The Penetration Testing team at OKIOK developed a habit of trying to hack each other’s computers. It all started as a joke when an intern forgot to lock his Windows session before going to the restroom. To teach the intern a lesson, I sent an email from his computer to pentest@okiok.com letting everybody know that he was going to pay for everybody’s beer next Friday.
After that, we started to look at different ways in which we could gain access to the other pentesters’ session or impersonate them to send out the “next round’s on me” email. These types of client-side attacks are a common theme in the different penetration testing engagements that we do, but clients usually tell us to stop as soon as we have evidence that we gained access to a desktop or laptop computer. Having this internal hacking competition pushed us to research and execute hacking scenarios from start to finish, with a very precise purpose: beer.
My latest target in the Hacking for Beer contest was Michael. For my attack, the plan was to wait until he logs on to his laptop and then use the Rubber Ducky to trigger the email that states that the beer is on him next Friday.
The Rubber Ducky is a device that disguises itself as a USB thumb stick but is a preprogrammed keyboard. The way it works is that you prepare a list of keystrokes in a text file, compile the text file into a binary format and put the binary file on a micro SD card that goes inside the Rubber Ducky.
When the Rubber Ducky is inserted in the victim’s computer, the operating system will detect a new keyboard and then the Rubber Ducky will send out the keystrokes it was preprogrammed to do. The main idea behind the Rubber Ducky is that if you find a computer with an unlocked session, you insert the Rubber Ducky which will then quickly trigger the execution of preprogrammed commands, such as to write a .vbs file to the disk and execute that file.
However, Michael knows better than to leave his Windows session unlocked while not at the computer. So, I programmed the Rubber Ducky to send a list of keys, wait 5 minutes, and then try again. The key list starts with an Escape key so that if the Windows session is locked, the keys are not typed in the password field. If the 5 minutes trigger occurs when Michael is logged in, the keys will copy an email template from a public share, open the template in Outlook and send out the email. So in theory, I could connect the Rubber Ducky to his laptop when he is away and just wait for him to log in and the Rubber Ducky to trigger the email.
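A defender's view of the retry behaviour described above, as an added example that is not part of the original post: it flags machine-speed keystroke bursts that recur on a fixed timer and always start with the same key. The `(timestamp, key)` event format, the thresholds and the sample data are assumptions constructed for illustration, standing in for whatever input telemetry an endpoint agent provides.

```python
from statistics import median

# Assumed thresholds; tune them against real telemetry.
MAX_GAP = 0.03    # seconds between keys; sustained typing this fast is not human
MIN_BURST = 8     # keys in a run before it counts as a burst
PERIOD_TOL = 2.0  # seconds of jitter allowed between repeats

def find_bursts(events):
    """Split sorted (timestamp, key) events into machine-speed runs of >= MIN_BURST keys."""
    bursts, run = [], []
    for ts, key in events:
        if run and ts - run[-1][0] > MAX_GAP:
            if len(run) >= MIN_BURST:
                bursts.append(run)
            run = []
        run.append((ts, key))
    if len(run) >= MIN_BURST:
        bursts.append(run)
    return bursts

def periodic_injection(events):
    """Return (first_key, period_seconds, repeats) if bursts recur on a timer, else None."""
    bursts = find_bursts(events)
    if len(bursts) < 3:
        return None
    starts = [b[0][0] for b in bursts]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    period = median(gaps)
    same_first = len({b[0][1] for b in bursts}) == 1
    if same_first and all(abs(g - period) <= PERIOD_TOL for g in gaps):
        return bursts[0][0][1], round(period), len(bursts)
    return None

def _burst(start, keys, step=0.005):
    """Constructed helper: keys emitted every `step` seconds from `start`."""
    return [(start + i * step, k) for i, k in enumerate(keys)]

# Constructed sample: an Escape-led burst every 300 s, with human typing in between.
PAYLOAD = ["ESC"] + ["x"] * 12
HUMAN = [(40.0 + i * 0.18, k) for i, k in enumerate("hello world")]
SAMPLE = sorted(_burst(10.0, PAYLOAD) + HUMAN
                + _burst(310.0, PAYLOAD) + _burst(610.0, PAYLOAD))

if __name__ == "__main__":
    print(periodic_injection(SAMPLE))
```
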
Before going any further, I have to tell you that Michael pays close attention to his desk and. If, for example, I were to change the position of his laptop screen by even a few degrees he would notice it and enter panic mode – he then basically checks every single device and cable to see if anything has been tampered with. He does not keep a lot of peripherals connected to his laptop either. As you can see from the photo below, all that he has connected is a blue USB smartcard, a rather old mouse and a network cable. His laptop has USB ports on the left and right side but none in the back. If I were to connect the Rubber Ducky directly to one of the USB ports, he would notice it right away and the attack would be over.
The solution that came to mind was to connect the mouse to a USB hub that I would hide behind his laptop and connect the USB hub to his laptop. But there’s a problem with that. It turns out the old mouse that Michael uses has a cable with a tint of grey that is different than regular cables. I didn’t want to take any chances with him noticing that the cable that came out of the mouse was different than the one that was connected to the computer. So, I cut the mouse cable in half: I attached another USB plug to the end connected to the mouse and I used the end with the connector to replace the connector on a USB extender.
So how did everything turn out? All I can tell you is that Michael is paying rounds this Friday.