1
00:00:11,300 --> 00:00:15,130
[Applause]
2
00:00:15,580 --> 00:00:22,820
so hello everyone I'm Luca and today I'm
3
00:00:20,000 --> 00:00:25,910
going to talk about HID attacks most of
4
00:00:22,820 --> 00:00:30,439
you knows know what I am what I'm going
5
00:00:25,910 --> 00:00:33,680
to talk about so what I will what I will
6
00:00:30,439 --> 00:00:35,649
show you today is despite the usual HID
7
00:00:33,680 --> 00:00:38,750
attacks I will show you some some new
8
00:00:35,649 --> 00:00:41,480
offensive devices were developed lately
9
00:00:38,750 --> 00:00:44,090
last year and we'll see what we can
10
00:00:41,480 --> 00:00:46,699
achieve with this new generation of HID
11
00:00:44,090 --> 00:00:49,430
attacks what you will which will be the
12
00:00:46,700 --> 00:00:50,960
takeaways of this presentation well after
13
00:00:49,430 --> 00:00:53,930
this presentation you will be even more
14
00:00:50,960 --> 00:00:56,600
paranoid about USB devices you will
15
00:00:53,930 --> 00:00:59,269
learn about new tools for pranking
16
00:00:56,600 --> 00:01:01,149
colleagues pwn customers or scare
17
00:00:59,270 --> 00:01:04,280
CISOs because that's what we like most
18
00:01:01,149 --> 00:01:07,040
you will forget about Rubber Ducky and
19
00:01:04,280 --> 00:01:08,990
Bash Bunny and most importantly you
20
00:01:07,040 --> 00:01:13,999
will not trust any more USB dildos and
21
00:01:08,990 --> 00:01:20,169
plasma balls so let's make a short recap
22
00:01:13,999 --> 00:01:23,839
of what are HID devices despite the D of
23
00:01:20,170 --> 00:01:26,420
HID is already device human interface
24
00:01:23,840 --> 00:01:28,520
device according to Wikipedia is a type
25
00:01:26,420 --> 00:01:31,069
of computer device usually used by
26
00:01:28,520 --> 00:01:34,189
humans that which takes input and gives
27
00:01:31,069 --> 00:01:37,369
output humans kind of dumb definition
28
00:01:34,189 --> 00:01:42,639
but that's Wikipedia what we know about
29
00:01:37,369 --> 00:01:47,749
HIDs well we use every day
30
00:01:42,639 --> 00:01:49,548
keyboards mice game controllers and what
31
00:01:47,749 --> 00:01:51,408
we also know about them that most of the
32
00:01:49,549 --> 00:01:54,979
time do not need drivers external
33
00:01:51,409 --> 00:01:57,469
drivers Windows OS X Linux they do
34
00:01:54,979 --> 00:01:59,119
recognize keyboards automatically there
35
00:01:57,469 --> 00:02:01,609
are some corner cases like you know a
36
00:01:59,119 --> 00:02:04,130
OS X is asking you to press some some
37
00:02:01,609 --> 00:02:06,259
specific keystrokes just to identify the
38
00:02:04,130 --> 00:02:08,899
keyboard language but anyway usually
39
00:02:06,259 --> 00:02:10,429
most of the time are driverless what is
40
00:02:08,899 --> 00:02:12,860
another feature an interesting feature
41
00:02:10,429 --> 00:02:15,770
of this class of devices well usually
42
00:02:12,860 --> 00:02:18,319
are ignored by DLP solutions I know that
43
00:02:15,770 --> 00:02:21,920
there are some solutions like G DATA
44
00:02:18,319 --> 00:02:23,079
that has a USB Guard that is dedicated to
45
00:02:21,920 --> 00:02:26,950
the
46
00:02:23,080 --> 00:02:31,600
HID attacks but most of them do not care
47
00:02:26,950 --> 00:02:34,570
about HID human interface devices they
48
00:02:31,600 --> 00:02:36,250
care mostly about flash drives so you
49
00:02:34,570 --> 00:02:39,250
cannot plug it in the next version of
50
00:02:36,250 --> 00:02:42,550
Stuxnet for example here is an example
51
00:02:39,250 --> 00:02:44,830
of like two weeks ago I was checking my
52
00:02:42,550 --> 00:02:50,040
antivirus solution I had in my corporate
53
00:02:44,830 --> 00:02:53,350
laptop I cannot give you the name and
54
00:02:50,040 --> 00:02:56,500
practically this device this solution as
55
00:02:53,350 --> 00:02:59,829
you can see allows to whitelist or
56
00:02:56,500 --> 00:03:01,840
blacklist block USB devices as you can
57
00:02:59,830 --> 00:03:04,530
see in the list there are plenty of them
58
00:03:01,840 --> 00:03:08,650
but there is only one missing hid
59
00:03:04,530 --> 00:03:10,300
devices so keyboards cannot be
60
00:03:08,650 --> 00:03:13,360
whitelisted or blacklisted by this
61
00:03:10,300 --> 00:03:16,360
solution which is an issue and of course
62
00:03:13,360 --> 00:03:20,140
another feature of keyboards and mice is
63
00:03:16,360 --> 00:03:23,830
that they are not usually under the
64
00:03:20,140 --> 00:03:26,589
antivirus scope so what could possibly go
65
00:03:23,830 --> 00:03:29,560
wrong what we know most of you probably
66
00:03:26,590 --> 00:03:32,739
know the first generation of HID
67
00:03:29,560 --> 00:03:35,680
offensive devices like the most common
68
00:03:32,739 --> 00:03:38,560
and shown also on Mr. Robot TV series is
69
00:03:35,680 --> 00:03:42,430
Rubber Ducky Rubber Ducky was and is a
70
00:03:38,560 --> 00:03:44,290
delicate dedicated hardware which of
71
00:03:42,430 --> 00:03:46,000
course can can be used in multiple
72
00:03:44,290 --> 00:03:48,489
platforms because it depends on the
73
00:03:46,000 --> 00:03:52,000
payload so it's compatible Windows Linux
74
00:03:48,489 --> 00:03:54,459
OS X and so on has multiple payloads has
75
00:03:52,000 --> 00:03:58,390
the ability to change VID and PID what
76
00:03:54,459 --> 00:04:01,300
is VID VID is vendor ID and PID is
77
00:03:58,390 --> 00:04:05,649
product ID these two identifiers should
78
00:04:01,300 --> 00:04:08,530
be uniquely identifying a specific type
79
00:04:05,650 --> 00:04:11,110
of a specific brand of a device like HP
80
00:04:08,530 --> 00:04:15,430
keyboard blah-blah-blah ZR1 has a
81
00:04:11,110 --> 00:04:17,890
specific VID HP or yeah and product ID is
82
00:04:15,430 --> 00:04:20,200
that specifically of that specific type
83
00:04:17,890 --> 00:04:22,360
of keyboard so in this case Rubber Ducky
84
00:04:20,200 --> 00:04:25,140
was able to spoof those VIDs and
85
00:04:22,360 --> 00:04:30,840
PIDs because some DLP solutions that are
86
00:04:25,140 --> 00:04:35,530
blacklisting whitelisting HID devices
87
00:04:30,840 --> 00:04:36,849
can can be bypassed by spoofing
88
00:04:35,530 --> 00:04:39,969
such IDs the only sad
89
00:04:36,849 --> 00:04:42,849
thing of Rubber Ducky is still the price
90
00:04:39,969 --> 00:04:45,248
it's around 55 euro if you want to buy
91
00:04:42,849 --> 00:04:46,748
from the US to Europe and it's kind of
92
00:04:45,249 --> 00:04:49,029
expensive
93
00:04:46,749 --> 00:04:51,749
the other solution was a do-it-yourself
94
00:04:49,029 --> 00:04:55,119
solution based on Teensy as a hardware
95
00:04:51,749 --> 00:04:57,279
part and from the software framework
96
00:04:55,119 --> 00:05:01,209
point of view were both open-source
97
00:04:57,279 --> 00:05:04,330
Kautilya and PHUKD and this was the
98
00:05:01,209 --> 00:05:08,159
first generation between 2009 10 11 the
99
00:05:04,330 --> 00:05:11,619
second generation is can be dated around
100
00:05:08,159 --> 00:05:15,459
2014-2015 and these two devices one Bad
101
00:05:11,619 --> 00:05:18,909
USB which was the outcome of a research
102
00:05:15,459 --> 00:05:21,879
made by Karsten Nohl and the guys from
103
00:05:18,909 --> 00:05:24,849
SRLabs from Germany practically what they
104
00:05:21,879 --> 00:05:27,099
figured out they figured out that on the
105
00:05:24,849 --> 00:05:30,399
market there are existing USB devices
106
00:05:27,099 --> 00:05:32,498
like USB flash drives or USB hubs that
107
00:05:30,399 --> 00:05:35,649
have a very specific type of controller
108
00:05:32,499 --> 00:05:37,929
like Phison which can be reflashed
109
00:05:35,649 --> 00:05:39,969
so by reflashing by hacking the firmware
110
00:05:37,929 --> 00:05:42,099
and reflashing it they were able to turn
111
00:05:39,969 --> 00:05:43,659
a very simple and commercial solution
112
00:05:42,099 --> 00:05:48,748
like a USB flash drive or a USB
113
00:05:43,659 --> 00:05:51,879
hub into a Rubber Ducky-like so malicious
114
00:05:48,749 --> 00:05:53,949
keystroke injecting device another
115
00:05:51,879 --> 00:05:57,339
device developed around the same period
116
00:05:53,949 --> 00:05:59,800
2015 by the NSA Playset guys from
117
00:05:57,339 --> 00:06:03,069
US practically what they did they
118
00:05:59,800 --> 00:06:05,740
recreated a device an implant hardware
119
00:06:03,069 --> 00:06:10,029
implant developed back in time by NSA
120
00:06:05,740 --> 00:06:13,479
around 2008 leaked by Snowden in 2013
121
00:06:10,029 --> 00:06:15,459
and the codename by the NSA ANT catalog was
122
00:06:13,479 --> 00:06:17,938
called COTTONMOUTH which I will show you
123
00:06:15,459 --> 00:06:20,469
later the original leaked paper and
124
00:06:17,939 --> 00:06:23,050
practically they recreated it called it
125
00:06:20,469 --> 00:06:25,959
TURNIPSCHOOL and has the same
126
