Stuff about emulation keyboard
cervoise Update README.md
Add Ubertooth.
Latest commit f588543 Jan 29, 2019
boards/gamebuino Create README.md Nov 5, 2018
payloads Update README.md Oct 29, 2018
LICENSE Initial commit Oct 25, 2018
README.md Update README.md Jan 29, 2019


They told me I could be anything I wanted, so I became a keyboard

This repository contains my work on keyboard emulation, mostly for offensive security. There are also links to other projects.

Why be a keyboard

Because you can!

This can be used to inject a payload on an unlocked computer or to cheat in some video games.

Main issues

Main issues are:

  • the lack of feedback (even if there are some ways to get feedback).
  • the keyboard layout used by the target.
  • the speed used.

About keyboard layout

When you want to inject a key, you have to send its position on the keyboard. This position differs between a QWERTY and an AZERTY keyboard. An Apple keyboard also differs from a "normal" keyboard.

The speed

Your payload may work on your test computer but fail because your target is slower. For example, to create a payload on Windows:

  • Windows+R
  • Type notepad
  • Press Enter
  • Type your payload
  • Save it
  • Run it

If the computer is too slow to open Notepad between the time you press Enter and the time you start to write your payload, you'll have a corrupted payload and it will not work.

Hardware

Arduinos

Some Arduinos can emulate a keyboard. Available boards are

Using these libs:

Teensy

Teensy boards are able to switch the keyboard layout and can be more than a keyboard and a mouse (SD storage, internal disk, MTP device...).

Using these libs:

Arduino-likes

Some Arduino-like boards are available, with the Arduino Keyboard lib or other libs.

Fruit Pi

Raspberry Pi Zero (https://www.raspberrypi.org/products/raspberry-pi-zero/ & https://www.raspberrypi.org/products/raspberry-pi-zero-w/) or equivalent (like some Orange Pi (http://www.orangepi.org/))

Other projects

Finally, some devices are available with fake USB stick branding, like the Rubber Ducky (https://shop.hak5.org/products/usb-rubber-ducky-deluxe) and WHID (https://github.com/whid-injector/WHID).

There is also a way to turn your old Ubertooth into a BLE keyboard: https://blog.ice9.us/2018/12/uberducky-ble-wireless-usb-rubber-ducky.html.

Why Arduinos and related boards are more efficient

Arduinos are not only keyboards. First, they can be programmed. The main use is to detect when the user presses CAPS LOCK. The scenario is simple: the attacker plugs the Arduino/Teensy into the locked computer and presses CAPS LOCK. When the user comes back to unlock his computer, he will turn CAPS LOCK off. The Arduino/Teensy just needs to wait a few seconds before launching the payload.

Another advantage is the ability to be a keyboard and another device at the same time (a USB stick, for example). See https://github.com/offensive-security/hid-backdoor-peensy or https://github.com/cervoise/so-i-became-a-keyboard/tree/master/payloads/make-autorun-great-again.

Protection

Hiding a fake HID device inside a normal USB device is one way to attack. Such a compromise can be detected by monitoring the power consumption of your device: adding this kind of component to an existing device increases its power consumption.

Note that if you're using a wireless device, hiding a Teensy or equivalent inside your device will be pretty hard. On the other hand, you have to trust the wireless communication: http://travisgoodspeed.blogspot.com/2011/02/promiscuity-is-nrf24l01s-duty.html

It is possible to filter USB devices by specific ID (MISC n°50 - Juillet/Août 2010 - Créer un pare-feu pour contrôler l'accès aux clés USB (FR)), but this can be bypassed if the attacker knows one valid ID (https://forum.pjrc.com/threads/23523-Change-device-name).
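The ID filter and its limit, as an added example that is not part of this repository: an allowlist keyed on vendor/product ID alone accepts a device that reuses a known ID, while also comparing the interface classes in its descriptors flags an unexpected HID interface. The allowlist, the IDs and the sample descriptor blobs are constructed for illustration.

```python
import struct

HID, MASS_STORAGE = 0x03, 0x08  # USB interface class codes
# Hypothetical policy: allowed (idVendor, idProduct) -> interface classes expected
ALLOWLIST = {(0x1234, 0x5678): {MASS_STORAGE}}  # constructed IDs

def parse_descriptors(blob):
    """Walk a raw blob (device descriptor, then configuration descriptors);
    return (idVendor, idProduct, set of bInterfaceClass values)."""
    vid = pid = None
    classes = set()
    i = 0
    while i < len(blob):
        length = blob[i]                        # bLength of this descriptor
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed descriptor at offset %d" % i)
        dtype = blob[i + 1]                     # bDescriptorType
        if dtype == 0x01 and length >= 12:      # device descriptor
            vid, pid = struct.unpack_from("<HH", blob, i + 8)
        elif dtype == 0x04 and length >= 9:     # interface descriptor
            classes.add(blob[i + 5])            # bInterfaceClass
        i += length
    if vid is None:
        raise ValueError("no device descriptor found")
    return vid, pid, classes

def id_only_check(blob):
    # Filter on the ID pair only, as in the ID-based filtering described above
    vid, pid, _ = parse_descriptors(blob)
    return (vid, pid) in ALLOWLIST

def strict_check(blob):
    # Also require every exposed interface class to be expected for that ID
    vid, pid, classes = parse_descriptors(blob)
    expected = ALLOWLIST.get((vid, pid))
    return expected is not None and classes <= expected

def build_sample(vid, pid, iface_classes):
    """Build a constructed descriptor blob (no endpoints) for the samples."""
    dev = struct.pack("<BBHBBBBHHHBBBB", 18, 1, 0x0200, 0, 0, 0, 64,
                      vid, pid, 0x0100, 1, 2, 3, 1)
    ifaces = b"".join(struct.pack("<9B", 9, 4, n, 0, 0, c, 0, 0, 0)
                      for n, c in enumerate(iface_classes))
    cfg = struct.pack("<BBHBBBBB", 9, 2, 9 + len(ifaces),
                      len(iface_classes), 1, 0, 0x80, 50)
    return dev + cfg + ifaces

GENUINE_STICK = build_sample(0x1234, 0x5678, [MASS_STORAGE])
COMPOSITE_CLONE = build_sample(0x1234, 0x5678, [MASS_STORAGE, HID])  # same IDs
UNKNOWN_KEYBOARD = build_sample(0xABCD, 0x0001, [HID])
```

A device that reuses the ID of an allowlisted keyboard still passes both checks, so the class comparison narrows the bypass rather than closing it.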

How to hide

I have given presentations about this at BeeRump 2016 and PassTheSalt 2018. See links below.

[IDEA] You can also use a device that is Arduino-based and change its code. This can be done with a GameBuino (https://gamebuino.com/).

Presentations

Projects of mine

Other Projects

IDEA

  • Change the GameBuino sketch in order to be able to inject keystrokes while charging.
  • Use Tempest in order to get some feedback on the injections.