A two second HID attack against Windows and Mac that launches the website of your choosing. That’s by far the most effective security awareness payload for the USB Rubber Ducky.
Cyber security awareness building is important, and developing an effective security awareness program – or at least raising eyebrows that one is even necessary – doesn’t need to be difficult.
WE COULD ALL USE SOME CYBER SECURITY AWARENESS
Hot off the heels of the bank heist security awareness campaign in Beirut with Jayson Street (See Breakthrough – Cyber Terror on National Geography), @Snubs and I set off to perform our own security awareness research. We were given the unique opportunity to present the keynote at AusCERT 2017 in the Gold Coast of Australia. Our talk was all about trust, convenience, and how USB and better yet Humans are the universal attack vector. CSO has a great write-up.
Essentially we wanted to see if the cyber security community practiced what it preached. Specifically following best practices with regards to foreign USB drives. What we found was astounding. Judging from our own informal poll, it seems many of us in the information security world don’t even bother with basic anti-virus, so how would we fare as an industry against foreign USB drives?
THE BEST PAYLOAD THAT DOESN’T GATHER SENSITIVE DATA
Now I’ve spoken before about a 2-second USB Rubber Ducky payload which will grab Windows password hashes via SMB. It’s a great payload for internal audits – so red teams take note. But for this engagement the last thing we wanted was any sensitive data.
Unlike Google, who conducted a similar USB drop at a university with the intent of obtaining reverse shells on the target machines, we opted for something completely benign. Our payload only launches a tiny URL, which takes the target to US-CERT Bulletin ST08-001: Using Caution with USB Drives. The US-CERT bulletin, from the National Cyber Awareness System, states:
Do not plug an unknown USB drive into your computer – If you find a USB drive, give it to the appropriate authorities (a location’s security personnel, your organization’s IT department, etc.). Do not plug it into your computer to view the contents or to try to identify the owner.
Of the 100 USB Rubber Ducky drives we dropped, we noticed 162 executions from 62 unique IP addresses throughout a 65 day period. Mind you, this was at a conference primarily made up of professionals working in the cyber security industry. Now since we did not uniquely identify each drives payload, we cannot determine the actual percentage plugged in. However, based on the unique factors we can track, the results do seem inline with Google’s findings – that 48% of people do plug-in USB drives found in parking lots.
The other data of interest indicated that targets were 68% Windows and 32% Mac. Browsers were 69% Chrome, 24% Safari and shockingly 7% Internet Explorer. The vast majority of executions were within the first week of the conference, however the long tail lasted until mid-April.
HOW DO I PERFORM THIS AUDIT AGAINST MY OWN ORGANIZATION
Setting this up for your own security awareness campaign is dead simple. All you need is this payload, a few USB Rubber Duckies, a URL to point the payloads and a few creative spots to leave the drives.
For the URL you could setup a website to let the user know they’ve broken corporate policy and to contact IT – or you could do what we did and send ’em to US-CERT. Either way you’ll be able to track the executions. This can be done either with your own web server (preferably running PHP), or you can just use Google’s goo.gl URL shortener to get the analytics.
Here’s the PHP script which will log IP and browser data along with forwarding on the target to your URL of choice. Uncomment the mail command and change the SMS gateway if you want your phone to ding every time someone plugs one in
You’ll need to touch full-data.txt and summary.txt and chmod them accordingly.
This cross-platform USB Rubber Ducky payload works against Windows, Mac and some Linux window managers which support URLs from the ALT+F2 menu (like Ubuntu’s Unity).
DELAY 1000 ALT F2 DELAY 50 GUI SPACE DELAY 50 GUI r DELAY 50 BACKSPACE DELAY 100 STRING http://example.com ENTER
Replace example.com with the URL of your choosing.
Finally, load up the ducks, find some enticing places to plant ’em, and watch the logs as humans do what humans do best.
WHY DOES THIS WORK
As users and as a society, we expect technology to “just work”.
As developers and systems administrators, in order to make things “just work”, we typically need to put in hard coded trusts.
As hackers and penetration testers, wherever we find these hard coded trusts, it’s simply a matter of telling the right lie. Something we learned to do from childhood.
Hacking is all about trust. As in life – trust is hard to build & easy to break. Hacking is violating the inherent trust in complex systems.