The document discusses various tools and hardware that could be used for red team operations, penetration testing, and surveillance. It describes a WHID injector device that can emulate a USB and conduct wireless attacks. It also mentions the ESPloitV2 and USaBuse software frameworks that can bypass air-gapped restrictions and conduct command injection. Finally, it discusses POTAEbox, a custom penetration testing device that incorporates various wireless interfaces and ports to facilitate network and wireless attacks from a single device.

1. 1 @LucaBongiorni
How To Bring Your Red Teaming Arsenal
To Next Level

2. 2 @LucaBongiorni
Advanced Network Technology Catalog
The ANT catalog is a 50-page classified document listing technology
available to the United States National Security Agency (NSA)
Tailored Access Operations (TAO) by the Advanced Network
Technology (ANT) Division to aid in cyber surveillance.

3. 3 @LucaBongiorni
Adversarial Ninja Playset Catalog
The ANP catalog is a 5-page (more to come) “kind-of-classified”
document listing technology (already) available to any InfoSec Ninja by
a bunch of Hardware Hackers* to aid in Red Team Operations.
* @Mame82 @exploit_agency @LucaBongiorni

4. 4 @LucaBongiorni
The ANP Catalog Club’s Requirements
•Being Open-Source
•Being Available to Anyone
•Being Sold at Sustainable Price

5. 5 @LucaBongiorni

6. 6 @LucaBongiorni

7. 7 @LucaBongiorni
WHID Injector – Schematics & Specs
• Atmega 32u4
– Arduino-friendly
• ESP-12
– WiFi (both AP and Client modes)
– TCP/IP Stack
– DNS Support
– 4MB Flash
• Pinout for weaponizing USB
gadgets
• HALL Sensor for easy unbrick

8. 8 @LucaBongiorni
Software Frameworks – ESPloitV2 GUI
• Evolution of WHID GUI
• Shipped w/ WHID Injector
• Hidden SSID (if needed)
• ESPortal Creds Harvester + Karma
• Multi OS & Multi KB Language
• AutoStart Function
• Change settings on-the-fly
• Live Payloads
• Duckyscript to WHID Converter
• OTA Update of ESP firmware
• Changeable VID/PID
• Reset ESP from Serial
• AirGap Bypass through Serial

9. 9 @LucaBongiorni
Software Frameworks – USaBuse
• Developed by @RoganDawes
• Bypass Air-Gapped restrictions
• Once connected to a PC:
– Creates a WiFi AP
– Stealthy Screensaver Killer
– Injects PoSH scripts that creates a HID
RAW as exfil channel to transfer data back.
– Returns a CMD shell to the attacker
– GAME OVER
• DEMO https://youtu.be/5gMvtUq30fA

10. 10 @LucaBongiorni
Common Misconception
USB devices are NOT ONLY Flash Drives!
≠
X X

11. 11 @LucaBongiorni
Weaponizing USB Gadgets
X X

12. 12 @LucaBongiorni
Weaponizing USB Gadgets
• Test for Social Engineering weaknesses
• Bypass physical access restrictions to a target’s device
• OR… You are Kim Jong-Un and wanna have fun pwning
international delegates.

13. 13 @LucaBongiorni
https://play.google.com/store/apps/details?id=whid.usb.injector

14. 14 @LucaBongiorni

15. 15 @LucaBongiorni

16. 16 @LucaBongiorni
WHID Elite
▪ Atmega 32u4
▪ sed 's/ESP/SIMxxxx/’
▪ USB2422 Controller
▪ Microphone
▪ NRF24L01+

17. 17 @LucaBongiorni
WHID Elite
▪ Atmega 32u4
▪ sed 's/ESP/SIMxxxx/’
▪ USB2422 Controller
▪ Microphone
▪ NRF24L01+
V.1.0 – 2G V.2.0 – NB-IoT

18. 18 @LucaBongiorni
WHID Elite
▪ Atmega 32u4
▪ sed 's/ESP/SIMxxxx/’
▪ USB2422 Controller
▪ Microphone
▪ NRF24L01+

19. 19 @LucaBongiorni

20. 20 @LucaBongiorni
WHID Elite
▪ Atmega 32u4
▪ sed 's/ESP/SIMxxxx/’
▪ USB2422 Controller
▪ Microphone
▪ NRF24L01+

21. 21 @LucaBongiorni
Acoustic Surveillance

22. 22 @LucaBongiorni
WHID Elite
▪ Atmega 32u4
▪ sed 's/ESP/SIMxxxx/’
▪ USB2422 Controller
▪ Microphone
▪ NRF24L01+

