Professional Documents
Culture Documents
E hi l HHacking
ki and
d
Countermeasures
V i 6
Version
Module XLI
Hacking USB Devices
News
Source: http://www.vnunet.com/
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Module Objective
• USB Devices
• USB attacks
• Viruses and worms
• USB Hacking Tools
• USB Security Tools
• Countermeasures
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Module Flow
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Introduction to USB Devices
A pen drive is a compact, removable storage device just like a floppy disk or a
CD
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
USB Attacks
k
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Electrical Attack
Changing
g g the ppassword value which is stored in an EEPROM
allows access to the device and extract all private information
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Software Attack
Attacker examines the communication channels between the USB device and
host computer
h
By sending
B di iincorrectt and
dkknown erroneous USB packets
k t tto th
the USB k
key, USB
may leak information such as the contents of protected memory areas
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
USB Attack on Windows
Attacker havingg idea about the vulnerabilityy in a USB device driver can p
program
g
one USB device, known as portable memory stick, to pose as the kind of device
that uses the vulnerable driver
Attacker then plugs the device into the host system and triggers the exploit
when the host system loads the flawed driver
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Viruses And Worms
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Virus: W32/Madang-Fam
W32/Madang-Fam is a family of viruses for the
Windows platform, which spreads via Removable
storage devices
W32/Hasnot-A will hide files and folders, appending the original file or folder
name to a copy of itself
File <Root>\autorun.inf is designed to start the worm once the drive is mounted
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
W32/Fujacks-AK
It also creates the file autorun.inf to insure that the file setup.exe is
executed
t d
It attempts
p to op
periodically
od y copy
opy itself to
o removable
o b d drives,,
including floppy drives and USB keys
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
W32/Fujacks-E
W3 / ujac s iss a p
W32/Fujacks-E prepending
epe d g vvirus
us and
a d worm
o with
t
backdoor functionality for the Windows platform
It spreads
d iin network
t k computers
t th
through
h available
il bl
network shares and removable storage devices with the
filenames GameSetup.exe and setup.exe
correspondingly
It adds its 66048 Bytes of code at the end of the original file,
so whenever the file is executed, the virus is also executed
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
W32/SillyFD-AA
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
W32/SillyFDC-BK
File <Root>\autorun.inf
\ is designed
g to run the worm when
the removable drive is connected to an uninfected computer
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
W32/LiarVB-A
Once iinstalled,
O t ll d W32/Li
W32/LiarVB-A
VB A spreads
d
through network shares and removable storage
devices, including floppy drives and USB keys
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
W32/Hairy-A
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
W32/QQRob-ADN
W /QQR b ADN is
W32/QQRob-ADN i a worm for
f the
th Wi
Windows
d platform
l tf
W32/QQRob-ADN
3 /QQ attempts
p to block access to security-related
y
sites by modifying the HOSTS file
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
W32/VBAut-B
W32/VBAut-B
W /VBA t B has
h ffunctionality
ti lit tto spread
d via
i removable
bl storage
t d
devices
i
and Instant Messaging protocols and to download, install, and run new
software
This worm attempts to copy itself with the filename boot.exe to the
available removable storage device creating Autorun.inf to ensure that
the
h copy off the
h worm iis executed
d once d
device
i iis accessed
d
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
HTTP W32.Drom
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Hacking Tools
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
USB Dumper
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
USB Switchblade
USB Switchblade is the outcome of community project to merge various tools and
techniques
tec ques that
t at take
ta e adva
advantage
tage of
o various
va ous Microsoft
c oso t Windows
W dows secu
security
ty
vulnerabilities, the majority of which are related to USB ports
P
Purpose off this
thi tool
t l iis tto:
• Silently recover information from Windows systems, such as password hashes, LSA
secrets, IP information, browser history, and auto fill information
• Create a backdoor to the target system for later access
If auto run or a U3
3 drive is not used,, the application
pp can still be started byy
executing a single script on the drive
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
USB Hacksaw
USB Hacksaw uses a modified version of USB Dumper that once installed on
a system will run a process in the background whenever that computer starts,
starts
waiting for a USB thumb drive to be installed
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
USB Security Tools
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
MyUSBonly
Stops files
St fil from
f walking
lki away on ththumb bd
drives,
i
mp3 players, flash cards, and portable USB hard
drives
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
MyUSBonly: Screenshot 2
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
USBDeview
USBDeview is a small utility that lists all USB devices that are
currently connected to your PC or have been connected to it in
the past
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
USBDeview: Screenshot 1
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
USBDeview: Screenshot 2
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
USBDeview: Screenshot 3
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
USB Blocker
Seamlesslyy integrates
g with Active Directoryy
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
USB Blocker: Screenshot
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
USB CopyNotify
USB CopyNotify
if is
i a software
f utility
ili that
h notifies
ifi when
h a USB Stick
i k iis
being used on any of the PCs on the network
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Remora USB File Guard
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Remora USB File Guard:
Screenshot 2
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Advanced USB Port Monitor
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Advanced USB Port Monitor:
Screenshot
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Folder Password Expert USB
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Folder Password Expert USB:
Screenshot
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
USBlyzer
USBlyzer can view detailed information about all USB devices and
their child components
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
USBlyzer: Screenshot
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
USB PC Lock Pro
It turns any USB Flash Drive into a key that prevents unauthorized
people from using computer
Features:
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Virus Chaser USB
Virus Chaser USB supports Anti-Virus Vaccine software based on USB Flash
Drive
It can scan, cure, delete, or monitor for virus infections of your computer
Features:
• Virus Scanning
• System Monitoring
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Countermeasures
Disable
i bl autorun
Disable USB ports and CD-ROM’s use on Windows using Group Policy
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Summary
Primary goal was to attempt to access private data, which is supposed to be protected by
legitimate user's PIN number or password without detection by the legitimate user
US Dumper
USB u pe iss aan app
application
cat o up tthat
at when
e installed
sta ed oon a syste
system will run
u a bac
background
g ou d
process that will copy files from any USB flash drive installed to it silently
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited