Author Topic: Teensy 3.2 + kautilya = Rubberducky clone  (Read 5322 times)

Offline outofstep

Teensy 3.2 + kautilya = Rubberducky clone
« on: December 30, 2015, 05:02:46 PM »
*** disclaimer - myself and ths are not responsible for use of this guide as it is intended for educational purposes!!! ***
This was tested on my own personal devices!!

This is something new i have been messing around with that i thought was fun and pretty simple to get started with. i have been wanting to get into more Arduino type stuff and got a Teensy 3.2 as a holiday gift. if you don't know about teensy, it's a tiny microcontroller that can be picked up fairly cheap and made into a rubber ducky like device. i set mine up on linux so that is what this guide will cover, but it is possible in windows as well, take note of the links provided for other OS instructions...

What you will need:


Teensy 3.2 - https://www.pjrc.com/store/teensy32.html   (the hardware)

Kautilya - https://github.com/samratashok/Kautilya  (Ruby-based Payload Generator)
   *Kautilya needs colored, highline and artii (and win32console on Windows) gems. Use bundle install! and obviously you need ruby installed...

Arduino 1.6.6 - https://www.arduino.cc/en/Main/OldSoftwareReleases#previous (converts the payload to hex so it runs on teensy)

Teensyduino - https://www.pjrc.com/teensy/td_download.html (arduino teensy plugin)

UDEV rules - http://www.pjrc.com/teensy/49-teensy.rules  (This is required to use Teensy as non root user.)

Now that you have what you will need, install it all in the listed order.
Once you're all installed, launch Kautilya by browsing to that dir, then type: sudo ruby kautilya.rb



Here you can pick your desired OS you are making the payload for, works for Windows, Linux, and Mac. In this walk-thru we will be making a payload for windows. so choose option 1. which takes us to the next screen.



Here you can choose which type of payload you would like to make, the list is fairly obvious. We will be doing info gathering here, so pick option 1. which takes us to the next screen where we choose what we want to gather.



We are going after login creds so choose option 6. Next you can pick how you want to receive the gathered info, i started with gmail. i made a new gmail account, you will need to go into the security settings and allow unsafe apps to access this account. Pick option 1 for gmail, it will then ask for your username/password for that account. once entered you will need to enter your teensy board version, since we are on teensy 3.2 choose the option for teensy 3, which is option 3. Then it will generate the payload and provide the path where it saved to (in the Kautilya sub folder called output). That is it for the payload, now to convert it for the teensy using Arduino, so fire up that application and open the .ino file you created and you will get something like this. (ignore the version on the header, i loaded it in 1.6.8 on accident, it will need to be in 1.6.6 for the teensy plugin)



Now we just need to set it up to write to the teensy chip. Click on Tools > Board and select your Teensy version, i used 3.2. Then go back to Tools and choose USB Type > mouse, keyboard, joystick, avoid the serial version as we are doing a usb attack. You can also set the clock speed if desired. Then you need to go back to Tools and choose keyboard type, i'm in the US so i picked us. I hear some keyboards may vary as keys can be different. i believe the author was working on a fix for this to be more universal, but until then trial and error till you get it right i guess lol. Then just hit the upload button, and the payload will begin to write to your device, it shouldn't take very long. Once done you are ready to test! you will plug it in to the pc you plan to pwn.



allow time for the device driver to load, then sit back and watch it work its magic.. i tested this on a win10 laptop, a DOS prompt comes up and you will see lots of stuff happening. what is nice is he used some of the peensy (offsec's payload generator) which will make it persistent, meaning if the attack is interrupted it can detect it and start over until it completes. eventually the user will be presented a login prompt, similar to an admin rights prompt for say a software update. once the user enters the login creds you will have an email waiting for you with them!



The author of Kautilya is working on an update that will allow multiple payloads to be combined if needed which will be awesome, until then, you might be able to combine the code on the arduino step to get the same results, i haven't attempted this yet, but surely possible. There are many other payload options such as keyloggers, backdoors, etc. you will have to play around with them as i haven't had a chance to dig that deep or lack the skills to properly use some of them. but that's it, hope it helps some of us get started in the world of teensy like me! There are other payload generators out there for teensy, such as peensy, usbdriveby, and i believe badusb can be applied as well. They seem to be sharing the work and making improvements back and forth to advance what can be achieved. So it is like a rubber ducky, but i think it has a little more freedom than ducky since you can have larger sized payloads. there are even add-ons using micro sd cards and dipswitches to take it even further like:

peensy
https://www.offensive-security.com/offsec/advanced-teensy-penetration-testing-payloads/
https://github.com/offensive-security/hid-backdoor-peensy

usbdriveby
https://www.youtube.com/watch?v=aSLEq7-hlmo
https://github.com/samyk/usbdriveby

i take no credit for this, as i am mostly just compiling the works of others, i just explained the process which i was able to do.

« Last Edit: December 31, 2015, 09:42:15 AM by outofstep »
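
From the defender's side, the sequence described in the post above (a new USB keyboard enumerates, then a command prompt opens shortly afterwards) is something endpoint telemetry can correlate. The following is an added example, not part of the original post or of Kautilya; the event format, host names and the 60-second window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized format
# (timestamp, host, event type, detail); not the output of any real tool.
SAMPLE_EVENTS = """\
2015-12-30T17:00:02 LAPTOP01 hid_keyboard_attached usb-port-3
2015-12-30T17:00:09 LAPTOP01 process_start cmd.exe
2015-12-30T17:04:40 LAPTOP01 process_start notepad.exe
2015-12-30T18:10:00 LAPTOP02 hid_keyboard_attached usb-port-1
2015-12-30T18:25:00 LAPTOP02 process_start powershell.exe
2015-12-30T19:00:00 LAPTOP03 process_start cmd.exe
"""

SHELLS = {"cmd.exe", "powershell.exe"}   # interpreters worth correlating
WINDOW = timedelta(seconds=60)           # assumed threshold; tune per site


def parse_events(text):
    """Turn each well-formed line into (time, host, kind, detail)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing
        ts, host, kind, detail = parts
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return sorted(events)


def find_suspect_shells(events, window=WINDOW):
    """Alert when a shell starts within `window` of a new keyboard on the same host."""
    last_attach = {}   # host -> (time, port) of the most recent keyboard attach
    alerts = []
    for ts, host, kind, detail in events:
        if kind == "hid_keyboard_attached":
            last_attach[host] = (ts, detail)
        elif kind == "process_start" and detail.lower() in SHELLS:
            attach = last_attach.get(host)
            if attach and ts - attach[0] <= window:
                alerts.append({"host": host, "shell": detail, "port": attach[1],
                               "delay_s": int((ts - attach[0]).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in find_suspect_shells(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Only the first host alerts: the second host's shell starts long after the keyboard was attached, and the third has no keyboard attach at all.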

Offline ch3rn0byl

Re: Teensy 3.2 + kautilya = Rubberducky clone
« Reply #1 on: December 30, 2015, 05:06:54 PM »
Nicely done, man :) I need to get one of these myself
The quieter you become, the more you are unlikely to sound stupid.

Offline outofstep

Re: Teensy 3.2 + kautilya = Rubberducky clone
« Reply #2 on: December 30, 2015, 05:20:22 PM »
yes please do, would love to share payloads and ideas! some of the options were over my head lol maybe like dropping a bot for botnet purposes, or gathering all the system creds as possible to dump. i think it can even pull code from github, and compile on the local machine too.

Offline 0E 800

Re: Teensy 3.2 + kautilya = Rubberducky clone
« Reply #3 on: December 30, 2015, 05:38:33 PM »
Nice tut!

I wonder if kautilya would work with the nethunters dirtyusb attack.

Gonna save up for a teensy.

+1
"He who passes not his days in the realm of dreams is the slave of the days."

Offline outofstep

Re: Teensy 3.2 + kautilya = Rubberducky clone
« Reply #4 on: December 30, 2015, 05:53:23 PM »
i still haven't gotten a nexus for nethunter, but i believe that is just a badusb variant if i'm not mistaken, how are those payloads done?

Offline H4v0K

Re: Teensy 3.2 + kautilya = Rubberducky clone
« Reply #5 on: December 31, 2015, 06:06:49 AM »
Sweet, thanks for putting up the tut, have a cookie :o

Offline zerocool

Re: Teensy 3.2 + kautilya = Rubberducky clone
« Reply #6 on: December 31, 2015, 07:13:58 AM »
nice job on the tutorial. So do you think the Teensy is better than the ducky?


Offline outofstep

Re: Teensy 3.2 + kautilya = Rubberducky clone
« Reply #7 on: December 31, 2015, 09:30:06 AM »
i haven't really messed with it enough to say, but straight out the gate, i'd say the ducky seemed faster, the scripting was simple and is a better usb stick as far as covert goes having a standard usb drive, while the teensy is smaller, and can prob deliver larger more complex payloads, will require a micro usb cable to plug in like a phone charger. i think you could get a small adapter to replace that cable. to me that's a pro and con, because say someone left their phone charging plugged into the pc, you could take their phone off the cable, plug on teensy and get the job done without even being seen directly on the system. Might be less suspicious than directly plugging into a usb port on the system itself. On the other hand you will need to bring your own cable or hope they have the right one. i also haven't added the microsd card and dip switch option, that could prob prove useful. so i'm torn to say which is better, honestly i think they would be equally valuable in your toolkit.
« Last Edit: December 31, 2015, 09:32:27 AM by outofstep »

Offline GalaxyNinja

Re: Teensy 3.2 + kautilya = Rubberducky clone
« Reply #8 on: December 31, 2015, 04:49:33 PM »
Great tut OOS! +1  :)
A computer is only as strong as its user! -R4v3n

Offline 3rd3y3

Re: Teensy 3.2 + kautilya = Rubberducky clone
« Reply #9 on: December 31, 2015, 09:57:04 PM »
it's cool what these little things can do 8)
wh1te tux with the hat to match.....