23. 23 @LucaBongiorni
WHID Elite
Mousejacking Wireless
Keyboards & Mice
DEMOs:
https://youtu.be/9SPe_HZLGq4
https://youtu.be/YA4VOk09tRI

24. 24 @LucaBongiorni

25. 25 @LucaBongiorni
Remote Radio Hacking
• External Cheap 315/433MHz RTXs to:
– Replay Attacks >> RollJam (WIP)
– Fuzzing (e.g. crashing target)
– Bruteforce (e.g. from Arm to Disarm packet)
– Jamming
– What Else?
DEMOs:
https://youtu.be/gX0oo788vs0 https://youtu.be/7CntpdL_hsw

26. 26 @LucaBongiorni
Controlling RC Cranes
Source: https://tinyurl.com/trendmicro-cranes-report

27. 27 @LucaBongiorni
Controlling RC Cranes: DEMO

28. 28 @LucaBongiorni

29. 29 @LucaBongiorni

30. 30 @LucaBongiorni
P4wnP1 – Operating Features
• Bypass Air-Gapped restrictions
– Uses a HID RAW as exfil channel to transfer data back (~50Kb/s)
– The HID backdoor can call back a remote C&C (in case of a weaponized
gadget & a known WiFi network available)
• Win10 Lockpicker
– Steals NetNTLMv2 hash from locked Windows machine, attempts to
crack the hash and enters the plain password to unlock the machine on
success. (Fixed with KB4041691 on October 10, 2017).
• WiFi Covert Channel (w/o admin privileges)
– Keystroke injection, to bring up USB HID tunnel.
– Delivery of client agent (NET Library) via HID tunnel into memory.
– Invocation of NET lib from PowerShell.
– C2 over Victim’s WiFi card (w/o disconnecting it)
– PoC & Sources http://bit.ly/2uY8SyU & https://youtu.be/fbUBQeD0JtA

31. 31 @LucaBongiorni
AirGap Bypass – On Premises

32. 32 @LucaBongiorni
AirGap Bypass – Phone Home
s/WiFi/GSM

33. 33 @LucaBongiorni

34. 34 @LucaBongiorni https://youtu.be/7fCPsb6quKc

35. 35 @LucaBongiorni
P4wnP1 Mods – 2G CallHome & OLED UI
@jermainlaforce
@BeBoXoS
http://stephanhahn.ch/

36. 36 @LucaBongiorni
HID Attacks’ Mitigations 101
• Do Not Trust Unknown USB Devices!
• At Most, Use an USB Condom!
– Or Create your own DIY version
• Look For DLP Solutions that Really Block HID

37. 37 @LucaBongiorni
Mitigation Tools – Windows
• https://github.com/pmsosa/duckhunt
– Four Operational Modes:
• Paranoid: KB input is disallowed until a password is input. Attack will also be logged.
• Normal: KB input will temporarily be disallowed. Attack will also be logged.
• Sneaky: A few keys will be dropped. Attack will also be logged.
• LogOnly: Simply log the attack.
• https://github.com/JLospinoso/beamgun
– When a malicious HID is inserted it blocks keystrokes injection by continuously
stealing focus (and eventually locking the workstation)

38. 38 @LucaBongiorni
Mitigations in Linux 101
Use udev rules to temporarily disable the
addition of new HID devices by creating a file
/etc/udev/rules.d/10-usbblock.rules
with the content:
#ACTION=="add",
ATTR{bInterfaceClass}=="03" RUN+="/bin/sh
-c 'echo 0 >/sys$DEVPATH/../authorized'"
Run to Block:
sed -i 's/#//' /etc/udev/rules.d/10-usbblock.rules; udevadm
control --reload-rules
Run to Unlock Before Reboot:
sed -i ‘s/^/#/' /etc/udev/rules.d/10-usbblock.rules; udevadm
control --reload-rules

39. 39 @LucaBongiorni
Mitigation Tools – Linux
• https://github.com/trpt/usbdeath
– Anti-forensic tool that writes udev rules for known usb devices and do some
things at unknown usb insertion or specific usb device removal
• https://github.com/USBGuard/usbguard
– Software framework for implementing USB device authorization policies

40. 40 @LucaBongiorni

41. 41 @LucaBongiorni

42. 42 @LucaBongiorni
Wiegand Protocol
01100100
0 1 1 0 0 1 0 0 1 0 0 0 0 1 0 1 1 1 0 1 1 0 1 1 0 1
P Facility Code: 201 Card ID: 02998 P
100001011101101101

