The document discusses tools and hardware that can be used for red team operations, penetration testing and surveillance. It describes the WHID Injector, a device that emulates a USB keyboard (HID) and is remotely controlled over WiFi, and the ESPloitV2 and USaBuse software frameworks that use keystroke injection and a raw HID channel to bypass air-gap restrictions. It also covers P4wnP1, HID-attack mitigations for Windows and Linux, long-range RFID readers and their mitigations, covert cases, and the Windows DFIR artifacts (registry hives, setupapi logs and event IDs) that USB devices leave behind. Finally, it discusses POTAEbox, a custom penetration testing device that incorporates various wireless interfaces and ports to facilitate network and wireless attacks from a single device.
Slide 2 (@LucaBongiorni)
Advanced Network Technology Catalog
The ANT catalog is a 50-page classified document listing technology
available to the United States National Security Agency (NSA)
Tailored Access Operations (TAO) by the Advanced Network
Technology (ANT) Division to aid in cyber surveillance.
Slide 3
Adversarial Ninja Playset Catalog
The ANP catalog is a 5-page (more to come) “kind-of-classified”
document listing technology (already) available to any InfoSec Ninja by
a bunch of Hardware Hackers* to aid in Red Team Operations.
* @Mame82 @exploit_agency @LucaBongiorni
Slide 4
The ANP Catalog Club's Requirements
• Being Open-Source
• Being Available to Anyone
• Being Sold at a Sustainable Price
Slide 7
WHID Injector – Schematics & Specs
• ATmega32U4
– Arduino-friendly
• ESP-12
– WiFi (both AP and client modes)
– TCP/IP stack
– DNS support
– 4 MB flash
• Pinout for weaponizing USB gadgets
• Hall sensor for easy unbricking
Slide 8
Software Frameworks – ESPloitV2 GUI
• Evolution of WHID GUI
• Shipped w/ WHID Injector
• Hidden SSID (if needed)
• ESPortal Creds Harvester + Karma
• Multi-OS & multi keyboard-layout support
• AutoStart Function
• Change settings on-the-fly
• Live Payloads
• Duckyscript to WHID Converter
• OTA Update of ESP firmware
• Changeable VID/PID
• Reset ESP from Serial
• AirGap Bypass through Serial
Slide 9
Software Frameworks – USaBuse
• Developed by @RoganDawes
• Bypass air-gapped restrictions
• Once connected to a PC:
– Creates a WiFi AP
– Stealthy screensaver killer
– Injects PoSH (PowerShell) scripts that open a raw HID report channel back to the device, used to transfer data out
– Returns a CMD shell to the attacker
– GAME OVER
• DEMO https://youtu.be/5gMvtUq30fA
Slide 12
Weaponizing USB Gadgets
• Test for Social Engineering weaknesses
• Bypass physical access restrictions to a target’s device
• OR… You are Kim Jong-Un and wanna have fun pwning
international delegates.
Slide 30
P4wnP1 – Operating Features
• Bypass air-gapped restrictions
– Uses raw HID as an exfil channel to transfer data back (~50 Kb/s)
– The HID backdoor can call back a remote C&C (in the case of a weaponized gadget with a known WiFi network available)
• Win10 Lockpicker
– Steals the NetNTLMv2 hash from a locked Windows machine, attempts to crack the hash and types the plaintext password to unlock the machine on success. (Fixed with KB4041691 on October 10, 2017.)
• WiFi Covert Channel (w/o admin privileges)
– Keystroke injection, to bring up the USB HID tunnel.
– Delivery of the client agent (.NET library) via the HID tunnel into memory.
– Invocation of the .NET library from PowerShell.
– C2 over the victim's WiFi card (without disconnecting it)
– PoC & sources: http://bit.ly/2uY8SyU & https://youtu.be/fbUBQeD0JtA
Slide 36
HID Attacks' Mitigations 101
• Do not trust unknown USB devices!
• At most, use a USB condom (a data-line blocker that passes only power)!
– Or create your own DIY version
• Look for DLP solutions that really block HID (not only mass storage)
Slide 37
Mitigation Tools – Windows
• https://github.com/pmsosa/duckhunt
– Four Operational Modes:
• Paranoid: KB input is disallowed until a password is input. Attack will also be logged.
• Normal: KB input will temporarily be disallowed. Attack will also be logged.
• Sneaky: A few keys will be dropped. Attack will also be logged.
• LogOnly: Simply log the attack.
• https://github.com/JLospinoso/beamgun
– When a malicious HID is inserted it blocks keystrokes injection by continuously
stealing focus (and eventually locking the workstation)
Slide 38
Mitigations in Linux 101
Use a udev rule to temporarily block the addition of new HID-class devices (bInterfaceClass 03). Create the file /etc/udev/rules.d/10-usbblock.rules with the following content (a single line, commented out so it is inactive by default):
#ACTION=="add", ATTR{bInterfaceClass}=="03", RUN+="/bin/sh -c 'echo 0 >/sys$DEVPATH/../authorized'"
The rule matches the HID interface and writes 0 to the parent USB device's authorized node, so the whole device is detached, including any other interfaces (e.g. storage) of a composite gadget. Devices that are already plugged in when the rule is enabled are not affected until they are re-plugged, which also means the rule will reject your own keyboard if you reconnect it.
Run to block:
sed -i 's/^#//' /etc/udev/rules.d/10-usbblock.rules; udevadm control --reload-rules
Run to unlock before reboot:
sed -i 's/^/#/' /etc/udev/rules.d/10-usbblock.rules; udevadm control --reload-rules
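As an added example (not from the slides and not part of any project named on them): a small POSIX shell wrapper around that rule, plus a read-only inventory of the HID interfaces currently attached, which is what you want to look at before enabling the block. The rule text and the default paths are the slide's; the hidblock_* function names are my own, and the rule file and sysfs directory are parameters so the file handling can be exercised against a scratch directory without root.

```shell
#!/bin/sh
# hidblock.sh: manage the udev HID-block rule from the slide.
# Added example, not the deck's own code. Paths are parameters so the
# functions can be tested against a scratch directory; defaults are real.
set -u

HIDBLOCK_RULE_FILE="${HIDBLOCK_RULE_FILE:-/etc/udev/rules.d/10-usbblock.rules}"
# Same rule as the slide, on one line. bInterfaceClass 03 is the USB HID class;
# writing 0 to the parent device's "authorized" node detaches the whole device.
# $DEVPATH is left for /bin/sh to expand from udev's environment.
HIDBLOCK_RULE='ACTION=="add", ATTR{bInterfaceClass}=="03", RUN+="/bin/sh -c '\''echo 0 >/sys$DEVPATH/../authorized'\''"'

# Install the rule file in the disabled (commented-out) state. $1 = rule file.
hidblock_install() {
  printf '#%s\n' "$HIDBLOCK_RULE" > "$1"
}

# Reload udev only when udevd is actually running and we are root
# (/run/udev/control is udevd's control socket); a no-op elsewhere.
hidblock_reload() {
  if [ "$(id -u)" -eq 0 ] && [ -S /run/udev/control ]; then
    udevadm control --reload-rules
  fi
}

# Enable: strip a leading '#' only. (The slide's 's/#//' would also eat a '#'
# appearing elsewhere on the line.) No 'sed -i', so it is portable.
hidblock_on() {
  sed 's/^#//' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  hidblock_reload
}

# Disable: comment out every active (non-comment, non-empty) line.
hidblock_off() {
  sed '/^[^#]/s/^/#/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  hidblock_reload
}

# Print "active" if the file contains an uncommented rule, else "inactive".
hidblock_status() {
  if grep -q '^[^#]' "$1"; then echo active; else echo inactive; fi
}

# Read-only inventory of attached HID interfaces. $1 = sysfs USB devices dir
# (default /sys/bus/usb/devices). Entries there are symlinks named like
# "1-1:1.0"; the parent device directory carries idVendor/idProduct/authorized.
hidblock_list() {
  dir="${1:-/sys/bus/usb/devices}"
  for iface in "$dir"/*; do
    [ -r "$iface/bInterfaceClass" ] || continue
    [ "$(cat "$iface/bInterfaceClass")" = "03" ] || continue
    dev=$(dirname "$(readlink -f "$iface")")
    printf '%s %s:%s authorized=%s\n' "$(basename "$iface")" \
      "$(cat "$dev/idVendor")" "$(cat "$dev/idProduct")" "$(cat "$dev/authorized")"
  done
}

# Command-line use: hidblock.sh install|on|off|status|list (no-op when sourced).
if [ $# -gt 0 ]; then
  case "$1" in
    install|on|off|status) "hidblock_$1" "$HIDBLOCK_RULE_FILE" ;;
    list) hidblock_list ;;
    *) echo "usage: $0 install|on|off|status|list" >&2; exit 2 ;;
  esac
fi
```

Run `hidblock.sh list` first and note the authorized=1 entries that are your own keyboard and mouse: they keep working after `hidblock.sh on` because the rule only fires on ACTION=="add", but a re-plug of either will be rejected until `hidblock.sh off`.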
Slide 39
Mitigation Tools – Linux
• https://github.com/trpt/usbdeath
– Anti-forensic tool that writes udev rules for the known USB devices and performs configurable actions when an unknown USB device is inserted or a specific USB device is removed
• https://github.com/USBGuard/usbguard
– Software framework for implementing USB device authorization policies
Slide 46
Long Range Readers (photo)
Pictured: HID Proxcard readers (125 kHz), EM41xx (125 kHz), iClass & Mifare (13.56 MHz). Potato for scale (no, it is not weaponized, it's just a potato).
Slide 50
Mitigations
• Use the anti-tamper switches!*
– PROS: they are already there!
• Encrypt Wiegand data
– CONS: needs a new reader & controller
• Upgrade to TCP/IP-based access control systems (ACSes)
– CONS: needs a new reader & controller
– CONS: new attack vectors to check
• Detect HW implants by monitoring the reader's current draw for changes (an implant adds load)
• Epoxy all the things!!! (kidding)
*We all know they can be bypassed anyway. But still... they are there... better use them!
Slide 62
Covert Cases
• Power Socket
• Charging Station
• Bluetooth Speaker
• Smoke Alarm
– Battery powered & connected to RJ45 (offensive eth & wireless attacks)
– Male power socket (wireless only attacks)
Slide 66
USB Devices Vs. DFIR – Windows Artifacts
• Registry Hives
• Tools For The Trade
– USBdeview
– USBLogView
– USBDeviceForensics
• Event Logs
• Command Run History
• Advanced DFIR
Slide 67
USB Artifacts in Windows
• SYSTEM\CurrentControlSet\Enum\USBSTOR
• SYSTEM\CurrentControlSet\Enum\USB
• SYSTEM\CurrentControlSet\Enum\HID
• NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
• Windows XP – ROOT\Windows\setupapi.log
• Windows Vista+ – ROOT\Windows\inf\setupapi.dev.log
Note: an offline SYSTEM hive has no CurrentControlSet link; read SYSTEM\Select\Current and use the matching ControlSet00N key.
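As an added example that is not part of the deck: a POSIX shell/awk parser for the Vista+ setupapi.dev.log, for use on an image mounted on a Linux analysis host. The section markers it keys on (`>>>  [Device Install (Hardware initiated) - <instance id>]`, `>>>  Section start <date> <time>`, `<<<  [Exit status: ...]`) are the real log's layout; the embedded sample log is constructed, with made-up vendor, product and serial values, and the setupapi_* function names are my own.

```shell
#!/bin/sh
# setupapi_installs.sh: first-install records from setupapi.dev.log (Vista+).
# Added example, not the deck's code. Works offline on a copied or mounted log.
set -u

# Print one line per hardware-initiated device install:
#   <section start timestamp> TAB <device instance id> TAB <exit status>
# $1 = path to setupapi.dev.log, $2 = optional enumerator prefix (USB, USBSTOR, HID).
setupapi_installs() {
  awk -v pfx="${2:-}" '
    { sub(/\r$/, "") }                      # the log is CRLF; drop the CR
    /^>>>  \[Device Install \(Hardware initiated\) - / {
      id = $0
      sub(/^>>>  \[Device Install \(Hardware initiated\) - /, "", id)
      sub(/\]$/, "", id)
      # keep only IDs under the requested enumerator, e.g. "HID\..."
      if (pfx != "" && toupper(substr(id, 1, length(pfx) + 1)) != toupper(pfx) "\\") id = ""
      ts = ""
      next
    }
    id != "" && /^>>>  Section start / { ts = $4 " " $5; next }
    id != "" && /^<<<  \[Exit status: / {
      st = $0
      sub(/^<<<  \[Exit status: /, "", st)
      sub(/\]$/, "", st)
      printf "%s\t%s\t%s\n", ts, id, st
      id = ""
    }
  ' "$1"
}

# Distinct VID:PID pairs across all install records (USB and HID instance IDs
# carry them; USBSTOR IDs carry vendor/product strings instead).
setupapi_vidpid() {
  setupapi_installs "$1" | cut -f2 \
    | sed -n 's/.*VID_\([0-9A-Fa-f]*\)&PID_\([0-9A-Fa-f]*\).*/\1:\2/p' | sort -u
}

# Constructed sample in the real log's layout (all IDs made up): a composite
# gadget installing a USB parent and a HID interface, then a flash disk.
setupapi_sample() {
  cat <<'EOF'
>>>  [Device Install (Hardware initiated) - USB\VID_1234&PID_ABCD\5&1a2b3c4d&0&1]
>>>  Section start 2017/10/10 09:15:02.117
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
     dvi: {Build Driver List} 09:15:02.201
<<<  Section end 2017/10/10 09:15:03.440
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - HID\VID_1234&PID_ABCD\6&2b3c4d5e&0&0000]
>>>  Section start 2017/10/10 09:15:03.512
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2017/10/10 09:15:04.001
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\ABCDEF0123456789&0]
>>>  Section start 2017/10/10 10:02:41.905
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2017/10/10 10:02:42.330
<<<  [Exit status: FAILURE(0xe0000203)]
EOF
}

# Command-line use: setupapi_installs.sh <log> [USB|USBSTOR|HID]
if [ $# -gt 0 ]; then
  setupapi_installs "$@"
fi
```

The timestamp is the first time Windows saw that instance ID, which is what the registry alone does not give you on older systems; a HID record whose VID:PID also appears on a USB parent with a storage interface a second later is the pattern a weaponized composite gadget leaves, and the ID can then be cross-checked against Enum\USB and Enum\HID in the hive.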
Slide 74
Command Run History
The Run dialog (GUI + R) records whatever is typed into it under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so an injected command typed straight into it ends up in the user's run history.
Instead of:
GUI + R
STRING <malicious command>
ENTER
Do:
GUI + R
STRING CMD (or PowerShell)
ENTER
STRING <malicious command>
ENTER
This way only "CMD" (or "PowerShell") is left in RunMRU; the malicious command is typed into the console instead.
Slide 75
Event Logs to the rescue!
Slide 76
The Right Event Logs at The Right Time
Security log – Audit PNP Activity subcategory (Detailed Tracking):
• 6416: A new external device was recognized by the system.
• 6419: A request was made to disable a device.
• 6420: A device was disabled.
• 6421: A request was made to enable a device.
• 6422: A device was enabled.
• 6423: The installation of this device is forbidden by system policy.
• 6424: The installation of this device was allowed, after having previously been forbidden by policy.
Microsoft-Windows-Partition/Diagnostic log:
• 1006: May contain manufacturer, model, serial, and raw partition table, MFT, and VBR data.