Key Stroke Injection

From Embedded Lab Vienna for IoT & Security

Summary

This document describes Keystroke Injection and its different use cases. It lists a selection of tools and ways to protect a system against such attacks.

Keystroke Injection describes the act of simulating keystrokes made by a real person. In fact, the keystrokes are generated by a script or other software, so wanted and unwanted input can be entered very fast. This works over the HID (human interface device) protocol, which every common keyboard uses, because computers trust human input in the form of keystrokes.

The actual danger of Keystroke Injection attacks, which are mostly carried out with rogue USB flash drives, is shown by the paper "Users Really Do Plug in USB Drives They Find", published by IEEE in May 2016. It shows that 45-98% of users plug in a USB flash drive they find, mostly with the intention of finding the drive's owner.

Usage

The ability to type over 9000 characters per minute opens up a few use cases, some ethically correct and some not. Besides the probably best-known use as an attack vector, the automation of tasks also benefits from this feature.

Automation

Even simple tasks like adding network shares or printers are much faster on the command line than in a GUI. These commands could also be typed manually, but the benefit kicks in with larger scripts that are executed automatically on individual computers.

Penetration Testing

Penetration Testing is more or less the same use case as Hacking, but with a different purpose. Instead of really attacking a system, you show and document open vulnerabilities.

Hacking

The most famous use case for Keystroke Injection is attacking systems over the command line. With the command line, all sorts of attacks are possible: from running a simple script, through downloading and running an exe file, up to opening a reverse shell, and many more. Attackers can simply collect valuable information or exploit the access. Plenty of examples can be found online.

Tools

There are a few different hardware tools, mostly disguised as simple USB flash drives, also called BadUSB. They are programmable in some way or can be loaded with a specific payload to execute.

Rubber Ducky

A well-known example is the USB Rubber Ducky. A detailed description is available in the Elvis Wiki: USB_Rubber_Ducky.

Pocket Admin

Pocket Admin is an open source variant of the Rubber Ducky that you build yourself. It states that it is cheaper and that it has extended functionality. The project's description and manual can be found here.

USB Ninja

USB Ninja is a more expensive variant of BadUSB. It features different modules, like a Bluetooth expansion, and can also be built into normal keyboards. An overview is available here.

Bash Bunny

Bash Bunny is something like the Rubber Ducky's big brother. It's more expensive but also offers more tools like nmap, responder, impacket and metasploit, in addition to the known Ducky Script. It's a small Linux machine on a USB drive mimicking multiple trusted devices. A full description can be found here.

Standard Hardware

Many sources on the internet show manipulated peripheral devices with built-in keystroke injection hardware/software.

Possible Protections


https://opensource.googleblog.com/2020/03/usb-keystroke-injection-protection.html

https://usbguard.github.io/

Duckhunt - Windows Defender

https://medium.com/@maarten.goet/defending-against-weaponized-hardware-windows-defender-atp-microsoft-intune-to-the-rescue-80aba28067fe

http://konukoii.com/blog/2016/10/26/duckhunting-stopping-automated-keystroke-injection-attacks/
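
An added example, not part of the original page and not code from the tools linked above: a timing check in Python that flags a device whose keystrokes arrive faster than a person types, using the 9000 characters per minute figure from the Usage section as reference. The thresholds, device names and event format are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Assumed thresholds for this example, not values from any of the linked tools.
MAX_GAP_MS = 20.0   # gaps shorter than this count as "faster than human"
MIN_KEYS = 8        # this many fast keystrokes in a row form a burst

def gap_ms(chars_per_minute):
    """Average time between keystrokes at a given typing rate."""
    return 60_000.0 / chars_per_minute

def find_bursts(ts, max_gap_ms=MAX_GAP_MS, min_keys=MIN_KEYS):
    """Return (first_index, last_index, chars_per_minute) for each fast run."""
    bursts, start = [], 0
    for i in range(1, len(ts) + 1):
        # A run ends at the last event or at the first human-scale pause.
        if i == len(ts) or ts[i] - ts[i - 1] >= max_gap_ms:
            if i - start >= min_keys:
                duration = max(ts[i - 1] - ts[start], 1)  # avoid dividing by 0
                rate = round((i - 1 - start) * 60_000 / duration)
                bursts.append((start, i - 1, rate))
            start = i
    return bursts

def detect(events):
    """Group (device, timestamp_ms) events per device; return devices with bursts."""
    per_device = defaultdict(list)
    for device, t in events:
        per_device[device].append(t)
    findings = {}
    for device, ts in per_device.items():
        bursts = find_bursts(sorted(ts))
        if bursts:
            findings[device] = bursts
    return findings

# Constructed sample: "kbd0" is a person typing (with one 15 ms key rollover),
# "usb3" sends 30 keys 7 ms apart, close to the 9000 chars/min rate above.
SAMPLE = [("kbd0", t) for t in (0, 180, 310, 520, 640, 655, 900, 1080, 1230)]
SAMPLE += [("usb3", 2000 + 7 * i) for i in range(30)]

if __name__ == "__main__":
    for device, bursts in detect(SAMPLE).items():
        for first, last, rate in bursts:
            print(f"{device}: keys {first}-{last} at ~{rate} chars/min")
```

Requiring several fast keystrokes in a row keeps a single short gap, such as two keys pressed almost together, from flagging a real keyboard.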

References