A Malicious WiFi Backdoor In A Keyboard’s Clothing

The USB Rubber Ducky burst onto the scene a few years ago, and invented a new attack vector – keystroke injection. The malicious USB device presents itself as a keyboard to the target system, blurting out keystrokes at up to 1000 words per minute. The device is typically used to open a phishing site or otherwise enter commands to exfiltrate data from the victim. Now things have stepped up a notch, with ESPloitV2 – a WiFi-enabled take on the same concept.

Running on the Cactus WHID platform, the device is so named for the ESP12 WiFi microcontroller it employs, along with an Atmega 32u4 for USB HID device emulation. By virtue of its wireless connection, no longer does the aspiring hacker have to rely on pre-cooked routines. Various exploits can be stored in the ESP12’s spacious 4 megabytes of flash, and there’s even the potential to live type your attack if you’re feeling bold.

It goes to show that the trust we implicitly place in foreign USB devices is potentially our future downfall. BadUSB is another great example, and the USB Wrapper is a great way to get a charge if you’re stuck using an untrusted port.

 

Launchpad MIDI Controller Put to Work with Python

For Hackaday readers who might not spend their free time spinning electronic beats at raves, the Launchpad by Novation is a popular peripheral for creating digital music with tools such as Ableton Live. Its 8×8 grid of RGB LED backlit buttons is used to trigger different beats and clips by sending MIDI commands to the computer over USB. While not a strict requirement for performing digital music, it also helps that it looks like you’re flying a spaceship when using it.

It’s definitely a slick piece of gear, but the limited stock functionality means you’re unlikely to see one outside of the Beat Laboratory. Though that might change soon thanks to LPHK, created by [Ella Jameson]. She’s created a program in Python that allows you to use the Novation Launchpad as a general purpose input device. But rather than taking the easy way out by just turning the hardware into a USB HID device or something along those lines, LPHK implements an impressive set of features including its own internal scripting language.

In the video after the break, [Ella] walks us through some basic use cases, such as launching programs or controlling the system volume with individual buttons. LPHK has a GUI which provides a virtual representation of the Launchpad, and allows configuring each button’s color and function as well as saving and loading complete layouts.

For more advanced functionality, LPHK utilizes a scripting language that was inspired by the Hak5 USB Rubber Ducky. Scripts are written with plain English commands and very simple syntax, meaning you don’t need to have any programming experience to create your own functions. There’s also a script scheduling system with visual feedback right on the board: if a button is pulsing red it means it has a script waiting for its turn to execute. When the key is rapidly flashing the script is actively running. A second tap of the button will either remove it from the queue or kill the running script, depending on what the status was when you hit it.

[Ella] makes it clear this software is still a work in progress; it’s not as polished as she’d like and still has bugs, but it’s definitely functional for anyone who’s looking to wring a bit more functionality out of their $150 Launchpad. She’s actively looking for beta testers and feedback, so if you’ve already got one of these boards give it a shot and let her know what you think.

In the past we’ve seen hackers fiddling with the open source API Novation released for their Launchpad controllers, but overall there hasn’t been a lot of work done with these devices. Perhaps that will soon change with powerful software like this in development.


DIY Rubber Ducky is as Cheap as its Namesake

The “Rubber Ducky” by Hak5 is a very powerful tool that lets the user perform rapid keystroke injection attacks, which is basically a fancy way of saying the device can type fast. Capable of entering text at over 1000 WPM, Mavis Beacon’s got nothing on this $45 gadget. Within just a few seconds of plugging it in, a properly programmed script can do all sorts of damage. Just think of all the havoc that can be caused by an attacker typing in commands on the local machine, and now imagine they are also the Flash.

But unless you’re a professional pentester, $45 might be a bit more than you’re looking to spend. Luckily for the budget conscious hackers out there, [Tomas C] has posted a guide on using open source software to create a DIY version of Hak5’s tool for $3 a pop. At that cost, you don’t even have to bother recovering the things when you deploy them; just hold on tight to your balaclava and make a run for it.

The hardware side of this hack is the Attiny85-based Digispark, clones of which can be had for as low as $1.50 USD depending on how long you’re willing to wait on the shipping from China. Even the official ones are only $8, though as of this writing they are not currently available. Encapsulating the thing in black shrink tubing prevents it from shorting out, and as an added bonus, gives it that legit hacker look. Of course, it wouldn’t be much of a hack if you could just buy one of these little guys and install the Rubber Ducky firmware on it.

In an effort to make it easier to use, the official Rubber Ducky runs scripts written in a BASIC-like scripting language. [Tomas C] used a tool called duck2spark by [Marcus Mengs], which lets you take Rubber Ducky scripts (which have been released by Hak5 as open source) and compile them into binaries for flashing to the Digispark.

Not quite as convenient as just copying the script to the original Ducky’s microSD card, but what do you want for less than 1/10th the original’s price? Like we’ve seen in previous DIY builds inspired by Hak5 products, the trade-off is often cost for ease of use.

[Thanks to Javier for the tip.]