00:06:23,050 --> 00:06:27,819
functionality was the first kind of USB
127
00:06:25,959 --> 00:06:31,269
hardware implant open source and open
128
00:06:27,819 --> 00:06:32,860
hardware able to once connected to the
129
00:06:31,269 --> 00:06:35,379
target machine was able to create a
130
00:06:32,860 --> 00:06:38,860
covert radio radio communication
131
00:06:35,379 --> 00:06:41,740
channel so that way an attacker was able
132
00:06:38,860 --> 00:06:44,409
to connect to that target even if was
133
00:06:41,740 --> 00:06:46,539
air-gapped I will talk a lot about air
134
00:06:44,409 --> 00:06:48,998
gap so what is an air-gapped environment
135
00:06:46,539 --> 00:06:50,568
for the ones that do not know that air
136
00:06:48,999 --> 00:06:52,819
gapped environment is very simple
137
00:06:50,569 --> 00:06:56,449
imagine a computer station or an entire
138
00:06:52,819 --> 00:06:59,419
well relatively small LAN that are not
139
00:06:56,449 --> 00:07:02,629
connected to other networks just imagine
140
00:06:59,419 --> 00:07:04,869
a HMI human machine interface of a
141
00:07:02,629 --> 00:07:06,949
nuclear plant is not supposed
142
00:07:04,869 --> 00:07:09,259
technically is not supposed to be
143
00:07:06,949 --> 00:07:11,389
connected to Internet we know we know
144
00:07:09,259 --> 00:07:13,520
what bridge can come out of that so in
145
00:07:11,389 --> 00:07:15,800
this case this particular implant was
146
00:07:13,520 --> 00:07:19,248
the first of that kind able to bypass
147
00:07:15,800 --> 00:07:21,249
this kind of air-gapped restriction the
148
00:07:19,249 --> 00:07:26,149
third generation can be dated around
149
00:07:21,249 --> 00:07:29,149
2017 and still ongoing is divided in two
150
00:07:26,149 --> 00:07:30,860
devices the first one that I was working
151
00:07:29,149 --> 00:07:33,349
on and I will show you in deep in depth
152
00:07:30,860 --> 00:07:35,209
is called WHID Injector you can see it
153
00:07:33,349 --> 00:07:36,949
as a Rubber Ducky on steroids if you
154
00:07:35,209 --> 00:07:40,699
want to make comparisons with something
155
00:07:36,949 --> 00:07:44,659
instead the other one developed by
156
00:07:40,699 --> 00:07:48,319
Marcus Mengs called P4wnP1 you can see it
157
00:07:44,659 --> 00:07:51,558
as a Bash Bunny on steroids what they're
158
00:07:48,319 --> 00:07:53,990
doing well WHID Injector is a dedicated
159
00:07:51,559 --> 00:07:55,969
hardware exactly like Rubber Ducky so
160
00:07:53,990 --> 00:07:58,309
not a do-it-yourself solution why I
161
00:07:55,969 --> 00:08:02,659
decided to design that because many pen
162
00:07:58,309 --> 00:08:04,939
testers either do not have time to you
163
00:08:02,659 --> 00:08:07,550
know solve their stuff you know play
164
00:08:04,939 --> 00:08:09,709
with electronics devices or either they
165
00:08:07,550 --> 00:08:11,149
do not know how to do that they don't
166
00:08:09,709 --> 00:08:13,999
want to spend time in that they prefer
167
00:08:11,149 --> 00:08:17,629
to own like Active Directories and using
168
00:08:13,999 --> 00:08:19,219
DeathStar and friends so yeah and so
169
00:08:17,629 --> 00:08:21,619
practically I designed this hardware so
170
00:08:19,219 --> 00:08:24,469
dedicated hardware as Rubber Ducky is
171
00:08:21,619 --> 00:08:26,419
able to is multi-platform able to spoof
172
00:08:24,469 --> 00:08:28,399
VID PID because it's important well to
173
00:08:26,419 --> 00:08:30,498
bypass DLP solutions and the most
174
00:08:28,399 --> 00:08:33,500
important part respect Rubber Ducky it
175
00:08:30,499 --> 00:08:35,719
has Wi-Fi so in this case the attacker
176
00:08:33,500 --> 00:08:38,599
in one way or in another as soon as the
177
00:08:35,719 --> 00:08:40,339
tar the Rubber Ducky sorry the WHID
178
00:08:38,599 --> 00:08:42,199
injector gets connected to the target
179
00:08:40,339 --> 00:08:44,480
machine the attacker remotely from
180
00:08:42,198 --> 00:08:47,359
outside the building or with the call
181
00:08:44,480 --> 00:08:49,759
home function if of course he needs to
182
00:08:47,360 --> 00:08:51,139
preset existing Wi-Fi network to connect
183
00:08:49,759 --> 00:08:53,750
the WHID Injector and then reach outside
184
00:08:51,139 --> 00:08:55,550
he's able to connect remotely to the
185
00:08:53,750 --> 00:08:58,699
target machine and inject the payload
186
00:08:55,550 --> 00:09:02,510
whenever he wants because another sad
187
00:08:58,699 --> 00:09:03,760
thing feature of Rubber Ducky is that
188
00:09:02,510 --> 00:09:05,380
you can you
189
00:09:03,760 --> 00:09:07,569
have to run the payload immediately it
190
00:09:05,380 --> 00:09:09,730
runs I mean as soon as you plug you can
191
00:09:07,570 --> 00:09:12,100
run it of course you can put delay but
192
00:09:09,730 --> 00:09:15,040
you cannot exactly decide at which exact
193
00:09:12,100 --> 00:09:17,860
moment three great promotion and another
194
00:09:15,040 --> 00:09:21,520
thing we wanted to keep it cheap so it's
195
00:09:17,860 --> 00:09:24,670
around 13 euro now because the the cost
196
00:09:21,520 --> 00:09:26,770
of ATmega32u4 raised and I'm not getting
197
00:09:24,670 --> 00:09:29,380
any royalty so I just wanted people to
198
00:09:26,770 --> 00:09:31,300
get it people said Oh looks cool I want
199
00:09:29,380 --> 00:09:32,340
it so I just asked a manufacturer in
200
00:09:31,300 --> 00:09:35,500
China to do it
201
00:09:32,340 --> 00:09:37,570
P4wnP1 P4wnP1 is another cool device the
202
00:09:35,500 --> 00:09:39,760
only expense here is just the Raspberry
203
00:09:37,570 --> 00:09:42,880
Pi Zero because it's based on Raspberry
204
00:09:39,760 --> 00:09:45,520
Pi Zero which is around 15 euro and the
205
00:09:42,880 --> 00:09:47,170
software itself is open source of course
206
00:09:45,520 --> 00:09:50,680
also WHID Injector is open source and open
207
00:09:47,170 --> 00:09:52,990
hardware what is what are the main feature of
208
00:09:50,680 --> 00:09:54,729
P4wnP1 will see later a bit more in
209
00:09:52,990 --> 00:09:57,300
depth but the idea is that it has Wi-Fi
210
00:09:54,730 --> 00:10:00,790
as well so we can remote control
211
00:09:57,300 --> 00:10:04,839
remotely control it like WHID Injector and it
212
00:10:00,790 --> 00:10:08,709
is also USB to Ethernet adapter you know
213
00:10:04,840 --> 00:10:12,310
CDC gadget from USB protocol so it can
214
00:10:08,710 --> 00:10:14,770
create an Ethernet connection just by
215
00:10:12,310 --> 00:10:17,140
plugging in into a USB port of the
216
00:10:14,770 --> 00:10:19,870
target machine you can emulate also USB
217
00:10:17,140 --> 00:10:21,460
flash drive file system so which is cool
218
00:10:19,870 --> 00:10:23,170
it has the ability to call back a
219
00:10:21,460 --> 00:10:24,580
command control server so you can be on
220
00:10:23,170 --> 00:10:27,370
the other side of the world and control
221
00:10:24,580 --> 00:10:30,100
it remotely again able to spoof VID
222
00:10:27,370 --> 00:10:33,370
and PID as well and recently Marcus
223
00:10:30,100 --> 00:10:36,490
added a patched version of the drivers
224
00:10:33,370 --> 00:10:39,010
of the Broadcom Wi-Fi chipset in a way
225
00:10:36,490 --> 00:10:41,140
that now this little teeny tiny toy is
226
00:10:39,010 --> 00:10:44,020
not only Bash Bunny on steroids but is also
227
00:10:41,140 --> 00:10:47,170
almost close to WiFi Pineapple on
228
00:10:44,020 --> 00:10:48,220
steroids so it's it's really powerful
229
00:10:47,170 --> 00:10:50,500
and lately
230
00:10:48,220 --> 00:10:53,140
during yeah around approximately
231
00:10:50,500 --> 00:10:55,120
Hack In The Box he was working on a new
232
00:10:53,140 --> 00:10:56,680
feature that here is the video because
233
00:10:55,120 --> 00:10:58,570
due to time constraints I could not show
234
00:10:56,680 --> 00:11:01,569
you all the demos so probably I will
235
00:10:58,570 --> 00:11:03,970
publish later even other so this one was
236
00:11:01,570 --> 00:11:06,070
a demo made by Marcus which is showing a
237
00:11:03,970 --> 00:11:09,760
next-generation air gap bypass I will
238
00:11:06,070 --> 00:11:11,710
explain you later what it is ok let's go
239
00:11:09,760 --> 00:11:14,500
back the WHID Injector these are the
240
00:11:11,710 --> 00:11:17,540
schematics I released and how it's
241
00:11:14,500 --> 00:11:21,440
composed WHID Injector the main two
242
00:11:17,540 --> 00:11:23,630
components of WHID Injector are ATmega
243
00:11:21,440 --> 00:11:26,090
32u4 for most of us that played
244
00:11:23,630 --> 00:11:28,939
with Arduino knows it because it is
245
00:11:26,090 --> 00:11:30,530
implemented in some Arduino micro Pro
246
00:11:28,940 --> 00:11:32,120
and Friends
247
00:11:30,530 --> 00:11:34,819
so it's an Arduino-friendly
248
00:11:32,120 --> 00:11:37,400
microcontroller and ESP-12 ESP-12 is
249
00:11:34,820 --> 00:11:41,000
