├── .gitignore
├── LICENSE
├── LINKS.md
├── README.md
└── talk
    ├── DEMOS.md
    └── README.md

/.gitignore:
--------------------------------------------------------------------------------
*.swp

/LICENSE:
--------------------------------------------------------------------------------
Attribution 4.0 International

=======================================================================

Creative Commons Corporation ("Creative Commons") is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an "as-is" basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.

Using Creative Commons Public Licenses

Creative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.

Considerations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors: wiki.creativecommons.org/Considerations_for_licensors

Considerations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor's permission is not necessary for any reason--for example, because of any applicable exception or limitation to copyright--then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described. Although not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public: wiki.creativecommons.org/Considerations_for_licensees

=======================================================================

Creative Commons Attribution 4.0 International Public License

By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.


Section 1 -- Definitions.

a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.

b. Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License.

c. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.

d. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.

e. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.

f. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.

g. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.

h. Licensor means the individual(s) or entity(ies) granting rights under this Public License.

i. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.

j. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.

k. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.


Section 2 -- Scope.

a. License grant.

   1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:

      a. reproduce and Share the Licensed Material, in whole or in part; and

      b. produce, reproduce, and Share Adapted Material.

   2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.

   3. Term. The term of this Public License is specified in Section 6(a).

   4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.

   5. Downstream recipients.

      a. Offer from the Licensor -- Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.

      b. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.

   6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).

b. Other rights.

   1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.

   2. Patent and trademark rights are not licensed under this Public License.

   3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties.


Section 3 -- License Conditions.

Your exercise of the Licensed Rights is expressly made subject to the following conditions.

a. Attribution.

   1. If You Share the Licensed Material (including in modified form), You must:

      a. retain the following if it is supplied by the Licensor with the Licensed Material:

         i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);

         ii. a copyright notice;

         iii. a notice that refers to this Public License;

         iv. a notice that refers to the disclaimer of warranties;

         v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;

      b. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and

      c. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.

   2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.

   3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.

   4. If You Share Adapted Material You produce, the Adapter's License You apply must not prevent recipients of the Adapted Material from complying with this Public License.


Section 4 -- Sui Generis Database Rights.

Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:

a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database;

b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material; and

c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.

For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.


Section 5 -- Disclaimer of Warranties and Limitation of Liability.

a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.

b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.

c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.


Section 6 -- Term and Termination.

a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.

b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:

   1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or

   2. upon express reinstatement by the Licensor.

   For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.

c. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.

d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.


Section 7 -- Other Terms and Conditions.

a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.

b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.


Section 8 -- Interpretation.

a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.

b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.

c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.

d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.


=======================================================================

Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” The text of the Creative Commons public licenses is dedicated to the public domain under the CC0 Public Domain Dedication. Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark "Creative Commons" or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.

Creative Commons may be contacted at creativecommons.org.

/LINKS.md:
--------------------------------------------------------------------------------
USB Hacking Links
=================

All links have been moved [here](/).

/README.md:
--------------------------------------------------------------------------------
USB Hacking
===========

A collection of USB hacking–related links.

For an overview of the state of things in the USB hacking field as of a few years ago, see:

- My 5-hour ["Introduction to USB hacking"](/talk) talk (the talk is in Russian, the slides are in English);
- The awesome ["USB Reverse Engineering: Down the rabbit hole"](https://devalias.net/devalias/2018/05/13/usb-reverse-engineering-down-the-rabbit-hole/) article and link collection by Glenn Grant.

Follow [@andreyknvl](https://twitter.com/andreyknvl) on Twitter or [@xairy@infosec.exchange](https://infosec.exchange/@xairy) on Mastodon to be notified of updates.


## Contents

- [Essentials](#essentials)
- [Workshops](#workshops)
- [Hardware](#hardware)
  - [Malicious hardware](#malicious-hardware)
    - [Rubber Ducky](#rubber-ducky)
    - [Bash Bunny](#bash-bunny)
    - [Cactus WHID](#cactus-whid)
    - [Flipper Zero](#flipper-zero)
    - [Malicious cables](#malicious-cables)
    - [Keyloggers](#keyloggers)
    - [Other malicious hardware](#other-malicious-hardware)
  - [Sniffers and analyzers](#sniffers-and-analyzers)
    - [USB](#usb)
    - [USB Power Delivery](#usb-power-delivery)
  - [Facedancer boards](#facedancer-boards)
    - [Modern](#modern)
    - [Legacy](#legacy)
  - [Linux boards](#linux-boards)
    - [Raspberry Pi Zero](#raspberry-pi-zero)
    - [Beagle boards](#beagle-boards)
    - [USB Armory](#usb-armory)
    - [OpenStick](#openstick)
    - [Android](#android)
  - [Arduino boards](#arduino-boards)
    - [Teensy](#teensy)
    - [Digispark](#digispark)
    - [CJMCU BadUSB](#cjmcu-badusb)
    - [WiFi Duck](#wifi-duck)
  - [Other hardware](#other-hardware)
- [Linux USB stack](#linux-usb-stack)
  - [Host subsystem](#host-subsystem)
  - [Gadget subsystem](#gadget-subsystem)
  - [ConfigFS and FunctionFS](#configfs-and-functionfs)
  - [GadgetFS](#gadgetfs)
  - [Raw Gadget](#raw-gadget)
  - [Testing](#testing)
- [Software](#software)
  - [Libraries](#libraries)
  - [Capturing software](#capturing-software)
  - [Analyzers](#analyzers)
  - [Fuzzers](#fuzzers)
  - [Defensive](#defensive)
  - [Other software](#other-software)
- [Research](#research)
  - [Attacking](#attacking)
  - [Fuzzing](#fuzzing)
  - [Defensive](#defensive)
  - [Reverse engineering](#reverse-engineering)
  - [Creating tools](#creating-tools)
  - [Other research](#other-research)
- [Misc](#misc)


## Essentials

["USB 101: An Introduction to Universal Serial Bus 2.0" by Robert Murphy](https://www.cypress.com/file/134171/download) [book]

["USB in a NutShell" by Craig Peacock](https://www.beyondlogic.org/usbnutshell/usb1.shtml) [articles]

[USB: Document Library](https://www.usb.org/documents)


## Workshops

["Hacking the USB World with FaceDancer" by Kate Temkin](https://usb.ktemkin.com/) [workshop]


## Hardware

### Malicious hardware

Hardware (and related tools) developed specifically for executing USB attacks.
Some hardware from other sections can also be used for this.


#### Rubber Ducky

Flash drive–looking device that pretends to be a USB keyboard and injects keystrokes.

[Rubber Ducky](https://shop.hak5.org/products/usb-rubber-ducky) [hardware]

[hak5 docs: USB Rubber Ducky](https://docs.hak5.org/hak5-usb-rubber-ducky) [docs]

[usbrubberducky-payloads: Rubber Ducky payload repository](https://github.com/hak5/usbrubberducky-payloads) [github]


#### Bash Bunny

Can pretend to be a USB Ethernet, serial, mass storage, or HID device.

[Bash Bunny](https://shop.hak5.org/products/bash-bunny) [hardware]

[hak5 docs: Bash Bunny](https://docs.hak5.org/bash-bunny) [docs]

[Bash Bunny wiki](https://wiki.bashbunny.com/#!index.md) [docs]

[bashbunny-payloads: Bash Bunny payload repository](https://github.com/hak5/bashbunny-payloads) [github]


#### Cactus WHID

Rubber Ducky clone that can be triggered over Wi-Fi.

[Cactus WHID: Wi-Fi HID Injector — USB Rubber Ducky / BadUSB On Steroids](https://github.com/whid-injector/WHID) [hardware]
[[video](https://www.youtube.com/watch?v=ADqMCKtufNY)]

[WHID Elite: GSM-enabled Open-Source Multi-Purpose Offensive Device](https://github.com/whid-injector/whid-31337) [hardware]

[Cactus Micro Rev2](https://wiki.aprbrother.com/en/Cactus_Micro_Rev2.html) [hardware]

[ESPloitV2: Wi-Fi Keystroke Injection Tool designed for Cactus WHID](https://github.com/exploitagency/ESPloitV2) [github]


#### Flipper Zero

A general-purpose hacking tool that includes support for emulating a USB HID device.

