BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keystrokes into plaintext protocols
- 1. Ducky-in-the-Middle Injecting keystrokes into plaintext protocols Esteban Rodriguez https://www.n00py.io
- 2. Who Am I • Penetration tester at Coalfire Labs • Part-time blogger and security researcher • Previous experience
- 3. Background • Title is a reference to the USB Rubber Ducky • This talk is about exploiting applications that: • send keystrokes within the protocol • are not encrypted • Research began from curiosity
- 4. Ducky Video
- 5. Analyzing Protocols • You don’t need much to do this, really! • Wireshark by itself is often enough • Wireshark is a protocol analyzer • Deep inspection of hundreds of different protocols • Live and offline analysis • Runs on Linux /Windows / MacOS • Powerful filtering • Totally free
- 7. TCP Session hijacking • Taking over an existing TCP connection • You must know the TCP sequence number • You can guess the right number • Read up on the “Mitnick Attack” • You can sniff the number from a connection • Requires Man-In-The-Middle • Can be done easily with ARP spoofing
- 8. TCP Session hijacking • This attack has been around for a long time • Old tools like “Shijack” and “Hunt” can accomplish this • This attack can be stopped by proper use of crypto • Encrypting the communication channel • Message Digest / Hashing
- 9. Hunt Demo
- 10. Last Word on TCP Hijacking • TCP Hijacking is cool, but often not necessary • Typically easier to sniff out credentials and start a new session • Easy to accidentally break the original connection between the host and the server • Not as easy to pull off on more complicated protocols
- 11. Virtual Network Computing • VNC has been around for a while • Used to remotely control another computer • uses the RFB protocol, which is not encrypted • VNC authentication uses DES • DES is extremely weak • passwords are often truncated to 8 characters
- 12. VNC Password Files • These are usually stored in the registry or in an .ini file • They are encrypted with DES • This doesn't even matter because VNC uses the same static key to encrypt all passwords • The key is in the source code, effectively public • {23,82,107,6,35,78,88,7}
- 14. Keystroke Monitoring • Keystrokes are easy to sniff out in Wireshark • VNCKeylogger • Python script for sniffing keystrokes out of a pcap • https://jon.oberheide.org/files/vnclogger.py • PHoss can sniff out the handshakes • http://www.phenoelit.org/phoss/
- 15. VNC Cracking • The handshake can be easily cracked • It’s DES, usually 8 character password maximum • Really old tools can do this quickly • VNCrack - self explanatory • http://www.phenoelit.org/vncrack/ • Cain and Abel can sniff as well as crack • http://www.oxid.it/ca_um/topics/sniffer.htm
- 16. Injecting Keystrokes • Once you crack the handshake you have the password • You can connect like normal person… • or you can start spraying keystrokes! • Metasploit • VNC Keyboard Remote Code Execution
- 17. Metasploit Video MITM not required
- 18. HippoRemote • Turns your iPhone into a wireless keyboard and mouse • Works with Windows, Mac, Linux • Password manager 😬 • Was pretty popular, but no no longer being actively maintained
- 20. HippoRemote protocol • Windows version has a VNC client that is basically UltraVNC • Linux version you use your own VNC client • OSX/MacOS version uses it’s own app called HippoConnect • We will move from VNC and focus on HippoConnect
- 21. Password Storage • The app has some issues with password storage • Uses LaunchDaemons and LaunchAgents to start the server on logon • The password is stored in a .plist (Like XML) • Password is not encrypted • This file is word-readable • Program executes as root
- 22. Password Storage
- 23. HippoConnect Protocol • Very similar to VNC • Uses VNC authentication • Everything is sent as JSON • Keystrokes • Mouse movement • All the same flaws as VNC
- 24. TCP Stream • Server identifies itself and sends a challenge • Client sends response • Server acknowledges successful auth • Client sends keystrokes / mouse movement MITM Required
- 26. Cracking Handshakes MITM Required to sniff, but not crack
- 27. Injecting Keystrokes MITM not required
- 28. Injecting Keystrokes MITM not required
- 29. Bonjour • Easy to spot HippoConnect in a network • The client will use Bonjour to advertise itself
- 30. Mitigation • Don’t use VNC • If you do, tunnel it over a secure protocol such as SSH • Don’t use the HippoConnect MacOS app • When using HippoRemote, use MacOS ScreenSharing (Apple Remote Desktop) • Similar to VNC but encrypted
- 31. Synergy • Synergy is a mouse and keyboard sharing software • Cross platform • Two Versions: Basic and Pro • Pro uses SSL encryption, basic doesn’t • Synergy 2 now uses SSL for Basic and Pro • Released after my exploit tool, unknown if this research was motivator
- 32. Synergy 1 vs Synergy 2
- 33. Synergy
- 34. Monitoring Keystrokes • Just like the other protocols, keystroke monitoring is super easy • 9 lines of Python with Scapy MITM Required
- 35. Synergy Hijacking • Different attack path - instead of impersonating a client, we will impersonate a server • The server sends the keystroke data to the clients • Client connects to the server to receive commands • Client configures the server to use via IP address, hostname, or Auto-config (via Bonjour) • Autoconfig will connect to any available Synergy server
- 36. Hijack (autoConfig) Rogue* MITM not required
- 37. Hijacking with ARP Spoofing • Identify the IP address of any Synergy clients and servers via Bonjour • Assume the IP of the real Synergy server • ARP spoof the victim to make it think you now have that IP • The connection will break, and attempt to re-connect • The victim will accept commands from the fake server
- 38. Hijacking with ARP Spoofing Rogue*
- 39. Mitigation • Use Synergy Pro, Or Synergy 2 • These encrypt the commands with SSL • Must verify the server fingerprint before connecting
- 40. Conclusion • Encrypt all the things • Don’t be afraid to do your own research • Attack Tools • Dissonance - Rogue Synergy Server • https://github.com/n00py/Dissonance • AngryHippo - HippoRemote Hacking Toolset • https://github.com/n00py/AngryHippo • All tools are made with Python - if you don’t know how to script, you should learn https://www.n00py.io