Ethical Hacking and Countermeasures v6
Exam 312-50 Certified Ethical Hacker
Module XLI: Hacking USB Devices
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

News

Source: http://www.vnunet.com/

A worm named SillyFD-AA installs itself onto computer systems, puts the message “Hacked by 1Byte” in Internet Explorer, and installs an autorun.inf file on removable devices such as USB drives and floppy diskettes. According to experts, this worm spreads through USB drives. It can act as a backdoor and may insert malicious code into the computer. Once an infected USB device is connected to a computer, the worm automatically installs and spreads further on its own.

Computer users should take care when plugging any unknown device into their PCs, as it may contain malicious code. Users are advised to turn off the autorun option in the Windows operating system so that this worm does not run automatically.
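The check below is an added example, not part of the course material: it lists the launch directives in a removable drive's autorun.inf and decodes whether the host's Autorun policy mask (the `NoDriveTypeAutoRun` registry value) covers removable drives. The function names, the sample file and the mask values passed in are constructed for illustration, and the exposure test is a simplified model of how Windows applies the policy.

```python
import re

# Bit for removable drives in the NoDriveTypeAutoRun policy mask; 0xFF covers all drive types.
REMOVABLE_BIT = 0x04

# [autorun] keys that make Explorer start a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

# Constructed sample file; the executable name is a placeholder.
SAMPLE = """\
; constructed sample
[AutoRun]
open=placeholder.exe
icon=folder.ico
shell\\explore\\command=placeholder.exe
label=Backup
"""

def launch_directives(text):
    """Return (key, command) pairs in the [autorun] section that start a program."""
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        key, sep, value = line.partition("=")
        if in_autorun and sep and LAUNCH_KEY.match(key.strip()):
            found.append((key.strip().lower(), value.strip()))
    return found

def autorun_disabled_for_removable(mask):
    """True when the policy mask turns Autorun off for removable drives."""
    return bool(mask & REMOVABLE_BIT)

def host_exposed(text, mask):
    """Simplified model: launch directives are present and the policy does not block them."""
    return bool(launch_directives(text)) and not autorun_disabled_for_removable(mask)

if __name__ == "__main__":
    for key, cmd in launch_directives(SAMPLE):
        print(f"launch directive: {key} -> {cmd}")
    print("exposed with mask 0x91:", host_exposed(SAMPLE, 0x91))
    print("exposed with mask 0xFF:", host_exposed(SAMPLE, 0xFF))
```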
Module Objective

This module will familiarize you with:

• USB Devices
• USB Attacks
• Viruses and Worms
• USB Hacking Tools
• USB Security Tools
• Countermeasures

Module Flow: USB Devices, USB Attacks, Viruses and Worms, USB Hacking Tools, USB Security Tools, Countermeasures

Introduction to USB Devices

• Universal Serial Bus (USB) is a serial bus standard to interface devices
• It is pluggable, allowing a device to be connected or removed while the computer is running
• A pen drive is a compact, removable storage device just like a floppy disk or a CD
• A pen drive can be plugged into the USB port

USB acts as an interface for add-on devices, allowing peripheral devices and the host to communicate. Because these devices are pluggable, they can be connected or disconnected while the system is running. When a device is connected, the system detects it using a pull-up resistor. Pull-up resistors detect low speed and high speed devices on the D- and D+ signal wires, respectively. The Human Interface Device (HID) is also one of the USB device types.
It gives structure to the data transferred between the device and the system. These devices can describe the data they receive and send during the enumeration process. No additional devices are required to handle the data the host system receives over USB. HID devices include the mouse, keyboard, joystick, etc.

USB Signaling

The data transfer rates supported by USB are as follows:

• Low Speed (1.1, 2.0): It transfers data at the rate of 1.5Mbit/s (187kB/s)
• Full Speed (1.1, 2.0): It transfers data at the rate of 12Mbit/s (1.5MB/s)
• Hi Speed (2.0): It transfers data at the rate of 480Mbit/s (60MB/s)
• Super Speed (3.0): It transfers data at the rate of 4.8Gbit/s (600MB/s)

USB Attacks
Electrical Attack

• Electrical attacks mounted against USB keys require physical access to the device circuit boards
• The primary goal is to access private data, which is supposed to be protected by the legitimate user's PIN number or password, without detection by the legitimate user
• A design flaw common to USB keys is the improper storage of password values, which can allow the extraction of all data, including private information
• Changing the password value stored in an EEPROM allows access to the device and extraction of all private information

An electrical attack can be performed on a USB key when the device’s circuit board is physically accessed. The attack is done to steal the private data stored on the device, which is protected by the legitimate user’s PIN number and password. The USB device consists of a microprocessor with USB support, external memory, and glue circuitry. If the password is improperly stored, the attacker can steal the data easily. The password value stored in the Electrically Erasable Programmable Read Only Memory (EEPROM) can be changed and the data can be easily extracted. The attacker can reset the password to the original one once the hack is performed on the USB device, thus ensuring that the owner is not aware of any suspicious activity.

Serial EEPROMs require minimal circuitry to read and write, hence they are used mostly in the engineering industry. But they are insecure and do not provide security to the devices in which they are used. A device programmer is attached to the device where serial EEPROMs are used to provide security by restricting inappropriate access.
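To show why storing the password value is the design flaw, the following added example (not from the course material) models two token designs in Python: one that keeps the password in EEPROM and compares against it, and one that derives its keys from the PIN so nothing in EEPROM unlocks the data by itself. The class names, PINs and data are constructed, and the SHAKE-256 keystream is a stand-in for a real authenticated cipher.

```python
import hashlib
import hmac
import os

SECRET = b"constructed private data"

def derive_keys(pin, salt):
    """Derive separate encryption and MAC keys from the PIN; neither is ever stored."""
    k = hashlib.pbkdf2_hmac("sha256", pin, salt, 100_000, dklen=64)
    return k[:32], k[32:]

def xor_stream(key, data):
    # Stand-in for a real authenticated cipher, which the standard library lacks.
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class FlawedToken:
    """Password value kept in EEPROM; the data is gated only by a comparison."""
    def __init__(self, pin, secret):
        self.eeprom = {"password": pin, "data": secret}
    def read(self, pin):
        ok = hmac.compare_digest(pin, self.eeprom["password"])
        return self.eeprom["data"] if ok else None

class KeyedToken:
    """EEPROM holds salt, ciphertext and MAC tag; the keys exist only with the PIN."""
    def __init__(self, pin, secret):
        salt = os.urandom(16)
        enc, mac = derive_keys(pin, salt)
        ct = xor_stream(enc, secret)
        tag = hmac.new(mac, ct, hashlib.sha256).digest()
        self.eeprom = {"salt": salt, "data": ct, "tag": tag}
    def read(self, pin):
        enc, mac = derive_keys(pin, self.eeprom["salt"])
        tag = hmac.new(mac, self.eeprom["data"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self.eeprom["tag"]):
            return None
        return xor_stream(enc, self.eeprom["data"])

def read_after_rewrite(token, field, value, pin):
    """Model a rewritten EEPROM field, then attempt a read with `pin`."""
    token.eeprom[field] = value
    return token.read(pin)

if __name__ == "__main__":
    print(read_after_rewrite(FlawedToken(b"4821", SECRET), "password", b"0000", b"0000"))
    print(read_after_rewrite(KeyedToken(b"4821", SECRET), "salt", bytes(16), b"0000"))
```

A short PIN can still be guessed offline once the EEPROM contents are copied, so the key-derivation cost and the PIN length both matter in a real design.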
Software Attack

• The attacker examines the communication channels between the USB device and the host computer
• The attacker analyzes and determines the possibility of brute-forcing a password that will give access to the USB key device
• When incorrect and known erroneous USB packets are sent to the USB key, it may leak information such as the contents of protected memory areas

A software attack is a non-invasive attack. In this attack, the device is not tampered with or harmed. The software attack makes use of the normal operating conditions of the device, and its purpose is to find flaws in the implementation of the software or firmware in the product. Once the attack is done, the results can be replicated on other devices. A USB software attack can be chosen from two distinct areas:

• Examine the communication channels: Custom device drivers and commercial USB protocol analyzers are used to examine the communication channels between the USB device and the host computer.
• Analyze and determine the possibility to brute-force a password: The USB key device can be accessed by analyzing and determining the administrator’s MKEY value or the genuine user password or PIN.

Vendor-provided software development kits consist of source code, header files, and a lot of information about the design and structure of the device. They contain bits and pieces of the serial EEPROM contents of the key, leaking secret and private information.
USB Attack on Windows

• Buffer-overflow vulnerabilities in a USB device allow an attacker to bypass Windows security and gain administrative privileges on the host machine
• An attacker who knows of a vulnerability in a USB device driver can program one USB device, known as a portable memory stick, to pose as the kind of device that uses the vulnerable driver
• The attacker then plugs the device into the host system and triggers the exploit when the host system loads the flawed driver
• This allows the attacker to take control of the host computer

An attacker can reprogram a USB device using buffer overflow vulnerabilities. The attacker reprograms the device to act as a memory stick to access the locked workstation. An attacker can gain administrative access by violating Windows security using the buffer overflow vulnerabilities. This is an example of the danger posed by peripheral devices that use USBs, firewalls, and wireless networking connections.

When USB devices are plugged into systems with Windows 32-bit operating systems such as Windows XP and 2000, the buffer overflow flaws occur in device drivers. An attacker who knows of a vulnerability in a USB driver can program a portable memory stick, plug the device into the host system, and exploit the system while it is loading the flawed driver.

This attack can be prevented, as these attacks need physical access to the system. Whenever any USB device is plugged into the network, it can be detected using many USB security tools.

Viruses and Worms