[Flipper Zero](https://flipperzero.one/) [hardware]

[Bad USB - Flipper Zero](https://docs.flipper.net/bad-usb) [docs]

[Flipper-Zero-BadUSB: Flipper Zero BadUSB payloads](https://github.com/I-Am-Jakoby/Flipper-Zero-BadUSB) [github]

[badusb: Flipper Zero BadUSB payload library](https://github.com/FalsePhilosopher/badusb) [github]


#### Malicious cables

[2020: "List of current USB cables with implants for keystroke injection attacks & more" by Marcus Mengs](https://x.com/mame82/status/1221093466463182849) [picture]

[O.MG Cable](https://o.mg.lol/) [hardware]
[[video review](https://www.youtube.com/watch?v=mPF9f-PLDPc)]
[[payloads](https://github.com/hak5/omg-payloads)]

[USBNinja](https://www.crowdsupply.com/rfid-research-group/usbninja) [hardware]

[Evil Crow Cable](https://github.com/joelsernamoreno/EvilCrow-Cable) [hardware]

[Evil Crow Cable Pro](https://github.com/joelsernamoreno/EvilCrowCable-Pro) [hardware]

[USBSamurai](https://infosecwriteups.com/usbsamurai-a-remotely-controlled-malicious-usb-hid-injecting-cable-for-less-than-10-ebf4b81e1d0b) [hardware]
[[article](https://infosecwriteups.com/usbsamurai-for-dummies-4bd47abf8f87)]

[AirDrive Forensic Keylogger Cable & Module](https://www.keelog.com/forensic-keylogger/) [hardware]

[KeyGrabber Forensic Keylogger Cable & Module](https://www.keelog.com/keygrabber-forensic/) [hardware]


#### Keyloggers

AirDrive:
[Keylogger](https://www.keelog.com/hardware-keylogger/),
[Forensic Keylogger](https://www.keelog.com/airdrive-keylogger/)
[hardware]

KeyGrabber:
[Pico](https://www.keelog.com/keygrabber-pico/),
[USB](https://www.keelog.com/usb-keylogger/),
[TimeKeeper](https://www.keelog.com/timestamp-keylogger/),
[Forensic Keylogger](https://www.keelog.com/keygrabber-keylogger/)
[hardware]

[Forensic Keylogger Keyboard](https://www.keelog.com/keylogger-keyboard/) [hardware]

[Key Croc](https://shop.hak5.org/products/key-croc) [hardware]

[KEYVILBOARDs](https://www.tindie.com/stores/keyvilboard/) [hardware]

[Maltronics WiFi KeyLogger Internal](https://web.archive.org/web/20211023150651/https://maltronics.com/products/wifi-keylogger-internal) [hardware] [discontinued]


#### Other malicious hardware

[LAN Turtle](https://hak5.org/products/lan-turtle) [hardware]
[[docs](https://docs.hak5.org/lan-turtle)]
[[modules](https://github.com/hak5/lanturtle-modules)]

[O.MG Plug](https://shop.hak5.org/products/omg-plug) [hardware]

[USB Killer](https://usbkill.com/) [hardware]

[rpk2: Evil Mass Storage](https://rootkit.es/buy_rpk2/) [hardware]
[[github](https://github.com/therealdreg/evilmass_at90usbkey2)]
[[article](https://web.archive.org/web/20211022034816/https://www.driverentry.com/node/104)]


### Sniffers and analyzers

Hardware developed specifically for sniffing and analyzing USB communications.
Some hardware from the [Facedancer boards](#facedancer-boards) and [Linux boards](#linux-boards) sections can also be used for this.


#### USB

Beagle:
[USB 12](https://www.totalphase.com/products/beagle-usb12/),
[USB 480](https://www.totalphase.com/products/beagle-usb480/),
[USB 480 Ultimate](https://www.totalphase.com/products/beagle-usb480-power-ultimate/),
[USB 5000 v2 Ultimate](https://www.totalphase.com/products/beagle-usb5000-v2-ultimate/)
[hardware]

[OpenVizsla](http://openvizsla.org/) [hardware]
[[github](https://github.com/openvizsla/ov_ftdi)]
[[shop](https://shop.sysmocom.de/OpenVizsla-v3.x-USB-Protocol-Analyzer-PCBA/openvizsla-pcba-v3.4)]
[[articles](https://debugmo.de/tags/openvizsla/)]

[LambdaConcept USB2 SNIFFER](https://shop.lambdaconcept.com/home/35-usb2-sniffer.html) [hardware]

[PhyWhisperer-USB](https://www.crowdsupply.com/newae/phywhisperer-usb) [hardware]
[[github](https://github.com/newaetech/phywhispererusb)]

[Daisho: SuperSpeed USB 3.0 FPGA platform](https://greatscottgadgets.com/daisho/) [hardware] [decommissioned]
[[article](https://ossmann.blogspot.com/2013/05/introducing-daisho.html)]
[[github](https://github.com/greatscottgadgets/daisho)]

[Low-cost USB Sniffer](https://github.com/ataradov/usb-sniffer) [hardware]

[serialusb](https://github.com/matlo/serialusb) [hardware] [decommissioned]
[[article](https://blog.gimx.fr/serialusb/)]
[[wiki](https://gimx.fr/wiki/index.php?title=DIY_USB_adapter)]


#### USB Power Delivery

[Twinkie: USB-PD Sniffer](https://www.chromium.org/chromium-os/developer-library/guides/hardware-schematics/twinkie/) [hardware]

[Twonkie: USB-PD sniffer/injector/sink based on Twinkie](https://github.com/dojoe/Twonkie) [hardware]
[[shop](https://shop.3mdeb.com/shop/open-source-hardware/twonkie-usb-c-sniffer/)]

[twebkie: USB Power Delivery analyzer directly from web](https://chromium.googlesource.com/chromiumos/twebkie/) [github]

[usb.org: USB Power Delivery Compliance](https://www.usb.org/usbc#:~:text=download%20here.-,USB%20Power%20Delivery%20Compliance,-The%20USB%20PD) [hardware]


### Facedancer boards

Hardware and tools compatible with the [modern Facedancer framework](https://github.com/greatscottgadgets/facedancer) and its older versions.

#### Modern

[Cynthion: Multi-tool for building, analyzing, and hacking USB devices](https://www.crowdsupply.com/great-scott-gadgets/cynthion) [hardware]

[GreatFET One](https://greatscottgadgets.com/greatfet/one/) [hardware]
[[article](https://www.blackhat.com/docs/us-16/materials/us-16-Ossmann-GreatFET-Making-GoodFET-Great-Again-wp.pdf)]
[[video](https://www.youtube.com/watch?v=4NIoAnsuFOQ)]

[Hydradancer: HydraUSB3-based backend for Facedancer](https://github.com/HydraDancer/hydradancer_fw) [hardware] [upcoming]
[[article](https://blog.quarkslab.com/hydradancer-faster-usb-emulation-for-facedancer.html)]

[Facedancer: Modern framework for all Facedancer boards](https://github.com/greatscottgadgets/facedancer) [github]
[[video](https://www.youtube.com/watch?v=L3Ug9591Vag)]

[packetry: Fast, intuitive USB 2.0 protocol analysis application for use with Cynthion](https://github.com/greatscottgadgets/packetry) [github]

[raw-gadget/Facedancer: Prototype of Raw Gadget–based Facedancer backend for Linux boards](https://github.com/xairy/raw-gadget?tab=readme-ov-file#facedancer-backend) [github]


#### Legacy

[Facedancer21](https://goodfet.sourceforge.net/hardware/facedancer21/) (and older) [hardware]
[[article](https://travisgoodspeed.blogspot.com/2012/07/emulating-usb-devices-with-python.html)]

[GoodFET42](https://goodfet.sourceforge.net/hardware/goodfet42/) (and older) [hardware]

[Raspdancer: Facedancer21 expansion board for Raspberry Pi](https://wiki.yobi.be/index.php/Raspdancer) [hardware]

[BeagleDancer: Facedancer21 expansion board for BeagleBone](https://github.com/dominicgs/BeagleDancer) [hardware]

[facewhisperer: USB host add-on for the ChipWhisperer side-channel analysis tool](https://git.approximate.life/facewhisperer.git/) [hardware]
[[video](https://www.youtube.com/watch?v=TeCQatNcF20)]
[[article](https://blog.securityinnovation.com/glitching-firmware-over-usb-using-facewhisperer)]

[goodfet: Legacy framework for Facedancer21 and GoodFET boards](https://github.com/travisgoodspeed/goodfet) [github]

[umap: USB host security assessment tool for Facedancer21 and GoodFET boards](https://github.com/nccgroup/umap) [github]

[umap2: Version 2 of umap](https://github.com/nccgroup/umap2) [github]

[nu-map: Fork of umap2 based on modern Facedancer framework](https://github.com/usb-tools/nu-map) [github]

[badusb2-mitm-poc: USB MitM with two Facedancer21 boards](https://github.com/withdk/badusb2-mitm-poc) [github]


### Linux boards

A multitude of Linux boards can be used for USB device emulation; see the [Gadget subsystem](#gadget-subsystem) section.
This section only lists the more notable ones.


