DrDinosaur Posted February 10, 2013

Hello. I was interested in this attack vector, so I did some research on it. I liked the idea, so I did some experimentation as well. I'd just like to share my research paper I wrote on it. It covers both the Teensy and the USB Rubber Ducky. The district fair is coming up soon, so I have to prepare for it. Anyway, here is the link to the paper: http://goo.gl/meKuj

Thanks!
no42 Posted February 10, 2013 (edited)

Not bad for a first crack at a paper. I would like to see charts, e.g. comparing load/execution times on payloads; ducky vs teensy ;)

You briefly mentioned AV; you could expand on this, seeing how effective AV and device control is, e.g. Symantec, Sophos, ... or device control specialists like Lumension, GFI, DeviceLock.

Other interesting research:

http://www.slideshare.net/ppolstra1/philip-polstra (different build to Ducky, author uses FTDI chips, thought it was not possible with AVR)
http://www.slideshare.net/wagnerelias/usb-security (securing the use of Mass Storage Devices on Windows)
http://labs.mwrinfosecurity.com/blog/2011/07/14/usb-fuzzing-for-the-masses/ (looking for vulnerabilities in USB drivers)
http://www.nccgroup.com/en/blog/2013/01/lessons-learned-from-50-usb-bugs/ (very similar to mwr's research????)
http://www.nccgroup.com/en/blog/2013/01/the-death-of-usb-autorun-and-the-rise-of-the-usb-keyboard/ (a quick and dirty write-up after learning about the Ducky)
http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET) (SET and Teensy)
http://labs.mwrinfosecurity.com/assets/135/mwri_t2-usb-fun-with-plug-and-0wn_2009-10-29.pdf (Pwn with USB devices)

Edited February 16, 2013 by midnitesnake
CaptainHooligan Posted February 17, 2013

Great share! Just as mentioned above, some AV solutions include a Host Based Security System (HBSS) which can whitelist hardware as well as software. In an environment that uses all Dell keyboards or just specific ones that do not use generic drivers this attack would be defeated.
no42 Posted February 17, 2013

> Great share! Just as mentioned above, some AV solutions include a Host Based Security System (HBSS) which can whitelist hardware as well as software. In an environment that uses all Dell keyboards or just specific ones that do not use generic drivers this attack would be defeated.

Not with version 2 firmware (normally the whitelist is based off VID & PID). Assuming you have a laptop, you can re-write vidpid.bin to support the VID & PID of a known device (obtainable from Device Manager on Win_X or lsusb (usbutils package) (or at least dev) on Unix). Bypass AV/HBSS for the win!
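As an added example (not written by any poster in this thread), here is a sketch of why an allowlist keyed only on VID & PID passes a device that reports a known keyboard's IDs, and one extra check a defender can layer on top: comparing the attached devices against a baseline inventory. The `lsusb` lines, the allowlist and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample `lsusb` output; IDs and names are illustrative only.
BASELINE = """\
Bus 001 Device 002: ID 413c:2107 Dell Computer Corp. Keyboard
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. Mouse
"""
CURRENT = """\
Bus 001 Device 002: ID 413c:2107 Dell Computer Corp. Keyboard
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. Mouse
Bus 002 Device 005: ID 413c:2107 Dell Computer Corp. Keyboard
Bus 002 Device 006: ID 1234:abcd Unlisted device
"""
ALLOWLIST = {"413c:2107", "046d:c077"}  # hypothetical site policy

LINE = re.compile(
    r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-f]{4}):([0-9a-f]{4})\s*(.*)$"
)

def parse_lsusb(text):
    """Turn `lsusb` lines into dicts; lines that do not match are skipped."""
    devices = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            bus, dev, vid, pid, desc = m.groups()
            devices.append({"bus": bus, "dev": dev,
                            "id": f"{vid}:{pid}", "desc": desc})
    return devices

def audit(baseline_text, current_text, allowlist):
    """Return (action, vid:pid, location) findings for the current device list.

    'block'  : VID:PID is not on the allowlist (the classic check).
    'review' : VID:PID is allowed, but more devices claim it than the
               baseline recorded. A VID:PID-only check would pass these.
    """
    base_counts = Counter(d["id"] for d in parse_lsusb(baseline_text))
    seen = Counter()
    findings = []
    for d in parse_lsusb(current_text):
        seen[d["id"]] += 1
        where = f"bus {d['bus']} dev {d['dev']}"
        if d["id"] not in allowlist:
            findings.append(("block", d["id"], where))
        elif seen[d["id"]] > base_counts[d["id"]]:
            findings.append(("review", d["id"], where))
    return findings
```

The baseline count is only one signal; it catches a second device claiming an allowed identity but not a one-for-one swap, so it complements rather than replaces the allowlist.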
CaptainHooligan Posted February 18, 2013

> Not with version 2 firmware (normally the whitelist is based off VID & PID). Assuming you have a laptop, you can re-write vidpid.bin to support the VID & PID of a known device (obtainable from Device Manager on Win_X or lsusb (usbutils package) (or at least dev) on Unix). Bypass AV/HBSS for the win!

Good call! As always, the more research you do on a target the better prepared you can be.
no42 Posted February 18, 2013

You could even do some old skool Social Engineering type phone calls beforehand: complain about your keyboard, ask the person about their keyboard, how they like it, and any identifying manufacturing marks, e.g. Dell, Logitech, because you want to go out and try one for yourself.

Then look up the VID & PID on: http://code.google.com/p/ducky-decode/wiki/Keyboard_VID_PIDS
DrDinosaur (Author) Posted April 11, 2013

Hello again. Just a quick update. I made it to the state science fair and presented my project to some of the professors of computer science at the nearby university. They seemed to enjoy it and were interested. Here's what I put on FB:

"Won three awards for my science fair project. I got best in category for computer science in senior research (best computer science project in state of Hawaii), $200 from Intel in the national Excellence in Computer Science Award (winner of entire computer science division), and $200 from the Department of Information and Computer Sciences and the University of Hawaii at Manoa (general award for excellence in computer science). They even said my project name out loud (which is rare and rather humorous given the manner in which they said it in) and spelt my name right in everything. Until next year."

Thanks to the rubber ducky community for all the resources and support! I hope to do another computer security project next year. Maybe with pineapple, but I'm not sure yet. Anyway, thanks again.

Regards,
Dillon