Difference between revisions of "Exploiting the USB Ninja BLE Connection"
| Line 108: | Line 108: | ||
|- | |- | ||
|} | |} | ||
===== [1] [Device Name] [RW] handle: 0x0002, char properties: 0x0a, char value handle: 0x0003, uuid: 00002a00-0000-1000-8000-00805f9b34fb ===== | |||
char-read-hnd 3 | |||
Characteristic value/descriptor: 55 53 42 4e 69 6e 6a 61 2b | |||
55 53 42 4e 69 6e 6a 61 2b hex = USBNinja+ ASCII | |||
char-write-req 3 4861636b6564 | |||
Characteristic value was written successfully | |||
char-read-hnd 3 | |||
Characteristic value/descriptor: 48 61 63 6b 65 64 | |||
== Used Hardware == | == Used Hardware == | ||
Revision as of 15:04, 12 November 2020
Summary
This documentation is a summary how I exploited the USB Ninja BLE Connection, so that it is able to Control the Bad USB cable with a raspberry pi an a simple python script that is linked in the sources.
Used Hardware and Software
- The USB Ninja Pro-kit with Remote control
- Containing 3 Bad USB cables (only one is needed).
- Remote Control
- Hacking Hardware
- Hacking Software
- Hcitool (Linux preinstalled)
- Gatttool (Linux preinstalled)
- Ubertooth Tools (Too install them read: Bluetooth Sniffing with Ubertooth: A Step-by-step guide)
USB Ninja Pro-kit
The USB Ninja is a Rubberducky in a USB cable that comes in the flavours USB to USB micro, USB to USB-C and USB to Lightning. The bad USB cable can be programmed with two payloads. The payloads are developed under the usage of the Arduino IDE with the USBNinja libraries. During the attack phase its possible to start triggered payloads can be either by plugging the bad USB cable in or with the magnet or via the BLE 4.0 Remote. The trigger modes get defined by the way the c code is programmed.
The Remote itself has a leaver to turn it on and off and the button A and button B, which activate their corresponding payload. There is also a USB micro input to charge the Remote or to edit the shared secret.
The website states that the remote automatically connects to the bad USB cable if the defined passwords are the same. Where the Remote need a driver and a program to set the password, it can be directly done in the source code of the payload of the bad USB cable.
Sadly the developers require that the user uses Windows based Operating systems because its only possible to update the password of the Remote with a windows program that can be downloaded on the manufacturers website in the help tab. Furthermore, this software gets treated as malicious software form Windows because it doesn't have a manufacturer certificate. So the users have to click threw the warning from windows defender to change the password. I personally would much more like to see a simple shell script for Linux and a batch script for Windows to do the job.
Anyway, the standard password is 8.8.8.8 and as long as the user uses only one Remote at the same time it doesn't really matter. Enough background knowledge let's get to the pen testing.
Reverse Engeneering The Remote
Step one: Standard BLE Actions
As I started to test the USBNinja in a normal fashion, I got curios, how much information I can gather by using the standard the programmes that come with Linux. I shut down the Remote, so the bad USB Cable BLE Module can be found by devices. Then I run the hcitool lescan command that is used by the usual Linux BLE discovery function.
sudo hcitool lescan
LE Scan ... E1:F1:22:F6:28:B5 (unknown) E1:F1:22:F6:28:B5 Ninja XX:XX:XX:XX:XX:XX XX:XX:XX:XX:XX:XX (unknown)
The Raspberry instantly found the BLE signal of the bad USB cable and i might be lucky to gather informaten with the gatttool. As I connected via the gatttool tho the USB cable it closed the connection after two seconds due to invalid file descriptor in the glib. This error makes the Interactive mode useless.
gatttool -I
[ ][LE]> connect E1:F1:22:F6:28:B5 Attempting to connect to E1:F1:22:F6:28:B5 Connection successful [E1:F1:22:F6:28:B5][LE]> (gatttool:32016): GLib-WARNING **: 13:54:39.135: Invalid file descriptor.
But the not interactive mode did succeed fast enough to work before the Error occurs. So I used the characteristics command form gatttool to list all discoverable characteristics of the device.
gatttool -b E1:F1:22:F6:28:B5 --characteristics handle = 0x0002, char properties = 0x0a, char value handle = 0x0003, uuid = 00002a00-0000-1000-8000-00805f9b34fb handle = 0x0004, char properties = 0x02, char value handle = 0x0005, uuid = 00002a01-0000-1000-8000-00805f9b34fb handle = 0x0006, char properties = 0x02, char value handle = 0x0007, uuid = 00002a04-0000-1000-8000-00805f9b34fb handle = 0x0008, char properties = 0x02, char value handle = 0x0009, uuid = 00002aa6-0000-1000-8000-00805f9b34fb handle = 0x000b, char properties = 0x20, char value handle = 0x000c, uuid = 00002a05-0000-1000-8000-00805f9b34fb handle = 0x000f, char properties = 0x02, char value handle = 0x0010, uuid = 00002a29-0000-1000-8000-00805f9b34fb handle = 0x0011, char properties = 0x02, char value handle = 0x0012, uuid = 00002a24-0000-1000-8000-00805f9b34fb handle = 0x0013, char properties = 0x02, char value handle = 0x0014, uuid = 00002a25-0000-1000-8000-00805f9b34fb handle = 0x0015, char properties = 0x02, char value handle = 0x0016, uuid = 00002a27-0000-1000-8000-00805f9b34fb handle = 0x0017, char properties = 0x02, char value handle = 0x0018, uuid = 00002a26-0000-1000-8000-00805f9b34fb handle = 0x0019, char properties = 0x02, char value handle = 0x001a, uuid = 00002a28-0000-1000-8000-00805f9b34fb handle = 0x001b, char properties = 0x02, char value handle = 0x001c, uuid = 00002a23-0000-1000-8000-00805f9b34fb handle = 0x001d, char properties = 0x02, char value handle = 0x001e, uuid = 00002a50-0000-1000-8000-00805f9b34fb handle = 0x0020, char properties = 0x10, char value handle = 0x0021, uuid = 0000fff1-0000-1000-8000-00805f9b34fb handle = 0x0024, char properties = 0x0e, char value handle = 0x0025, uuid = 0000fff2-0000-1000-8000-00805f9b34fb handle = 0x0027, char properties = 0x1c, char value handle = 0x0028, uuid = 0000fff3-0000-1000-8000-00805f9b34fb handle = 0x002c, char properties = 0x28, char value handle = 0x002d, uuid = 8ec90003-f315-4f60-9fb8-838830daea50
So the characteristics are not encrypted and can be read without the key. Furthermore the first 13 of are well-known GATT Services defined by the Bluetooth Special Interest group. These handles and their values are listed in the table below:
| Handle | Privileges | Characteristic | Value |
|---|---|---|---|
| 0x0003 | Read and Write | Device Name | USBNinja+ |
| 0x0005 | Read | Appearance | Appearance Unknown |
| 0x0007 | Read | Pheripheral preffered connection Parameters | 08 00 08 00 00 00 f4 01 |
| 0x0009 | Read | Central Address Resolution | 01 |
| 0x0010 | Read | Manufacturer Name String | Proxgrind |
| 0x0012 | Read | Model Number String | Ninja |
| 0x0014 | Read | Serial Number String | 20190912 |
| 0x0016 | Read | Hardware Revision String | V2.0 |
| 0x0018 | Read | Firmware Revision String | V1.0 |
| 0x001a | Read | Software Revision String | v5.0 |
| 0x001c | Read | System ID | 64 00 00 00 00 9e 00 00 |
| 0x001e | Read | PnP ID | 01 d2 00 10 08 01 00 |
[1] [Device Name] [RW] handle: 0x0002, char properties: 0x0a, char value handle: 0x0003, uuid: 00002a00-0000-1000-8000-00805f9b34fb
char-read-hnd 3 Characteristic value/descriptor: 55 53 42 4e 69 6e 6a 61 2b 55 53 42 4e 69 6e 6a 61 2b hex = USBNinja+ ASCII char-write-req 3 4861636b6564 Characteristic value was written successfully char-read-hnd 3 Characteristic value/descriptor: 48 61 63 6b 65 64
Used Hardware
Device to be used with this documentation Maybe another device to be used with this documentation
Courses
- A course where this documentation was used (2017, 2018)
- Another one (2018)
References
Category:Documentation[[]]