A Sneak Preview Of The Hacker Warehouse Badge

We were lucky enough to get our hands on a hand-soldered prototype of the new Hacker Warehouse badge, and boy is this one a treat. It’s fashionable, it’s blinky, and most impressively, it’s a very useful tool. This badge can replace the Google Authenticator two factor authentication app on your phone, and it’s a USB Rubber Ducky. It’s also a badge. Is this the year badges become useful? Check out the video below to find out more.

This is the time of year when hardware hackers from all across North America are busy working on the demoscene of hardware and manufacturing. This is badgelife, the celebration of manufacturing custom wearable electronics for one special weekend in Las Vegas. In just about a month from now, there will be thousands of independent badges flooding Caesar’s Palace in Vegas, complete with blinkies, custom chips, innovative manufacturing processes, and so many memes rendered in fiberglass and soldermask.


Brute Forcing Passwords with a 3D Printer

Many of us use a 4-digit PIN code to lock our phones. [David Randolph] over at Hak5 has come up with a simple way to use a 3D printer to brute force these passwords. Just about every 3D printer out there speaks the same language, G-code, the same language used in CAD and CNC machines for decades.

[David] placed a numeric keypad on the bed of his printer. He then mapped out the height and positions of each key. Once he knew the absolute positions of the keys, it was easy to tell the printer to move to a key, then press and release. He even created a G-code file which would press every one of the 10,000 4-key PIN combinations.

A file this large was a bit unwieldy though, so [David] also created a Python script which will do the same thing, outputting the G-code and coordinates to brute force any 4-digit PIN keypad. While a printer is quite a bit slower than Hak5’s own USB Rubber Ducky device (which acts as an automated keyboard), it will successfully brute force a password, although most phones these days do limit the number of password attempts a user gets.

[David] admits this is probably useless in a clandestine/hacking application, but the video is still a great introduction to G-code and using 3D printers for non-printing functions.


MalDuino — Open Source BadUSB

MalDuino is an Arduino-powered USB device which emulates a keyboard and has keystroke injection capabilities. It’s still in the crowdfunding stage, but has already been fully backed, so we anticipate full production soon. In essence, it implements BadUSB attacks much like the widely known USB Rubber Ducky, which appeared on Mr. Robot.

It’s like an advanced version of the HID tricks to drop malicious files which we previously reported. Once plugged in, MalDuino acts as a keyboard, executing previously configured key sequences at very fast speeds. This is mostly used by IT security professionals to hack into local computers, just by plugging in the unsuspicious USB ‘Pen’.

[Seytonic], the maker of MalDuino, says its objective is to be a cheaper, fully open source alternative with the big advantage that it can be programmed straight from the Arduino IDE. It’s based on the ATmega32u4 like the Arduino Leonardo and will come in two flavors, Lite and Elite. The Lite is quite small and it will fit into almost any generic USB case. There is a single switch used to enable/disable the device for programming.

The Elite version is where it gets exciting. In addition to the MicroSD slot that will be used to store scripts, there is an onboard set of dip switches that can be used to select the script to run. Since the whole platform is open sourced and based on Arduino, the MicroSD slot and dip switches are entirely modular, nothing is hardcoded, you can use them for whatever you want. The most skilled wielders of BadUSB attacks have shown feats like setting up a fake wired network connection that allows all web traffic to be siphoned off to an outside server. This should be possible with the microcontroller used here although not native to the MalDuino’s default firmware.

For most users, typical feature hacks might include repurposing the dip switches to modify the settings for a particular script. Instead of storing just scripts on the MicroSD card you could store word lists on it for use in password cracking. It will be interesting to see what people will come up with and the scripts they create, since there is a lot of room to tinker with and enhance it. That’s the greatness of open source.


Hackaday Links: November 6, 2016

Here’s a life protip for you: get really, really good at one video game. Not all of them; you only want to be good – top 10% at least – at one video game. For me, that’s Galaga. It’s a great arcade game, and now it’s IoT. [justin] has been working on publishing high scores from a Galaga board to the Internet. The electronics are actually pretty simple – just a latch on a memory address, and an ESP8266 for comms.

On with the mergers and acquisitions! Lattice has been sold to Canyon Bridge, a Chinese private equity firm, for $1.3 Billion. Readers of Hackaday should know Lattice as the creators of the iCE40 FPGA platform, famously the target of the only Open Source FPGA toolchain.

The Internet of Chocolate Chip Cookies. Yes, it’s a Kickstarter for a cookie machine, because buying a tube of pre-made cookie dough is too hard. There is one quote I would like to point out in this Kickstarter: “Carbon Fiber Convection Heating Element (1300W) is more energy-efficient than traditional electric elements and heats up instantly.” Can someone please explain how a heating element can be more efficient? What does that mean? Aren’t all resistive heating elements 100% efficient by default? Or are they 0% efficient? The Internet of Cookies broke my brain.

The USB Rubber Ducky is a thumb-drive sized device that, when plugged into a computer, presents itself as a USB HID keyboard, opens up a CLI, inputs a few commands, and could potentially do evil stuff. The USB Rubber Ducky costs $45; a Raspberry Pi Zero and a USB connector cost $6. [tim] built his own USB Rubber Ducky, and the results are great.