AutoGadgetFS – USB Testing Made Easy

What’s AutoGadgetFS?

AutoGadgetFS is an open source framework that allows users to assess USB devices and their associated hosts/drivers/software without an in-depth knowledge of the USB protocol. The tool is written in Python3 and utilizes RabbitMQ and WiFi access to enable researchers to conduct remote USB security assessments from anywhere around the globe. By leveraging ConfigFS, AutoGadgetFS allows users to clone and emulate devices quickly, eliminating the need to dig deep into the details of each implementation. The framework also allows users to create their own fuzzers on top of it.

Requirements:

The Setup:

Device testing only:
Minimal agfs in the middle setup:
Complete agfs in the middle setup with debugging support:

USB Device class support:

USB HID devices fully supported (Man in the middle)

Device-only testing: all USB devices (no Man in the middle)

Future releases: all USB devices (Man in the middle)


Capabilities:

  1. Find, select and attach to a USB device with ease.
  2. Emulate any USB HID device.
  3. Perform AGFS in the middle sniffing for HID devices (save the communication to disk).
  4. Device sniffing (any device).
  5. Multiple fuzzers let you fuzz a device or a host.
  6. Random fuzzers (with fixed- or random-length packets).
  7. Smart fuzzers that learn from previous USB communications.
  8. Describe Fuzzer: tell the fuzzer which bytes to fuzz, leaving the rest of the packet unchanged.
  9. Gadget Fuzzer.
  10. Sequential Fuzzer.
  11. Control transfer enumerator.
  12. Replay of packets from a file.
  13. Replay of packets from a saved USBLyzer capture.
  14. Visual presentation of packets to ease reverse engineering of the communication.
  15. Alerts when a device is in DFU mode or when the device leaks information.
  16. USB device and host can be anywhere on the internet.
  17. Monitor sudden interface changes.


RoadMap:

  1. Sniff control transfer requests to a device and reply to them.
  2. MITM and emulate all types of devices.
  3. Console/Qt based interface.
  4. More interface/endpoint support on the RPi Zero W.
  5. Support more boards like the GreatFET.
  6. Move to a custom board.
  7. Work on giving the Raspberry Pi full support for USB device emulation with all interfaces.
  8. Correlate sent and received packets via sequence numbers.


Installation:

Linux Machine:

Raspberry Pi Zero W:

  • Obtain a copy of Raspbian Lite Edition

  • Mount the SD card on your machine and make the following changes:

    • In the /path/to/sdcard/boot/config.txt file add to the very end of the file:

      enable_uart=1
      dtoverlay=dwc2
    • In the /path/to/sdcard/boot/cmdline.txt add right after rootwait

      modules-load=dwc2
    • It should look like this; make sure it is all on the same line:

      console=serial0,115200 console=tty1 root=PARTUUID=6c586e13-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait modules-load=dwc2
  • Enable ssh:

    • In the /path/to/sdcard/boot directory create an empty file named ssh:

      sudo touch /path/to/sdcard/boot/ssh
  • Enable Wifi:

    • In the /path/to/sdcard/boot directory create a file named wpa_supplicant.conf:

      sudo vim /path/to/sdcard/boot/wpa_supplicant.conf
    • Add the following contents:

      ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
      update_config=1
      country=US
      network={
      ssid="<your wifi SSID>"
      psk="<your wifi password>"
      key_mgmt=WPA-PSK
      }
  • Unmount the SD card and place it back into the Raspberry Pi Zero and power it on.
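The SD-card edits above are easy to get wrong by hand (a second line in cmdline.txt, or the overlay lines appended twice). The following helper, added here as an example and not part of the AutoGadgetFS project, applies them idempotently to a mounted boot partition; the function names and the prepare_boot_partition wrapper are assumed names, and the checks for a single cmdline line and for an existing rootwait parameter are this example's own design choices.

```python
from pathlib import Path

# Lines the page appends to the end of /boot/config.txt so the Pi Zero W
# loads the dwc2 USB gadget overlay and exposes the serial console.
CONFIG_TXT_LINES = ["enable_uart=1", "dtoverlay=dwc2"]
# Kernel parameter that must follow "rootwait" on the single cmdline.txt line.
CMDLINE_PARAM = "modules-load=dwc2"


def patch_config_txt(text):
    """Append the gadget lines to config.txt once, at the very end (idempotent)."""
    lines = text.splitlines()
    for needed in CONFIG_TXT_LINES:
        if needed not in lines:
            lines.append(needed)
    return "\n".join(lines) + "\n"


def patch_cmdline_txt(text):
    """Insert modules-load=dwc2 right after rootwait, keeping cmdline.txt one line."""
    stripped = text.strip()
    if "\n" in stripped:
        raise ValueError("cmdline.txt must contain a single line")
    params = stripped.split()
    if CMDLINE_PARAM in params:
        return " ".join(params) + "\n"
    if "rootwait" not in params:
        raise ValueError("cmdline.txt has no rootwait parameter to anchor on")
    params.insert(params.index("rootwait") + 1, CMDLINE_PARAM)
    return " ".join(params) + "\n"


def wpa_supplicant_conf(ssid, psk, country="US"):
    """Render the wpa_supplicant.conf shown on the page for one WPA-PSK network."""
    for value in (ssid, psk):
        if '"' in value or "\n" in value:
            raise ValueError("ssid/psk must not contain quotes or newlines")
    return (
        "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev\n"
        "update_config=1\n"
        f"country={country}\n"
        "network={\n"
        f'    ssid="{ssid}"\n'
        f'    psk="{psk}"\n'
        "    key_mgmt=WPA-PSK\n"
        "}\n"
    )


def prepare_boot_partition(boot_dir, ssid, psk):
    """Apply all SD-card edits to a mounted boot partition (hypothetical helper name)."""
    boot = Path(boot_dir)
    config = boot / "config.txt"
    config.write_text(patch_config_txt(config.read_text()))
    cmdline = boot / "cmdline.txt"
    cmdline.write_text(patch_cmdline_txt(cmdline.read_text()))
    (boot / "ssh").touch()  # an empty "ssh" file enables sshd on first boot
    (boot / "wpa_supplicant.conf").write_text(wpa_supplicant_conf(ssid, psk))
    return sorted(p.name for p in boot.iterdir())


if __name__ == "__main__":
    import sys
    # usage: python prep_boot.py /path/to/sdcard/boot "<your wifi SSID>" "<your wifi password>"
    print(prepare_boot_partition(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Running the script twice leaves the files unchanged, and a cmdline.txt that has been split across lines is rejected instead of silently producing a Pi that never loads dwc2.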

  • Copy the content of AutogadgetFS/Pizero/ to the Pi zero: username: pi & password: raspberry

    cd AutogadgetFS/Pizero/
    scp gadgetfuzzer.py removegadget.sh requirements.txt router.py pi@<pi-ipaddress>:/home/pi
  • SSH into the PI Zero and setup requirements for AutoGadgetFS:

    ssh pi@<pi-ip-address>
    chmod +x removegadget.sh
    sudo apt update
    sudo apt install python3 python3-pip
    sudo -H pip3 install -r requirements.txt
  • Upgrading to the latest kernel and adding modules (this step is optional for the current release; compiling on the Pi Zero takes a very long time unless you cross-compile the kernel, see Compiling options):

    sudo bash
    apt install git bc bison flex libssl-dev make libncurses5-dev screen
    screen
    mkdir Downloads
    cd Downloads/
    git clone --depth=1 https://github.com/raspberrypi/linux
    cd linux/
    make bcmrpi_defconfig
    make menuconfig
    • Enable the modules and save the config:

    • Build and use the kernel:
    make zImage modules dtbs
    make modules_install
    cp arch/arm/boot/dts/*.dtb /boot/
    cp arch/arm/boot/dts/overlays/*.dtb* /boot/overlays/
    cp arch/arm/boot/dts/overlays/README /boot/overlays/
    cp arch/arm/boot/zImage /boot/kernel.img
    reboot

And you’re done!

AutoGadgetFS tutorial:

Click to visit the tutorial

Screenshots:

Man in the Middle:

USB device fuzzing:

Host side fuzzing with code coverage:

Fuzzer based on a selection of bytes:

Smart fuzzer based on learning traffic:

In [44]: x.devSmartFuzz(engine="smart",samples=5,filename="/home/raindrop/PycharmProjects/AutoGadgetFs/binariesdb/Nud-Nuvoton-1046-20764-1590421333.5169587-Nuvoton-1046-20764-1590421600.8067274-device.bin")
[+]General Statistics
Full charset : !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
Discarded charset : !"#$%&'()*+,-./:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ghijklmnopqrstuvwxyz{|}~
Final charset : 0123456789abcdef
Word Length : 128
Lower Case index usage : 92%
Lower Case index locations : [1, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 121, 122, 124, 125, 127]
Upper Case index usage : 0%
Upper Case index locations : []
Digit index usage : 96%
Digit index locations : [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 123, 126]
NonAN index usage : 0%
NonAN index locations : []
Counter statistics : Uppercase: 0 , Lowercase: 133071, Digits:212017 , NonAlphaNumeric:0
All char Frequencies :
character:5 found:5012 times
character:2 found:22563 times
character:3 found:12197 times
character:8 found:15008 times
character:4 found:13275 times
character:0 found:98056 times
character:1 found:17861 times
character:f found:87823 times
character:d found:7221 times
character:7 found:9614 times
character:a found:11148 times
character:6 found:10472 times
character:b found:8189 times
character:9 found:7959 times
character:c found:9172 times
character:e found:9518 times
***********************
generated:5 Packets
***********************
Out[44]:
['5608305852bf2ffd61770e2c827542f20be0b0fcba09db916bd07e1734b04cb0352b1d278068064d19f033bfad6fa90e53d865693fd4fee0214f00000eb0aa2c',
'3b083595f276e2f1353a535c32f0f59516fc9328f7673bb80262c4da11c93683afe6dcff8a7a83018d78f41498a0da4d141ebd39c361b1724f2b00000eb0aa2c',
'0120961963495c4dab9470738b497eddde07b0d70b357795ad9554d7964761969a6d997205e17eada6fa84eb33dcfb11412f75e04c195001283900000eb0aa2c',
'091065d52127bbc6e840e02f8e1316f1c4d9c92a23931c00cdbb8c158368852ef8fabd461b98812b51ec84e1ccc5c04aaa366fbafabec623bd3500000eb0aa2c',
'7300cc61151b7af27a578e766f49bebb2de68c48b37a00df1030ae464f456928eedd035303e697208bf58217af728a2a346fda5c8aef0335b82e00000eb0aa2c']

In [46]: x.edap.packets
Out[46]:
['5608305852bf2ffd61770e2c827542f20be0b0fcba09db916bd07e1734b04cb0352b1d278068064d19f033bfad6fa90e53d865693fd4fee0214f00000eb0aa2c',
'3b083595f276e2f1353a535c32f0f59516fc9328f7673bb80262c4da11c93683afe6dcff8a7a83018d78f41498a0da4d141ebd39c361b1724f2b00000eb0aa2c',
'0120961963495c4dab9470738b497eddde07b0d70b357795ad9554d7964761969a6d997205e17eada6fa84eb33dcfb11412f75e04c195001283900000eb0aa2c',
'091065d52127bbc6e840e02f8e1316f1c4d9c92a23931c00cdbb8c158368852ef8fabd461b98812b51ec84e1ccc5c04aaa366fbafabec623bd3500000eb0aa2c',
'7300cc61151b7af27a578e766f49bebb2de68c48b37a00df1030ae464f456928eedd035303e697208bf58217af728a2a346fda5c8aef0335b82e00000eb0aa2c']
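The statistics printed above (charset, word length, per-index usage of lower case, upper case, digits and non-alphanumerics, character frequencies) describe what the smart fuzzer learns from its samples before generating packets. The following is an added example that reproduces that idea in plain Python; it is not the AutoGadgetFS implementation and the function names are assumed. The sample packets are constructed for the example (the fixed 12-character tail mimics a trailer a device never varies), and keeping such never-varied indices constant in generated packets is this example's own design choice.

```python
import random
import string
from collections import Counter

# Constructed sample packets (hex strings of equal length) standing in for a
# saved device capture. They are invented for this example; the fixed
# 12-character tail mimics a trailer the device never varies.
SAMPLE_PACKETS = [
    "5608305852bf2ffd61770e2c8275" + "00000eb0aa2c",
    "3b083595f276e2f1353a535c32f0" + "00000eb0aa2c",
    "0120961963495c4dab9470738b49" + "00000eb0aa2c",
    "091065d52127bbc6e840e02f8e13" + "00000eb0aa2c",
    "7300cc61151b7af27a578e766f49" + "00000eb0aa2c",
]

CLASSES = {
    "digit": string.digits,
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
}


def char_class(ch):
    """Classify one character into digit / lower / upper / nonan."""
    for name, members in CLASSES.items():
        if ch in members:
            return name
    return "nonan"


def learn_profile(packets):
    """Learn word length, charset and per-index character classes from samples."""
    lengths = {len(p) for p in packets}
    if len(lengths) != 1:
        raise ValueError(f"samples must share one length, got {sorted(lengths)}")
    length = lengths.pop()
    seen_chars = [set() for _ in range(length)]
    seen_classes = [set() for _ in range(length)]
    for packet in packets:
        for i, ch in enumerate(packet):
            seen_chars[i].add(ch)
            seen_classes[i].add(char_class(ch))
    frequencies = Counter("".join(packets))  # "All char Frequencies"
    return {
        "length": length,
        "charset": "".join(sorted(frequencies)),  # the "Final charset"
        "seen_chars": seen_chars,
        "seen_classes": seen_classes,
        "frequencies": frequencies,
    }


def class_usage(profile, name):
    """Return (percentage of indices where the class occurred, those indices)."""
    hits = [i for i, classes in enumerate(profile["seen_classes"]) if name in classes]
    return round(100 * len(hits) / profile["length"]), hits


def generate_packets(profile, count, seed=None):
    """Generate packets whose every index respects the classes seen there."""
    rng = random.Random(seed)
    charset = profile["charset"]
    packets = []
    for _ in range(count):
        chars = []
        for i in range(profile["length"]):
            seen = profile["seen_chars"][i]
            if len(seen) == 1:
                # this index never varied in the samples: keep it as observed
                chars.append(next(iter(seen)))
                continue
            allowed = [c for c in charset if char_class(c) in profile["seen_classes"][i]]
            chars.append(rng.choice(allowed))
        packets.append("".join(chars))
    return packets


if __name__ == "__main__":
    prof = learn_profile(SAMPLE_PACKETS)
    print("Final charset :", prof["charset"])
    print("Word Length   :", prof["length"])
    for cls in ("lower", "upper", "digit", "nonan"):
        pct, where = class_usage(prof, cls)
        print(f"{cls} index usage : {pct}% at {where}")
    for pkt in generate_packets(prof, 5, seed=1):
        print(pkt)
```

With the constructed samples the learned charset is 0123456789abcdef, upper-case and non-alphanumeric usage are 0%, and every generated packet keeps the constant trailer, which is why such a fuzzer exercises the variable fields of a protocol rather than tripping over a fixed framing byte.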

Help method:

AutoGadgetFS console. A much simpler way to use AGFS:

Youtube Playlist:

Youtube Playlist


Join Slack:

Visit AutogadgetFS Slack Channel

Contact:
[email protected]
https://twitter.com/0xRaindrop

Source: KitPloit