known to be used is the old version of
250
00:11:37,400 --> 00:11:43,520
the ESP family now most likely most of
251
00:11:41,000 --> 00:11:45,980
you will know ESP32 anyway
252
00:11:43,520 --> 00:11:48,290
this type of Wi-Fi chipset are very
253
00:11:45,980 --> 00:11:50,300
common in IoT devices like you know
254
00:11:48,290 --> 00:11:52,760
these power sockets that you can control
255
00:11:50,300 --> 00:11:55,370
from a web app mobile app so let that
256
00:11:52,760 --> 00:11:59,350
thing why it's nice because in a little
257
00:11:55,370 --> 00:12:03,470
small form-factor chipset which is this
258
00:11:59,350 --> 00:12:05,600
black thing behind on the PCB you have
259
00:12:03,470 --> 00:12:09,110
what four megabyte flash NAND flash
260
00:12:05,600 --> 00:12:11,660
Wi-Fi support both as access point and
261
00:12:09,110 --> 00:12:12,800
client mode and TCP stack and DNS
262
00:12:11,660 --> 00:12:14,870
support so you have plenty of
263
00:12:12,800 --> 00:12:17,180
capabilities there another thing I
264
00:12:14,870 --> 00:12:18,950
wanted to add and I added in the PCB is
265
00:12:17,180 --> 00:12:21,589
this thing that in Rubber Ducky there is
266
00:12:18,950 --> 00:12:25,820
not it's a simple pinout bridge that is
267
00:12:21,590 --> 00:12:29,480
practically giving the ability to the
268
00:12:25,820 --> 00:12:31,910
attacker to use the four pins of a USB
269
00:12:29,480 --> 00:12:33,410
connection to weaponize USB gadgets we
270
00:12:31,910 --> 00:12:35,810
will see later what I mean weaponizing
271
00:12:33,410 --> 00:12:39,260
USB gadget another thing I decided to
272
00:12:35,810 --> 00:12:41,689
add was the Hall sensor because many
273
00:12:39,260 --> 00:12:44,060
times when you weaponize a gadget or you
274
00:12:41,690 --> 00:12:47,660
put in your plug it in any USB case and
275
00:12:44,060 --> 00:12:49,219
you want to unbrick it or reset it or
276
00:12:47,660 --> 00:12:51,560
reflash it it's annoying
277
00:12:49,220 --> 00:12:53,270
plug it in destroy the USB keys and so
278
00:12:51,560 --> 00:12:55,430
on so with the Hall sensor you just need
279
00:12:53,270 --> 00:13:00,470
to put close a magnet and will simulate
280
00:12:55,430 --> 00:13:03,890
the button pressed so I was talking
281
00:13:00,470 --> 00:13:07,280
about USB gadgets what what it means
282
00:13:03,890 --> 00:13:09,319
well you know many of you is already
283
00:13:07,280 --> 00:13:10,579
aware and probably you're doing security
284
00:13:09,320 --> 00:13:13,820
awareness trainings within your
285
00:13:10,580 --> 00:13:16,670
companies about how danger is picking a
286
00:13:13,820 --> 00:13:19,580
USB flash drive from another parking lot
287
00:13:16,670 --> 00:13:21,500
reception gas area and plug it in in
288
00:13:19,580 --> 00:13:23,390
your laptop to check what is inside so
289
00:13:21,500 --> 00:13:25,640
most of the people now knows that trick
290
00:13:23,390 --> 00:13:27,880
and is harder and is getting harder and
291
00:13:25,640 --> 00:13:30,880
harder for red teamers
292
00:13:27,880 --> 00:13:33,430
to prove that HID is an issue so another
293
00:13:30,880 --> 00:13:36,850
thing you can do is to trick people to
294
00:13:33,430 --> 00:13:39,609
think that there are of course other USB
295
00:13:36,850 --> 00:13:41,889
gadgets on the market that usually raise
296
00:13:39,610 --> 00:13:44,139
less suspiciousness like for example if
297
00:13:41,889 --> 00:13:45,940
you see a USB flash drive you think
298
00:13:44,139 --> 00:13:48,459
there might be a malware there but if
299
00:13:45,940 --> 00:13:53,230
you see a plasma ball or a cup heater
300
00:13:48,459 --> 00:13:56,560
without that cough though a fan or a USB
301
00:13:53,230 --> 00:14:01,209
beer fridge I mean if you see this kind
302
00:13:56,560 --> 00:14:04,149
of of devices your awareness will be
303
00:14:01,209 --> 00:14:06,550
less high so in this case what you can
304
00:14:04,149 --> 00:14:07,839
do with you know by weaponizing USB
305
00:14:06,550 --> 00:14:09,519
gadgets you can test for social
306
00:14:07,839 --> 00:14:12,190
engineering awareness exactly as you
307
00:14:09,519 --> 00:14:14,019
were doing with the flash drive you can
308
00:14:12,190 --> 00:14:16,870
bypass physical access restriction to a
309
00:14:14,019 --> 00:14:19,180
target device because as I told you both
310
00:14:16,870 --> 00:14:21,699
pompey and with injector have Wi-Fi
311
00:14:19,180 --> 00:14:24,219
capability so imagine like here I made
312
00:14:21,699 --> 00:14:27,639
an example this is a fake brochure from
313
00:14:24,220 --> 00:14:29,620
a leader in office supplies so
314
00:14:27,639 --> 00:14:31,959
practically you weaponize a plasma ball
315
00:14:29,620 --> 00:14:34,750
you pack it back you take that brochure
316
00:14:31,959 --> 00:14:37,029
you pack everything you maybe you even
317
00:14:34,750 --> 00:14:40,209
create a fake web domain just to give a
318
00:14:37,029 --> 00:14:43,029
you know a shape of you know a more
319
00:14:40,209 --> 00:14:45,369
serious operation then you pack
320
00:14:43,029 --> 00:14:48,250
everything you send through UPS FEDEX to
321
00:14:45,370 --> 00:14:51,550
the target or receptionist of the
322
00:14:48,250 --> 00:14:53,529
company and then most likely the guy
323
00:14:51,550 --> 00:14:55,899
will see the plasma ball will think
324
00:14:53,529 --> 00:14:58,060
plasma ball if he's really smart he
325
00:14:55,899 --> 00:15:00,959
thinks oh plasma ball has no data
326
00:14:58,060 --> 00:15:04,359
connection just you know five volt so
327
00:15:00,959 --> 00:15:06,969
most likely it will plug it it I know I
328
00:15:04,360 --> 00:15:09,009
heard people that were using on during
329
00:15:06,970 --> 00:15:12,880
engagements and they had this they did
330
00:15:09,009 --> 00:15:14,730
succeed so it is working so otherwise
331
00:15:12,880 --> 00:15:17,889
instead of plasma ball you can always
332
00:15:14,730 --> 00:15:20,800
add a hub USB hub controller and
333
00:15:17,889 --> 00:15:22,660
weaponize a mouse either then you can
334
00:15:20,800 --> 00:15:24,339
ship the mouse or during a physical
335
00:15:22,660 --> 00:15:27,610
engagement you can replace an existing
336
00:15:24,339 --> 00:15:29,949
Mouse no one will notice it and another
337
00:15:27,610 --> 00:15:31,660
thing is but that is restrictive most
338
00:15:29,949 --> 00:15:33,969
likely to just one person in the world
339
00:15:31,660 --> 00:15:36,399
is that if you are Kim Jong-un and
340
00:15:33,970 --> 00:15:39,040
wanna have fun pwning international
341
00:15:36,399 --> 00:15:41,709
delegates you have always the chance to
342
00:15:39,040 --> 00:15:46,089
that by giving them USB fans of course
343
00:15:41,709 --> 00:15:48,130
we have no no one managed to to pop open
344
00:15:46,089 --> 00:15:49,690
that USB fan so we don't know if there
345
00:15:48,130 --> 00:15:54,009
was or not an implant but the
346
00:15:49,690 --> 00:15:56,170
possibility is still there okay I
347
00:15:54,009 --> 00:15:59,350
described the hardware part of WHID
348
00:15:56,170 --> 00:16:01,329
injector the software part is the one
349
00:15:59,350 --> 00:16:04,089
that is delivered by default with with
350
00:16:01,329 --> 00:16:06,519
the Injector is called ESPloit v2
351
00:16:04,089 --> 00:16:10,149
which is an evolution of with why I'm
352
00:16:06,519 --> 00:16:12,339
not really a good developer so a guy
353
00:16:10,149 --> 00:16:16,480
Corey Harding decided to improve it so
354
00:16:12,339 --> 00:16:21,430
luckily for everyone so ESPloit v2
355
00:16:16,480 --> 00:16:24,250
has many features like hidden SSID
356
00:16:21,430 --> 00:16:28,180
so for more abstract cooperation you
357
00:16:24,250 --> 00:16:29,589
just hide the SSID so employees around
358
00:16:28,180 --> 00:16:32,979
the company will not see that there is
359
00:16:29,589 --> 00:16:35,680
like WHID Injector access point there it
360
00:16:32,980 --> 00:16:38,259
has captive portal credential harvester we
361
00:16:35,680 --> 00:16:40,899
will see later what it is multi-platform
362
00:16:38,259 --> 00:16:43,149
move the keyboard language ability to
363
00:16:40,899 --> 00:16:44,860
auto start like Rubber Ducky in case you
364
00:16:43,149 --> 00:16:46,959
want to just use it during an engagement
365
00:16:44,860 --> 00:16:48,899
with physical access you can just plug
366
00:16:46,959 --> 00:16:50,949
it in and replicate the Rubber Ducky
367
00:16:48,899 --> 00:16:53,980
ability to change setting on the fly
368
00:16:50,949 --> 00:16:55,959
live payloads ability to convert if you
369
00:16:53,980 --> 00:16:57,639
already have a list of Ducky Scripts for
370
00:16:55,959 --> 00:16:59,768
Rubber Ducky you just need to copy paste
371
00:16:57,639 --> 00:17:01,329
in the web browser once you are
372
00:16:59,769 --> 00:17:03,339
connected to the WHID Injector and will