#### Raspberry Pi Zero

The cheapest and most compact of the Raspberry Pi boards.
308 | 309 | [Raspberry Pi Zero](https://www.raspberrypi.com/products/raspberry-pi-zero/) [hardware] 310 | 311 | [Turning your Raspberry PI Zero into a USB Gadget](https://learn.adafruit.com/turning-your-raspberry-pi-zero-into-a-usb-gadget) [article] 312 | 313 | [Raspberry Pi Zero OTG Mode](https://gist.github.com/gbaman/50b6cca61dd1c3f88f41) [article] 314 | 315 | [P4wnP1: Highly customizable USB attack platform based on Rasbperry Pi Zero](https://github.com/mame82/P4wnP1) [github] 316 | [[writeup](https://github.com/mame82/P4wnP1/blob/master/writeup_lockpicker.md)] 317 | [[Kali image](https://twitter.com/_binkybear/status/919324503020150784)] 318 | 319 | [poisontap: Malicious Ethernet USB devices based on Raspberry Pi Zero](https://github.com/samyk/poisontap) [github] 320 | 321 | [RaspberryPiZero_HID_MultiTool: Scripts for turning Raspberry Pi Zero into various USB devices](https://github.com/darrylburke/RaspberryPiZero_HID_MultiTool/) [github] 322 | 323 | [rspiducky: Turns Rasberry Pi Zero into Rubber Ducky](https://github.com/msjmeyer/rspiducky) [github] 324 | 325 | [sahara_emulator: Emulates Qualcomm Sahara using Raspberry Pi Zero](https://github.com/bkerler/sahara_emulator) [github] 326 | 327 | ([Raspdancer: Facedancer21 expansion board for Raspberry Pi](https://wiki.yobi.be/index.php/Raspdancer) [hardware]) 328 | 329 | 330 | #### Beagle boards 331 | 332 | These were the first Linux boards that were used for implementing USB-related tools. 
333 | 334 | [BeagleBone Black](https://www.beagleboard.org/boards/beaglebone-black) [hardware] 335 | 336 | [BeagleBoard-xM](https://www.beagleboard.org/boards/beagleboard-xm) [hardware] 337 | 338 | [USBProxy-legacy: USB proxy for BeagleBone Black based on libusb and GadgetFS](https://github.com/usb-tools/USBProxy-legacy) [github] 339 | 340 | [bb_usb_sniffer: USB sniffer for BeagleBoard-xM based on custom gadget driver](https://github.com/matlo/bb_usb_sniffer) 341 | 342 | [usbq: Python framework for monitoring and modifying USB communications](https://github.com/ivision-research/usbq) [github] 343 | [[usbq_core](https://github.com/airbus-seclab/usbq_core)] 344 | [[usbq_userland](https://github.com/airbus-seclab/usbq_userland)] 345 | 346 | [2010: "BeagleBoard/GSoC/2010 Projects/USBSniffer"](https://www.elinux.org/BeagleBoard/GSoC/2010_Projects/USBSniffer) [docs] 347 | [[blog](https://beagleboard-usbsniffer.blogspot.com/)] 348 | 349 | [2014: "USBProxy: Building an Open and Affordable USB Man in the Middle Device" by Dominic Spill](https://github.com/dominicgs/dominicgs.github.io/blob/master/presentations/2014/Spill_USBProxy_ShmooCon_Slides.pdf) [slides] 350 | [[article](https://github.com/dominicgs/dominicgs.github.io/blob/master/presentations/2014/Spill_USBProxy_ShmooCon_paper.pdf)] 351 | [[video](https://www.youtube.com/watch?v=5JnAeakUBnU)] 352 | 353 | [2014: "USB write blocking with USBProxy" by Dominic Spill](https://dominicspill.com/presentations/2014/Spill_BSidesLV_USBProxy_slides.pdf) [slides] 354 | [[video](https://www.youtube.com/watch?v=rcfYgU-Be08)] 355 | 356 | [2015: "NSA Playset: USB Tools" by Dominic Spill](https://github.com/dominicgs/dominicgs.github.io/blob/master/presentations/2015/NSA%20Playset-USB%20Tools-ShmooCon.pdf) [slides] 357 | [[summary](https://shmoo.gitbook.io/2015-shmoocon-proceedings/build_it/01_nsa_playset_usb_tools)] 358 | [[video](https://www.youtube.com/watch?v=uDPxa5tcdnI)] 359 | 360 | [2016: "USBiquitous: USB intrusion toolkit" by 
Benoit Camredon](https://www.sstic.org/media/SSTIC2016/SSTIC-actes/usb_toolkit/SSTIC2016-Article-usb_toolkit-camredon.pdf) [article] 361 | 362 | ([BeagleDancer: Facedancer21 expansion board for BeagleBone](https://github.com/dominicgs/BeagleDancer) [hardware]) 363 | 364 | 365 | #### USB Armory 366 | 367 | [USB Armory](https://inversepath.com/usbarmory) [hardware] 368 | [[github](https://github.com/usbarmory/usbarmory)] 369 | 370 | [2015: "USB Armory as an Offensive Attack Platform"](https://docs.google.com/viewer?url=https://raw.githubusercontent.com/wiki/inversepath/usbarmory/contrib/USB%20Armory%20as%20an%20Offensive%20Attack%20Platform%20Jeroen_van_Kessel-and-Nick_Triantafyllidis.pdf) [paper] 371 | 372 | [2016: "Forging USB armory" by Andrea Barisani](https://www.blackhat.com/docs/asia-15/materials/asia-15-Barisani-Forging-The-USB-Armory.pdf) [slides] 373 | [[video](https://www.youtube.com/watch?v=MsK2V_iO9Z4)] 374 | 375 | [2016: "Snagging creds from locked machines" by Rob Fuller](https://room362.com/post/2016/snagging-creds-from-locked-machines/) [article] 376 | 377 | [2017: "How to Build a USB Analyzer with USB Armory? 
- Creating an Armory Sandbox" by Pedro Vilaca](https://www.sentinelone.com/blog/armory-sandbox-building-usb-analyzer-usb-armory/) [article] 378 | [[github](https://github.com/gdbinit/armorysandbox)] 379 | 380 | 381 | #### OpenStick 382 | 383 | [OpenStick](https://github.com/OpenStick/OpenStick) [github] 384 | [[wiki](https://www.kancloud.cn/handsomehacker/openstick/2636505)] 385 | [[blobs](https://github.com/OpenStick/stick-blobs)] 386 | 387 | [2022: "Hackable $20 Modem Combines LTE And Pi Zero W2 Powe" by Arya Voronova](https://hackaday.com/2022/08/03/hackable-20-modem-combines-lte-and-pi-zero-w2-power/) [article] 388 | 389 | [2022: "OpenStick: Some Preliminary Investigations"](https://www.zianet.com/jgray/openstick/) [article] 390 | 391 | [2023: "P4wnP1-LTE" by Rogan Dawes](https://sensepost.com/blog/2023/p4wnp1-lte/) [article] 392 | 393 | [2022: "OpenStick" by Zoltan Mizsei](https://extrowerk.com/2022-07-31/OpenStick.html) [article] 394 | 395 | [UF896 - Qualcomm MSM8916 LTE router ~384MiB RAM/2.4GiB flash, Android: OpenWrt?](https://forum.openwrt.org/t/uf896-qualcomm-msm8916-lte-router-384mib-ram-2-4gib-flash-android-openwrt/131712) [forum] 396 | 397 | [OpenStick WIP notes](https://github.com/colemickens/mobile-nixos/tree/openstick/devices/openstick) [github] 398 | 399 | [openstick-stuff](https://github.com/Mio-sha512/openstick-stuff/releases) [github] 400 | 401 | 402 | #### Android 403 | 404 | [android-keyboard-gadget: Convert Android device into USB keyboard/mouse](https://github.com/pelya/android-keyboard-gadget) [github] 405 | 406 | [DroidDucky: Simple DuckyScript interpreter in Bash](https://github.com/anbud/DroidDucky) [github] 407 | [[article](https://web.archive.org/web/20201108135130/http://zx.rs/6/DroidDucky---Can-an-Android-quack-like-a-duck/)] 408 | 409 | 410 | ### Arduino boards 411 | 412 | Many Arduino boards and their clones can be used for USB device emulation. 413 | This section provides only a few notable links; there is too many to list all. 
