Wednesday, January 30, 2013

Making a USB flash drive HW Trojan

Preface

When I first read Adrian Crenshaw’s [1] and Netragard’s [2] articles about malicious Human Interface Devices (HID), I was really impressed and decided to create my own, just to try out how hard it is to assemble one and see if there's any room for improvement.

My first attempt was a USB flash drive-like tool. The main goal was to make it as small and convincing-looking as possible. The result was a device in an enclosure with the dimensions of 8.7mm x 71mm x 23mm, fancy enough to fool someone in a social engineering engagement.

Now, the above-mentioned articles have a lot of details about malicious HIDs, mostly about how to program them, but they say little about how to MAKE them. So in this blog post, I will give you a step-by-step tutorial on how to prepare a USB flash drive HW Trojan (actually, you can use it as a neat, fully functional USB drive as well) using a Teensy 2.0 and Teensy SD Adaptor.

I am going to assume that you have at least some basic experience with soldering. If you don't, take a look at Limor Fried's (a.k.a. ladyada) page about the basics of soldering or Sparkfun's Soldering Basics (it takes about 40-30 minutes of practice to learn how to solder through-hole components).

Parts needed

  • Teensy 2.0
  • Teensy SD Adaptor (you can use other SD card adaptors too, but the Teensy SD Adaptor is one of the smallest on the market)
  • Micro SD Card (you can use a Micro SDHC Card as well, up to 16 GB)
  • USB A type plug (male) PCB connector (I would NOT recommend using a cable connector, since it's bigger. However, it doesn't matter if you use SMD or Through-hole type, but I prefer the Through-hole type)
  • USB MINI-B type plug (male) Cable connector (I would NOT recommend using a PCB connector, since it's bigger.)
  • Enclosure (I used this one, but it's transparent, so it's probably better for demonstration purposes and not the best for social engineering. I would recommend using something like this, or you can paint the transparent one whatever color you want)
  • Wires (I would suggest using at least 6/7 different colors)

Anyway, here's a picture of all the parts together, except the wires:

Tools needed

  • Solder (for soldering, of course)
  • Soldering iron (yep, this one is also for soldering)
  • Desoldering tool or (De)solder braid (if you are clumsy and make a soldering error, like an unwanted short circuit)
  • Hot glue gun (I used this for the USB A to USB MINI-B converter, but you can use whatever glue/solution you want)
  • Flush/diagonal cutters (for cutting the wires)
  • Third hand with Magnifying Glass (you're gonna need it, otherwise you would have to grow a third hand :) )
  • Good light (without this, you won't be able to solder those tiny little wires...)

STEP 1: Make a small USB A type plug (male) connector to USB MINI-B type plug (male) connector converter

The first thing we need to prepare is a USB connector converter, since the Teensy 2.0 has a USB MINI-B type jack (female) USB connector, but PCs/Laptops usually only have USB A type jack (female) connectors. We need to make one of our own in order to reduce the size of our device. As you will see in the pictures below, the converters you can buy are all nice and shiny, but the one I have made is almost 2/3 of their size.

TIP: Alternatively, you can de-solder the USB MINI connector from the Teensy and connect the pins directly to a USB A type connector, thus making the whole device even smaller (I preferred keeping my Teensy intact for this prototype).

First, let's take a look at pinout.ru for the USB pinout and wiring! As you can see, USB has only 4 pins, or 5 in the case of USB MINI, but we can ignore this 5th ID pin for now. The thing is that I don't have pictures of soldering the wires one by one, but I drew a few figures of the wiring, so the only thing you need to do is connect the pins of the connectors by soldering in the wires according to these instructions.

First, let's see the two connectors with the pins! (Sidenote: sorry for the lame pictures... by the time I wrote the post I didn't have any USB connectors with me to make my own photos, so I took something from the Internet. Still, I hope you'll get the general idea from these ones as well.)

For the USB A type plug connector, the pins are the following:

I like folding the two legs of the metal part on the USB A connector (the ones in the red circles in the picture) to the side, so its overall height will be the height of the connector, and it will also help keep the Teensy in one place inside the enclosure (you will see this in the pictures below). Or you can just cut them off.

If you buy a USB MINI-B type plug connector, it usually comes "unassembled" in three or four parts, but you only need the following two parts (pins are numbered on the "actual" connector part):

You should cut off half of the metallic part (along the red dotted line), get rid of the part which is marked with a red x in the picture and only keep the part holding the "actual" connector part (marked with a green check mark in the picture).

IMPORTANT: The side where I marked the pins is not the one where you will have to solder the wires!!! It's on the other side! Obviously, the order of the pins is the same on the other side as well. (Sorry, but I couldn't find a good picture on the Internet to mark the pins on the side where you actually need to do the soldering. I hope you will be able to figure out this one on your own.)

And now, let's see how we should connect them! It's pretty simple: basically, you just have to connect each pin of one connector to the same pin of the other connector. I like using red (pin 1), white (pin 2), green (pin 3) and black (pin 4) wires when I work with USB, so I can easily distinguish which wire goes into which pin (the lines in the picture also follow this convention):

Make sure that you use wires that are as short as possible, ideally no longer than 1 cm, so they don't need much space. Soldering can be quite tricky, but keep on trying until you succeed, otherwise it won't fit into the enclosure. Once you have them wired up, you can use, for example, a hot glue gun to cover the solder joints and protect them from falling apart.

Here's a picture of the commercially available and the home-made connector from the "bottom":
Same thing, from the "top":
Last, but not least, from the side:
As you can see, the result is quite small and thin (even though it's a bit ugly, but this is not a beauty contest), so it won't need a lot of valuable space in the enclosure.

STEP 2: Connecting the Teensy with the Teensy SD adaptor

The next step is to connect the Teensy with the Teensy SD Adaptor. Like I said, you can use a different SD card adapter too, but this one fits nicely on the top of a Teensy, so I will give instructions for this adapter.

You can find the technical documentation on the PJRC website for the Teensy SD Adapter. The most important part is the pinout of the adapter (I took the liberty and reused the pictures from the PJRC website):
We need to connect the MISO, MOSI, SCLK, SS, Ground and +5V pins. The SW (Switch) pin is not needed for now, but you can solder it too (I did, so you will see that the SW pin is connected on the pictures below).

The way you need to connect the Teensy with the Teensy SD Adapter is the following:
Note that, according to the above picture, the Teensy's top side will face towards the top side of the Teensy SD Adaptor. Once you place a Micro SD card into the card slot, the Teensy SD Adaptor will fit perfectly between the USB connector of the Teensy and the push button.

IMPORTANT: The top side of the Teensy SD Adaptor has the metallic surface of the Micro SD card slot that will be in contact with the top side of the Teensy board. When you plug in the assembled Teensy to a USB port, the microcontroller will get really hot, really soon. This is because the metallic part of the SD card adaptor makes a short circuit on the capacitors on the Teensy's top as you squeeze them together. In order to prevent this from happening, I used a small piece of insulation tape stuck on the metallic part of the Micro SD card slot.

The end result from the top should look like this:
Notice that the wires on the top are placed next to each other and they don't cross, so they won't increase the height of the final product.

Same thing, from one side:
From the other side (barely visible, but you can see the small piece of black insulation tape too):

STEP 3: Putting everything together

The last thing we need to do is to connect the USB A to USB MINI-B converter to the Teensy + Teensy SD Adaptor part and put them into an enclosure.

The two parts connected together should look something like this:
Putting them into a nice casing:


Final product

Aaand, that's all! :) Later, I will make a detailed blog post on how you can program such a device and what evil payloads you can use. There are a few other pictures I have made and some additional resources on malicious HIDs that you can find below.

Final product from the "top":
Final product from the side:

When the device is plugged into a PC:
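
Seen from the host, a drive-shaped device like this stands out by its interface descriptors rather than its case. The following is an added example, not code from the original post: it parses `lsusb -v`-style output and flags devices that combine an HID interface with mass storage or a storage-sounding product string. It assumes the firmware exposes an HID interface (this post does not cover firmware); the sample output, IDs and function names are constructed for illustration.

```python
import re
# Constructed sample in the layout of `lsusb -v` output, trimmed to the fields used.
SAMPLE = """\
Bus 001 Device 004: ID 1111:0001 Example Flash Disk
  iProduct                2 Flash Disk
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
Bus 001 Device 005: ID 1111:0002 Example Keyboard
  iProduct                2 USB Keyboard
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
Bus 001 Device 006: ID 1111:0003 Example Flash Disk
  iProduct                2 Flash Disk
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
"""
HID, MASS_STORAGE = 3, 8  # USB interface class codes
STORAGE_NAME = re.compile(r"flash|disk|drive|storage", re.I)
TRIPLE = re.compile(r"bInterfaceClass\s+(\d+).*\n\s*bInterfaceSubClass\s+(\d+).*\n"
                    r"\s*bInterfaceProtocol\s+(\d+)")

def parse_lsusb(text):
    """Map each device header to (product string, [(class, subclass, protocol), ...])."""
    devices = {}
    for block in re.split(r"(?m)^(?=Bus \d+ Device \d+: ID )", text):
        head = re.match(r"(Bus \d+ Device \d+: ID [0-9a-f]{4}:[0-9a-f]{4})", block)
        if head:
            name = re.search(r"iProduct\s+\d+[ \t]*(.*)", block)
            ifaces = [tuple(map(int, t)) for t in TRIPLE.findall(block)]
            devices[head.group(1)] = (name.group(1).strip() if name else "", ifaces)
    return devices

def findings(text):
    """Flag devices pairing an HID interface with mass storage or a storage-like name."""
    out = {}
    for dev_id, (product, ifaces) in parse_lsusb(text).items():
        classes = {c for c, _, _ in ifaces}
        kind = "keyboard" if (HID, 1, 1) in ifaces else "HID"  # 1/1 = boot keyboard
        if HID in classes and MASS_STORAGE in classes:
            out[dev_id] = f"{kind} interface alongside mass storage"
        elif HID in classes and STORAGE_NAME.search(product):
            out[dev_id] = f"{kind} interface on a device named '{product}'"
    return out
```

Product strings are set by the device itself, so the name rule is only a hint; the interface-class rule is the stronger signal.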


Resources

[1] Programmable HID USB Keystroke Dongle: Using the Teensy as a pen testing device
http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle

[2] Netragard’s Hacker Interface Device (HID)
http://pentest.snosoft.com/2011/06/24/netragards-hacker-interface-device-hid

Saturday, January 5, 2013

Hacker Hotshots - Zombie Browsers Spiced With Rootkit Extensions

My dear friend Balázs Zoltán is going to have a Web Show in Hacker Hotshots next month. Don't miss it! Register ASAP! :)

"Live web show this Feb 7th at 1200 EST titled: "Zombie Browsers Spiced With Rootkit Extensions." Learn more and subscribe to the Concise Courses Hacker Hotshots Web Show Community.

Concise Courses host a weekly web show called "Hacker Hotshots" with speakers from security conferences like DefCon, Black Hat and Hacker Halted. These guys interview the best hackers on the planet! Enjoy."

UPDATE:
In case you have missed it, here is the archive: http://www.concise-courses.com/infosec/20130207/