USB Attack to Decrypt Wi-Fi Communications
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Title of Series | ||
| Number of Parts | 109 | |
| Author | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/36378 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
DEF CON 2352 / 109
12
19
20
23
24
29
32
33
36
51
58
60
62
66
67
68
69
70
71
77
82
84
85
88
89
92
98
99
103
104
107
00:00
Goodness of fitTouchscreenComputer wormTelecommunicationRight angleComputer animation
01:15
Presentation of a groupInclusion mapComputer networkInformation securityCrash (computing)SoftwareDisk read-and-write headInformation securitySocial classPresentation of a groupFood energyDifferent (Kate Ryan album)Data centerComputer animation
02:15
SharewareComputer wormKeyboard shortcutMassComputer wormMultiplication signKeyboard shortcutPresentation of a groupDifferent (Kate Ryan album)SharewareComputer fontLevel (video gaming)Mass
02:45
Goodness of fitGroup actionLogicType theoryDescriptive statisticsProduct (business)Semiconductor memoryVirtual machine
03:19
Information securityMultiplication signPlastikkarteData storage deviceSemiconductor memoryMereologyAreaBitForm factor (electronics)MicroprocessorSlide ruleComputer animation
04:00
outputKeyboard shortcutData storage deviceMassFirmwareComputer configurationBeat (acoustics)Mass storageKeyboard shortcutPower (physics)SharewareFirmwareoutputCoefficient of determinationComputer animation
04:36
Presentation of a groupComputer configurationDrop (liquid)Product (business)Hacker (term)Computer animation
05:06
Connected spaceVirtual machinePublic key certificateFlash memoryDisk read-and-write headSlide ruleKey (cryptography)Term (mathematics)FirmwareFormal languageMetropolitan area networkEncryption
06:38
NumberObservational studySocial engineering (security)Integrated development environmentAreaWeightFlash memoryProcess (computing)Goodness of fitSpeech synthesisOptical disc driveSoftware testingReal number
07:47
Ext functorComputer-generated imageryForm factor (electronics)Observational studyGoogol
08:17
Computer virusDigital filterProxy serverFile Transfer ProtocolCodierung <Programmierung>Level (video gaming)Computer fileSuite (music)SineComputer wormCuboidOrder (biology)Self-organizationPublic key certificateOpen setSign (mathematics)WebsiteData storage devicePoint (geometry)Information securityBitFilter <Stochastik>Block (periodic table)Digital photographyVirtual machineSharewareProxy serverFile Transfer ProtocolConfiguration spaceInterface (computing)Codierung <Programmierung>Real numberTelecommunicationMechanism designElectronic mailing listWeb applicationAreaGoodness of fitDirect numerical simulationEnterprise architectureTouch typingQuicksortHypermedia1 (number)Metropolitan area networkProduct (business)InformationWeb 2.0Network topologyTrailAuditory maskingAntivirus softwareTable (information)Type theoryScripting languageServer (computing)Gastropod shellConnected spaceInterpreter (computing)Reverse engineeringAsynchronous Transfer ModeRandomizationFocus (optics)Authorization
13:16
Keyboard shortcutCodierung <Programmierung>Right angleGreatest elementWindowPublic key certificateType theoryTouch typingNumberFile format
13:50
outputWhiteboardUser profileScripting languageStandard deviationKeyboard shortcutString (computer science)Graphical user interfaceTrailPublic key certificateRootData storage device2 (number)Computer fileCuboidMachine codeSoftware testingWindowSystem administratorVirtual machineKey (cryptography)Metropolitan area networkRight angleComputer wormKeyboard shortcutProfil (magazine)String (computer science)outputProcess (computing)CodeWireless LAN
15:28
String (computer science)2 (number)Type theoryCodeCuboidVirtual machineProcess (computing)Structural loadDevice driverSystem administratorWindowMultiplication signPublic key certificateComputer wormGraphical user interface
16:27
Ring (mathematics)Session Initiation ProtocolPublic key certificateKeyboard shortcutWindowoutputComputer fileVirtual machineType theoryNP-hardMultiplication signGame theoryPresentation of a groupMereologyData storage deviceGoogolHacker (term)RootSlide ruleEnterprise architectureComputer animation
17:24
User profileComputer networkCovering spaceWeightComputer filePublic key certificateWindowProfil (magazine)Wireless LANVirtual machineSuite (music)Right angleGreatest elementPasswordProxy serverView (database)Point (geometry)
18:28
