Introduction to BadUSB Using Arduino Leonardo


Shandong Xinxin Information


Disclaimer: This is an original article by the Tide Security Team, please state the source when reprinting! The technologies, ideas, and tools mentioned in this article are for educational exchange purposes only, and no one may use them for illegal purposes or profit, otherwise the consequences will be borne by themselves!

Introduction

With the offensive and defensive exercises temporarily concluded, I recall the impressive operations seen during them, such as drones modified with a Raspberry Pi and an 8187L wireless card, and the various covert tricks; of course, attackers also scattered BadUSB devices near various targets, attempting to compromise them by physical means…

0X00 Principles and Basic Knowledge

Overview

An old friend picks up a USB stick, plugs it into the PC, and the machine comes online.

This (stupid) wonderful story made me want to learn how to build a BadUSB, so I bought an Arduino Leonardo board from Taobao, shown in the figure below.


In simple terms, the device is plugged directly into the victim's computer and executes code there, for purposes such as disrupting the host, controlling it, or stealing information.

Basic Knowledge

HID Attack

HID stands for Human Interface Device, and from its name, we can understand that HID devices are those that interact directly with humans, such as keyboards, mice, and game controllers. However, HID devices do not necessarily have to have a human interface; any device that meets the HID category specification is an HID device. Generally speaking, attacks targeting HID mainly focus on keyboards and mice, as controlling a user’s keyboard essentially means controlling the user’s computer. Attackers hide the attack within a normal mouse or keyboard, and when the user inserts the mouse or keyboard containing the attack vector into the computer, the malicious code is loaded and executed.

Teensy

When customizing an attack device, the attacker embeds an attack chip into the USB device. This attack chip is a very small and fully functional microcontroller development system called TEENSY. With TEENSY, you can simulate a keyboard and mouse. When you insert this customized USB device, the computer will recognize it as a keyboard, and using the microprocessor and storage space in the device along with the programmed attack code, it can send control commands to the host, thus completely controlling the host, regardless of whether autoplay is enabled or not. For more information on TEENSY, you can refer to the article “HID Attack with TEENSY Practical” by Tianrongxin Alpha Lab.

Arduino

Arduino is a convenient, flexible, and easy-to-use open-source electronic prototyping platform. It is built on a simple open-source I/O interface and comes with a Processing/Wiring development environment whose language resembles Java and C. It consists of two parts: the hardware part is the Arduino circuit board used for wiring up circuits; the other is the Arduino IDE, the program development environment on your computer. You simply write the program code in the IDE, upload the program to the Arduino board, and the program tells the board what to do.

Operational Process

After inserting BadUSB, it simulates keyboard and mouse operations on the computer. Through these operations, it opens the command terminal on the computer and executes a command that downloads other code from a specified URL and runs silently in the background. These codes can perform functions such as information theft, reverse shells, sending emails, etc., thus achieving the purpose of controlling the target machine or stealing information.

Arduino

Features of Arduino

Cross-Platform

The Arduino programming platform can run on various operating systems including Windows, Mac OS X, Linux, Android, and iOS. Most other controllers can only be developed on Windows.

Programming Flexibility

Thanks to the efforts of makers worldwide, the Arduino programming platform can now be developed without traditional programming on a PC. A simpler and more practical graphical programming software has been developed, further lowering the learning threshold for Arduino programming, allowing beginners to create their smart projects more quickly.

Openness

The hardware schematics, circuit diagrams, IDE software, and core libraries of Arduino are all open-source, allowing developers to modify the original designs and corresponding codes within the open-source protocol.

Rapid Development

Arduino is not only the most popular open-source hardware globally but also an excellent hardware development platform and a trend in hardware development. The simple development method of Arduino allows developers to focus more on creativity and implementation, completing their project development faster, greatly reducing learning costs and shortening development cycles.

Types of Arduino Boards

Arduino has released more than ten models of boards, including the basic model UNO, the smaller Micro, and the MEGA board with more pins. Pictured below:

Arduino UNO

Arduino Leonardo

Arduino MICRO

Arduino MEGA 2560

The above is an introduction to Arduino boards, now let’s get to the main topic.

0X01 Installing Drivers and Connecting Arduino IDE

Linux and Mac OS do not require driver installation, but Win7 does. When the Arduino Leonardo is plugged into Win7, a yellow exclamation mark appears as shown in the figure below. The driver can be found in the drivers folder under the Arduino IDE directory.

Introduction to BadUSB Using Arduino Leonardo

Downloading the Arduino IDE from the official website may be a bit slow, so I have uploaded it to a cloud disk, the link is as follows, feel free to download and unzip it for use.

https://pan.baidu.com/s/1UqLszoiN8OI_vM3QYMlgIA Password: 8asp

0X02 Example Operation

After plugging the board into the computer, open the Arduino IDE. Below is the IDE startup interface.

Arduino IDE toolbar -> Board -> select "Arduino Leonardo"

Arduino IDE toolbar -> Port -> select "COMX (Arduino Leonardo)"

Calculator example: from this first program it is easy to see that the structure of an Arduino program differs from a traditional C program: an Arduino program has no main function. In fact, main is hidden in the Arduino core library files. During Arduino development we never touch main directly; instead we work with the setup and loop functions.

setup()  // Runs once after the Arduino controller is powered on or reset; used for initialization (I/O ports, serial ports, etc.).
loop()   // Runs after setup() finishes and repeats forever; the main functionality of the program (driving modules, collecting data, etc.) usually lives here.


Calculator code:

#include <Keyboard.h>   // Arduino keyboard emulation library (Leonardo is natively USB HID capable)

void setup() {
    Keyboard.begin();               // Start keyboard communication
    delay(1000);                    // Give the host time to enumerate the new keyboard
    Keyboard.press(KEY_LEFT_GUI);   // Hold the Win key
    delay(500);
    Keyboard.press('r');            // Win+R opens the Run dialog
    delay(500);
    Keyboard.release(KEY_LEFT_GUI);
    Keyboard.release('r');
    Keyboard.press(KEY_CAPS_LOCK);  // Toggle Caps Lock before typing
    Keyboard.release(KEY_CAPS_LOCK);
    delay(500);
    Keyboard.println("CALC");       // Type the command; println also sends Enter
    Keyboard.press(KEY_RETURN);     // Extra Enter for good measure
    Keyboard.release(KEY_RETURN);
    Keyboard.press(KEY_CAPS_LOCK);  // Toggle Caps Lock back to its original state
    Keyboard.release(KEY_CAPS_LOCK);
    Keyboard.end();                 // End keyboard communication
}

void loop() // Nothing to repeat: the payload runs once in setup()
{
}

Note: during upload the board may appear to disconnect. This is expected: the Leonardo is set to reset the controller during upload, so there is no need to press the reset button manually.

Arduino pops up the calculator:

Another example, popping up a window:

And downloading malicious files from a remote server, etc.

This article is mainly meant to give myself a preliminary understanding of the Arduino Leonardo to support further research later (not because my VPS was banned). For the many follow-on uses, refer to the excellent articles by predecessors: Vick's "Quickly Making Teensy BadUSB with Arduino", which describes BadUSB construction in detail from both an introductory and a practical angle; Lpcdma's "Using Arduino for Penetration Testing", which combines SET with Arduino; and Mrzcpo's "Advanced HID Attack Posture: File Theft Using PowerShell Scripts", which walks through the steps for retrieving files and various payload evasion techniques against internal network devices.

0X03 BadUSB Defense

You may notice that the BadUSB I use (mainly due to being poor) only works on Win10; Win7 prompts for driver installation. The purpose of referring to foreign experts' articles is mainly (mainly to increase the word count of this article) to learn how to defend against BadUSB. The following is based on the article "How to Fix the Critical BadUSB Security Flaw in Less than 10 Minutes".

Create a Blacklist

1. "Start" -> "Run", then type gpedit.msc to open the "Local Group Policy Editor".

2. Navigate to: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions

3. Double-click "Prevent installation of devices using drivers that match these device setup classes" and set it to Enabled.

4. In the same policy, click "Show" and enter the setup-class GUIDs of the USB device classes to blacklist. The table below lists a few common GUIDs and their corresponding devices; before relying on a GUID, confirm it against the Class GUID shown in the device's properties in Device Manager on your own machine:

GUID                                    Device class
4d36e96b-E325-11CE-BFC1-08402BE10318    USB keyboards (controls automatic installation of keyboards)
4D36E972-E325-11CE-BFC1-08012BE10318    NIC (Network Interface Controller)
e0cbf06c-cd8b-4647-bb8a-263b45f0f974    Bluetooth

For more information on GUID numbers, please refer to the quick reference for GUID numbers.

Avoid Automatic USB Installation

Another way to protect the system from BadUSB is to disable the automatic installation of new USB devices, in the same policy location as above.

1. "Start" -> "Run", then type gpedit.msc to open the "Local Group Policy Editor".

2. Navigate to: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions

3. Double-click "Prevent installation of removable devices" and enable it.

4. Double-click "Allow administrators to override Device Installation Restriction policies" and enable it, so that administrators can still install approved devices.
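As an added example (not from the original article), the following PowerShell script audits the Device Installation Restrictions policies configured in the two procedures above by reading the registry values that Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions, then checks every attached keyboard-class device against the GUID blacklist. It assumes Windows 10 with the built-in PnpDevice module and an elevated PowerShell session.

```powershell
# Added example, not part of the original article. Audit the Device
# Installation Restrictions policies from the steps above and list attached
# keyboard-class devices (a Leonardo BadUSB enumerates as a plain HID keyboard).
$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyValue([string]$Name) {
    # Returns $null when the policy is "Not Configured" (value or key absent).
    (Get-ItemProperty -Path $Restrictions -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-DeniedClassGuids {
    # "Prevent installation of devices using drivers that match these device
    # setup classes" stores the "Show" list as values named 1, 2, ... here.
    $key = Join-Path $Restrictions 'DenyDeviceClasses'
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { ([string]$_.Value).Trim('{}').ToLowerInvariant() }
}

$denied        = @(Get-DeniedClassGuids)
$classDenyOn   = (Get-PolicyValue 'DenyDeviceClasses')    -eq 1
$removableOff  = (Get-PolicyValue 'DenyRemovableDevices') -eq 1
$adminOverride = (Get-PolicyValue 'AllowAdminInstall')    -eq 1

"Setup-class blacklist enabled    : $classDenyOn ($($denied.Count) GUIDs)"
"Removable device install blocked : $removableOff"
"Admin override allowed           : $adminOverride"

# Compare every present keyboard against the blacklist. The policy only stops
# new installations, so a keyboard installed before the policy was applied
# still shows Status OK here even though its class is in the deny list.
Get-PnpDevice -Class Keyboard -PresentOnly | ForEach-Object {
    $guid = ([string]$_.ClassGuid).Trim('{}').ToLowerInvariant()
    [pscustomobject]@{
        Device     = $_.FriendlyName
        Instance   = $_.InstanceId
        ClassGuid  = $guid
        Status     = $_.Status
        InDenyList = $classDenyOn -and ($denied -contains $guid)
    }
} | Format-Table -AutoSize
```

If a device already installed before the policy shows InDenyList True but Status OK, enable the policy's "Also apply to matching devices that are already installed" option so existing devices of that class are disabled as well.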

Disable Inactive USB Ports

Of course, a more (bold) strategy is to disable those inactive USB ports, physically isolating them to solve most BadUSB issues.

0X04 Conclusion

As mentioned earlier, this article is mainly meant to give myself a preliminary understanding of the Arduino Leonardo and to lay the groundwork for further learning. I hope the experts will correct any mistakes.

0X05 References and Thanks

https://www.jianshu.com/p/38cc68ff44ab

https://www.cnblogs.com/danpianjicainiao/p/11048576.html#_label1

https://heimdalsecurity.com/blog/badusb-exploit-vulnerability-fix/

https://blog.csdn.net/cd_xuyue/article/details/50500579

*Author of this article: Parad0x, this article belongs to the FreeBuf original reward program, reprinting without permission is prohibited.
