
How to catch USB rubber duckies with USBRip on your computer «Null Byte :: WonderHowTo



If a hacker is left unattended with a USB Rubber Ducky and physical access to a computer, they can infiltrate even the most secure machine. Such attacks often go undetected without a tool like USBRip, with which you can check whether your device has been compromised.

While it can be difficult to know whether your device has been accessed in the past, you can enable logging that makes it easier to determine when a suspect device was inserted into a port. USBRip cannot scan old system logs to capture past events, but it can keep track of everything that happens after installation, so that future attacks leave a trail.

What Are HID Attacks?

A human interface device, or HID, is a device a person uses to control a computer. Keyboards and computer mice are prime examples. HIDs have elevated privileges over a program or script because the operating system assumes that commands from an HID come from someone who has permission to use the computer.

Hackers have created tools like the USB Rubber Ducky that take advantage of the inherent trust between a computer and an HID. While a USB Rubber Ducky mimics the look of a standard flash drive, when connected to a computer it acts as a keyboard that can type keystrokes and commands at lightning speed.

The types of attacks that hackers have performed via the USB Rubber Ducky, Digispark and similar tools are extensive; they range from installing a backdoor on macOS and Windows computers to sending an email with a screenshot of all the user's credentials stored in Firefox.

Detecting the Ducky

Because the computer thinks the USB Rubber Ducky is just another keyboard, the commands are executed immediately without the target getting a visible warning that they have been compromised. As long as the Ducky Script is careful to clean up after itself – by closing all open windows, deleting the terminal history and leaving the computer in the state in which the target left it – an attack can remain completely undetected.

That does not mean that it is impossible to prevent or detect such attacks. There are some tools, such as DuckHunter, that aim to limit the effects of HID attacks by watching for suspicious behavior such as keystrokes typed too quickly. While the DuckHunter project has not been updated since 2017, there is another tool that can provide evidence of an HID attack and is both powerful and actively maintained.

USBRip uses system logs to display a complete history of every USB device connected to a Linux computer. While an attacker could delete these logs as part of the cleanup process, they are much less likely to do so than to perform more critical and time-consuming cleanup steps, such as removing direct evidence of access to the computer. Even better, since the USB Rubber Ducky and Digispark are both built from chips by specific manufacturers, USBRip can search the logs for devices with suspicious fingerprints.

What You Need

USBRip is written in Python, which is cross-platform, so USBRip should run on most systems. However, since it primarily parses Linux system logs, it currently only runs on Linux. In this guide we use Kali Linux. You can find the steps for other systems in our video.

Make sure your system is fully updated with apt update and apt upgrade, then check that Python is installed by typing python into a terminal window. If you get an interactive Python shell, you have everything you need and can type quit() to exit. Otherwise, install Python by running apt install python.

  ~ # python

Python 2.7.16 (default, Apr  6 2019, 01:42:57)
[GCC 8.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.

>>> quit()

I would also recommend installing Python3:

  ~ # apt install python3-venv p7zip-full -y

Reading package lists... Done
Building dependency tree
Reading state information... Done
p7zip-full is already the newest version (16.02+dfsg-7).
python3-venv is already the newest version (3.7.5-3).
The following packages were automatically installed and are no longer required:
  dh-python libdouble-conversion1 liblinear3
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 1853 not upgraded.

Step 1: Reconfigure some Linux files

In order for USBRip to correctly analyze the system logs, some files in the root filesystem have to be configured. First we have to remove a line from the /etc/rsyslog.conf file. If you later uninstall USBRip and want to restore your computer to its original state, it is easier to simply comment the line out rather than delete it.

Open the rsyslog.conf file from a terminal window with your preferred text editor. It is in your /etc directory, and you can start editing the file straight away. In our case we use nano, so we run nano /etc/rsyslog.conf and the file opens. If you are not root, use sudo with this and many of the other commands in the instructions below.

  ~ # cd
~ # nano /etc/rsyslog.conf

After opening the file, scroll down and comment out the line shown below:

  $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

To comment it out, place a # in front of it. This part of the file should now look something like this:

  #### GLOBAL DIRECTIVES ####
#############################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640

Now save and exit the file, being careful not to change the file name. Having disabled the old format in which our computer stores system logs, we need to replace it with the format that USBRip can use. Enter the following command in the same terminal window.

  ~ # echo '$ActionFileDefaultTemplate RSYSLOG_FileFormat' | tee /etc/rsyslog.d/usbrip.conf

$ActionFileDefaultTemplate RSYSLOG_FileFormat

This creates a new .conf file that tells rsyslog to save system logs in the format USBRip uses (RSYSLOG_FileFormat writes full ISO 8601 timestamps, including the year and sub-second precision). Next we need to clear the computer's current system logs, which are in the old format. We can do this with the following command.

  ~ # rm -f /var/log/syslog* /var/log/messages*

Finally we have to restart rsyslog with the following command. After that we can continue with the installation of the program.

  ~ # systemctl restart rsyslog

Step 2: Install USBRip

After the system files have been configured properly, we can install USBRip. First, navigate to a directory of your choice in a terminal window and clone the Git repository with the following command.

  ~ # git clone https://github.com/snovvcrash/usbrip.git

Cloning into 'usbrip'...
remote: Enumerating objects: 130, done.
remote: Counting objects: 100% (130/130), done.
remote: Compressing objects: 100% (89/89), done.
remote: Total 1266 (delta 70), reused 77 (delta 39), pack-reused 1136
Receiving objects: 100% (1266/1266), 1.14 MiB | 4.83 MiB/s, done.
Resolving deltas: 100% (790/790), done.

Then navigate into the cloned directory and install the required Python libraries and dependencies with the bundled installer script. To do this with pip or the setup.py installer instead, see our video tutorial.

  ~ # cd usbrip
~/usbrip # chmod +x ./installers/install.sh
~/usbrip # sudo -H ./installers/install.sh -s

>>>> Creating directory: '/opt/usbrip'
>>>> /opt/usbrip already exists. Run first:
sudo uninstall.sh --all

Next, leave the usbrip folder and open the help page to find out what the tool offers.

  ~/usbrip # cd
~ # usbrip -h

usage: usbrip [-h] {banner,events,storage,ids} ...

positional arguments:
  {banner,events,storage,ids}
    banner       show tool banner
    events       work with USB events
    storage      work with USB event storage
    ids          work with USB IDs

optional arguments:
  -h, --help     show this help message and exit

Now we can check that USBRip has been installed correctly by typing usbrip in the terminal and making sure the following welcome screen is displayed.

  ~ # usbrip

(usbrip ASCII banner, v2.2.1-1) https://github.com/snovvcrash/usbrip

Usage: /usr/local/bin/usbrip [-h]

If you see this, the first step of installing USBRip is complete.

Step 3: Search the entire USB event history

USBRip has been installed. Let's look at the history of all USB events that have occurred on our computer. We can do this with the following command.

  ~ # usbrip events history

(usbrip ASCII banner, v2.2.1-1) https://github.com/snovvcrash/usbrip

[*] Started on February 14, 2020 at 5:11:37 p.m.
[17:11:37] [INFO]   Attempt to journalctl ...
[17:11:37] [INFO]   Journalctl successfully executed
[17:11:37] [INFO]   Reading the journal edition
100% | █████████████████████████████████ | 2089/2089 [00:00<00:00, 251208.49line/s]
[?] How would you like your event history list to be generated?

    1. Terminal stdout
    2. JSON-file

[>] Please enter the number of your choice (Standard 1): 

Now you can either print the USB history in the terminal or save it as a JSON file. First, let's see it in the terminal by typing 1 .

  [>] Please enter the number of your choice (Standard 1): 1

[17:13:34] [INFO]   Collecting collected events
------------------------------------------------
Connected: 2020-02-14 15:42:48
User: kubuntu
VID: 046d
PID: c52b
Product: USB receiver
Manufacturer: Logitech
Serial number: ∅
Bus connection: 1-1
Disconnected: ∅
------------------------------------------------
[*] Shutdown on February 14th, 2020 at 5:13:34 pm
[*] Time spent: 0: 01: 57.087803 

As you can see above, the list of USB events is limited to the Logitech Bluetooth mouse receiver that I connected to my laptop.

Unfortunately, because we had to remove all the incorrectly formatted system logs, the USB event history only goes back to when we installed USBRip. Despite this limitation, we were able to get some interesting information about the USB device, e.g. the timestamps when it was connected and disconnected (or whether it was ever disconnected).

We can also see the VID and PID, numbers a computer uses to identify a USB device and work out which drivers need to be loaded. The VID (vendor ID) is assigned by usb.org and the PID (product ID) is determined by the manufacturer. We also learn what the device is, what the manufacturer's name is, and which USB port the device was connected to.

After a few days, the number of USB events on your computer starts to pile up, and you may want to condense the list into a more readable format. We can narrow the query down to the last 20 USB events and format it as a compact table instead of a list.

  ~ # usbrip events history -n 20 --table

(usbrip ASCII banner, v2.2.1-1) https://github.com/snovvcrash/usbrip

[*] Started on February 14, 2020 at 10:18 p.m.
[22:18:00] [INFO]   Attempt to journalctl ...
[22:18:00] [INFO]   Journalctl was successfully executed
[22:18:00] [INFO]   Reading the journal edition
100% | █████████████████████████████████ | 2095/2095 [00:00<00:00, 364532.95line/s]
[22:18:00] [INFO] Filtering events
[?] How would you like your event history list to be generated?

    1. Terminal stdout
    2. JSON-file

[>] Please enter the number of your choice (Standard 1): 1

[22:18:02] [INFO]   Collecting collected events
[22:18:02] [INFO]   Illustration: Table 

It should look something like this:

  USB History Events

  Connected           │ User    │ VID  │ PID  │ Product                          │ Manufacturer                    │ Serial number            │ Port │ Disconnected
  2020-02-14 17:30:04 │ kubuntu │ 1d6b │ 0002 │ xHCI Host Controller             │ Linux 5.0.0-25-generic xhci-hcd │ 0000:00:14.0             │ usb1 │ ∅
  2020-02-14 18:05:23 │ kubuntu │ 0930 │ 6544 │ DataTraveler 2.0                 │ Kingston                        │ 00241D8CE51BC16029500C03 │ 1-2  │ 2020-02-14 18:07:23
  2020-02-14 18:22:56 │ kubuntu │ 1c7a │ 0570 │ EgisTec Touch Fingerprint Sensor │ EgisTec                         │ 000253CD                 │ 1-6  │ 2020-02-14 18:24:45
  2020-02-14 18:32:16 │ kubuntu │ 1c7a │ 0570 │ EgisTec Touch Fingerprint Sensor │ EgisTec                         │ 000253CD                 │ 1-6  │ ∅
  2020-02-14 19:59:54 │ kubuntu │ 1d6b │ 0003 │ xHCI Host Controller             │ Linux 5.0.0-25-generic xhci-hcd │ 0000:00:14.0             │ usb2 │ ∅
  2020-02-14 19:59:54 │ kubuntu │ 04ca │ 3016 │ ∅                                │ ∅                               │ ∅                        │ 1-5  │ ∅
  2020-02-14 19:59:54 │ kubuntu │ 1c7a │ 0570 │ EgisTec Touch Fingerprint Sensor │ EgisTec                         │ 000253CD                 │ 1-6  │ ∅
  2020-02-14 19:59:54 │ kubuntu │ 0bda │ 57f2 │ HD WebCam                        │ KS0HD050046430866CLM06          │ 200901010001             │ 1-7  │ ∅
  2020-02-14 19:59:54 │ kubuntu │ 046d │ c52b │ USB Receiver                     │ Logitech                        │ ∅                        │ 1-1  │ ∅
  2020-02-14 19:59:54 │ kubuntu │ 1d6b │ 0002 │ xHCI Host Controller             │ Linux 5.0.0-25-generic xhci-hcd │ 0000:00:14.0             │ usb1 │ ∅
  2020-02-14 19:59:54 │ kubuntu │ 0bda │ 0129 │ USB2.0-CRW                       │ Generic                         │ 20100201396000000        │ 1-8  │ ∅
  2020-02-14 20:46:17 │ kubuntu │ 1d6b │ 0003 │ xHCI Host Controller             │ Linux 5.0.0-25-generic xhci-hcd │ 0000:00:14.0             │ usb2 │ ∅
  2020-02-14 20:46:17 │ kubuntu │ 04ca │ 3016 │ ∅                                │ ∅                               │ ∅                        │ 1-5  │ ∅
  2020-02-14 20:46:17 │ kubuntu │ 1d6b │ 0002 │ xHCI Host Controller             │ Linux 5.0.0-25-generic xhci-hcd │ 0000:00:14.0             │ usb1 │ ∅
  2020-02-14 20:46:17 │ kubuntu │ 046d │ c52b │ USB Receiver                     │ Logitech                        │ ∅                        │ 1-1  │ 2020-02-14 20:47:22
  2020-02-14 20:46:17 │ kubuntu │ 1c7a │ 0570 │ EgisTec Touch Fingerprint Sensor │ EgisTec                         │ 000253CD                 │ 1-6  │ 2020-02-14 20:48:17
  2020-02-14 20:46:17 │ kubuntu │ 0bda │ 0129 │ USB2.0-CRW                       │ Generic                         │ 20100201396000000        │ 1-8  │ ∅
  2020-02-14 20:46:17 │ kubuntu │ 0bda │ 57f2 │ HD WebCam                        │ KS0HD050046430866CLM06          │ 200901010001             │ 1-7  │ ∅
  2020-02-14 21:00:06 │ kubuntu │ 046d │ c52b │ USB Receiver                     │ Logitech                        │ ∅                        │ 1-1  │ 2020-02-14 21:04:08
  2020-02-14 21:20:15 │ kubuntu │ 046d │ c52b │ USB Receiver                     │ Logitech                        │ ∅                        │ 1-2  │ 2020-02-14 21:40:45

[*] Shutdown on February 14th, 2020 at 10:18:08 pm
[*] Time spent: 0:00:42.650509

Step 4: Create a JSON file to filter trusted devices

Because most USB events involve devices you trust – mouse, keyboard, flash drive, and internal devices such as webcams or fingerprint scanners – the event history can be crowded with USB events that are of no interest. When you are trying to track malicious activity on your computer, this clutter makes it harder to identify a real threat.

One way to fix this is to whitelist devices that we trust so that we can suppress reports of trusted USB devices that we would otherwise have to ignore.

With USBRip we can easily create a JSON file with trusted devices. With the following command we can create a .json file called "auth.json" that contains every USB device that was connected to the computer on February 14, 2020.

  ~ # usbrip events gen_auth auth.json -d '2020-02-14'

Usage: usbrip events [-h] {history,open,gen_auth,violations} ...

When we open the "auth.json" file in our USBRip directory, the following is displayed.

  {
    "manufact": [
        "EgisTec",
        "Generic",
        "KS0HD050046430866CLM06",
        "Linux 5.0.0-25-generic xhci-hcd",
        "Logitech"
    ],
    "pid": [
        "0002",
        "0003",
        "0129",
        "0570",
        "3016",
        "57f2",
        "c52b"
    ],
    "prod": [
        "EgisTec Touch Fingerprint Sensor",
        "HD WebCam",
        "USB Receiver",
        "USB2.0-CRW",
        "xHCI Host Controller"
    ],
    "serial": [
        "0000:00:14.0",
        "000253CD",
        "200901010001",
        "20100201396000000"
    ],
    "vid": [
        "046d",
        "04ca",
        "0bda",
        "1c7a",
        "1d6b"
    ]
}

We can now restrict a USBRip search to USB events that are not covered by auth.json with the following command:

  ~ # usbrip events violations auth.json --table

(usbrip ASCII banner, v2.2.1-1) https://github.com/snovvcrash/usbrip

[*] Started on February 14, 2020 at 11:06:02 p.m.
[22:20:08] [INFO]   Attempt to journalctl ...
[22:20:08] [INFO]   Journalctl was successfully executed
[22:20:08] [INFO]   Read journal edition
100% | █████████████████████████████████ | 2101/2101 [00:00<00:00, 296000.56line/s]
[22:20:08] [INFO]   Open the list of authorized devices: "/root/usbrip/auth.json"
[22:20:08] [INFO]   Looking for violations
100% | █████████████████████████████████████████ | 3/3 [00:00<00:00, 15534.46dev/s]
[?] How would you like your violation list to be generated?

    1. Terminal stdout
    2. JSON-file

[>] Please enter the number of your choice (Standard 1): 1

[22:20:12] [INFO]   Prepare Collected Events 

This returns a table of all devices that are not in the list of trusted devices.

  USB Violation Events

  Connected           │ User    │ VID  │ PID  │ Product                          │ Manufacturer     │ Serial number            │ Port │ Disconnected
  2020-02-14 22:29:11 │ kubuntu │ 0930 │ 6544 │ DataTraveler 2.0                 │ Kingston         │ 00241D8CE51BC16029500C03 │ 1-1  │ 2020-02-14 22:33:55
  2020-02-14 22:38:55 │ kubuntu │ 03eb │ 2401 │ HID Keyboard                     │ ATMEL AVR        │ ∅                        │ 1-2  │ 2020-02-14 22:40:44
  2020-02-14 22:40:44 │ kubuntu │ 03eb │ 2401 │ HID Keyboard                     │ ATMEL AVR        │ ∅                        │ 1-2  │ ∅
  2020-02-14 22:41:18 │ kubuntu │ 1686 │ 0045 │ H5                               │ ZOOM Corporation │ 000000000000             │ 1-2  │ 2020-02-14 22:44:48
  2020-02-14 22:44:51 │ kubuntu │ 0930 │ 6544 │ DataTraveler 2.0                 │ Kingston         │ 00241D8CE51BC16029500C03 │ 1-2  │ 2020-02-14 22:54:51
  2020-02-14 22:46:10 │ kubuntu │ 0930 │ 6544 │ DataTraveler 2.0                 │ Kingston         │ 00241D8CE51BC16029500C03 │ 1-2  │ 2020-02-14 22:57:10
  2020-02-14 22:50:54 │ kubuntu │ 1c7a │ 0570 │ EgisTec Touch Fingerprint Sensor │ EgisTec          │ 000253CD                 │ 1-6  │ ∅
  2020-02-14 22:51:33 │ kubuntu │ 0930 │ 6544 │ DataTraveler 2.0                 │ Kingston         │ 00241D8CE51BC16029500C03 │ 1-2  │ 2020-02-14 22:59:39
  2020-02-14 23:05:23 │ kubuntu │ 0930 │ 6544 │ DataTraveler 2.0                 │ Kingston         │ 00241D8CE51BC16029500C03 │ 1-2  │ 2020-02-14 23:06:12

[*] Shutdown on February 14th, 2020 at 23:06:12
[*] Time spent: 0:01:17.904624

All devices in this list should be checked carefully to determine whether they are trustworthy or not.

Looking at the data above, it is clear that the HID keyboard is a suspicious device: it was connected to a laptop, which has no need for an external keyboard. A little research shows that Atmel makes the chip in the USB Rubber Ducky, which means this log entry very likely indicates that a USB Rubber Ducky was connected to the system.

Step 5: Sort by Manufacturer to Find Suspicious USB Events Quickly

Now that we know the manufacturer of the USB Rubber Ducky's chip, Atmel, we can quickly search the USB event history for devices that may be a USB Rubber Ducky. To do this, enter the following command.

  ~ # usbrip events history --manufact 'ATMEL AVR'

This returns the list of USB devices with a chip made by Atmel. It is important to remember that not every device built on an Atmel chip is a USB Rubber Ducky. However, if you suspect that your computer has been compromised, this is a good quick-and-dirty check for suspicious devices.
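The following script is an added example and is not part of the original tutorial or the usbrip project. It ties together three points from the text: why Step 1 switches rsyslog to RSYSLOG_FileFormat (the kernel's USB messages only become usable events once each line carries a full, year-bearing timestamp), how the VID, PID, product, manufacturer, serial and port fields are assembled into one event per connection, and how an auth.json-style allowlist is turned into a violations list (Step 4) or filtered by manufacturer (Step 5). The log lines are constructed, and the rule that an event is a violation when any of its recorded attributes is missing from the allowlist is an assumption of this example; usbrip's own matching logic may differ.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of kernel USB messages as rsyslog writes them with the
# RSYSLOG_FileFormat template: an ISO 8601 timestamp carrying the year and
# microseconds. The traditional template would only give "Feb 14 22:29:11",
# which has no year and cannot be parsed into an unambiguous point in time.
SAMPLE_LOG = """\
2020-02-14T22:29:11.251338+01:00 kubuntu kernel: usb 1-1: New USB device found, idVendor=0930, idProduct=6544, bcdDevice= 1.00
2020-02-14T22:29:11.251344+01:00 kubuntu kernel: usb 1-1: Product: DataTraveler 2.0
2020-02-14T22:29:11.251347+01:00 kubuntu kernel: usb 1-1: Manufacturer: Kingston
2020-02-14T22:29:11.251350+01:00 kubuntu kernel: usb 1-1: SerialNumber: 00241D8CE51BC16029500C03
2020-02-14T22:33:55.012001+01:00 kubuntu kernel: usb 1-1: USB disconnect, device number 5
2020-02-14T22:38:55.700120+01:00 kubuntu kernel: usb 1-2: New USB device found, idVendor=03eb, idProduct=2401, bcdDevice= 1.00
2020-02-14T22:38:55.700131+01:00 kubuntu kernel: usb 1-2: Product: HID Keyboard
2020-02-14T22:38:55.700134+01:00 kubuntu kernel: usb 1-2: Manufacturer: ATMEL AVR
2020-02-14T22:40:44.300000+01:00 kubuntu kernel: usb 1-2: USB disconnect, device number 6
"""

# "<iso-timestamp> <host> kernel: [<uptime>] usb <port>: <message>"; the bracketed
# uptime is optional because it depends on the kernel's printk.time setting.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s+(?P<host>\S+)\s+kernel:\s+"
    r"(?:\[\s*[\d.]+\]\s+)?usb (?P<port>[\d.-]+): (?P<msg>.*)$"
)
NEW_DEVICE_RE = re.compile(
    r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
AUTH_KEYS = ("vid", "pid", "prod", "manufact", "serial")  # same keys as usbrip's auth.json


@dataclass
class UsbEvent:
    """One device connection, mirroring the columns usbrip prints."""
    connected: str
    user: str
    vid: str
    pid: str
    port: str
    prod: Optional[str] = None
    manufact: Optional[str] = None
    serial: Optional[str] = None
    disconnected: Optional[str] = None


def parse_usb_events(log_text: str) -> List[UsbEvent]:
    """Fold the kernel's per-line messages into one event per connection, keyed by port."""
    events: List[UsbEvent] = []
    open_by_port: Dict[str, UsbEvent] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = m["ts"].replace("T", " ")  # "2020-02-14 22:29:11", as usbrip shows it
        found = NEW_DEVICE_RE.match(m["msg"])
        if found:
            ev = UsbEvent(stamp, m["host"], found["vid"], found["pid"], m["port"])
            events.append(ev)
            open_by_port[m["port"]] = ev
            continue
        ev = open_by_port.get(m["port"])
        if ev is None:
            continue  # descriptor line for a device whose "found" line we never saw
        for prefix, attr in (("Product: ", "prod"), ("Manufacturer: ", "manufact"), ("SerialNumber: ", "serial")):
            if m["msg"].startswith(prefix):
                setattr(ev, attr, m["msg"][len(prefix):])
        if m["msg"].startswith("USB disconnect"):
            ev.disconnected = stamp
            del open_by_port[m["port"]]
    return events


def gen_auth(events: List[UsbEvent]) -> Dict[str, List[str]]:
    """Build an allowlist in the shape of usbrip's auth.json from known-good events."""
    auth: Dict[str, set] = {k: set() for k in AUTH_KEYS}
    for ev in events:
        for key in AUTH_KEYS:
            value = getattr(ev, key)
            if value:
                auth[key].add(value)
    return {k: sorted(v) for k, v in auth.items()}


def violations(events: List[UsbEvent], auth: Dict[str, List[str]]) -> List[UsbEvent]:
    """Assumed rule: an event is a violation if any recorded attribute is absent from the allowlist."""
    return [
        ev for ev in events
        if any(getattr(ev, k) is not None and getattr(ev, k) not in auth.get(k, []) for k in AUTH_KEYS)
    ]


def filter_by_manufact(events: List[UsbEvent], manufact: str) -> List[UsbEvent]:
    """Counterpart of `usbrip events history --manufact '<name>'`."""
    return [ev for ev in events if ev.manufact == manufact]


def format_row(ev: UsbEvent) -> str:
    cells = [ev.connected, ev.user, ev.vid, ev.pid, ev.prod, ev.manufact, ev.serial, ev.port, ev.disconnected]
    return " | ".join("∅" if c is None else c for c in cells)


if __name__ == "__main__":
    events = parse_usb_events(SAMPLE_LOG)
    auth = gen_auth(events[:1])  # trust only the Kingston stick, then look for anything else
    print(json.dumps(auth, indent=2))
    for ev in violations(events, auth):
        print("VIOLATION:", format_row(ev))
    for ev in filter_by_manufact(events, "ATMEL AVR"):
        print("ATMEL AVR:", format_row(ev))
```

Run against a real /var/log/syslog written in RSYSLOG_FileFormat (or `journalctl -k -o short-iso`), the parser yields the same columns the tutorial's tables show; the serial column stays ∅ for devices that report no serial, which is exactly the case for the HID keyboard in the violations table above.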

Logging suspicious USB events is easy with USBRip

While USBRip is not a tool for recovering past data, it can enable advanced logging of USB activity, making it easy to detect future HID attacks. If a hacker is left unattended with your computer and delivers a payload with a USB Rubber Ducky or Digispark, you can use the logs it leaves behind to identify the manufacturer and see when the device was connected and removed. If you see a connection window that matches the length of a USB Rubber Ducky payload, it can be obvious when the computer was compromised.

I hope you enjoyed this tutorial on catching USB Rubber Duckies with USBRip. If you have further questions or an idea for a future article, reach out on Twitter @nickgodshall.
