Teensy Programming for Everyone
Nikhil Mittal
About Me
SamratAshok
Twitter - @nikhil_mitt
Blog – http://labofapenetrationtester.blogspot.com
Creator of Kautilya
Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems.
Previous Talks: Clubhack’10, Hackfest’11, Clubhack’11, Black hat Abu Dhabi’11
Upcoming Talks: Troopers’12, PHDays’12, Hack In Paris’12
Training at GrrCON’12
Agenda - Introduction
A typical Pen Test Scenario
How we are doing it
Need for new methods to break into systems
HID anyone?
Agenda - Workshop
Introduction to Teensy
Basics of Arduino Development Environment (ADE)
Installing and configuring ADE to use with Teensy
Understanding the basics of programming using ADE
Writing Hello World
Basic usage and programming of Teensy
Introduction to Kautilya
Demonstration of Payloads in Kautilya
Program and perform attacks on a Windows machine
Program and perform advanced attacks on a Windows machine
Understanding structure of and automation using Kautilya
Understanding Integration of payloads in Kautilya
Agenda - Conclusion
Protection against HID based attacks
Pen Test Stories
Limitations
Future
Conclusion
Let’s get started
Be as interactive as you can. Query me, ask nasty questions, insult me.
It is mandatory to laugh at jokes, whether they are on the slides or cracked by me.
We will start slow and then pick up speed. Be patient if you already know something; not everybody is as good as you.
I don’t have much theory, so be ready to see demos and source code.
Make sure you keep your eyes open. You should be able to program your device after this. I will keep checking if everyone is awake ;)
A typical Pen Test Scenario
A client engagement comes with IP addresses.
We need to complete the assignment in a very restrictive time frame.
Pressure is on us to deliver a “good” report with some high severity findings (that “High” inside a red colored box).
How the threats are Tested
Vuln Scan -> Exploit -> Report
This is a best case scenario. Only the lucky ones find that.
Generally legacy Enterprise Applications or Business Critical applications are not upgraded and are the first targets.
There is almost no fun doing it that way.
Some of us do it better
Enum -> Scan -> Exploit -> Report
Some of us do it even better
Enum + Intel -> Scan -> Exploit -> Post Exp -> Report
Why do we need to exploit?
To gain access to the systems. This shows the real threat to clients: that we can actually make an impact on their business. No more “so-what”.
We can create reports with “High” Severity findings which bring $$$
What do we exploit?
Memory Corruption bugs
  Server side
  Client Side
Mis-configurations
  Open file shares
  Sticky slips
Man In The Middle (many types)
Unsecured Dumpsters
Humans <Audience>
Worse Scenario
Many times we get some vulnerabilities but can’t exploit:
No public exploits available.
Not allowed on the system.
Countermeasure blocking it.
Exploit completed but no session was generated :P
Worst Scenario
Hardened Systems
Patches in place
Countermeasures blocking scans and exploits
Security incident monitoring and blocking
No network access
We need alternatives.
Best Alternative
Rajnikant > Chuck Norris
Need for new methods to break into systems
Bad guys are getting smarter.
Smart attacks of 2011
  Sony (ok not so smart :P)
  RSA (clever attack), chained to Lockheed Martin
  Epsilon (Spear Phishing)
  Barracuda Networks (WAF turned off for a little while)
  Some attacks on India
Smart attacks of 2010
  Stuxnet
  Operation Aurora
And Many more (like Apache in 2009)
Need for new methods to break into systems
Breaking into systems is not as easy as it is done in the movies.
Those defending the systems have become smarter (at many places :P) and it is getting harder to break into “secured” environments.
Everyone is breaking into systems using the older ways; you need new ways to do it better.
HID anyone?
Wikipedia – “A human interface device or HID is a type of computer device that interacts directly with, and most often takes input from, humans and may deliver output to humans.”
Mice, Keyboards and Joysticks are the most common HIDs.
What could go wrong?
Introduction to Teensy
A USB Micro-controller device.
Storage of about 130 KB.
We will use Teensy++ which is an updated version of Teensy.
From pjrc.com
Current usage of Teensy
http://www.pjrc.com/teensy/projects.html
Really cool projects.
Arduino - Installation
Install Arduino
Windows Serial Installer (only Windows)
Install Teensyduino
Copy Teensy loader executable in Arduino directory.
Detailed with screenshots here: http://www.pjrc.com/teensy/td_download.html
Arduino - Configuration
Make sure to select correct “Board” and “USB Type” under Tools menu item.
If Teensyduino has been installed properly, sketch examples can be found at File->Examples->Teensy
Programming using ADE
Almost C++-like syntax is used in ADE.
Two functions are required at minimum:
setup(), which runs whenever Teensy is plugged in or restarted.
loop(), which keeps running after setup().
Basic usage and programming of Teensy
Writing Hello World with Teensy.
DEMO, Source Code and Programming
Kautilya
It’s a toolkit which aims to make Teensy more useful in Penetration Tests.
Named after Chanakya a.k.a. Kautilya.
Written in Ruby.
It’s a menu driven program which lets users select and customize payloads.
Aims to make Teensy part of every Penetration tester’s tool chest.
Payloads
Payloads are written for Teensy without an SD Card.
Pastebin is extensively used. Both for uploads and downloads.
Payloads are commands, powershell scripts or combination of both.
Payload execution of course depends on privilege of user logged in when Teensy is plugged in.
Payloads are mostly for Windows as the victim of choice generally is a Windows machine.
Windows User Add
Adds a user with Administrative privileges on the victim.
Uses net user command.
Default DNS
Changes the default DNS for a connection.
Utilizes the netsh command.
Edit Hosts File
Edit hosts file to resolve a domain locally.
Enable RDP
Enables RDP on victim machine. Starts the service. Adds exception to Windows firewall. Adds a user to Administrators group.
Enable Telnet
Installs Telnet on victim machine. Starts the service. Adds exception to Windows firewall. Adds a user to Administrators group and TelnetClients group.
Forceful Browsing
Starts an invisible instance of Internet Explorer which browses to the given URL.
Download and Execute
Downloads an exe in text format from pastebin, converts it back to exe and executes it.
Sethc and Utilman backdoor
Using registry hacks, calls user defined executable or command when Shift is pressed 5 times or Win + U is pressed.
When the system is locked, the called exe is executed in System context.
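As an added defender's check (not code from the talk or from Kautilya), the PowerShell below looks for the backdoor just described. It assumes the registry hack is the Image File Execution Options Debugger value, the usual way this redirection is set up, and that the binary list and the Windows 8 or later signature checking noted in the comments apply.

```powershell
# Added example: detect sethc/utilman style accessibility backdoors.
# Assumption: the redirection lives in the IFEO "Debugger" value, which makes
# Windows launch the configured program instead of the accessibility binary,
# including from the lock screen where it runs as SYSTEM. The binaries' own
# Authenticode signatures are checked too, in case a file was swapped instead.
# Run elevated on Windows 8 / Server 2012 or later (catalog-signed system files
# report 'NotSigned' on Windows 7, which would show up as a false positive).

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$accessibilityBinaries = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe'

function Get-AccessibilityBackdoorFindings {
    foreach ($exe in $accessibilityBinaries) {
        # 1. IFEO redirection: any Debugger value on these binaries is suspicious.
        $debugger = $null
        $ifeoKey = Join-Path $ifeoRoot $exe
        if (Test-Path $ifeoKey) {
            $debugger = (Get-ItemProperty -Path $ifeoKey -Name Debugger -ErrorAction SilentlyContinue).Debugger
        }

        # 2. File replacement: the copy in System32 must still carry a valid Microsoft signature.
        $path = Join-Path $env:SystemRoot "System32\$exe"
        $sigStatus = 'FileMissing'
        $signer = $null
        if (Test-Path $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $sigStatus = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        $signedByMicrosoft = ($sigStatus -eq 'Valid') -and ($signer -like '*Microsoft*')

        [pscustomobject]@{
            Binary       = $exe
            IfeoDebugger = $debugger
            Signature    = $sigStatus
            Signer       = $signer
            Suspicious   = [bool]$debugger -or -not $signedByMicrosoft
        }
    }
}

$findings = Get-AccessibilityBackdoorFindings
$findings | Format-Table -AutoSize
if ($findings | Where-Object Suspicious) {
    Write-Warning 'An accessibility binary is redirected or replaced; treat the host as compromised.'
}
```

Because the redirected program runs as SYSTEM from the lock screen, a hit here matters even on a machine where the logged-in user has no admin rights.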
Uninstall Application
Uninstalls an msiexec application silently.
Chrome RDP
This payload opens up Chrome, launches the Remote Desktop plugin, enters credentials and copies the access key to pastebin.
This payload operates on the browser window.
Information Gather
Dumps valuable information from registry, net command and hosts file.
Sniffer
This payload pulls the sniffer powershell script (by Robbie Foust) and executes it on the victim.
The output is compressed and uploaded to FTP.
The Pwnage Saga Continues
Hashdump
This payload pulls the powerdump script of msf from pastebin, schedules it as a task to run in system context and uploads the hashes to pastebin.
Keylogging
This payload logs keys and pastes them to pastebin every twenty seconds.
There is a separate script to parse the output.
Wireless Rogue AP
This payload creates a hosted network with user defined SSID and key.
It also adds a user to Administrators and TelnetClients group.
It installs and starts telnet and adds it to the Windows firewall exceptions.
Forced Wireless Connection
This payload forces the victim to connect to an attacker controlled WiFi AP. The AP in this case is a portable WiFi hotspot on a smartphone.
Using this, payloads can be pulled either from the smartphone or from the internet via the AP, thus effectively bypassing any internet restriction policies on the system.
Code Execution
This payload uses the powershell code execution script (by Matt from exploit-monday blog).
A meterpreter shell is executed completely in memory using this script.
Java Signed Applet Code Exec
This payload browses in the background to a URL where the Metasploit Java Signed Applet module is hosted and accepts the run prompt after a few seconds.
Pen Test Stories: Library Fun
We were doing internal PT for a large media house.
The access to network was quite restrictive.
The desktops at Library were left unattended many times.
Teensy was plugged into one system with a sethc and utilman backdoor.
Later in the evening the system was accessed and pwnage ensued.
Pen Test Stories: Breaking the perimeter
A telecom company. We had to do a perimeter check for the firm.
The Wireless rogue AP payload was used and Teensy was sold to the client’s employees during lunch hours.
Within a couple of hours, we got a wireless network with an administrative user and telnet ready.
Pen Test Stories: Help by the Helpdesk
A pharma company. We replaced a user’s data card with a Teensy inside the data card’s cover. The payload selected was Keylogger.
The “Data card” obviously didn’t work and we got multiple keylogs for the user and the helpdesk.
Helpdesk guys had access to almost everything in the environment and over a workday, it was over.
Defense from malicious HID
Use Endpoint Protector 4 :P :P
Group Policy in Windows which prevents installation of hardware devices.
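The Group Policy mentioned above, as an added PowerShell audit that is not part of the talk: it reads the Device Installation Restrictions policy values and lists the keyboards Windows currently sees, so an unexpected USB keyboard (which is what a Teensy in Keyboard mode looks like to the OS) stands out. The registry layout and the setup-class GUIDs are assumptions documented in the comments.

```powershell
# Added example: audit "Device Installation Restrictions" (Computer Configuration >
# Administrative Templates > System > Device Installation) and enumerate keyboards.
# Assumption: the GPO writes the registry values named below. Run elevated on
# Windows 8 / Server 2012 or later (Get-PnpDevice ships with the PnpDevice module).

$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$keyboardClassGuid = '{4d36e96b-e325-11ce-bfc1-08002be10318}'   # setup class "Keyboard"
$hidClassGuid      = '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}'   # setup class "HIDClass"

function Get-PolicyList([string]$subKey) {
    # Allow/Deny lists are subkeys holding values named 1, 2, 3, ... with one ID each.
    if (-not (Test-Path $subKey)) { return @() }
    $k = Get-Item $subKey
    foreach ($n in $k.GetValueNames()) { if ($n -match '^\d+$') { $k.GetValue($n) } }
}

function Get-DeviceInstallRestrictionStatus {
    $denyUnspecified = $false
    $denyRemovable = $false
    if (Test-Path $restrictions) {
        $p = Get-ItemProperty -Path $restrictions
        $denyUnspecified = ($p.DenyUnspecified -eq 1)      # "Prevent installation of devices not described by other policy settings"
        $denyRemovable   = ($p.DenyRemovableDevices -eq 1) # "Prevent installation of removable devices"
    }
    $deniedClasses = @(Get-PolicyList "$restrictions\DenyDeviceClasses")
    [pscustomobject]@{
        DenyUnspecified     = $denyUnspecified
        DenyRemovable       = $denyRemovable
        AllowedDeviceIds    = @(Get-PolicyList "$restrictions\AllowDeviceIDs")
        DeniedDeviceIds     = @(Get-PolicyList "$restrictions\DenyDeviceIDs")
        DeniedClasses       = $deniedClasses
        # A brand-new USB keyboard is refused only if one of these is in force.
        NewKeyboardsBlocked = $denyUnspecified -or ($deniedClasses -contains $keyboardClassGuid) -or ($deniedClasses -contains $hidClassGuid)
    }
}

function Get-AttachedKeyboards {
    # Built-in and PS/2 keyboards sit on ACPI instance paths; a USB HID keyboard shows
    # up under HID\VID_xxxx&PID_xxxx, so a second keyboard on such a path deserves a look.
    Get-PnpDevice -Class Keyboard -Status OK |
        Select-Object FriendlyName, InstanceId,
            @{ Name = 'OverUsb'; Expression = { $_.InstanceId -like 'HID\VID_*' -or $_.InstanceId -like 'USB\*' } }
}

$status = Get-DeviceInstallRestrictionStatus
$status | Format-List
if (-not $status.NewKeyboardsBlocked) {
    Write-Warning 'No policy stops a new USB keyboard from installing: an unknown HID will be accepted silently.'
}
Get-AttachedKeyboards | Format-Table -AutoSize
```

Blocking the Keyboard or HIDClass classes outright also blocks legitimate keyboards, so in practice the deny is paired with an AllowDeviceIDs list of the hardware IDs the organisation actually issues. The restriction only applies to devices installed after the policy lands unless the policy's option to apply to already-installed devices is set.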
Limitations with Teensy
Limited storage in Teensy. Resolved if you attach an SD card to Teensy.
Inability to “read” from the system. You have to assume the responses of victim OS and there is only one way traffic.
Limitations with Kautilya
Many payloads need Administrative privilege.
Lots of traffic to and from pastebin.
Inability to clear itself after a single run.
Not very stable as it is still a new tool and has not gone through user tests.
For payloads which use executables you manually need to convert and paste them to pastebin.
Future
Improvement in current payloads.
Implementation of SD card.
Use some payloads as libraries so that they can be reused.
Support for Non-English keyboards.
Maybe more Linux payloads.
Implementation of some new payloads which are under development.
Thank You
Please complete the Speaker Feedback Surveys.
Questions? Insults? Feedback?
Kautilya is available at http://code.google.com/p/kautilya/
Follow me @nikhil_mitt http://labofapenetrationtester.blogspot.com/