43. 43 @LucaBongiorni
Wiegand Protocol
01100100
0 1 1 0 0 1 0 0 1 0 0 0 0 1 0 1 1 1 0 1 1 0 1 1 0 1
P Facility Code: 201 Card ID: 02998 P
100001011101101101

44. 44 @LucaBongiorni
Sniff, Replay, Clone

45. 45 @LucaBongiorni

46. 46 @LucaBongiorni
Long Range Readers
HID Proxcards
(125 KHz)
EM41xx
(125 KHz)
iClass & Mifare
(13.56 MHz)
Potato For Scale
(No. Is not
weaponized. It’s
just a Potato.)

47. 47 @LucaBongiorni
Weaponized & Standalone Reader
Able to Sniff Cards from ~80 cm
Away!

48. 48 @LucaBongiorni
Real Engagement

49. 49 @LucaBongiorni

50. 50 @LucaBongiorni
Mitigations
• Use the Anti-Tamper Switches!*
– PROS: Are already there!
• Encrypt Wiegand Data
– CONS: Need new Reader & Controller
• Upgrade to TCP/IP-based ACSes
– CONS: Need new Reader & Controller
– CONS: New Attack Vectors to check
• Detect HW implants by diffing amperage
changes
• Epoxy All The Things!!! (kidding)
*We all know they can be bypassed anyway. But still… they are there… better use them!

51. 51 @LucaBongiorni
Mitigations
• Use the Anti-Tamper Switches!
– PROS: Are already there!
• Encrypt Wiegand Data
– CONS: Need new Reader & Controller
• Upgrade to TCP/IP-based ACSes
– CONS: Need new Reader & Controller
– CONS: New Attack Vectors to check
• Detect HW implants by diffing
amperage changes
• Epoxy All The Things!!! (kidding)

52. 52 @LucaBongiorni

53. 53 @LucaBongiorni

54. 54 @LucaBongiorni
Prologue - The TETRA “deal”
CPU: 533 MHz MIPS 74K Atheros AR9344 SoC
Memory: 64 MB RAM
Disk: 2 GB NAND Flash
Wireless: Atheros AR9344 + Atheros AR9580
Ports: 4 SMA Antenna, RJ45 Fast Ethernet, Ethernet over USB, Serial over USB, USB 2.0 Host, 12V/2A DC

55. 55 @LucaBongiorni
Prologue – The PowerPwn “deal”
CPU: 1.2 GHz ARM CPU
Memory: 512 MB RAM
Disk: 2GB NAND Flash + 16 GB SD card storage
Wireless: WiFi, Bluetooth, 3g Modem
Ports: 2x RJ45 Gigabit Ethernet, USB 2.0 Host, UART

56. 56 @LucaBongiorni
The Reaction

57. 57 @LucaBongiorni
Pentest Dropboxes Everywhere
2nd Generations (>2011) – Price 40~200 €
3rd Generation (2016) - Price < 15 €
1st Generation (2006) – Price ~ 30 €

58. 58 @LucaBongiorni

59. 59 @LucaBongiorni
R&D: SBCs and Covert Cases Evaluation

60. 60 @LucaBongiorni
POTÆbox – Penetration Over The {Air, Ethernet} box
• Allwinner Quad-core CPU ARM (H5 or H6)
• 2gb RAM
• 8gb NAND
• 2x Gigabit Ethernet Ports (e.g. RTL8363SB)
• 2x USB 2.0 Ports
• 1x USB 2.0 OTG Port
• 1x USB 3.0 Port (if H6 is used)
• 1x mini-pcie (if H6 is used)
• Embedded Microphone
• CSI Camera connector
• 2G/3G Module (w/ SIM card slot)
• uSD card slot
• Atheros Wifi Chipset 2.4/5 GHz ( 2x space permitting)
• AR9580 mini-pcie (if H6 is used and a minipcie connector is
available on PCB)
• AR9344 (connected through USB 2.0)
• Relays (controlled by PCB’s GPIOs)
• [OPTIONAL] Wireless Attacks (NRF2401L, CC1101, etc.)

