A while back, I purchased an official USB Rubber Ducky from Hak5, the gold standard of commercial USB HID injectors. A couple of things quickly began to annoy me, however:
Only one payload per SD card.
If you wanted to carry multiple payloads, even for something as simple as the same payload for different OSes, you have to purchase a separate card for each, which can easily get expensive even for small SD cards. Plus, there's a lot of wasted space, as the inject.bin file generated is typically only a handful of KB.
Long testing turnaround.
Since each iteration of testing a payload requires modifying the payload, compiling it, transferring it to the SD card, and then finally testing it, even small changes to the payload can take a lot of effort. There have been a couple of solutions to this (for example, my own small QuackTest project, which seeks to provide a means of parsing and testing a payload immediately without a Ducky), but even then, a simulator can only come so close to the actual HID hardware.
Lack of variable script execution.
Once you put the compiled inject.bin file on the card, there's simply no way to change what it will attempt to type. This means that small changes like changing a URL you want to use for exfiltration require a full rewrite and recompile of your ducky script.
No mouse emulation.
While not often useful, this can be helpful in certain attacks (e.g. Samy Kamkar's USBDriveBy attack, which uses mouse emulation to change a Mac's firewall status).
Maybe if you're a professional red teamer, you can buy these devices by the dozen. But if you're a poor college grad like me, $45 can be a bit pricy for a HID injector.
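As an added illustration (not code from the original post or from Hak5), the sketch below decodes a compiled payload into readable steps, which shows why nothing in the file can vary at run time and helps when triaging an unknown file found on a card. It assumes the commonly documented two-byte record layout (HID usage ID plus modifier mask, with a 0x00 first byte marking a delay in milliseconds) and a US keyboard layout; `decode`, `SAMPLE` and the lookup tables are hypothetical names and constructed data.

```python
# Decode a compiled inject.bin into readable steps (added example).
# ASSUMED layout: 2-byte records of (HID usage ID, modifier bitmask);
# a record whose first byte is 0x00 is a delay of <second byte> ms.

# USB HID modifier bits (left- and right-hand keys)
MODS = {0x01: "CTRL", 0x02: "SHIFT", 0x04: "ALT", 0x08: "GUI",
        0x10: "RCTRL", 0x20: "RSHIFT", 0x40: "RALT", 0x80: "RGUI"}

# USB HID keyboard usage IDs (US layout): letters, digits, a few control keys
KEYS = {0x04 + i: chr(ord("a") + i) for i in range(26)}
KEYS.update({0x1E + i: "1234567890"[i] for i in range(10)})
KEYS.update({0x28: "ENTER", 0x29: "ESC", 0x2A: "BACKSPACE", 0x2B: "TAB", 0x2C: " "})


def decode(blob: bytes) -> list[str]:
    """Return one readable step per record; runs of typed text are merged."""
    if len(blob) % 2:
        raise ValueError("truncated file: odd number of bytes")
    steps, text = [], []

    def flush():
        # Emit any pending typed characters as a single TYPE step.
        if text:
            steps.append("TYPE " + repr("".join(text)))
            text.clear()

    for code, mod in zip(blob[0::2], blob[1::2]):
        if code == 0x00:  # delay record
            flush()
            steps.append(f"DELAY {mod} ms")
            continue
        key = KEYS.get(code, f"<0x{code:02x}>")  # unknown IDs shown as hex
        held = [name for bit, name in MODS.items() if mod & bit]
        if len(key) == 1 and not held:
            text.append(key)
        elif len(key) == 1 and key.isalpha() and held == ["SHIFT"]:
            text.append(key.upper())
        else:  # named key or modifier combination
            flush()
            steps.append("+".join(held + [key]))
    flush()
    return steps


# Constructed sample: delay, GUI+r, delay, the text "Hi", ENTER
SAMPLE = bytes([0x00, 0xC8, 0x15, 0x08, 0x00, 0x64, 0x0B, 0x02, 0x0C, 0x00, 0x28, 0x00])

if __name__ == "__main__":
    print("\n".join(decode(SAMPLE)))
```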
Fortunately, I had just recently started getting into Arduino, and realized that there are a lot of low-cost alternatives that can be used to accomplish essentially the same thing as the Rubber Ducky, sometimes even better. There are a handful of Arduino boards that use HID-compatible chipsets, like the ATtiny85 and the ATmega32U4. What is even better is that many of these boards plus additional components can be had for only a few bucks on AliExpress or eBay. Let's look at a few of the options:
1. The Digispark
- Low cost. This is one of the least expensive of all the alternatives, with non-official versions going for less than $1.50 on AliExpress. (However, note that if you buy unofficial clones, you're likely to have a fraction of them not work. But for the price, this usually isn't too big a deal.)
- USB-A interface. This means there's no need for an extra cable to plug it into a computer USB socket.
- Non-standard library. To use this board for HID injection, the Digispark Keyboard library is required. While it's not a terribly big deal, it does mean there's some extra overhead when dealing with these boards, and any existing Arduino HID programs will have to be modified to be used with it.
- No SD support. The ATTiny85 only has 8KB of ISP flash memory, which means that it doesn't have much space for code or memory-heavy libraries like the SD library.
- Few expansion pins. There are only 6 GPIO pins for expansion, two of which are used internally for the USB interface, and one of which is used by an onboard LED. (Note: if you don't care about the onboard LED, you can actually remove it to use the pin for input.)
2. The Digispark Pro
- Low cost. Slightly more expensive than the original Digispark, it can still be had for less than $3.
- More GPIO pins. It has 13 compared to just the 3 of the Digispark.
- No SD support (same as above).
- Non-standard library (same as above).
3. The Arduino Pro Micro
4. The Teensy
5. The Beetle
6. The Plain Ol' Arduino Uno
7. The Raspberry Pi Zero
Obviously, this isn't an Arduino. But because of some excellent work by , this board can also be used for HID injection.
| Device | Cost | GPIO Pins | Wi-Fi | SD Support | USB Type |