So you think your phone or iPad are safe? Rubber Ducky script for mobile targets and Hak5 OMG cables

Captions
- This video is part of my series showing you how to use O.MG cables to hack networks. In this first video, I'm gonna show you how to hack an Android phone, as well as an iOS device, in this case, an iPad using an O.MG cable. This is a USB-C to USB-C O.MG cable. Now the scariest thing about these O.MG cables is that you can't see the difference between a traditional USB cable, or lightning cable, and these O.MG cables. They look exactly the same, but they have access points within them, they allow you to run scripts on devices, such as Android devices and iOS devices. They also now are key loggers, so you can log keystrokes using these O.MG cables. So in this first video, I'm gonna show you how to Rickroll a person using an O.MG cable. I'll show you how to make a telephone call using an O.MG cable and an Android device.

- [Phone] 4, 3, 7, 3, double 4, double 4 from another phone.

- And I'll show you how to take photographs using the O.MG cable. It's extremely worrying and extremely scary what you can do with these cables. Never just trust any cable. Don't just plug in your devices into some random cable or into some random USB port, because you never know what's going to happen. As always, what I'm demonstrating in this video is for educational purposes only. Do not go and use this information and get into trouble. Make sure that you use this information to make people aware of the vulnerabilities in the USB standard. Don't just trust any USB cable. Don't just trust any device. You need to act with security in mind. Don't just trust anyone. Don't just trust any device or cable. (bouncy music)

Now before we continue, I'm really happy to announce that MG and Darren from Hak5 are sponsoring a giveaway. One person is gonna win a $180 Hak5 gift card. That will allow you to purchase an O.MG cable such as this or one of the others. So one person is gonna win a $180 Hak5 gift card, but you need to use a secret code to enter this competition.
So make sure that you watch the entire video so that you can get to the secret code to enter the competition.

In this example, I've plugged the cable into an Android phone. Nothing else is connected, but what I can do is on my iPhone as an example, connect to an access point running within that cable. So in this example, I've configured it as the fbi network. You, when you set up this cable can configure it with any kind of access point name that you want to, any kind of security. I've previously connected to this network, so the password has been stored. I'm automatically connected to the device. By default, it uses an address 192.168.4.1. I can connect to that network. And as you can see, I'm now connected to the O.MG cable connected to this Android phone.

So what I could do is load a script. I'll load a script from slot 1. There are various slots here, you can preload scripts ready to deploy, or you can simply copy and paste a script remotely onto the O.MG cable. So before I do anything, notice I'm not touching the phone, not touching the cable, but what I'll do is press run and hopefully the phone will do something. Notice it's opening up a URL. And I'll unmute the phone. We get the famous Rickroll. So that's an example of opening up a website. Now I can get it to do all kinds of things. I could get that to go to a malicious website if I wanted to. But in this example, let's try and get it to do something else. So let's run this script and see what it does.

- [Phone] This call can't be completed as your account balance is too low.

- So what I got to do there is make a phone call. This phone has a SIM card in that doesn't have enough credit to make any phone calls. I need to top it up. It's just a top up SIM card. It doesn't have any credit on it, so it can't actually make the phone call, but notice it tries to dial a number, and I'll run that again.

- [Phone] Could not be completed as your account balance is too low.
To top up, purchase a 3 voucher and dial 444 from your 3 handset, 0843-373-4444 from another phone.

- Okay, so it tried to make a phone call. Quite scary that. Let's try one last test with an Android phone, and then I'll show you with iOS. So I'll load another script here. Press run. And what that just did was take a photo. So if I press here, notice it's just taken two photos. Run that again as an example. So run that. What it should do, hopefully, is take two photographs. And there you go, it just took two extra photographs. So that's quite worrying because this cable looks just like a normal USB-C to USB-C cable, but I can get it to do all kinds of malicious things.

So let's do it with an iPad. Now what I'll do in this example is copy a script. Instead of loading a script, I'll simply copy a new script, and I'll paste it into the O.MG cable. So I've connected my Mac to the O.MG cable using the fbi network. I've opened up a browser to the O.MG cable. I've pasted in a script. Now, before I run it, I'll change this string so it doesn't go to the O.MG website, but to a YouTube page so that I can Rickroll the person using this iPad. So I'll run the payload. And what you'll notice there is an ad is playing. ("Never Gonna Give You Up" by Rick Astley) And there you go. So I've been able to Rickroll both an iPad, as well as an Android phone using the O.MG cable. Really scary what you can do with the O.MG cable.

Now _MG_, the creator of the O.MG cable, gave me the scripts to open up a web browser on Android, as well as iOS. I created the call script, as well as the take photo script. I did those very, very quickly in a short amount of time. So they're not perfect. They may not necessarily always work. If you're going to use them, you're probably gonna want to fix them and iterate them and make them better. But that was sort of a quick test to see if I could get it to work and I did.
As always, please don't use the information that I'm sharing here for malicious purposes, but be aware of the issues of trusting cables. Don't just trust any cable from your friends or from some random stranger, because it could be an O.MG cable such as this. Again, the only way to identify this as an O.MG cable, rather than a standard USB cable is by this little tag. So if I took that off, I wouldn't be able to differentiate between this cable and a standard USB cable.

Now in this video, I simply wanted to demonstrate some of the options with the O.MG cable. I've put links to the scripts below this video if you want to try this yourself. Again, use it at your own risk. I'll cover the setup of the O.MG cable in a separate video. I have discussed the setup of the O.MG cable in a previous video, which I've linked here and below, but I'll do an updated version of that video. Process is very similar. The language used here is very similar to the Rubber Ducky language. I'll also create some additional videos on the Rubber Ducky language, because some of you have asked for that. This video does cover some of the basics if you're interested in learning how to set up the Rubber Ducky as an example.

Okay, so the secret code that you need is OMGCABLEHACKS. Use the code OMGCABLEHACKS to enter the competition using the link below. I want to wish you all the very best for the competition, but more importantly, all the very best for your career. Go out there and make a success of your life. (bouncy music)
Info
Channel: David Bombal
Views: 348,394
Keywords: omg, omg cable, android, android phone, ios, apple ios, apple ipad, apple iphone, samsung, hak5, hak5 omg, kali linux, kali linux tutorial, ceh, oscp, kali, rubber ducky, hak5 rubber ducky, rubber ducky usb, rubber ducky hak5, usb rubber ducky, usb rubber ducky tutorial, usb rubber ducky unboxing, usb rubber ducky payloads, hak5 omg cable, hak5 bash bunny, hak5 omg cable tutorial, hak5 cloud c2
Id: 7YpJQT55_Y8
Length: 9min 1sec (541 seconds)
Published: Fri Sep 10 2021