Guest Posted December 7, 2019

I'm using the Bash Bunny to impersonate USB storage devices, using the ATTACKMODE STORAGE command with advanced parameters such as PID_ and VID_. This has worked quite well so far. Recently, I came across Kaspersky Endpoint Security 11, where the available advanced parameters are not enough to impersonate a USB storage device.

This security software has a "Device Control" feature to block access of USB storage devices to a PC. Furthermore, it has a "Trusted devices" list, where administrators can add exceptions which are allowed to access the PC. Details are given on this webpage: https://support.kaspersky.com/10606#block3. A trusted device in this list is identified either by the VID and PID, or by what Kaspersky calls "Devices by ID". It turns out that this ID is the string which identifies the vendor and product, and is abbreviated as Ven_ and Prod_ in the USB device description. This can be read out in Windows 10 if you open the properties dialog for a USB Mass Storage Device in the Device Manager, go to Details and then select the string for "Bus relations". For example, for my SanDisk Ultra, the string is:

USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C530001131107103254&0

Here is the problem with the Bash Bunny. The same string for the Bash Bunny, when in ATTACKMODE STORAGE mode, is always:

USBSTOR\Disk&Ven_&Prod_&Rev_0000\ch000001&0

To impersonate a USB storage device, the "Ven_" and "Prod_" strings need to be set to a user-defined value. Perhaps the "Rev_" string is needed as well. Is there today a way to set the default values for Ven_, Prod_ and Rev_ in the current firmware?

Request to Hak5: Could you add advanced parameters "VEN_", "PROD_" and also "REV_" to the ATTACKMODE command?
Darren Kitchen Posted January 15, 2020

This can be done by using the MAN_ and SN_ options in ATTACKMODE. These were added in firmware v1.3 - see the changelog at https://downloads.hak5.org/bunny for usage.
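For the defender's side of this thread: the two "Bus relations" strings quoted above follow one Windows USBSTOR device-instance-path layout, and the following parser (an added example, not code from the thread, Hak5 or Kaspersky) splits such a path into vendor, product, revision, serial and LUN and checks it against a constructed "Devices by ID"-style trusted list. The trusted entry and the third sample path are made up for the demo; the classification labels are my own.

```python
import re
from dataclasses import dataclass

# Windows USBSTOR device instance path as shown in Device Manager -> Details -> "Bus relations".
# Layout seen in the thread:  USBSTOR\<kind>&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<lun>
# Ven_/Prod_/Rev_ may be empty (the Bash Bunny's default string in the question has empty Ven_/Prod_).
USBSTOR_RE = re.compile(
    r"^USBSTOR\\(?P<kind>[^&\\]+)"
    r"&Ven_(?P<vendor>[^&\\]*)"
    r"&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<revision>[^&\\]*)"
    r"\\(?P<serial>[^&\\]+)&(?P<lun>\d+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class UsbStorId:
    kind: str
    vendor: str
    product: str
    revision: str
    serial: str
    lun: int


def parse_usbstor_id(path: str) -> UsbStorId:
    """Parse a USBSTOR device instance path; raises ValueError on anything else."""
    m = USBSTOR_RE.match(path.strip())
    if not m:
        raise ValueError(f"not a USBSTOR device instance path: {path!r}")
    return UsbStorId(m["kind"], m["vendor"], m["product"], m["revision"], m["serial"], int(m["lun"]))


# Constructed trusted list in the spirit of Kaspersky's "Devices by ID" entries: (vendor, product, serial).
# Every one of these fields is reported by the device itself (the reply above notes that ATTACKMODE's
# MAN_/SN_ options fill them in), so a match is an allowlist hit, not proof of the physical device.
TRUSTED = {("SanDisk", "Ultra", "4C530001131107103254")}


def classify(path: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'suspicious-empty-descriptor' (blank Ven_/Prod_) or 'untrusted'."""
    dev = parse_usbstor_id(path)
    if (dev.vendor, dev.product, dev.serial) in trusted:
        return "trusted"
    if not dev.vendor or not dev.product:
        return "suspicious-empty-descriptor"
    return "untrusted"


if __name__ == "__main__":
    for p in (r"USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C530001131107103254&0",
              r"USBSTOR\Disk&Ven_&Prod_&Rev_0000\ch000001&0"):
        print(classify(p), parse_usbstor_id(p))
```

On a real host the paths come from the Device Manager dialog described in the question (or from the USBSTOR keys in the registry); the "suspicious" label only catches devices that left Ven_/Prod_ blank, which is why the allowlist should not be the sole control.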