373
00:17:01,329 --> 00:17:06,579
automatically convert to the WHID
374
00:17:03,339 --> 00:17:09,309
Injector syntax so easy peasy ability to
375
00:17:06,579 --> 00:17:11,109
update the firmware over the air so you don't
376
00:17:09,309 --> 00:17:13,270
need to unplug and plug or a plug and
377
00:17:11,109 --> 00:17:13,958
play with Arduino if you're not you know
378
00:17:13,270 --> 00:17:17,049
used to it
379
00:17:13,959 --> 00:17:19,540
able to spoof VID PID and the best part
380
00:17:17,049 --> 00:17:21,879
i like it is ability to bypass
381
00:17:19,540 --> 00:17:26,709
air-gapped environments we will see
382
00:17:21,880 --> 00:17:28,840
later proof-of-concept about that ducky
383
00:17:26,709 --> 00:17:30,610
script so as I said before if you
384
00:17:28,840 --> 00:17:32,110
already have a Ducky Script you just
385
00:17:30,610 --> 00:17:34,570
connect to the access point created by
386
00:17:32,110 --> 00:17:38,620
WHID Injector copy paste the Ducky
387
00:17:34,570 --> 00:17:40,780
Script and automatically the this
388
00:17:38,620 --> 00:17:43,059
JavaScript will convert it to the real
389
00:17:40,780 --> 00:17:45,879
syntax used by WHID Injector so very
390
00:17:43,059 --> 00:17:47,740
easy and user-friendly this is how to
391
00:17:45,880 --> 00:17:49,900
change the layout language layout
392
00:17:47,740 --> 00:17:50,710
because is delivered by with by default
393
00:17:49,900 --> 00:17:54,010
MIDI in
394
00:17:50,710 --> 00:17:55,510
keyboard so like French keyboard and so
395
00:17:54,010 --> 00:17:58,150
on you just need to go in the WHID
396
00:17:55,510 --> 00:18:01,000
repo on GitHub copy paste the ASCII
397
00:17:58,150 --> 00:18:03,750
map replace it in our put it in at the
398
00:18:01,000 --> 00:18:06,400
Arduino IDE and just flash back the
399
00:18:03,750 --> 00:18:10,510
USB device and then you will have a
400
00:18:06,400 --> 00:18:13,930
compatible WHID Injector for any kind of
401
00:18:10,510 --> 00:18:16,390
keyboard you prefer here is an example
402
00:18:13,930 --> 00:18:19,210
of how to spoof VID and PID again this
403
00:18:16,390 --> 00:18:22,540
snippet of code is in the GitHub repo
404
00:18:19,210 --> 00:18:25,390
here what we care mostly is the VID the
405
00:18:22,540 --> 00:18:27,010
PID and the name you can put an
406
00:18:25,390 --> 00:18:29,260
arbitrary name actually you can use even
407
00:18:27,010 --> 00:18:32,470
for fuzzing probably operative systems
408
00:18:29,260 --> 00:18:34,360
if you start to play with charge and of
409
00:18:32,470 --> 00:18:36,100
course is compatible well here I put as
410
00:18:34,360 --> 00:18:37,659
an example at the end you just need to
411
00:18:36,100 --> 00:18:39,550
move to add this snippet at the end of
412
00:18:37,660 --> 00:18:44,800
boards.txt of Arduino IDE
413
00:18:39,550 --> 00:18:47,139
and then just reflash WHID Injector so I
414
00:18:44,800 --> 00:18:49,600
I talked already many times about air
415
00:18:47,140 --> 00:18:51,340
gap bypass here is an example for
416
00:18:49,600 --> 00:18:53,290
example my favorite operating system
417
00:18:51,340 --> 00:18:55,209
right now is Windows 10 because it's not
418
00:18:53,290 --> 00:18:56,980
complaining anyhow about serial
419
00:18:55,210 --> 00:19:00,040
connection so as soon as you plug it in
420
00:18:56,980 --> 00:19:02,740
poof serial connected no drivers no
421
00:19:00,040 --> 00:19:04,680
issues no nothing and here's an examples
422
00:19:02,740 --> 00:19:07,510
what you will see now you will see okay
423
00:19:04,680 --> 00:19:09,610
in this virtual machine is completely
424
00:19:07,510 --> 00:19:11,379
isolated so there is no Bluetooth
425
00:19:09,610 --> 00:19:16,620
connection Ethernet connection or
426
00:19:11,380 --> 00:19:19,750
Wi-Fi is so-called air gap this is the
427
00:19:16,620 --> 00:19:22,479
the full machined real laptop where the
428
00:19:19,750 --> 00:19:24,310
attacker is connected through Wi-Fi so
429
00:19:22,480 --> 00:19:27,070
in this case the WHID Injector is
430
00:19:24,310 --> 00:19:29,320
plugging in into the air gap machine and
431
00:19:27,070 --> 00:19:33,250
you will think just make an assumption
432
00:19:29,320 --> 00:19:35,860
somehow that WHID Injector got connected
433
00:19:33,250 --> 00:19:37,030
either social engineering plasma ball
434
00:19:35,860 --> 00:19:40,840
whatever
435
00:19:37,030 --> 00:19:44,649
kidnapping whatever so once it's
436
00:19:40,840 --> 00:19:46,149
connected we run a payload this payload in
437
00:19:44,650 --> 00:19:48,490
this case is Windows so it's running a
438
00:19:46,150 --> 00:19:51,310
PowerShell script what we'll do we'll
439
00:19:48,490 --> 00:19:54,550
execute a command in this case whoami
440
00:19:51,310 --> 00:19:56,409
take the command and push it back through
441
00:19:54,550 --> 00:19:58,659
the serial connection to the WHID
442
00:19:56,410 --> 00:19:59,980
injector at that point the attacker will
443
00:19:58,660 --> 00:20:03,550
be able to retrieve that information
444
00:19:59,980 --> 00:20:04,480
anytime he wants from the WHID
445
00:20:03,550 --> 00:20:09,580
Injector
446
00:20:04,480 --> 00:20:11,769
access point and ESP flash so now the
447
00:20:09,580 --> 00:20:16,899
attacker is connecting to the default
448
00:20:11,769 --> 00:20:19,230
SSID of WHID Injector which is the
449
00:20:16,899 --> 00:20:19,229
payload
450
00:20:27,600 --> 00:20:34,168
here you can see the VID and PID it uses to
451
00:20:30,690 --> 00:20:35,610
filter and find the WHID Injector
452
00:20:34,169 --> 00:20:37,110
connected of course if you spoofed the
453
00:20:35,610 --> 00:20:38,969
VID and PID you need to change that
454
00:20:37,110 --> 00:20:41,340
part in the script that's the
455
00:20:38,970 --> 00:20:43,650
command whoami and now as soon as it runs
456
00:20:41,340 --> 00:20:45,510
the command of course it can be faster the
457
00:20:43,650 --> 00:20:47,520
the injection but I wanted to slow down
458
00:20:45,510 --> 00:20:49,230
just to show you a bit you know that is
459
00:20:47,520 --> 00:20:52,530
not like you know fake proof-of-concept
460
00:20:49,230 --> 00:20:54,600
so now it's looking for the serial taking
461
00:20:52,530 --> 00:20:56,970
the command and then the attacker is able
462
00:20:54,600 --> 00:20:58,709
to see the exfiltrated data from an
463
00:20:56,970 --> 00:21:00,720
air-gapped environment so we fully
464
00:20:58,710 --> 00:21:02,580
bypass it and imagine that the attacker
465
00:21:00,720 --> 00:21:05,039
right now could be outside the nuclear
466
00:21:02,580 --> 00:21:07,949
plant so it shouldn't be like you know
467
00:21:05,039 --> 00:21:11,879
built on machine and as you can see it's
468
00:21:07,950 --> 00:21:14,039
matching of course we can do the same in
469
00:21:11,880 --> 00:21:15,840
a Linux based machine payload is
470
00:21:14,039 --> 00:21:18,150
different but the idea is the same so we
471
00:21:15,840 --> 00:21:21,120
look for well in this case it's LilyPad
472
00:21:18,150 --> 00:21:24,750
because this is the default name of the WHID
473
00:21:21,120 --> 00:21:27,449
Injector from a serial comm point of
474
00:21:24,750 --> 00:21:29,820
view but as soon as you
475
00:21:27,450 --> 00:21:31,950
change through the spoofing technique
476
00:21:29,820 --> 00:21:34,439
you just need to change accordingly the
477
00:21:31,950 --> 00:21:37,919
script so what it does is look at which
478
00:21:34,440 --> 00:21:40,140
serial which serial port is the WHID
479
00:21:37,919 --> 00:21:44,039
Injector execute ifconfig and send back
480
00:21:40,140 --> 00:21:49,559
the exfiltrated data before I mentioned also
481
00:21:44,039 --> 00:21:53,190
ESPortal credential harvester well the
482
00:21:49,559 --> 00:21:56,129
idea is it's a very dumb rogue access
483
00:21:53,190 --> 00:21:58,530
point it doesn't have yet the karma
484
00:21:56,130 --> 00:22:01,590
attack abilities like Wi-Fi Pineapple
485
00:21:58,530 --> 00:22:04,168
for example simply because we figured
486
00:22:01,590 --> 00:22:07,320
out that there is a Wi-Fi chip within
487
00:22:04,169 --> 00:22:09,720
there we can create any arbitrary Wi-Fi
488
00:22:07,320 --> 00:22:12,000
hotspot so we thought just let's put it
489
00:22:09,720 --> 00:22:14,070
there and let's see if it might be useful
490
00:22:12,000 --> 00:22:18,900
for some engagements and then eventually
491
00:22:14,070 --> 00:22:21,210
later improve it with karma attacks so
492
00:22:18,900 --> 00:22:24,179
the idea is that it redirects any HTTP
493
00:22:21,210 --> 00:22:27,090
requests to some default pages we can
494
00:22:24,179 --> 00:22:29,280
customize up to three specific
495
00:22:27,090 --> 00:22:30,840
domains like in this case was like
496
00:22:29,280 --> 00:22:33,330
microsoft.com blackhat
497
00:22:30,840 --> 00:22:35,699
bbc.com so in this case if the
498
