So how is this any different from existing USB hardware implants like the Rubber Ducky or keyloggers? Firstly, the devices I’ve seen can only achieve one or two attack classes, such as eavesdropping or message fabrication. BadUSB2 can eavesdrop, replay, modify, fabricate, exfiltrate data and perform BadUSB attacks, all in one device. Furthermore, when these attack classes are combined, really interesting attack scenarios begin to surface. Secondly, keyboard emulation devices register as an additional USB device, making them easy to detect and block, i.e. why do I now have two keyboards attached!? Yes, such devices can be easily detected and blocked. The same can be said of BadUSB: it often needs to register as a secondary USB device to perform a malicious task. BadUSB2 is an INLINE hardware implant, giving it the stealth of a hardware keylogger but far more capabilities, as mentioned above. Finally (law of 3’s), just cos…badUSB
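The “why do I now have two keyboards attached” check from the paragraph above, written out as an added example (not code from the original post or the BadUSB2 project): it parses the Linux /proc/bus/input/devices listing and reports any USB keyboard beyond the number you expect. The device records in SAMPLE are constructed for the demo, with the second keyboard given placeholder vendor/product ids.

```python
import re
# Linux input constants (linux/input.h): event-type bit numbers and the USB bus id
EV_KEY, EV_LED, EV_REP, BUS_USB = 0x01, 0x11, 0x14, 0x03
KBD_EVENTS = (1 << EV_KEY) | (1 << EV_LED) | (1 << EV_REP)

def parse_proc_input_devices(text):
    """Parse /proc/bus/input/devices records into dicts, one per 'I:' line."""
    devices = []
    for line in text.splitlines():
        _, _, val = line.partition("=")
        if line.startswith("I:"):
            devices.append({"bus": int(re.search(r"Bus=(\w+)", line).group(1), 16),
                            "name": "", "port": "", "ev": 0})
        elif not devices:
            continue
        elif line.startswith("N:"):
            devices[-1]["name"] = val.strip().strip('"')
        elif line.startswith("P:"):  # physical path minus /inputN: one port per device
            devices[-1]["port"] = re.sub(r"/input\d+$", "", val.strip())
        elif line.startswith("B: EV"):
            devices[-1]["ev"] = int(val, 16)
    return devices

def usb_keyboards(text):
    """Physical USB port -> keyboard name. A keyboard reports key, LED and autorepeat
    events (mice and a keyboard's media-key interface do not); one port = one device."""
    return {d["port"]: d["name"] for d in parse_proc_input_devices(text)
            if d["bus"] == BUS_USB and (d["ev"] & KBD_EVENTS) == KBD_EVENTS}

def unexpected_keyboards(text, expected=1):
    """Names of every USB keyboard when more are attached than expected, else []."""
    found = usb_keyboards(text)
    return sorted(found.values()) if len(found) > expected else []

# Constructed sample in /proc/bus/input/devices format (blank separator lines omitted):
# one keyboard exposing two interfaces on port -3, plus a second keyboard on port -4.
SAMPLE = """\
I: Bus=0003 Vendor=03f0 Product=0024 Version=0110
N: Name="HP Basic USB Keyboard"
P: Phys=usb-0000:00:14.0-3/input0
B: EV=120013
I: Bus=0003 Vendor=03f0 Product=0024 Version=0110
N: Name="HP Basic USB Keyboard"
P: Phys=usb-0000:00:14.0-3/input1
B: EV=1f
I: Bus=0003 Vendor=1234 Product=abcd Version=0100
N: Name="Generic USB Keyboard"
P: Phys=usb-0000:00:14.0-4/input0
B: EV=120013
"""
```

This catches the keyboard-emulation class (a second HID keyboard appearing on the bus); as the post points out, an inline implant sitting between the real keyboard and the host adds no device and so passes this check unchanged.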

x1 Linux build (tested on default install of Ubuntu 14.04)
x1 Windows XP/7 (our target)
x2 Facedancers
x3 USB type A-male to USB Mini-B cables
x1 USB Keyboard (tested on HP & Genius brands)

Implemented Proof of Concept Attacks:
+ Eavesdrop. Once the keyboard has been registered with the target, all keystrokes are captured to the ‘/tmp’ folder.
+ Modify. Weaponised code could use regular expressions to modify user keystrokes in order to defeat one-time passwords. In this POC we simply annoy the user 🙂
+ Replay. The POC code automatically detects ‘ctrl-alt-delete’ and assumes it is a login session. It stops recording once the ‘enter’ key is pressed. At any time the ‘replay’ command can be given to automatically authenticate to the workstation.
+ Fabricate. Start/Run or generic commands can be issued to the target operating system just as if you were at the keyboard.
+ Exfiltrate. I’ve implemented a PowerShell exfiltration POC that uses the ‘morse code’ technique (LEDs) to exfiltrate data. Using custom HID output reports is faster, but MS Windows has restricted read/write access to them since Win 2K. In short, this is a very rudimentary POC, and did I mention very slow!

BadUSB. I did not actually implement a POC for this. The Facedancer has plenty of example code that can be used to fake USB peripherals to the host, but it would be nice to implement some of the BadUSB “Kali Nethunter” type attacks here.