Why are HID keys used?
This style of attack means that important/hidden machines in an organization can be reached directly, without arousing suspicion, unlike complex attacks that would be carried out from the outside and would have to disarm the firewalls and security systems in place.
Exciting, isn’t it? Here’s a scenario that could well happen to your company tomorrow if unscrupulous criminals or competitors target you.
Scenario
As you can see, to carry out this attack, you’ll need physical access to plug in your innocent little key.
The thought of physical security is often forgotten, and exploiting human behavior to gain access is easier than it sounds.
Here we imagine that a malicious actor starts with a reconnaissance and OSINT phase on the company named "Digital Bitcoin Supply Chain" to find out which people are vulnerable (under financial pressure, for example) and therefore which people to target. From this information, he notes the following:
- Bob, the company's sales manager, doesn't often lock his PC, as shown by the company's corporate Instagram posts joking about the fact that he often has to pay for croissants
- During the lunch break, an external cleaning company cleans the company’s offices. Jean is a cleaner there and is apparently poorly paid and unhappy, according to his Twitter posts.
The malicious actor contacts Jean and offers him 7,000 euros in cash in exchange for discreetly plugging this innocent USB key into Bob's laptop while he cleans. Jean agrees.
Other scenarios
Here’s a list of other social engineering scenarios that can also be used to gain entry to a building:
- Arms loaded with parcels, pretending to be a delivery driver
- Ask security to let you in, on the pretext of having forgotten your belongings after a job interview
- Wear a yellow vest and look like a technician (works great: cf)
- Pretend to be a lost trainee and go where you want to go
- Look like a geek and pass yourself off as the IT department, for example by going through a door left open by smokers.
- A more brutal method, but if there’s no one around and it’s a simple lock, we pick it!
In this day and age, remaining anonymous even when physically visiting your victim’s offices has become easy again, thanks to a little must-have accessory: the mask!
Combined with a wig, you can literally transform yourself.
On the attack
Once the key has been inserted, the Wifi network created by the key appears. Georges, the attacker’s accomplice, is outside the company. He connects to the Wifi from his laptop and launches the payloads developed in advance.
Payload 1: Sound deactivation
To be as discreet as possible and avoid attracting attention, the first payload mutes the computer's sound.
Time required: 10 seconds
Payload 2: Disabling Windows Defender
To be able to launch as many malicious payloads as the attacker wants (and without bothering to bypass Defender), Defender is deactivated outright.
Time required: 15 seconds
Payload 3: Reverse Shell
To take full control of the remote computer, the attacker deploys a reverse shell.
Time required: 1 second
On Bob’s victim machine, we connect to the attacker’s remote server using the ConPty reverse shell.
On the attacker’s side, all we have to do is wait for Bob’s PC to connect to our PC, and we’re ready to play.
In this example, the attacker will roam onto the computer of Bob, the sales manager, then exfiltrate the company’s customer files (a CRM and a sales proposal) to his server.
In less than 30 seconds (26 to be exact), the attacker launched 3 payloads that gave him undetected access to Bob's computer.
When it’s gone, it’s still there
Payload 4: Persistence
In order not to lose control of Bob’s computer and remain persistent on it, the attacker will launch this payload and use SharPersist.
Time required: 20 seconds
Payload 5: Mimikatz
If the attacker doesn't want to stop at Bob's computer, but wants to have some fun on the company's AD, a tool like mimikatz may come in handy!
Here, the attacker will extract hashes, Windows session passwords and Kerberos tickets and send them to his remote server.
Time required: 20 seconds
Bonus: the ultimate trick
To definitively obtain Bob’s computer unlock password, the attacker can remotely launch the FakeLogonScreen tool, which will simulate a fake Windows login screen.
When Bob returns from his lunch break, he’ll innocently type in his password to unlock his screen. On the attacker’s side, the password will be received without any problem.
Poor Bob, and he thought he’d locked his session for once …
Here, the HID key clearly shows its superiority over a conventional attacker who would type the commands by hand after gaining physical access to the premises, with 3 advantages. It:
- types much faster (you've seen how long each payload takes; it's not humanly feasible)
- types without syntax errors
- is much more discreet! At just 2-3 centimetres, it is far less conspicuous than a 1.80-metre intruder who wouldn't blend in.
Attack vectors
Obviously, in this example our attacker has simply exfiltrated confidential files for industrial espionage purposes, but with full access to the computer, several attacks can be deployed:
- Ransomware
- Recovery of browser session cookies and login passwords
- Move on to the company domain if the compromised account has the rights
- Change the hosts file to redirect the user for phishing purposes
- Sabotage files on the PC, e.g. by modifying documents already written
- And much more
By the way, what is this key?
It's a WHID! Cactus WHID was created by Luca Bongiorni in 2017 and is often summarized as a "Wifi remote-controllable Rubber Ducky". And that's not its only advantage: it costs just 11 euros.
WHID contains two modules:
- An ATmega32u4 board that emulates any HID device and has self-programmable flash memory
- An ESP-12S Wifi module
The range of the Wifi access point varies with the building, but from 15-30 metres onwards the connection starts to suffer. In some cases a drone has to be used to get close enough to the area and control the WHID.
Available storage for payloads is 3Mb.
When purchased, Cactus WHIDs come with ESPloitV2 software.
To make the key compatible with French AZERTY keyboards, you’ll need to change the keyboard in Arduino, then reflash the key following these instructions.
Once your key has been configured, the Wifi access point will be visible with the default name Exploit and password: DotAgency
Go to the default address http://192.168.1.1 to access the ESPloit menu
From here, you can upload your payloads and launch them. Several options are also available (including conversion of Ducky scripts to ESPloit scripts)
You can also choose whether or not to make the SSID visible when creating the access point.
The PID (Product ID) and VID (Vendor ID) can also be modified, for example to bypass a restriction set up by the system administrator that allows only certain USB products to be connected.
Play hide-and-seek
For the bearded ones with a soldering iron, it's possible to hide the WHID directly inside other USB-wired objects and give them away (as a gift from a company collaborating with the victim, for example) or leave them lying around, then wait for the fateful connection.
Here are a few examples by Luca Bongiorni:
Classic and discreet, the
A plasma ball, and why not!
How to protect yourself?
There is no miracle solution, but a number of measures can be put in place to defend against and prevent this type of attack:
- Train employees to be aware of this type of threat (lock their PCs, check that no key has been plugged in while they were away) and thus prevent these attacks.
- The radical way: block all USB ports. Unfortunately, this is almost impossible for most companies.
- Otherwise, restrict the authorization to connect to and communicate with the system to certain products only (by PID/VID): on Windows via the DeviceInstall Restrictions policy keys in Regedit, on Linux via udev rules.
- Here again, if the attacker does a good job of pre-attack reconnaissance, he'll be able to see which keyboards are authorized (Logitech only, for example) and spoof the PID/VID.
- On Linux, since early 2020 there's Google's ukip tool, which measures the speed of keystrokes and determines whether they come from a human or from an injection attack.
- Do not plug in an unknown or found USB key. And if you need to plug in new keys, do so on an isolated, off-network workstation (a dedicated "clean" station) to check that the key poses no threat to the company.
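As an added illustration of the keystroke-timing idea behind ukip (example code written for this page, not ukip's own source; the thresholds, window size and sample timestamps are assumed and constructed), the heuristic below flags a burst of distinct key presses spaced faster than a human could type, while ignoring the auto-repeat of a held key:

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed, illustrative thresholds (ukip ships its own defaults):
# a human rarely sustains gaps under 30 ms between distinct key presses,
# whereas a HID key types an entire command line at a few ms per key.
MAX_INJECTION_GAP_S = 0.030
WINDOW = 5  # consecutive key-down events examined per check


@dataclass
class KeyEvent:
    t: float       # seconds since the device was enumerated
    keycode: str   # evdev-style key name, e.g. "KEY_A"


def detect_injection(events: List[KeyEvent]) -> Optional[int]:
    """Return the index of the event that completes the first window of
    WINDOW key presses all spaced under MAX_INJECTION_GAP_S, or None.

    A held key auto-repeats just as fast, so windows made of a single
    repeated keycode are ignored to avoid false positives."""
    for end in range(WINDOW - 1, len(events)):
        win = events[end - WINDOW + 1:end + 1]
        if len({e.keycode for e in win}) == 1:
            continue  # auto-repeat, not a second device typing
        gaps = [b.t - a.t for a, b in zip(win, win[1:])]
        if max(gaps) < MAX_INJECTION_GAP_S:
            return end
    return None


def classify(events: List[KeyEvent]) -> str:
    """Label a stream 'injection' or 'human'; a monitor-only deployment
    would log the hit, a hardening one would detach the device."""
    return "injection" if detect_injection(events) is not None else "human"


def _keys(names: str, start: float, gap: float) -> List[KeyEvent]:
    return [KeyEvent(start + i * gap, k) for i, k in enumerate(names.split())]


# Constructed samples: a person typing a word, a held Backspace key
# auto-repeating, and an injection device typing "echo hi" at 3 ms/key.
HUMAN = _keys("KEY_H KEY_E KEY_L KEY_L KEY_O", 0.0, 0.15)
AUTOREPEAT = _keys("KEY_BACKSPACE " * 8, 0.5, 0.025)
INJECTED = _keys("KEY_E KEY_C KEY_H KEY_O KEY_SPACE KEY_H KEY_I", 0.0, 0.003)

if __name__ == "__main__":
    for name, stream in ("human", HUMAN), ("autorepeat", AUTOREPEAT), ("injected", INJECTED):
        print(f"{name}: {classify(stream)} (first hit at index {detect_injection(stream)})")
```

Real deployments read these events from the kernel input layer per device, so a detection can be tied back to the specific USB device that produced it.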