Sunday, September 29, 2013

Day 2 at DerbyCon 2013

Presentations that I caught on Day 2 were not as useful to me as on Day 1. Part of that may be I chose the wrong ones and that I may also not have background needed to make the most of them. 

There was one great highlight worth mentioning though, which is that I anti'd up the bread to get one of the USB Rubber Ducky's from the Hak5 crew. This is basically a keyboard emulator (HID) on a key fob. Corporate restrictions on USB mass storage devices limit our ability as pentesters to obtain data exfiltration. But who blocks USB keyboards? OK, I've seen a few environments where they do; but that's pretty rare. 

I've been aware for a couple of years of the attacks that this kind of device could enable. But I didn't know where to get one or what kind of tools I would use to work with it. Hak5 has made this easy. You thought your DLP was going to save you? BWAHAHAHAHA!

If this isn't clear, the USB HID sends commands to the victim system exactly as if they were typed at super-human speed. This does not limit attacks to just plain text. We can encode full executable files as text and then convert to executable on your host. And, of course PowerShell is just plain text anyway and is extremely powerful. 

We can script the attack to work with any platform; Windows, Linux, Mac. We're all in trouble. Lock your workstation every time you walk away. This attack takes seconds and no, I was not the one who sent that email to your boss from your PC.

http://usbrubberducky.com is the primary resource for these.  The link will re-direct to an IP address.  Sorry, but that's the address.  All of the other resources I could offer are linked from that page, including alternative firmware, scripts, encoders, forums and the user guide.

Enjoy!