Penetration Testing with Arduino: Build Your Own USB Payload

Arduino is an open-source project that created micro-controller based kits for building digital devices and interactive objects that can sense and control physical devices.

Arduino boards are available commercially in preassembled form, or as do-it-yourself kits. Some of them are really small and have a built-in USB connector which makes sketch upload easier.

Some of you may be thinking, how can Arduino be used to hack something?

Well, since Arduino supports keyboard emulation, we can build a sketch containing keyboard instructions that type a command and execute it, just like the popular USB Rubber Ducky (http://usbrubberducky.com/).

In this article, I will show you how to turn an Arduino Pro Micro into a USB Rubber Ducky, using a simple Arduino script.

You can execute almost anything using keyboard emulation and autorun, even with antivirus installed and updated, from just typing simple commands to coding an executable from scratch.

All of it will be done automatically, starting right after Arduino is installed on the target computer. This typically takes about 3–5 seconds.

First, let’s see it in action!

Preparation

Tools you’ll need:

  • Arduino Pro Micro ATMega32U4 5V/16MHz (or any Arduino with ATMega32U4 chip)
  • USB Micro Adapter Cable (you don’t need this one if the Arduino you use comes with a built-in USB A male connector)

Software you’ll need:

Sketch:

Step by step Instructions

How does it work?

A sketch file is just a regular script file with an .ino extension. It contains 2 main procedures: setup() and loop(). Below is the basic structure for doing keyboard emulation:

#include <HID.h>
#include <Keyboard.h>

void setup() {
  // put your setup code here, to run once:
}

void loop() {
  // put your main code here, to run repeatedly:
}

The setup() procedure is executed only once, when the Arduino is powered on and initialized, while the loop() procedure is executed repeatedly, over and over again, until the Arduino is powered off.

When giving instructions to type something, always add a delay() command to let the computer process the instructions. You also need to add a delay() command when pressing a key combination.

For example, here are the commands to press the Windows Key:

Keyboard.press(KEY_LEFT_GUI);
delay(1000); // the processor needs time to register the key press
Keyboard.press('x');
Keyboard.releaseAll();
delay(500); // approximate time needed to process our instruction

For a complete list of modifier keys, see https://www.arduino.cc/en/Reference/KeyboardModifiers

Prevention?

To prevent this kind of attack, you can hold down the Alt key while plugging in a suspicious device.
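
On the detection side, a board like this still has to register with the operating system as a new keyboard. The following is an added example, not part of the original article: it reviews Linux kernel log lines for newly registered USB keyboards and flags any that are not on an allowlist. The log lines, the allowlist and the function name are constructed for illustration; the two vendor IDs are those used by stock Arduino and SparkFun boards and should be checked against your own inventory.

```python
import re

# Linux kernel "hid-generic" registration line, for example:
# hid-generic 0003:2341:8036.0004: input,hidraw3: USB HID v1.01 Keyboard [Name] on usb-...
HID_LINE = re.compile(
    r"hid-generic [0-9A-Fa-f]{4}:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\w+: "
    r".*?USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\]"
)

# Assumption: USB vendor IDs reported by stock Arduino (2341) and SparkFun (1b4f)
# ATmega32U4 boards. Firmware can report any ID, so a match is only a hint;
# the allowlist check below is the control that matters.
DEV_BOARD_VIDS = {"2341", "1b4f"}


def review_keyboards(log_lines, allowlist):
    """Return (verdict, vid, pid, name) for every keyboard that registered."""
    findings = []
    for line in log_lines:
        m = HID_LINE.search(line)
        if not m or m["kind"] != "Keyboard":
            continue  # not a HID registration, or not a keyboard
        vid, pid = m["vid"].lower(), m["pid"].lower()
        if (vid, pid) in allowlist:
            verdict = "allowed"
        elif vid in DEV_BOARD_VIDS:
            verdict = "dev-board-keyboard"   # development board acting as a keyboard
        else:
            verdict = "unlisted-keyboard"    # unknown keyboard, still worth a look
        findings.append((verdict, vid, pid, m["name"]))
    return findings


# Constructed sample input (not captured from a real host).
SAMPLE_LOG = [
    "hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1/input0",
    "hid-generic 0003:046D:C077.0002: input,hidraw1: USB HID v1.11 Mouse [Logitech USB Optical Mouse] on usb-0000:00:14.0-3/input0",
    "usb 1-2: New USB device found, idVendor=2341, idProduct=8036, bcdDevice= 1.00",
    "hid-generic 0003:2341:8036.0004: input,hidraw3: USB HID v1.01 Keyboard [Arduino LLC Arduino Leonardo] on usb-0000:00:14.0-2/input2",
    "hid-generic 0003:1234:ABCD.0005: input,hidraw4: USB HID v1.11 Keyboard [Generic USB Keyboard] on usb-0000:00:14.0-4/input0",
]
ALLOWLIST = {("046d", "c31c")}  # constructed: the keyboard issued with this workstation

if __name__ == "__main__":
    for finding in review_keyboards(SAMPLE_LOG, ALLOWLIST):
        print(*finding)
```

Because the reported vendor and product IDs are under the control of the device firmware, treat every keyboard outside the allowlist as worth reviewing, not only the ones that identify as development boards.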