You guys having a good day? All right, well, hopefully you're in the right place. You know, one of the things I do for a living is teach at a university, and whenever you go to school, on the first day the biggest question on everyone's mind is: did I go to the right classroom? Thankfully we have a nice big projector, so if you're not here to learn about endpoint security and USB impersonation, go somewhere else. Unless you're probably all really just here anyway because the other tracks you really wanted to go to were full, but that's okay, I can live with that.

All right, so let's get started. Just a little bit of a roadmap: why this talk, who is this handsome guy up here, a little bit of brief history of USB, how USB works (we'll talk about descriptors and endpoints), then we'll delve into mass storage devices and how they work, and then we'll talk about the good stuff: how do you bypass endpoint security anyway? We'll talk about some microcontrollers, devices that you can build for twenty bucks or less as advertised, and a little bit about some future directions you might take.

So why this talk anyway? Well, there are some organizations that are starting to use endpoint security programs in order to restrict portable media. They're tired of everybody just bringing in their stuff and sucking things off of their networks. You know what happens in the movies, right? Someone has stolen all the secrets onto a flash drive and surprisingly nobody notices until after they've left the building. Do you ever notice that? There's an alarm... oh wait, they just left, darn it. So a lot of software exists, it's starting to come onto the market, that does the equivalent of MAC filtering but for USB, and if you know anything about Wi-Fi you know MAC filtering doesn't work. So basically what do they do? They have software that says, are you on my good list, are you on my whitelist, by your vendor ID and product ID, and if you're not, well, guess what? I'll show you how you can build something for cheap that makes your device look like it's on that list. And why would you want to do that? Two reasons: you want to inject something, and you want to extract something.

So who is this handsome guy? I teach security at a small private university in Iowa. I like to hack hardware, I've been known to fly and build airplanes and do other fun stuff, and the last couple of years I've been known to play with USB devices.

All right, so USB. It's something that's been around for quite a while: in '96 they released the first spec, and then they quickly updated it a couple of years later. Back in the olden days they had 1.5 and 12 megabit speeds; 1.5 was called low speed and 12 was called full speed. Then in 2000 they came out with a new spec and added high speed, 480 megabits per second. Then they kind of took a break for a bit and came out with USB 3. We're starting to see some USB 3 devices now that are really getting out there, and they claim speeds of up to five gigabits per second. It's kind of like my cable modem internet: yeah, up to 15 megabits per second, so why is it I always get three?

So how does this stuff work anyway? Well, it's made to be very simple from a user standpoint. They have some nice idiot-proof hardware, it's a pretty simple four-wire protocol, and it's set up so that you cannot screw it up unless you try. If you're used to going old-school serial, you know that you can very easily hook something up wrong: oh, that's the wrong kind of RS-232 cable, or oh, it's got the 25-pin and I need the 9, or oh, it's not a null modem cable. They got rid of all that hassle. They also made it hot-pluggable, and they use differential voltages, which is good for noise and things like that on your lines, and you can have some fairly long USB cables, as much as 16 feet. There's some software involved: there's automatic configuration, and there are no jumpers or anything like that you need to use. There's a process called enumeration where the host basically goes to the device and says, tell me about yourself. And within the standard we have some standard classes for our devices: human interface devices, printers, audio devices, and then for today we want to talk about mass storage devices.

So how does this work? Well, it's a 12-step process. Now of course I have some friends in the media, and they tell me that all hackers are intimately familiar with 12-step programs. So here's what happens: you connect a device, the hub detects it, and the host, which is usually a PC, is informed there's a new device. Then it starts talking to it: what are your speeds, what are your capabilities? Then it resets it, gives it an address, etc., etc., etc.

So it all comes down to descriptors and endpoints. An endpoint is really a virtual wire, or a pipe if you will; it's a unidirectional virtual pipe. And by the way, endpoints have a direction, and the direction is measured relative to the host, so sometimes things might seem a little backwards when you're dealing with USB. You might think, but wait, I'm sending stuff out. No, you're sending stuff IN to the host. Fortunately a lot of the things like packet fragmentation, handshaking and all that is done in hardware; you can get specialized controller chips to do this. The address for each endpoint has a meaning: the high bit tells you whether it's IN or OUT. And there are various types of endpoints. Control endpoints are something that every device has to have; you can have bulk endpoints, which we'll talk about a bit today; interrupt endpoints; and also isochronous endpoints.

So, control endpoints. Most devices use these to communicate with the host, and every device has to have at least one. We call it endpoint 0, not endpoint 1, because we don't program in BASIC. The devices must respond to standard requests, and these standard requests are things like get/set your address, give me descriptors, change your power settings, and what's your status anyway. Some of you may have gotten status output from your badge. Has anybody, how many of you have hooked those up to USB yet? Really, that's all? Okay, just a little hint: they'll talk to you and tell you status. The devices can also respond to specific class requests for the class of device, and optionally vendor requests, so you could in theory have a very special driver for your kind of mass storage device. In practicality nobody does that, because nobody wants to rewrite the drivers.

There are three stages in a control endpoint transfer: a setup stage (let's talk), maybe a data stage depending on the kind of communication, and then a status stage. In the status stage you just send a zero-length packet back that says ACK, yeah, we're all good.

Interrupt and isochronous: I don't really want to talk about them, but just so you know what they are. Interrupt is for infrequent communications, things like a mouse, a keyboard, stuff like that. Isochronous is good for streaming media, etc.

Bulk endpoints, the good stuff. Bulk endpoints are used for mass storage devices. They don't have any guarantees on latency, but if the bus is idle, which it usually is, you get some pretty good performance. However, if there are other kinds of transports on your bus, bulk gets superseded by anything else. If you're doing full speed communications, you know, that whopping 12 megabits per second, you're allowed up to 64-byte packets; keep that number in mind for later, it'll be relevant. If you're doing high-speed transfers you can use 512-byte packets, and this is used pretty extensively in flash drives and also external hard drives. So the transactions consist of a token packet, then possibly some data, and then a handshake sent back at the end.

So what's a descriptor? Well, a descriptor describes things. They all have a standard format. The first byte says this is how big this descriptor is; in other words, hardware on the other side, this is when you should stop reading, this is when we're done. The second byte is what kind of descriptor this thing is anyway, and the rest of it is the actual descriptor. Some common types of descriptors: a device descriptor is what's gotten first, and it tells you basic stuff like, hey, how can I talk to this device, what are its power requirements, things like that. The configuration descriptor tells me how much power it needs, how many interfaces it has, how do I talk to it, etc. Then the interface descriptor goes on to further describe the device, then we have endpoint descriptors which tell us about each of the endpoints, and then string descriptors which just give us strings in Unicode.

So, the device descriptor. What does it send you? First thing it's going to send you is the length, then the descriptor type, in this case descriptor type 1. bcdUSB is going to be 200 hex, and then it's going to send you a couple of important pieces of information, namely the class, subclass and protocol. Now in the USB spec you can send zeros, which mean, oh well, I'm not going to tell you yet, I'll tell you in a later, lower-down descriptor. So I'm not going to tell you in the device descriptor; maybe I'll tell you in the configuration descriptor or the interface descriptor. And there are other things like packet sizes, and then we have a manufacturer ID and a product ID, and in some cases a serial number that has to be filled out.

The configuration descriptor is gotten next, and again it starts with the length and then the type; it's type 2, they're real creative, right, 1, 2, etc. It gives you some information, and the last bit that it gives you is the maximum power. Now if you're going to make a little device, say something kind of like this (a little preview), that is going to fake another device, obviously I have some electronics that are going to require a little bit of power of their own in addition to whatever my thumb drive takes. Some people might be tempted to just crank up that power. Don't do that. The problem is, if you crank up the power and your port cannot provide that much power, it won't enumerate your device. So usually a hundred milliamps is pretty safe, and it's probably enough anyway. Don't get lazy and get all gung-ho like, yeah, I think I need a lot of power, five watts of power here. No, don't do that. Just a little tip.

Then we get an interface descriptor, and again in the interface descriptor we can have the class, subclass and protocol. If we had zeros in the earlier descriptors then we eventually do have to say what kind of device this is. And then we have to describe our endpoints. In the case of a mass storage device, as I'll say in a little bit, you're going to have at least three endpoints: the control endpoint, bulk in and bulk out. Each of those endpoints has an address, and remember that the high-order bit tells you the direction, and then it has an attribute bit field as well, and the attribute bit field tells you things like, is this a bulk endpoint. Another thing you should keep in mind (you can get all this stuff from usb.org, etc.): a lot of these bits are reserved, and if they're not 0, things tend to crash on you. So just zero out stuff if it's not specified.

And then we have string descriptors. String descriptors give you Unicode text. Again, the first thing it's going to give you is the length, then the type, it's type 3, it's a string descriptor, and then it's going to give you a Unicode string, which for most of us here is pretty much ASCII text where every other byte is just 0. There is a special case, and the special case is string descriptor 0. String descriptor 0 says, what languages do you speak, please? And here is proof that the USA has fixed and improved the English language that we got from the British, because even devices you get from the UK report speaking US English, which is by the way hex code 409. Is that Formula 409? Hmm, cleaning up the language, I don't know.

So now that we've learned a little bit about general devices and such, without further delay let's talk a little bit about bulk-only mass storage devices. How does this stuff work? We're talking about flash drives primarily: what kind of hardware do they have, software, file systems, how do you talk to them, things like that. Here's a picture I shamelessly pulled off of Wikipedia of a flash drive, so you can see the different components: a big NAND flash chip, a little controller chip, etc. By the way, the little silver can, you probably know this from looking at your badges for the conference, is a crystal oscillator. But some of the newer drives, by the way, I have taken apart a few of these, and some of the new ones come in this big case. You have this big case, you're looking at it and thinking, okay, it probably looks like this inside; after all, Phil got this picture off of Wikipedia and it's never wrong. So sometimes you will actually pull one of these apart and you'll find out that it's a big empty case and they have one integrated circuit. It's really integrated: it's the little spacer in the USB connector, it's literally a chip that's got the four leads built onto it. Like, really, I had this thing that was a couple of inches long and there was absolutely nothing inside of it; it even had a little sliding case and everything. But just FYI, not so typically. These thumb drives use NAND flash storage. You get about 10,000 write cycles on these. If you're writing to them in particular, you don't get anywhere close to that 480 megabits per second; again, it's like the cable modem, "up to" this, but not even close.
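The descriptor walk described above, as an added C example that is not the talk's firmware or slides: it parses a device descriptor and a configuration descriptor set the way the host does (stepping by bLength, reading class/subclass/protocol, the endpoint address high bit, the bulk attribute and bMaxPower). The descriptor bytes, the VID/PID 0xABCD/0x0001 and the 100 mA power figure are constructed for the example; the mass storage class codes 0x08/0x06/0x50 are the USB spec values, which the talk does not list.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Descriptor type codes from USB 2.0 chapter 9. */
#define DT_DEVICE 1
#define DT_CONFIG 2
#define DT_INTERFACE 4
#define DT_ENDPOINT 5
/* Mass storage class codes (USB spec values): class 0x08, subclass 0x06 is the
   SCSI transparent command set, protocol 0x50 is bulk-only transport ("BBB"). */
#define CLASS_MSC       0x08
#define SUBCLASS_SCSI   0x06
#define PROTO_BULK_ONLY 0x50

struct usb_summary {
    uint16_t bcd_usb, vid, pid;
    uint8_t  dev_class, dev_subclass, dev_protocol, ep0_max_packet;
    unsigned max_power_ma;       /* bMaxPower is stored in 2 mA units */
    int      bulk_only_msc;      /* 1 if an interface says class 8 / 6 / 0x50 */
    uint8_t  bulk_in_addr, bulk_out_addr;
    uint16_t bulk_in_mps, bulk_out_mps;
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse the 18-byte device descriptor, the first thing the host fetches.
   Returns 0 on success, -1 if it is too short or not type 1. */
int parse_device_descriptor(const uint8_t *d, size_t len, struct usb_summary *s)
{
    if (len < 18 || d[0] < 18 || d[1] != DT_DEVICE) return -1;
    s->bcd_usb        = le16(d + 2);
    s->dev_class      = d[4];          /* 0 here: deferred to the interface */
    s->dev_subclass   = d[5];
    s->dev_protocol   = d[6];
    s->ep0_max_packet = d[7];
    s->vid            = le16(d + 8);   /* idVendor: what a VID/PID filter keys on */
    s->pid            = le16(d + 10);  /* idProduct */
    return 0;
}

/* Walk the configuration descriptor set, stepping by each bLength and refusing
   any length that would run past the buffer (the "things crash" case).
   Returns 0 on success, -1 on a malformed set. */
int walk_config_descriptors(const uint8_t *b, size_t len, struct usb_summary *s)
{
    size_t off = 0;
    if (len < 9 || b[1] != DT_CONFIG || le16(b + 2) > len) return -1;
    while (off + 2 <= len) {
        const uint8_t *d = b + off;
        uint8_t blen = d[0], type = d[1];
        if (blen < 2 || off + blen > len) return -1;
        if (type == DT_CONFIG && blen >= 9) {
            s->max_power_ma = d[8] * 2u;
        } else if (type == DT_INTERFACE && blen >= 9) {
            if (d[5] == CLASS_MSC && d[6] == SUBCLASS_SCSI && d[7] == PROTO_BULK_ONLY)
                s->bulk_only_msc = 1;
        } else if (type == DT_ENDPOINT && blen >= 7 && (d[3] & 0x03) == 0x02) {
            /* bmAttributes low bits 2 = bulk; address high bit set = IN (to host) */
            if (d[2] & 0x80) { s->bulk_in_addr  = d[2]; s->bulk_in_mps  = le16(d + 4); }
            else             { s->bulk_out_addr = d[2]; s->bulk_out_mps = le16(d + 4); }
        }
        off += blen;
    }
    return 0;
}

/* Constructed descriptors for a hypothetical bulk-only flash drive; the
   VID/PID 0xABCD/0x0001 is a made-up value, not a real vendor's. */
static const uint8_t DEV_DESC[18] = {
    0x12, DT_DEVICE, 0x00, 0x02,   /* bLength, type, bcdUSB 0x0200           */
    0x00, 0x00, 0x00, 0x40,        /* class/subclass/proto deferred, EP0 = 64 */
    0xCD, 0xAB, 0x01, 0x00,        /* idVendor 0xABCD, idProduct 0x0001 (LE)  */
    0x00, 0x01, 0x01, 0x02,        /* bcdDevice, iManufacturer, iProduct      */
    0x03, 0x01                     /* iSerialNumber, bNumConfigurations       */
};
static const uint8_t CFG_DESC[32] = {
    0x09, DT_CONFIG, 0x20, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32, /* bMaxPower 0x32 = 100 mA */
    0x09, DT_INTERFACE, 0x00, 0x00, 0x02, CLASS_MSC, SUBCLASS_SCSI, PROTO_BULK_ONLY, 0x00,
    0x07, DT_ENDPOINT, 0x81, 0x02, 0x40, 0x00, 0x00,  /* EP1 IN,  bulk, 64-byte packets */
    0x07, DT_ENDPOINT, 0x02, 0x02, 0x40, 0x00, 0x00   /* EP2 OUT, bulk, 64-byte packets */
};

int main(void)
{
    struct usb_summary s = {0};
    if (parse_device_descriptor(DEV_DESC, sizeof DEV_DESC, &s) != 0 ||
        walk_config_descriptors(CFG_DESC, sizeof CFG_DESC, &s) != 0)
        return 1;
    printf("VID:PID %04x:%04x, bulk-only MSC: %s, bMaxPower %u mA\n", s.vid, s.pid,
           s.bulk_only_msc ? "yes" : "no", s.max_power_ma);
    printf("bulk IN 0x%02x (%u bytes), bulk OUT 0x%02x (%u bytes)\n", s.bulk_in_addr,
           (unsigned)s.bulk_in_mps, s.bulk_out_addr, (unsigned)s.bulk_out_mps);
    return 0;
}
```

Everything the parser reports, the VID/PID included, comes from bytes the device itself supplies, which is the whole reason a VID/PID whitelist can be satisfied by a device that is not on it.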
You can only write to it in blocks. Typical block sizes are 512 bytes; you can have other, larger block sizes, although honestly I have a whole stack of these sitting on my desk at home and I haven't seen a single one of them with these large blocks. Maybe I just don't buy the right drives; maybe it's that I like the cheap ones. And you can have some forensic fun with those as well.

So how does this work? These flash drives present themselves as a SCSI device, so they really look like a SCSI hard drive to your computer, and then you typically have 512-byte sectors, and they use the SCSI command set. Most of these devices are pre-formatted as one partition... wait, we don't call them partitions for flash drives, we call them logical units, LUNs, logical unit numbers. By the way, here's a little tip: I have found that some versions of Windows do not see anything other than the first logical unit, so if you want to hide something on a thumb drive, put it on something other than the first partition and don't use a Windows-compatible file system. That'd be another good way. Sometimes the reported sizes don't match the actual sizes, and you can use that to hide some information. A few years ago there was a big batch of cheap Chinese thumb drives that went out in the market; I see some head shaking, did you buy one of those? What they did is over-advertise: they said, hey, this is a four gig drive, and it was really only two, and they figured by the time you filled it up past the two it would just start generating errors, and they'd be like, well, I'm long gone by then. It's like buying something in the flea market: oh, sorry, it wasn't a real Rolex. Other things to keep in mind: typically each 512-byte block needs 16 bytes for error correction, so if you wonder why the size is not exactly what it's reported to be, that's part of it. The software, usually implemented in a controller chip, has to detect communications, respond to requests, check for errors, manage power, things like that.

What kind of file systems can you put on these things? Well, it's a block device: whatever you want. Now most of the time they come pre-formatted as FAT or FAT32; for external hard drives I've seen those pre-formatted as NTFS. For a thumb drive, if you want to, you can put on the True Flash File System, the extreme flash file system, the Journaling Flash File System, or my personal favorite, Yet Another Flash File System, right? It's kind of like, yeah, again. If you want to potentially hide some information from Windows users, a higher-order LUN with a non-Windows, i.e. Linux-only, file system can work really well.

So how do you talk to this flash drive anyway? You have this bulk-only mass storage protocol, sometimes called BBB because it's all bulk, and unlike many devices, instead of using the control endpoints you use the bulk endpoints. There are three phases: a command block wrapper phase where you send a command block in a wrapper, a data transport phase depending on the command, and then a command status wrapper where you say, hey, did this succeed or not? Most of these drives use a reduced SCSI instruction set, and if you have to send or receive data you use a bulk endpoint for that. So what does this look like? Here's a little C structure for a command block wrapper. It starts with a signature, and the signature is real creative. Incidentally, kind of a funny story: I was reading a book on USB stuff a couple of years ago and they just had the signature in hex, here is this code, and I'm looking at it and they actually had it reversed, and I'm like, wow, that's just kind of obscure. Well, if you look at it, it spells "USBC" for USB command; it's not so obscure. Then there's a tag that associates the packets, it's like a sequence number for TCP/IP, and how long the transfer is going to be, and some flags, etc. And then finally the command block: you have 16 bytes in this wrapper, and real commands are going to use six to sixteen of those. So for example, if I wanted to format a unit, I'm going to have a command block that looks kind of like this. The first byte is always going to be a command code; again, what am I supposed to do? I have to know what the command is to know how much more I should really be looking at anyway. What's the logical unit number, etc., etc. Another example: if I want to do a read, there are different formats for read and write; this one's called READ(10), and it's based on how long the command block is. So what are some common SCSI commands? FORMAT UNIT is a good one because in one atomic operation you can just format the unit and erase it. INQUIRY (how's it going?), MODE SELECT, MODE SENSE, READ, READ FORMAT CAPACITY, READ CAPACITY, all those other things. The command status wrapper comes at the end: you send a command block, something happens, maybe some data is transferred, and at the end you get a command status wrapper, and it looks kind of like this, and again, real creative: "USBS" first, then status.

By the way, if you're cheap and you want to view all this lovely USB traffic and you have a Linux machine, if you don't know this, you can use usbmon. If you just do a modprobe usbmon and fire up Wireshark, guess what, all of a sudden you have a bunch of USB buses available for you to trace the stuff on. Comes in handy. Of course a hardware USB tracer would be nicer, but they're a little bit more expensive than free.

All right, enough of this background stuff, let's talk about the good stuff: how do I bypass the security anyway? Essentially what we're doing is impersonation, or social engineering, USB-style if you will. So if we know what an authorized VID/PID is, we can use that fact to mount a device and then inject some code or get some stuff off of our device. Also, the device that I designed optionally allows you to do some write blocking. We'll use some microcontrollers because they're fun and they're cheap.

So when you're going to use a microcontroller, you can look at the different possibilities and say, which one should I use? Well, AVR is pretty popular; it's used in the Arduino family, there's a lot of code out there. Unfortunately it doesn't do USB very well. Even the U series chips, yeah, you don't need the FTDI chip anymore, but they don't do mass storage; they will do HID stuff but they don't do the mass storage stuff. The same thing is true with the PIC family. A lot of people like them, I like them, they're fine, but just not good for this purpose. So the winner is neither of those. A couple of years ago FTDI, you know, the people that make those little USB interface chips, came up with a microcontroller of their own. Maybe they got tired of just making the interface chips. It's a little faster, 48 MHz, and unlike the Arduinos it has sort of a proper real-time operating system; it's got threads and semaphores and cool stuff like that, and more importantly, USB classes. So how does this work? These Vinculum II chips allow for two full-speed USB 2.0 interfaces, which can be host or slave interfaces. The chip also has a whopping 256K of flash memory, which if you don't do microcontrollers doesn't sound like a lot, and if you do, it does, 16K of RAM, and normal microcontroller kind of stuff. They have several development modules available, which is a good thing because they only provide their chips in surface-mount technology, so it can be a real pain in the butt for prototyping and things like that. They also have their yet another Arduino clone, the Vinco, which is sort of the Arduino format with that extra row of pins that you can use. So they come in the surface-mount packages. Here's a basic block diagram of the chip, which I'm sure you guys can't read anyway, but it's in the slides. It does have a fairly decent IDE; it's not Eclipse or anything like that, but it gets the job done. It has some debugging facilities and such, so it does work. And in there they have this nice ability where you can pull up the chip that you're going to target and you can point and click and say, this pin is going to do this and this pin is going to do that. And again, one other difference between the AVR series, say, and these FTDI chips is that in the AVRs, when you go from one size chip to the next, it changes the amount of RAM and flash, whereas here it's consistent. The only thing that changes if I go from a 32-pin to a 64-pin is the amount of I/O pins I have available to me, so that can be nice and useful: you can develop something and then scale it up and down as required.

Okay, so what does the small package look like? If I just want something tiny, I can get something that, I'm sure you guys can't see this so well, looks about like this. It's a little 32-pin development board, and I only have four pins to solder; I can sacrifice an old USB printer cable and solder it on there. And the disclaimer: only four pins to solder if you're not fond of things like LCD displays and blinky lights and stuff like that. If you want to add that stuff, then okay, maybe you'd have to solder a little bit more. If you're really not into soldering, you could use one of those Arduino clones like the Vinco board shown here. Now you don't have to solder on a cable because it's got a host and a slave port built into it. Again, same disclaimer.

So how does this microcontroller-based impersonator work anyway? What it does is it allows you to insert your flash drive, and it enumerates it, and then when you plug this device into the PC, the PC says, oh, I see there's a new device, let me enumerate it, and it tries to get an authorized VID/PID combination. If it's not successful it tries the next one. So there are two basic modes of operation in the device: you can either say, oh well, I know what the VID/PID is and I'll just set it, or you can try automatic mode. In automatic mode I have 500 of the most common VID/PID combinations and it will just scan through those.

So, high-level design: it's a multi-threaded app. You've got a thread that says, hey, let's talk to this thumb drive, another thread that talks to your computer, some management threads and things like that. Also there's a timer thread, and what the timer thread does is, if you're in automatic mode, whenever the PC asks for a device descriptor it says, oh, someone's trying to talk to me, and it starts a timer. If they stop talking to you after a second and don't ask for additional descriptors, it says, oh, someone's blocking, I'll go to the next one. That's how that works. And there's also a thread for reading the buttons as they come in.

So the main thread sits around and waits for packets to come in. If it's a whitelisted command it forwards it on: it forwards on things like command block wrappers, performs the data transport phase, does a little man-in-the-middle action, and does the CSW passing. If you're write blocking and there are non-whitelisted commands, it just says, hey, yeah, I got your command, and then it does any sort of data transport phase, and then it says, you're good, it worked. Now initially, in an early design of this, I actually returned an unsupported command status if you tried to do things like format my drive or write to it, and what I found is, strangely enough, Windows does not handle it correctly. So you tell Windows "unsupported command"; what do you think Windows does? Tries again, and again, and again, and it never gives up. It's really obnoxious. So the main loop sits around waiting for stuff, and then I have a bunch of handlers. This is just a quick example for the INQUIRY command: it gets a command block wrapper, allocates a little space, forwards it to the device, gets a response, sends it back, and waits for a command status wrapper and sends that back. It's not rocket science here. The timer thread, as I said, gets started and will wait for additional queries for descriptors, and it will get reset if the device actually got fully enumerated.
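The command block wrapper and command status wrapper described earlier, together with the write-blocking policy the main loop applies, as an added C example that is not the talk's firmware: it serializes and parses the 31-byte CBW and 13-byte CSW as they appear on the bulk endpoints, and decides per SCSI opcode whether a command is forwarded to the real drive or answered with a passing CSW without ever reaching it (the talk's observation that a FAILED status makes Windows retry forever is why the blocked answer is "passed"). The whitelist of read-only opcodes and the tag values are assumptions for the example; the opcode numbers are the SCSI spec values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CBW_SIGNATURE 0x43425355u  /* reads "USBC" on the wire, as the talk notes */
#define CSW_SIGNATURE 0x53425355u  /* "USBS" */
#define CBW_LEN 31
#define CSW_LEN 13
#define CBW_FLAG_DATA_IN 0x80      /* data phase moves device -> host */
#define CSW_PASSED 0x00
#define CSW_FAILED 0x01            /* the status that makes Windows retry forever */

/* SCSI opcodes mentioned in the talk (values from the SCSI command set). */
enum {
    SCSI_TEST_UNIT_READY = 0x00, SCSI_REQUEST_SENSE = 0x03, SCSI_FORMAT_UNIT = 0x04,
    SCSI_INQUIRY = 0x12, SCSI_MODE_SELECT_6 = 0x15, SCSI_MODE_SENSE_6 = 0x1A,
    SCSI_READ_FORMAT_CAPACITIES = 0x23, SCSI_READ_CAPACITY_10 = 0x25,
    SCSI_READ_10 = 0x28, SCSI_WRITE_10 = 0x2A
};

struct cbw {                      /* the C structure from the talk, in host order */
    uint32_t signature, tag, data_transfer_length;
    uint8_t  flags, lun, cb_length, cb[16];
};

static void put32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static uint32_t get32(const uint8_t *p)
{ return p[0] | (p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Serialize a READ(10) CBW. Wrapper fields are little-endian; LBA and block
   count inside the SCSI command block are big-endian. */
void build_cbw_read10(uint8_t out[CBW_LEN], uint32_t tag, uint8_t lun,
                      uint32_t lba, uint16_t blocks, uint32_t block_size)
{
    memset(out, 0, CBW_LEN);
    put32(out, CBW_SIGNATURE);
    put32(out + 4, tag);
    put32(out + 8, blocks * block_size);   /* dCBWDataTransferLength */
    out[12] = CBW_FLAG_DATA_IN;
    out[13] = lun & 0x0F;
    out[14] = 10;                          /* READ(10) is a 10-byte command block */
    out[15] = SCSI_READ_10;
    out[17] = lba >> 24; out[18] = lba >> 16; out[19] = lba >> 8; out[20] = lba;
    out[22] = blocks >> 8; out[23] = blocks;
}

/* Parse a CBW received on the bulk OUT endpoint. Returns 0 if well formed
   (31 bytes, right signature, 1..16 byte command block), else -1. */
int parse_cbw(const uint8_t *buf, size_t len, struct cbw *c)
{
    if (len != CBW_LEN || get32(buf) != CBW_SIGNATURE) return -1;
    c->signature = CBW_SIGNATURE;
    c->tag = get32(buf + 4);
    c->data_transfer_length = get32(buf + 8);
    c->flags = buf[12];
    c->lun = buf[13] & 0x0F;
    c->cb_length = buf[14] & 0x1F;
    if (c->cb_length < 1 || c->cb_length > 16) return -1;
    memcpy(c->cb, buf + 15, 16);
    return 0;
}

/* Build the CSW that ends the transaction; the tag must echo the CBW's tag. */
void build_csw(uint8_t out[CSW_LEN], uint32_t tag, uint32_t residue, uint8_t status)
{
    put32(out, CSW_SIGNATURE);
    put32(out + 4, tag);
    put32(out + 8, residue);
    out[12] = status;
}

enum action { ACT_FORWARD, ACT_FAKE_SUCCESS };

/* Write-blocking policy: whitelisted read-only commands go to the drive;
   with write blocking on, everything else is swallowed and answered PASSED. */
enum action policy_for(const struct cbw *c, int write_blocking)
{
    switch (c->cb[0]) {
    case SCSI_TEST_UNIT_READY: case SCSI_REQUEST_SENSE: case SCSI_INQUIRY:
    case SCSI_MODE_SENSE_6: case SCSI_READ_FORMAT_CAPACITIES:
    case SCSI_READ_CAPACITY_10: case SCSI_READ_10:
        return ACT_FORWARD;
    default:
        return write_blocking ? ACT_FAKE_SUCCESS : ACT_FORWARD;
    }
}

int main(void)
{
    uint8_t wire[CBW_LEN], csw[CSW_LEN];
    struct cbw c;
    build_cbw_read10(wire, 7, 0, 0x10, 8, 512);          /* 8 blocks from LBA 16 */
    if (parse_cbw(wire, sizeof wire, &c) == 0)
        printf("READ(10) tag %u, %u bytes IN -> %s\n", (unsigned)c.tag,
               (unsigned)c.data_transfer_length, policy_for(&c, 1) == ACT_FORWARD ? "forward" : "fake");
    wire[15] = SCSI_FORMAT_UNIT; wire[14] = 6; wire[12] = 0; put32(wire + 8, 0);
    if (parse_cbw(wire, sizeof wire, &c) == 0 && policy_for(&c, 1) == ACT_FAKE_SUCCESS) {
        build_csw(csw, c.tag, 0, CSW_PASSED);          /* never forwarded to the drive */
        printf("FORMAT UNIT -> fake, CSW status %u for tag %u\n", csw[12], (unsigned)get32(csw + 4));
    }
    return 0;
}
```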
By the way, I don't currently have this set up this way, but you could start to brute force the VID/PID if you got to the end of the list, and the source code's available if you want to do it. Other complications: Windows and Linux do treat these devices a little bit differently. One thing I found is that Linux sucks in a whole lot of information at the start, whereas Windows sucks in a lot less. It's one of the few cases where Windows sucks less.

So what did I do for my testing? Primarily I used udev rules. If you're not familiar with udev rules on Linux, they're a really powerful tool, and they're a little bit addictive, they're kind of fun to play with. What I did was set up some udev rules to say, here's my whitelist of mass storage devices, and if it's not on the list you can't mount it. My open source solution is a better value: it's equally ineffective, but at a better price. So why waste thousands of dollars when you can be just as insecure for free?

Okay, enough, it's demo time. Some of the gamers might get the reference there. Well, Evan, that was just for you. So here's one version of the device. I realize you can't see it so well, I'll hold it up here, but this is the slightly bigger device. The board on the right is just a programming board, and then I have an LCD display and I have the actual development board; in this case there's a thumb drive plugged into it. The pot you see there is just for adjusting the LCD, and then I have a red light and a green light for the write-blocking status. It comes on initially write blocking, so the green light should be on. The left mouse button can be used to toggle that status, and then the other buttons are used in order to set the VID and the PID.

By the way, is Javed here somewhere? Okay, this video is dedicated to Javed Malik. Javed made a comment recently about how there seem to be a lot of videos out there on the internet for hacking and security that are nothing but people typing and clicking with music, so I dedicate this actual silent video with no music to Javed. If it plays. If it doesn't play, I dedicate it to Microsoft. They worked great in the speaker room earlier. Wait, it was already there. Please stand by. If it helps, you can imagine old-time music. Let's see if we get lucky today. Of course, if they have USBDeview you can look in the registry to make the demo quicker; I did. So here you see the welcome screen, and then it gives you an opportunity to set it, or it goes into automatic. Notice that the green light's on. It did time out, by the way; it didn't instantly mount my drive. I should have said, insert Monty Python music here. Oh, I got lucky, this guy had a payroll file on his desktop.

All right, just a little food for thought: where could we go from here? Well, we could possibly speed it up. Again, if you look in the registry you can try to find an authorized VID/PID that was previously loaded. By the way, if you're not familiar with USBDeview, it's a nice little tool that tells you all kinds of useful information on previously attached USB devices, not just mass storage. We could use the larger device here to divine the VID/PID and then possibly pre-program a bunch of smaller devices if we're going to, like, en masse go and attempt to do something in, say, an organization where we knew what was authorized. Like everything else, you can thwart this device. It does only operate at full speed; if you were able to detect that, you could possibly say, oh, I know that somebody's doing something bad. And you could use proprietary drivers, but you don't really see a lot of that out there, and even if you did, that's security through obscurity, which we all know is no security at all. One other thing: remember, who remembers what's the maximum packet size for a full speed USB endpoint? 64 bytes. What is the default block size? 512. So what happens is it has to fragment and unfragment blocks, so that does give you a little bit of a performance penalty, unfortunately, but I don't know how you could do anything better other than find something that supports high speed.

Just a couple of references. These are on the conference DVD. You can go to my GitHub in a couple of days, since I kind of forgot to update it before I came out here, or you can feel free to email me. I'm also available on Twitter, just @ppolstra; it's not real creative, but people can find me. So thanks, guys.
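The two host-side tells the talk gives away, as an added C detection example that is not part of the talk or its device: automatic mode presents a different VID/PID about once a second until one gets past the filter, so one physical port showing several identities within a few seconds is suspicious; and the device is full speed only, so a whitelisted product that is known to use 512-byte bulk packets showing up with 64-byte packets is suspicious too. The log line format, the allowlist entries (0xABCD VIDs), the five-second window and the three-identity threshold are all constructed assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CYCLE_WINDOW_S 5.0   /* assumed: identities seen on one port within 5 s */
#define CYCLE_MIN_IDS  3     /* assumed: three distinct VID/PIDs in the window */
#define MAX_EVENTS     64

enum finding_kind { F_VIDPID_CYCLING = 1, F_SPEED_MISMATCH = 2 };

struct event   { double t; char port[16]; uint16_t vid, pid, mps; };
struct finding { enum finding_kind kind; char port[16]; uint16_t vid, pid; };

/* Allowlist with the bulk packet size each product is known to use.
   Constructed values; 0xABCD is not a real vendor ID. */
struct allowed { uint16_t vid, pid, expected_mps; };
static const struct allowed ALLOW[] = { {0xABCD, 0x0003, 512}, {0xABCD, 0x0009, 512} };

/* Parse one constructed log line such as
   "t=2.10 port=1-2 vid=abcd pid=0003 mps=64" (t in seconds, mps = bulk
   wMaxPacketSize). Returns 0 on success, -1 if the line does not match. */
int parse_event(const char *line, struct event *e)
{
    unsigned vid, pid, mps;
    if (sscanf(line, "t=%lf port=%15s vid=%x pid=%x mps=%u",
               &e->t, e->port, &vid, &pid, &mps) != 5) return -1;
    e->vid = (uint16_t)vid; e->pid = (uint16_t)pid; e->mps = (uint16_t)mps;
    return 0;
}

static const struct allowed *lookup(uint16_t vid, uint16_t pid)
{
    for (size_t i = 0; i < sizeof ALLOW / sizeof ALLOW[0]; i++)
        if (ALLOW[i].vid == vid && ALLOW[i].pid == pid) return &ALLOW[i];
    return NULL;
}

static void add_finding(struct finding *out, size_t *n, size_t cap,
                        enum finding_kind k, const struct event *e)
{
    if (*n >= cap) return;
    out[*n].kind = k; out[*n].vid = e->vid; out[*n].pid = e->pid;
    memcpy(out[*n].port, e->port, sizeof out[*n].port);
    (*n)++;
}

static int already_flagged(const struct finding *out, size_t n, const char *port)
{
    for (size_t i = 0; i < n; i++)
        if (out[i].kind == F_VIDPID_CYCLING && strcmp(out[i].port, port) == 0) return 1;
    return 0;
}

/* Run both checks over the log lines. Returns the number of findings written. */
size_t analyze_events(const char *const *lines, size_t nlines, struct finding *out, size_t cap)
{
    struct event ev[MAX_EVENTS];
    size_t n = 0, nf = 0;
    for (size_t i = 0; i < nlines && n < MAX_EVENTS; i++)
        if (parse_event(lines[i], &ev[n]) == 0) n++;

    for (size_t i = 0; i < n; i++) {
        /* Signal 2: whitelisted product enumerating with the wrong packet size. */
        const struct allowed *a = lookup(ev[i].vid, ev[i].pid);
        if (a && a->expected_mps != ev[i].mps)
            add_finding(out, &nf, cap, F_SPEED_MISMATCH, &ev[i]);

        /* Signal 1: distinct identities this port presented in the window ending at ev[i]. */
        uint32_t ids[MAX_EVENTS]; size_t distinct = 0;
        for (size_t j = 0; j <= i; j++) {
            if (strcmp(ev[j].port, ev[i].port) != 0 || ev[i].t - ev[j].t > CYCLE_WINDOW_S) continue;
            uint32_t id = (uint32_t)ev[j].vid << 16 | ev[j].pid;
            size_t k;
            for (k = 0; k < distinct && ids[k] != id; k++) ;
            if (k == distinct) ids[distinct++] = id;
        }
        if (distinct >= CYCLE_MIN_IDS && !already_flagged(out, nf, ev[i].port))
            add_finding(out, &nf, cap, F_VIDPID_CYCLING, &ev[i]);
    }
    return nf;
}

/* Constructed log: port 1-2 cycles through three identities in two seconds and
   lands on an allowlisted product at 64-byte packets; port 1-4 is the real thing. */
static const char *const LOG[] = {
    "t=0.00 port=1-2 vid=abcd pid=0001 mps=64",
    "t=1.05 port=1-2 vid=abcd pid=0002 mps=64",
    "t=2.10 port=1-2 vid=abcd pid=0003 mps=64",
    "t=60.0 port=1-4 vid=abcd pid=0003 mps=512",
};

int main(void)
{
    struct finding f[16];
    size_t n = analyze_events(LOG, sizeof LOG / sizeof LOG[0], f, 16);
    for (size_t i = 0; i < n; i++)
        printf("port %s: %s (last identity %04x:%04x)\n", f[i].port,
               f[i].kind == F_VIDPID_CYCLING ? "VID/PID cycling" : "speed mismatch", f[i].vid, f[i].pid);
    return 0;
}
```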