414 | 415 | [Arduino Classic boards](https://www.arduino.cc/en/hardware#classic-family) [hardware] 416 | 417 | [BadUSB DIY](https://www.youtube.com/playlist?list=PL2YepVFF1azFjaLd5PYCYg2lKeB6t1xcj) [playlist] 418 | 419 | 420 | #### Teensy 421 | 422 | [Teensy 3.2](https://www.pjrc.com/store/teensy32.html) [hardware] 423 | 424 | [Teensy 2.0](https://www.pjrc.com/store/teensy.html) [hardware] 425 | 426 | Teensy docs: 427 | [USB Serial](https://www.pjrc.com/teensy/td_serial.html), 428 | [USB Keyboard](https://www.pjrc.com/teensy/td_keyboard.html), 429 | [USB Mouse](https://www.pjrc.com/teensy/td_mouse.html), 430 | [USB Joystick](https://www.pjrc.com/teensy/td_joystick.html), 431 | [USB MIDI](https://www.pjrc.com/teensy/td_midi.html), 432 | [USB Flight Sim](https://www.pjrc.com/teensy/td_flightsim.html) 433 | [docs] 434 | 435 | [Getting started with Teensy](https://spuder.wordpress.com/2010/10/21/getting-started-with-teensy-usb-rubber-ducky/) [article] 436 | 437 | [cores: Teensy Core Libraries for Arduino](https://github.com/PaulStoffregen/cores) [github] 438 | 439 | [Pateensy: Rubber Ducky–like payload for Teensy](https://github.com/Screetsec/Pateensy) [github] 440 | 441 | [Brutal: Various payloads for Teensy](https://github.com/Screetsec/Brutal) [github] 442 | 443 | [USBdriveby: DNS spoofer payload for Teensy](https://github.com/samyk/usbdriveby) [github] 444 | 445 | [Kautilya: HID payloads for Teensy](https://github.com/samratashok/Kautilya) [github] 446 | 447 | 448 | #### Digispark 449 | 450 | [Digispark: Tiny, Arduino-enabled, USB development board](https://www.kickstarter.com/projects/digistump/digispark-the-tiny-arduino-enabled-usb-dev-board) [hardware] 451 | [[aliexpress](https://aliexpress.com/w/wholesale-Digispark.html)] 452 | 453 | [Configuring Digispark for Arduino IDE and upgrading bootloader](https://gist.github.com/Ircama/22707e938e9c8f169d9fe187797a2a2c) [article] 454 | 455 | [Attiny85: Rubber Ducky payloads for Digispark 
ATtiny85](https://github.com/MTK911/Attiny85) [github] 456 | 457 | [Duckyspark: Translator from USB Rubber Ducky payloads to Digispark code](https://github.com/toxydose/Duckyspark) [github] 458 | 459 | [micronucleus: ATtiny USB bootloader with strong emphasis on bootloader compactness](https://github.com/micronucleus/micronucleus) [github] 460 | 461 | 462 | #### CJMCU BadUSB 463 | 464 | [CJMCU BadUSB](https://aliexpress.com/w/wholesale-CJMCU-BadUSB.html) [hardware] 465 | 466 | [bad_ducky: Instructions for CJMCU BadUSB](https://github.com/mharjac/bad_ducky) [github] 467 | [[wiki](https://github.com/mharjac/bad_ducky/wiki)] 468 | 469 | [CJMCU_ATMEGA32U4_BADUSB: Guide on using DuckyScript with CJMCU BadUSB](https://github.com/asciiterminal/CJMCU_ATMEGA32U4_BADUSB) [github] 470 | 471 | 472 | #### WiFi Duck 473 | 474 | [Malduino](https://maltronics.com/collections/malduinos) [hardware] 475 | 476 | [DSTIKE WiFi Duck](https://dstike.com/collections/frontpage/products/dstike-wifi-duck) [hardware] 477 | 478 | [WiFiDuck: Wireless keystroke injection attack platform](https://github.com/SpacehuhnTech/WiFiDuck) [github] 479 | 480 | 481 | ### Other hardware 482 | 483 | [Tomu: An ARM board that fits inside your USB connector](https://www.crowdsupply.com/sutajio-kosagi/tomu) [hardware] 484 | 485 | [USB 2.0 Hi-Speed Isolator](https://intona.eu/en/products/7054) [hardware] 486 | 487 | [PortaPow blockers](https://portablepowersupplies.co.uk/) [hardware] 488 | 489 | [USG](https://github.com/robertfisk/USG) [hardware] 490 | 491 | [C2C caberQU: USB C cable tester](https://www.kickstarter.com/projects/electr/c2c-caberqu-usb-c-cable-tester) [hardware] 492 | 493 | 494 | ## Linux USB stack 495 | 496 | kernel.org documentation: 497 | [all](https://www.kernel.org/doc/Documentation/usb/), 498 | [HTML index](https://www.kernel.org/doc/html/latest/usb/index.html), 499 | [USB API](https://www.kernel.org/doc/html/latest/driver-api/usb/index.html) 500 | [docs] 501 | 502 | 
[linux-usb.org](http://www.linux-usb.org/) [docs] 503 | 504 | [Bootstrap Yourself with Linux-USB Stack: Design, Develop, Debug, and Validate Embedded USB](https://www.goodreads.com/book/show/11292815-bootstrap-yourself-with-linux-usb-stack) [book] 505 | 506 | 507 | ### Host subsystem 508 | 509 | kernel.org documentation: 510 | [all](https://www.kernel.org/doc/Documentation/usb/), 511 | [HTML index](https://www.kernel.org/doc/html/latest/usb/index.html), 512 | [USB Host API](https://www.kernel.org/doc/html/latest/driver-api/usb/usb.html) 513 | [docs] 514 | 515 | [2009: "Linux USB drivers" by Michael Opdenacker](https://bootlin.com/doc/legacy/linux-usb/linux-usb.pdf) [slides] 516 | 517 | [2007: "What actually happens when you plug in a USB device?"](https://www.technovelty.org/linux/what-actually-happens-when-you-plug-in-a-usb-device.html) [article] 518 | 519 | 520 | ### Gadget subsystem 521 | 522 | kernel.org documentation: 523 | [all](https://www.kernel.org/doc/Documentation/usb/), 524 | [HTML index](https://www.kernel.org/doc/html/latest/usb/index.html), 525 | [USB Gadget API](https://www.kernel.org/doc/html/latest/driver-api/usb/gadget.html) 526 | [docs] 527 | 528 | [linux-usb.org: Linux-USB Gadget API Framework](http://www.linux-usb.org/gadget/) [docs] 529 | 530 | [2021: "USB On-The-Go (OTG)"](https://trac.gateworks.com/wiki/linux/OTG) [article] 531 | 532 | [2023: "A tour of USB Device Controller (UDC) in Linux" by Herve Codina](https://bootlin.com/pub/conferences/2023/eoss/codina-a-tour-of-usb-device-controller/codina-a-tour-of-usb-device-controller.pdf) [slides] 533 | [[video](https://www.youtube.com/watch?v=LJuE2RhfgnA)] 534 | 535 | [2024: "A comprehensive list of all ConfigFS, FunctionFS, USB Gadget API, etc. 
tools and libraries on Github"](https://www.reddit.com/r/linux/comments/1annx0u/a_comprehensive_list_of_all_configfs_functionfs/) [article] 536 | 537 | 538 | #### ConfigFS and FunctionFS 539 | 540 | [2010: "The USB composite framework" by Michal Nazarewicz](https://lwn.net/Articles/395712/) [article] 541 | 542 | [2014: "Make your own USB gadget: Kernel and userspace"](https://events.static.linuxfound.org/sites/events/files/slides/LinuxConNA-Make-your-own-USB-gadget-Andrzej.Pietrasiewicz.pdf) [slides] 543 | 544 | [2014: "Kernel USB Gadget Configfs Interface" by Amit Pundir](https://elinux.org/images/e/ef/USB_Gadget_Configfs_API_0.pdf) [slides] 545 | 546 | [2015: "ConfigFS Gadgets: An Introduction" by Amit Pundir](https://static.linaro.org/connect/sfo15/Presentations/09-23-Wednesday/SFO15-311-%20ConfigFS%20Gadgets-%20An%20Introduction.pdf) [slides] 547 | 548 | [2019: "Modern USB gadget on Linux & how to integrate it with systemd" by Andrzej Pietrasiewicz](https://www.collabora.com/news-and-blog/blog/2019/02/18/modern-usb-gadget-on-linux-and-how-to-integrate-it-with-systemd-part-1/) [article] 549 | [[part 2](https://www.collabora.com/news-and-blog/blog/2019/03/27/modern-usb-gadget-on-linux-and-how-to-integrate-it-with-systemd-part-2/)] 550 | [[video](https://www.youtube.com/watch?v=3aNlLec9YqY)] 551 | 552 | [2020: "Modern USB Gadget with Custom USB Functions" by Andrzej Pietrasiewicz](https://ostconf.com/system/attachments/files/000/001/708/original/Andrzej_Pietrasiewicz_LinuxPiter-2019.pdf) [slides] 553 | [[video](https://www.youtube.com/watch?v=mQYh4xYG5a4)] 554 | 555 | [libusbgx: New USB gadget ConfigFS library](https://github.com/linux-usb-gadgets/libusbgx) [github] 556 | 557 | [libusbg: Old USB gadget ConfigFS library](https://github.com/libusbg/libusbg) [github] 558 | 559 | [gt: Command-line tool for creating USB gadgets via ConfigFS](https://github.com/linux-usb-gadgets/gt) [github] 560 | 561 | [ptp-gadget: FunctionFS-based gadget for PTP (Picture Transfer 
