#pentestips: Know your "BadUSB"

"BadUSB" devices are innocent-looking USB-based devices that have ulterior motives and are typically found in every pentester's toolkit.

Today’s #pentestips episode is called: Know your BadUSB Devices

When you plug hardware into a computer, it typically needs to be manually approved and installed.

But if you're trying to install a device like a keyboard or a mouse - how do you install it if you're unable to click or type?

To solve this paradox, a new class of devices was designed : the "HID", or "Human Interface Devices"
Specific types of hardware automatically install without any interaction from the user: Input Devices (Keyboard, Mouse), Storage (Hard-drives, USB-Drives), Network (Ethernet adaptors).

Getting Devious
The "BadUSB" family of devices takes advantage of this system by emulating HID devices.
When plugged in, they can pretend to be a keyboard, a mouse, a storage device, etc - simultaneously. And because they're not limited by fingers, they can "type" and "click" incredibly quickly.

BadUSB devices are used for multiple purposes: from delivering 'payloads' to exfiltrate or gain access to data during red-team assessments to automating boring tasks for sys-admins.

At Lab401, we've got multiple types of BadUSB devices, each with different characteristics.

Rubber Ducky

https://lab401.com/products/rubber-ducky

Conceived in 2010, the Rubber Ducky is the grandfather of BadUSB devices. It can emulate both storage and keyboard strokes, allowing for payloads to exfiltrate data from computers.

The Rubber Ducky is easily programmed with "Ducky Script", a simple scripting language, and enjoys an active community with hundreds of pre-made Payloads.

USBNinja

https://lab401.com/products/usbninja

The USBNinja is a highly miniaturized, highly covert version of the Rubber Ducky.
Inspired by the NSA Project "COTTONMOUTH", the entire device is hidden inside a USB cable and controlled wirelessly.

Besides avoiding suspicion during red-team assessments, it also allows for long-term implants - how often do you change your keyboard's USB cable?

The USBNinja has iOS/Android apps, can be updated over the air, used in real-time mode, exfiltrate data, self-destruct, and more importantly - acts as a real USB cable, supporting USB-3, Lightning, USB-C, QuickCharge technologies, etc.

InputStick RAT

https://lab401.com/products/inputstick-rat

The InputStick takes a different approach from the other devices. It's designed as a wireless, real-time keyboard and mouse tool. Once the InputStick is plugged in, the user can control the host device via the included Windows/Android/iOS applications.

The 'real-time' / non-payload nature of the device allows for situations where timing is important (waiting for a specific situation), or simply remote administration of devices.

It also supports macros for an 'entry-level' payload system.

Summing up
Which device is perfect for you depends completely on your task and budget.

• If you need automation, but don't need wireless control

• If you don't need to make permanent implants

• Want to benefit from hundreds of pre-written payloads
  We recommend the RUBBER DUCKY

• If you need automation and wireless control.

• If you need highly covert implants and advanced options such as over-the-air updates.
  We recommend the USBNINJA PROFESSIONAL

• If you don't need to exfiltrate data

• If you need real-time control/mouse control

• If you're on a limited budget
  We recommend the InputStick

If you need more information or have any questions, please reach out to us via our awesome customer support: support@lab401.com