Using SET and the Teensy Controller
SET is the Social Engineering Toolkit, a framework bundled with Metasploit that penetration testers use to carry out the following social engineering attacks:
- Web-based attacks: Java, MITM, Credential Harvester, browser_autopwn
- Infectious Media Generator
- Payload and Listener
- Mass Mailing campaign
- Arduino-Based Attack Vector
- SMS Spoofing – Send malicious SMS messages
- Wireless Attacks
The benefit of SET is that it is menu driven, rapidly updatable and extendable, and integrates seamlessly with Metasploit.
Teensy is a USB-based microcontroller in a very small form factor; all programming is done through its mini-USB port. Teensy is used mainly by hobbyists for projects such as game controllers, rhythm-based door locks, and home automation.
What makes the Teensy controller interesting for penetration testers is that it has a feature that allows an attacker to compromise a victim computer even if USB removable storage and AutoRun are disallowed by the organization. How can this be? We can configure Teensy to appear as a USB-based Human Interface Device (HID). Keyboards and mice are also in the HID category and are generally allowed by an organization. Once plugged in, Teensy sends a series of keystrokes to the operating system as if a user were typing very quickly (and without error), building our attack payload and then executing it.
What does this mean for us? We have a very small attack vector that can be easily camouflaged, plugged into a victim host, and owned within 15 seconds, even if the host is configured to not allow USB thumb drives. The attack payload is limited only by our imagination, but generally is used to download a pre-generated payload and execute it, such as a Meterpreter reverse HTTPS shell that has been run through msfvenom or msfencode.
SET steps you through everything needed to build the Teensy PDE file and to select and encode a payload; it will also help with evasion techniques such as backdooring a known-good executable or running the payload through several encoders, and it will even start up a Metasploit payload handler.
Attacking with Teensy is relatively simple: plug it into an open USB port. For the attack to succeed, the workstation must be unlocked, and the entire attack takes about 10-30 seconds depending on the speed of the victim host, since the system has to create Registry entries, prepare itself for the new device, and so on. Once that is done, Teensy sends keyboard commands to the desktop at about 65 characters per second. It begins by sending Ctrl+Esc, which opens the Windows Start menu, then types "CMD.EXE /c" into the Run dialog. Once a command prompt is open, it echoes a short VBScript one line at a time into a .vbs file and then executes it. Typically, SET will build a Teensy loader file that echoes out an HTTP downloader, which pulls a file from the attacker's website and executes it.
Don’t touch the keyboard, as it will continue to send keystrokes to whatever window currently has focus!
On the Metasploit host, it is best to have an AutoRun script that immediately migrates the shell off the current process into a different common process and kills the x.exe process. It is best to use Teensy when nobody is looking, as the attack shows some desktop activity: a command prompt and the Run dialog opening. Use whatever excuse necessary to get the victim to look away for a few seconds. Be creative! Engage the target in some conversation, show off a magic trick, or just don't shower for a few days.
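The keystroke-driven chain described above leaves a recognisable trail on the victim: a keyboard device is enumerated, and within seconds cmd.exe is writing lines into a .vbs file and running it. The following is an added example (not code from SET or the Teensy project) that correlates those two signals over constructed, simplified event lines; the line format, the 60-second window and the file names are assumptions, and the script bodies are placeholders.

```python
"""Flag shell/script activity that closely follows a newly enumerated USB keyboard."""
import re
from datetime import datetime, timedelta

# Constructed, simplified event lines (not a real Sysmon/Windows log format):
#   <ISO timestamp>|<host>|<event>|<detail>
# In practice the proc_create lines would come from Sysmon Event ID 1 and the
# device_added lines from a PnP device-install audit event.
SAMPLE_EVENTS = """\
2011-11-30T10:00:00|WS01|device_added|HID Keyboard Device
2011-11-30T10:00:12|WS01|proc_create|cmd.exe /c echo <vbs line 1>>>x.vbs
2011-11-30T10:00:13|WS01|proc_create|cmd.exe /c echo <vbs line 2>>>x.vbs
2011-11-30T10:00:15|WS01|proc_create|cmd.exe /c cscript //nologo x.vbs
2011-11-30T10:00:17|WS01|proc_create|x.exe
2011-11-30T11:30:00|WS02|proc_create|cmd.exe /c echo build ok >>build.log
2011-11-30T12:00:00|WS03|device_added|HID Keyboard Device
2011-11-30T12:45:00|WS03|proc_create|cmd.exe /c cscript //nologo logon.vbs
"""

WINDOW = timedelta(seconds=60)  # a typed payload completes well inside a minute
# Either echo/redirection into a .vbs file, or a script host launched on one.
SUSPICIOUS = re.compile(r"(echo .*>>?\s*\S+\.vbs\b)|(\b[cw]script\b.*\.vbs\b)", re.I)


def parse(lines):
    """Yield (timestamp, host, event, detail) tuples from the simplified format."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, host, event, detail = line.split("|", 3)
        yield datetime.fromisoformat(ts), host, event, detail


def correlate(lines, window=WINDOW):
    """Return (host, timestamp, cmdline) for suspicious process creations that
    happen within `window` after a keyboard was enumerated on the same host."""
    last_keyboard = {}  # host -> time the most recent keyboard appeared
    alerts = []
    for ts, host, event, detail in parse(lines):
        if event == "device_added" and "keyboard" in detail.lower():
            last_keyboard[host] = ts
        elif event == "proc_create" and SUSPICIOUS.search(detail):
            seen = last_keyboard.get(host)
            if seen is not None and timedelta(0) <= ts - seen <= window:
                alerts.append((host, ts.isoformat(), detail))
    return alerts


if __name__ == "__main__":
    for host, ts, cmd in correlate(SAMPLE_EVENTS):
        print(f"ALERT {host} {ts}: {cmd}")
```

WS02's build script and WS03's logon script show the two false-positive guards: a .vbs write with no new keyboard, and a script host run long after the keyboard appeared, are both ignored.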
What can we do with Teensy now that we have it set up for evil? Despite its small size, we can't really go around plugging in a penny-sized chip with a USB cable sticking out of it, so how about we camouflage it?
Here is just a cheap mouse from Best Buy that I took the guts out of. With a few additional lines of code, I can simulate cursor moves on screen to make it appear as if the mouse functions. A clever attacker could play the role of a desktop support technician, or of a fellow employee who thinks his mouse may be dead and wants to troubleshoot whether the problem is the mouse or the computer.
In fact, this is what Netragard did recently, but they expanded the concept by installing a USB hub, a Teensy, and a USB flash drive inside a Logitech mouse body (which they didn't destroy like I did). With some reconnaissance, they found a suitable victim and sent him a "promotional" mouse with all the marketing accessories to make it look legitimate. Three days after they FedEx'd the mouse, they got a connection back from their target. Trojan Horse? No. Trojan MOUSE.
People may begin to get wise to the "dropped USB stick" gag, and workstations may be locked down to prevent the use of removable storage, but new and novel attack vectors can still be employed to keep this approach fresh.
Fortunately, we are not limited to pulling down a Meterpreter payload with Teensy. Whatever can be sent via keyboard and mouse can be sent by Teensy: add a user, stop the Windows Firewall, open a browser and visit a malicious website, stop antivirus. The possibilities are limited only by what evil we can imagine. With some basic electronics, programming, and soldering skill, a complete and robust "plug and pwn" kit can be developed. A cheap mouse with some... ahem... new hardware, gussied up to look cutting edge and sent as a promotion, is sure to get a good response.
As user awareness increases and workstations become more secure by default, we as penetration testers must seek new attack vectors. Teensy helps accomplish this because it does not appear to the operating system as removable storage media. Linux and OS X will happily accept input from Teensy too! Work is being done on Teensy to make it a more robust attack tool: the Programmable HID USB Keystroke Dongle project provides libraries and code examples for creating unique attacks. The Teensy USB development board can be purchased at http://www.pjrc.com/teensy/.
Last Updated on Wednesday, 30 November 2011 10:09