch. Let's open that sketch, place it here and upload it to the device. And now if I connect this device or reboot it here, the mode of operation would be a bit different. It will open up an elevated shell, because that script, obviously like any other method, needs administrative access to do that. But I don't think this user has administrative access. Let's see. I don't think this user, okay, I don't know. Okay, it does. Now it presses left arrow and Y to say yes to this UAC prompt. And that thing right now is an elevated shell. So it types the PowerShell code for downloading a script which we specified and executing it. The time it takes prior to closing this is because it waits in case the driver needs to be installed. Also it has a reliability check: if a user clicks in between where it is typing, it restarts the process.

Okay, so as you can see it was downloaded from my local web server and should be executed. Let's check. Okay, it is, it should be this. So this is obviously encoded output. Let's just copy this. So Kautilya in the extras directory has scripts to decode things. It has written the decoded data to decoded.txt. And now if I open it, you can see that we have the password in plain for that user. So it's quite powerful, but you must have internet access to pull the script right now.
What I am working on is to mount an SD card on this device which pulls the script from it, so that we need not depend on access to an external web server in the case of larger scripts. We downloaded the script here because it is so huge that, I don't think the device would be able to hold that. And even if it holds that, it would take so much time to type that out, which is non-practical. So that was just another case.

Okay, the third one I obviously cannot show at DEF CON, because both of these are my favorite ones. Not really practical, but really cool. For example, this one, the first one, which is Gupt, which means secret in my language. That reads SSID names. So the idea behind that thing is it looks for a specifically crafted SSID name, and the command which the target needs to execute is within that SSID name; it never connects to that network. So there are slight chances that WIPS or any Wi-Fi countermeasure may or may not detect it. So I'll show you how to configure it, but obviously I cannot run it here. So these are the parameters available. So this is how it works. You need to specify a magic string, a four character magic string. If I go by the example in the payload itself, nothing. Okay, so what happens now if I connect it to a target is it will look for an SSID whose first four characters are "open", and if the fifth character is C for command, then the rest of the SSID name, up to 32 characters, is considered a command. For example, if I run this on my machine and you start a hotspot called "openC whoami", it will execute whoami on the target. And to execute scripts, unfortunately, because SSID names are limited to 32 characters, you have to specify "openU" and the shortened part of a Google URL shortener link. So it takes that URL shortener, expands it, and pulls down the script from there.
So I like it because it looks cool, but it's not really practical unless you are sitting with a directional antenna in a cafe across the road from your client, which is always possible. So I cannot show the next one as well, the rogue AP. So I can explain what it does. From Windows 7 onwards, there's a feature of hosted wireless networks. So what this rogue AP does is this: you can provide an SSID which would be created and used on the target machine, and then there is a meterpreter bind started on the machine. So it is like you have an SSID with a proper key on the target and you can connect to it. And as soon as you connect to it, there would be a bind meterpreter. This payload adds firewall exceptions as well. So there would be a bind meterpreter listening for it. You can just connect to it, so that you have a private network on a single machine with a meterpreter session. So again, because my VM does not have a Wi-Fi card, and unfortunately I'm not carrying an external one, I would have to create it on my machine, so I'm not doing that. So just close this.

What else? We can drop infected files as well. Again, in the case of Windows, PowerShell allows a lot of things to be done. So we can drop a Word, Excel, Compiled Help file, or LNK (shortcut) file on the target which is infected. Word and Excel files use auto-executable macros. So if there is something which detects auto-executable macros, it will catch that. But I've not seen any AV flagging it yet. So we can use it. Another thing is, as far as I know and I tried, it is not programmatically possible to password protect your macros. So someone can open it and have a look at your macro. So let's just try this one out.

Okay, I forgot the HTTPS. So I'll demonstrate the HTTPS shell first. I just missed that. So this is our listener. So this needs to be executed on the attacker's machine. And this is Windows specific right now. So we have our listener running on our attacker machine.
Let's choose this reverse HTTPS shell, and the IP address of our machine and the port. So let's paste it here and upload it to the device. Now if I connect it to the target, let's see if it works. So this is one of the smallest payloads in particular. Just two lines need to be typed on the target, so it's really fast. It doesn't need administrative privileges or anything like that. Okay, now it didn't work. It's perfect, it should work. There could be some issues with the payload. Let's not waste time on it. Keep one thing in mind: if you're trying to use this with Arduino, you must install Teensyduino and things. So that is written in detail on the website of these vendors. Make sure that you use the correct board, which is in this case Teensy 3.0, and the USB type. So these two things should be kept in mind. Okay, that could be the firewall here. Just let me see if I have outbound 443 allowed or not. Okay, it's allowed. So it should work. I don't know why it didn't work. Okay, again sorry, it took time. So this is a completely encrypted, certificate pinned session. It should work. Okay, so this was our reverse HTTPS shell.

Now on to dropping infected files. So the idea behind dropping an infected file is just to have another way of breaking into a system. For example, if you can have a reverse shell, there is no need to basically drop files on a target. But let's see it anyway. So these are the options which we have with us. Let's go for the MS Word one. So it asks for a PowerShell one-liner or native command, whatever you want. So let's use a reverse shell. One-liner reverse shell, let's see if that works. So you can always copy it from here. Let me copy the one-liner reverse shell that connects back, again to 443. So if you want, you can change the name of the file as well. And if you see the sketch, you will see that it is nothing but just a simple PowerShell script which drops the file on the target. So let's just try this thing out.
I need to execute this on the local machine because there is no MS Office on the target. So let me just reboot it here. So it will drop that file on the user's desktop. Hopefully. So it is a good thing to have if you just want a different way to stay in a client's machine or in a target machine. So the Word file, this one, is the infected one. And if I start, let me start a new one. I have to start a listener before I open that file. Okay, now let me just close this one. So it connected back actually. So this is how our infected file worked, and hopefully we will have a reverse shell here. The flip side with this thing is this: anyone can go to the macros and see what we are up to. So if you are really using it in a social engineering campaign, then you have to password protect it. Otherwise, anyone would be able to see, for example, if you are downloading a script, anyone looking at the macro would be able to see your IP address. So that's a flip side. Maybe it is taking time. Let's come back to it in a couple of minutes.

Okay, a reverse meterpreter. So there are two ways of getting a reverse meterpreter using this thing. The first one is, which we saw a couple of minutes back, get a reverse PowerShell and use it to upgrade to a meterpreter. Or you can use this one. Sixth, it is execute shellcode. So you need to just create a shellcode using msfvenom, paste it to... Okay, not this one, sorry. Oh, not this one, not this one. It is... Okay, so it is the first one. msfvenom supports creating meterpreter in PowerShell. You can just create that and execute it on the target and you will be fine. I am not going to demonstrate that. We have already seen so many reverse shells.

So, defenses against these things. You can always control installation of devices using group policies. But I have seen in real corporate environments and with my clients, what they do is they just block mass storage devices and nothing else.
So if someone is really smart enough and blocks installation of any hardware device, or hardware devices by class, then this thing could be blocked. If someone is using, for example, so many antivirus vendors block devices by VID, vendor ID, and PID, product ID. You can always change that by going here. And I do know, hardware/teensy/cores and this one, not this one. I believe it is this one. So it is there on my blog. I am not going to recall it right now. Here it is. So you can always change these vendor ID and product ID. So if you know that there is an antivirus or any endpoint protection which blocks a particular VID and PID, you can always mimic an HP keyboard or Microsoft keyboard or whatever you want. So you can just change it here. So there is a list of vendor IDs and PIDs on usb.org and so many websites.

So one defense on Windows machines is to use group policy, or on Linux to use udev. But the best thing is just to put glue in all the USB ports but one and lock that USB device to the machine. So that is the best defense. If you have USB ports open, there are so many devices. As we saw a couple of minutes back, you can do really nasty things with them. And the best thing is to make your employees aware of the risks of attaching untrusted or new USB devices to their work machines. I mean, I've seen, in one of my pentest gigs, this device didn't work. So I used it that way: I used a two port USB hub and connected the toy and the device together inside the toy, and there was a single cable coming out of it. So it didn't work on one guy's machine. So they connected it to the colleague's machine and I got like three shells from a single device. So employee awareness is the best defense.

And a couple of closing remarks. Bad guys are already using it. I have myself seen this with a couple of clients getting hacked by this thing. Even good guys are using it. It's not really something groundbreaking.
As long as operating systems and system administrators and countermeasures keep trusting things, these things will work, because security ends with trust. Okay, so some shameless self promotion. I do a training for this thing. So have a look at it on my blog, and these are my contact details. You can find Kautilya on my GitHub. There is another open source tool I mentioned; you can find it there as well. So that was all. Any questions? No questions? Thank you.
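The defenses section above mentions group policy on Windows, udev on Linux and VID/PID filtering, and also notes that a programmable board can present any vendor and product ID it likes. The following is an added detection example from a defender's side; it is not code from the talk or from Kautilya. It audits constructed Linux kernel-style USB attach messages (the log lines, the VID/PID values and the allowlist are all made up for this example) and raises an alert both when a keyboard's VID:PID is not on the allowlist and when a second keyboard appears while one is already attached, the latter being the check that still fires when the VID:PID has been cloned from a legitimate keyboard.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of Linux kernel USB messages (not from the talk).
# The VID/PID values and device names are made up for this example.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=045e, idProduct=07f8
input: Corporate Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:045E:07F8.0001/input/input5
usb 1-2: New USB device found, idVendor=1234, idProduct=abcd
input: Generic HID Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:1234:ABCD.0002/input/input9
usb 1-2: USB disconnect, device number 9
usb 1-3: New USB device found, idVendor=045e, idProduct=07f8
input: Corporate Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:045E:07F8.0003/input/input12
"""

# Hypothetical allowlist of keyboard VID:PID pairs issued by an IT department.
ALLOWED_KEYBOARDS = {("045e", "07f8")}

NEW_DEVICE_RE = re.compile(
    r"^usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
INPUT_RE = re.compile(r"^input: (?P<name>.+?) as /devices/.*/usb\d+/(?P<port>[\d.-]+)/")
DISCONNECT_RE = re.compile(r"^usb (?P<port>[\d.-]+): USB disconnect")


@dataclass
class Alert:
    port: str
    vid: str
    pid: str
    reason: str


def audit_hid_log(text):
    """Return a list of Alert objects for suspicious keyboard attachments."""
    pending = {}  # port -> (vid, pid) announced on attach, awaiting input registration
    active = {}   # port -> (vid, pid) of keyboards currently plugged in
    alerts = []
    for line in text.splitlines():
        m = NEW_DEVICE_RE.match(line)
        if m:
            pending[m["port"]] = (m["vid"], m["pid"])
            continue
        m = INPUT_RE.match(line)
        if m and "keyboard" in m["name"].lower():
            port = m["port"]
            vid, pid = pending.get(port, ("????", "????"))
            # Rule 1: the declared identity is not one we issued.
            if (vid, pid) not in ALLOWED_KEYBOARDS:
                alerts.append(Alert(port, vid, pid, "keyboard VID:PID not on allowlist"))
            # Rule 2: a second keyboard while another is attached; this fires even
            # when the new device has cloned an allowlisted VID:PID.
            if active and port not in active:
                others = ",".join(sorted(active))
                alerts.append(Alert(port, vid, pid, f"additional keyboard while {others} still attached"))
            active[port] = (vid, pid)
            continue
        m = DISCONNECT_RE.match(line)
        if m:
            active.pop(m["port"], None)
            pending.pop(m["port"], None)
    return alerts


if __name__ == "__main__":
    for alert in audit_hid_log(SAMPLE_LOG):
        print(f"port {alert.port} {alert.vid}:{alert.pid}: {alert.reason}")
```

Run against the constructed log, the second port triggers both rules and the third port triggers only the second rule, because it reuses the allowlisted VID:PID. A real deployment would feed this from the kernel log or a udev hook and pair it with the device-installation restrictions the talk recommends; the allowlist alone is not a control, since the speaker shows how easily the IDs are changed.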