Difference between revisions of "Key Stroke Injection"
Line 35: | Line 35: | ||
==== Standard Hardware ==== | ==== Standard Hardware ==== | ||
An emerging trend is to not use special hardware, but to built in keystroke injection hardware/software in common peripheral devices. Imagine a standard HP office mouse, nobody would expect any threat from it. Examples and manuals can be found online also. | |||
== Possible Protections == | == Possible Protections == |
Revision as of 15:00, 11 July 2020
Summary
This document describes Keystroke Injection and it's different usecases. It lists a selection of tools and how to protect a system against such attacks.
Keystroke Injection describes the act of simulating keystrokes by a real person. In fact the keystrokes are generated by a script or other software. Thus wantet and unwanted inputs can be entered very fast. This works over the HID protocol (human interface device), with which every common keyboard works. Because computers trust human input in the form of keystrokes.
To show the actual danger by Keystroke Injection attacks, mostly done with rogue USB flash drives, the paper Users Really Do Plug in USB Drives They Find got published on IEEE in May 2016. It shows that 45-98% of the users plug in a found USB flash drive, mostly with the intention to find the drive's owner.
Usage
The ability to type over 9000 characters per minute opens a few use cases. Ethical correct ones and also not. Beside the probably best-known use as attack vector, also the automation of tasks benefits from this feature.
Automation
Even simple tasks like adding network shares or printers are much faster over commandline than over a GUI. Maybe these could also be typed manually, the benefit kicks in thinking of larger scripts to be automatically executed on single computers.
Penetration Testing
Penetration Testing is more or less the same use case as Hacking but with another purpose. Instead of really attacking a system you show and document open vulnerabilities.
Hacking
The most famous use case for Keystroke Injection is to attack systems over command line. With the command line all sorts of attacks are possible. From running a simple script, over downloading and running an exe file, up to opening a reverse shell and many more. Attackers can just collect valuable informations or exploit the access. Enough examples can be found online.
Tools
There are a few different hardware tools, mostly disguised as simple USB falsh drives, also called BadUSB. They are in some sort programmable or loadable with a specific payload to execute.
Rubber Ducky
A well known example is the USB Rubberducky. A detailed description is available in the Elvis Wiki: USB_Rubber_Ducky.
Pocket Admin
Pocket Admin is an open source variant of Rubber Ducky to build by yourself. It states that it's cheaper and that it has a extended functionaloty. The projects description and manual can be found here.
USB Ninja
USB Ninja is a more expensive variant of BadUSB. It features different modules lika a bluetooth expansion and can also be built into normal keyboards. An overview is available here.
Bash Bunny
Bash Bunny is something like Rubber Duckys big brother. Its more expensive but also offers more tools like nmap, responder, impacket and metasploit, additional to the known Ducky Script. It's a small Linux machine on a USB drive mimicking multiple trusted devices. A full description can be found here.
Standard Hardware
An emerging trend is to not use special hardware, but to built in keystroke injection hardware/software in common peripheral devices. Imagine a standard HP office mouse, nobody would expect any threat from it. Examples and manuals can be found online also.
Possible Protections
Text here
https://opensource.googleblog.com/2020/03/usb-keystroke-injection-protection.html
Duckhunt - Windows Defender
https://medium.com/@maarten.goet/defending-against-weaponized-hardware-windows-defender-atp-microsoft-intune-to-the-rescue-80aba28067fe http://konukoii.com/blog/2016/10/26/duckhunting-stopping-automated-keystroke-injection-attacks/
References
- M. Tischer et al., "Users Really Do Plug in USB Drives They Find," 2016 IEEE Symposium on Security and Privacy (SP), San Jose, CA, 2016, pp. 306-319, doi: 10.1109/SP.2016.26.
- https://www.electronics-lab.com/project/pocketadmin-keystroke-injection-device/
- https://usbninja.com/
- https://shop.hak5.org/