Internet ExplorerPoint (geometry)InternetworkingExplosionPublic key certificateView (database)Graphical user interfaceError messagePrice indexSuite (music)
19:06
Public key certificateError messageRight anglePoint (geometry)Program flowchart
19:38
Medical imagingDisk read-and-write headData storage deviceKey (cryptography)WindowBitPublic key certificateCASE <Informatik>Distribution (mathematics)Inheritance (object-oriented programming)Virtual machine
20:32
Keyboard shortcutFirmwareData storage deviceMassIdeal (ethics)Structural loadWeb browserPublic key certificateSign (mathematics)Identity managementData storage deviceFirmwareTwin primeComputer programKeyboard shortcutCartesian coordinate systemProxy serverPlanningMultiplication signSound effectPlastikkarteKey (cryptography)outputComputer animation
21:55
ACIDPersonal digital assistantVariable (mathematics)PlastikkarteTouchscreenDefault (computer science)NumberProfil (magazine)String (computer science)Data storage deviceKey (cryptography)Virtual machineComputer fileLevel (video gaming)Installation artGreatest element
22:34
Proxy serverData storage deviceScripting languageStapeldateiBootingSpherical capMultiplication signBitLevel (video gaming)System administratorDifferent (Kate Ryan album)Profil (magazine)Scripting languageKeyboard shortcutoutputStapeldateiRootPublic key certificateComputer fileWindowMass storageVirtual machineTouchscreenView (database)Data storage deviceCodeMereologyEnterprise architectureTwin primeWireless LANPlastikkarteKey (cryptography)Asynchronous Transfer ModeBulletin board systemComputer animation
24:35
Point (geometry)View (database)ExplosionGraphical user interfaceInternetworkingWeb browserPublic key certificateKey (cryptography)Data storage deviceRight angle
25:18
Computer wormIntegrated development environmentWireless LANWindowRight angleVirtual machineCuboidInternetworkingConnected space
26:39
WindowVirtual machineMathematicsPasswordComputer animation
27:14
Scripting languageAuditory maskingTable (information)Image resolutionDirect numerical simulationRight angleComputer animation
27:44
Suite (music)Asynchronous Transfer ModePublic key certificateScripting languagePoint (geometry)Computer animationSource code
28:23
Broadcasting (networking)Connected spaceComputer wormDevice driverVirtual machineFlash memoryTrail2 (number)Source codeComputer animation
29:06
BitComputer animation
29:37
FacebookConnected spaceShape (magazine)Presentation of a groupRight angleComputer animation
30:06
Student's t-testLoginPassword1 (number)GodPerfect groupRight angleComputer animationSource code
30:37
FacebookAuthenticationHTTP cookieBitDiallyl disulfideDisk read-and-write headPasswordCuboidGodPresentation of a groupSlide ruleParameter (computer programming)Multiplication signDrag (physics)Expected valueComputer animation
32:16
Facebook1 (number)Scripting languageOnline helpHTTP cookieSpywareComputer animation
32:45
WebsiteScripting languageAuthenticationFacebookPoint (geometry)HTTP cookiePasswordPresentation of a groupComputer animation
33:18
GUI widgetPhysical systemMassAuthenticationWordType theoryIntegrated development environmentMechanism designWireless LANRight angleInformation securityPhysical systemSelf-organizationData storage deviceTelecommunicationSoftware testingConnected spaceHand fanCuboidException handlingPrice indexWave packetDependent and independent variablesPasswordPoint cloudProxy serverWeb browserSlide ruleMass storageDenial-of-service attackComputer wormMassComputer animation
36:04
Point cloudProxy serverProof theoryComputer wormMechanism designInternet forumDistanceMultiplication signAuthenticationComputer fileOperations support systemDifferent (Kate Ryan album)CuboidRevision controlCodeTouchscreenWindowProxy serverPoint cloudSet (mathematics)Right angleWireless LANForm (programming)CodeEmailVirtual machineOperating system
Transcript: English(auto-generated)
00:01
welcome. Good afternoon. Thanks for coming. Thanks to DEFCON for having me. My name is Jeremy Durrow. Today I'm going to present to you guys on two different variants of an attack that I made for the USB rubber ducky. What do we got here? One minute. Or is
00:26
that just their screen? Are these screens screwed up, too, or no? Just that one? All right. Cool. All right. So we made two different payloads for the USB rubber ducky that will decrypt the Wi-Fi communications. Yeah, so before we get
00:47
started, though, quick disclaimer. I'm here on my own behalf. It's my own opinions, not my employer, no one else, so we get the legal jargon out of the way.
