WHID Injector: How to Bring HID Attacks to the Next Level

Luca Bongiorni
Aug 16, 2017 · 6 min read

Since the first public appearance of HID Attacks (i.e. PHUKD, Kautilya, Rubberducky), a lot of awesome research and results have been published (e.g. Iron HID, Mousejack and the coolest of all, USaBUSe).

Due to this increased amount of nifty software, as a Pentester and Red-Teamer I wanted cheap, dedicated hardware that I could control remotely (e.g. over WiFi or BLE). And this is how WHID was born.

Since the inception of my first HID injecting devices (based on Teensy boards, see photo below), I always faced the need to decide when to deliver a certain payload. This was partially achieved by using Irongeek’s photoresistor and dip-switch tricks [1].

However, I soon realized that full remote control over a radio channel would be cool. At the beginning, years ago, I was thinking of using some cheap 433 MHz TRX modules connected to the Teensy board… sadly, due to lack of time and other cool projects, this idea was dropped into my awesome-pentesting-tools to-do list. 😋

What is WHID Injector?

At this point you are wondering what is behind WHID Injector and what its capabilities are. 😎

WHID stands for WiFi HID injector. It is a cheap but reliable piece of hardware designed to fulfill Red-Teamers’ & Pentesters’ needs related to HID Attacks during their engagements.

The core of WHID consists of an Atmega 32u4 (commonly used in many Arduino boards) and an ESP-12s (which provides the WiFi capabilities and is commonly used in IoT projects).

WHID’s Software

When I started to think about a remotely controlled HID injector, and thus about adding an ESP chipset to an Arduino-like board, I soon figured out that some hardware already existed that could fulfill my need: AprBrother’s Cactus Micro Rev2 (which was EOL).

Nonetheless, I started to read the ESP specs and think about how to create a simple PoC sketch that would let me remotely upload malicious payloads through the WiFi AP. And here it is [2] (I would like to thank Corey from http://www.LegacySecurityGroup.com for his initial experiments).

WHID’s Github Repo

Afterwards, with working software in my hands, I wanted to improve the EOL Cactus Micro Rev2 hardware (considering that it is also compatible with USaBUSe [3]).

Overall, this is how my simple GUI looks (I know it looks awful, but it works! 😁):

Third-Party Software Supported

  • ESPloit V2 — https://github.com/exploitagency/ESPloitV2

This is the upgraded version of my WHID GUI, which was developed by Corey from Exploit Agency! (Since July it is the default software you will find pre-installed on Cactus WHID!)

  • USaBUSe Github Repo

This awesome tool has been created by @RoganDawes from @SensePost.

It is more than a simple remote HID injector! It allows bypassing air-gapped environments and having side-channel C&C communication over WHID’s ESP WiFi!

    Further links:

      - Defcon 24 Video
      - Defcon 24 Slides
      - https://sensepost.com/blog/2016/universal-serial-abuse/
      - USaBUSe Video PoC
      - Cyberkryption’s Tutorial

  • WiFi Ducky — Github Repo

This is a nice project developed by @spacehuhn, and it takes my simplistic WHID software even further by adding cool features like realtime injection, ESP firmware OTA updates, etc.

  • WiDucky — Github Repo

An older-but-cool project, which has the pro feature of using the ESP’s WiFi as a C&C communication channel. It also has its own Android app for remote control.

Some Video Tutorials

I will leave here a couple of videos about WHID Injector’s installation and capabilities.

WHID Attack Simulation against Windows 10 Enterprise

Wifi Ducky on WHID device (WINDOWS)

How To Install WHID Injector Software on WINDOWS

How To Install WHID Injector Software on OSX

Possible Applications

  • Classic — Remote Keystrokes Injection Over WiFi

Deploy WHID on the victim’s machine and remotely control it by connecting to its WiFi AP SSID (alternatively, you can also set up WHID to connect to an existing WiFi network).

  • Social Engineering — Deploy WHID inside a USB-enabled gadget

The main idea behind it is to test for Social Engineering weaknesses within your target organization (e.g. DLP policy violations) and to bypass physical access restrictions to the victim’s PC.

Usually, I create a fancy brochure (sample template: https://github.com/whid-injector/WHID/tree/master/tools/Social_Engineering_Lures ), attach a weaponized USB gadget to it, and then ship it via a common delivery carrier (e.g. UPS, DHL, FedEx).
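From the defender’s side, the remote keystroke injection described above has a telltale signature: a keyboard that appears out of nowhere and types far faster and more regularly than a human. The following is an added example (not part of WHID or any of the projects above) that flags such bursts in a constructed keystroke event log; the thresholds and the device names are assumptions to be tuned per environment.

```python
"""Flag keystroke bursts too fast and too regular to be human-typed (e.g. HID injection)."""
from statistics import pstdev

# Assumed thresholds (tune per environment): sustained gaps under 40 ms are not human typing,
# injected keystrokes arrive with near-constant spacing, and a burst must be long enough to matter.
HUMAN_MIN_INTERVAL_MS = 40
MAX_JITTER_MS = 5
MIN_BURST_KEYS = 12

# Constructed sample events: (timestamp_ms, key, input_device). The first device is a person
# typing, the second is a newly enumerated keyboard replaying a script at 10 ms per key.
HUMAN_EVENTS = [(t, k, "kbd0") for t, k in zip(
    [0, 130, 260, 410, 520, 700, 850, 940, 1100, 1280, 1400], "hello world")]
INJECTED_EVENTS = [(5000 + 10 * i, k, "usb-hid:new-keyboard")
                   for i, k in enumerate("the quick brown fox!")]
SAMPLE_EVENTS = HUMAN_EVENTS + INJECTED_EVENTS


def _check_run(dev, run, min_keys, max_jitter):
    """Decide whether one run of fast consecutive keystrokes from `dev` looks injected."""
    if len(run) < min_keys:
        return []
    if len({key for _, key in run}) == 1:
        return []  # one key held down: keyboard auto-repeat is fast and regular but benign
    gaps = [b - a for (a, _), (b, _) in zip(run, run[1:])]
    if pstdev(gaps) > max_jitter:
        return []  # fast but irregular: more likely a quick typist than a scripted replay
    return [(dev, run[0][0], run[-1][0], len(run))]


def detect_injection_bursts(events, min_interval=HUMAN_MIN_INTERVAL_MS,
                            min_keys=MIN_BURST_KEYS, max_jitter=MAX_JITTER_MS):
    """Return (device, first_ts, last_ts, key_count) for each suspicious burst, per input device."""
    by_device = {}
    for ts, key, dev in events:
        by_device.setdefault(dev, []).append((ts, key))
    alerts = []
    for dev, keys in by_device.items():
        keys.sort()
        run = [keys[0]]
        for prev, cur in zip(keys, keys[1:]):
            if cur[0] - prev[0] < min_interval:
                run.append(cur)          # still inside a fast burst
            else:
                alerts.extend(_check_run(dev, run, min_keys, max_jitter))
                run = [cur]              # gap too long: start a new run
        alerts.extend(_check_run(dev, run, min_keys, max_jitter))
    return alerts


if __name__ == "__main__":
    for dev, start, end, n in detect_injection_bursts(SAMPLE_EVENTS):
        print(f"ALERT {dev}: {n} keys in {end - start} ms starting at t={start} ms")
```

Pairing this with an alert on any newly enumerated USB keyboard-class device gives the SOC both the "who" (the device) and the "what" (the burst), and the auto-repeat check avoids paging on someone leaning on the spacebar.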

Conclusion

As you have noticed from the 3rd-party software above, WHID has a lot of potential: not only to play the usual role of HID injector, but also to bypass Air-Gapped environments.

If you would like to play with it… it is FOR SALE on:

Aliexpress or eBay

So far, beta testers have already provided very precious feedback to improve the final version of WHID. I’d like to thank @RoganDawes for suggesting adding the Hall Sensor as a reset switch!

How To Weaponize USB Gadgets!

Finally I had some spare time to Weaponize a new Mouse, in order to show you how easy it is to create malicious HID devices.

Materials Needed:

  • WHID Injector [x1]
  • Mini USB HUB [x1]
  • Wired USB Mouse [x1]
  • Soldering Kit (Iron, Flux, etc.)
  • Wires
  • Rubber Tape
  • Bit of Hot Glue

First of all, let’s start by ripping apart one mini USB HUB.

Usually I use one of these two:

For this project I have used the first one, since it was cheaper and already available in my lab.

The next step is to desolder all those wires, while keeping note of its pinout (i.e. GND, D+, D-, Vcc), since we will have to match the USB pinout with the WHID Injector’s.

Afterwards, we will have to solder the wires to the WHID Injector as explained in its Wiki.

GND D+ D- Vcc

At this point, we need to solder the wires back into the USB HUB and connect the WHID Injector to it.

In my case the colors were:

Here below is how it looks once everything is assembled:

Now the tricky part is to put everything back into the plastic case… and voilà, the final result!

Now we test whether everything works properly and start thinking about which payloads we can deploy, on demand and remotely, onto the targeted machines. 😎

Here below are a couple of PoCs I recorded of some useful payloads I usually use during engagements. Enjoy!

You will see how WHID can easily help pentesters to exfiltrate domain credentials with both a Phishing Technique and (FUDed) In-Memory Mimikatz.

P.S. These payloads are available at:

https://github.com/whid-injector/WHID/tree/master/payloads

[1] http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle

[2] https://github.com/whid-injector/WHID/tree/master/sketches/cactus_micro_rev2

[3] https://github.com/sensepost/USaBUSe
