Background:

USB fuzzing does not require special hardware. Instead, it uses a software driver for Windows that allows sending raw and malformed USB packets. Once the WinUSB driver is installed on the target machine, beSTORM uses a special standalone “router” that runs on the target machine and receives the payload over the network from the beSTORM client installed on a separate machine.

This separation is not mandatory (both can run on the same machine if desired), but it is highly recommended: one side effect of a successful USB-fuzzing attack may be a complete failure of the USB hardware, which is often attached to the PC motherboard, resulting in a complete computer failure.

Set up:

Run the beSTORM USB Router application. Depending on your environment, you may need additional libraries such as the VS 2015 Redistributable (32-bit). Try to run beSTORM USB Router on the target computer; if you receive an error about a missing DLL file, download and install the VS 2015 32-bit version from here:

https://www.microsoft.com/en-us/download/details.aspx?id=52982

To install the WinUSB driver, use the “Zadig” helper application. You can download Zadig here:

https://github.com/pbatard/libwdi/releases/tag/b721

Open Zadig, click Options→List all devices to show all USB devices, and choose the device you want to fuzz from the drop-down menu.

In the “Driver” row you will see the current USB driver for this device; on the right side, make sure “WinUSB” is selected. Now click “Replace driver”. You should now see “WinUSB” as the driver on both sides:

USB Fuzzing Zadig Reinstall Driver

Restart your computer. This only needs to be done once for the device you are fuzzing. Once the device driver for this device is “WinUSB”, beSTORM will have access to it. Also, write down the first 4 digits of the USB ID, as this will be used later to identify this device for the fuzzing.

NOTE: Zadig does not uninstall the USB driver after it has been installed. To revert back to the original Windows version of the USB driver, open the device manager, find the device, open the “Properties” and go to the device tab. You will have an option to roll back to the original Windows version of the driver.

Setting up the USB Router:

On the machine connected to the device, run beSTORM USB Router. From the WinUSB devices list, choose the one that you would like to test:

Setting up the beSTORM USB Router

Click on Ping to make sure the device is available and the beSTORM USB Router is able to communicate with it. An error may indicate that the USB device is in use by some other program or that a restart is needed.

beSTORM USB Router ping function with result: success

If the device answers the ping correctly, choose the IP that the beSTORM USB Router will listen on. This is the IP that beSTORM will connect to and communicate with. Note that this IP needs to be selected even if the beSTORM Client is on the same machine as the beSTORM USB Router:

beSTORM Injection Engine

Click Start to have the beSTORM USB Router listen for injection requests from beSTORM.
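
The following pre-flight check is an added example, not part of beSTORM or of the original page. Run on the target machine after clicking Start, it lists the devices bound to WinUSB and confirms that something is listening on the router's UDP port. It assumes the default port 1521 used in the client configuration and the usual `USB\VID_xxxx&PID_xxxx\...` instance ID form; treating the vendor ID as the first four digits of the USB ID shown in Zadig is also an assumption.

```powershell
# Added example: pre-flight check on the target machine (not part of beSTORM).
# Assumptions: default router port 1521/UDP; USB instance IDs of the usual
# form USB\VID_xxxx&PID_xxxx\...
$RouterPort = 1521

# 1. Devices currently bound to the WinUSB driver service.
$winUsb = @(Get-CimInstance -ClassName Win32_PnPEntity -Filter "Service='WinUSB'" |
    ForEach-Object {
        $usbVid = $null; $usbPid = $null   # $PID is reserved in PowerShell
        if ($_.PNPDeviceID -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
            $usbVid = $Matches[1]; $usbPid = $Matches[2]
        }
        [pscustomobject]@{
            Name      = $_.Name
            VendorId  = $usbVid
            ProductId = $usbPid
            # 0 means Windows reports the device as working properly
            ErrorCode = $_.ConfigManagerErrorCode
        }
    })

if ($winUsb.Count -eq 0) {
    Write-Warning 'No device is bound to WinUSB; replace the driver in Zadig and restart.'
} else {
    $winUsb | Format-Table -AutoSize
}

# 2. UDP endpoints bound to the router port, with the owning process.
$endpoints = @(Get-NetUDPEndpoint -LocalPort $RouterPort -ErrorAction SilentlyContinue)
if ($endpoints.Count -eq 0) {
    Write-Warning "Nothing is listening on UDP $RouterPort; click Start in the USB Router."
} else {
    $endpoints | ForEach-Object {
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Process      = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
    } | Format-Table -AutoSize
}
```

The `LocalAddress` reported in step 2 should be the IP selected in the USB Router, which is the same address the beSTORM Client is pointed at.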

Monitoring:

The beSTORM USB Router can monitor the USB device automatically. To use this function, tell the beSTORM USB Router where the beSTORM client is located, and it will periodically ‘ping’ the USB device and notify the beSTORM Client if there are any issues:

beSTORM monitoring host

“Monitoring Host” is where the beSTORM Client is located (in this case, the same computer as the USB device) and “Monitoring Frequency” is how often you want the USB Router to ‘ping’ the device (default: once per second).

Starting the test:

On a separate machine (this isn’t mandatory, but highly recommended) run the beSTORM Client. Open the USB Request Block module on the client.

In the “Hostname or IP” field put the IP address that the beSTORM USB Router is listening on (in the example above, that is “192.168.127.128”).

Click Next to see the environment variables screen.

beSTORM new project wizard

The only environment variables are the “remote hostname”, which is the IP the USB Router is listening on, and the port the USB Router is listening on (default: 1521). Make sure to use the IP address the USB Router is listening on.

The protocol is always UDP, since the USB Router communicates with the beSTORM client using UDP.
Click Next to configure the monitoring.

beSTORM new project wizard extra configuration

In this screen, unselect ARP and ICMP echo: these are only useful if you expect the machine you are testing to crash completely. Even if that happens (quite possible if the USB is part of the motherboard and a USB error brings down the entire device), the USB Router component will stop responding as well, so the additional ARP and ICMP pings are unnecessary.

To use the USB Router as the monitor, select External Monitor and enter the IP of the computer where the USB Monitor is installed. In the example above, it is on the same computer.

Click Next and beSTORM will be ready to start testing. You can leave the “Auto-start beSTORM scan now” box checked to start immediately, or uncheck the box to view the configuration before starting. In the latter case, after clicking Finish the screen will look as follows:

beSTORM test progress

Clicking on the URB Request Block on the top right side of the screen will show the protocol tree that will be tested:

beSTORM module browser

Click Start to start the fuzzing session. beSTORM will send fuzzed USB requests to the USB Router, which will inject them into the device via the WinUSB driver. The USB Router will send a ping to the USB device periodically and report to beSTORM any issues that may indicate a weakness. If the USB Router stops functioning (usually because the USB subsystem crashes following a bug in the USB device), beSTORM will stop the fuzzing and raise an exception.

The following is an example of a failed ping request:

failed ping request

The following is an example of a possible exception:

beSTORM exception information

Generating the report:

When finished, generate a report by clicking on “Report→Generate Report” from the menu.