01:02
Yeah, okay. Oh, so what are we doing here? Yeah, there we go. Sorry, guys. All
01:32
right, so about me. A little bit of background. We're more than a decade of experience in the IT security industry. In those ten years plus I've worked for a
01:40
couple different sectors. I started my career out with the Department of Defense working for the Army at a data center hosting both class and unclass material. Left out of there to go work in the energy sector defending a nuclear power facility. And then currently I'm working in the financial sector as a network
02:00
security engineer for Jim Worth Financial. And just a little side note there, a hobby, I enjoy building, driving and destroying demolition derby cars. If there's any gear heads in the audience, feel free to find me afterwards. We'll talk cars. So the presentation outline, what we're going to talk about from a high level, we're going to first talk about what is a USB rubber ducky for those
02:22
who are not familiar. Then we're going to talk about how the attack actually works and then we're going to get into the details of each of the different payloads. So we'll first talk about the keyboard payload and then we'll talk about the one that involves both keyboard and USB mass storage. I'll demo the second variant of the attack and if we have any time for questions, maybe we'll take
02:42
some questions but it's probably going to take the full time. So again, those who are not familiar with the rubber ducky, in a simple description of what it is, think about if you were able to take a keyboard and apply some type of logic or some type of memory to it to tell it what to send to a victim's machine
03:02
when you plug it in and you ultimately have the USB rubber ducky. So these devices are sold by Hack5. Those who are not familiar, they're actually selling products here. Run by and support them. Really good group of guys. I think they're like 40 bucks or a little better than 40 bucks. So it's pretty cheap. So here's what the rubber ducky
03:21
looks like. You'll notice that it is a very common form factor. So notice there on the far right for you guys, the, you know, if you've been to any of the trade shows, like any of the IT security stuff, typically as vendors hand out swag, a lot of times it will be that's the actual form factor. So if you've gone to some of those,
03:42
you're looking at a drawer, you probably have one that looks very similar to that. Inside the enclosure you'll see that it has a micro SD card storage area as well as a little micro processor, a little 32-bit chip. And again, that's what kind of drives the memory part of the brain from that previous slide. And to kind of talk about the
04:04
different ways that the ducky behaves, it comes shipped with the duck firmware, which is that kind of first bullet there. And again, that is just keyboard input. But there's also those out there, there's fat duck, detour duck. But make note of that last variant of the firmware as well. That involves having both USB mass storage at your
04:26
disposal when you plug the device in as well as programmable keyboard. So a lot of powerful things can be done once you start adding mass storage. We'll see that in a demo later. But for those that are like, you know, thinking, well, this must be a Hack 5 presentation. He's trying to peddle their products. You don't have to go with
04:43
the Hack 5 rubber ducky. There's other options out there. Sammy Kamkar, he's actually here. Spoke to him last night. So he's got a presentation later today. I developed the USB drive by. So he does the same kind of mentality with the Teensy device. So check his stuff out if you don't want to spring for the 40 some odd
05:04
dollars for the rubber ducky. As well as last year at Black Hat, Carson and Jacob did the bad USB, those that are familiar with that term. And then later at Derby Con, Adam Caudle and Brandon Wilson released code so that you can take
05:24
an off the shelf variant of a flash drive, flash their firmware to it and more or less it will run the same scripting language that the rubber ducky runs. So that's more or less free if you have those flash drives laying around. All right. So how does the
05:40
TAC work? This slide just depicts the victim having a wireless connection to a little radio there. And you see the lock. So any SSL connections they have are working as they should. Everything is encrypted. Anything that they're supposed to be encrypted is encrypted. It's the standard connection before the attack. Then comes the
06:03
rubber ducky. If the rubber ducky was the USB flash drive was plugged in, first thing that's going to happen, there's going to be a trusted certificate that's loaded on that victim's machine. After the trusted certificate is loaded, it will then move the wireless connection over to a man in the middle machine, which I will be running. So if
06:23
you kind of think about this in your head, what just happened, not only are we now a man in the middle, but since we provided that key, there's nothing that cannot decrypt. So it's kind of a bad situation for that victim. All right. So first question I had
06:42
when I bought it was, you know, is this a novelty device? I mean, yeah, it's great to see Rick roll your buddies with it. Yeah, yeah, that, yeah, cool. But does this thing really have a place in the corporate environment for, say, a real CT, you know, actual pen test or is this a real useful tool for, you know, a black hat for that matter? And,
07:04
you know, I was kind of astounded to see these numbers. You may have heard these before, but DHS obviously had the same thought and they paid a third party to perform a study where they dropped flash drives around public areas, whether it be smoking areas, walkways, what have you, and they found that an astounding 60% of people
07:23
plugged them in once they picked them up. Well, that's scary enough, but then if you look at the last bullet there, if they add an official logo to it, that number jumped to 90%. So the moral of the story here is that you really don't need any clever social engineering for this attack to work. I mean, if someone really wanted to do something bad and do this attack, you know, for $400 you've got ten of them.
