USBNinja

Last updated 2 months ago

TLDR; A bunch of hackers went and created a BadUSB, in cable form, where charging of the phone works.

Introduction

As Red Teamers we are always looking for means to compromise machines. Karsten Nohl had released his research on BadUSB: https://threatpost.com/badusb-patch-skirts-more-effective-options/108775/

Looking around, there was soon devices such as Hak5's RubberDucky[1] and BashBunny which were created to emulate a Human Interface Device (HID). Essentially these were programmable USB drives that would simulate a keyboard, or mouse, and enter keystrokes into the target machine it's plugged into.

The most common form of this attack is whereby the attacker plugs in a USB physically into an unlocked machine and the device will input the necessary keyboard shortcuts and keystrokes to execute a malware implant. On Windows this could be Windows Key + R to trigger the Run prompt, then typing in a command to fetch and execute a payload. On Mac it could be launching Terminal then typing in a payload.

Masquerade

We've always known that users cannot be trusted. Social Engineering has proven this greatly over the years with it being at the root cause of many breaches. In my opinion the RubberDucky, the BadUSB, just looks too suspicious. Many users are now being made aware that USBs are bad, and we shouldn't just plug them in.

We set out to make a different device, one that is more covert and can masquerade as a legitimate day-to-day device.

USBNinja

My friends have worked closely with our Red Team expertise and practical experience to craft a new device known as the USBNinja. The USBNinja can come in many forms, the one that we will show you in this blog post is the USB charging cable. We've got other options such as conference dongles, USB fans[2], and more.

Of course, images don't really demonstrate capabilities as all you can see is cable. We've uploaded a quick demonstration video to YouTube:

Conclusion

I've spoken to people at different labs who have had hardware expertise. Some also attempted the same project, but were not able to make the cable charge for whatever reason. My team of friends have managed to weaponize this capability to make a fully working USB cable also a compatible HID device.

Next-generation are coming with hidden contraptions using triggers such as Magnets for physical mode switching, or even Bluetooth for arbitrary on the fly execution from a distance. These are under progress as we speak.

Credits

Vincent Yiu (斯圆网络安全咨询服务) - Blog post, software, weaponization Olaf Tan - ProxGrind Dennis Goh - RFID Research Group Kevin Mitnick - Mitnick Security Consulting

需要网络安全咨询服务的话,可以跟我联系!

References

[1]: https://hakshop.com/products/usb-rubber-ducky-deluxe [2]: https://www.washingtonpost.com/technology/2018/07/03/what-was-usb-fan-given-trump-kim-summit-security-experts-say-nothing-but-dont-plug-it/?noredirect=on&utm_term=.e0362077a5d0