Year 2024,
Volume: 8 Issue: 2, 199 - 212, 31.12.2024
Zeynep Rana Dönmez
Şeyma Atmaca
Yıldıray Yalman
Project Number
1919B012108374
References
-
[1] Thomas, T., Piscitelli, M. and Nahar, B.A. (2021). Duck Hunt: Memory forensics of USB attack platforms. DFRWS 2021 Virtual USA Conference.
-
[2] Falliere, N., Murchu, L. O. and Chie, E. (2011). W32.Stuxnet Dossier, Symantec Stuxnet Update. Version1.4:1-45.
-
[3] Nissim, N., Yahalom, R. and Elovici, Y. (2017). USB-Based attacks. Computers and Security, 70: 675-688.
-
[4] Cannoles, B. and Ghafarian, A. (2017). Hacking Experiment Using USB Rubber Ducky Scripting. Proceeding of The 8th Multi-Conference on Complexity (IMCIC), 73-76.
-
[5] Chillara, A. K., Saxena, P., Maiti, R. R., Gupta, M., Kondapalli, R., Zhang, Z., & Kesavan, K. (2024). Deceiving supervised machine learning models via adversarial data poisoning attacks: a case study with USB keyboards. International Journal of Information Security, 23(3), 2043-2061.
-
[6] Kamkar, S. (2024). USB Drive By. https://samy.pl/usbdriveby/ [Accessed: 15 April2024]
-
[7] Georgitzikis, V., Akribopoulos, O. and Chatzigiannakis, I. (2012). Controlling Physical Objects via the Internet using the Arduino Platform over 802.15.4 Networks. IEEE Latin America Transactions, 10(3):1686-1689.
-
[8] Karystinos, E. and Andreatos A. (2019). Spyduino: Arduino as a HID exploiting the BadUSB Vulnerability. International Conference on Distributed Computing in Sensor Systems (DCOSS), 1-4.
-
[9] Lin, Y.W., Lin, Y.B., Yang, M.T. and Lin, J. H. (2019). ArduTalk: An Arduino Network Application Development Platform Based on IoTtalk. IEEE Systems Journal, 13(11):468-476.
-
[10] Strobel, D., Oswald, D., Richter, B., Schellenberg, F. and Paar, C. (2014). Microcontrollers as (In)Security Devices for Pervasive Computing Applications. Proceedings of the IEEE, 102(8):1157-1173.
-
[11] Vouteva, S. (2015). Feasibility and Deployment of Bad USB. System and Network Engineering Master Research Project, University of Amsterdam, Amsterdam, Holland, 16
-
[12] Brandao, P. and Scanavez, R. (2021). Bad USB: why must we discuss this threat in companies. Higher Institute of Advanced Technologies, 3-6.
-
[13] Mazharul Amin, A.A.M. and Mahamud, M. S. (2019). An Alternative Approach of Mitigating ARP Based Man-in-the-Middle Attack Using Client Site Bash Script. 6th International Conference on Electrical and Electronics Engineering.
-
[14] Asokan, J., Rahuman, A. K., Suganthi, B., Fairooz, S., Balaji, M. S. P. and Elamaran, V. (2023). A Case Study Using Companies to Examine the Nmap Tool’s Applicability for Network Security Assessment. 12th International Conference on Advanced Computing (ICoAC), 2023.
-
[15] Kaushik, K., Punhani, I., Sharma, S. and Martolia, M. (2022). An Advanced Approach for performing Cyber Fraud using Banner Grabbing. 5th International Conference on Contemporary Computing and Informatics (IC3I).
-
[16] Tian, D., Bates, A. and Butler, K. (2015), Defending Against Malicious USB Firmware with GoodUSB, ACSAC’15, December 07-11: 1-5
Leaking Network Devices with Rubber Ducky Attack
Year 2024,
Volume: 8 Issue: 2, 199 - 212, 31.12.2024
Zeynep Rana Dönmez
Şeyma Atmaca
Yıldıray Yalman
Abstract
Social engineering is a psychological attack targeting individuals' vulnerabilities, often aimed at employees of targeted organizations. Unlike traditional electronic attacks, it relies on manipulating individuals to run malware-infected devices or share sensitive information willingly. This study uses the Arduino Digispark Attiny85 module to demonstrate the potential consequences of social engineering attacks on network devices. By placing the module in a device connected to the target network, a network scan was performed to determine the security status, IP addresses, port information, and version information of all devices. During the experimental studies, it was observed that the most suitable port was the FTP port, and the attack was carried out via msfconsole on the FTP port. Unlike similar studies that focus on a single device, our approach allows simultaneous infiltration of multiple devices within the network, obtaining control over multiple authorized devices, highlighting the significant advantage of our method.
