Shandong Xinxin Information
Professional | Focused | Excellent | Secure
Disclaimer: This is an original article by the Tide Security Team; please credit the source when reprinting! The technologies, ideas and tools mentioned in this article are for educational exchange only. Nobody may use them for illegal purposes or for profit; anyone who does bears the consequences themselves!
Introduction
With the offensive and defensive exercises temporarily over, I recall some of the remarkable tricks seen during them: drones modified with a Raspberry Pi and an 8187L wireless card, all kinds of covert operations, and of course attackers scattering BadUSB devices near their targets in an attempt to take them down by physical means…
0X00 Principles and Basic Knowledge
Overview
Old friend, pick up the USB stick, plug it into the PC, and the host comes online (that is, it connects back to the attacker).
This (silly) wonderful story made me want to learn how to build a BadUSB myself, so I bought an Arduino Leonardo board from Taobao, shown in the figure below.
Put simply, the device is plugged into the victim's computer and executes code there, which can be used to disrupt the host, take control of it, or steal information.
Basic Knowledge
HID Attack
HID stands for Human Interface Device; as the name suggests, HID devices are those that interact directly with people, such as keyboards, mice and game controllers. A device does not actually need a human interface to be a HID, though: anything that conforms to the USB HID class specification is a HID device. Attacks targeting HID mostly focus on keyboards and mice, because whoever controls a user's keyboard effectively controls the user's computer. The attacker hides the attack inside what looks like a normal mouse or keyboard; when the user plugs the device carrying the attack vector into the computer, the malicious code is loaded and executed.
Teensy
When building a custom attack device, the attacker embeds an attack chip in a USB device. The chip is a very small but fully functional microcontroller development board called Teensy, which can emulate a keyboard and mouse. When the customised USB device is plugged in, the computer recognises it as a keyboard; using the microcontroller, its storage and the pre-programmed attack code, the device sends keystrokes to the host and can thereby take full control of it, whether or not AutoPlay is enabled. For more on Teensy, see the article "HID Attack with TEENSY Practical" by Tianrongxin Alpha Lab.
Arduino
Arduino is a convenient, flexible and easy-to-use open-source electronics prototyping platform. It is built around a simple open-source I/O board and a development environment derived from Processing/Wiring, programmed in a C/C++-like language. It has two parts: the hardware, an Arduino board to which circuits are connected, and the Arduino IDE, the development environment on your computer. You write the program in the IDE, upload it to the board, and the program tells the board what to do.
Operational Process
Once plugged in, the BadUSB emulates keyboard and mouse input on the computer. Through these keystrokes it opens a command prompt and runs a command that downloads further code from a URL of the attacker's choosing and executes it silently in the background. That code can steal information, open a reverse shell, send e-mail and so on, giving the attacker control of the target machine or its data.
Arduino
Features of Arduino
Cross-Platform
The official Arduino IDE runs on Windows, Mac OS X and Linux, and third-party Arduino programming apps exist for Android, whereas most other microcontrollers can only be developed for on Windows.
Programming Flexibility
Thanks to the efforts of makers worldwide, Arduino can now be programmed without traditional text-based coding on a PC: simpler and more practical graphical programming tools have been developed, which lower the learning threshold further and let beginners build their smart projects faster.
Openness
The hardware schematics, circuit diagrams, IDE software, and core libraries of Arduino are all open-source, allowing developers to modify the original designs and corresponding codes within the open-source protocol.
Rapid Development
Arduino is not only the most popular open-source hardware globally but also an excellent hardware development platform and a trend in hardware development. The simple development method of Arduino allows developers to focus more on creativity and implementation, completing their project development faster, greatly reducing learning costs and shortening development cycles.
Types of Arduino Boards
Arduino has released more than ten board models, including the basic UNO, the smaller Micro, and the MEGA with more pins.
Arduino UNO
Arduino Leonardo
Arduino MICRO
Arduino MEGA 2560
The above is an introduction to Arduino boards, now let’s get to the main topic.
0X01 Installing Drivers and Connecting Arduino IDE
Linux and Mac OS need no driver, but Windows 7 does. When a Leonardo is plugged into Win7, a yellow exclamation mark appears in Device Manager, as in the figure below. The driver is in the drivers folder of the Arduino IDE directory (the Arduino IDE 1.x Windows package).
Downloading the Arduino IDE from the official website can be slow, so I uploaded it to a cloud drive; download and unzip it from the link below.
https://pan.baidu.com/s/1UqLszoiN8OI_vM3QYMlgIA Password: 8asp
0X02 Example Operation
Plug the board into the computer and open the Arduino IDE. Below is the IDE start screen.
Arduino IDE Tools menu -> Board -> select "Arduino Leonardo"
Arduino IDE Tools menu -> Port -> select "COMX (Arduino Leonardo)" (the COM number varies from machine to machine)
Calculator example. From this first program it is easy to see that an Arduino sketch is structured differently from a traditional C program: there is no main function. main() does exist, but it lives in the Arduino core library; during Arduino development you never touch it and instead write the setup and loop functions.
setup(): runs once after the Arduino controller is powered on or reset and performs the initialisation (I/O pins, serial port, etc.);
loop(): after setup() returns, Arduino runs loop() forever; the program inside it repeats endlessly. The main functionality usually lives here, such as driving modules and collecting data. (In the sketch below the payload runs once from setup() and loop() is left empty.)
Calculator code:
#include <Keyboard.h>

void setup() {
  Keyboard.begin();                 // start acting as a USB HID keyboard
  delay(1000);                      // wait for the host to finish enumerating the device (1 s is tight on slow hosts; longer is safer)
  Keyboard.press(KEY_LEFT_GUI);     // hold the Win key ...
  delay(500);
  Keyboard.press('r');              // ... and press R: opens the Run dialog
  delay(500);
  Keyboard.release(KEY_LEFT_GUI);
  Keyboard.release('r');
  Keyboard.press(KEY_CAPS_LOCK);    // toggle Caps Lock: a common trick so that an active Chinese IME
  Keyboard.release(KEY_CAPS_LOCK);  // switches to English input and does not swallow the typed letters
  delay(500);                       // give the Run dialog time to appear
  Keyboard.print("CALC");           // type the command (print, not println: println would send its own Enter as well)
  Keyboard.press(KEY_RETURN);       // press Enter to run it
  Keyboard.release(KEY_RETURN);
  Keyboard.press(KEY_CAPS_LOCK);    // toggle Caps Lock back to its original state
  Keyboard.release(KEY_CAPS_LOCK);
  Keyboard.end();                   // stop acting as a keyboard
}

void loop() {
  // nothing to do: the payload runs once from setup()
}
Note: During upload the board may appear to disconnect. This is expected: the Leonardo drives USB from its ATmega32U4 directly, and when the IDE triggers the bootloader the board resets and re-enumerates, so the COM port briefly disappears; you do not need to press the reset button yourself. One practical caveat: because the payload runs from setup() the moment the board is powered, a sketch that immediately grabs the keyboard can make re-flashing awkward. Gating the payload on a jumper (read an input pin before calling Keyboard.begin()) or keeping a generous initial delay keeps the board easy to reprogram.
Arduino pops up the calculator:
Another example, popping up a window:
Or downloading malicious files from a remote server, and so on.
This article is mainly a first look at the Arduino Leonardo to lay the groundwork for further research (and not because my VPS was banned). Many follow-on uses are covered in excellent earlier articles: Vick's "Quickly Making Teensy BadUSB with Arduino" describes BadUSB construction in detail from both the popular-science and the practical side; Lpcdma's "Using Arduino for Penetration Testing" combines SET with Arduino; and Mrzcpo's "Advanced HID Attack Posture: File Theft Using PowerShell Scripts" walks through the steps for file exfiltration, various payload evasion techniques, and targeting devices on the internal network.
0X03 BadUSB Defense
You may have noticed that the BadUSB I use (mainly because I am poor) only worked on Win10; on Win7 it prompts to install a driver (Win7 ships no inbox driver for the Leonardo's USB CDC serial interface, which is what the prompt is about). The rest of this section draws on a foreign article (mainly to pad the word count) to learn how to defend against BadUSB: "How to Fix the Critical BadUSB Security Flaw in Less than 10 Minutes" (Heimdal Security, see references).
Create a Blacklist
1. "Start" -> "Run", type gpedit.msc to open the "Local Group Policy Editor".
2. Navigate to Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions.
3. Double-click "Prevent installation of devices using drivers that match these device setup classes" and select Enabled.
4. In the same policy, click "Show" and add the device setup class GUIDs to block (enter each GUID in braces). The table below lists a few common device setup classes:

| Device setup class GUID | Device class |
|---|---|
| {4D36E96B-E325-11CE-BFC1-08002BE10318} | Keyboard: blocks automatic installation of (USB) keyboards |
| {4D36E972-E325-11CE-BFC1-08002BE10318} | Net: network interface controllers (a BadUSB can also pose as a USB NIC) |
| {E0CBF06C-CD8B-4647-BB8A-263B43F0F974} | Bluetooth |

Note: these are device *setup class* GUIDs, not the IDs of individual devices. The Keyboard class covers every keyboard, including a laptop's built-in one, so pair the deny rule with "Allow installation of devices that match any of these device IDs" listing the hardware IDs of approved keyboards (a device-ID allow rule takes precedence over the class deny rule), and tick "Also apply to matching devices that are already installed" so a device the machine has already seen is blocked too. For more GUIDs, refer to Microsoft's list of system-defined device setup classes.
Avoid Automatic USB Installation
Another way to protect the system from BadUSB is to disable automatic installation of new USB devices, in the same location as above:
1. "Start" -> "Run", type gpedit.msc to open the "Local Group Policy Editor".
2. Navigate to Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions.
3. Double-click "Prevent installation of removable devices" and enable it. Note that this blocks every removable device, USB flash drives included, not just HID devices.
4. Double-click "Allow administrators to override Device Installation Restriction policies" and enable it, so that administrators can still install devices that are legitimately needed.
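The two Group Policy procedures above write their settings to the registry, and the same settings can be applied and verified from an elevated PowerShell session. The block below is an added example, not part of the original article or of the Heimdal post it summarises: it lists the keyboards currently present with their hardware IDs, applies the class deny list, the removable-device and administrator-override policies, and an allow-list for approved keyboards, then checks that the values are in place. The allow-listed hardware ID USB\VID_046D&PID_C31C is an assumed placeholder to be replaced with your own approved keyboard's ID, and the registry value names are those written by Microsoft's DeviceInstallation policy templates.

```powershell
# Added example (not from the original article): apply the Device Installation
# Restrictions that the Group Policy steps above set, via the registry values
# those policies write, and audit the keyboards currently present.
# Run as Administrator. The allow-listed hardware ID is a placeholder (assumption).

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PresentKeyboards {
    # Lists keyboards Windows currently sees, with their hardware IDs, so an
    # allow-list of known-good devices can be built before any deny rule is enabled.
    Get-PnpDevice -Class Keyboard -PresentOnly | ForEach-Object {
        $hwids = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
        [pscustomobject]@{
            FriendlyName = $_.FriendlyName
            InstanceId   = $_.InstanceId
            HardwareId   = $hwids[0]
        }
    }
}

function Set-BadUsbRestrictions {
    param(
        # Device setup classes to deny: Keyboard, Net, Bluetooth (the table above).
        [string[]]$DenyClasses = @(
            '{4D36E96B-E325-11CE-BFC1-08002BE10318}',
            '{4D36E972-E325-11CE-BFC1-08002BE10318}',
            '{E0CBF06C-CD8B-4647-BB8A-263B43F0F974}'
        ),
        # Hardware IDs of keyboards that must keep working. The value below is an
        # assumed placeholder, not a recommendation: take it from Get-PresentKeyboards.
        [string[]]$AllowDeviceIds = @('USB\VID_046D&PID_C31C')
    )

    New-Item -Path $Restrictions -Force | Out-Null
    New-Item -Path "$Restrictions\DenyDeviceClasses" -Force | Out-Null
    New-Item -Path "$Restrictions\AllowDeviceIDs" -Force | Out-Null

    # "Prevent installation of devices using drivers that match these device setup classes"
    Set-ItemProperty -Path $Restrictions -Name DenyDeviceClasses -Type DWord -Value 1
    # "Also apply to matching devices that are already installed": without it an
    # already-seen BadUSB keeps working after the policy is set.
    Set-ItemProperty -Path $Restrictions -Name DenyDeviceClassesRetroactive -Type DWord -Value 1
    $i = 1
    foreach ($guid in $DenyClasses) {
        Set-ItemProperty -Path "$Restrictions\DenyDeviceClasses" -Name $i -Type String -Value $guid
        $i++
    }

    # "Prevent installation of removable devices"
    Set-ItemProperty -Path $Restrictions -Name DenyRemovableDevices -Type DWord -Value 1
    # "Allow administrators to override Device Installation Restriction policies"
    Set-ItemProperty -Path $Restrictions -Name AllowAdminInstall -Type DWord -Value 1

    # "Allow installation of devices that match any of these device IDs": without
    # this, the Keyboard-class deny rule also blocks every legitimate keyboard.
    Set-ItemProperty -Path $Restrictions -Name AllowDeviceIDs -Type DWord -Value 1
    $i = 1
    foreach ($id in $AllowDeviceIds) {
        Set-ItemProperty -Path "$Restrictions\AllowDeviceIDs" -Name $i -Type String -Value $id
        $i++
    }
}

function Test-BadUsbRestrictions {
    # Verifies that the expected values are in place and returns them as one object.
    $p = Get-ItemProperty -Path $Restrictions
    $allowKey = Get-Item -Path "$Restrictions\AllowDeviceIDs"
    [pscustomobject]@{
        DenyClassesEnabled = ($p.DenyDeviceClasses -eq 1)
        Retroactive        = ($p.DenyDeviceClassesRetroactive -eq 1)
        DenyRemovable      = ($p.DenyRemovableDevices -eq 1)
        AdminOverride      = ($p.AllowAdminInstall -eq 1)
        AllowListEnabled   = ($p.AllowDeviceIDs -eq 1)
        AllowedIds         = @($allowKey.GetValueNames() | ForEach-Object { $allowKey.GetValue($_) })
    }
}

Get-PresentKeyboards | Format-Table -AutoSize   # audit first, then restrict
Set-BadUsbRestrictions
Test-BadUsbRestrictions | Format-List
```

Run it as Administrator on a standalone machine; in a domain, deploy the same settings through a GPO instead. Without the allow-list entry the Keyboard-class deny rule blocks every keyboard, including a laptop's built-in one, so run Get-PresentKeyboards first and copy the hardware ID of each keyboard that must keep working. A device-ID rule is only as good as the IDs it trusts: an unmodified Leonardo shows up as USB\VID_2341&PID_8036, but a BadUSB can present any VID and PID, including one cloned from an allow-listed keyboard, which is why denying the whole class and allowing only known devices is stronger than denying the Arduino's own ID.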
Disable Inactive USB Ports
Of course, a more drastic strategy is to disable unused USB ports outright; physically isolating them solves most BadUSB problems.
0X04 Conclusion
As mentioned above, this article is mainly my first look at the Arduino Leonardo, to prepare for further learning. Corrections from the experts are welcome.
0X05 References and Thanks
https://www.jianshu.com/p/38cc68ff44ab
https://www.cnblogs.com/danpianjicainiao/p/11048576.html#_label1
https://heimdalsecurity.com/blog/badusb-exploit-vulnerability-fix/
https://blog.csdn.net/cd_xuyue/article/details/50500579
*Author of this article: Parad0x, this article belongs to the FreeBuf original reward program, reprinting without permission is prohibited.
The Tide Security Team was officially established in January 2019 and is a security team under Xinxin Information focused on internet offensive and defensive technology research. It currently gathers more than ten professional security offensive and defensive technology researchers, focusing on network offense and defense, web security, mobile terminal, secure development, IoT/Internet of Things/Industrial Control security, and other directions.
To learn more about the Tide Security Team, please follow the team official website: http://www.TideSec.net or long press the QR code to follow the public account: