Paensy 0.1 is released at the bottom of the post - I've decided to open-source it all. Check it out and let me know your thoughts!
I’ve followed Samy Kamkar (the man who created SkyJack, the drone that forcibly takes over other drones and assembles an army of controlled drones) and his developments for a while – that’s why, when I saw he had published work regarding USB drive-by attacks, I was fairly intrigued. I’ve been trying to recreate BadUSB using the code Adam Caudill published on his GitHub from his BadUSB talk. For those unaware of what BadUSB is, BadUSB is an attack vector uncovered by srlabs.de which exploits a flaw in the USB structure in general. Windows considers all USB drives non-malicious and automatically trusts the content of a USB drive to be safe and secure, not an attempted attack. The USB protocol also allows devices to self-dictate or manipulate what they do – for example, a USB drive communicates to the operating system, when plugged in, that it is a USB storage device. This is how the USB port can appear universal – USB has surely become the universal port and plug of choice for our time, with devices ranging from flight simulators to mice and keyboards to storage devices.
A USB thumb drive is simply a microcontroller and an SD card. Well, yes, I know there’s more involved, but I’m trying to illustrate this on a conceptual level and not an electrical-engineering-graduate-student level. Microcontrollers are in charge of all of the commanding, easily comparable to a brain or to your computer’s processor. Microcontrollers automatically tell the operating system what they are when they’re plugged in and the operating system simply accepts this – the only defense in Windows, at the moment, is the ability to blacklist a certain manufacturer ID. This would be helpful if it weren’t easily circumvented thanks to the faulty design and implementation of the USB protocol – as you may have been able to guess, we, the ones programming the device, also supply the vendor ID and all of that information.
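The point above, that the device class and vendor ID are whatever the device reports, seen from the host's side: an added example (not from the original post or from Paensy) that parses raw USB descriptors and flags a device exposing an interface class it was not expected to have. The function names, the vendor IDs 0x1234 and 0x5678, and the descriptor bytes are constructed for illustration.

```python
import struct

HID, MASS_STORAGE = 0x03, 0x08          # USB-IF base class codes
NAMES = {HID: "HID", MASS_STORAGE: "mass storage"}

def parse_device(desc: bytes) -> dict:
    """Decode the 18-byte standard device descriptor (all fields device-supplied)."""
    if len(desc) < 18 or desc[0] != 18 or desc[1] != 0x01:
        raise ValueError("not a device descriptor")
    f = struct.unpack_from("<BBHBBBBHHHBBBB", desc)
    return {"class": f[3], "vid": f[7], "pid": f[8]}

def parse_interfaces(cfg: bytes) -> list:
    """Return (class, subclass, protocol) for each interface descriptor (type 0x04)."""
    if len(cfg) < 9 or cfg[1] != 0x02:
        raise ValueError("not a configuration descriptor")
    total = min(struct.unpack_from("<H", cfg, 2)[0], len(cfg))
    found, i = [], 0
    while i + 2 <= total:
        length, dtype = cfg[i], cfg[i + 1]
        if length < 2 or i + length > total:      # malformed chain: refuse, don't loop
            raise ValueError(f"bad descriptor length at offset {i}")
        if dtype == 0x04 and length >= 9:
            found.append(tuple(cfg[i + 5:i + 8]))
        i += length
    return found

def audit(dev: bytes, cfg: bytes, vid_blocklist: set, expected: set) -> list:
    """Findings for a device that should expose only the `expected` interface classes."""
    vid, findings = parse_device(dev)["vid"], []
    if vid in vid_blocklist:
        findings.append(f"vendor ID {vid:04x} is blocklisted")
    for cls, sub, proto in parse_interfaces(cfg):
        if cls not in expected:
            kind = " (boot keyboard)" if (cls, sub, proto) == (HID, 1, 1) else ""
            findings.append(f"unexpected {NAMES.get(cls, hex(cls))} interface{kind}")
    return findings

def sample(vid: int):
    """Constructed descriptors: a 'thumb drive' that also declares a keyboard."""
    dev = struct.pack("<BBHBBBBHHHBBBB", 18, 1, 0x0200, 0, 0, 0, 64,
                      vid, 0x0001, 0x0100, 1, 2, 3, 1)
    body = bytes([9, 4, 0, 0, 2, MASS_STORAGE, 0x06, 0x50, 0,   # storage interface
                  7, 5, 0x81, 2, 0, 2, 0,  7, 5, 0x02, 2, 0, 2, 0,  # bulk IN/OUT
                  9, 4, 1, 0, 1, HID, 1, 1, 0,                  # HID boot keyboard
                  9, 0x21, 0x11, 1, 0, 1, 0x22, 63, 0,          # HID descriptor
                  7, 5, 0x83, 3, 8, 0, 10])                     # interrupt IN
    return dev, struct.pack("<BBHBBBBB", 9, 2, 9 + len(body), 2, 1, 0, 0x80, 50) + body
```

With the blocklist set to `{0x1234}`, the same descriptors reported under vendor ID 0x5678 pass the vendor check, while the interface-class check still reports the keyboard interface in both cases.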
I was curious as to what I could do with this incredibly interesting ability, so I decided to purchase the Teensy USB Development Board from PJRC for an inexpensive price of $19.80. When I received it, I have to admit that I was fairly shocked – the device is a little bit wider than the internal board of a USB drive but practically half the length of a typical USB board. I also noticed that the drive used a micro USB connection rather than a standard-sized connection – crossover cables are inexpensive and easily purchasable elsewhere.
I immediately started work, basing my preliminary work off of Samy Kamkar’s USBDriveBy, but for Windows rather than his Mac’s OS. I realized that a lot of the system functions became redundant so I started writing a library for myself to use that simplified a lot of functions. It eventually started to resemble Hak5’s RubberDucky payload scripting – I then realized that I had created a platform that could create payloads and took out the majority of the mundane and annoying code that Teensy uses.
What is Paensy?
Paensy [pan-zee] is a combination of the word payload and Teensy – Paensy is an attacker-oriented, C-based library written for the development of Teensy devices. Paensy simplifies and optimizes mundane tasks and allows an easier platform for scripting.
Features of Paensy
Paensy has a delay that is programmatically controlled and factors into almost every action it does – the programmer sets a delay setting at the beginning of his program and then the program automatically offsets and compensates for this delay. This is to prevent having to spend hours changing each delay for an individual computer – change it on the fly with Paensy.
Paensy has methods for running a command, hiding windows, adding a new admin user, pressing keys x number of times, typing quickly, ctrl + alt + shift + key combinations, LED control, LED Morse dashes and dots, and LED fluttering. Paensy is optimized for an attacker and saves developers lots of work.
A few different payloads I’ve created as of this article are:
- Add Admin User (adds a pre-programmed user with a programmatically-defined password)
- Download and Execute (downloads and executes a file of your choosing)
- Facebook Post (posts a Facebook status to the victim’s Facebook page)
- Hide Window (a proof-of-concept showing how to hide the current window)
- Lock Your Computer (opens up notepad and scolds the user on their inability to lock their computer)
I’m still in the process of writing more payloads – I hope to add a reverse shell payload sometime in the near future. Oh, and, all the payloads print out “pwn3d” in Morse code through the LED. All of the code is commented fully. If you have any questions, please feel free to drop a comment here or open a ticket on GitHub – I check both daily.
I’ve decided to release all of my code online and with documentation – read the README file and you should have no issues.
I’m not responsible for what you do with this library.