Earlier I posted some instructions on setting up USB Switchblade. Even though it is a rather outdated piece of software as a few people have pointed out. I also talked about Hack5 releasing a new product called USB Rubber Ducky, the next generation of Switchblade. I will not be buying one because they are rather expensive for such a simple Arduino board and in my opinion it’s not very discreet. But if you wish to invest in one you can order one in the HakShop.
I did some work the other night and I found a tool called the LeoStick a arduino with USB-HID capability. I have have some more good news, seeing as LeoStick can pretend to be a USB-HID device, it can do the exact same thing Rubber Ducky can do but much cheaper. I happen to have a Arduino-Leonardo laying around (same thing as LeoStick but bigger). So I spent an hour or two writing a quick shell script which can convert ducky script payloads into a sketch suitable for uploading to the LeoStick (or any arduino that has USB-HID capability). The end result is a small bash script which can be downloaded from here.
Usage is fairly simple – you run the script with two options – the first being the payload file, and the second being the arduino script output.
./compile_payload lock_prank.txt lock_prank.ino
Various payloads can be found linked from the USB-Rubber-Ducky wiki
Also note that to get this working you need to edit the arduino libraries so that the sendReport function is marked as public.
To to this edit the USBAPI.h file which can be found in ${ARDUINO_DIR}/hardware/arduino/cores/arduino directory.
This may be /usr/share/arduino/hardware/arduino/cores/arduino/USBAPI.h or similar
If you installed the LeoStick board stuff from their website then it will be under your sketches directory as hardware/LeoStick/cores/arduino/USBAPI.h
Open that file and find
private:
KeyMap* _keyMap;
void sendReport(KeyReport* keys);
void setKeyMap(KeyMap* keyMap);
public:
Keyboard_();
virtual size_t write(uint8_t);
Then change that to
private: KeyMap* _keyMap; void setKeyMap(KeyMap* keyMap); public: void sendReport(KeyReport* keys); Keyboard_(); virtual size_t write(uint8_t);
I am working on duckSauce – a compilation of tools/payloads for the USB Rubber Ducky. With your permission, I would love to include this.
Ya go for it I would love to see this included in it.
Why don’t you use a Teensy? They cost like $16 and the software for USB rubber duckey is free and open source.
LeoStick is smaller than teensy and in my opinion more usable as a device for penetration testing.
I rewrote it in Python; it’s faster, and the diffs between outputs on sample payloads seem insignificant, so looks like it’d work equivalently. Unless you have any objections, I’d like to put this on Github:
import sys
import io
infile = sys.argv[1]
template = sys.argv[2]
outbuffer = io.StringIO()
with open(template) as InF:
outbuffer.write(InF.read())
with open(infile) as InF:
dscontents = InF.read()
for line in dscontents.splitlines():
cmdline = line.strip().split(None, 1)
if len(cmdline) > 1: command, options = cmdline[0], cmdline[1]
else: command, options = cmdline[0], ”
modifiers = ["0"]
key1 = “0″
key2 = “0″
if command == “REM”:
outbuffer.write(” // {0}\n”.format(options))
elif command == “STRING”:
options = options.replace(“\\”,”\\\\”).replace(‘”‘,’\\”‘)
ifs = ‘ ‘
outbuffer.write(‘ Keyboard.print(“{0}”);\n’.format(options))
elif command == “DELAY”:
delay = int(options) * 10
outbuffer.write(” delay({0});\n”.format(delay))
else:
modappends = {
“GUI”:” | KEY_MODIFIER_LEFT_GUI”, “WINDOWS”:” | KEY_MODIFIER_LEFT_GUI”,
“CONTROL”:” | KEY_MODIFIER_LEFT_CTRL”, “CTRL”:” | KEY_MODIFIER_LEFT_CTRL”,
“SHIFT”:” | KEY_MODIFIER_LEFT_SHIFT”,
“ALT”:” | KEY_MODIFIER_LEFT_ALT”}
keysubs = {
“MENU”:”PROPS”, “APP”:”PROPS”,
“LEFTARROW”:”LEFT”,
“RIGHTARROW”:”RIGHT”,
“UPARROW”:”UP”,
“DOWNARROW”:”DOWN”,
“ESCAPE”:”ESC”}
for token in line.strip().split():
key = “”
if token in modappends:
modifiers.append(modappends[token])
elif token in keysubs:
key = keysubs[token]
else:
key = token
if key:
key = key.upper()
if key1 == “0″:
key1 = “KEY_{0}”.format(key)
else:
key2 = “KEY_{0}”.format(key)
modifiers = ”.join(modifiers)
outbuffer.write(” sendKey({key1}, {key2}, {modifiers});\n”.format(key1=key1,key2=key2,modifiers=modifiers))
outbuffer.write(“}”)
print(outbuffer.getvalue())
By all means put it on github. Then send me a link so I can pull!