Materials for my "Introduction to USB hacking" talk (slides, video) and a collection of USB hacking–related links.
Snippets for demos shown during the talk are here.
Also see xairy/dma-attacks for my "Introduction to PCIe and DMA attacks" talk.
Demonstrated during the talk.
USB Kill (90$)
Rubber Ducky (45$)
Bash Bunny (100$)
LAN Turtle (55$)
Digispark ATtiny85 (1.3$)
CJMCU BadUSB (10$)
Cactus WHID (16$)
Cactus Micro Rev2 (35$)
Teensy 3.2 (20$)
Facedancer21 (85$)
GreatFET One (110$)
Raspberry Pi Zero (5$)
Raspberry Pi Zero W (10$)
BeagleBone Black (70$)
Nexus 7 2013 (Wi-Fi) tablet (150$)
USB Armory (150$)
EC3380-AB (180$)
OpenVizsla (140$)
AirDrive Keylogger Max (100$)
Maltronics WiFi KeyLogger Internal (45$)
- Follow USB 101
- Looking at syslog (`dmesg`) when a new USB device is connected.
- Checking connected devices and their descriptors with `lsusb`.
- Sniffing and decoding USB packets with a logic analyzer.
- Sniffing USB via usbmon with wireshark.
- Device -> host: electrical, firmware, kernel, logical
- Host -> device: firmware, Android, iOS
- Host -> device -> host: original BadUSB
- Remote: USB/IP, WebUSB, USBAnywhere
- Linux USB stack
- USB sysfs, usbfs
- libusb, pyusb
- BadUSB: consumer-ready vs self-designed
- BadUSB: microcontroller-based vs Facedancer vs Linux-based
Consumer-ready:
- Rubber Ducky.
- Bash Bunny.
- LAN Turtle.
Microcontroller-based:
- Teensy 3.2.
- ATtiny85 board.
- CJMCU BadUSB.
- Cactus WHID.
- Facedancer software overview
- Facedancer21 and GreatFET One
- Emulating USB keyboard with Facedancer.
- USB reconnaissance with Facedancer.
- Linux USB Gadget subsystem
- Legacy Gadget Modules
- USB Gadget ConfigFS
- GadgetFS
- Raw Gadget
- Emulating mass storage drive through `g_mass_storage.ko` on Raspberry Pi Zero.
- Emulating keyboard with ConfigFS on Raspberry Pi Zero.
- Emulating keyboard through GadgetFS on Raspberry Pi Zero.
- Emulating keyboard through Raw Gadget on Raspberry Pi Zero.
- Emulating keyboard from an Android device.
- Fuzzing, hardware vs virtual
- vUSBf, QEMU and usbredir
- syzkaller, Raw Gadget and `dummy_hcd.ko`
- Fuzzing USB with Facedancer.
- Fuzzing USB with vUSBf.
- Fuzzing USB with syzkaller.
- Crashing a Linux machine via a bug in a USB driver.
- Crashing a Windows machine via a bug in a USB driver.
- Hardware vs software sniffers
- "Low-level" vs "high-level" sniffers
- Beagle analyzers
- USBProxy, USBProxy 'Nouveau'
- OpenVizsla
- Hardware keyloggers (AirDrive, Maltronics)
- Sniffing with usbmon already demoed in part 1.
- Sniffing with a logic analyzer already demoed in part 1.
- Sniffing USB with USBProxy on BeagleBone Black.
- Sniffing USB with USBProxy 'Nouveau' with Facedancer.
- Sniffing USB with OpenVizsla.
- Sniffing keyboard via AirDrive Keylogger.