New and improved Beamgun now defends against USB network adapters and mass storage!
Over the past few months, security researchers like Rob Fuller andSamy Kamkar have been exploring vulnerabilities associated with the implicit trust Windows gives to USB network adapters. Wielding devices like the USB Armory, the LAN Turtle, and even the $5 Raspberry Pi Zero, Rob and Samy have demonstrated how simply inserting one of these rogue USB devices into a Windows machine–whether it’s locked or not–can affect serious compromise of logged in users, including:
- storing HTTP cookies and sessions,
- persistence to an attacker as an internal router,
- gives persistent HTTP cache poisoning,
- forcing the user to make HTTP requests and proxy back responses
Aside from logging out of a computer each time you step away or epoxy-gluing your USB ports shut, there aren’t very many good options for mitigating against this kind of attack.
Last month I released Beamgun, an open-source Windows application that mitigates against another kind of rogue USB device, the USB Rubber Ducky. In principle, both of these devices rely on the implicit trust Windows gives to physical machine access. With the Ducky, Windows gives full trust to a newly-inserted USB keyboard. The Ducky then blasts the target computer with a rapid volley of pre-programmed keystrokes (you can imagine how bad that is). Windows administrators are not able to disable USB devices without physically disabling ports (note that you are able to disable USB mass storage–more on that later).
I replaced the Win32-API-based RegisterDeviceNotification
approach with Windows Management
Instrumentation approach. We first construct a WqlEventQuery
:
varkeyboardQuery=newWqlEventQuery("__InstanceCreationEvent",newTimeSpan(0,0,1),"TargetInstance isa \"Win32_Keyboard\"");
and then we pass this query to a ManagementEventWatcher
:
_watcher=newManagementEventWatcher(keyboardQuery);
This new _watcher
has an EventArrived
event handler where we can register arbitrary callbacks. A major improvement to the WMI approach is that we only get callbacks for keyboards rather than all USB devices!
The upshot of this is that there are far fewer false-positives. Before, Beamgun would alert on any USB device,
now it’s just keyboards.
Registering for new network adapters (as in ALL network adapters, not just USB!) is as simple as changing theWQL to our new target:
varnetworkQuery=newWqlEventQuery("__InstanceCreationEvent",newTimeSpan(0,0,1),"TargetInstance isa \"Win32_NetworkAdapter\"");
The new challenger here is that just locking the workstation is no longer a sufficient mitigation. With rogue keyboard devices, locking the workstation blocks the attack (unless the attacker knows your password). PoisonTap is a particularly nasty attack because it can work even when your computer is locked.
Fortunately, we can disable the new network adapter immediately upon receiving notification via WMI:
_watcher.EventArrived+=(caller,args)=>{varobj=(ManagementBaseObject)args.NewEvent["TargetInstance"];varquery=$"SELECT * FROM Win32_NetworkAdapter WHERE DeviceID = \"{obj["DeviceID"]}\"";varsearcher=newManagementObjectSearcher(query);foreach(variteminsearcher.Get()){varmanagementObject=(ManagementObject)item;try{vardisableCode=(uint)managementObject.InvokeMethod("Disable",null);// ...return;}catch(ManagementExceptione){// ...}}};
So again, while we cannot tell Windows to block these new devices explicitly, we can listen for the new devices with callbacks and take action when they are detected.
Things can get particularly crappy for the target when an attacker adds storage into the mix.Darren Kitchen recently demonstrated some methods for slurping files directly off a target with the USB Rubber Ducky. This kind of attack completely bypasses any kind of firewall/perimeter monitoring that may be in place. All of the document stealing happens right on the spot.
Supposing that Beamgun’s workstation lock was evaded somehow, there’s an added layer of protection we can add basically for free. The one USB policy that Windows does support is to disable USB Mass Storage devices with the following registry key:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\usbstor\\Start
If it’s set to three, USB is enabled–four, and it’s disabled. You can even set it with group policy. Since it’s just tweaking a registry entry, I’ve added it to Beamgun as an option. Hey–it’s the one rogue-USB-device-mitigation that Windows actually ships with, so why not use it?
Beamgun can now check to see if new versions have been released by periodically polling
https://s3.amazonaws.com/net.lospi.beamgun/version.json
If it finds it’s out of date, it will write a friendly message into the log. If you don’t want this, just set this registry entry to “False”:
HKEY_CURRENT_USER\\SOFTWARE\\Beamgun\\CheckForUpdates
You can get links to install beamgun, clone the repo, etc. at https://github.com/JLospinoso/beamgun.
Please post any issues or bugs you find!