USB Hacking [Tutorial]

By July 10, 2017Tutorial, USB

Introduction

Most common USB flash drives are exploitable due to the “BadUSB” vulnerability. This allows us hackers to reprogram the microcontroller in them to act as a human interface device (HID), e.g., a keyboard, and perform custom keystrokes on our target machine. This scenario is often called an “HID Payload Attack,” since you have to hand over your script to the Bad USB for the execution (more on that later). Even though almost every USB flash drive is exploitable, the only released reprogramming method is for “Phison” microcontrollers.

In this tutorial, we are going to determine the microcontroller of your USB flash drive, compile the source code published in GitHub for the tools we need, and move over to building a custom firmware with an embedded HID payload that will turn our harmless USB flash drive into a malicious keyboard designed to help us compromise our victim machine. The process is kind of like compiling and flashing ROMs to your Android device.

Requirements

  • We need to work on Windows.
  • Also, we need to have an USB 3.0 flash drive with a Phison 2303 (2251-03) microcontroller. You can find a list of known supported devices on GitHub. I will use an 8 GB Toshiba TransMemory-MX USB 3.0 drive in this tutorial.

Sometimes owning a confirmed device doesn’t mean the PS2251-03 is actually being used, as manufacturers seem to use different controllers even within same device models.

  • Make sure you can open the case of your USB device without damaging it. One of my friends had to literally saw up his USB device because he was too hasty. Please read the “Setting Our Device into “Boot Mode” Manually” section at the end of this article for help on opening it.

Please continue at your own risk; there is no guarantee that your device will work, even though there shouldn’t be any issues.

Determining the Microcontroller of Our USB Flash Drive

Before starting, we want to make sure our USB uses the supported controller. We can use a program called Flash Drive Information Extractor to gather the required information about our USB.

It doesn’t require any installation. Just open the tool and hit the “Get USB Flash Drive Information” button while you have your USB inserted into your PC. If your drive uses the Phison 2303 (2251-03) controller, the output should look similar to this:

However, if your USB device has a different one, it is most likely that you cannot reprogram it to an HID device with this exploit. Make sure to check the known supported devices in order to get one that will work.

Setting Up the Build-Environment

The developer of the code recommends us to use any version of Microsoft Visual Studio 2012 or higher to compile the tools and SDCC for building custom firmware. Visual Studio will probably take multiple hours to download and cannot be paused, so make sure you have enough time available. It also claims multiple gigabytes on your primary drive, about 10 GB on my SSD, which is annoying.

Downloading & Compiling the Source Code

In order to modify our supported USB drive, we need to build the tools which interact with it. The source code is published on GitHub by Adam Caudill. Actually, Visual Studio comes with an neat feature that lets us clone the whole repository. You can even interact with VS from the GitHub site:

 

After cloning and opening the repository. You are most likely to see three solutions.

  • DriveCom
  • EmbedPayload
  • Injector

We will need DriveCom and EmbedPayload only. If opened, you can compile with Ctrl + Shift + B or Menu bar – Build – Build Solution.

If you cannot clone the repository through Visual Studio, download the .zip file from GitHub and open the .sln files in each folder of the solutions. DriveCom and EmbedPayload should be in the …\Psychson\tools directory now: E:\Documents\Bad_USB\Psychson\tools.

Obtaining a Burner Image

A “burner image” is required for dumping and flashing firmware on your drive. These are typically named using the convention “BNxxVyyyz.BIN”. Burner images for Phison controllers can be found here. Even though the site is only available in Russian, you will find the download link if you scan the site for “BN03.” BN implies burner image, and 03 corresponds to PS2251-03. I extracted the files in E:\Documents\BadUSB\Burner_Image\.

Every burner image should do the job, but you can use the newest version which is indicated by the “Vyyy” part of the name.

Dowload Duck Encoder

The “Duck Encoder” is a Java-based cross-platform tool which converts scripts into HID payloads. It is based upon the Bad-USB called “Rubber Ducky” by Hak5. You can download it here. (Do not forget to install Java.) I saved it at E:\Documents\Bad_USB\DuckEncoder\.

Creating Custom Firmware

At this point, all our preparations are done and we can continue using the tools. In this step, we simply have to go to our …\Psychson\firmware\ directory and run build.bat. If everything goes right, you will see a new folder with many different files inside.

The fw.bin file is the file we will use in the following payload.

Writing a Script

You may ask yourself in which language we are going to write our script. Since the Duck Encoder is based upon “Rubber Ducky,” we will use “Duckyscript” as the language. The syntax is rather easy. More detailed instructions can be found here.

