Adaptive Penetration Testing 6: The Teensy Attack

What’s described here is another somewhat hilarious security assessment story, where a company got compromised through modified keyboards sent as gifts to its IT staff.

Another assessment

Dave: The next one is Company 2, which is malicious media. This actually happened this month. It was an engagement that I was working on. It’s a Fortune 1000 company. The customer requested to deploy malicious items through the parking lot (see right-hand image). We’ve gotten those assessments before, where the customer wants us to drop a malicious USB or DVD in the parking lot and see how many people pick it up.

Why not do something different?

Well, we wanted to do something different because those were getting a little boring for us. How many times have you seen an RFP that says “You must do it this way”? So, we were bored with the standard deployment and we decided to do something a little bit different. I went and scoured the Internet for the most expensive, fancy keyboard that I could find (see right-hand image below).

The idea

And who wouldn’t want this thing? This thing is awesome! It’s got lights and stuff, and it’s an IT person’s wet dream. I mean, they can do some major gaming at lunch time on this thing, right?

Teensy works wonders

And what we did is we sent this keyboard – modified, obviously – to five IT folks in the actual company itself. And this is where we talk about “The Teensy Attack”. A Teensy is this little device right here (see left-hand image), it’s a computer chip. Here’s a couple of different ones out there (see image below).

Some examples of Teensy devices

And I have to give a special shout-out to Josh Kelley, because his research has been instrumental in a lot of the stuff that we’re doing here. He’s also got a talk on Sunday, where he’s going to be releasing some extremely cool stuff that will literally blow your mind because of what you can do with it. So, Josh, no pressure.

Attack workflow

What we did with this is we coded the keyboard itself to do an in-line attack (see left-hand image). Essentially, when you hit a key on the keyboard, the Teensy detects it and then propagates that key out. So we can actually start to detect when someone is actually there, right? What happens is, when it doesn’t detect somebody there it moves the pixel of the mouse up one and to the left. You don’t notice it on the screen, but it keeps the screensaver active. So, after about two hours of inactivity you know that person is not there and you can drop your malicious payload onto it.

And why that’s important is, this thing is recognized as a keyboard. You can change the vendor ID and product ID to whatever you want to and see if you can make it that manufacturer that we bought the keyboard off of, and put it in there. And why is that important? Because it disables autorun, there’s no autorun capability. If you have autorun disabled, it’s still going to execute because it’s recognized as a keyboard. The Teensy devices have on-board memory storage that can emulate keyboard typing, and I’ll show you that in a second.

Results obtained

And so, during off-hours we deployed it. This is actually really funny, because we got nine shells (see right-hand image). We only sent it to five people. My only guess is that the IT guys got jealous and ganked it from the other person, which is what we normally do in IT, right? I mean, if it’s out there and it’s cool, we take it. And we got nine shells, so the joke’s really on them. From there we further penetrated the network and got further access, and I’m going to show you a demo of this (watch video below). This is all available in the Social-Engineer Toolkit.

The Teensy attack deployment

Essentially, you just go to SET, then you go to Social-Engineering Attacks, you go to the Arduino-Based Attack Vector, and you select what attack vector you want to do. It has some of the X10 stuff that we’ve been doing with jamming, which I’ll talk a little bit about. And my favorite one is deploying a binary via the Teensy attack. What’s cool about this is you can actually drop a binary onto the system and have it convert back and run a binary. So, if my demo works, we should see some magic typing happening here, no hands. What’s happening here is it’s deploying a payload onto the system using a hexadecimal representation. So what we are going to leverage is PowerShell to reconvert our hexadecimal representation of our binary back to a binary again. What’s cool about this one is I leveraged a tool called Shellcodeexec. If you’re unfamiliar with Shellcodeexec, it’s just an executable, where you can give it a second argument parameter that’s alphanumeric shellcode, and it shoots a Meterpreter string into memory. So it never touches disk.

In this case – you are going to see it convert here in a second – we are going to do our conversion, here it goes. This took a long time to code, by the way. My wife hated me on this one. So we execute and, lo and behold, now it’s generating the alphanumeric shellcode, it’s going to stage everything into hexadecimal representation of it. It’s going to create the PD file through Arduino. You can see the Arduino stuff right here, this is all the code.

Kevin: I remember when we were testing this, and I was testing this on an Acer One. The timing on this thing was crazy. Dave and I had to spend, like, a few days with the timing on it. It was just funky.

Dave: Yeah, it was typing way too fast for the actual computer to handle. Usually I have that problem whenever I’m typing, it can’t handle me. What’s cool is we did a modification to the Teensy device, which I don’t have one with me right now, but Josh ended up soldering an SD card onto the Teensy device, and now you can do native SD storage on the device. Why that’s important is, when you plug it in, it doesn’t recognize as a storage device, because the Teensy actually natively reads an SD card, so you can store as large of a binary as you want to on it and then copy it up.

The takeaways

So you’re not restricted with the characteristics you would have when leveraging the Teensy device. So we go back to our attacker machine here, there’s the Meterpreter shell.

Lessons learned from this: we decided to do something a little different, and we had a lot of fun doing it.
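The point Dave makes above is that a Teensy enumerates as a keyboard, so disabling autorun does nothing, and that it waits for a long idle period before typing. The defender's counterpart is to watch for keyboard-class devices appearing on a host, especially outside working hours. The script below is an added example for this article and is not code from the talk, from SET or from the Teensy project. It assumes a constructed, simplified "key=value" rendering of Windows Security event 6416 ("A new external device was recognized by the system", which requires the Audit PnP Activity subcategory to be enabled), a hypothetical vendor allowlist, and constructed device instance IDs; the keyboard and disk class GUIDs and the HID_DEVICE_SYSTEM_KEYBOARD compatible ID are the real Windows values.

```python
import re
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

# Windows device-setup class GUID for keyboards, and the compatible ID Windows
# assigns to any HID device that exposes a keyboard top-level collection.
KEYBOARD_CLASS_GUID = "{4d36e96b-e325-11ce-bfc1-08002be10318}"
KEYBOARD_COMPAT_ID = "HID_DEVICE_SYSTEM_KEYBOARD"

# Hypothetical allowlist (constructed values): USB vendor IDs of the keyboard
# models the organisation actually issues.
APPROVED_KEYBOARD_VENDORS = {"046d", "413c"}

# Arrivals outside this window are treated as unattended installs.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)

# Constructed sample events in a simplified "key=value" form, modelled on the
# fields of Security event 6416. Values contain no spaces so a line splits on
# whitespace; the vendor/product IDs and instance paths are made up.
SAMPLE_EVENTS = [
    # 1: issued keyboard, business hours -> no finding
    "2019-03-12T09:14:02 EventID=6416 Account=CORP\\jdoe "
    "DeviceID=HID\\VID_046D&PID_C31C&MI_00\\7&1a2b3c4d&0&0000 "
    "ClassID={4d36e96b-e325-11ce-bfc1-08002be10318} ClassName=Keyboard "
    "CompatibleIDs=HID_DEVICE_SYSTEM_KEYBOARD;HID_DEVICE_UP:0001_U:0006",
    # 2: unknown-vendor keyboard appearing at night -> two findings
    "2019-03-12T23:41:17 EventID=6416 Account=CORP\\itadmin "
    "DeviceID=HID\\VID_1234&PID_ABCD&MI_00\\7&9f8e7d6c&0&0000 "
    "ClassID={4d36e96b-e325-11ce-bfc1-08002be10318} ClassName=Keyboard "
    "CompatibleIDs=HID_DEVICE_SYSTEM_KEYBOARD;HID_DEVICE_UP:0001_U:0006",
    # 3: removable disk, not a keyboard -> ignored by this detector
    "2019-03-12T10:02:55 EventID=6416 Account=CORP\\jdoe "
    "DeviceID=USBSTOR\\Disk&Ven_Generic&Prod_Flash&Rev_1.00\\0123456789&0 "
    "ClassID={4d36e967-e325-11ce-bfc1-08002be10318} ClassName=DiskDrive "
    "CompatibleIDs=USBSTOR\\Disk;USBSTOR\\RAW;GenDisk",
    # 4: issued keyboard, but plugged in at 03:05 -> off-hours finding only
    "2019-03-13T03:05:40 EventID=6416 Account=CORP\\itadmin "
    "DeviceID=HID\\VID_413C&PID_2107&MI_00\\7&5e4d3c2b&0&0000 "
    "ClassID={4d36e96b-e325-11ce-bfc1-08002be10318} ClassName=Keyboard "
    "CompatibleIDs=HID_DEVICE_SYSTEM_KEYBOARD",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event line into a field dictionary."""
    timestamp, *fields = line.split()
    event = {"Timestamp": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def vendor_id(device_id: str) -> Optional[str]:
    """Extract the USB vendor ID (lower-case hex) from a PnP device instance ID."""
    match = re.search(r"VID_([0-9A-Fa-f]{4})", device_id)
    return match.group(1).lower() if match else None


def is_keyboard(event: Dict[str, str]) -> bool:
    """True if the device is keyboard-class or advertises a keyboard HID usage."""
    compat = event.get("CompatibleIDs", "").split(";")
    return (event.get("ClassID", "").lower() == KEYBOARD_CLASS_GUID
            or KEYBOARD_COMPAT_ID in compat)


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons a keyboard arrival deserves review (empty = benign)."""
    if event.get("EventID") != "6416" or not is_keyboard(event):
        return []
    reasons = []
    vid = vendor_id(event.get("DeviceID", ""))
    if vid not in APPROVED_KEYBOARD_VENDORS:
        reasons.append(f"keyboard from unapproved vendor {vid or 'unknown'}")
    when = datetime.fromisoformat(event["Timestamp"]).time()
    if not (BUSINESS_START <= when <= BUSINESS_END):
        reasons.append(f"keyboard attached outside business hours at {when}")
    return reasons


def detect(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Run the checks over raw event lines; one tuple per flagged device."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings.append((event["Account"], event["DeviceID"], reasons))
    return findings


if __name__ == "__main__":
    for account, device, reasons in detect(SAMPLE_EVENTS):
        print(f"{account} {device}")
        for reason in reasons:
            print(f"  - {reason}")
```

The vendor allowlist is the weaker of the two signals, for exactly the reason Dave gives: the VID and PID on the Teensy can be set to match the manufacturer of the keyboard it is hidden in, so event 4 is the realistic case and the off-hours timing is what surfaces it. Pairing this with a device-installation restriction policy that only permits known keyboard hardware IDs, and with script-block logging for the PowerShell that reassembles the hex payload, covers the rest of the chain described in the demo.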

Read previous: Adaptive Penetration Testing 5: Physical Part of the Compromise

Read next: Adaptive Penetration Testing 7: Rogue AP and the Blackout Jammer
