Category Archives: arduino

Installing USB Rubber Ducky On 3rd Party Devices

Earlier I posted some instructions on setting up USB Switchblade. Even though it is a rather outdated piece of software as a few people have pointed out. I also talked about Hack5 releasing a new product called USB Rubber Ducky, the next generation of Switchblade. I will not be buying one because they are rather expensive for such a simple Arduino board and in my opinion it’s not very discreet. But if you wish to invest in one you can order one in the HakShop.

I did some work the other night and I found a tool called the LeoStick a arduino with USB-HID capability. I have have some more good news, seeing as LeoStick  can pretend to be a USB-HID device, it can do the exact same thing Rubber Ducky can do but much cheaper. I happen to have a Arduino-Leonardo laying around (same thing as LeoStick but bigger). So I spent an hour or two writing a quick shell script which can convert ducky script payloads into a sketch suitable for uploading to the LeoStick (or any arduino that has USB-HID capability). The end result is a small bash script which can be downloaded from here.

Usage is fairly simple – you run the script with two options – the first being the payload file, and the second being the arduino script output.

 ./compile_payload lock_prank.txt lock_prank.ino

Various payloads can be found linked from the USB-Rubber-Ducky wiki

Also note that to get this working you need to edit the arduino libraries so that the sendReport function is marked as public.

To to this edit the USBAPI.h file which can be found in ${ARDUINO_DIR}/hardware/arduino/cores/arduino directory.
This may be /usr/share/arduino/hardware/arduino/cores/arduino/USBAPI.h or similar
If you installed the LeoStick board stuff from their website then it will be under your sketches directory as hardware/LeoStick/cores/arduino/USBAPI.h

Open that file and find

private:
    KeyMap* _keyMap;
    void sendReport(KeyReport* keys);
    void setKeyMap(KeyMap* keyMap);
public:
    Keyboard_();
    virtual size_t write(uint8_t);

Then change that to

private:
KeyMap* _keyMap;
void setKeyMap(KeyMap* keyMap);
public:
void sendReport(KeyReport* keys);
Keyboard_();
virtual size_t write(uint8_t);

Breaking Hotel Rooms Wide Open with Only a Ardunio

At the Black Hat Security conference Cody Brocious demonstrated how you can easiy open an Onity hotel room lock, the standard system used in many hotel chains, with an Arduino but it was bulky setup and comletely obvious if anyone saw him pull out a lot of electronics. Here’s how you can fit that system in a dry erase marker.

The weblog of ethical hacker group Trustwave Spiderlabs found that the key to hiding the electronic lockpicking setup was to cut down a prototyping breadboard and move the necessary Arduino internals, a battery, a switch, and a DC coaxial barrel connector there. A dry erase marker is great for this since the barrel plug is built into the tip of the marker and be covered with the marker cap. The guys at Spiderlabs moved Cody’s Arduino sketch for duplicating the master key to the Arduino and tested that it worked on an Onity lock they purchased from eBay before cutting down the components.

The full details including the circuit diagram can be found at the source link below. Unfortunately there aren’t too many ways to use this evil hack for good other than being aware that your hotel room lock may not be providing as much security as you would expect so plan for that and don’t leave valuables behind unless using an in-room safe or other means of security