Hack Any Computer in Seconds with the iMoPlant Cable

Mohammad Abdulaal
16/06/2021


Introduction:
This may seem as though it is an ordinary iPhone charging cable (aka Lightning cable). Well, it is not! The cable does resemble a genuine iPhone Lightning cable, but that is exactly the point. This cable, named the iMoPlant, can hack any computer in a matter of seconds. The evil mastermind resides in the connector plug of the USB-A end, within the enclosure, soldered onto the USB pads, where it can be neither seen nor detached. Throughout this article, I will walk you through how to program the iMoPlant to attack both macOS and Windows-based computers.

How Does It Work?

Within the USB-A male plug enclosure there is a hardware implant: an extremely tiny two-layer board. The top layer has a chip and passive components soldered onto it. The bottom layer has four pad contacts that are soldered onto the USB. The implant can be programmed to execute various payloads. Once the USB is plugged into the target's computer, the implant is powered on and starts executing its pre-loaded commands.

Simply put, it acts as a keyboard. A super-fast one. A keyboard that is capable of injecting keystrokes at lightning speed. When plugged into a computer, the iMoPlant Cable will identify itself as a keyboard. As a matter of fact, it will identify itself as a Human Interface Device (HID), which makes it possible to emulate a mouse as well (depending on the code uploaded).

The Implant
Dimensions
As mentioned above, the implant is a remarkably small (7.8mm x 10mm x 0.6mm) two-layer Printed Circuit Board (PCB) with components soldered onto it.

Design Tool
The design of the implant was deliberately made small enough to fit the USB enclosure. The design was done through EasyEDA. EasyEDA is a web-based Electronic Design Automation tool that allows electronics engineers, educators, students, makers, and enthusiasts to design and share their projects. https://easyeda.com/

Note: I will be releasing the Gerber files on my GitHub repo soon.

Soldering
When it comes to soldering small components, it is considered best practice to use solder paste and a heat gun. Avoid using a soldering iron with pb at all costs (frustrating!).

Zener Diodes
Because the USB port supplies +5V and the data lines (D+ and D-) cannot tolerate that high a voltage, we need a way to step that +5V down to 3.6V or below (which D+ and D- can tolerate). We cannot use a voltage regulator (too bulky for our implant!). This is where the Zener diodes come in. If we place a Zener diode in reverse-biased mode, the voltage across the diode remains constant for a wide range of currents. Let's test it out.
From the figure above, let's assume the 5V power supply is coming from the USB port. If we add a resistor in series and a reverse-biased 3V3 Zener diode, the voltage is regulated at 3.3V (far right). Loads in parallel with the Zener diode see the same voltage (those loads would be our D+/D- data lines). As such, we have made an easy, more compact voltage regulator.
Implant First Look
Once all the necessary components are soldered onto the top layer of the implant, it is time to solder the bottom layer onto the USB lower-end pads (see Fig. 5 and 6 below).

The figure above shows the two sides of the implant. The top side is where the chip is placed, whereas the bottom side of the implant contains four pads that perfectly match the spacing of the lower-end pads of the USB (5V D- D+ GND). The bottom side of the implant is soldered onto the lower end of the USB, as shown in figure 6 below.
Implant Finish Ups
The insertion process is illustrated in the figure below.
Programming the iMoPlant
To program the iMoPlant using the tools provided on my GitHub repo, you will need to follow these steps on a Kali Linux machine.

Getting Started
As the root user, execute the following.

Download the repo onto your Kali machine and follow the steps below.

git clone https://github.com/moe-aal/iMoPlant/

cd iMoPlant

Change permissions

chmod u+x *.sh

Update package sources

apt-get update

Run the installer

./installer.sh

Building the Payload
The imoplanter.sh script accepts one argument: the payload file, payload.txt. The payload file should have commands written in Rubber-Ducky Script format. Visit https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads to have a look at the different payload options already available. You can always make your own! You can also find a handful of other payloads for macOS. For demonstration purposes, I will write my own payload that will open a terminal window on my macOS machine and get my IP address by running ifconfig.
Uploading the Payload
Now, let us upload the payload using:

./imoplanter.sh payload.txt

You will have 59 seconds to plug in your iMoPlant Cable to have the code uploaded.

Execution Demo
Attacking MacOS
Attacker:
Building the Payload
Replace 192.168.8.149 with your IP.
Set Up Netcat Listener (Kali)

nc -nlvp 443
Victim's Machine:
Just plug the cable into the victim's macOS computer or persuade them to do it, and the reverse shell will call back to the attacker's listener and a shell will be received within seconds.

Bypassing Apple's Keyboard Setup Assistant Profiler:
If we insert any HID tool that is not an Apple product into the macOS computer, we are greeted by our nemesis (figure 15), the keyboard profiler, before the payload has a chance to execute.
The Keyboard Setup Assistant is supposed to help, but it actually makes things harder. In this case, we do not want to profile our keys. Instead, we want our preprogrammed commands to be executed. The reason we are greeted with the Keyboard Setup Assistant is that the HID device (the iMoPlant) is not an Apple product and therefore Apple does not trust it. Consequently, we are prompted by the Keyboard Setup Assistant to profile our non-Apple keyboard keys. But we do not want that. We can in fact have macOS believe that the iMoPlant is an Apple product.

Apple identifies its HID products by the Vendor ID (VID) and the Product ID (PID), and we can modify those values to make them match a legitimate Apple product. If we run the installer from the GitHub repo, it already takes care of that for us. The figure below shows how the iMoPlant is identified as an Apple product.

The Keyboard Setup Assistant will never be called into action because macOS will treat the iMoPlant as a fellow Apple product.
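
A defender-side check for the behaviour described in "How Does It Work?" and in this section, as an added example that is not part of the original article or the iMoPlant repo: because the VID and PID are whatever the device claims, the detector ignores them and instead flags any keyboard whose first keystrokes after enumeration arrive faster than a person can type. The event format, device names and thresholds are assumptions made for this example, and the sample events are constructed.

```python
from statistics import median

# Assumed tuning values (not from the article): adjust per environment.
MAX_HUMAN_GAP = 0.020   # seconds; sustained typing faster than this is not human
BURST_LEN = 10          # keystrokes examined per device
ATTACH_WINDOW = 5.0     # only keys within this many seconds of enumeration

def find_injecting_devices(events):
    """events: (timestamp, device_id, kind, detail) tuples, where kind is
    'attach' (detail = claimed (vid, pid)) or 'key' (detail = key name).
    Returns {device_id: reason} for keyboards that type too fast after attach.
    The claimed VID/PID is deliberately ignored: it is self-reported."""
    attached, stamps = {}, {}
    for ts, dev, kind, _detail in sorted(events, key=lambda e: e[0]):
        if kind == "attach":
            attached[dev] = ts
            stamps[dev] = []            # a re-plug restarts the observation
        elif kind == "key" and dev in attached:
            in_window = ts - attached[dev] <= ATTACH_WINDOW
            if in_window and len(stamps[dev]) < BURST_LEN:
                stamps[dev].append(ts)
    flagged = {}
    for dev, ts_list in stamps.items():
        if len(ts_list) < BURST_LEN:
            continue                    # too few keys to judge
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        m = median(gaps)
        if m < MAX_HUMAN_GAP:
            flagged[dev] = f"median gap {m * 1000:.1f} ms over first {BURST_LEN} keys"
    return flagged

# Constructed sample events (not captured from a real device).
HUMAN_GAPS = [0.21, 0.16, 0.18, 0.25, 0.14, 0.19, 0.22, 0.17, 0.20, 0.15, 0.18]
SAMPLE_EVENTS = [
    (50.0, "usb-1.4", "attach", ("vid-constructed", "pid-constructed")),
    (100.0, "usb-1.2", "attach", ("vid-claims-apple", "pid-claims-apple")),
]
t = 51.0
for gap in HUMAN_GAPS:                  # a person typing on usb-1.4
    SAMPLE_EVENTS.append((t, "usb-1.4", "key", "x"))
    t += gap
for i in range(12):                     # 4 ms apart, 0.8 s after attach
    SAMPLE_EVENTS.append((100.8 + i * 0.004, "usb-1.2", "key", "x"))

if __name__ == "__main__":
    for dev, reason in find_injecting_devices(SAMPLE_EVENTS).items():
        print(f"ALERT {dev}: {reason}")
```

In a real deployment the events would come from the operating system's USB enumeration and input logs; the function only needs timestamps per device, so it does not depend on any descriptor field the device supplies.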

Attacking Windows Machines
Attacker:
Building the Payload
We will build a meterpreter '.exe' payload using msfvenom and then host it on a Python server.
Now we build our script to write to the iMoPlant. The script should be able to do the following:

1. Start PowerShell
2. Download the rshell.exe from our server.
3. Execute the rshell.exe file

The script is as shown in the picture below.
Start msfconsole and then start a multi/handler listener.
Upload the Payload to the iMoPlant
Victim's Machine:
Just plug the cable into the victim's Windows computer or have them do it, and a reverse shell will call back to the attacker's listener within seconds.

Expected Output
Conclusion
In the final analysis, everything that can be done with a keyboard can be executed drastically faster using the iMoPlant Cable. Indeed, you can always make your payloads stealthier, and you can always be creative with your payloads. Although writing your own payload script is easy, there are a lot of payload options already available online. The software tools built to program the iMoPlant are on my GitHub repo, and they will make life easier. I will be publishing a continuation of this article in which I'll describe in detail how to make your own iMoPlant cable from scratch.
