Skip to main content

Teensy as a Metasploit Attack Vector


Recently I was playing with the Teensy www.pjrc.com/teensy and I wanted to test it as a Metasploit exploit/payload attack vector.  The Social Engineering Toolkit (SET) in Metasploit exploit/payload sounded like the perfect thing to try.  I followed the instructions at www.offensive-security.com/metasploit-unleashed/SET_Teensy_USB_HID_Attack and they worked almost flawlessly.  A couple of hints I'd give are:
1) Update SET prior to starting.  Simply use the menu, or do a 'svn update' from the SET directory
2) I was surprised when SET didn't ask me for my IP address.  I RTFM, and I noticed that the AUTO_DETECT in the set_config file was set to ON, which means that it automatically gave the payload the IP address of my Ethernet address.  So remember to change this if you want to get through a NAT or something.

For my Teensy, I selected:
WSCRIPT HTTP GET MSF Payload
WINDOWS REVERSE_TCP_METERPRETER
BACKDOOR EXECUTABLE
PORT

Then SET made a exploit/payload image, and I uploaded it to the Teensy.  The instructions at the URL above show a "Teensy 2.0 (USB Keyboard/Mouse)" option under Boards, and I didn't have that. But I had a Keyboard option under USB, and the Teensy 2.0 under Boards, and when I selected both of these, the SET image compiled just fine.

I uploaded it to the Teensy, and put it in a victim box.  The Teensy was recognized as a Teensy USB Keyboard, installed the keyboard drivers, and started popping up screens galore... notepad files, command prompts, and about 15 Start->Run Windows that it filled in with various text and executed, and the whole process takes about 15 seconds!  Then it errored out on an C:\x.exe file, saying that Windows couldn't find it.  What was worse, MS Security Essentials detected a backdoor in System32, and killed the exploit process by stopping it from executing (why the aforementioned c:\x.exe error occurred).  I guess the Teensy doesn't slip past AV very well.  Good to know.  So I uninstalled Security Essentials, rebooted, and tried again.  This was awarded with a Meterpreter session on my attack platform! 

My take away from this endeavor is that while the Teensy may be useful to pwn a system that you may have physical access to, it pops up so many windows that there is no way that you could social engineer it and hand it to someone and have them sit through all the windows while it infects their system... they'd unplug it and run to their IT shop for help.   So I put this in my toolbox as a quick way to install a backdoor myself, keeping in mind the AV hit potential.  

Comments

Popular posts from this blog

atftpd vs tftpd-hpa

Recently I was trying to tftp files from a Windows computer to a Kali box.   One version of Windows worked, but another didn't.    After much troubleshooting, here were my symptoms:

I could tftp a file from-to any Kali box from-to another Kali box
I could NOT tftp files to a specific Windows 7 box from any Kali box
I could NOT tftp files to a Chrooted-Ubuntu-Chromebook box from a Kali box

After MUCH troubleshooting, going through every setting in atftpd, it seemed like it literally was a client OS problem.  Different clients simply would not download files---unacceptable.

Thus, I switched to tftpd-hpa.   To install:
apt-get install tftpd-hpa

files go to/come from /srv/tftp, but it needs to be a tftp user. Thus, I needed to:
chroot -R /srv/tftp

Also, if you want to be able to put files ON the tftp server (from a client), you need to modify /etc/default/tftpd-hpa:
change "TFTP_OPTIONS="--secure" to "TFTP_OPTIONS="--secure --create"

I also changed the IP li…

ADS-B plotting with Kali (and other SDR goodies)

Recently I wanted to try some Software Defined Radio stuff.   
I had a RTL-SDR, FM+DAB, DVB-T USB Stick Set with RTL2832U & R820T. that I got from: http://www.amazon.com/gp/product/B00C37AZXK/ref=oh_details_o04_s00_i00?ie=UTF8&psc=1
But, even though this dongle would break out FM radio stations, and ATC frequencies (like the local Ground Control, tower, and even ATIS), which was cool, it wouldn't break out ADS-B.   
Thus, I bought a Vantech Green Mini RTL2832U R820T DVB-T SDR DAB FM USB DIGITAL TV Tuner Receiver RTL-SDR Project + DAB dongle Tuner MCX Input from Amazon, and tried this.  
This dongle was able to listen to the 1090MHz frequency required for ADS-B (as it goes from 25MHz to 1700MHz).  There were tons of Windows programs out there for breaking out and plotting ADS-B Mode S broadcasts, but not many for Linux.  
For Kali Linux, here's how I got it running and plotting planes around my home:
0) before you start, you should do an apt-get update to ensure you hav…

Temper Temperature monitor on a Beaglebone Black

Beaglebone Black as a temperature monitor:

Recently I wanted to monitor the temperature of my shed.  I thought I'd use a small computer such as a Raspberry Pi or a Beaglebone or Odroid.

My Raspberry Pi boxes were all in use, so I grabbed my Beaglebone, which was doing nothing.

I flashed it with the Debian9.32018-03-054GB SDIoTimage, but that seemed like it was running lots of bloatware and the ethernet interface wouldn't take a static IP with /etc/network/interfaces.

So I went with the Debian9.32018-01-284GB SDLXQTi image instead.  I still had the same problem, that lots of junk was running, and I couldn't configure my interface by modifying /etc/network/interfaces

So my first step was to get rid of all the bloatware.  If you're using a Raspberry Pi or something, you can skip this and just go to the second step below

STEP 1--Remove Blotatware from Beaglebone Black:

With some searching, I came across this post:
https://www.linuxquestions.org/questions/linux-newbie-8/inte…