Hacking with Arduino: Build Your Own USB Payload

November 8, 2016 | Views: 31708


Arduino is an open-source project that created microcontroller-based kits for building digital devices and interactive objects that can sense and control physical devices.

Arduino boards are available commercially in preassembled form, or as do-it-yourself kits. Some of them are really small and have a built-in USB connector which makes sketch upload easier.

Some of you may be thinking, how can Arduino be used to hack something?

Well, since Arduino supports keyboard emulation, we can build a sketch that contains keyboard instructions to type a command and execute it, just like the popular USB Rubber Ducky (http://usbrubberducky.com/).

In this article, I will show you how to turn an Arduino Pro Micro into a USB Rubber Ducky, using a simple Arduino script.

You can execute almost anything using keyboard emulation and autorun, even with antivirus installed and updated, from just typing simple commands to coding an executable from scratch.

All of it will be done automatically, starting right after Arduino is installed on the target computer. This typically takes about 3 – 5 seconds.

First, let’s see it in action!

Preparation

Tools you’ll need:

  • Arduino Pro Micro ATMega32U4 5V/16MHz (or any Arduino with ATMega32U4 chip)
  • USB Micro Adapter Cable (you don’t need this one if the Arduino you use comes with builtin USB A male connector)

Software you’ll need:

  • https://www.arduino.cc/en/Main/Software

Sketch:

  • https://github.com/cdmsoftware/ArduinoDuckyScript/tree/master/AddAdmin_Payload

Step by step Instructions

How does it work?

A sketch file is just a regular script file with an .ino extension. It contains 2 main procedures: setup() and loop(). Below is the basic structure for doing keyboard emulation:

#include <HID.h>
#include <Keyboard.h>

void setup() {
  // put your setup code here, to run once:
}

void loop() {
  // put your main code here, to run repeatedly:
}

The setup() procedure is executed only once, when the Arduino is powered on and initialized, while the loop() procedure is executed repeatedly, over and over again, until the Arduino is powered off.

When giving instructions to type something, always add a delay() command to let the computer process the instructions. You also need to add a delay() command when pressing a key combination. For example, here are the commands to press a Windows key combination (Windows key + x).

Keyboard.press(KEY_LEFT_GUI);
delay(1000);  // the processor needs time to register the key press
Keyboard.press('x');
Keyboard.releaseAll();
delay(500);  // approximate time needed to process our instruction

For the complete list of modifier keys, see https://www.arduino.cc/en/Reference/KeyboardModifiers

Prevention?

To prevent this kind of attack, you can hold down the Alt key while plugging in a suspicious device.
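On the host side, an emulated keyboard can also be recognised by its timing: it starts typing seconds after it is attached and sends keys in fast, regular bursts. The following is an added example, not code from the original article; the function names, thresholds and sample timestamps are assumptions constructed for illustration.

```python
from statistics import median

# Thresholds are assumptions for illustration; tune them against real typing data.
MAX_FIRST_KEY_DELAY = 10.0  # seconds after attach in which typing is unusual
MIN_HUMAN_INTERVAL = 0.030  # median gap under 30 ms is faster than sustained human typing
MIN_BURST_KEYS = 8          # ignore sequences too short to judge

def split_bursts(times, pause=0.4):
    """Split sorted key-down timestamps into bursts separated by pauses such as delay() calls."""
    bursts, current = [], []
    for t in times:
        if current and t - current[-1] > pause:
            bursts.append(current)
            current = []
        current.append(t)
    if current:
        bursts.append(current)
    return bursts

def assess_keyboard(attach_time, key_times):
    """Return (suspicious, reasons) for one newly attached keyboard device."""
    reasons = []
    times = sorted(key_times)
    if not times:
        return False, reasons
    first_delay = times[0] - attach_time
    if first_delay <= MAX_FIRST_KEY_DELAY:
        reasons.append("typing began %.1f s after attach" % first_delay)
    for burst in split_bursts(times):
        if len(burst) < MIN_BURST_KEYS:
            continue
        gaps = [b - a for a, b in zip(burst, burst[1:])]
        if median(gaps) < MIN_HUMAN_INTERVAL:
            reasons.append("burst of %d keys, median gap %.0f ms"
                           % (len(burst), median(gaps) * 1000))
            break
    # Require both signals so a fast typist on a long-attached keyboard is not flagged.
    return len(reasons) == 2, reasons

# Constructed sample: device attached at t=100.0 s, 20 keys sent 5 ms apart from t=103.5 s.
INJECTED = [103.5 + i * 0.005 for i in range(20)]
# Constructed sample: a person typing about 5 keys per second, 45 s after attach.
HUMAN = [145.0 + i * 0.18 + (i % 3) * 0.02 for i in range(20)]

if __name__ == "__main__":
    print(assess_keyboard(100.0, INJECTED))
    print(assess_keyboard(100.0, HUMAN))
```

In practice the attach time and key timestamps would come from the operating system's device and input event logs.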

16 Comments
  1. Dude, is it possible to do that using an Arduino R3? Does that need to be put in DFU mode? I'm not an expert in electronics, I'm trying to do ..

  2. Can I use this code with Digispark ATTiny85?
    Please help me..

  3. I’m guessing that this could be altered to work with a Raspberry Pi, am I correct?

  4. Will this still work even if USB ports are disabled?

  5. Looks like the YouTube videos are missing. Here are the corresponding YouTube links:
    https://www.youtube.com/watch?v=MIXeYL1iCDA
    https://www.youtube.com/watch?v=Y1TsRxOQEl8
