Jump to content

badUSB & Secondhand PCs


broadsworde
 Share

Recommended Posts

I want to get into penetration testing, and want to use a dedicated PC for the task. I was thinking about getting a cheap second hand machine, but I'm stuck on believing that pre-used computers can no longer be trusted because of possible badUSB firmware infections that are undetectable and unfixable... am I correct in this belief?

 

Thanks in anticipation.

Link to comment
Share on other sites

  • 2 weeks later...

So I read this post a while back and thought about it several times, each time thinking of a new reply but then rethinking about it again.  So let's give it a whirl.  What exactly are your concerns?  Your concerned your going to buy a used PC that has been infected by badUSB?  Wouldn't you want to wipe the hard drive anyways?  I'll probably end up going way off topic here but let's look at it from several angles.  First of all depending on your funds...just build your own PC.  Much more fun.  Ok that angle is done now let's look at a few more...so you have a pc in front of you and you don't know what lies inside. 

I'd power it up without it being connected to your network and look around.  See if there is anything of interest on it.  I don't want to get into any trouble here but if you "own" it now then I would guess if you want to salvage the OS or any other programs on it you could waste a USB thumb drive and install some software on there to relieve the PC of it's keys.  If there is nothing else of interest on there then blast it and install a fresh OS.

If your still concerned that the firmware of certain devices may be compromised due to a badUSB hack them break down the items you have to worry about.  If the hard drive firmware is questionable ditch it and buy a new hard drive.  If the optical drive firmware is questionable ditch it all together since those are going by the wayside anyways.  CPU/RAM should be fine.  Motherboard BIOS...replace motherboard?  Order a new BIOS chip?  Same goes with add on cards (network, video, sound, etc.)

Unless you live in an area where everyone and their cousin are running around infecting PCs with badUSB I'd think that would be the least of your worries.  Not to freak you out but when you do a fresh install of say Windows...who owns it?  It definitely isn't you or I.  Maybe back with good old XP but current OS's...nope.  MS will constantly have that computer phone home without telling you.  I installed a fresh install of Windows 10 a few weeks back.  I knew I was wasting my time but I bothered to delete all of the apps I knew I wouldn't use...I gave it about an hour and MS decided I really needed those apps and reinstalled them without me asking.  So obviously I don't own it.  Same with Mac.  Good luck assuming you have any control over that OS.  It'll just straight up ignore a command if it doesn't feel like doing it.  Sorry Mac guys but it's true.  And even some bigger brand Linux OS's are doing that now too.  I'd be a bit more concerned about that than a random attack on a machine. 

That's just my two sense on the matter.  I get random PCs all the time and there's nothing more fun then just diving in and looking around. 

Link to comment
Share on other sites

  • 2 weeks later...
On 4/27/2017 at 11:30 PM, Bob123 said:

So I read this post a while back and thought about it several times, each time thinking of a new reply but then rethinking about it again.  So let's give it a whirl.  What exactly are your concerns?  Your concerned your going to buy a used PC that has been infected by badUSB?  Wouldn't you want to wipe the hard drive anyways?  I'll probably end up going way off topic here but let's look at it from several angles.  First of all depending on your funds...just build your own PC.  Much more fun.  Ok that angle is done now let's look at a few more...so you have a pc in front of you and you don't know what lies inside. 

I'd power it up without it being connected to your network and look around.  See if there is anything of interest on it.  I don't want to get into any trouble here but if you "own" it now then I would guess if you want to salvage the OS or any other programs on it you could waste a USB thumb drive and install some software on there to relieve the PC of it's keys.  If there is nothing else of interest on there then blast it and install a fresh OS.

If your still concerned that the firmware of certain devices may be compromised due to a badUSB hack them break down the items you have to worry about.  If the hard drive firmware is questionable ditch it and buy a new hard drive.  If the optical drive firmware is questionable ditch it all together since those are going by the wayside anyways.  CPU/RAM should be fine.  Motherboard BIOS...replace motherboard?  Order a new BIOS chip?  Same goes with add on cards (network, video, sound, etc.)

Unless you live in an area where everyone and their cousin are running around infecting PCs with badUSB I'd think that would be the least of your worries.  Not to freak you out but when you do a fresh install of say Windows...who owns it?  It definitely isn't you or I.  Maybe back with good old XP but current OS's...nope.  MS will constantly have that computer phone home without telling you.  I installed a fresh install of Windows 10 a few weeks back.  I knew I was wasting my time but I bothered to delete all of the apps I knew I wouldn't use...I gave it about an hour and MS decided I really needed those apps and reinstalled them without me asking.  So obviously I don't own it.  Same with Mac.  Good luck assuming you have any control over that OS.  It'll just straight up ignore a command if it doesn't feel like doing it.  Sorry Mac guys but it's true.  And even some bigger brand Linux OS's are doing that now too.  I'd be a bit more concerned about that than a random attack on a machine. 

That's just my two sense on the matter.  I get random PCs all the time and there's nothing more fun then just diving in and looking around. 

Usually, if you make a dedicated hacking PC, wouldn't you just go with a few Linux distros anyway? Linux distros (depending on which distro) don't phone home. Most have no homes.

I would check out Debian and Kali if I were you. Ubuntu is good as well, but it's more of a user-friendly environment built to be a desktop. Kali is specifically a pen-testing environment while Debian is a mix of the two. I have a multi-boot USB with 3 different distros on it (one of which is a custom one I made), a few system tools and a Windows 7 installer. Never know when you need to clean a PC from the outside or use Kali/Debian to access files on the HDD.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...