Skip to content
WiFi HID Injector - An USB Rubberducky / BadUSB On Steroids.
C++ Objective-C HTML PowerShell
Branch: master
Clone or download
whid-injector Merge pull request #48 from joelsernamoreno/master
FingerprintUSBHost implementation to detect OS
Latest commit f53d533 Aug 5, 2019

WHID Injector

Black Hat Arsenal Europe Black Hat Arsenal USA ToolsWatch Best Tools

WiFi HID Injector for Fun & Profit
Hardware Design Author: Luca Bongiorni -
Initial sw based on ESPloit by Corey Harding of
WHID Mobile Connector by Paul

For Sale at:**

** The Author has no profit out of the Cactus WHID sales. But you can always buy him an Italian Coffee :) Buy Me a Coffee at

Generic Overwiev

WHID's Talk @ HackInParis 2018

Here the Video: HiP 2018 Video

Here its slides: HiP 2018 Slides

WHID Injector has an Official Android App and guess what, we open sourced it. WHID Mobile Connector
WHID Mobile Connector is Open/Source! Wanna contribute?
Look at


HOW TO START [Newbies Edition]

Since July 2017 all Cactus WHID are delivered with pre-loaded ESPloitV2 and are ready to Plug-n-Hack ✌

Thus, even if you are not an Arduino expert, you can immediately have fun!

Just plug it in an USB port and connect to the WiFi network:

SSID "Exploit"

Password "DotAgency"

Open a web browser pointed to ""

The default administration username is "admin" and password "hacktheplanet".

For cool payloads or more info check the Wiki or the Payloads directory.

The Hardware

USB Pinouts

In order to make easier the process of weaponizing USB gadgets, you can solder the USB wires to the dedicated pinouts.

The pin closer to USB-A is GND. The pins are:

  • GND
  • D+
  • D-
  • VCC

[ In case an USB HUB is needed (i.e. to weaponize some USB gadget or mouse), usually, I do use this one or this]

Documentation WIKI


Third-Party Softwares Compatible with WHID's Hardware (Improved version of WHID GUI, installed by default on Cactus WHID hardware) (Dedicated software for AirGap bypass Vs Windows) (old software similar to ESPloitV2)

Possible Applications

  • Classic: Remote Keystrokes Injection Over WiFi

Deploy WHID on Victim's machine and remotely control it by accessing its WiFi AP SSID. (eventually you can also setup WHID to connect to an existing WiFi network)

  • Social Engineering: Deploy WHID inside an USB gadget

The main idea behind it is to test for Social Engineering weaknesses within your target organization (e.g. DLP policy violations) and to bypass physical access restrictions to Target's device. Usually, I create a fancy brochure (sample template ) attached with a weaponized USB gadget and then use a common delivery carrier (e.g. UPS, DHL, FedEx).

Video Tutorials

WHID's Attack Simulation

More Video on WHID's Youtube Channel:

Blogposts about WHID

Forensics Analysis of HID Offensive Implants from Societe Generale's CERT

You can’t perform that action at this time.