00:22:33,330 --> 00:22:39,149
victim goes to connect to this rogue
499
00:22:35,700 --> 00:22:41,370
access point goes to bbc.com well we can
500
00:22:39,150 --> 00:22:43,620
play we can discuss about HSTS
501
00:22:41,370 --> 00:22:45,629
but in a brand new computer it goes like
502
00:22:43,620 --> 00:22:47,790
for example here you can see that it
503
00:22:45,630 --> 00:22:49,470
tries to check if there is Microsoft is
504
00:22:47,790 --> 00:22:52,920
trying to check if there is a hotspot so
505
00:22:49,470 --> 00:22:54,480
it makes requests without HTTPS so in
506
00:22:52,920 --> 00:22:57,000
that case I'm redirecting directly there is
507
00:22:54,480 --> 00:23:01,170
also of course the casual template so
508
00:22:57,000 --> 00:23:03,720
any website you are visiting the DNS
509
00:23:01,170 --> 00:23:06,270
requests will be routing you the reply
510
00:23:03,720 --> 00:23:08,130
will route you to my login page
511
00:23:06,270 --> 00:23:12,150
fake login page so in that case you can
512
00:23:08,130 --> 00:23:14,059
you know phish anyone and of course all
513
00:23:12,150 --> 00:23:17,040
the credentials will be stored in ESP
514
00:23:14,059 --> 00:23:19,590
flash so you just need the attacker just
515
00:23:17,040 --> 00:23:22,110
needs to go in the USB port all log.txt
516
00:23:19,590 --> 00:23:24,750
and get it as I said I'm working on the
517
00:23:22,110 --> 00:23:29,159
karma attack implementation on the ESP
518
00:23:24,750 --> 00:23:32,910
chipset so stay tuned we'll see another
519
00:23:29,160 --> 00:23:37,080
software worth to be mentioned is USaBUSe
521
00:23:37,080 --> 00:23:43,470
it was developed by Rogan Dawes
522
00:23:40,530 --> 00:23:47,070
from SensePost and the idea is that as
522
00:23:40,530 --> 00:23:47,070
well it's based on COTTONMOUTH this is
523
00:23:43,470 --> 00:23:49,110
the original PDF leaked by Snowden was
524
00:23:47,070 --> 00:23:52,169
created this device implant was created
525
00:23:49,110 --> 00:23:54,120
in 2008 by NSA TAO and practically is
526
00:23:52,170 --> 00:23:57,390
a rip USaBUSe is replicating the
527
00:23:54,120 --> 00:23:59,550
same functionalities the idea the main
528
00:23:57,390 --> 00:24:01,530
feature is to the main goal is to bypass
529
00:23:59,550 --> 00:24:04,919
circuit restriction so what it does is
530
00:24:01,530 --> 00:24:07,260
once the WHID Injector flashed with USaBUSe
531
00:24:04,920 --> 00:24:10,559
is connected to a PC it creates some
532
00:24:07,260 --> 00:24:12,360
Wi-Fi access point starts a stealthy
533
00:24:10,559 --> 00:24:17,520
screensaver killer so imagine the
534
00:24:12,360 --> 00:24:19,800
situation that somehow WHID Injector got
535
00:24:17,520 --> 00:24:24,330
connected to your machine you are
536
00:24:19,800 --> 00:24:27,780
usually have the screensaver
537
00:24:24,330 --> 00:24:29,850
set up to kick in after one minute right 60
538
00:24:27,780 --> 00:24:31,590
seconds so in that case imagine that you
539
00:24:29,850 --> 00:24:33,270
go to take the coffee and you don't lock
540
00:24:31,590 --> 00:24:35,159
your laptop because you know that in 60
541
00:24:33,270 --> 00:24:36,870
seconds by the time you are at the
542
00:24:35,160 --> 00:24:39,510
coffee machine already kicked in the
543
00:24:36,870 --> 00:24:42,090
screensaver in this case USaBUSe is
544
00:24:39,510 --> 00:24:44,460
slightly moving the mouse one pixel so
545
00:24:42,090 --> 00:24:46,350
it's emulating a mouse in a way that the
546
00:24:44,460 --> 00:24:47,910
screensaver will never kick in so in
547
00:24:46,350 --> 00:24:49,350
the meanwhile the guy is enjoying the
548
00:24:47,910 --> 00:24:51,090
coffee the attacker from outside the
549
00:24:49,350 --> 00:24:54,178
building connects to the Wi-Fi network and
550
00:24:51,090 --> 00:24:55,490
fires the first PowerShell
551
00:24:54,179 --> 00:24:58,920
stage
552
00:24:55,490 --> 00:25:02,490
which is what it's doing is
553
00:24:58,920 --> 00:25:04,410
creating a HID raw tunnel so human
554
00:25:02,490 --> 00:25:07,470
interface devices have different classes
555
00:25:04,410 --> 00:25:11,340
so in this case it's creating a HID raw
556
00:25:07,470 --> 00:25:14,850
I would say device but it's bad shape
557
00:25:11,340 --> 00:25:17,850
channel which is used to exfil data and
558
00:25:14,850 --> 00:25:20,399
actually as main channel communication
559
00:25:17,850 --> 00:25:23,280
channel between WHID Injector USaBUSe
560
00:25:20,400 --> 00:25:26,070
itself and the PowerShell script that
561
00:25:23,280 --> 00:25:26,370
is injected in memory on the target
562
00:25:26,070 --> 00:25:29,790
machine
563
00:25:26,370 --> 00:25:32,399
so after this channel is established it
564
00:25:29,790 --> 00:25:33,990
returns a CMD shell to the attacker if I
565
00:25:32,400 --> 00:25:36,360
will have time after the presentation I
566
00:25:33,990 --> 00:25:38,820
will show you what it looks like this is
567
00:25:36,360 --> 00:25:40,979
really cool and after that it's pretty
568
00:25:38,820 --> 00:25:44,159
much game over an air-gapped environment
569
00:25:40,980 --> 00:25:49,490
compromised outside the building or
570
00:25:44,160 --> 00:25:49,490
inside the room remotely like that
571
00:25:49,970 --> 00:25:58,890
what's next well this is WHID Elite so
572
00:25:56,640 --> 00:26:02,040
the idea is the same it's using again
573
00:25:58,890 --> 00:26:08,040
ATmega32U4 as keystroke
574
00:26:02,040 --> 00:26:10,020
injecting device there is also a USB2422
575
00:26:08,040 --> 00:26:12,690
controller what it is it's just a USB
576
00:26:10,020 --> 00:26:16,110
hub controller so instead of weaponizing
577
00:26:12,690 --> 00:26:19,170
a USB gadget by using an
578
00:26:16,110 --> 00:26:21,300
external USB hub it's already implemented
579
00:26:19,170 --> 00:26:25,320
in a PCB so you just need to solder
580
00:26:21,300 --> 00:26:27,870
there the pins that go like you know
581
00:26:25,320 --> 00:26:29,820
if it is a mouse here you put the input
582
00:26:27,870 --> 00:26:32,159
from the keyboard or from the mouse
583
00:26:29,820 --> 00:26:35,460
and here the cable that goes to the
584
00:26:32,160 --> 00:26:37,590
target machine so easy the most
585
00:26:35,460 --> 00:26:39,870
important feature of WHID Elite is that
586
00:26:37,590 --> 00:26:42,629
instead of ESP this time I replaced it
587
00:26:39,870 --> 00:26:46,229
with a well the first version will have
588
00:26:42,630 --> 00:26:48,840
a 2G baseband for the simple reason that
589
00:26:46,230 --> 00:26:49,260
still many places in Europe and in the
590
00:26:48,840 --> 00:26:52,230
world
591
00:26:49,260 --> 00:26:53,790
2G is still a thing so and it's cheaper
592
00:26:52,230 --> 00:26:56,310
this baseband than this one
593
00:26:53,790 --> 00:26:58,230
the second version I started already to
594
00:26:56,310 --> 00:27:00,629
work on so it's just matter of because
595
00:26:58,230 --> 00:27:02,700
both of them communicate on UART so
596
00:27:00,630 --> 00:27:04,530
serial connection with ATmega so it's
597
00:27:02,700 --> 00:27:07,710
just a matter of redesigning the PCB a bit
598
00:27:04,530 --> 00:27:08,999
so the second version will have NB
599
00:27:07,710 --> 00:27:11,309
IoT
600
00:27:08,999 --> 00:27:14,549
so LTE so everywhere in the world it's
601
00:27:11,309 --> 00:27:17,939
supposed to work flawlessly so how
602
00:27:14,549 --> 00:27:21,289
it works the workflow from
603
00:27:17,939 --> 00:27:25,169
this new device well the idea is that
604
00:27:21,289 --> 00:27:28,049
the attacker sends an SMS so in some
605
00:27:25,169 --> 00:27:30,389
way WHID Elite was connected to the
606
00:27:28,049 --> 00:27:33,299
target machine of course so it sends an
607
00:27:30,389 --> 00:27:36,629
SMS like do air-gap whoami
608
00:27:33,299 --> 00:27:38,969
WHID Elite takes the command injects makes a
609
00:27:36,629 --> 00:27:41,309
keystroke injection into the target
610
00:27:38,969 --> 00:27:42,689
so in this case like that PowerShell
611
00:27:41,309 --> 00:27:47,009
script I showed you before would be the
612
00:27:42,689 --> 00:27:50,489
injected almost similar code with
613
00:27:47,009 --> 00:27:54,029
whoami command in it WHID Elite waits
614
00:27:50,489 --> 00:27:57,749
for the answer back of Who am I output
615
00:27:54,029 --> 00:28:01,199
takes the output in this case contoso
616
00:27:57,749 --> 00:28:02,999
all each and sends back through SMS to
617
00:28:01,199 --> 00:28:04,379
the attacker that can be potentially on
618
00:28:02,999 --> 00:28:12,809
the other side of the world because
619
00:28:04,379 --> 00:28:15,059
again WHID Elite weaponizes the plasma
620
00:28:12,809 --> 00:28:23,039
ball and then can ship via FedEx everywhere
621
00:28:15,059 --> 00:28:26,399
around so this is an example what you
622
00:28:23,039 --> 00:28:29,879
will see is a laptop completely again
623
00:28:26,399 --> 00:28:33,329
air-gapped no connection whatsoever and
624
00:28:29,879 --> 00:28:36,329
that keyboard was weaponized with
625
00:28:33,329 --> 00:28:38,789
WHID Elite so as soon as you plug it in it
626
00:28:36,329 --> 00:28:42,029
takes a few seconds to boot up connect
627
00:28:38,789 --> 00:28:44,599
to the 2G network and then it's pretty much
628
00:28:42,029 --> 00:28:44,599
operative
629
00:28:59,529 --> 00:29:05,600
here from the command and control bot from an
630
00:29:02,539 --> 00:29:08,809
SMS you send like whoami in do air gap
631
00:29:05,600 --> 00:29:12,230
mode so we will get back the the output
632
00:29:08,809 --> 00:29:14,360
of that and then this SMS flies you
633
00:29:12,230 --> 00:29:16,610
know goes from the mobile network of the
634
00:29:14,360 --> 00:29:18,498
attacker mobile network to WHID Elite and I
635
00:29:16,610 --> 00:29:21,379
starts the injection takes the output
636
00:29:18,499 --> 00:29:23,389
sends through serial and then WHID Elite
637
00:29:21,379 --> 00:29:27,350
will send the SMS back with as you can
638
00:29:23,389 --> 00:29:29,178
see with whoami output and of
639
00:29:27,350 --> 00:29:31,219
course it's sending also an
640
00:29:29,179 --> 00:29:33,649
acknowledgement about command received
641
00:29:31,220 --> 00:29:37,580
because in case you just want to inject
642
00:29:33,649 --> 00:29:39,830
like a PowerShell Empire stager like you
643
00:29:37,580 --> 00:29:41,809
don't need like output so it just sends
644
00:29:39,830 --> 00:29:44,299
you an acknowledgment that was executing
645
00:29:41,809 --> 00:29:47,480
and here is the classic calculator so as
646
00:29:44,299 --> 00:29:49,190
you can see no output back but just you
647
00:29:47,480 --> 00:29:51,529
know acknowledgement that was executed
648
00:29:49,190 --> 00:29:55,669
just to be sure that you know it was
649
00:29:51,529 --> 00:29:58,129
received and executed another thing I
650
00:29:55,669 --> 00:29:59,990
added well since we have a GSM or anyway
651
00:29:58,129 --> 00:30:02,090
mobile network baseband we have
652
00:29:59,990 --> 00:30:03,710
microphone capabilities so I thought
653
00:30:02,090 --> 00:30:06,168
yeah why not
654
00:30:03,710 --> 00:30:10,279
acoustic surveillance so by adding a
655
00:30:06,169 --> 00:30:12,919
microphone we can easily like stand like
656
00:30:10,279 --> 00:30:14,899
make a call send the number of the
657
00:30:12,919 --> 00:30:17,389
attacker or anyone that want to be
658
00:30:14,899 --> 00:30:20,299
called from WHID Elite WHID Elite will
659
00:30:17,389 --> 00:30:23,600
receive the command start enable the
660
00:30:20,299 --> 00:30:25,759
microphone and then start the acoustic
661
00:30:23,600 --> 00:30:27,799
surveillance by calling back the
662
00:30:25,759 --> 00:30:31,029
attacker-controlled number so you will be
663
00:30:27,799 --> 00:30:33,619
able also to listen to conversations around
664
00:30:31,029 --> 00:30:35,450
that's not enough I was not satisfied
665
00:30:33,619 --> 00:30:39,019
enough about the capabilities so I
666
00:30:35,450 --> 00:30:42,289
wanted to add also an nRF24L01 chipset
667
00:30:39,019 --> 00:30:44,299
and what it does well most of you most
668
00:30:42,289 --> 00:30:48,220
likely heard about you know Crazyradio
669
00:30:44,299 --> 00:30:51,918
the ones that love to use drones
670
00:30:48,220 --> 00:30:54,350
you know you can use with drone hacking
671
00:30:51,919 --> 00:30:56,330
and in this case MouseJacking wireless
672
00:30:54,350 --> 00:30:59,899
keyboards and mice and I will show you
673
00:30:56,330 --> 00:31:03,259
now what it means so imagine like that
674
00:30:59,899 --> 00:31:05,510
you manage to WHID Elite gets
675
00:31:03,259 --> 00:31:09,400
attached to a victim
676
00:31:05,510 --> 00:31:15,129
and then you want to hunt for is click
677
00:31:09,400 --> 00:31:15,130
wireless keyboards or mice in this case
678
00:31:19,270 --> 00:31:32,360
the usual calculator proof that we can
679
00:31:23,120 --> 00:31:35,840
send and receive back information and
680
00:31:32,360 --> 00:31:41,000
here the payload well in this case
681
00:31:35,840 --> 00:31:42,709
after do mousejack right now yeah I
682
00:31:41,000 --> 00:31:45,770
wrote foobar doesn't matter what you
683
00:31:42,710 --> 00:31:48,410
write in the final release it will be like
684
00:31:45,770 --> 00:31:49,549
a number of channel hops or seconds
685
00:31:48,410 --> 00:31:53,530
doesn't matter
686
00:31:49,549 --> 00:31:56,660
and now we start to scan so imagine like
687
00:31:53,530 --> 00:31:59,360
another target with another machine is
688
00:31:56,660 --> 00:32:01,850
using the mouse or the keyboard
689
00:31:59,360 --> 00:32:06,049
and generates traffic so in this case
690
00:32:01,850 --> 00:32:08,659
WHID Elite sees the traffic follows the
691
00:32:06,049 --> 00:32:12,168
hopping and then injects keystrokes
692
00:32:08,660 --> 00:32:14,330
so again I try to inject keystrokes and
693
00:32:12,169 --> 00:32:16,460
succeeded in this case for proof of
694
00:32:14,330 --> 00:32:18,470
concept I use the same laptop but the
695
00:32:16,460 --> 00:32:22,400
wireless keyboard should be connected to
696
00:32:18,470 --> 00:32:25,130
another victim of course another thing
697
00:32:22,400 --> 00:32:28,160
I'm working on is a hybrid command
698
00:32:25,130 --> 00:32:31,490
control so not only SMS based but because
699
00:32:28,160 --> 00:32:33,760
SMS has the 140 character limitation for
700
00:32:31,490 --> 00:32:37,429
SMS so you know exfiltrating later
701
00:32:33,760 --> 00:32:40,669
it's not that you know reliable so the
702
00:32:37,429 --> 00:32:44,270
idea is attacker sends an SMS like whoami
703
00:32:40,669 --> 00:32:46,790
WHID Elite injects the payload gets
704
00:32:44,270 --> 00:32:49,370
back the output and instead of sending
705
00:32:46,790 --> 00:32:52,040
back an SMS it's uploading through HTTP
706
00:32:49,370 --> 00:32:54,320
making an HTTP POST to a server
707
00:32:52,040 --> 00:32:56,059
controlled by the attacker and then
708
00:32:54,320 --> 00:32:58,040
sends an acknowledgment to the attacker
709
00:32:56,059 --> 00:33:00,260
through SMS again and then the attacker knows
710
00:32:58,040 --> 00:33:02,210
that he just needs to visit the exfil
711
00:33:00,260 --> 00:33:04,850
txt and will be able to get like
712
00:33:02,210 --> 00:33:07,790
Mimikatz output instead of you
713
00:33:04,850 --> 00:33:10,639
know something else another thing I'm
714
00:33:07,790 --> 00:33:14,360
working on is the WHID mobile connector
715
00:33:10,640 --> 00:33:16,280
because someone said connecting every
716
00:33:14,360 --> 00:33:17,860
time to the Wi-Fi access point visiting
717
00:33:16,280 --> 00:33:21,610
a web browser is annoying
718
00:33:17,860 --> 00:33:23,590
so this is what I'm going to work on what
719
00:33:21,610 --> 00:33:26,559
I'm going to release next is a config
720
00:33:23,590 --> 00:33:28,120
you will be able to once you set it the first
721
00:33:26,559 --> 00:33:29,799
time we'll be able to auto connect to
722
00:33:28,120 --> 00:33:31,600
the access point so you don't need as
723
00:33:29,799 --> 00:33:35,379
soon as you open the app it will
724
00:33:31,600 --> 00:33:37,600
connect and then the most important
725
00:33:35,380 --> 00:33:40,720
thing is that the payloads
726
00:33:37,600 --> 00:33:42,879
will not be stored on the ESP device the
727
00:33:40,720 --> 00:33:45,340
the WHID Injector they will be stored on the
728
00:33:42,880 --> 00:33:47,320
mobile app so we'll be a pain in the ass
729
00:33:45,340 --> 00:33:50,080
from blue teaming point of view how to
730
00:33:47,320 --> 00:33:52,120
retrieve those payloads that will not be
731
00:33:50,080 --> 00:33:54,309
stored anymore there another thing as I
732
00:33:52,120 --> 00:33:57,549
said I mentioned before I would like to
733
00:33:54,309 --> 00:33:59,470
bring karma attacks to the ESP chipset
734
00:33:57,549 --> 00:34:01,690
so in that case in this case will be not
735
00:33:59,470 --> 00:34:04,030
only a Rubber Ducky on steroids but a
736
00:34:01,690 --> 00:34:05,710
little brother of Wi-Fi Pineapple which
737
00:34:04,030 --> 00:34:08,739
is always good because the hardware is
738
00:34:05,710 --> 00:34:13,750
the same that you already have short
739
00:34:08,739 --> 00:34:15,459
brief discussion about P4wnP1 this is
740
00:34:13,750 --> 00:34:17,949
the main feature bypass air-gapped
741
00:34:15,460 --> 00:34:20,350
environment as we saw before Windows 10
742
00:34:17,949 --> 00:34:22,330
Lockpicker and Wi-Fi covert channel the
743
00:34:20,350 --> 00:34:23,368
Wi-Fi covert channel is the best feature
744
00:34:22,330 --> 00:34:26,949
I love it
745
00:34:23,369 --> 00:34:29,919
practically enables the keystroke
746
00:34:26,949 --> 00:34:32,350
injection bringing up the USB HID tunnel
747
00:34:29,918 --> 00:34:35,589
the same HID raw tunnel USaBUSe
748
00:34:32,350 --> 00:34:38,379
did then delivers a .NET library client
749
00:34:35,590 --> 00:34:43,000
via well the HID tunnel into
750
00:34:38,379 --> 00:34:46,089
memory and invokes its .NET library from
751
00:34:43,000 --> 00:34:48,600
PowerShell and then it's done
752
00:34:46,090 --> 00:34:52,450
the attacker needs to remove the P4wnP1
753
00:34:48,600 --> 00:34:55,359
walk away and then the machine the
754
00:34:52,449 --> 00:34:57,279
target machine will try to connect to
755
00:34:55,359 --> 00:35:00,029
the command and control server of the
756
00:34:57,280 --> 00:35:03,430
attacker within the P4wnP1 and then
757
00:35:00,030 --> 00:35:05,500
everything will be done in a hidden
758
00:35:03,430 --> 00:35:07,779
channel through the probe request of a
759
00:35:05,500 --> 00:35:09,820
Wi-Fi chipset of the target of the
760
00:35:07,780 --> 00:35:11,890
victim so in that case the victim will
761
00:35:09,820 --> 00:35:14,470
not need to connect physically
762
00:35:11,890 --> 00:35:16,330
to the P4wnP1 access point but it will be
763
00:35:14,470 --> 00:35:18,279
all probe requests so the victim
764
00:35:16,330 --> 00:35:21,549
will not notice anything here are some
765
00:35:18,280 --> 00:35:24,130
videos that I'm showing you but really
766
00:35:21,550 --> 00:35:26,110
cool thing developed by Marcus there are
767
00:35:24,130 --> 00:35:28,720
two operational modes of
768
00:35:26,110 --> 00:35:30,490
P4wnP1 on premises so the attacker
769
00:35:28,720 --> 00:35:33,640
connects outside the building outside
770
00:35:30,490 --> 00:35:35,529
the room to P4wnP1 or otherwise P4wnP1
771
00:35:33,640 --> 00:35:38,020
can call home as you can see here is one
772
00:35:35,530 --> 00:35:42,700
module I added to the Raspberry Pi with
773
00:35:38,020 --> 00:35:44,500
a GSM cheap baseband which can call
774
00:35:42,700 --> 00:35:46,359
home to your command and control server
775
00:35:44,500 --> 00:35:50,200
wherever it is so you don't need even
776
00:35:46,360 --> 00:35:54,580
close access to the building here a very
777
00:35:50,200 --> 00:35:56,500
short demo how it works P4wnP1 is in
778
00:35:54,580 --> 00:36:01,020
this case again air-gapped environment
779
00:35:56,500 --> 00:36:04,000
fully protected P4wnP1 got connected
780
00:36:01,020 --> 00:36:06,030
and now the attacker connects to the
781
00:36:04,000 --> 00:36:06,030
network
782
00:36:16,010 --> 00:36:21,050
okay the attacker is connected to the
783
00:36:18,350 --> 00:36:23,868
P4wnP1 network Wi-Fi network and then
784
00:36:21,050 --> 00:36:33,859
fires the first stage which is a
785
00:36:23,869 --> 00:36:40,420
PowerShell script and then it fires the
786
00:36:33,859 --> 00:36:45,080
second stage called shell boom
787
00:36:40,420 --> 00:36:47,720
full usual shell remotely connected to
788
00:36:45,080 --> 00:36:49,190
an air-gapped environment so we didn't
789
00:36:47,720 --> 00:36:51,618
need this air-gapped environment
790
00:36:49,190 --> 00:36:56,740
doesn't even have Wi-Fi network
791
00:36:51,619 --> 00:36:59,780
enabled so full remote shell like that
792
00:36:56,740 --> 00:37:02,240
these are some other mods around
793
00:36:59,780 --> 00:37:05,720
available if you like to play with
794
00:37:02,240 --> 00:37:07,520
electronics really cool some mitigations
795
00:37:05,720 --> 00:37:10,580
well the most important is don't trust
796
00:37:07,520 --> 00:37:13,640
unknown USB devices ever if you want
797
00:37:10,580 --> 00:37:16,819
really to trust them just use a USB
798
00:37:13,640 --> 00:37:18,830
condom so just you can buy it like
799
00:37:16,820 --> 00:37:25,000
SyncStop or you can make it just
800
00:37:18,830 --> 00:37:27,710
cut off the data wires of the USB cable
801
00:37:25,000 --> 00:37:29,420
other kinds of mitigations well here I
802
00:37:27,710 --> 00:37:31,490
suggest you to take a photo check out
803
00:37:29,420 --> 00:37:34,130
the video later it's practically what you
804
00:37:31,490 --> 00:37:36,350
do you use udev rules to restrict access
805
00:37:34,130 --> 00:37:39,170
to restrict the creation of new
806
00:37:36,350 --> 00:37:42,290
registration of new devices on Linux or
807
00:37:39,170 --> 00:37:45,140
if you're lazy you can already use open
808
00:37:42,290 --> 00:37:47,540
source tools to achieve the same idea
809
00:37:45,140 --> 00:37:50,540
for Windows there are open source tools
810
00:37:47,540 --> 00:37:52,700
as well I like DuckHunt because of its four
811
00:37:50,540 --> 00:37:55,130
different operational modes so depending
812
00:37:52,700 --> 00:37:57,529
on what you want to achieve you can be
813
00:37:55,130 --> 00:37:59,960
super paranoid or just log any new
814
00:37:57,530 --> 00:38:03,140
devices connected and here are some
815
00:37:59,960 --> 00:38:05,570
artifacts for blue teamers or incident
816
00:38:03,140 --> 00:38:07,759
responders most likely you
817
00:38:05,570 --> 00:38:10,430
already know most of them these are some
818
00:38:07,760 --> 00:38:13,300
places where you can find like
819
00:38:10,430 --> 00:38:17,089
information about HID devices connected
820
00:38:13,300 --> 00:38:18,740
timestamp and so on VID PID so here
821
00:38:17,090 --> 00:38:21,950
is an example this is the first time
822
00:38:18,740 --> 00:38:24,799
device was plugged in here we have a
823
00:38:21,950 --> 00:38:27,859
tool a freeware tool called USBDeview
824
00:38:24,800 --> 00:38:29,480
which shows last time plugged first time
825
00:38:27,859 --> 00:38:31,850
plugged and actually in here
826
00:38:29,480 --> 00:38:34,400
if you're smart enough as a blue teamer you
827
00:38:31,850 --> 00:38:37,490
can even check sometimes you can spoof
828
00:38:34,400 --> 00:38:40,700
VID and PID but there are other IDs
829
00:38:37,490 --> 00:38:44,270
on a USB device so like firmware version
830
00:38:40,700 --> 00:38:46,970
you know tons of them in descriptors so
831
00:38:44,270 --> 00:38:49,070
if you are a bad attacker you can spoof
832
00:38:46,970 --> 00:38:52,009
VID and PID but you can forget about firmware
833
00:38:49,070 --> 00:38:55,190
version so a forensics guy can use this
834
00:38:52,010 --> 00:39:00,350
kind of logs to check whether what was inserted was a
835
00:38:55,190 --> 00:39:03,980
real HP keyboard or a spoofed one another
836
00:39:00,350 --> 00:39:06,350
thing that we can find on Windows 10 and
837
00:39:03,980 --> 00:39:10,130
Windows since we understand and Windows
838
00:39:06,350 --> 00:39:13,460
2016 Windows Server 2016 is this group
839
00:39:10,130 --> 00:39:15,560
policy well it's this policy Audit PnP
840
00:39:13,460 --> 00:39:17,780
Activity once this policy is enabled
841
00:39:15,560 --> 00:39:19,970
every time you plug in a human
842
00:39:17,780 --> 00:39:24,290
interface device will trigger the event
843
00:39:19,970 --> 00:39:26,450
6416 which is called a new external
844
00:39:24,290 --> 00:39:28,670
device was recognized by the system this
845
00:39:26,450 --> 00:39:31,040
is very good because it's giving a lot
846
00:39:28,670 --> 00:39:34,310
of information like device name class
847
00:39:31,040 --> 00:39:35,660
name VID PID timestamp so it's always
848
00:39:34,310 --> 00:39:38,150
good you know especially if you use
849
00:39:35,660 --> 00:39:40,399
Sysmon Splunk and all these you
850
00:39:38,150 --> 00:39:43,550
know detection system even you know
851
00:39:40,400 --> 00:39:45,320
remote handling sending remotely
852
00:39:43,550 --> 00:39:47,330
this event log is very good for
853
00:39:45,320 --> 00:39:50,030
detection of course you can also do
854
00:39:47,330 --> 00:39:51,980
advanced forensics like a very simple
855
00:39:50,030 --> 00:39:55,820
thing imagine that blue team finds or
856
00:39:51,980 --> 00:39:59,390
get access to one WHID Injector for
857
00:39:55,820 --> 00:40:01,520
example just plug it in a in a Linux
858
00:39:59,390 --> 00:40:06,140
machine and just by using the default
859
00:40:01,520 --> 00:40:09,470
esptool yeah you can dump the
860
00:40:06,140 --> 00:40:11,390
image of the ESP and then you
861
00:40:09,470 --> 00:40:13,759
just need to run strings not even you
862
00:40:11,390 --> 00:40:15,319
know IDA stuff like that and you can
863
00:40:13,760 --> 00:40:17,600
find exactly what was stored in this
864
00:40:15,320 --> 00:40:20,890
case it was the ESPortal credential
865
00:40:17,600 --> 00:40:23,118
harvester that you know the attacker
866
00:40:20,890 --> 00:40:25,640
successfully retrieved information from
867
00:40:23,119 --> 00:40:27,380
a poor guy that fell victim and then
868
00:40:25,640 --> 00:40:28,819
you can even see
869
00:40:27,380 --> 00:40:31,990
attackers information like
870
00:40:28,820 --> 00:40:34,250
SSID password in this case our default
871
00:40:31,990 --> 00:40:36,259
credentials but imagine like an attacker
872
