Monday, 26 September 2011

PHUKDs - An Oldie but a Goodie!

A topic I’ve wanted to blog about for a while is the use of PHUKDs as an attack vector in Penetration testing. Firstly, I’d like to discuss the background of how these devices work and why they have come into being.

A PHUKD is a USB device, which is configured in such a way that it is presented to the victim machine as a USB Keyboard/mouse. The reason this has been developed is so that even when the autorun.inf and U3s are disabled on a machine, malicious inputs can be delivered to the victim quickly, accurately and in an automated fashion. Therefore, the key benefits of these devices as delivery systems are that it cannot be blocked by U3 and autorun process blocking and keystrokes can be precompiled and run quickly on the target machine.

The key benefits to a pen tester:

  • Extremely fast keystrokes, without errors. This is important when physical access time to the target is limited.
  • Works even if U3 autorun is turned off.
  • Draws less attention than sitting down in front of the terminal would. The target turns their head for a minute, the pen-tester plugs in the PHUKD.
  • The HID can also be set as a logic or time-bomb.
  • It is possible to embed a hub and a flash drive in your package so that you have storage and the programmable USB HID into a single package.
  • Embed your device in a USB toy or peripheral and give it to your target as a 'gift'. Packaging that looks like a normal thumb drive is also an option.
  • After your Trojan USB device is in place, program it to "wake up", mount on-board storage, run a program that fakes an error to cover what it is doing (fake BSOD for example).
I still think that these are completely relevant devices and really effective if you can penetrate the boarders of an organisation on a test.

A detailed guide on creating PHUKDs is available on the link provided above to irongeek’s blog post and a really interesting video from an old DefCON talk is included below. It’s also worth noting that it’s possible to integrate this attack using Metasploit. The full details of their Teensy USB HID Attack Vector are available here.

No comments:

Post a Comment