It is time to start using the Windows terminal - cmd. You can even use custom scripts and do some reverse engineering here.
and write the script the way we would do usually, or the way your victim's PC would write it. Keep in mind that we have to change the Windows layout to U.S. layout and Windows is set to DEU in my country. That's because our "keyboard" (Bad USB) has a U.S. In addition, you can clearly see that I wrote "/" instead of "-". If everything goes right, you will see a new folder with many different files inside.Īs you may suppose, the Bad USB will "press" Windows + R and cause windows to shut down immediately with this script. \Psychson\firmware\ directory and run build.bat. In this step, we simply have to go to our. Creating Custom FirmwareĪt this point, all our preparations are done and we can continue using the tools.
(Do not forget to install Java.) I saved it at E:\Documents\Bad_USB\DuckEncoder\. It is based upon the Bad-USB called "Rubber Ducky" by Hak5. The "Duck Encoder" is a Java-based cross-platform tool which converts scripts into HID payloads. I extracted the files in E:\Documents\BadUSB\Burner_Image\.Įvery burner image should do the job, but you can use the newest version which is indicated by the "Vyyy" part of the name. Even though the site is only available in Russian, you will find the download link if you scan the site for "BN03." BN implies burner image, and 03 corresponds to PS2251-03. Burner images for Phison controllers can be found here. These are typically named using the convention "BNxxVyyyz.BIN". If your drive uses the Phison 2303 (2251-03) controller, the output should look similar to this:Ī "burner image" is required for dumping and flashing firmware on your drive. Just open the tool and hit the "Get USB Flash Drive Information" button while you have your USB inserted into your PC. We can use a program called Flash Drive Information Extractor to gather the required information about our USB.
Determining the Microcontroller of Our USB Flash Driveīefore starting, we want to make sure our USB uses the supported controller. Please continue at your own risk there is no guarantee that your device will work, even though there shouldn't be any issues.
Please read the "Setting Our Device into "Boot Mode" Manually" section at the end of this article for help on opening it. One of my friends had to literally saw up his USB device because he was too hasty.
The process is kind of like compiling and flashing ROMs to your Android device.
In this tutorial, we are going to determine the microcontroller of your USB flash drive, compile the source code published in GitHub for the tools we need, and move over to building a custom firmware with an embedded HID payload that will turn our harmless USB flash drive into a malicious keyboard designed to help us compromise our victim machine. Even though almost every USB flash drive is exploitable, the only released reprogramming method is for "Phison" microcontrollers. This scenario is often called an "HID Payload Attack," since you have to hand over your script to the Bad USB for the execution (more on that later). This allows us hackers to reprogram the microcontroller in them to act as a human interface device (HID), e.g., a keyboard, and perform custom keystrokes on our target machine. Most common USB flash drives are exploitable due to the "BadUSB" vulnerability. In addition, it would be nice to have something related on our WonderHowTo world.
Recently, someone asked how to make your own "Bad USB," and I promised to make a how-to on this topic. Many of you don't even know about my existence here on Null Byte, so I thought of contributing something rather interesting.