
BumpKey: A Hardware Swiss Knife for Red Teamers

BSides Islamabad · 2020 · 29:14 · 110 views · Published 2020-12

Category: Technical
About this talk
Mauro Eldritch was a speaker at DEF CON (six times!), ROADSEC (LATAM's biggest security conference), DEVFEST Siberia, DragonJAR Colombia (the biggest Spanish-speaking conference in LATAM), P0SCON Iran, Texas Cyber Summit, GrayHat and EC-Council Hacker Halted, among other conferences. Luis Angel Ramírez Mendoza is a Colombian hardware hacker, member of BCA and DC5411. Bluetooth attacks, WiFi hacking, Metasploit and an integrated C2 server using SMS, all in one portable device? Yes, and with batteries included. In this talk we will present a hardware prototype for offensive security and red teaming: BumpKey. This device is capable of making its way into different environments without much difficulty, using all the tools and protocols at its disposal, as if it were a master key. A master key, inside a Swiss army knife. All aspects of the device will be explained, from its construction piece by piece to its use tool by tool. Ideal for those interested in hardware hacking, beginners, and experienced hackers. NOTE: I have a co-speaker, Luis Angel Ramírez Mendoza (larm182luis), but I can't add him in this form due to the lack of fields. Thank you.
Transcript [en]

[Music] [Applause] [Music] We are back from lunch, and the next speaker we have is Mauro Eldritch. He's a hacker, a speaker and a founder of BCA and DC5411, and he has a co-speaker as well, Luis Angel, and they are talking about BumpKey, a red team Swiss knife. So, over to them.

Thank you. Welcome to our talk, BumpKey: A Hardware Swiss Knife for Red Teamers, by Mauro Eldritch and Luis Ramírez from DC5411. Before we start I would like to give a brief introduction on this talk and introduce ourselves, the speakers. My name is Mauro Eldritch. I'm the founder of BCA and DC5411, Uruguayan-Argentinian. I spoke at many conferences around the world, including in the USA, Russia, Brazil, Colombia, Iran, India, the United Kingdom, Spain and Pakistan, among other places. Now my partner Luis Angel Ramírez is going to introduce himself.

Thank you, Mauro. Hi, my name is Luis Angel Ramírez Mendoza. I am from Colombia. I'm an electronic engineer working at Birmingham Cyber Arms, a member of DC5411. I have been a speaker at BSides Newcastle, Hakon India, BSides Islamabad Pakistan, DragonJAR Colombia, GrayHat USA and HoneyCON España.

So the point of this talk is to explain BadUSB attacks in a different way, stepping aside from the classical BadUSB stick approach. You know, the pen drive or USB stick that is classically used to depict this kind of attack. In this case we will explain this type of attack using one of our evil creations, a hardware framework for BadUSB+ attacks. Now you may say, what is BadUSB+? So we labeled this framework as BadUSB+ because, as I said before, we are trying to differentiate ourselves from the classical BadUSB sticks.

These attacks are started via BadUSB, via a USB connection, and are escalated or propagated via remote protocols such as Wi-Fi, Bluetooth or even GSM, this is phone calls, phone signal or SMS. As you may see in this picture, this will be the framework that we will be presenting today. It looks simple, or rather simple and small; well, you shouldn't take any chances with this, and we'll show you why during this talk. Now let's talk about the plan. How did we get here? Our plan was to create a device capable of acting like a persistent, remotely managed BadUSB. This will obviously render any BadUSB stick useless, because this device has to be persistent, has to be able to keep the gate open for ourselves, and should be able to be remotely managed. It should remain simple and small, and be able to be disguised as multiple domestic USB devices with ease, changing only its external cover or attaching it to a functioning host device. As you have seen in the picture before, this device was naked, it has no cover. This is intended, since we intend to camouflage it in various domestic devices, and we will speak about this particular point in a while. Also, this final product must be able to run a Metasploit payload, giving the attacker full access. This product must also alert the attacker on success. This product must be able to say, hey attacker, I'm already live, what should I do?, in a remote way. This plan wasn't reached as new changes were introduced, so this led to the creation of a framework rather than a one-use tool, with different access points and features inside this unique device. We will explain each one of them in detail. Now, the interesting part: my partner Luis is going to explain the blueprints. This is how to build this kind of machine, so you can let your imagination fly and try to make your own, or even improve this existing one. So now, Luis, please go ahead.

Thank you, Mauro. List of materials: Arduino Micro, SIM800L GSM module, HC-series Bluetooth module, ESP8266 Wi-Fi module,

lithium battery and SIM card, relay, PCB, [unclear]. Here we can see the PCB ready, finished and ready to use. On the left you can see the PCB along with the soldering; on the right side you can see the PCB finished. The PCBs are small and the device fits perfectly inside almost any kind of fake keyboard, modem, external drive, speaker, power bank. All components are cheap and easy to acquire. This device can be attached to domestic hardware, as Mauro said before; in that case it will add virtually no weight to the host hardware. Here we can see the diagram. This BadUSB suite allows us to send a payload to the computer after it is connected to the USB. This board has three activation methods, GSM, Wi-Fi, Bluetooth, plus a HID mouse and keyboard attack, and can be disguised in many domestic devices, as mentioned before.

This method generates a URL that is going to be used to attack the victim. The ESP8266 is used alongside the Arduino as a server to provide an access point. You can reach this URL via different methods or discover it using nmap. The SSID and the password can be hard coded to use a personal AP, a telephone or the attacker machine. As you can see, these methods even use the IP for our control, and the attack panel is hosted there.

Here we can see BumpKey with the GUI feature, a web interface for easier exploitation of the target. It is served by connecting to it on the Wi-Fi hotspot. This method can be activated via a call or an SMS, depending on how you want to proceed. Here the Arduino, with the GSM module, sends a text message to the attacker indicating that the device has been connected and is waiting to be activated. Now this device amplifies the attack surface distance.

Example of alert SMS received by the attacker: Tigo informs you that the user is now available. Device connected successfully.

As you can see here in the code, to activate the payload, which consists in invoking PowerShell and loading and activating a malware from a command and control server.

This configuration allows you to reset the payload without having to recompile or burn the Arduino again. Now all config [unclear]; it depends on what you want to do.

As you can see here, this is the mobile application, which you can use to pair your phone with the device to activate it.

We have two different modes. The one on the left side sends the payload loaded in the Arduino; the one on the right side uses a custom payload.

As I said, on-the-fly use of the payload: we don't have to burn the Arduino once again.

The payload can be as simple as that, from your phone, even used at once.

Summary: this is what we are able to do so far. Wi-Fi: access point and server, allows on-the-fly payload. Telephone call: hardcoded payload only. SMS: allows on-the-fly payloads. Bluetooth plus APK: allows on-the-fly payload. All of the above have multi-platform support.

Okay, thanks Luis. Now your package is ready, let's see a summary of everything that you can find out of the box upon unboxing this little device. First of all, I want you to see something that a lot of people ask, which is what is its real size. Its real size comparison with a laptop can be seen here. This device is intentionally small enough to fit inside almost any domestic hardware device with ease, or to be concealed with a fake cover to simulate being another item. Yet it is powerful enough to be afraid of, believe me. Let's see the next picture so you can get a better idea. This is a portable DVD player and recorder; on top of it you can find our BumpKey. As you may see, this is really small and really easily concealed inside almost any kind of domestic hardware, just let your imagination fly. As I said before, as you might have seen in our previous talks, and if you were unable to see them we invite you and encourage you to check them, we were able to weaponize a lot of domestic items such as power banks, USB speakers, keyboards and a bunch more. Some of them can be more complex than others, but definitely you can weaponize almost anything at hand. Some fun facts for weaponizing domestic hardware, which is one of our preferred topics at our DC. We have two fun facts here. First, our only limit is the available empty space that any device has inside, so keep it simple, stupid, or keep it minimally stupid. The more simple you keep it, the easier it will be to be concealed inside another device or to be faked into something else. And taking this previous point as a starting point, it is possible to weaponize any home device just with enough imagination. Again, let your imagination fly, and with a minimalistic view you can weaponize even the smallest and simplest device out there.

So, a summary: what can this little small evil thing do? It can act as a remotely activated BadUSB, as a HID, as a human interface device. It can use SMS, cellular network, Wi-Fi and Bluetooth for command and control. You can raise a web interface for ease of access via Wi-Fi. It can be controlled from an Android APK, uploaded to it via Bluetooth. You can run any bundled or hot custom payload. You can choose between Metasploit or Meterpreter compatible ones, or a custom payload, without having to burn the Arduino again. You can run it on the fly. And also this little bug can survive for long hours without power thanks to its battery. Now it's time to see one of the most interesting parts of this talk, the demonstration videos. I'm pretty sure that you will like them, and we'll explain all of the protocols that we use on this device. We'll use the classic Metasploit reverse shell TCP payload, so you can see this in a lab environment where the attack will always succeed. So I hope you enjoy it. Okay, first demo. Here we'll use the Bluetooth activation method. Pay attention, this is the victim machine with the BumpKey connected. We'll use our own APK, formerly known as Phalanx Dock; it was a leftover project.

So now we're connected via Bluetooth, and we're going to send a common payload, hello world, this time in Spanish, hola mundo. In this case this will raise a Notepad and write a specific message, nothing from another world, but in this case we can edit this payload in hot, so on the fly we can change the script nature and start typing, like if we were directly connecting a keyboard. In this case you don't have to burn the Arduino once again; we only use this on the fly. As you may see, we're changing the payload, we use it on the fly, in hot, and this is the final result. You can manipulate BumpKey as if it were a Bluetooth keyboard without too much effort.

This poses a greater danger, since you don't have to tailor a specific exploit and study your target and hope that your exploit will be effective. You can do trial and error directly, again on the fly. Imagine the possibilities that you may have by not having to try and burn over and over your script or your payload on the Arduino. Now we'll build a reverse TCP, a classic Metasploit payload.

Now it should start.

There will be obvious problems on the screen, but this can be automated in different ways too. Let's go to the next one. Here we'll show the Wi-Fi case, the Wi-Fi connection and obviously the web interface. As you may see, we have added a new laptop here, which will be the attacker running a Metasploit handler. We'll use nmap to search where exactly, on what address, our BumpKey is listening. Once you find that address, which BumpKey will probably mark with a specific banner, you will be greeted by the simple but totally minimalist and direct web interface. You can choose your platform, Windows or Linux, and launch your attack via Wi-Fi. How is this done? Well, you will be sending your payload to BumpKey via Wi-Fi, and it will act, via the Arduino, as a keyboard typing. That's it, simple, fast and pretty minimalist if you ask me. Now, using Wi-Fi doesn't, let's say, lock you into using only Wi-Fi. You can choose any method and change it over time; there's no need to do anything, you don't have to reboot, you don't have to change any configuration file, anything. If you try one method and it doesn't work, you can easily change to another one. So this is why we call it BumpKey: in the end you will end up opening that locked door, you only need to try and try and try, over and over.

For example, here Luis is sending the payload via the exploit, but you can also do it via point and click on the web interface. As you might see, the reverse handler has started and now will take over control of the infected machine. Obviously, this is a valid clarification: you won't use this device naked, you will obviously fit it into any kind of cover. Imagine the possibilities if you have a 3D printer, for instance, with which you can easily conceal this inside anything, really anything.

So okay, let's go to the last one and my personal favorite, GSM. We always, always, always add this kind of activation method in our devices, always. We really are fans of this little GSM chip, the SIM800L. This is simple: we connect it, and we say okay, we have to engage in communication with our BumpKey. You may ask how. Well, BumpKey will reach to us first and tell us, hey boss, I'm ready to do it, I'm ready to attack. Then once we get this message from BumpKey, we'll call him. You see, this is the message, and it will say the following: device is connected successfully. Now this means that the device is powered up and that we can call it. We'll call it, we'll wait for a couple of seconds, until we are left in the voicemail. Once we are left in the voicemail, this will trigger a specific piece of code that will check the number from which we are being called, from which the BumpKey is being called. If the number is the same as the one whitelisted, it will start a reverse shell. If something is messed up somehow, the phone is not ringing, the phone is not connecting, we can reach it via SMS. SMS, even if you have bad coverage but some signal, is pretty much able to get there and to help us on bringing back this previous shell. So you can rely on both methods: call, which is faster but sometimes may fail, or SMS, which sometimes may be slower but you can still combat certain bad circumstances like poor signal, as I said before.

Give it a couple of seconds. As you may see, there are lots of pieces and devices involved in this hack, but again, let your imagination fly. If you have a 3D printer now, what kind of cover would you prefer to print for this device? Think about it. I'm all in for small routers or hard drives or even power banks.

And this is the GSM method, my favorite one. Now I have a last video, a bonus track if we might say, of the on-the-fly method. A lot of people were curious about how we are using it. Well, we are using a really strange programming practice, and a polemic one, which is executing, obviously without sanitizing, in this case because you will be the trusted user, executing whatever the user types to BumpKey. This is the way we take care of on-the-fly exploiting, using the BumpKey APK, the one that I said before was formerly known as Phalanx Dock. You will have a really, really intuitive and straightforward interface. You will have a couple of buttons for Windows and for Linux, so you can miss the target: if one doesn't work, you can try with the other one. But you can even try your custom... your custom approach, and you will have a really high rate of success if you are connected. Okay, give it a couple of seconds, and done once again.

Now you may say something that could be pretty fair. You can say something like, okay Mauro, okay Luis, who's going to connect such a device via USB? That's a pretty good question, and I encourage you guys to check our previous talks on how we convinced people to connect our devices. We resort to all kinds of social engineering, like shipping keyboards with t-shirts and stickers, faking or pretending to be a manufacturer. We have even left abandoned boxes with apparently brand new items for people to pick up and connect at their homes or in their office. So again, you can only resort to letting your imagination fly on this. Okay, I hope you really enjoyed these videos as we enjoyed making them, but it's time to say goodbye, sadly. These are our conclusions, and we'll jump to questions and answers.
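The vector the whole talk relies on is a board that enumerates as a USB human interface device and types its payload, so the host-side check a defender wants is a policy on which HID-class devices get authorized at all. The following is an added defensive example, not code from the talk or the BumpKey project: a POSIX shell helper in the style of a udev hook that reads the stock Linux sysfs attributes (idVendor, idProduct, the per-interface bInterfaceClass, and the device's authorized flag) and refuses any keyboard-class device whose vendor:product pair is not on an allowlist. The allowlist ids and the device directories in the test are constructed samples.

```shell
#!/bin/sh
# Added defensive example (not from the talk): refuse to authorize unknown
# USB devices that expose a HID interface (bInterfaceClass 03), which is what
# a keystroke-injecting board must present to type into the host.
# Assumes the usual sysfs layout under /sys/bus/usb/devices/<dev>/.

# Allowlist of "vendor:product" ids that may act as keyboards or mice.
# Constructed sample values; replace with the ids of the hardware you issue.
HID_ALLOWLIST="${HID_ALLOWLIST:-046d:c31c 04d9:0169}"

# Return 0 if the device directory holds at least one HID-class interface.
usb_has_hid_interface() {
    dev="$1"
    for iface in "$dev"/*/bInterfaceClass; do
        [ -r "$iface" ] || continue          # unmatched glob or unreadable entry
        case "$(cat "$iface")" in
            03) return 0 ;;                  # 03 = HID per the USB class codes
        esac
    done
    return 1
}

# Return 0 if the device may be authorized, 1 if it must stay deauthorized.
# Non-HID devices (storage, audio, serial, ...) pass; HID devices pass only
# when their vendor:product pair is on the allowlist.
usb_hid_policy() {
    dev="$1"
    usb_has_hid_interface "$dev" || return 0
    vid="$(cat "$dev/idVendor" 2>/dev/null)"
    pid="$(cat "$dev/idProduct" 2>/dev/null)"
    for allowed in $HID_ALLOWLIST; do
        [ "$vid:$pid" = "$allowed" ] && return 0
    done
    return 1
}

# Kernel wiring: with authorized_default set to 0 on each root hub
# (/sys/bus/usb/devices/usbN/authorized_default), new devices stay disabled
# until something writes 1 to <dev>/authorized. Call this from a udev RUN
# rule on "add" events, e.g. usb_authorize_if_allowed /sys/bus/usb/devices/1-3
usb_authorize_if_allowed() {
    dev="$1"
    if usb_hid_policy "$dev"; then
        echo 1 > "$dev/authorized"
    else
        logger -t usb-hid-policy "refusing unknown HID-class device at $dev"
        return 1
    fi
}
```

A composite device that mixes a serial or storage interface with a hidden keyboard interface is still caught, because any HID interface on the device puts it through the allowlist check.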