The components of a HID attack
Abstract
In the first article of this series, we introduced hotplug attacks. Here we go into more detail and make a few considerations on how these attacks should be mounted.
A few considerations on how the attack should be done
Consider that a successful (and lucky) hotplug attack would accomplish the intrusion, or at least a large part of it. The attack should be mounted like any other pentest probe: starting from the information-gathering phase, all the way up to the deployment of the sticks and the social-engineering effort that should eventually lead to someone plugging the dongle in.
Perhaps you have seen that episode of Mr. Robot in which such an attack is mounted - the key is left on purpose in the parking lot of the company that the main character wants to break into. The rest is all luck.
You have no certainty that a viable target will plug the dongle in - and actually, if the company has a decent security policy and the users are diligent, this kind of situation won't ever happen.
However, it's all about shooting fish in a barrel - chances are that sooner or later there will be a (l)user doing what you hope for. Or you can trick the secretary, or anyone else, into it.
Human engineering is more an art than a science, and we have heard of dozens of ways to mount such an attack. Just go for the most credible one.
The components
Hey, here we talk about real components. I read somewhere that hardware is what you can kick and software is what you can curse. We'll curse and kick things around - but that's what we like.
Shortly put, there are only four components to this kind of attack:
The human factor: we have already spoken about this element, but just a note: be a bit of a psychologist. Try to see what your targets' exposures are. If your target happens to be a guy who asks you to download a few Nintendo games for his kids, then do that, and store them on your evil USB key. I think it's pretty clear what I mean: play dirty, play rough. Fuck rules.
The human factor is important, but not that important. If you find an unattended device, just try and plug the stick in. Chances are that someone will log into the device and your payload will get executed.
Shortly put, be creative. I am not a good "human engineer", but this is quite a cheap skill nowadays.
(Your) hardware: millions of different options. Flipper Zero, Bash Bunny, Rubber Ducky, your own (we'll buy one, fear not!). Not a lot to say here. In principle, it'd be nice to also have a USB-C device - at the moment, the nearest thing is the Flipper Zero.
(Their) hardware: not a lot you can do here, apart from good reconnaissance.
The payloads: we'll be back on this shortly, for they are the most important element of the whole attack. Payloads are the code that is executed (or, more precisely, the keystrokes that are injected) on the target system.
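Since the payload side of the attack boils down to a device that enumerates as a keyboard and types faster than any human, the defender's counterpart is worth seeing. The following is an added example written for this article's readers, not code from the original post or from any of the products named above. It assumes the host exposes, per attached USB device, the interface class codes (USB-IF class 0x03 is HID, 0x08 is mass storage) and per-device keystroke timestamps; the event data below is constructed, and the 30 ms "faster than human" threshold is an assumption a deployment would tune.

```python
"""Added defender-side example: flag USB devices that enumerate as a keyboard
unexpectedly, and keystroke bursts faster than a human could type.
All sample data here is constructed, not captured from a real host."""
from statistics import median

HID = 0x03            # USB-IF interface class code for Human Interface Device
MASS_STORAGE = 0x08   # USB-IF interface class code for mass storage
HUMAN_MIN_INTERVAL = 0.03   # assumption: sustained <30 ms between keys is not human typing

# Constructed attach events: device path, interface classes seen, seconds since boot.
ATTACH_EVENTS = [
    {"dev": "1-1.2", "classes": [MASS_STORAGE], "t": 100.0},       # ordinary thumb drive
    {"dev": "1-1.3", "classes": [HID, MASS_STORAGE], "t": 250.0},  # storage that also types
    {"dev": "1-1.4", "classes": [HID], "t": 300.0},                # keyboard hotplugged at runtime
]

# Constructed keystroke timestamps per device (seconds).
KEYSTROKES = {
    "1-1.4": [300.5 + i * 0.004 for i in range(40)],  # 4 ms apart: an injected burst
    "1-1.1": [10.0, 10.18, 10.35, 10.6, 10.72],       # human cadence on the built-in keyboard
}


def suspicious_attach(event):
    """Return the reasons an attach event deserves a second look (empty if none)."""
    reasons = []
    if HID in event["classes"] and MASS_STORAGE in event["classes"]:
        reasons.append("storage device also presents a keyboard interface")
    elif HID in event["classes"]:
        reasons.append("new keyboard enumerated at runtime")
    return reasons


def injected_burst(timestamps, min_interval=HUMAN_MIN_INTERVAL, min_keys=20):
    """True when a long enough run of keys has a median gap below the human threshold."""
    if len(timestamps) < min_keys:
        return False
    gaps = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    return median(gaps) < min_interval


def triage(events=ATTACH_EVENTS, keystrokes=KEYSTROKES):
    """Map each flagged device path to the list of reasons it was flagged."""
    findings = {}
    for ev in events:
        reasons = suspicious_attach(ev)
        if injected_burst(keystrokes.get(ev["dev"], [])):
            reasons.append("keystroke burst faster than human cadence")
        if reasons:
            findings[ev["dev"]] = reasons
    return findings


if __name__ == "__main__":
    for dev, reasons in triage().items():
        print(dev, "->", "; ".join(reasons))
```

The two checks are deliberately independent: a composite storage-plus-keyboard device is worth an alert even before it types anything, while the cadence check catches a bare HID dongle that looks like any other keyboard. In practice the class codes come from the host's USB enumeration (for instance a udev event on Linux) and a policy tool such as USBGuard can block unknown HID devices outright; this snippet only shows the decision logic.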
Now, all the components should be reasonably clear, and so should the concept of a hotplug attack.
The next step is understanding how to build a payload.
Written by Gabriele Biondo
Math guy who's into cryptography, into iOS/macOS development, and obviously into hacking/pentesting. Writing stuff in C/C++/Objective-C/Swift/Python/Assembly.