Skip to content

0xnarwhal/BadUSB

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

37 Commits
img
img
 
 
scripts
scripts
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
package_digistump_index.json
package_digistump_index.json
 
 

Repository files navigation

The Bad USB Framework

Project is EOL

Thanks for the support. I am officially closing this project. It will see a few clean ups here and there in the next few days, but once that's done, it's all done. You will still be able to use the framework and I don't foresee it being obsolete any time soon.

DISCLAIMER

This framework guide is intended for educational purposes only! Malicious use of this framework is NOT endorsed and is illegal. If you wish to perform of the actions shown on property that you do not own, ensure you have prior approval from the rightful owner.

Remember: Hack Responsibly.

Most of the payloads and scripts were not made by me. This is a collection of my favorite scripts out there and modified to suit this framework. To see the original creators, head over to the Credits section of this documentation.

About The Framework

This framework is your one-stop-shop to get you up and running to create malicious USBs.

This guide will walk you through on setting up and creating your very own USB using the ATTiny85 Micro Controller. At the end of the document, I will detail a phishing campaign you can set up using the provided script The-Go-To.ino. This is my personal favorite for demonstrations. I will not be guiding you on how to set that up as I feel it is your own duty to be ready and knowledgeable to take on the responsibility.

Pre-Requisites

You will need the following:

  1. ATTiny85 Micro Controller USB Device (You can purchase one online for cheap or make your own. There are countless sellers and tutorials out there)
  2. Fundamentals of Networking, USB, Computers, Powershell, Bash, and Ethical and Responsible Hacking
    1. DO NOT SKIP THIS! This will help you with troubleshooting and practicing safe ethical hacking. We are not here to build script-kiddies, but smart and responsible hackers.
    2. If you get stuck and come to me with "uHhh tHerE iS aN iSSuE with <insert basic issue>", you didn't get the fundamentals down and I will not entertain you.

Setting Up your PC

Firstly, we will set up your PC to program your ATTiny85.

  1. Download the latest version of Arduino IDE.
    1. WINDOWS ONLY! - Download and install the latest Digistump Arduino Driver Release by running Install Drivers.exe after installing Arduino IDE.
  2. After install, go to File > Preferences and under Additional boards manager URLs insert the following URL: https://raw.githubusercontent.com/0xnarwhal/BadUSB/refs/heads/main/package_digistump_index.json. If the link no longer works for some reason, I have included the file in this repository. If you can't troubleshoot something like this, please educate yourself first before continuing.
    1. File to Preference
    2. Additional Board Manager

    3. NOTE: If there is already a URL, you can insert multiple URLs by separating them with a semi-colon ;.

  3. Under Tools > Board: > Board Manager, select Digistump AVR Boards and install.
    1. Getting to Boards Manager
    2. Installing Digistump
  4. You're ready to program your ATTiny85!

A Simple Prank: Changing the Wallpaper

Now we can focus on programming your malicious USB. Under the scripts\ folder, it contains various Arduino scripts to get you started on your journey of programming bad USBs. For the sake of simplicity, we will be using Wallpaper_Change.ino file. It is a script sequence to change the current wallpaper to another of your own choosing.

  1. To begin, select the correct board by selecting Tools > Board > Digistump AVR Boards > Digispark (Default - 16.5mhz).
  2. Copy and paste the script into the Arduino IDE.
    1. You can change the URL where the image will be downloaded from if you'd like.
  3. Then click Upload and once prompted to plug in the USB, do so. It should take at most 5 seconds to program. Once done, remove the USB.
  4. Now it is primed to be used at your own discretion. All you have to do is plug it in to your victim's machine.

PLEASE READ THE SCRIPT AND UNDERSTAND IT FIRST TO KNOW WHAT IT IS DOING EXACTLY. DO NOT BLINDLY USE CODE YOU DON'T KNOW! PRACTICE RESPONSIBLE CODING!

The Attack

Just plug it in and watch the magic.

Moving On

This is just the start for you. Go crazy. But remember: Hack Responsibly. Educate yourself first before attempting anything. If you don't understand what you are doing or why you're doing it, stop and learn. It is also good practice for anything in the future.

Advance Project

Have a look at the The-Go-To.ino script. It is my favorite demonstration to show how devastating this USB can be. I am not going to show you how to do it. You will have to learn the following to make any remote sense and understand what it does. Only then, should you allow yourself to set the project up.

Things to Study

  1. Ethical and Responsible Hacking
  2. USB Protocol
  3. IP Addresses and Ports
  4. Networking
  5. HTTP & HTTPS
  6. Shells
    1. Netcat & Reverse Shells
  7. SSH
  8. Servers
    1. File Servers
  9. Encoding and Decoding
    1. Base64

DO NOT SKIP THIS!

I went through all that trouble on providing free resources, the least you could do is read and understand. Also, they are hints on how to set up the project.

Have fun suckers.

- narwhal

Credits

AFNordal - Persistant Reverse Shell

CedArctic - Various DigitSpark Scripts

About

A framework to kickstart yourself in making malicious USB devices using ATTiny85.

Topics

social-engineering-attacks bad-usb digispark-usb attiny85-payloads

Resources

Readme

License

MIT license
Activity

Stars

12 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

Languages