Classic Bad USB
Last updated
Last updated
A classic Bad USB refers to a type of malicious USB device that is disguised as a regular USB flash drive or other USB peripheral. It leverages the inherent trust that users have in USB devices to exploit vulnerabilities and carry out unauthorized actions on the target system.
Typically, a classic Bad USB is programmed to emulate a human interface device (HID), such as a keyboard, to execute a series of preconfigured keystrokes or commands once connected to a computer. This allows it to bypass traditional security measures and execute malicious actions, such as injecting malware, stealing sensitive data, or performing unauthorized system changes.
This a list of the most known Bad USB in the market (such as how to built a DIY one):
The Rubber Ducky is a keystroke injection tool disguised as a generic flash drive. Computers recognize it as a regular keyboard and accept pre-programmed keystroke payloads at over 1000 words per minute.
characteristics:
DEFENSE EVASION
OS DETECTION
HARDWARE ID CLONING
DYNAMIC ATTACK MODES
BRUTE-FORCE ATTACKS
FLASH DRIVE
EDUCATION & EXAMPLES
WIDE COMPATIBILITY
characteristics:
Scripts stored on a microSD card (not included)
Compatible with standard BadUSB script
Executes scripts at over 9000 characters per minute
USB A + C
Incognito USB case
Full Documentation
USB Nova is a cute little USB “drive” that acts as a keyboard, much like the USB Rubber Ducky, WiFi Duck, and other BadUSBs. What makes it special is that:
You can drag and drop scripts (no SD card or WiFi connection required)
Easily switch between attack and setup mode
Supports USB Mass Storage
Has cool new scripting functions
Supports a ton of keyboard layouts
Can act as a USB mouse
It’s affordable
Change USB VID & PID and other cool settings effortlessly
Has an RGB LED
It’s Open-Source
Comes in a variety of awesome-looking cases
This product is handmade, and the case is 3D printed, so please excuse some minor imperfections.
The Hak5 Bash Bunny is considered a classic bad USB device. It is a small, powerful tool designed for penetration testing and ethical hacking purposes. The Bash Bunny can be used to execute various payloads and carry out different attack vectors by emulating keyboard and storage devices. It leverages USB HID (Human Interface Device) capabilities to perform keystroke injection, exfiltrate data, and exploit vulnerabilities. With its flexible scripting language and customizable payloads, the Bash Bunny offers a versatile and effective way to perform targeted attacks on systems and networks.
Flipper Zero is a versatile open-source hacking tool that combines multiple functionalities, including being a Bad USB device. With its compact size and programmable features, Flipper Zero can emulate keyboards, execute pre-defined keystrokes, and perform malicious activities on target systems. Its Bad USB feature enables attackers to exploit vulnerabilities and gain unauthorized access to computers, making it a powerful tool for penetration testing and cybersecurity research.
The SB Components HackyPi is a versatile DIY project kit designed to help you build your own Raspberry Pi-based hacking device. It provides a platform for exploring various hacking and cybersecurity-related projects using the Raspberry Pi single-board computer.
SB Components HackyPi is a Bad USB device that allows you to perform keystroke injection and other hacking techniques. It is designed to look like a regular USB stick but has the ability to execute pre-programmed commands and scripts on a target system.
The Tinyduck is an ATTiny85-powered USB Rubber Ducky inspired by the original project from Hak5 with the smallest possible form factor. It executes keystroke injection attacks preprogrammed by the attacker using the Arduino IDE. Keystroke injection scripts can be converted to Arduino-compatible code for the digipack using this converter
μDuck is a stealth HID injector. It's a very small USB device that acts like a scripted keyboard. This can be used for automation and lulz and has obvious security implications. It's quite similar in functionality to the Hak5 Rubber Ducky and even uses the same syntax to define the scripted input.
To program an Arduino board into a Bad USB device using a Ducky Script converter, follow these steps:
Prepare the hardware: Connect your Arduino board to your computer using a USB cable and ensure that the necessary drivers are installed.
Install the Arduino IDE: Download and install the Arduino IDE (Integrated Development Environment) from the official Arduino website. This software allows you to write and upload code to your Arduino board.
Write the Ducky Script: Use a text editor to create a Ducky Script file. This file contains a series of commands that emulate keystrokes and actions. Write the desired payload, such as executing malicious commands or launching specific actions on the target system, using the Ducky Script language.