Protocol)](https://github.com/linux-usb-gadgets/ptp-gadget) [github] 562 | 563 | [gadgetd: System-wide USB gadgets and FunctionFS–based services manager](https://github.com/gadgetd/gadgetd) [github] 564 | [[motivation](https://github.com/gadgetd/gadgetd/wiki/Motivation)] 565 | 566 | [keyboard-gadget: Simple HID keyboard gadget via ConfigFS](https://github.com/qlyoung/keyboard-gadget) [github] 567 | 568 | 569 | #### GadgetFS 570 | 571 | [linux-usb.org](http://www.linux-usb.org/gadget/): 572 | [usb.c](http://www.linux-usb.org/gadget/usb.c), 573 | [usbstring.c](http://www.linux-usb.org/gadget/usbstring.c), 574 | [usbstring.h](http://www.linux-usb.org/gadget/usbstring.h) 575 | [examples] 576 | 577 | [2016: "Create your own USB gadget with GadgetFS" by Gregory Soutade](https://blog.soutade.fr/post/2016/07/create-your-own-usb-gadget-with-gadgetfs.html) [article] 578 | 579 | [libusb-gadget: Simple wrapper library to access GadgetFS](https://github.com/ueno/libusb-gadget) [github] 580 | 581 | 582 | #### Raw Gadget 583 | 584 | [raw-gadget: Low-level interface for the Linux USB Gadget subsystem](https://github.com/xairy/raw-gadget) [github] 585 | 586 | [usb-proxy: USB proxy based on Raw Gadget and libusb](https://github.com/AristoChen/usb-proxy) [github] 587 | 588 | 589 | #### Testing 590 | 591 | [linux-usb.org: USB Testing on Linux](http://www.linux-usb.org/usbtest/) [docs] 592 | 593 | [2019: "Using dummy-hcd to play with USB gadgets" by Andrzej Pietrasiewicz](https://www.collabora.com/news-and-blog/blog/2019/06/24/using-dummy-hcd/) [article] 594 | 595 | [2023: "Test a Linux kernel USB Device Controller driver with testusb" by Herve Codina](https://bootlin.com/blog/test-a-linux-kernel-usb-device-controller-driver-with-testusb/) [article] 596 | 597 | 598 | ## Software 599 | 600 | Assorted software that doesn't specifically belong to the sections above. 
601 | 602 | ### Libraries 603 | 604 | [libusb: Cross-platform library for accessing USB devices](https://github.com/libusb/libusb) [github] 605 | 606 | [pyusb: Python library for accessing USB devices](https://github.com/pyusb/pyusb) [github] 607 | 608 | [linux/tools/usbip: USB/IP tools for Linux](https://github.com/torvalds/linux/tree/master/tools/usb/usbip) [github] 609 | 610 | [usbipd-win: USB/IP tools for Windows](https://github.com/dorssel/usbipd-win) [github] 611 | 612 | [python-usb-protocol: USB Protocol Library for Python](https://github.com/greatscottgadgets/python-usb-protocol) 613 | 614 | 615 | ### Capturing software 616 | 617 | [usbmon: USB packet capture for Linux](https://www.kernel.org/doc/html/latest/usb/usbmon.html) [docs] 618 | 619 | [USBPcap: USB packet capture for Windows](https://github.com/desowin/usbpcap) [github] 620 | 621 | [Ubuntu wiki: Debugging USB Problems](https://wiki.ubuntu.com/Kernel/Debugging/USB) [article] 622 | 623 | 624 | ### Analyzers 625 | 626 | [Wireshark: USB capture setup](https://wiki.wireshark.org/CaptureSetup/USB) [docs] 627 | 628 | [ViewSB: Open-source USB analyzer toolkit for variety of capture hardware](https://github.com/greatscottgadgets/ViewSB) [github] 629 | 630 | [vusb-analyzer: Virtual USB Analyzer](https://github.com/a-sf-mirror/vusb-analyzer) [github] 631 | [[sourceforge](https://vusb-analyzer.sourceforge.net/)] 632 | 633 | [hidviz: Tool for in-depth analysis of USB HID devices communication](https://github.com/hidviz/hidviz) [github] 634 | 635 | 636 | ### Fuzzers 637 | 638 | Also see nu-map, umap2, and umap in the [Facedancer boards](#facedancer-boards) section. 
639 | 640 | [syzkaller/usb: Coverge-guided Raw Gadget–based Linux USB host fuzzer](https://github.com/google/syzkaller/blob/master/docs/linux/external_fuzzing_usb.md) [github] 641 | [[slides](https://docs.google.com/presentation/d/1z-giB9kom17Lk21YEjmceiNUVYeI6yIaG5_gZ3vKC-M/edit)] 642 | [[video](https://www.youtube.com/watch?v=1MD5JV6LfxA)] 643 | 644 | [USBFuzz: Coverage-guided QEMU-based USB host fuzzer](https://github.com/HexHive/USBFuzz) [github] 645 | [[paper](https://www.usenix.org/conference/usenixsecurity20/presentation/peng)] 646 | 647 | [vUSBf: QEMU-based USB host fuzzer](https://github.com/schumilo/vUSBf) [github] 648 | [[slides](https://www.blackhat.com/docs/eu-14/materials/eu-14-Schumilo-Dont-Trust-Your-USB-How-To-Find-Bugs-In-USB-Device-Drivers.pdf)] 649 | [[paper](https://www.blackhat.com/docs/eu-14/materials/eu-14-Schumilo-Dont-Trust-Your-USB-How-To-Find-Bugs-In-USB-Device-Drivers-wp.pdf)] 650 | [[video](https://www.youtube.com/watch?v=OAbzN8k6Am4)] 651 | 652 | [UDEFuzz: UDE-based Windows USB host fuzzer](https://github.com/0x123456789/UDEFuzz) [github] 653 | 654 | [FuzzUSB: Dummy HCD/UDC–based Linux USB gadget fuzzer](https://github.com/purseclab/fuzzusb) [github] 655 | [[paper](https://lifeasageek.github.io/papers/kyungtae-fuzzusb.pdf)] 656 | 657 | [usb-device-fuzzing: Some tools for fuzzing USB devices](https://github.com/ollseg/usb-device-fuzzing) [github] 658 | 659 | [FrisbeeLite: GUI-based USB device fuzzer](https://github.com/nccgroup/FrisbeeLite) [github] 660 | [[article](https://research.nccgroup.com/wp-content/uploads/2020/07/fuzzing_usb_devices_using_frisbee_lite.pdf)] 661 | 662 | 663 | ### Defensive 664 | 665 | [usbguard: Software framework for implementing USB device authorization policies](https://github.com/USBGuard/usbguard) [github] 666 | 667 | [usb-canary: Linux/OSX tool that uses psutil to monitor devices while your computer is locked](https://github.com/errbufferoverfl/usb-canary) [github] 668 | 669 | [usbkill: Anti-forensic 
kill-switch that waits for change on USB ports and then immediately shuts down computer](https://github.com/hephaest0s/usbkill) [github] 670 | 671 | [usbwall: Control LDAP users access to USB devices](https://github.com/Turanic/usbwall) [github] 672 | 673 | [ukip: USB Keystroke Injection Protection](https://github.com/google/ukip) [github] 674 | 675 | [usbsas: Tool and framework for securely reading untrusted USB mass storage devices](https://github.com/cea-sec/usbsas) [github] 676 | 677 | 678 | ### Other software 679 | 680 | [usbrip: Simple CLI forensics tool for tracking USB events on GNU/Linux](https://github.com/snovvcrash/usbrip) [github] 681 | 682 | [uhubctl: USB hub per-port power control](https://github.com/mvp/uhubctl) [github] 683 | 684 | [hub-ctrl.c: Control USB power on port by port basis on some USB hubs](https://github.com/codazoda/hub-ctrl.c) [github] 685 | 686 | [webcam-tools: Update of the UVC webcam tools](https://github.com/cshorler/webcam-tools) [github] 687 | 688 | [USBDescriptorKitchen: USB Descriptor creation and maintainance tool](https://github.com/zonque/USBDescriptorKitchen) [github] 689 | 690 | [usbrply: Replay USB messages from Wireshark (.cap) files](https://github.com/JohnDMcMaster/usbrply) [github] 691 | 692 | [virtual-fido: Virtual FIDO2 USB Device](https://github.com/bulwarkid/virtual-fido) [github] 693 | 694 | [LOGITacker: Tool to enumerate and test vulnerabilities of Logitech Wireless Input devices via RF](https://github.com/RoganDawes/LOGITacker) [github] 695 | [[branch](https://github.com/RoganDawes/LOGITacker/blob/USB_host_enum/fingerprint_os.md)] 696 | 697 | [Psychson: Phison 2251-03 (2303) Custom Firmware & Existing Firmware Patches (BadUSB)](https://github.com/brandonlw/Psychson) [github] 698 | [[article](https://vivibit.net/psychson2307final-en/)] 699 | 700 | [MTPwn: PoC exploit for arbitrary file read/write in locked Samsung Android device via MTP (SVE-2017-10086)](https://github.com/smeso/MTPwn) [github] 701 | 702 | 