07:44
Someone's going to plug it in. Your odds are pretty good. And speaking of official logo, if you recall the form factor of what the rubber ducky ships, this is just a quick Google search of marketing USB drive or something. Ta-da, first one came up, the exact same form factor that the rubber ducky ships in. For a couple bucks you can
08:04
put whatever logo you want on your rubber ducky because it's just a little shield there that connects to it. And you're up to your 90% mark according to a DHS study. So pretty useful stuff. I kind of want to talk about now why I actually made
08:21
this payload. You know, there's plenty of good ones already out there. The rubber ducky, it's nothing new. The product has been out there for a while now. And Darren, the guy that runs hack5, his get hub is full of really good payloads that people have written. But what I found is that most of those, if not all of them,
08:41
would be stopped by the modern defenses that are deployed in most enterprise organizations. So I'm not talking about your, you know, if you're trying to attack the random victim at Starbucks, I'm more focused on corporations and doing this thing in a more secure area. And the first one I'll touch on there is antivirus. So a lot of the payloads that are out there will try to pull down a
09:01
tool of some type, whether it be, you know, Netcat or try to do some interpreter reverse shell, what have you. But, you know, that's cool and all, but if you pull those down on a company asset, you know, your antivirus is going to light up like a Christmas tree and it's going to stop it in its tracks. I mean, it's too well known at this point. The next bullet there, web filters and
09:22
proxies. So some of the other attacks, what they'll do is they'll try to make you go out to some open storage place, you know, Dropbox or Box or something like that. Well, most organizations, at least if they're, you know, more secure side of things are going to block those style sites. They're not going to let you go to any open storage or pull down any random file you want. So that's going to be stopped. Same
09:44
kind of mentality below with the FTP white list. Some of the attacks try to pull down files through FTP. Again, most companies, if they're at the level of any security knowledge at all, they're not going to just allow you to FTP anywhere from any asset in the organization. And then the last bullet there is, has nothing to do with corporate
10:02
security. I'm sure most of you guys are familiar with HSTS, but those that are not, it's kind of a tool that was designed just to stop this style of attack. So the old school way of doing man in the middle attacks, once you got in the middle of the communication path, you would tell the victim, you know, just go ahead and talk to me
10:21
in clear text. Trust me. Talk clear text to me. You know you want to talk encrypted to your banking site, well, I'm telling you to go ahead and load it in HTTP so I can harvest the credentials. And then on the side that's talking to the real banking website, you would talk encrypted. And, you know, it worked well for a while until things like HSTS came along, which is an actual browser-based security mechanism. It
10:42
says if you're a member or you're on this list of HSTS-enabled sites, no matter what the man in the middle machine tells you, you must always use encrypted traffic. And that becomes a problem because it kind of thwarts the way that the old school way of attacking took place. And again, a lot of your big sites are doing that. A lot of your
11:02
paid sites, like you see PayPal and your social media sites, even Def Con implemented this year. So I guess Def Con's got some super secret information they don't want someone to get. So let's start the attack. Enough kind of pre-talk. So the first step is to actually set the man in the middle machine up. Because
11:22
you have to have something for the victim to connect to. Right? So this is not the focus of the attack, so I'm going to breeze through this stuff, but just to give you an idea of what I used when I set up the demo, you're going to see in a minute. I used host APD for the wireless radio. I used DNS mask for the DNS server as
11:42
well as the DHCP server. IP tables to kind of direct the traffic over to a proxy. And I mentioned the MANA toolkit. So those guys actually have developed some really cool scripts that I used to kind of just adjust their stuff to make it work the way I wanted it. So I mentioned proxies, those IP tables that move stuff
12:04
over to a proxy. So you got to think about it. Once you get the connections coming into your man in the middle machine, and you've got the radio, it's listening, people connecting to you, you have to have some way to manipulate the traffic or at least view the traffic. I mean, what's the point of sending it through you if you can't do anything with it. So you're going to have to set up some
12:20
type of proxy. In my example I used burp suite. Doesn't mean you have to use burp suite. It's just easiest in my opinion. You can use SSL strips, squid, malware, whatever. I do make note here that whatever proxy you want to use for this style of attack, make sure you know how to pull the certificate out, the actual signing authority it's using, because we're going to have to convert that
12:40
certificate to a base 64 encoding. And I'll get into that in a little bit. So for those not familiar with burp suite, I'm sure most of you have at least seen it. The configuration I'm using today is very, very simple. I've just got it listening on, all interfaces, just pick the random, you know, the 880 port, and you'll see there that invisible box as they call it is checked, but industry that's a transparent
13:04
mode proxy is all it's doing. And I mentioned you had to export your certificate. Well, that's with the little radio, I mean the little button below that there, CA certificates, you click there and you'll kind of go through some dialogue boxes to export the certificate. And when you do that, it's going to come out in a Dura formatting. So again, this is not a talk about certificates, but at
13:21
