How to catch USB Rubber Duckies on your computer with USBRip «Null Byte :: WonderHowTo



Given a few unattended minutes and physical access, a hacker with a USB Rubber Ducky can break into even a well-secured computer. Such attacks often go undetected unless you use a tool such as USBRip, which can give you assurance that your device has not been compromised.

Although it may be difficult to know whether your device was tampered with in the past, enabling the right logging makes it easier to determine when a suspicious device was plugged into a port. USBRip cannot look through old system logs to recover past events, but it can keep a record of everything that happens after it is installed, so that you can catch an attack in the future.

What are HID attacks?

A human interface device, or HID, is a device a person uses to control a computer; keyboards and mice are the most prominent examples. HIDs have elevated privileges compared to a program or script because the operating system assumes that commands coming from an HID come from a person authorized to use the computer.

Hackers have created tools such as the USB Rubber Ducky, which exploits the inherent trust between a computer and an HID. While a USB Rubber Ducky looks like a standard flash drive, it acts as a keyboard that can inject pre-recorded keystrokes and commands at blazing speed.

The kinds of attacks hackers have carried out with a USB Rubber Ducky, Digispark and similar tools are far-reaching; they range from installing a backdoor on macOS and Windows computers to sending an email containing a screenshot of all the user data stored in Firefox.

Detecting the Ducky

Because the computer believes the USB Rubber Ducky is just another keyboard, it will immediately execute the Ducky's commands without giving the target any visible warning that they have been compromised. As long as the Ducky Script is careful to clean up after itself, by closing every window it opened, erasing the terminal history and leaving the computer in the same state the target left it in, an attack can go completely unnoticed.

That does not mean it is impossible to prevent or detect this type of attack. There are some tools, such as DuckHunter, that aim to limit the impact of HID attacks by watching for suspicious behavior, such as keystrokes that arrive too quickly to have been typed by a human. Although the DuckHunter project has not been updated since 2017, there is another tool that can provide evidence of an HID attack and that is both actively and currently maintained.

USBRip uses system logs to display a complete history of every USB device that was connected to a Linux computer. Although an attacker might delete these logs as part of their cleanup process, they are much less likely to have done so than to have carried out more critical and time-consuming cleanup steps, such as removing direct proof of access to the computer. Even better, since the USB Rubber Ducky and Digispark are both made by specific manufacturers, USBRip can search the logs for devices with suspicious fingerprints.

What You Need

USBRip is written in Python, which is platform-independent, so USBRip should run on most Linux systems. Because it mainly parses Linux system logs, it currently only works on Linux. We use Kali Linux for this guide, but watch our video for the steps on another system.

Ensure that your system is fully updated and upgraded with the apt update and apt upgrade commands, then make sure Python is installed by running python in a terminal window. If you get an interactive Python shell, you have everything you need and can type quit() to close it. Otherwise, you can install Python by running apt install python.

  ~# python

Python 2.7.16 (default, Apr 6 2019, 01:42:57)
[GCC 8.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.

>>> quit()

I would also recommend installing Python 3:

  ~# apt install python3-venv p7zip-full -y

Reading package lists... Done
Building dependency tree
Reading state information... Done
p7zip-full is already the newest version (16.02+dfsg-7).
python3-venv is already the newest version (3.7.5-3).
The following packages were automatically installed and are no longer required:
dh-python libdouble-conversion1 liblinear3
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 1853 not upgraded.

Step 1: Reconfigure some Linux files

To let USBRip parse the system logs correctly, we must configure a few files under /etc. First we have to remove a line from the /etc/rsyslog.conf file. If you ever want to remove USBRip and restore your computer to its original state, it is easier to simply comment that line out rather than delete it.

Use a terminal window to open the rsyslog.conf file with your favorite text editor. It is located in your /etc folder, and you can edit the file straight away. In our case we use nano, so run nano /etc/rsyslog.conf and the file will open. If you are not root, use sudo with this and many of the other commands in the guide below.

  ~# nano /etc/rsyslog.conf

Find the $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat line in the global directives section and comment it out by placing a # in front of it. That part should now look something like this:

  #### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640

Now save and close the file. Be careful not to change the file name. Having disabled the old format our computer used for system logs, we now have to replace it with the format USBRip can use. Enter the command below in the same terminal window.

  ~# echo '$ActionFileDefaultTemplate RSYSLOG_FileFormat' | tee /etc/rsyslog.d/usbrip.conf

$ActionFileDefaultTemplate RSYSLOG_FileFormat

That creates a new .conf file that rsyslog will pick up, setting the log format USBRip expects. Next, we must delete the existing system logs, which are in the wrong format. We can do that with the following command:

  ~# rm -f /var/log/syslog* /var/log/messages*

Finally, we must restart rsyslog with the command below. Once that is done, we can move on to installing the program.

  ~# systemctl restart rsyslog

Step 2: Install USBRip

Now that the system files are configured correctly, we can install USBRip. Start by navigating to a folder of your choice in a terminal window and cloning the git repository with the following command:

  ~# git clone https://github.com/snovvcrash/usbrip.git

Cloning into 'usbrip'...
remote: Enumerating objects: 130, done.
remote: Counting objects: 100% (130/130), done.
remote: Compressing objects: 100% (89/89), done.
remote: Total 1266 (delta 70), reused 77 (delta 39), pack-reused 1136
Receiving objects: 100% (1266/1266), 1.14 MiB | 4.83 MiB/s, done.
Resolving deltas: 100% (790/790), done.

Then navigate into the cloned folder and install the required Python libraries and dependencies. To do this with pip and the setup.py installer instead, consult our video guide.

  ~# cd usbrip
~/usbrip# chmod +x ./installers/install.sh
~/usbrip# sudo -H ./installers/install.sh -s

>>>> Creating directory: '/opt/usbrip'
>>>> /opt/usbrip already exists. First run:
sudo uninstall.sh --all

Then leave the usbrip folder and open the help page to check what is available.

  ~/usbrip# cd
~# usbrip -h

usage: usbrip [-h] {banner,events,storage,ids} ...

positional arguments:
{banner,events,storage,ids}
banner show tool banner
events work with USB events
storage work with USB event storage
ids work with USB IDs

optional arguments:
-h, --help show this help message and exit

Now we can check that USBRip has been installed correctly by typing usbrip in the terminal and making sure we get the following splash screen.

  ~# usbrip

(usbrip v2.2.1-1 banner: https://github.com/snovvcrash/usbrip)

Usage: /usr/local/bin/usbrip [-h]

When you see that, the installation of USBRip is complete.

Step 3: Search entire USB event history

Now that USBRip is installed, let's look at the history of all USB events that have occurred on our computer. We can do this with the following command:

  ~# usbrip events history

(usbrip v2.2.1-1 banner: https://github.com/snovvcrash/usbrip)

[*] Started on 2020-02-14 17:11:37
[17:11:37] [INFO]   Trying to run journalctl...
[17:11:37] [INFO]   Successfully ran journalctl
[17:11:37] [INFO]   Reading journal output
100% |█████████████████████████████████| 2089/2089 [00:00<00:00, 251208.49line/s]
[?] How would you like your event history list to be generated?

    1. Terminal stdout
    2. JSON-file

[>] Enter the number of your choice (default 1):

It now offers the option to print the USB history to the terminal or save it as a JSON file. For now, let's just view it in the terminal by entering 1.

  [>] Enter the number of your choice (default 1): 1

[17:13:34] [INFO]   Preparing collected events
------------------------------------------------
Connected: 2020-02-14 15:42:48
User: kubuntu
VID: 046d
PID: c52b
Product: USB Receiver
Manufacturer: Logitech
Serial number: ∅
Bus port: 1-1
Disconnected: ∅
------------------------------------------------
[*] Closing on 2020-02-14 17:13:34
[*] Duration: 0:01:57.087803

As you can see above, the list of USB events is limited to the Logitech Bluetooth mouse receiver that I have connected to my laptop.

Unfortunately, since we had to delete all the incorrectly formatted system logs, we can only see the USB event history since we installed USBRip. Despite that limitation, we were able to learn some interesting information about the USB device, such as the time stamps at which it was connected and disconnected (or whether it has ever been disconnected at all).

We can also see the VID and PID, which are the numbers a computer uses to identify a USB device and decide which driver to load. The VID (vendor ID) is assigned by usb.org, and the PID (product ID) is assigned by the manufacturer. We also learn what the device is, the manufacturer's name, and which USB port the device was connected to.
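The kind of log parsing USBRip performs here, written out as an added Python example (this is not USBRip's own code). It assumes syslog lines in the RSYSLOG_FileFormat layout configured in Step 1 and the kernel's standard USB core messages; the sample lines are constructed for the example and reuse the Logitech and Atmel VID/PID pairs that appear in this guide. It also shows why the timestamp template matters: the traditional format carries no year, so a parser cannot place an event on a calendar date from it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of /var/log/syslog lines as rsyslog writes them with
# $ActionFileDefaultTemplate RSYSLOG_FileFormat (RFC 3339 timestamp, year
# included), followed by the kernel's standard USB core messages. The lines
# are made up for this example; the VID/PID pairs are those seen in the guide.
SAMPLE_SYSLOG = """\
2020-02-14T15:42:48.113201+01:00 kubuntu kernel: [  120.551107] usb 1-1: new full-speed USB device number 2 using xhci_hcd
2020-02-14T15:42:48.270014+01:00 kubuntu kernel: [  120.707920] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=24.10
2020-02-14T15:42:48.270019+01:00 kubuntu kernel: [  120.707925] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
2020-02-14T15:42:48.270021+01:00 kubuntu kernel: [  120.707927] usb 1-1: Product: USB Receiver
2020-02-14T15:42:48.270022+01:00 kubuntu kernel: [  120.707928] usb 1-1: Manufacturer: Logitech
2020-02-14T22:38:55.001000+01:00 kubuntu kernel: [25127.438761] usb 1-2: new full-speed USB device number 5 using xhci_hcd
2020-02-14T22:38:55.160000+01:00 kubuntu kernel: [25127.597521] usb 1-2: New USB device found, idVendor=03eb, idProduct=2401, bcdDevice= 1.00
2020-02-14T22:38:55.160010+01:00 kubuntu kernel: [25127.597531] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
2020-02-14T22:38:55.160012+01:00 kubuntu kernel: [25127.597533] usb 1-2: Product: HID Keyboard
2020-02-14T22:38:55.160013+01:00 kubuntu kernel: [25127.597534] usb 1-2: Manufacturer: ATMEL AVR
2020-02-14T22:40:44.520000+01:00 kubuntu kernel: [25236.957312] usb 1-2: USB disconnect, device number 5
"""

# One syslog line: RFC 3339 timestamp, host, "kernel:", dmesg uptime stamp,
# then "usb <port>: <message>". The traditional template ("Feb 14 22:38:55")
# carries no year, which is why Step 1 switched rsyslog to RSYSLOG_FileFormat.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s+(?P<host>\S+)\s+kernel:\s+"
    r"\[[^\]]*\]\s+usb\s+(?P<port>\S+):\s+(?P<msg>.*)$"
)
FOUND_RE = re.compile(r"New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
ATTR_RE = re.compile(r"^(Product|Manufacturer|SerialNumber): (.*)$")
ATTR_FIELD = {"Product": "product", "Manufacturer": "manufacturer", "SerialNumber": "serial"}


@dataclass
class UsbEvent:
    connected: str
    host: str
    port: str
    vid: str
    pid: str
    product: Optional[str] = None
    manufacturer: Optional[str] = None
    serial: Optional[str] = None
    disconnected: Optional[str] = None   # None means the device was never seen leaving


def parse_usb_events(log_text: str) -> list[UsbEvent]:
    """Turn kernel USB messages into one connect/disconnect event per device insertion."""
    events: list[UsbEvent] = []
    open_by_port: dict[str, UsbEvent] = {}   # devices plugged in but not yet removed
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = m["ts"].replace("T", " ")
        port, msg = m["port"], m["msg"]
        found = FOUND_RE.match(msg)
        if found:
            ev = UsbEvent(connected=ts, host=m["host"], port=port, vid=found[1], pid=found[2])
            events.append(ev)
            open_by_port[port] = ev
            continue
        attr = ATTR_RE.match(msg)
        if attr and port in open_by_port:
            # Product / Manufacturer / SerialNumber follow the "found" line for the same port
            setattr(open_by_port[port], ATTR_FIELD[attr[1]], attr[2])
            continue
        if msg.startswith("USB disconnect") and port in open_by_port:
            open_by_port.pop(port).disconnected = ts
    return events


if __name__ == "__main__":
    for ev in parse_usb_events(SAMPLE_SYSLOG):
        print(f"{ev.connected}  port {ev.port}  {ev.vid}:{ev.pid}  "
              f"{ev.manufacturer} / {ev.product}  serial={ev.serial or '∅'}  "
              f"disconnected={ev.disconnected or '∅'}")
```

Feeding it a real /var/log/syslog written with the template from Step 1 gives the same fields USBRip prints above; a device that is still plugged in, like the Logitech receiver, keeps disconnected set to None, which is what the ∅ in USBRip's output means.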

After a few days the number of USB events on your computer starts to pile up, and you will want to condense the list into a more readable format. We can limit the request to the last 20 USB events and format them as a compact table instead of a list.

  ~# usbrip events history -n 20 --table

(usbrip v2.2.1-1 banner: https://github.com/snovvcrash/usbrip)

[*] Started on 2020-02-14 22:18:00
[22:18:00] [INFO]   Trying to run journalctl...
[22:18:00] [INFO]   Successfully ran journalctl
[22:18:00] [INFO]   Reading journal output
100% |█████████████████████████████████| 2095/2095 [00:00<00:00, 364532.95line/s]
[22:18:00] [INFO]   Filtering events
[?] How would you like your event history list to be generated?

    1. Terminal stdout
    2. JSON-file

[>] Enter the number of your choice (default 1): 1

[22:18:02] [INFO]   Preparing collected events
[22:18:02] [INFO]   Representation: table

That should reflect something like this:

  ┌USB-History-Events───┬─────────┬──────┬──────┬──────────────────────────────────┬─────────────────────────────────┬──────────────────────────┬──────┬─────────────────────┐
│ Connected │ User │ VID │ PID │ Product │ Manufacturer │ Serial Number │ Port │ Disconnected │
├─────────────────────┼─────────┼──────┼──────┼──────────────────────────────────┼─────────────────────────────────┼──────────────────────────┼──────┼─────────────────────┤
│ 2020-02-14 17:30:04 │ kubuntu │ 1d6b │ 0002 │ xHCI Host Controller │ Linux 5.0.0-25-generic xhci-hcd │ 0000:00:14.0 │ usb1 │ ∅ │
│ 2020-02-14 18:05:23 │ kubuntu │ 0930 │ 6544 │ DataTraveler 2.0 │ Kingston │ 00241D8CE51BC16029500C03 │ 1-2 │ 2020-02-14 18:07:23 │
│ 2020-02-14 18:22:56 │ kubuntu │ 1c7a │ 0570 │ EgisTec Touch Fingerprint Sensor │ EgisTec │ 000253CD │ 1-6 │ 2020-02-14 18:24:45 │
│ 2020-02-14 18:32:16 │ kubuntu │ 1c7a │ 0570 │ EgisTec Touch Fingerprint Sensor │ EgisTec │ 000253CD │ 1-6 │ ∅ │
│ 2020-02-14 19:59:54 │ kubuntu │ 1d6b │ 0003 │ xHCI Host Controller │ Linux 5.0.0-25-generic xhci-hcd │ 0000:00:14.0 │ usb2 │ ∅ │
│ 2020-02-14 19:59:54 │ kubuntu │ 04ca │ 3016 │ ∅ │ ∅ │ ∅ │ 1-5 │ ∅ │
│ 2020-02-14 19:59:54 │ kubuntu │ 1c7a │ 0570 │ EgisTec Touch Fingerprint Sensor │ EgisTec │ 000253CD │ 1-6 │ ∅ │
│ 2020-02-14 19:59:54 │ kubuntu │ 0bda │ 57f2 │ HD WebCam │ KS0HD050046430866CLM06 │ 200901010001 │ 1-7 │ ∅ │
│ 2020-02-14 19:59:54 │ kubuntu │ 046d │ c52b │ USB Receiver │ Logitech │ ∅ │ 1-1 │ ∅ │
│ 2020-02-14 19:59:54 │ kubuntu │ 1d6b │ 0002 │ xHCI Host Controller │ Linux 5.0.0-25-generic xhci-hcd │ 0000:00:14.0 │ usb1 │ ∅ │
│ 2020-02-14 19:59:54 │ kubuntu │ 0bda │ 0129 │ USB2.0-CRW │ Generic │ 20100201396000000 │ 1-8 │ ∅ │
│ 2020-02-14 20:46:17 │ kubuntu │ 1d6b │ 0003 │ xHCI Host Controller │ Linux 5.0.0-25-generic xhci-hcd │ 0000:00:14.0 │ usb2 │ ∅ │
│ 2020-02-14 20:46:17 │ kubuntu │ 04ca │ 3016 │ ∅ │ ∅ │ ∅ │ 1-5 │ ∅ │
│ 2020-02-14 20:46:17 │ kubuntu │ 1d6b │ 0002 │ xHCI Host Controller │ Linux 5.0.0-25-generic xhci-hcd │ 0000:00:14.0 │ usb1 │ ∅ │
│ 2020-02-14 20:46:17 │ kubuntu │ 046d │ c52b │ USB Receiver │ Logitech │ ∅ │ 1-1 │ 2020-02-14 20:47:22 │
│ 2020-02-14 20:46:17 │ kubuntu │ 1c7a │ 0570 │ EgisTec Touch Fingerprint Sensor │ EgisTec │ 000253CD │ 1-6 │ 2020-02-14 20:48:17 │
│ 2020-02-14 20:46:17 │ kubuntu │ 0bda │ 0129 │ USB2.0-CRW │ Generic │ 20100201396000000 │ 1-8 │ ∅ │
│ 2020-02-14 20:46:17 │ kubuntu │ 0bda │ 57f2 │ HD WebCam │ KS0HD050046430866CLM06 │ 200901010001 │ 1-7 │ ∅ │
│ 2020-02-14 21:00:06 │ kubuntu │ 046d │ c52b │ USB Receiver │ Logitech │ ∅ │ 1-1 │ 2020-02-14 21:04:08 │
│ 2020-02-14 21:20:15 │ kubuntu │ 046d │ c52b │ USB Receiver │ Logitech │ ∅ │ 1-2 │ 2020-02-14 21:40:45 │
└─────────────────────┴─────────┴──────┴──────┴──────────────────────────────────┴─────────────────────────────────┴──────────────────────────┴──────┴─────────────────────┘
[*] Closing on 2020-02-14 22:18:08
[*] Duration: 0:00:42.650509

Step 4: Create a JSON file for filtering trusted devices

Because most USB events involve devices you trust – your mouse, keyboard, flash drive, and internal devices such as webcams or fingerprint scanners – the event history can become cluttered with uninteresting USB events. When you are trying to track malicious activity on your computer, that clutter makes it harder to spot a real threat.

One way to solve that problem is to create a whitelist of trusted devices so that we can suppress reports of trusted USB devices that we would otherwise have to ignore.

USBRip can generate such a JSON file of trusted devices for us. The following command creates a file named "auth.json" containing every USB device that was connected to the computer on February 14, 2020.

  ~# usbrip events gen_auth auth.json -d '2020-02-14'

usage: usbrip events [-h] {history,open,gen_auth,violations} ...

When we open the "auth.json" file in our USBRip directory, we see the following.

  {
"manufact": [
        "EgisTec",
        "Generic",
        "KS0HD050046430866CLM06",
        "Linux 5.0.0-25-generic xhci-hcd",
        "Logitech"
    ],
"pid": [
        "0002",
        "0003",
        "0129",
        "0570",
        "3016",
        "57f2",
        "c52b"
    ],
"prod": [
        "EgisTec Touch Fingerprint Sensor",
        "HD WebCam",
        "USB Receiver",
        "USB2.0-CRW",
        "xHCI Host Controller"
    ],
"serial": [
        "0000:00:14.0",
        "000253CD",
        "200901010001",
        "20100201396000000"
    ],
"vid": [
        "046d",
        "04ca",
        "0bda",
        "1c7a",
        "1d6b"
    ]
} 

We can now limit a USBRip search to any USB event that is not in auth.json using:

  ~# usbrip events violations auth.json --table

(usbrip v2.2.1-1 banner: https://github.com/snovvcrash/usbrip)

[*] Started on 2020-02-14 23:06:02
[22:20:08] [INFO]   Trying to run journalctl...
[22:20:08] [INFO]   Successfully ran journalctl
[22:20:08] [INFO]   Reading journal output
100% |█████████████████████████████████| 2101/2101 [00:00<00:00, 296000.56line/s]
[22:20:08] [INFO]   Opening authorized device list: "/root/usbrip/auth.json"
[22:20:08] [INFO]   Searching for violations
100% |█████████████████████████████████████████| 3/3 [00:00<00:00, 15534.46dev/s]
[?] How would you like your violation list to be generated?

    1. Terminal stdout
    2. JSON-file

[>] Enter the number of your choice (default 1): 1

[22:20:12] [INFO]   Preparing collected events

This produces a table with all devices that are not on the list of trusted devices.

  ┌USB-Violation-Events─┬─────────┬──────┬──────┬──────────────────────────────────┬──────────────────┬──────────────────────────┬──────┬─────────────────────┐
│ Connected │ User │ VID │ PID │ Product │ Manufacturer │ Serial Number │ Port │ Disconnected │
├─────────────────────┼─────────┼──────┼──────┼──────────────────────────────────┼──────────────────┼──────────────────────────┼──────┼─────────────────────┤
│ 2020-02-14 22:29:11 │ kubuntu │ 0930 │ 6544 │ DataTraveler 2.0 │ Kingston │ 00241D8CE51BC16029500C03 │ 1-1 │ 2020-02-14 22:33:55 │
│ 2020-02-14 22:38:55 │ kubuntu │ 03eb │ 2401 │ HID keyboard │ ATMEL AVR │ ∅ │ 1-2 │ 2020-02-14 22:40:44 │
│ 2020-02-14 22:40:44 │ kubuntu │ 03eb │ 2401 │ HID keyboard │ ATMEL AVR │ ∅ │ 1-2 │ ∅ │
│ 2020-02-14 22:41:18 │ kubuntu │ 1686 │ 0045 │ H5 │ ZOOM Corporation │ 000000000000 │ 1-2 │ 2020-02-14 22:44:48 │
│ 2020-02-14 22:44:51 │ kubuntu │ 0930 │ 6544 │ DataTraveler 2.0 │ Kingston │ 00241D8CE51BC16029500C03 │ 1-2 │ 2020-02-14 22:54:51 │
│ 2020-02-14 22:46:10 │ kubuntu │ 0930 │ 6544 │ DataTraveler 2.0 │ Kingston │ 00241D8CE51BC16029500C03 │ 1-2 │ 2020-02-14 22:57:10 │
│ 2020-02-14 22:50:54 │ kubuntu │ 1c7a │ 0570 │ EgisTec Touch Fingerprint Sensor │ EgisTec │ 00253CD │ 1-6 │ ∅ │
│ 2020-02-14 22:51:33 │ kubuntu │ 0930 │ 6544 │ DataTraveler 2.0 │ Kingston │ 00241D8CE51BC16029500C03 │ 1-2 │ 2020-02-14 22:59:39 │
│ 2020-02-14 23:05:23 │ kubuntu │ 0930 │ 6544 │ DataTraveler 2.0 │ Kingston │ 00241D8CE51BC16029500C03 │ 1-2 │ 2020-02-14 23:06:12 │
└─────────────────────┴─────────┴──────┴──────┴──────────────────────────────────┴──────────────────┴──────────────────────────┴──────┴─────────────────────┘
[*] Closing on 2020-02-14 23:06:12
[*] Duration: 0:01:17.904624

Every device on this list should be carefully inspected to determine whether or not it can be trusted.

Looking at the data above, the HID keyboard clearly stands out as a suspicious device, since it was connected to a laptop, which has no need for an external keyboard. A little research shows that the manufacturer, Atmel, is responsible for the chip in the USB Rubber Ducky, so there is a good chance this log entry shows a USB Rubber Ducky being connected to the system.

Step 5: Sort by manufacturer to quickly find suspicious USB events

Now that we know the USB Rubber Ducky's manufacturer is Atmel, we can quickly search the USB event history for devices that might be a USB Rubber Ducky. To do this, enter the command below.

  ~# usbrip events history --manufact "ATMEL AVR"

That returns the list of USB devices with an Atmel chip. It is important to remember that not every device manufactured by Atmel is a USB Rubber Ducky, but if you suspect your computer has been compromised, this is a good quick-and-dirty check for suspicious devices.
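The whitelist logic of Step 4 and the manufacturer lookup of Step 5, as an added Python example that is not USBRip's own code: gen_auth builds an auth.json-style dictionary from the devices seen on one day, find_violations reports every event with an attribute outside that whitelist, and filter_by_manufacturer does the Atmel check. The event records are constructed for the example in the shape of the tables above; the rule that an attribute the device did not report (∅) is skipped rather than treated as a mismatch is an assumption of this example, not necessarily how USBRip decides.

```python
from __future__ import annotations

import json
from typing import Optional

# Constructed USB events in the shape of usbrip's history table above. The first
# two are trusted devices seen on 2020-02-14; the last two are made-up later
# connections, including an Atmel "HID Keyboard" like the one in the text.
EVENTS: list[dict[str, Optional[str]]] = [
    {"conn": "2020-02-14 15:42:48", "user": "kubuntu", "vid": "046d", "pid": "c52b",
     "prod": "USB Receiver", "manufact": "Logitech", "serial": None,
     "port": "1-1", "disconn": None},
    {"conn": "2020-02-14 18:32:16", "user": "kubuntu", "vid": "1c7a", "pid": "0570",
     "prod": "EgisTec Touch Fingerprint Sensor", "manufact": "EgisTec", "serial": "000253CD",
     "port": "1-6", "disconn": None},
    {"conn": "2020-02-15 22:29:11", "user": "kubuntu", "vid": "0930", "pid": "6544",
     "prod": "DataTraveler 2.0", "manufact": "Kingston", "serial": "00241D8CE51BC16029500C03",
     "port": "1-1", "disconn": "2020-02-15 22:33:55"},
    {"conn": "2020-02-15 22:38:55", "user": "kubuntu", "vid": "03eb", "pid": "2401",
     "prod": "HID Keyboard", "manufact": "ATMEL AVR", "serial": None,
     "port": "1-2", "disconn": "2020-02-15 22:40:44"},
]

# The five attribute lists that appear in auth.json above.
AUTH_KEYS = ("vid", "pid", "prod", "manufact", "serial")


def gen_auth(events: list[dict[str, Optional[str]]], day: str) -> dict[str, list[str]]:
    """Build an auth.json-style whitelist from every device seen on `day` (YYYY-MM-DD)."""
    auth: dict[str, set[str]] = {key: set() for key in AUTH_KEYS}
    for ev in events:
        if ev["conn"][:10] != day:
            continue
        for key in AUTH_KEYS:
            value = ev[key]
            if value is not None:          # auth.json above carries no null entries
                auth[key].add(value)
    return {key: sorted(values) for key, values in auth.items()}


def find_violations(events, auth: dict[str, list[str]]):
    """Return (event, offending_keys) for each event with an attribute outside the whitelist.

    Assumption of this example: an attribute the device did not report (None, shown
    as ∅ by usbrip) is not checked, so a missing serial number alone never counts.
    """
    hits = []
    for ev in events:
        bad = [k for k in AUTH_KEYS if ev[k] is not None and ev[k] not in auth[k]]
        if bad:
            hits.append((ev, bad))
    return hits


def filter_by_manufacturer(events, manufacturer: str):
    """Case-insensitive manufacturer match, the same idea as the --manufact lookup above."""
    wanted = manufacturer.casefold()
    return [ev for ev in events if (ev["manufact"] or "").casefold() == wanted]


if __name__ == "__main__":
    auth = gen_auth(EVENTS, "2020-02-14")
    print(json.dumps(auth, indent=4))
    for ev, bad in find_violations(EVENTS, auth):
        print(f"VIOLATION {ev['conn']} port {ev['port']} {ev['vid']}:{ev['pid']} "
              f"{ev['manufact']} / {ev['prod']}  (not whitelisted: {', '.join(bad)})")
    for ev in filter_by_manufacturer(EVENTS, "ATMEL AVR"):
        print("Atmel device:", ev["conn"], ev["prod"], "port", ev["port"])
```

Because a single mismatching attribute is enough, a product you whitelisted can still be reported when it shows up with a different serial number or a VID/PID it did not have on the day the whitelist was generated; that is the behaviour you want from a device whitelist, and it is why the list should be regenerated only from a day you are confident was clean.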

Logging suspicious USB events is easy with USBRip

Although USBRip is not a tool for recovering data from the past, it can enable advanced logging of USB activity, making it easy to detect future HID attacks. If a hacker with a USB Rubber Ducky or a Digispark delivers a payload to your computer while it is left unattended, you can use the logs they leave behind to identify the manufacturer and the times at which the device was connected and removed. If you spot a time stamp consistent with the length of a USB Rubber Ducky payload, it may become clear when the computer was compromised.

I hope you enjoyed this tutorial about catching USB Rubber Duckies with USBRip. If you have any questions or ideas for a future article, hit me up on Twitter @nickgodshall.
