One of my favorite attack vectors is the USB drop. At RSM, our two go-to drops are the Rubber Ducky and backdoored executable files on a normal USB flash drive. We will typically load a Ducky with an Empire script which executes a PowerShell one-liner when plugged into a victim machine. The executable-loaded drives require the victim to mount and open the USB drive and then execute the file on their own. The trick in both cases is to get victims to pick up the drives and plug them into their computers.
In this post, I will cover a couple of technique I undertook on a recent engagement to make a convincing USB dead drop.
- Rubber Duckies and/or USB flash drive
- Powershell Empire
- Veil Evasion Framework
- Key Rings
- Pocket knife
Your resources can vary depending on your target (and what you happen to have on hand). A college campus could necessitate a different scenario than a hospital. For this exercise, we will be using PowerShell Empire and Veil-Evasion to generate our payloads. Everything else on our list is purely for cosmetic purposes, or more precisely, for disguising the drop and convincing someone to pick it up. Let’s do a brief overview of generating the payloads before we get into the actually disguise.
To setup a ducky we will need the duckencoder.jar and a ducky script from Empire. Setup your desired listener in Empire and then generate a ducky stager. After loading up Empire, execute the following commands (obviously substituting IP addresses and ports appropriately):
set Name test
set Lhost <Your_IP_Address>
set Lport 8080
set Listener test
set OutFile </Your/File/Destination>
Using the duckencoder.jar we will encode the ducky stager and rename it to inject.bin. The new inject.bin file will be put onto the ducky and assembled.
Next is Veil-Evasion which we will use to generate meterpreter executables to be disguised as normal files. I used the
python/meterpreter/rev_https payload, which will be compiled as an exe. This payload will allow you to get creative. Whose flashdrive is this? What kind of files are on it? Is it business related or private? Renaming the flashdrive to a company’s CEO and putting a word document about potential layoffs would raise curiosity in almost anyone.
Or perhaps a careless IT help desk tech dropped their work flashdrive, leaving behind sensitive information.
You can have even more fun by putting legitimate files on the drives, and then put malicious macros on them. Perhaps an Excel sheet with contact information on it. Maybe a good Samaritan will open to try and return the drive and by giving you a shell.
Let it Age
Ultimately, the drops need to look believable, and, if you’re dropping multiple drives within relatively close proximity to each other, they can’t just all look the same. All the equipment used is new, but we need to make look as if it has been in someone’s possession for some time, so get some wear on it. Everyone carries their USBs on key rings, in pockets, and in backpacks. Some of us carry them with our keys, some on a lanyard, or some just solo in our pockets. The point being that these should all vary in appearance.
Adding some wear and tear to the drives is fairly simple. Take them out the parking lot and rub them on the pavement, scratching up any metal and scuffing the plastic, essentially whatever you can think of to make them not look shiny and new. Once we have that sufficiently worn down, it’s time to add in some keys, lanyards, and/or other accessories. If they have end caps, feel free to lose those since everyone does.
Dressed to Pwn
The lanyard is an opportunity to really sell the drop, I was able to pick up a pack of 12 from Office Max. However think about your target and its geolocation. Get lanyards of major sports teams in the area or even universities. Not to sound like Bob Ross, but give them some personality. Look around your office or out in public and observe what people put on their keychains. Of course, vary which drives get lanyards and keys and which do not. Feel free to mix and match too! The last thing we want to have are identical USB drops at the target site.
With the lanyards, we will want to add some fraying to them as well. An easy way I found is to use the serrated edge of a pocket knife and to gently go down the lanyard. Do this several times until you get the desired amount of fray. I also took one lanyard and used my knife to cut it, then knotting it back. A wire cutter will also work if you want to cut through some of the layers of the lanyard without actually cutting all the way through. If you’re short on tools, a sidewalk curb will work just as well.
Cherry On Top
All that’s left now is to add some finishing touches to the drops. Having a key-tag on the key-ring gives you a little more creativity.Write on it and beat it up. In one particular case, I splashed coffee on the tag to stain it. You can even buy the shell of a garage door openers or car fob to add that for a little extra pizzazz. Once everything is ready and looks good, the USBs are ready to drop. Just sit back and wait for your shells to roll in!
Device drops can be an effective way to gain access to systems on a target network. However the first hurdle is getting someone to pick up the drop. Knowing your target and their surrounding area will aid you in disguising your USB drops to be more believable to the average user. Use your imagination and put yourself in the victim’s perspective: would you pick up this drive? Take your time and have fun with it!