least I want to touch on this. The certificate, if it's in Dura formatting, you'll notice that top window there, that's text that I can't enter by keyboard, right? So I want you to make sure I convert that certificate to something that my ducky can type in easily. So use an open SSL, convert that Dura formatting to a PIM
13:40
formatting, so it's a base 64 encoding. And if it's done right, you should look something like that bottom window. So it's human readable. All letters and numbers. All right. So now we have the man in the middle machine. So let's talk about the payload itself that's going to be sent to the victim. So what it's going to first do, it's going to bypass the Windows UAC and open a command prompt window. If the user is
14:04
logged in with admin credentials, it's going to get admin credentials. If they're logged in as user credentials, they're just going to get user credentials. And the test I'm doing today, I actually have admin creds, but I will make note that this will work with user credentials without admin creds. It's just going to have a few extra pop-up
14:22
boxes along the way. The second step it's going to do is create that .sir file. So you're just going to create a certificate from keyboard input. The same certificate we exported a few minutes ago. Then it's going to add that certificate to the trusted root store using the built-in tool certutil. Then it will create a new
14:41
wireless profile and then connect to that wireless profile. And then lastly, it's going to clean up its tracks. So it's going to delete the files that it made in the code. I wanted to let everyone at least understand how simple this thing is to really write. So Def Con gave me a lot of credit by making me talk to you guys. But really,
15:01
it's pretty simple stuff. Again, very straightforward. Delay, delay in milliseconds. String what you're actually typing to the machine once you activate the payload. And then all your command keys like enter, GUI is the Windows command, remark. And any question on that, the GitHub that Darren keeps up has pretty much all
15:25
the documentation needed to any of the commands here that it supports. All right. So here actually is the first step in the payload. Kind of broken it out here a little bit. So you'll see how the code kind of works. Delays 10,000. So that's 10,000 milliseconds. That's 10 seconds. And the idea behind that is when you plug the device
15:43
into a machine the first time you're going to see Windows spin in there with the drivers, load drivers, load drivers, load drivers. Hopefully it's done in 10 seconds and then it's going to enter the issue of GUI R command. Those are not familiar with GUI R. That's going to open a run dialog box. And it's going to delay 200 milliseconds to allow time for that box to pop up. And it's going to type a little
16:02
PowerShell command, start process command, verb run as. All that does is open the dialog box that's in admin credentials if possible. And a little side note here, you'll see now I'll put a little side note that Windows 10, this is as well as 8. You don't have to do that PowerShell command for those that aren't got the Windows 10 8
16:20
thing. If you just do GUI X and then type A, it opens up an admin command prompt. A little side note. So next step is we're going to have to create that certificate on the victim's machine with keyboard input. And the way we're going to do that is we're going to use a built-in tool in Windows called CopyCon. Those that are
16:41
used, CopyCon, file name and anything below it is concatenated to the file. You break out of it and now you have a certificate. And I had to put the obligatory picture of the hacker in the presentation but I noticed earlier when I was going on my slides like this poor guy is having a hard time typing because he's got like big thick winter gloves on. So I don't know. I don't know where I, that's a Google search for
17:04
a hacker. Anyway. So we're going to use, this in my opinion is a climax of the attack. So this is the part where it's actually doing bad things. Certutil, add store, enterprise. So that's added to the machine root store. It's adding that certificate we just created. So if this command succeeds, game over. Lastly we're
17:26
going to create an XML file. And again, those are not familiar. Windows handles wireless profiles, just a little XML file. So we create an XML file and then we, after we create it, we then connect to it with a net SH command. Again, pretty
17:41
straightforward stuff. And lastly we'll just delete those XML file and then the certificate file that we created. All right. So here is what it looks like from the attacker's machine. Right? So this is again burp suite. We're looking at the proxy kind of view there. And I've kind of highlighted there. We're typically going to be
18:04
interested in post commands. So I've kind of looked at a post command there to Wells Fargo. I'm not picking on Wells Fargo so hopefully don't sue me. But any bank would work. You'll see on the bottom of the details you've got user ID and password clear text. Right? So that poor person's bank was just compromised. And
18:26
alternatively, this is what it looks like from the victim's point of view. There was no indication there was anything wrong. And I've even kind of opened up the certificate details to show that this certificate was signed by, you probably can't read
18:44
that, but it's issued by Port Swigger. Those are not familiar. Port Swigger is a company that actually writes burp suites so they put their name in the certificate. So really bad day. Internet Explorer got the best of them. But I'm sure some of you in the crowd are like, well, I don't ever use Internet Exploder. I'm cool. I use
19:03
Chrome. So there's no way you'd get me. Well, here's Chrome. Same deal. Look at their credential. I mean, look at the certificate details. You also see signed by Port Swigger. And again, same story. No pop-ups, no warnings, no errors, no issues. There's no point transparent to the user. There's no way by at least the
19:23
certificate anyway you'd ever be able to know something bad had happened. All right. So again, they have no more money in their bank account. All right. Firefox, though. How about Firefox? The special snowflake that Firefox is. Yeah, yeah, yeah, clap. It was a bad day for me. So I'm glad you all think it's funny. Yeah.