Convert Ducky Script to Arduino code: Use a Ducky Script converter tool, such as the Arduino DuckyScript Converter library, to convert the Ducky Script file into Arduino-compatible code. This conversion process translates the Ducky Script commands into Arduino language.
Upload the code to the Arduino board: Open the Arduino IDE and copy the converted code into a new Arduino sketch. Select the correct board type and COM port in the Arduino IDE's settings. Then, upload the sketch to the Arduino board.
Test the Bad USB functionality: Disconnect the Arduino board from the computer and connect it to the target system you want to exploit. The Arduino board, now programmed as a Bad USB device, will execute the actions defined in the Ducky Script, potentially performing malicious activities or simulating keyboard input.
Some Ducky script convertors ( convert from Ducky script to arduino compatible code ) :
for more details on how to built a DIY Arduino Bad USB , you can watch this YouTube Video/Tutorial created by spacehuhn or this YouTube Playlist/Tutorial created by Seytonic .
To build a Bad USB using a Raspberry Pi Pico with the Pico Ducky project, you can follow these steps:
Obtain the necessary hardware: You will need a Raspberry Pi Pico microcontroller, a USB-A male connector, and some jumper wires.
Set up the Raspberry Pi Pico: Connect the Raspberry Pi Pico to your computer using a USB cable. Install the required software, such as the Pico SDK and the Thonny IDE, to program the microcontroller.
Download the Pico Ducky project: Visit the Pico Ducky GitHub repository and download the project files. This project provides a framework for emulating a USB keyboard and executing Ducky Script payloads.
Modify the Ducky Script payload: Edit the Ducky Script file to customize the keystrokes and actions you want the Bad USB to perform. This can include simulating key presses, launching applications, or executing commands.
Upload the code to the Raspberry Pi Pico: Open the modified Ducky Script file in the Thonny IDE. Connect the Raspberry Pi Pico to your computer and upload the code to the microcontroller.
Connect the USB-A connector: Solder the necessary wires to the USB-A male connector, following the pinout provided in the Pico Ducky project. Connect the USB-A connector to the Raspberry Pi Pico.
Test the Bad USB: Connect the Bad USB to a target system, and it will simulate the keystrokes and actions specified in the Ducky Script payload.
GitHub repository:
The DIY USB Nova project utilizes either an Adafruit Trinkey QT2040 or a Raspberry Pico microcontroller to create a USB device capable of keystroke injections and other Bad USB functionalities. By programming the microcontroller, users can emulate keyboard inputs, making it an ideal tool for ethical hacking and cybersecurity learning. It's essential to use this project responsibly and legally, understanding that similar devices can be misused for malicious purposes. Always exercise caution and adhere to ethical guidelines when working with such tools.
Turning a USB flash drive into a Bad USB by utilizing the autorun feature involves the following steps:
Prepare the USB flash drive: Connect the USB flash drive to your computer and ensure it is formatted and ready for use. Make sure you have a backup of any existing data on the drive as it will be overwritten.
Create an autorun.inf file: Open a text editor and create a new file named "autorun.inf". This file will serve as the configuration file for the autorun feature.
Customize the autorun.inf file: In the autorun.inf file, specify the actions you want the Bad USB to perform when inserted into a computer. This can include executing malicious scripts, launching applications, or performing other malicious activities. You can use commands such as "open", "shell", or "shellexecute" to specify the actions.
Save the autorun.inf file: Save the autorun.inf file in the root directory of the USB flash drive. Make sure the file extension is ".inf" and not ".txt".
Add the payload files: If your Bad USB requires additional files or scripts to carry out its malicious activities, add them to the USB flash drive. These files will be referenced in the autorun.inf file.
Safely remove the USB flash drive: Eject the USB flash drive from your computer to ensure all changes are saved.
Deploy the Bad USB: Insert the USB flash drive into the target computer. The autorun feature will automatically execute the commands specified in the autorun.inf file, carrying out the intended malicious actions.
Or Simply we use a auto run software
auto run software:
for more details on how to Turning a USB flash drive into a Bad USB, you can watch this YouTube Video/Tutorial created by Electronic Tech Show or this YouTube Video/Tutorial created by SL Hydra .