
Auto detect OS and choose appropriate payload?


Ok, so I did quite a bit of research and googling about this topic.

Theoretically it is possible to detect which OS the USB stick is running on. While the OS itself never identifies any information about the OS or host hardware, it does use a handshake to authenticate with the USB device.

The sequence of this handshake is slightly different in every OS and has got some unique properties.

I have already noted the unique identifiers for OS X 10.7, Windows XP and Windows 8 using past research.

The only thing we would need to autodetect the OS is to code the ducky to save the handshake!
A small program will check the handshake for the unique identifiers and reliably determine the OS!

If and how it is possible to save the handshake with the ducky I don't know. Does anyone have any knowledge about this?


That is a good start.

Things like Android phones, Linux set-top-boxes (STBs) and embedded devices do not usually have a keyboard.

I have two STBs which can be controlled with keyboards for example.

In those cases OS auto detection makes a lot of sense.

The USB rubber ducky does respond to the handshake from the OS when it identifies itself as a HID.

I don't see why the rubber ducky cannot save the handshake to RAM before it responds to the OS!? Do you guys know if this can be done?

I do not have a rubber ducky yet. If anyone is good at C though I can help you with the theory!

If you are good at C please let me know and we can make this hack together.


Why do you think that Oli? I know you are somewhat against the products because of the lack of support from Hak5... Maybe this is a bias of yours?

Nohl's BadUSB runs on a USB flash drive that is quite a lot weaker than the rubber ducky. His USB stick has an 8-bit microprocessor with 12 MHz.

AND it is perfectly capable of saving and comparing the handshake and therefore auto detecting the system!

I know what to look out for in the source code to make this happen. Theoretically it is easy.

Please keep this discussion technical.


It is not bias - I just believe that what you are asking is not possible (and that your understanding of BadUSB is flawed). You keep it technical: show us where in the USB protocol you think it is possible and how it is possible with a proprietary Atmel microcontroller and firmware. Also explain to the writers of the alternate ducky firmwares how they were stupid and overlooked such a simple way to determine the OS. Assuming this kind of thing is possible then a ducky is not a sensible choice of device as it has no hardware extensibility.


I apologise Oli. I have looked through your other posts and you seem like an awesome guy who knows his stuff!

Regarding BadUSB: the code hasn't been released. The capabilities include: detection of the OS and switching USB classes from mass storage to HID while the stick is plugged in, for example.

Have a look here

With that said I have gathered all the necessary info to be able to build an OS detection feature myself. I am not the brightest of people when it comes to computers though. I am more than sure that you or one of the other guys here will be able to show me how to implement the features with the info I have obtained.

Edited by Polisher

  • 2 weeks later...

Is there a release date for this OS fingerprinting on the c_duck twin duck firmware?

Karsten Nohl didn't release his BadUSB firmware for a good reason in my opinion.

I am going to respect his opinions and not release it when it is finished. I will only share it with a few friends...

Besides, I have not bought a rubber ducky yet. I am ready to code it now though!