19:42
So Firefox. And I'm sure some of you know already why this is the case. But so Firefox decided they're not going to trust Windows key store and trust store. That they're going to implement their own key store and trust store. So those commands that I issued earlier with the certutil, that's all for the Windows
20:01
certificates. NSS labs has the tool you can download to actually manipulate Firefox certs because they have their own key store, trust store. But it's not installed on a typical distribution. Therefore, it would be very hard to use, you know, on a victim's machine. So I kind of banged my head against the wall for a
20:22
while and, you know, my face looked a lot like that image there for quite a bit, trying to figure out how in the world to get this to work. And I just couldn't come up with anything clever. So that kind of brings me up to the next variant of the attack. The twin duck that I referred to earlier. So twin duck firmware, again, just to recap, it mounts both a USB mass storage device as well as that same
20:45
programmable keyboard mentality we just had before. So to use the twin duck firmware, obviously you're going to have to reflash the device. Not a big deal. Instructions are out there how to do that. Very straightforward. And I will make one little side note here that if you're planning on making some attacks
21:03
using the twin duck firmware, it's not really designed for really fast IOs. So don't be trying to load some massive application up on your, you know, micro SD card and pull from it through command line because it's going to probably behave a little differently than what you expected. Quick side note there. So let's
21:22
start this attack. How we're going to ‑‑ what's different this time we have to set it up. First steps are to create a new Firefox key store, trust store. And the easiest way to do that is go ahead and affect your own browser. So go ahead and open your own Firefox up and take that certificate
21:40
that you just exported from your proxy, load it into your own browser. All right. And I've kind of listed here how to do that. I'm sure you all know. Go ahead and click trust the certificate identities from that website, yes, so that way portfolio can sign anything through Firefox. Okay. After you do that, then you're going to pull your key store and trust store and copy it over to your micro SD card. And
22:02
it's located in the path listed on the screen. And that variable works for pretty much any basic install. You'll see it uses variables. As well as wildcard.default because it's going to give it some crazy number string.default. So that path right there if you just enter
22:21
that into your machine right now it would go to your Firefox profile. And you're going to get those two files there listed in the bottom. You're going to get the key 3 DB and the cert 8 DB. That's your key store and trust store for Firefox profiles. All right. So again from a high level how this attack is going to work now we've done the prework to set it all up. Same as before it's going to open a command
22:42
prompt with admin creds if it can get admin creds. It's going to then this time a little bit different. It's going to create a script to identify where that mass storage was mapped. So again we've got to think about this. We're going to it blind. We don't know what's going to be on the machine once it's plugged in. So it could be mapped to E drive, F drive, who knows. So a little script trying to find where the
23:02
ducky usc mass storage is located. Then it will create another script a little BBS script that will run a batch file invisibly. When I say invisibly it's just running in the background. The idea behind that is it's quicker to overwrite a script on the screen because it's all done with keyboard input than it is to write the whole batch file out.
23:22
And it just gives you a little less time that text is kind of scrolling across the screen. But what that batch file is going to do it's going to first add just like before it's going to add the windows trusted root certificate. It's going to then overwrite the user's Firefox and key store
23:41
and then it's going to create a new wireless profile connect to it and clean up. So here's what that batch file looks like just for those that are looking for the code part of the talk. You'll see here we obviously kill Firefox. We don't want to do anything while it's running. We same command to add
24:00
it to the windows enterprise store, the machine store and then you'll see that it overwrites the Firefox profiles. And as a quick view here's what the micro SD card looks like on my device. I'm going to do a demo. You'll see the XML file which is the wireless profile. You'll see
24:22
the cert file which is what we loaded to windows. You'll see the cert and key files for Firefox as well as the batch file we just looked at. So there's the files that are needed to run in the twin duck mode. So again we'll go back to looking at what it looks like from the user's point of view or the victim's point of view. Internet
24:42
exploder. Yeah, got them. Chrome. Same story. No more money in their bank account. Firefox. Yay, Firefox. Yeah. Sneaky bastard. Got you. So you'll see it's also been signed by Port Swigger. We got them. Again because we
25:02
loaded those trusted certificates into their own key store and trust store. So at this point I more or less consider the attack successful. Right? We've got all three modern browsers. And yeah, they've all been pwned. So with that being said, thank you, thank you. So we'll kind
25:26
