AirDrive USB Wifi Keylogger


I was recently reading a colleague's research proposal about access vulnerabilities in RFID authentication systems. It prompted me to think about what tactics, techniques and procedures I would use once I had gained physical access to a protected computer network. Not all networks are protected equally, but I decided to assume the worst case for an attacker: full disk encryption and an EDR / XDR product properly configured and working.

Years ago I owned a physical "KeyKatcher" PS/2 keyboard logger. In fact I still have it; I just don't have a PS/2 keyboard to try it out on anymore.

[image: KeyKatcher PS/2 keyboard logger]

I wondered what the latest USB keyboard logger looks like, and a few minutes later found the USB AirDrive Forensic Keylogger.

[image: AirDrive Forensic Keylogger]

This device exceeded my expectations: it has a built-in wifi hotspot, which means I could install it once and download the captured keystrokes remotely later, without needing physical access again. If you look closely below, you will see the 4th bullet states, "100% Stealthy, undetectable for security software". Having read this type of marketing material before, I was eager to put that claim to the test.


[image: AirDrive product feature list]

The idea is that you plug the AirDrive Forensic Keylogger into someone's computer, then plug their keyboard into the AirDrive. You retrieve the user's keystrokes remotely by connecting to the built-in wifi hotspot and opening its web interface in a browser on your phone or computer.

I ordered my AirDrive Forensic Keylogger from the www.keelog.com website. It shipped from overseas (Poland), and I was amazed at how quickly it arrived: two days before the promised date.

My first test was to see whether the "100% stealthy" claim was factual. I could have checked all the typical log locations, monitored the system with procmon, or performed a timeline analysis after plugging it in to see what had changed. However, I'm lazy, so I started by monitoring the USB bus. After all, if nothing crosses the bus, nothing from the plugged-in device is going into a log on the computer (other logging may still be taking place). Let's take a look.

This is what the USB bus looks like when nothing is plugged in:

[screenshot: USB bus, nothing plugged in]

Next I wanted to plug in something that should create traffic on the bus. This is what it looks like when you plug in a USB keyboard.

[screenshot: USB bus, USB keyboard plugged in]

The above confirmed that my approach works, as the keyboard generated traffic on the bus. My next check was with something I knew was not supposed to generate any traffic: a USB SyncStop. The SyncStop prevents accidental data exchange when your device is plugged into someone else's computer or a public charging port.

[screenshot: USB bus, SyncStop plugged in]

As you can see in the screenshot above, it looks exactly like the first screenshot with no devices plugged in. Now let's plug in the AirDrive Forensic Keylogger.

[screenshot: USB bus, AirDrive plugged in]

Success! Once again I was impressed: nothing going across the USB bus. This doesn't mean nothing is being logged anywhere, though, so Blue Teamers, keep reading; you're not completely out of luck!

I performed one more check: the keyboard plugged into the AirDrive, and the AirDrive into the computer, should look no different from the keyboard plugged directly into the computer.

[screenshot: USB bus, keyboard plugged in through the AirDrive]

No difference. I was now satisfied that it was stealthy. Last-gen or next-gen antivirus, EDR, XDR: none of them can alert on what they can't see.

MFA...

I logged into a few test accounts and the AirDrive captured the keystrokes as expected. Not all MFA is equal. Obviously, someone using push-notification MFA during login will not have their second factor captured by the AirDrive. I tested several MFA PIN-generating devices, and of course the AirDrive captured the PINs when they were typed on the keyboard.

Here's the interesting thing... "One-Time Password" codes are not single use.

[image]

Granted, testing two MFA applications is not exhaustive, so more testing should be done. I tested Symantec VIP and Microsoft Authenticator, and both allowed two separate devices to log in to the same account with the same username/password and the same PIN.
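Here is an added example, my own code rather than anything from keelog.com or either MFA vendor, showing in plain Python what the observation above looks like on the verifier side. It generates RFC 6238 TOTP codes, then compares a naive verifier that accepts any code valid in the current window (a captured code keeps working until the clock moves on) with one that remembers the last accepted time step so a code dies the moment the victim uses it, which is what RFC 6238 section 5.2 requires of verifiers. The secret and timestamps are constructed; the real vendors' internals are not known from the article.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): HOTP computed over the time-step counter."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class NaiveVerifier:
    """Accepts any code valid for the current step or one step either side.
    A keylogged code therefore works again for up to a minute, which is the
    behaviour observed with both authenticator apps in the article."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew = secret, step, skew

    def candidates(self, now: int):
        for drift in range(-self.skew, self.skew + 1):
            yield (now + drift * self.step) // self.step

    def verify(self, code: str, now: int) -> bool:
        for counter in self.candidates(now):
            expected = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                return True
        return False


class ReplaySafeVerifier(NaiveVerifier):
    """RFC 6238 section 5.2: once a code has been accepted it must not be
    accepted again. Remember the highest accepted counter per account and
    refuse anything at or below it, so a captured code is dead after first use."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        super().__init__(secret, step, skew)
        self.last_accepted = -1                    # persist this per account in practice

    def verify(self, code: str, now: int) -> bool:
        for counter in self.candidates(now):
            if counter <= self.last_accepted:
                continue                           # already used, or older than one used
            expected = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_accepted = counter
                return True
        return False


def replay_demo(secret: bytes = b"constructed-demo-secret", now: int = 1_700_000_000) -> dict:
    """Victim logs in with a code; the keylogger operator replays it 10 s later."""
    code = totp(secret, now)
    naive, safe = NaiveVerifier(secret), ReplaySafeVerifier(secret)
    return {
        "naive_victim": naive.verify(code, now),
        "naive_replay": naive.verify(code, now + 10),
        "safe_victim": safe.verify(code, now),
        "safe_replay": safe.verify(code, now + 10),
    }


if __name__ == "__main__":
    print(replay_demo())   # naive accepts the replay, the replay-safe verifier rejects it
```

The replay-safe version costs one small integer of state per account, and it still accepts a genuinely new code from the next time step, so legitimate users are unaffected. It does not help against an attacker who uses the captured code before the victim does, which is why #2 below still matters.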

So here's your opportunity, Blue Team...

#1 A PIN should not be usable more than once for login. If I use my PIN to log in, it should immediately become unusable, so a malicious actor who captures it cannot reuse it within the 30-60 second time window.

#2 The SIEM should be monitoring and alerting on logins to the same account within a minute of each other that come from different IP addresses or use a different OS, browser or hardware.

#3 Your "Impossible Travel" SIEM alert may or may not work. I could easily see a Red Team using the company's open wifi to log in to the captured account; it may end up being the same IP or the same geolocation, so the alert never trips.
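As an added example (not from the article), here is the detection logic behind #2 and #3 run over a handful of constructed login events. It flags logins to the same account within 60 seconds whenever the source IP or the OS/browser string differs, so a Red Team replaying captured credentials from the company's own wifi (same IP, different device) is still caught on the user-agent difference that an impossible-travel rule would miss. The event field names are assumptions; map them to whatever your identity provider actually emits.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of IdP "login success" events (not real logs). Field names
# are assumptions; map them to whatever your identity provider actually emits.
SAMPLE_LOG = """\
{"ts": "2023-05-01T09:00:00Z", "user": "alice", "src_ip": "203.0.113.10", "ua": "Windows NT 10.0; Chrome/112"}
{"ts": "2023-05-01T09:00:25Z", "user": "alice", "src_ip": "198.51.100.7", "ua": "Android 13; Chrome/112"}
{"ts": "2023-05-01T09:05:00Z", "user": "bob", "src_ip": "203.0.113.10", "ua": "Windows NT 10.0; Chrome/112"}
{"ts": "2023-05-01T09:05:40Z", "user": "bob", "src_ip": "203.0.113.10", "ua": "Android 12; Chrome/112"}
{"ts": "2023-05-01T09:10:00Z", "user": "carol", "src_ip": "203.0.113.10", "ua": "Windows NT 10.0; Chrome/112"}
{"ts": "2023-05-01T09:10:30Z", "user": "carol", "src_ip": "203.0.113.10", "ua": "Windows NT 10.0; Chrome/112"}
{"ts": "2023-05-01T09:20:00Z", "user": "dave", "src_ip": "203.0.113.10", "ua": "Windows NT 10.0; Chrome/112"}
{"ts": "2023-05-01T09:25:00Z", "user": "dave", "src_ip": "198.51.100.7", "ua": "Android 13; Chrome/112"}
"""


def parse_events(text: str) -> list:
    """One JSON object per line; timestamps are UTC ISO-8601 with a Z suffix."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_concurrent_logins(events: list, window: timedelta = timedelta(seconds=60)) -> list:
    """Flag pairs of successful logins to the same account inside `window`
    whose source IP or OS/browser differs. Identical-looking pairs (a normal
    refresh or re-login from the same machine) are not flagged."""
    by_user = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(event["user"], []).append(event)

    alerts = []
    for user, logins in by_user.items():
        for i, first in enumerate(logins):
            for second in logins[i + 1:]:
                gap = second["ts"] - first["ts"]
                if gap > window:
                    break                      # time-sorted: nothing later is closer
                reasons = []
                if first["src_ip"] != second["src_ip"]:
                    reasons.append("different source IP")
                if first["ua"] != second["ua"]:
                    reasons.append("different OS/browser")
                if reasons:
                    alerts.append({"user": user,
                                   "seconds_apart": int(gap.total_seconds()),
                                   "reasons": reasons,
                                   "sources": [(first["src_ip"], first["ua"]),
                                               (second["src_ip"], second["ua"])]})
    return alerts


if __name__ == "__main__":
    for alert in find_concurrent_logins(parse_events(SAMPLE_LOG)):
        print(alert)
```

In the sample, alice trips both conditions, bob trips only the OS/browser check (same egress IP, the #3 scenario), carol's two identical logins are ignored, and dave's second login is five minutes later and falls outside the window. The same rule translates directly into a SIEM correlation search grouped by account with a 60 second span.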

Blue Team and Logs...

The AirDrive starts up a wifi hotspot. Windows logs the wifi networks the machine has connected to, but NOT the wifi networks that were merely available (at least not to my knowledge). So here is something the Blue Team can begin monitoring. By default the hotspot name begins with "Air_", so I would definitely be monitoring for wifi networks within range that use that naming convention.

Red Team and the hotspot name...

Any Red Team worth their salt (or malicious actor) is going to change the default name. My first thought was to use "null" or "newline" characters. I sent an email to keelog.com and once again received a professional response. Here it is:

1) Network name (SSID), case sensitive, minimum 2 chars, max 30 chars. The printable characters plus the space (ASCII 0x20) are allowed, but these six characters are not: ?, ", $, [, \, ], and +.

2) Password, case sensitive, minimum 8 chars, max 30 chars. The printable characters plus the space (ASCII 0x20) are allowed.

In both cases, localized and Unicode characters are not allowed. Care has also to be taken, when using long SSIDs and passwords close to the 30 character limit in combination with special characters. Special characters are passed around the webpages using URL encoding mechanism, thus increasing the effective length.

If you name the AirDrive hotspot the same as a wireless network in the area, there is a good chance someone will connect to it; it won't work properly and will likely generate calls to the Help Desk. If the targeted computer is close to a parking lot, a name like "MazdaWiFi" might be good. Otherwise, the name of a typical phone hotspot (Barbs-iPhone) might be a good idea. You could always use a hidden SSID, but that might raise more suspicion. Any wifi hotspot in a location where hotspots are not allowed is an obvious clue.

Blue Team and the MAC...

Regardless of the name, the Blue Team should be monitoring for the AirDrive hotspot's MAC. When I contacted keelog.com, they stated "It is not possible to change the MAC address." I read this as "we don't provide a method to change the MAC". Depending on your skill, it may well be possible; again, I'm not bricking the only one I have. They also stated that they use Espressif ESP processors. A list of Espressif MAC prefixes can be found here: https://maclookup.app/vendors/espressif-inc

The above list did not contain my AirDrive's MAC [42:f5:20], which was interesting, because when I used the same website to search for it, it came up as Espressif: https://maclookup.app/macaddress/40F520 (42 is 40 with the locally administered bit of the first octet set, so the registered prefix is 40:F5:20).

Granted, I have no idea how many other devices use Espressif ESP processors or how many false positives this will generate... good luck with that.
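Here is an added example (my own code, not keelog's and not from the article) that combines the two Blue Team checks above: it parses the output of `netsh wlan show networks mode=bssid` on a Windows machine and flags any SSID beginning with "Air_" or any BSSID whose registered prefix is Espressif's. The BSSID is normalized by clearing the locally administered bit of the first octet before the lookup, which is what turns the 42:f5:20 seen on the hotspot back into the 40:f5:20 the vendor lists are keyed on. The netsh output below is constructed; the OUI set holds only the prefix named in the article, and you would extend it from the maclookup.app list. Because Espressif chips sit inside countless consumer IoT devices, treat an OUI-only hit as a lead to walk down with signal strength and physical location rather than as an alert on its own.

```python
import re
import subprocess

# Constructed text in the layout of `netsh wlan show networks mode=bssid` (not a
# real capture). The CorpWiFi BSSID and the last three octets are made up.
SAMPLE_NETSH = """\
Interface name : Wi-Fi
There are 3 networks currently visible.

SSID 1 : CorpWiFi
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:aa:bb:cc
         Signal             : 80%
         Channel            : 36

SSID 2 : Air_1F3A
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 42:f5:20:01:02:03
         Signal             : 95%
         Channel            : 6

SSID 3 : Barbs-iPhone
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 42:f5:20:0a:0b:0c
         Signal             : 92%
         Channel            : 11
"""

ESPRESSIF_OUIS = {"40:f5:20"}      # prefix from the article; extend from maclookup.app
SUSPICIOUS_SSID_PREFIX = "Air_"    # AirDrive factory default per the article

SSID_RE = re.compile(r"^SSID\s+\d+\s*:\s*(.*?)\s*$")          # no leading space: SSID lines only
BSSID_RE = re.compile(r"^\s*BSSID\s+\d+\s*:\s*([0-9a-fA-F:]{17})")
SIGNAL_RE = re.compile(r"^\s*Signal\s*:\s*(\d+)%")


def parse_networks(text: str) -> list:
    """Return one record per BSSID: {"ssid", "bssid", "signal"}. Hidden networks
    show up with an empty ssid, which is itself worth a look."""
    nets, ssid = [], None
    for line in text.splitlines():
        m = SSID_RE.match(line)
        if m:
            ssid = m.group(1)
            continue
        m = BSSID_RE.match(line)
        if m:
            nets.append({"ssid": ssid, "bssid": m.group(1).lower(), "signal": None})
            continue
        m = SIGNAL_RE.match(line)
        if m and nets:
            nets[-1]["signal"] = int(m.group(1))
    return nets


def registered_oui(bssid: str) -> str:
    """Clear the locally administered bit (0x02) of the first octet and return the
    24-bit prefix: 42:f5:20:xx:xx:xx -> 40:f5:20."""
    octets = bssid.lower().split(":")
    octets[0] = f"{int(octets[0], 16) & ~0x02:02x}"
    return ":".join(octets[:3])


def flag_networks(nets: list) -> list:
    findings = []
    for net in nets:
        reasons = []
        if net["ssid"] and net["ssid"].startswith(SUSPICIOUS_SSID_PREFIX):
            reasons.append("default AirDrive SSID prefix")
        if registered_oui(net["bssid"]) in ESPRESSIF_OUIS:
            reasons.append("Espressif OUI")
        if reasons:
            findings.append({**net, "reasons": reasons})
    return findings


def scan_live() -> list:
    """Windows only: run netsh and flag what is in range right now."""
    out = subprocess.run(["netsh", "wlan", "show", "networks", "mode=bssid"],
                         capture_output=True, text=True, check=True).stdout
    return flag_networks(parse_networks(out))


if __name__ == "__main__":
    for finding in flag_networks(parse_networks(SAMPLE_NETSH)):
        print(finding)
```

Run `scan_live()` from a scheduled task on a few machines per floor and ship the findings to the SIEM; the renamed "Barbs-iPhone" hotspot is only caught by the OUI check, and an AirDrive sitting inside the building will usually show a stronger signal than a phone in the parking lot.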

Blue Team capture the malicious actor...

While scanning the AirDrive with Wifite, I could see when the device had a client associated, so Blue Team owners of professional wifi monitoring software will likely have the same capability. Should you find a device like this in your environment, it might be worthwhile to monitor it so you know when a client connects. This might allow you to catch the malicious actor who installed it. Additionally, putting the device on a "honeypot" computer and then monitoring where the malicious actor logs in from might also be worthwhile.

Work From Home...

Oh man, this is where it gets really interesting. Having a party, with your equipment accessible? Maybe your significant other doesn't trust you and has installed one of these? Maybe your kids are mad that you blocked something and installed it to get the credentials to unblock it (something I probably would have done). Now think about any of these happening to a less computer-savvy user. They wouldn't even know what the AirDrive is if they saw it. How does the Blue Team guard against that? Training? If one of your employees finds one, what is the policy / procedure?

Found one at a personal residence, now what?

The data is saved on the device for download. It could have been "deleted", but that doesn't mean it's not recoverable. The device can be attacked just like any wifi hotspot, so provided the malicious actor didn't use a strong WPA2 password, you could probably brute-force it. Why bother? The captured data may help indicate when the device was installed, giving you a time frame for looking at who could have installed it. Using the web interface, the only downloadable log is the captured keystrokes.

More research to come... let me know your thoughts.

Nate Wesolowski

Healthcare | Information Security

3 years

I wonder how this device would work with wireless keyboards, commonly used in conference rooms. Those keyboards typically work with a small USB receiver plugged into the computer. I bet an AirDrive would go unnoticed for a long time, especially where the computer is mounted behind the display. Best option might be to disable USB ports when there is no business need.

Greg Brodt

Instructor at Northwood Technical College

3 years

So, a few years back I did a proof of concept using non-wifi RF. A thought for you!

"Maybe your kids are mad that you blocked something and installed it to get the credentials to unblock it (something I probably would have done)." Yes, definitely something you would have done.
