Difference between revisions of "Exploiting the USB Ninja BLE Connection"
Line 37: | Line 37: | ||
As I started to test the USBNinja in a normal fashion, I got curios, how much information I can gather by using the standard the programmes that come with Linux. I shut down the Remote, so the bad USB Cable BLE Module can be found by devices. Then I run the <code>hcitool lescan</code> command that is used by the usual Linux BLE discovery function. | As I started to test the USBNinja in a normal fashion, I got curios, how much information I can gather by using the standard the programmes that come with Linux. I shut down the Remote, so the bad USB Cable BLE Module can be found by devices. Then I run the <code>hcitool lescan</code> command that is used by the usual Linux BLE discovery function. | ||
sudo hcitool lescan | |||
LE Scan ... | |||
E1:F1:22:F6:28:B5 (unknown) | |||
E1:F1:22:F6:28:B5 Ninja | |||
XX:XX:XX:XX:XX:XX | |||
XX:XX:XX:XX:XX:XX (unknown) | |||
== Used Hardware == | == Used Hardware == |
Revision as of 14:02, 12 November 2020
Summary
This documentation is a summary how I exploited the USB Ninja BLE Connection, so that it is able to Control the Bad USB cable with a raspberry pi an a simple python script that is linked in the sources.
Used Hardware and Software
- The USB Ninja Pro-kit with Remote control
- Containing 3 Bad USB cables (only one is needed).
- Remote Control
- Hacking Hardware
- Hacking Software
- Hcitool (Linux preinstalled)
- Gatttool (Linux preinstalled)
- Ubertooth Tools (Too install them read: Bluetooth Sniffing with Ubertooth: A Step-by-step guide)
USB Ninja Pro-kit
The USB Ninja is a Rubberducky in a USB cable that comes in the flavours USB to USB micro, USB to USB-C and USB to Lightning. The bad USB cable can be programmed with two payloads. The payloads are developed under the usage of the Arduino IDE with the USBNinja libraries. During the attack phase its possible to start triggered payloads can be either by plugging the bad USB cable in or with the magnet or via the BLE 4.0 Remote. The trigger modes get defined by the way the c code is programmed.
The Remote itself has a leaver to turn it on and off and the button A and button B, which activate their corresponding payload. There is also a USB micro input to charge the Remote or to edit the shared secret.
The website states that the remote automatically connects to the bad USB cable if the defined passwords are the same. Where the Remote need a driver and a program to set the password, it can be directly done in the source code of the payload of the bad USB cable.
Sadly the developers require that the user uses Windows based Operating systems because its only possible to update the password of the Remote with a windows program that can be downloaded on the manufacturers website in the help tab. Furthermore, this software gets treated as malicious software form Windows because it doesn't have a manufacturer certificate. So the users have to click threw the warning from windows defender to change the password. I personally would much more like to see a simple shell script for Linux and a batch script for Windows to do the job.
Anyway, the standard password is 8.8.8.8
and as long as the user uses only one Remote at the same time it doesn't really matter. Enough background knowledge let's get to the pen testing.
Reverse Engeneering The Remote
Step one: Standard BLE Actions
As I started to test the USBNinja in a normal fashion, I got curios, how much information I can gather by using the standard the programmes that come with Linux. I shut down the Remote, so the bad USB Cable BLE Module can be found by devices. Then I run the hcitool lescan
command that is used by the usual Linux BLE discovery function.
sudo hcitool lescan LE Scan ... E1:F1:22:F6:28:B5 (unknown) E1:F1:22:F6:28:B5 Ninja XX:XX:XX:XX:XX:XX XX:XX:XX:XX:XX:XX (unknown)
Used Hardware
Device to be used with this documentation Maybe another device to be used with this documentation
Courses
- A course where this documentation was used (2017, 2018)
- Another one (2018)
References
Category:Documentation[[]]