of dive into the demonstration now and I kind of want to set this up so it makes somewhat of sense because I obviously don't have a nice environment here to have someone over there getting attacked and I'll show you guys. So what's going to happen is hopefully and please no one in the crowd be that guy
25:43
that tries to mess up my SSID, please. If you do, whatever, I've got a video but I'd rather do it live. So please don't screw with it. There's going to be the Windows machine which I'm presenting from, that's going to be the victim. Right? So you'll see Windows machine is where I'll
26:01
actually apply the rubber ducky payload but there's going to be a Kali Linux box. It's going to have a Debian background to kind of represent which is which. It'll be a Debian background VM that has, I've got a bunch of USB connections up here I can't really show you, but I've got a USB connection into a hard wire out to the Internet as well as a wireless radio that is going to be hosting the SSID
26:23
from the VM. And when the payload is deployed, hopefully the built-in wireless on the Windows machine will connect to that wireless radio. Right? So it's all kind of in one but it should depict what the attack would look like. All right. So let's do that now without further ado. So that's
26:44
what the Windows machine is going to look like. I'm going to change it so you can clone the machines again. You should be able to see my desktop now. All right. So
27:00
yeah, here's going to be the victim and let's go ahead and pull up super secret password. So before I actually get started, my resolution is all whacked out now, but this is the script that I was talking about, the MANA toolkit
27:23
script that I've kind of modified. So again, for anyone that wants to take note, it's, you know, using host APD again, using DNS masking and using some IP tables to redirect traffic. All right. So let's actually do that. Let's kick
27:41
that off. Actually, before I kick it off, let me show you. Again, here's the, I've already got burp suite up and running. So it's just listening on any interface on port 8080 and it's in transparent mode and there's where, again, where you'd go to export those certificates. All right. So let's go ahead and run that script. Hit enter to kill me.
28:16
That's a little brutal. Okay. So at this point, what I should see if I were to look, yeah, all right, there's SSID
28:26
being broadcast. It's actually trying to connect to it. I'll disconnect from it once it, just to prove that this does work. So now again, what I'm going to do is I'm going to
28:43
restart the payload. So I just, this would be indicative of me plugging in. I'm a dumb user that picked it up and I decided that, oh, I found a nice flash drive. Let me see what I can do with it. All right. Ten seconds. This is where drivers would be loading, but I already have the drivers on the machine. And the payload has now started and it's now
29:12
done. So that's how long it takes to do with magic. Yeah.
29:25
So there you'll see now it's connecting like it's supposed to be doing. It just takes a little bit. All right. So you guys are being nice to me, not kicking me off there. Appreciate that. So what we're going to do is now we're going to, and again, you guys already probably know damage
29:41
is going to be done now that I've got this connection in this shape, but just for grams. We'll go to a Facebook account that I created just for this presentation here. So please don't own my Facebook account. All right. And we'll also go again, poor Wells Fargo. I could use any other
30:00
bank, but they're not my bank, so that's why I chose them. So let's go for DEF CON user and some super secret
30:20
password. Let's log in. I hope to God this is no one's password. That would be awful. Let's see here. All right. Obviously didn't work. Okay. Perfect. So let's kill out of that. Demonstrate. Here we go. Okay. We got some data.
30:42
So the attack is working as we'd expect. So let's first look at Wells Fargo. You'll see like I had in the slides. There's the authentication packet. You'll see the post, the off log on. If I just go in here to parameters and scroll a little bit, you guys hope you can see that. Whoa.
31:04
DEF CON user password D3FCON23. Let's go ahead and transfer all the money out of that account. Got it. All right. Thank you. And now you may be kind of crashing your head like, well,
31:23
dude, you forgot to put a password in Facebook. Good luck getting that password now. You messed the presentation up because it was one of those little click box leave me always logged in, which I think we all kind of know what that means is you're using authentication cookies. That actually may be even worse because any of the Facebooks,
31:43
anyone who knows anything about Facebook and how they do their authentication cookies, let's see here, drag it up so you can see it a little bit better. But like every packet that you ever send to Facebook, you'll see this DATR cookie. Yeah, that's your authentication cookie. So every time you do anything in Facebook, it just
32:01
sends it over and over and over and over. So I can click on pretty much any of these posts and you'll see, yeah, there it is again. And there it is again. So what we'll do is we're going to go ahead and say, let me just have those cookies for a minute. And then I'll go over here to this account and just to prove there's no shanning that's going on. I'm not logged in. Yeah, see, I just
32:21
refreshed. No one's logged in here, but with the help of a little tool for those that are familiar with Greasemonkey, it's just a scripting tool. And I've got the cookie injector script loaded. If I go in here to do, yeah, let's go ahead and take those cookies I just stole and paste them in. Well, thank you. All right. So now we have hijacked the session.