[usb_cdc: Single/Multi-channel Full Speed USB interface for FPGA and ASIC designs](https://github.com/ulixxe/usb_cdc) [github] 703 | 704 | [apple-hid-read-flash.py: Reading Apple HID flash over USB](https://gist.github.com/marcnewlin/bbdecb8c01746f267cdd187ff6ce36c1) [github] 705 | [[tweet](https://x.com/marcnewlin/status/1771568442564309151)] 706 | 707 | [usbrevue: Suite of tools for reverse-engineering USB devices](https://github.com/wcooley/usbrevue) [github] 708 | 709 | 710 | ## Research 711 | 712 | Articles, talks, and research papers. 713 | 714 | 715 | ### Attacking 716 | 717 | [2023: "Physical Attacks Against Smartphones" by Christopher Wade](https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Christopher%20Wade%20-%20Physical%20Attacks%20Against%20Smartphones.pdf) [slides] 718 | [[video](https://www.youtube.com/watch?v=31xrNuH1RV4)] 719 | 720 | [2023: "Intel BIOS Advisory – Memory Corruption in HID Drivers"](https://research.nccgroup.com/2023/08/08/intel-bios-advisory-memory-corruption-in-hid-drivers/) [article] 721 | 722 | [2023: "REUnziP: Re-Exploiting Huawei Recovery With FaultyUSB" by Lorant Szabo](https://labs.taszk.io/articles/post/reunzip/) [articl 723 | 724 | [2023: "The Impostor Among US(B): Off-Path Injection Attacks on USB Communications" by Robert Dumitru et al.](https://www.usenix.org/conference/usenixsecurity23/presentation/dumitru) [paper] 725 | [[github](https://github.com/0xADE1A1DE/USB-Injection)] 726 | 727 | [2022: "Exploiting the Wii U's USB Descriptor parsing"](https://garyodernichts.blogspot.com/2022/06/exploiting-wii-us-usb-descriptor-parsing.html) [article] 728 | 729 | [2022: "Hacking Some More Secure USB Flash Drives" by Matthias Deeg](https://blog.syss.com/posts/hacking-usb-flash-drives-part-1/) [article] 730 | [[part 2](https://blog.syss.com/posts/hacking-usb-flash-drives-part-2/)] 731 | 732 | [2022: "Keystroke Reflection: Inside a Side-Channel Exfiltration 
Technique"](https://cdn.shopify.com/s/files/1/0068/2142/files/hak5-whitepaper-keystroke-reflection.pdf) [article] 733 | 734 | [2022: "Breaking Secure Boot on Google Nest Hub (2nd Gen) to run Ubuntu" by Frederic Basse](https://fredericb.info/2022/06/breaking-secure-boot-on-google-nest-hub-2nd-gen-to-run-ubuntu.html) [article] 735 | 736 | [2022: "CVE-2021-45608 | NetUSB RCE Flaw in Millions of End User Routers" by Max Van Amernngen](https://www.sentinelone.com/labs/cve-2021-45608-netusb-rce-flaw-in-millions-of-end-user-routers/) [article] 737 | 738 | [2021: "Achieving Linux Kernel Code Execution Through a Malicious USB Device" by Martijn Bogaard and Dana Geist](https://i.blackhat.com/EU-21/Thursday/EU-21-Bogaard-Geist-Achieving-Linux-Kernel-Code-Execution-Through-A-Malicious-USB-Device.pdf) [slides] 739 | 740 | [2020: "Cheating in eSports: How to cheat at virtual cycling using USB hacks" by Brad Dixon](https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Brad-Dixon-Cheating-in-eSports-How-to-cheat-at-virtual-cycling-using-USB-hacks.compressed.pdf) [slides] 741 | [[video](https://www.youtube.com/watch?v=pq9t0VEIMio)] 742 | 743 | [2019: "BadUSB in Routers"](https://docs.google.com/viewer?url=https://github.com/tenable/router_badusb/raw/master/slides.pdf) [slides] [[github](https://github.com/tenable/router_badusb)] 744 | 745 | [2019: "eyeDisk. Hacking the unhackable. 
Again"](https://www.pentestpartners.com/security-blog/eyedisk-hacking-the-unhackable-again/) [article] 746 | 747 | [2019: "Simple AV Evasion Symantec and P4wnP1 USB"](https://initroot.me/advance-av-evasion-symantec-and-p4wnp1-usb) [article] 748 | 749 | [2019: "Hacking microcontroller firmware through a USB"](https://securelist.com/hacking-microcontroller-firmware-through-a-usb/89919/) [article] 750 | 751 | [2019: "Virtual Media Vulnerability in BMC Opens Servers to Remote Attack"](https://eclypsium.com/2019/09/03/usbanywhere-bmc-vulnerability-opens-servers-to-remote-attack/) [article] 752 | [[github](https://github.com/eclypsium/USBAnywhere)] 753 | 754 | [2019: "Command Injection With USB Peripherals" by Danny Rosseau](https://research.ivision.com/command-injection-with-usb-peripherals.html) [article] 755 | 756 | [2019: "Technical analysis of the checkm8 exploit"](https://habr.com/en/companies/dsec/articles/472762/) [article] 757 | 758 | [2018: "ATtention Spanned: Comprehensive Vulnerability Analysis of AT Commands Within the Android Ecosystem"](https://www.usenix.org/conference/usenixsecurity18/presentation/tian) [paper] 759 | 760 | [2018: "USB Hub Bug Hunting & Lessons Learned"](https://www.pjrc.com/usb-hub-bug-hunting-lessons-learned/) [article] 761 | 762 | [2018: "Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems"](https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/) [article] 763 | 764 | [2018: "Advanced USB key phishing"](https://blog.sevagas.com/?Advanced-USB-key-phishing) [article] 765 | 766 | [2018: "Android: directory traversal over USB via injection in blkid output"](https://bugs.chromium.org/p/project-zero/issues/detail?id=1583) [article] 767 | 768 | [2018: "Opening Black Box Systems with GreatFET+FD"](https://greatscottgadgets.com/slides/TR18_AR_RE-Black-Box-Systems-GreatFET-Facedancer.pdf) [slides] 769 | 770 | [2018: "Here's a List of 29 
Different Types of USB Attacks" by Catalin Cimpanu](https://www.bleepingcomputer.com/news/security/heres-a-list-of-29-different-types-of-usb-attacks/) [article] 771 | 772 | [2018: "OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB"](https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html) [article] 773 | 774 | [2018: "Oh No, Where's FIDO? - A Journey into Novel Web-Technology and U2F Exploitation"](https://www.youtube.com/watch?v=pUa6nWWTO4o) [video] 775 | 776 | [2017: "USB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs" by Yang Su et al.](https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/su) [paper] 777 | 778 | [2017: "Exploiting USB/IP in Linux" by Ignat Korchagin](https://www.blackhat.com/docs/asia-17/materials/asia-17-Korchagin-Exploiting-USBIP-In-Linux.pdf) [slides] 779 | 780 | [2016: "A Monitor Darkly: Reversing and Exploiting Ubiquitous OSD Controllers" by Ang Cui](https://redballoonsecurity.com/presentation/DEFCON24_A_Monitor_Darkly.pdf) [slides] 781 | [[video](https://www.youtube.com/watch?v=zvP2FEfOSsk)] 782 | [[code](https://github.com/RedBalloonShenanigans/MonitorDarkly)] 783 | 784 | [2016: "Universal Serial aBUSe: Remote Physical Access Attacks" by Rogan Dawes and Dominic White](https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Rogan-Dawes-Dominic-White-Universal-Serial-aBUSe-Remote-Attacks.pdf) [slides] 785 | [[video](https://www.youtube.com/watch?v=QLEpwra_9o8)] 786 | [[article](https://sensepost.com/blog/2016/universal-serial-abuse/)] 787 | [[code](https://github.com/sensepost/USaBUSe)] 788 | 789 | [2016: "CVE-2016-2384: Exploiting a double-free in the Linux kernel USB MIDI driver" by Andrey Konovalov](https://xairy.github.io/blog/2016/cve-2016-2384) [article] 790 | 791 | [2015: "USB Armory as an Offensive Attack 
