Difference between revisions of "Exploiting the USB Ninja BLE Connection"

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search
Line 32: Line 32:
Anyway, the standard password is <code>8.8.8.8</code> and as long as the user uses only one Remote at the same time it doesn't really matter. Enough background knowledge let's get to the pen testing.
Anyway, the standard password is <code>8.8.8.8</code> and as long as the user uses only one Remote at the same time it doesn't really matter. Enough background knowledge let's get to the pen testing.


=== Reverse Engeneering The Remote ===
== Reverse Engeneering The Remote ==


==== Step one: Standard BLE Actions ====
=== Step one: Standard BLE Actions ===


As I started to test the USBNinja in a normal fashion, I got curios, how much information I can gather by using the standard the programmes that come with Linux. I shut down the Remote, so the bad USB Cable BLE Module can be found by devices. Then I run the <code>hcitool lescan</code> command that is used by the usual Linux BLE discovery function.
As I started to test the USBNinja in a normal fashion, I got curios, how much information I can gather by using the standard the programmes that come with Linux. I shut down the Remote, so the bad USB Cable BLE Module can be found by devices. Then I run the <code>hcitool lescan</code> command that is used by the usual Linux BLE discovery function.

Revision as of 13:47, 12 November 2020

Summary

This documentation is a summary how I exploited the USB Ninja BLE Connection, so that it is able to Control the Bad USB cable with a raspberry pi an a simple python script that is linked in the sources.

Used Hardware and Software

  1. The USB Ninja Pro-kit with Remote control
    1. Containing 3 Bad USB cables (only one is needed).
    2. Remote Control
  1. Hacking Hardware
    1. Raspberry Pi 3, Model B+, WLAN, BT
    2. Ubertooth One, 2.4 GHz wireless development platform
  1. Hacking Software
    1. Hcitool (Linux preinstalled)
    2. Gatttool (Linux preinstalled)
    3. Ubertooth Tools (Too install them read: Bluetooth Sniffing with Ubertooth: A Step-by-step guide)

USB Ninja Pro-kit

USB Ninja

The USB Ninja is a Rubberducky in a USB cable that comes in the flavours USB to USB micro, USB to USB-C and USB to Lightning. The bad USB cable can be programmed with two payloads. The payloads are developed under the usage of the Arduino IDE with the USBNinja libraries. During the attack phase its possible to start triggered payloads can be either by plugging the bad USB cable in or with the magnet or via the BLE 4.0 Remote. The trigger modes get defined by the way the c code is programmed.

The Remote itself has a leaver to turn it on and off and the button A and button B, which activate their corresponding payload. There is also a USB micro input to charge the Remote or to edit the shared secret.

The website states that the remote automatically connects to the bad USB cable if the defined passwords are the same. Where the Remote need a driver and a program to set the password, it can be directly done in the source code of the payload of the bad USB cable.

Sadly the developers require that the user uses Windows based Operating systems because its only possible to update the password of the Remote with a windows program that can be downloaded on the manufacturers website in the help tab. Furthermore, this software gets treated as malicious software form Windows because it doesn't have a manufacturer certificate. So the users have to click threw the warning from windows defender to change the password. I personally would much more like to see a simple shell script for Linux and a batch script for Windows to do the job.

Anyway, the standard password is 8.8.8.8 and as long as the user uses only one Remote at the same time it doesn't really matter. Enough background knowledge let's get to the pen testing.

Reverse Engeneering The Remote

Step one: Standard BLE Actions

As I started to test the USBNinja in a normal fashion, I got curios, how much information I can gather by using the standard the programmes that come with Linux. I shut down the Remote, so the bad USB Cable BLE Module can be found by devices. Then I run the hcitool lescan command that is used by the usual Linux BLE discovery function.

Used Hardware

Device to be used with this documentation Maybe another device to be used with this documentation

Courses

References

Category:Documentation[[]]

Retrieved from "https://wiki.elvis.science/index.php?title=Exploiting_the_USB_Ninja_BLE_Connection&oldid=4784"