61. 61 @LucaBongiorni
POTÆbox – Penetration Over The {Air, Ethernet} box
POTAEbox Purposes:
• Security Operations (i.e. Penetration Tests)
• Surveillance (i.e. Mic & Camera)
• Network Appliance (i.e. Firewall, IDS, Honeypot)
• Home Automation (i.e. Lights)
• Generic Electronic Projects

62. 62 @LucaBongiorni
Covert Cases
• Power Socket
• Charging Station
• Bluetooth Speaker
• Smoke Alarm
– Battery powered & connected to RJ45 (offensive eth & wireless attacks)
– Male power socket (wireless only attacks)

63. 63 @LucaBongiorni
Software Orchestrator (within POTAEbox device)
• Easy-to-Use GUI (e.g. FruityWifi)
• Multiple channels/tunnels to call home the aggregator (e.g. DNS, ICMP,
SSH, HTTPS, Gmail, Twitter, etc.)
• NAC/802.1x bypass techniques
• MANA + Bettercap + New EAP Relay Attack
• Ice Breaker + Deathstar
• Remote Wireless Attacks with NRF2410L & CC1101 (e.g. Mousejacking,
YardstickONE style attacks: Disabling Alarm Systems, Fuzzing ASK/FSK/MSK RF controllers,
etc.)

64. 64 @LucaBongiorni
Fin?

65. 65 @LucaBongiorni
DFIR Time!

66. 66 @LucaBongiorni
USB Devices Vs. DFIR – Windows Artifacts
• Registry Hives
• Tools For The Trade
– USBdeview
– USBLogView
– USBDeviceForensics
• Event Logs
• Command Run History
• Advanced DFIR

67. 67 @LucaBongiorni
USB Artifacts in Windows
• SYSTEM/CurrentControlSet/Enum/USBSTOR
• SYSTEM/CurrentControlSet/Enum/USB
• SYSTEM/CurrentControlSet/Enum/HID
• NTUSER.DAT/Software/Microsoft/Windows/CurrentVersion/Explorer
/MountPoints2
• Windows XP – ROOT/Windows/setupapi.log
• Windows Vista+ – ROOT/Windows/inf/setupapi.dev.log

68. 68 @LucaBongiorni
C:Windowsinfsetupapi.dev.log
First time the device was plugged

69. 69 @LucaBongiorni
USBDeview Vs Live System
First time the
device was
plugged
Last time was plugged

70. 70 @LucaBongiorni
USBDeview Vs Disk Image Analysis
USBDeview.exe /regfile "C:blablaC-DiskWindowsSystem32configSYSTEM"

71. 71 @LucaBongiorni
USBDeview
http://www.nirsoft.net/utils/usb_devices_view.html

72. 72 @LucaBongiorni
USBLogView
http://www.nirsoft.net/utils/usb_log_view.html

73. 73 @LucaBongiorni
USBDeviceForensics
https://github.com/woanware/usbdeviceforensics

74. 74 @LucaBongiorni
Command Run History
Instead of:
GUI + R
STRING <malicious command>
ENTER
Do:
GUI + R
STRING CMD (or Powershell)
ENTER
STRING <malicious command>
ENTER

75. 75 @LucaBongiorni
Command Run History
Instead of:
GUI + R
STRING <malicious command>
ENTER
Do:
GUI + R
STRING CMD (or Powershell)
ENTER
STRING <malicious command>
ENTER
Event Logs for the rescue!

76. 76 @LucaBongiorni
The Right Event Logs at The Right Time
Security Log Audit Plug and Play Activity
• 6416: A new external device was recognized by the System.
• 6419: A request was made to disable a device.
• 6420: A device was disabled.
• 6421: A request was made to enable a device.
• 6422: A device was enabled.
• 6423: The installation of this device is forbidden by system policy.
• 6424: The installation of this device was allowed, after having previously been
forbidden by policy.
• 1006: May contain Manufacturer, Model, Serial, and raw Partition Table, MFT,
and VBR data.

77. 77 @LucaBongiorni
Plug-and-Play Event Logs

78. 78 @LucaBongiorni
Plug-and-Play Event Logs
Event 6416: A
new external
device was
recognized by the
System.

79. 79 @LucaBongiorni
PowerShell Event Logs

80. 80 @LucaBongiorni
Advanced DFIR
• Extract raw NAND’s
data from ESP
• Dump Arduino
firmware
• Reverse Engineering
with Radare
esptool.py --port COM5 --baud 38400 read_flash 0x00000 0x400000 ESP_Flash_Dump.img

81. 81 @LucaBongiorni
MOAR Forensics
https://github.com/certsocietegenerale/Publications/blob/master/DFRWS%20EU19%20-
%20The%20Rise%20Of%20HID%20Devices.pdf

82. 82 @LucaBongiorni
Fin