Supporting Institution
TÜBİTAK
Project Number
1919B012108374
Thanks
This work has been supported in part by The Scientific and Technological Research Council of Turkey (TUBITAK) research grant 2209-A, No:1919B012108374
References
-
[1] Thomas, T., Piscitelli, M. and Nahar, B.A. (2021). Duck Hunt: Memory forensics of USB attack platforms. DFRWS 2021 Virtual USA Conference.
-
[2] Falliere, N., Murchu, L. O. and Chie, E. (2011). W32.Stuxnet Dossier, Symantec Stuxnet Update. Version1.4:1-45.
-
[3] Nissim, N., Yahalom, R. and Elovici, Y. (2017). USB-Based attacks. Computers and Security, 70: 675-688.
-
[4] Cannoles, B. and Ghafarian, A. (2017). Hacking Experiment Using USB Rubber Ducky Scripting. Proceeding of The 8th Multi-Conference on Complexity (IMCIC), 73-76.
-
[5] Chillara, A. K., Saxena, P., Maiti, R. R., Gupta, M., Kondapalli, R., Zhang, Z., & Kesavan, K. (2024). Deceiving supervised machine learning models via adversarial data poisoning attacks: a case study with USB keyboards. International Journal of Information Security, 23(3), 2043-2061.
-
[6] Kamkar, S. (2024). USB Drive By. https://samy.pl/usbdriveby/ [Accessed: 15 April2024]
-
[7] Georgitzikis, V., Akribopoulos, O. and Chatzigiannakis, I. (2012). Controlling Physical Objects via the Internet using the Arduino Platform over 802.15.4 Networks. IEEE Latin America Transactions, 10(3):1686-1689.
-
[8] Karystinos, E. and Andreatos A. (2019). Spyduino: Arduino as a HID exploiting the BadUSB Vulnerability. International Conference on Distributed Computing in Sensor Systems (DCOSS), 1-4.
-
[9] Lin, Y.W., Lin, Y.B., Yang, M.T. and Lin, J. H. (2019). ArduTalk: An Arduino Network Application Development Platform Based on IoTtalk. IEEE Systems Journal, 13(11):468-476.
-
[10] Strobel, D., Oswald, D., Richter, B., Schellenberg, F. and Paar, C. (2014). Microcontrollers as (In)Security Devices for Pervasive Computing Applications. Proceedings of the IEEE, 102(8):1157-1173.
-
[11] Vouteva, S. (2015). Feasibility and Deployment of Bad USB. System and Network Engineering Master Research Project, University of Amsterdam, Amsterdam, Holland, 16
-
[12] Brandao, P. and Scanavez, R. (2021). Bad USB: why must we discuss this threat in companies. Higher Institute of Advanced Technologies, 3-6.
-
[13] Mazharul Amin, A.A.M. and Mahamud, M. S. (2019). An Alternative Approach of Mitigating ARP Based Man-in-the-Middle Attack Using Client Site Bash Script. 6th International Conference on Electrical and Electronics Engineering.
-
[14] Asokan, J., Rahuman, A. K., Suganthi, B., Fairooz, S., Balaji, M. S. P. and Elamaran, V. (2023). A Case Study Using Companies to Examine the Nmap Tool’s Applicability for Network Security Assessment. 12th International Conference on Advanced Computing (ICoAC), 2023.
-
[15] Kaushik, K., Punhani, I., Sharma, S. and Martolia, M. (2022). An Advanced Approach for performing Cyber Fraud using Banner Grabbing. 5th International Conference on Contemporary Computing and Informatics (IC3I).
-
[16] Tian, D., Bates, A. and Butler, K. (2015), Defending Against Malicious USB Firmware with GoodUSB, ACSAC’15, December 07-11: 1-5