Pentesting with Programmable HID: Owned by a USB Keyboard

Most corporate (and government) IT experts know the danger of rogue USB drives. In 2008, one of the largest exploitations of the military was caused by a simple USB drive that was purposely infected with malware. Since then, turning off the “Autorun” feature has been a common mantra amongst security professionals to stop infected USB’s from running their automated payload. 

But, what if the system did not know that the device being plugged in was a USB flash drive? What if it thought it was a keyboard, or a mouse? What if it was in fact a keyboard, mouse or even an office toy? 

What if the device could run automated commands, like copying off all the data in certain directories, running an onboard malware program, or automatically taking you to a rogue site? What if the device could detect when you were sitting at the keyboard? When you turned on your office lights or even moved? 

Welcome to the world of Programmable HID (Human Interface Device) hacking. This new area of social engineering attacks is very deceiving and effective. Using a device that can be used as is, or inserted into a real keyboard, mouse or office toy, hackers are able to run a plethora of attacks against a machine. 

And because the system thinks it is a human interface device, anti-virus has little if no effect. Because it is programmable via the simple Arduino language (same technology used in robotics), the attack options are limited only by the imagination of the hacker. And as you will see, some of them have a pretty evil imagination. 

The video above is from Defcon 18. The exceptional presentation by Adrian Crenshaw (aka Irongeek) demonstrates his work with transforming the Teensy USB device into a pentesters dream. He shows the dangers and capabilities of USB HID hacking and how to defend against them. Adrian is extremely knowledgeable and his light, witty demeanor makes watching the video not only informative, but very enjoyable. 

Just don’t borrow a mouse from this guy!    

Pen Testing Perfect Storm Part V: “We Love Adobe!”

Part V of the Pen Testing Perfect Storm webcast series will be held on August 31, 2010 at 2PM EDT / 11AM PDT. This will be presented by Ed Skoudis, Kevin Johnson and Joshua Wright. Ed is one of my favorite presenters, and authors, so this is a definite must see.

Webcast Information (From Coresecurity):

It’s no secret that Adobe’s ubiquitous applications provide a broad attack surface for criminals seeking to gain access to sensitive IT networks. During this webcast, security experts Ed Skoudis, Kevin Johnson and Joshua Wright will demonstrate penetration testing techniques that you can use to proactively assess the security of systems relying on Adobe technologies throughout your organization.

You’ll learn how to …

    * Assess Adobe Reader and Flash for exploitable vulnerabilities
    * Extend testing with escalation and session management techniques
    * Impersonate network infrastructure and simplify wireless hijacking
    * Gain remote control of exposed clients

Like all Perfect Storm webcasts, part V will go beyond simple vulnerability exploitation and show you how to replicate multiple stages of an attack – from identifying and profiling exposed systems to gaining root and gathering data for reporting and remediation.

*Bonus: Register now and you’ll also get on-demand access to the slide decks for The Pen Testing Perfect Storm Trilogy Parts I-V.

Computer Security Webinar: Pen Testing Ninjitsu

Core Security Technologies offers several security related webcasts on their website. One that I enjoyed was “Pen Testing Ninjitsu”. The series is presented by SANS instructor and security expert Ed Skoudis.  The topics are (from website):

Part I: “Windows Command Line Hero”
A brief introduction to the value of penetration testing + an overview of pen testing techniques using the Windows command shell.

Part II: “Crouching Netcat, Hidden Vulnerabilities”
An introduction to techniques for performing the functions of Netcat – such as moving files, scanning ports and creating backdoors – without using Netcat.

Part III: “After the Initial Compromise”
This installment explores what can happen after the initial vulnerability is compromised and a threat becomes truly invasive – and how to proactively assess your systems against such attacks.

Ed’s knowledge is truly amazing, check it out.