We will go ahead and create a .txt file in our preferred directory

(E:\Documents\Bad_USB\DuckEncoder\script.txt). I thought of showing you something more interesting than a “Hello World” script, so I made this one:

As you may suppose, the Bad USB will “press” Windows + R and cause windows to shut down immediately with this script. In addition, you can clearly see that I wrote “/” instead of “-“. That’s because our “keyboard” (Bad USB) has a U.S. layout and Windows is set to DEU in my country. Keep in mind that we have to change the Windows layout to U.S. and write the script the way we would do usually, or the way your victim’s PC would write it. Don’t be confused of the input.

You can even use custom scripts and do some reverse engineering here.

Converting It into an HID Payload

It is time to start using the Windows terminal – cmd.

java -jar “PATH to \duckencode.jar” -i “PATH to \script.txt”-o “\payload.bin Path”

Example:

java -jar E:\Documents\BadUSB\DuckEncoder\duckencode.jar -i E:\Documents\Bad_USB\DuckEncoder\script.txt -o E:\Documents\Bad_USB\DuckEncoder\inject.bin

We won’t get any output, but inject.bin should be created in E:\Documents\Bad_USB\DuckEncoder\, in my instance.

Embed the Payload in the Firmware

Now we need to use the tools we built with Visual Studio. Obviously, EmbedPayload is to embed payloads. We simply have to execute it in cmd:

“Path to EmbedPayload.exe” “PATH to payload” “PATH to the firmware we built”

For me, it is:

E:\Documents\BadUSB\Psychson\tools\EmbedPayload.exe E:\Documents\Bad_USB\DuckEncoder\inject.bin E:\Documents\Bad_USB\Psychson\firmware\bin\fw.bin

Note that fw.bin includes the payload now. You can also overwrite the firmware by executing build.bat again.

Dumping the Current Firmware of the USB Flash Drive

I strongly advise you to make a copy of the current firmware on your USB flash drive in case you want to restore it. For any action we want to take on our USB, we have to use DriveCom, which is in our “tools” folder.

“PATH to DriveCom.exe” /drive=”Drive Letter of our USB” /action=DumpFirmware /burner=”PATH to our burner image” /firmware=”PATH of the output.bin”

In my instance:

E:\Documents\Bad_USB\Psychson-master\tools\DriveCom.exe /drive=F /action=DumpFirmware /burner=E:\Documents\Bad_USB\Firmware\BN03V117M.BIN /firmware=E:\Documents\Bad_USB\originalfw.bin

Flashing Firmware

Finally, we can hand over the very malicious shut-down payload embedded into the firmware to our USB flash drive:

“PATH to DriveCom.exe” /drive=”Drive Letter” /action=SendFirmware /burner=”PATH to our burner image” /firmware=”PATH to the firmware”

In my instance:

E:\Documents\BadUSB\Psychson\tools\DriveCom.exe /drive=F /action=SendFirmware /burner=E:\Documents\Bad_USB\Firmware\BN03V117M.BIN /firmware=E:\Documents\Bad_USB\Psychson\firmware\bin\fw.bin

A successful output should look like this:

Notice that DriveCom is switching the mode of our USB to boot mode automatically to flash the firmware. Now that our USB flash drive has become a keyboard, we cannot switch modes any more with our tools, nor access to the memory, but that is a minor problem. In the next section, I will focus how to resolve this issue.

Setting Our Device into “Boot Mode” Manually

If you want to take further actions to your Bad USB, you will notice that neither DriveCom nor Windows nor any other operating system can access it, because it is a keyboard after all. We need to open the case of our USB drive and connect two pins of the micro controller while plugging the drive into our PC. Since the circle is on the top left corner of my controller (from this perspective), I have to connect the two pins of the left bottom side:

I usually use the edge of a USB connector to connect these two pins. In addition, a USB extension cable can be very useful in this scenario. It seems to be difficult, but you will get used to this. Use whatever you feel most comfortable with, without damaging your USB flash drive. If you do it correctly, the drive will show up in Windows again:

And we can modify our drive or flash the original firmware again. If not, your PC will shut down—try harder next time.

Notes

  • The Bad USB may not work on every Windows PC, including mine, since it may be incompetent at loading drivers.
  • Keep in mind that you won’t be able to access the memory while your USB drive is faking an HID device.

Final Thoughts

The Bad USB is a very powerful tool if you have access to your victim’s PC, even though Windows can be crap at loading the USB drivers. In addition, it avoids AV detection since it is a keyboard rather than a virus.

If you’re considering to do a simple pretext to insert our USB into one PC at the company of your choice, please note to have a real USB flash drive for the case that you will most likely get caught, so you can escape easily.

Join the discussion One Comment

Leave a Reply