32:47
Gotcha. Thank you. So and again, the point being there is it's not that Facebook's really your end goal and your attacks, but there's so many sites now
33:00
that are using the authentication cookies, I think that Facebook kind of just drives the point home that anywhere that uses the authentication cookies or passwords, it really doesn't matter. Once you're scripting in traffic, the data is yours. All right. So let's go back to presentation. I think it's going to see here. Wait for it. Wait for it. Got
33:24
it. All right. So now, since like I told you guys at the beginning, I'm not a fan tester. I'm not a security researcher. I am a security engineer. So I am paid to defend against these attacks and not create
33:41
them. So it's only fair and responsible thing that I talk about is how to stop this kind of attack. All right. So the first bullet I want to touch on here is wireless intrusion prevention systems, so WIPs systems. Those are not familiar with those. They're very powerful, but this style of attack would not work because as soon as I'd spin up that rogue AP, it'd start flooding me with D-off packets and it
34:03
just wouldn't work. So if your organization deploys some type of WIPs environment, you'd have to find some other mechanism to get into traffic to you other than through wireless. Disable mass storage devices. This is becoming more common just because of these, I guess, there's lots of style attacks, not to
34:22
mention DLP concerns. People are starting to disable mass storage, but that's also kind of a bummer if you're trying to do that second variant of the attack, because if you don't have mass storage available, you can't get all through browsers, at least the way that I did the payload. And take that kind of mentality a step further, a little more extreme. Some companies even disable USB ports
34:42
entirely. That would certainly limit the attack because none of the USB style attacks should work if it won't even turn on. And then this slide, I mean, this bullet I put in there, frankly that bullet could be in any DEF CON talk given this weekend. User training can always be encouraged to be
35:01
more responsible with X. Just today it's USB usage because that's what I'm talking about. So, yeah, you can always use more user training to encourage responsible use of technology. Multifactor authentication, yeah, so if I was able to pull this attack off on you and you're using some kind of
35:21
one-time use password or some token-based password, it's going to be very difficult for me to reuse that credential. So, yeah, that's another check in the box for why you should use multifactor authentication. And the last one here, it may not be quite so obvious, but those familiar with cloud proxy agents, a lot of organizations are
35:42
now starting to deploy them. So on all the corporate assets, what that does is it requires the company asset to talk directly out to a cloud resource for their proxy exceptions. And typically it has some type of authentication mechanism built into that. So if I got the middle of that communication, it would probably just break. It just wouldn't allow you to go anywhere and I
36:01
wouldn't be able to decrypt anything because it would have broken your connection. So a couple other things here to consider. I use wireless as the mechanism of getting the data to me, but that certainly doesn't have to be what you use. You
36:21
could set up like a proxy that listen out in the cloud, right, and instead of changing wireless settings, you could go in and say, let's monkey with some of the proxy settings to have it, no matter if it's hardwired, wireless, whatever, you always connect out to like say AWS proxy listener and you could have the same kind of attack take place. And the benefits there is, one,
36:41
again, hardwired or wireless, but you also don't have to be in physical proximity. So you could deploy this thing and no matter where they went, they'd be connected out to like a cloud listener. And you could also increase the authenticity. And what I mean by that is, again, I made this as just a proof of concept, you know, the files are labeled what they are. You could
37:02
certainly label them more, you know, suspicious things that people would be trying to really click in. Like if I was trying to get more authentic, I'd probably put in a file that says like salaries or something and, you know, I'd corrupt it so they'd keep trying to open it just to buy me more time of that screen in front of them before they thought something was fishy. As well as we
37:21
talked about putting a label on the device, you know, you could print out whatever label you were trying to attack, so company X, put that label on it. Another note here that the syntax will need to be adjusted slightly for whatever your victim base will be. And the reason I say that is certain OSs are going to have different dialog boxes pop up at different times, warnings pop up
37:42
at different times, as well as timers. So if your timers are on like a ‑‑ try to get it very aggressive on your timers on when things work and you put it into a really slow old machine, the timers may not work out right and it'll break the whole attack. So you got to really play with the timer, play with the syntax, but, you know, the attack should work
38:01
pretty much regardless of any version of Windows. And just a quick little shout out for the guys at Hack5. They have a forum out there for people to share, collaborate, new payloads. It's a pretty active community. So if you're thinking about doing this style of attack or you're looking at
38:22
new ways to get into this kind of thing, I recommend you go check them out. Because that's where I got a lot of the ideas and some of the code that I use for my attack. And with that, I'll finish here with please any questions you have, e‑mail me. I'm not going to try to do the question thing here in this forum. It's just too many people. But feel free to get any
38:42
questions. Find me out in the public areas. And with that, thank you guys all for your attention. I appreciate it.