00:40:34,250 --> 00:40:38,660
that changed them and you know fails at
873
00:40:36,260 --> 00:40:41,570
OPSEC and maybe you can correlate by
874
00:40:38,660 --> 00:40:42,089
using OSINT by finding you know
875
00:40:41,570 --> 00:40:44,160
maybe
876
00:40:42,090 --> 00:40:45,930
you will figure out who was the
877
00:40:44,160 --> 00:40:48,660
attacker of course you can also dump
878
00:40:45,930 --> 00:40:50,549
Arduino firmware it's an AVR controller so you
879
00:40:48,660 --> 00:40:53,520
just need to dump the firmware and then try
880
00:40:50,550 --> 00:40:55,680
to reverse-engineer it with radare so a
881
00:40:53,520 --> 00:40:57,780
bit harder than using strings and esptool
882
00:40:55,680 --> 00:41:02,069
to dump the image from ESP but
883
00:40:57,780 --> 00:41:05,550
still not the path well here some
884
00:41:02,070 --> 00:41:07,860
resources and I guess I'm pretty much
885
00:41:05,550 --> 00:41:11,720
done I don't know if I have two minutes
886
00:41:07,860 --> 00:41:11,720
for questions
887
00:41:16,380 --> 00:41:25,359
five minutes we have five minutes anyone
888
00:41:19,690 --> 00:41:27,540
has questions I don't see one right
889
00:41:25,359 --> 00:41:27,540
there
890
00:41:33,880 --> 00:41:38,770
is there any way to detect the user
891
00:41:36,430 --> 00:41:40,690
activity to avoid launching scripts when
892
00:41:38,770 --> 00:41:42,220
he's in front of the screen or typing on
893
00:41:40,690 --> 00:41:45,460
his keyboard or moving his mouse for
894
00:41:42,220 --> 00:41:47,439
example I heard just half of it is there
895
00:41:45,460 --> 00:41:50,050
any user activity is there any way to
896
00:41:47,440 --> 00:41:51,820
detect that the user is active to avoid
897
00:41:50,050 --> 00:41:55,960
launching stuff on the screen while he
898
00:41:51,820 --> 00:41:59,530
is in front of it so you're asking if
899
00:41:55,960 --> 00:42:02,680
the the user can detect the activity or
900
00:41:59,530 --> 00:42:05,980
wait because oh well in your demos we
901
00:42:02,680 --> 00:42:11,649
can see that the device is opening to
902
00:42:05,980 --> 00:42:13,600
execute and then there are some actually
903
00:42:11,650 --> 00:42:16,690
for example in PowerShell there are two
904
00:42:13,600 --> 00:42:18,790
lines of code that what they do is for
905
00:42:16,690 --> 00:42:20,860
example one line makes the background
906
00:42:18,790 --> 00:42:24,340
color the same color of the font and
907
00:42:20,860 --> 00:42:28,120
then another line takes down the entire
908
00:42:24,340 --> 00:42:30,790
window choose matter of one most two
909
00:42:28,120 --> 00:42:33,130
seconds so usually that's the difference
910
00:42:30,790 --> 00:42:36,580
between rubber ducky and WHID Injector
911
00:42:33,130 --> 00:42:38,830
or P4wnP1 in this case what what type of
912
00:42:36,580 --> 00:42:41,140
do is usually I don't care about these
913
00:42:38,830 --> 00:42:42,670
two seconds three seconds of of activity
914
00:42:41,140 --> 00:42:45,310
because the user is already compromised
915
00:42:42,670 --> 00:42:46,750
that yeah I mean afterwards of course if
916
00:42:45,310 --> 00:42:48,970
the user is smart enough and sees
917
00:42:46,750 --> 00:42:52,420
something flashing around will call the
918
00:42:48,970 --> 00:42:54,700
blue team usually I triggered when they
919
00:42:52,420 --> 00:42:57,730
I know that the victim is around so
920
00:42:54,700 --> 00:42:59,830
imagine a receptionist so I call the
921
00:42:57,730 --> 00:43:01,750
receptionist and then I trigger when you
922
00:42:59,830 --> 00:43:03,880
know she's not looking at the monitor so
923
00:43:01,750 --> 00:43:06,250
in that way you but yeah of course I
924
00:43:03,880 --> 00:43:08,920
mean this kind of attacks relies on the
925
00:43:06,250 --> 00:43:11,350
fact that you know can be detected and
926
00:43:08,920 --> 00:43:13,690
not saying that are undetectable though
927
00:43:11,350 --> 00:43:17,290
it can be reused can be used this trick
928
00:43:13,690 --> 00:43:19,540
of you know background and font color
929
00:43:17,290 --> 00:43:21,970
the same and are reducing after a few
930
00:43:19,540 --> 00:43:24,580
second for example in P4wnP1 the
931
00:43:21,970 --> 00:43:29,819
video I showed you was what two seconds
932
00:43:24,580 --> 00:43:29,819
the first stage let me check
933
00:43:30,600 --> 00:43:34,860
so yeah it is possible
934
00:43:39,490 --> 00:43:54,618
you you can can your name doll D okay
935
00:43:46,210 --> 00:43:57,020
okay look now one two three three
936
00:43:54,619 --> 00:44:00,290
seconds it can be improved this is the
937
00:43:57,020 --> 00:44:02,420
default one so yeah of course can be
938
00:44:00,290 --> 00:44:04,610
detected I'm not saying that you know if
939
00:44:02,420 --> 00:44:09,410
you if you are fast enough and you're I
940
00:44:04,610 --> 00:44:12,320
mean I bet that HR and play is I mean
941
00:44:09,410 --> 00:44:14,149
because we are IT security guys so if
942
00:44:12,320 --> 00:44:16,190
you see something like flashing you
943
00:44:14,150 --> 00:44:23,380
immediately raise an alert but usually
944
00:44:16,190 --> 00:44:23,380
them is like thank you thank you yes I
945
00:44:27,730 --> 00:44:34,790
thank you for the presentation
946
00:44:29,990 --> 00:44:38,240
I like to complete the question of my
947
00:44:34,790 --> 00:44:39,980
friend over there because you do stealth
948
00:44:38,240 --> 00:44:43,100
is one point but the other point is that
949
00:44:39,980 --> 00:44:46,670
the user has to stop using any hid
950
00:44:43,100 --> 00:44:50,000
device during the script injection so in
951
00:44:46,670 --> 00:44:52,820
fact is not only stopping not noticing
952
00:44:50,000 --> 00:44:54,740
something is happening you have to stop
953
00:44:52,820 --> 00:45:00,770
using your your computer
954
00:44:54,740 --> 00:45:04,520
in fact overlapping it might be an issue
955
00:45:00,770 --> 00:45:08,480
but yes I said usually I tend to
956
00:45:04,520 --> 00:45:10,400
remotely inject when I know that for
957
00:45:08,480 --> 00:45:12,560
example us abuse is using the trick of
958
00:45:10,400 --> 00:45:14,750
the screensaver killer so in that way is
959
00:45:12,560 --> 00:45:16,310
attacking the the the attacker will
960
00:45:14,750 --> 00:45:19,940
trigger it when he knows that the guy is
961
00:45:16,310 --> 00:45:22,130
not around yes there are some means like
962
00:45:19,940 --> 00:45:24,290
for example if you are into hardware
963
00:45:22,130 --> 00:45:27,320
hacking you can add like a photoresistor
964
00:45:24,290 --> 00:45:29,090
the photoresistor will detect like
965
00:45:27,320 --> 00:45:31,670
for example if you weaponize a mouse and
966
00:45:29,090 --> 00:45:34,190
you have the photoresistor and you can
967
00:45:31,670 --> 00:45:35,930
use that matrix so you know
968
00:45:34,190 --> 00:45:38,300
photoresistor you know the light is
969
00:45:35,930 --> 00:45:42,020
changing the value so you can use that
970
00:45:38,300 --> 00:45:46,010
as a metric to see if the guy is around
971
00:45:42,020 --> 00:45:49,430
or not so that can be a way yeah can I
972
00:45:46,010 --> 00:45:52,220
just complete another question maybe are
973
00:45:49,430 --> 00:45:55,368
you planning to work on a dynamic VID
974
00:45:52,220 --> 00:45:57,859
PID spoofing because I see that in
975
00:45:55,369 --> 00:46:02,090
that way you have to somehow compile the
976
00:45:57,859 --> 00:46:05,240
firmware with the VID and PID yeah I
977
00:46:02,090 --> 00:46:08,570
understand the thing the thing that VID
978
00:46:05,240 --> 00:46:11,240
and PID spoofing was mainly for
979
00:46:08,570 --> 00:46:13,940
engagements where you have the Recon
980
00:46:11,240 --> 00:46:16,669
phase available so you walk around the
981
00:46:13,940 --> 00:46:19,609
building and you see a lot of you know
982
00:46:16,670 --> 00:46:22,490
standard Lenovo keyboards so you go back
983
00:46:19,609 --> 00:46:25,069
to your company office wherever and then
984
00:46:22,490 --> 00:46:29,598
you buy the Lenovo and weaponize it and
985
00:46:25,070 --> 00:46:32,140
then you manually from a myriad flash
986
00:46:29,599 --> 00:46:34,910
the firmware with spoofing ad ad ad
987
00:46:32,140 --> 00:46:38,029
dynamically the dynamic VID and PID
988
00:46:34,910 --> 00:46:40,970
spoofing could be doable because rubber
989
00:46:38,030 --> 00:46:43,430
ducky is doing that from input the the
990
00:46:40,970 --> 00:46:44,419
that file in the SD card and is doing
991
00:46:43,430 --> 00:46:45,980
that from that side
992
00:46:44,420 --> 00:46:49,040
I never investigated that I can
993
00:46:45,980 --> 00:46:51,500
investigate I will yeah I can put it as an
994
00:46:49,040 --> 00:46:57,369
announcement in github thank you thank
995
00:46:51,500 --> 00:46:57,369
you thank you
996
00:46:57,440 --> 00:47:00,920
[Applause]