USB Attacks - Guidance Software

USB Attacks: Analysis and Methodology
5/24/2016
James Habben - Verizon RISK Team
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or
distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Agenda
1. Scenario
2. Types of Attacks
3. Demo of Attack
4. Analysis Steps
5. Tools
James Habben, Verizon RISK Team
Scenario
1. Receive USB drive, unexpected
2. USPS, no return shipping
3. Target high level employee
Types of Attacks
File-based attacks
• PDF Files
  • Allows JavaScript and ActionScript
  • Allows font manipulation
  • Allows writing to the file system
  • Allows pulling live data
  • Triggers such as: Open, Close, Focus, etc.
  • Exploits!
• XLS/X, DOC/X Files
  • Allows VBScript
  • Many of the same as PDF
• LNK Files
  • Easy to fake a real file
  • Stuxnet (Exploit!)
Types of Attacks
Physical Attacks
• USB Human Interface Device (HID)
  • Does not require admin
  • Full permissions of the logged-on user
  • Devices can be scripted
• USB CD-ROM
  • U3-like function
  • CD-ROM can autorun
Demo of Attack
Analysis Steps
1. Collect image
2. Collect volatile data
3. Analyze file contents
4. Analyze volatile data
5. Collect firmware
Analysis Steps: Collect image
1. Physical machine
2. Linux forensic boot CD
3. Hardware USB write-blocker
4. dd, dcfldd, linen, etc.
Analysis Steps: Collect volatile data
1. Physical machine
2. Windows OS
3. Software USB write-blocker
4. Small HDD, forensic wipe (0x00)
5. Collect image: HDD & RAM
6. Prep volatile collection tools & scripts
7. Start PowerShell diff-pnp-devices.ps1*
8. Insert USB, wait for a minute
9. Finish diff-pnp-devices.ps1
10. Finish volatile tools & scripts
11. Collect image: HDD & RAM
Analysis Steps: Analyze file contents
1. Automated AV scans
2. IOC searches
3. File-format-specific tools
Analysis Steps: Analyze volatile data
1. Compare disk images
2. Compare RAM images
3. Review new devices from PowerShell
4. Look for evil
Analysis Steps: Collect firmware
1. Only needed if the device has CD or HID
2. Identify controller chip
3. Acquire the correct tool to dump firmware
4. Reverse engineer firmware
Tools
PDF File Analysis
• Didier Stevens Suite
  http://blog.didierstevens.com/didier-stevens-suite
  • pdfid: quick triage with keyword search
  • pdf-parser: full format parsing of PDF structure
• PeePDF
  http://eternal-todo.com/tools/peepdf-pdf-analysis-tool
  • Full format parsing
  • Interactive shell
Tools
XLS/X, DOC/X File Analysis
• Decalage oletools
  https://bitbucket.org/decalage/oletools
  • olevba
    • Full parsing of document structure
    • Decode and decompress
    • Recognize malicious code and strings
• Didier Stevens Suite
  http://blog.didierstevens.com/didier-stevens-suite
  • oledump
    • Full parsing of document structure
    • Decode and decompress
    • Plugins to expand functionality
Tools
Diff-pnp-devices
• Collects device list before and after USB insert
• Performs diff to identify devices from USB
• Dumps full properties about devices
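The before/after device diff described above (and used in steps 6-10 of the volatile-data collection), written out as an added example; this is not the talk's diff-pnp-devices.ps1 script. It assumes the built-in PnpDevice module (Get-PnpDevice, Get-PnpDeviceProperty, Windows 8 / Server 2012 and later) and an output directory on the forensic workstation, not on the suspect device.

```powershell
# Added example, not the diff-pnp-devices.ps1 from the talk. Snapshot the PnP
# device list, wait for the USB insert, snapshot again, report what appeared,
# and dump the full property set of every new device for later review.
param(
    [string]$OutDir = "C:\evidence\pnp-diff",   # assumed evidence location
    [int]$WaitSeconds = 60                     # slide: "wait for a minute"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$fields = 'InstanceId', 'Class', 'FriendlyName', 'Status', 'Present'

# Snapshot 1: every device the OS knows about, present or not, keyed by
# InstanceId so a previously seen device is not mistaken for a new one.
$before = Get-PnpDevice | Select-Object $fields
$before | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'before.csv')

Write-Host "Insert the suspect USB device now; waiting $WaitSeconds seconds..."
Start-Sleep -Seconds $WaitSeconds

# Snapshot 2 after the insert.
$after = Get-PnpDevice | Select-Object $fields
$after | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'after.csv')

# Diff on InstanceId: anything only in the second snapshot came from the insert.
$newIds = Compare-Object -ReferenceObject $before -DifferenceObject $after -Property InstanceId |
          Where-Object SideIndicator -eq '=>' |
          ForEach-Object InstanceId
$new = $after | Where-Object { $newIds -contains $_.InstanceId }

# A device already known by InstanceId that flipped to Present, or changed
# Status, is reported separately so a re-enumerated device is not missed.
$changed = foreach ($dev in $after) {
    $old = $before | Where-Object InstanceId -eq $dev.InstanceId | Select-Object -First 1
    if ($old -and ($old.Present -ne $dev.Present -or $old.Status -ne $dev.Status)) { $dev }
}

# A storage-only stick should produce a USB parent plus disk/volume children;
# an HIDClass (keyboard) or CDROM child under a "flash drive" is the finding.
foreach ($dev in $new) {
    Write-Host ("NEW     {0,-12} {1}  [{2}]" -f $dev.Class, $dev.FriendlyName, $dev.InstanceId)
    $safeName = 'props-' + ($dev.InstanceId -replace '[\\&]', '_') + '.csv'
    Get-PnpDeviceProperty -InstanceId $dev.InstanceId |
        Select-Object KeyName, Type, Data |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir $safeName)
}
foreach ($dev in $changed) {
    Write-Host ("CHANGED {0,-12} {1}  Present={2} Status={3}" -f $dev.Class, $dev.FriendlyName, $dev.Present, $dev.Status)
}
```

Run it before the insert from an elevated PowerShell on the prepared analysis host; the before/after CSVs and the per-device property dumps are what the "Review new devices from PowerShell" step compares.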
Devices
Marketing USB devices
HID to open IE and type URL
Devices
USB Rubber Ducky
Programmable USB storage and HID
Devices
Any USB flash drive with a Phison controller
Firmware can be modified to use CD or HID
Thank You
James Habben | Investigator | Verizon Enterprise Solutions
james.habben@verizon.com