Platform"](https://docs.google.com/viewer?url=https://raw.githubusercontent.com/wiki/inversepath/usbarmory/contrib/USB%20Armory%20as%20an%20Offensive%20Attack%20Platform%20Jeroen_van_Kessel-and-Nick_Triantafyllidis.pdf) [paper] 792 | 793 | [2015: "USB Attack to Decrypt Wi Fi Communications" by Jeremy Dorrough](https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Jeremy-Dorrough-USB-Attack-to-Decrypt-Wi-Fi-Communications.pdf) 794 | [[video](https://www.youtube.com/watch?v=UWOxzfRUwis)] 795 | 796 | [2015: "USB - An Attack Surface of Emerging Importance"](https://tubdok.tub.tuhh.de/bitstream/11420/1286/1/USB%20-%20An%20Attack%20Surface%20of%20Emerging%20Importance.pdf) [thesis] 797 | 798 | [2014: "BadUSB - On Accessories that Turn Evil" by Karsten Nohl and Jakob Lell](https://assets-global.website-files.com/6098eeb4f4b0288367fbb639/62bc77a987dd057cc3e28599_SRLabs-BadUSB-Pacsec-v2.pdf) 799 | [[video](https://www.youtube.com/watch?v=nuruzFqMgIw)] 800 | [[wiki](https://opensource.srlabs.de/projects/badusb/wiki)] 801 | 802 | [2014: "USB Attacks Need Physical Access Right? Not Any More..." 
by Andy Davis](https://www.blackhat.com/docs/asia-14/materials/Davis/Asia-14-Davis-USB-Attacks-Need-Physical-Access-Right-Not-Any-More.pdf) 803 | [[video](https://www.youtube.com/watch?v=90MIjgh5ESU)] 804 | 805 | [2014: "USB for All!!1" by Jesse Michael and Mickey Shkatov](https://www.defcon.org/images/defcon-22/dc-22-presentations/Michael-Shkatov/DEFCON-22-Jesse-Michael-Mickey-Shkatov-USB-for-All!!-UPDATED.pdf) [slides] 806 | 807 | [2014: "Mouse Trap: Exploiting Firmware Updates in USB Peripherals" by Jacob Maskiewicz et al.](https://www.usenix.org/conference/woot14/workshop-program/presentation/maskiewicz) [paper] 808 | 809 | [2014: "HubCap: pwning the ChromeCast"](https://fail0verflow.com/blog/2014/hubcap-chromecast-root-pt1/) [article] 810 | 811 | [2014: "USB connection vulnerabilities on Android smartphones" by Andre Fernando Lopes Pereira](https://repositorio-aberto.up.pt/bitstream/10216/76109/2/32399.pdf) [thesis] 812 | 813 | [2013: "iSeeYou: Disabling the MacBook Webcam Indicator LED"](https://jscholarship.library.jhu.edu/bitstream/handle/1774.2/36569/camera.pdf) [paper] 814 | 815 | [2012: "Emulating USB DFU to Capture Firmware" by Travis Goodspeed](https://travisgoodspeed.blogspot.com/2012/10/emulating-usb-dfu-to-capture-firmware.html) [article] 816 | 817 | [2011: "Exploiting USB Devices with Arduino"](https://media.blackhat.com/bh-us-11/Ose/BH_US_11_Ose_Exploiting_USB_Devices_WP.pdf) [article] 818 | [[slides](https://www.irongeek.com/downloads/defcon-phid.pdf)] 819 | 820 | [2009: "USB Attacks: Fun with Plug and 0wn" by Rafael Dominguez Vega](https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-rafael_vega-usb_attacks.pdf) [slides] 821 | 822 | [2009: "USB Device Drivers: A Stepping Stone into your Kernel" by Moritz Jodeit and Martin Johns](http://jodeit.org/research/DeepSec2009_USB_Device_Drivers.pdf) [slides] 823 | 824 | 825 | ### Fuzzing 826 | 827 | [2023: "Automotive USB Fuzzing" by Euntae Jang et 
al.](https://www.youtube.com/watch?v=W_vQ5s1bB30) [video] 828 | 829 | [2022: "Fuzzing USB with Raw Gadget" by Andrey Konovalov](https://docs.google.com/presentation/d/1sArf2cN5tAOaovlaL3KBPNDjYOk8P6tRrzfkclsbO_c/edit?usp=sharing) [slides] 830 | [[video](https://www.youtube.com/watch?v=AT3PQjKxa_c)] 831 | 832 | [2022: "PrIntFuzz: Fuzzing Linux Drivers via Automated Virtual Device Simulation" by Zheyu Ma et al.](https://dl.acm.org/doi/pdf/10.1145/3533767.3534226) [paper] 833 | 834 | [2022: "FuzzUSB: Hybrid Stateful Fuzzing of USB Gadget Stacks" by Kyungtae Kim et al.](https://lifeasageek.github.io/papers/kyungtae-fuzzusb.pdf) [paper] 835 | [[github](https://github.com/purseclab/fuzzusb)] 836 | 837 | [2020: "USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation" by Hui Peng and Mathias Payer](https://www.usenix.org/conference/usenixsecurity20/presentation/peng) [paper] 838 | [[github](https://github.com/HexHive/USBFuzz)] 839 | 840 | [2019: "Coverage-Guided USB Fuzzing with Syzkaller" by Andrey Konovalov](https://docs.google.com/presentation/d/1z-giB9kom17Lk21YEjmceiNUVYeI6yIaG5_gZ3vKC-M/edit) [slides] 841 | [[video](https://www.youtube.com/watch?v=1MD5JV6LfxA)] 842 | [[docs](https://github.com/google/syzkaller/blob/master/docs/linux/external_fuzzing_usb.md)] 843 | 844 | [2019: "USB Fuzzing: A USB Perspective" by Dave Jing Tian](https://davejingtian.org/2019/07/17/usb-fuzzing-a-usb-perspective/) [article] 845 | 846 | [2018: "Massive scale usb device driver fuzz without device"](https://www.slideshare.net/mobile/MSbluehat/bluehat-v18-massive-scale-usb-device-driver-fuzz-without-device) [slides] 847 | 848 | [2017: "POTUS: Probing Off-The-Shelf USB Drivers with Symbolic Fault Injection" by James Patrick-Evans et al.](https://www.usenix.org/conference/woot17/workshop-program/presentation/patrick-evans) [paper] 849 | 850 | [2015: "Introduction to USB and Fuzzing" by Matt 
DuHarte](https://github.com/CryptoMonkey/Conference-Presentations/blob/master/Defcon%2023%20(2015)%20-%20Introduction%20to%20USB%20and%20Fuzzing/Matt%20DuHarte%20-%20HHV%20-%20Introduction%20to%20USB%20and%20Fuzzing.pdf) 851 | [[video](https://www.youtube.com/watch?v=KWOTXypBt4E)] 852 | 853 | [2015: "Don't Trust Your USB! How to Find Bugs in USB Device Drivers" by Sergej Schumilo et al.](https://www.blackhat.com/docs/eu-14/materials/eu-14-Schumilo-Dont-Trust-Your-USB-How-To-Find-Bugs-In-USB-Device-Drivers.pdf) 854 | [[paper](https://www.blackhat.com/docs/eu-14/materials/eu-14-Schumilo-Dont-Trust-Your-USB-How-To-Find-Bugs-In-USB-Device-Drivers-wp.pdf)] 855 | [[video](https://www.youtube.com/watch?v=OAbzN8k6Am4)] 856 | [[github](https://github.com/schumilo/vUSBf)] 857 | 858 | [2014: "Lowering the USB Fuzzing Barrier by Transparent Two-Way Emulation" by Rijnard van Tonder and Herman Engelbrecht](https://www.usenix.org/conference/woot14/workshop-program/presentation/van-tonder) [paper] 859 | 860 | [2014: "Implementing an USB Host Driver Fuzzer" by Daniel Mende](https://www.troopers.de/media/filer_public/66/27/6627d987-0de1-4e1a-97a1-9acaa696253f/troopers14-implementing_an_usb_host_driver_fuzzer-daniel_mende.pdf) [slides] 861 | 862 | [2014: "USB Fuzzing Basics: From fuzzing to bug reporting" by Jordan Bouyat](https://blog.quarkslab.com/usb-fuzzing-basics-from-fuzzing-to-bug-reporting.html) [article] 863 | 864 | [2012: "Fuzzing the USB in your devices" by Olle Segerdahl](https://olle.nxs.se/software/usbdevfuzz/fuzzing-usb-devices.pdf) [slides] 865 | 866 | [2011: "USB Fuzzing for the Masses"](https://labs.withsecure.com/publications/usb-fuzzing-for-the-masses) [article] 867 | 868 | [2011: "Fuzzing USB devices using Frisbee Lite" by Andy Davis](https://research.nccgroup.com/wp-content/uploads/2020/07/fuzzing_usb_devices_using_frisbee_lite.pdf) [article] 869 | [[github](https://github.com/nccgroup/FrisbeeLite)] 870 | 871 | [2010: "USB – Undermining Security Barriers" by 
Andy Davis](https://cs.uno.edu/~dbilar/BH-US-2011/materials/Davis/BH_US_11-Davis_USB_WP.pdf) [article] 872 | [[slides](https://media.blackhat.com/bh-us-11/Davis/BH_US_11-Davis_USB_Slides.pdf)] 873 | [[video](https://www.youtube.com/watch?v=sCtPFpG4_i4)] 874 | 875 | [2009: "Assessment of Software & Hardware Approaches to Building a USB Fuzzer"](https://docs.google.com/viewer?url=https://wikileaks.org/hbgary-emails/fileid/64995/17596) [article] 876 | 877 | 878 | ### Defensive 879 | 880 | [2020: "A file system for safely interacting with untrusted USB flash drives" by Ke Zhong et al.](https://www.usenix.org/conference/hotstorage20/presentation/zhong) [paper] 881 | 882 | [2019: "DeviceVeil: Robust Authentication for Individual USB Devices Using Physical Unclonable Functions" by Kuniyasu Suzaki et al.](https://users.encs.concordia.ca/home/m/mmannan/publications/DeviceVeil-dsn2019.pdf) [paper] 883 | 884 | [2018: "Discovering and Plotting Hidden Networks created with USB Devices"](https://www.exploit-db.com/docs/english/44947-discovering-and-plotting-hidden-networks-created-with-usb-devices.pdf) [paper] 885 | 886 | [2018: "Preventing USB Attacks with linux-hardened"](https://blog.lizzie.io/preventing-usb-attacks-with-linux-hardened.html) [article] 887 | 888 | [2018: "SoK: “Plug & Pray” Today – Understanding USB Insecurity in Versions 1 through C" by Dave (Jing) Tian et al.](https://par.nsf.gov/servlets/purl/10085547) [paper] 889 | 890 | [2017: "USBGuard: authorization for USB" by Nur Hussein](https://lwn.net/Articles/738306/) [article] 891 | 892 | [2017: "FirmUSB: Vetting USB Device Firmware using Domain Informed Symbolic Execution"](https://arxiv.org/pdf/1708.09114.pdf) [paper] 893 | 894 | [2017: "How to Build a USB Analyzer with USB Armory? 
- Creating an Armory Sandbox" by Pedro Vilaca](https://www.sentinelone.com/blog/armory-sandbox-building-usb-analyzer-usb-armory/) [article] 895 | [[github](https://github.com/gdbinit/armorysandbox)] 896 | 897 | [2016: "Preventing USB Attacks with Grsecurity"](https://blog.lizzie.io/preventing-usb-attacks-with-grsecurity.html) [article] 898 | 899 | [2016: "Making USB Great Again with USBFILTER"](https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/tian) [paper] 900 | 901 | [2015: "Defending Against Malicious USB Firmware with GoodUSB"](https://www.cise.ufl.edu/~butler/pubs/acsac15.pdf) [paper] 902 | 903 | [2011: "USB Security Challenges" by Joanna Rutkowska](https://blog.invisiblethings.org/2011/05/31/usb-security-challenges.html) [article] 904 | 905 | 906 | ### Reverse engineering 907 | 908 | [2023: "Hardware investigation of wireless keyloggers" by Antoine Cervoise](https://www.synacktiv.com/en/publications/hardware-investigation-of-wireless-keyloggers.html) [article] 909 | 910 | [2023: "Driver adventures for a 1999 webcam" by Ben Cox](https://blog.benjojo.co.uk/post/quickcam-usb-userspace-driver) [article] 911 | [[code](https://github.com/benjojo/qc-usb-userspace)] 912 | 913 | [2022: "USB: Reverse Engineering and Writing Drivers"](https://www.youtube.com/watch?v=is9wVOKeIjQ) [video] 914 | 915 | [2020: "Reverse Engineering Firmware (in Mice)"](https://8051enthusiast.github.io/2020/04/14/001-USB_Firmware.html) [article] 916 | [[part 2](https://8051enthusiast.github.io/2020/04/14/002-Sensor_Firmware.html)] 917 | [[part 3](https://8051enthusiast.github.io/2020/04/14/003-Stream_Video_From_Mouse.html)] 918 | 919 | [2019: "Reverse Engineering USB Devices" with Kate Temkin and Mikaela Szekely](https://unnamedre.com/episode/25) [podcast] 920 | 921 | [2019: "Writing userspace USB drivers for abandoned devices" by Ben Cox](https://blog.benjojo.co.uk/post/userspace-usb-drivers) [article] 922 | 
[[code](https://github.com/benjojo/userspace-vga2usb/)] 923 | 924 | [2019: "Making Pioneer DDJ-RB USB audio work on Linux"](https://www.youtube.com/watch?v=cUVuTBH51GY) 925 | [[part 2](https://www.youtube.com/watch?v=nevJHGFx0yA)] 926 | 927 | [2017: "Reverse Engineering USB Protocol"](https://github.com/openrazer/openrazer/wiki/Reverse-Engineering-USB-Protocol) [article] 928 | 929 | [2013: "Reverse engineering a Windows USB driver" by Matt Cutts](https://www.mattcutts.com/blog/reverse-engineering-a-windows-usb-driver/) [article] 930 | 931 | [2012: "Hacking the Kinect"](https://learn.adafruit.com/hacking-the-kinect) [articles] 932 | 933 | [2008: "Learning how to reverse engineer a Windows USB driver: the Luxeed LED keyboard" by Kurt Stephens](https://web.archive.org/web/20180729111955/http://www.jespersaur.com/drupal/book/export/html/21) [article] 934 | [[github](https://github.com/kstephens/luxeed)] 935 | 936 | 937 | ### Creating tools 938 | 939 | [2024: "Hydradancer: Faster USB Emulation for Facedancer" by Thiebaud Fuchs](https://blog.quarkslab.com/hydradancer-faster-usb-emulation-for-facedancer.html) [article] 940 | 941 | [2024: "Unlocking secret ThinkPad functionality for emulating USB devices" by Andrey Konovalov](https://xairy.io/articles/thinkpad-xdci) [article] 942 | 943 | [2023: "Facedancer with Antoine"](https://www.youtube.com/watch?v=kjxvIssPN7Y) [video] 944 | 945 | [2019: "Making USB Accessible: Developing Ultra-low-cost, Open USB Tools"](https://greatscottgadgets.com/slides/making-usb-accessible-teardown-2019.pdf) [slides] 946 | [[video](https://greatscottgadgets.com/2019/06-26-making-usb-accessible-teardown-2019/)] 947 | 948 | [2018: "How To Bring HID Attacks To The Next Level" by Luca Bongiorni](https://www.youtube.com/watch?v=ADqMCKtufNY) [video] 949 | 950 | [2017: "FaceDancer 2.0" by Dominic Spill and Kate Temkin](https://dominicspill.com/presentations/2017/Temkin_Spill_FaceDancer2_slides.pdf) [slides] 951 | 
[[video](https://www.youtube.com/watch?v=L3Ug9591Vag)] 952 | 953 | [2016: "GreatFET: Making GoodFET Great Again" by Michael Ossmann](https://www.blackhat.com/docs/us-16/materials/us-16-Ossmann-GreatFET-Making-GoodFET-Great-Again-wp.pdf) [article] 954 | [[video](https://www.youtube.com/watch?v=4NIoAnsuFOQ)] 955 | 956 | [2016: "Forging USB armory" by Andrea Barisani](https://www.blackhat.com/docs/asia-15/materials/asia-15-Barisani-Forging-The-USB-Armory.pdf) [slides] 957 | [[video](https://www.youtube.com/watch?v=MsK2V_iO9Z4)] 958 | 959 | [2016: "USBiquitous: USB intrusion toolkit" by Benoit Camredon](https://www.sstic.org/media/SSTIC2016/SSTIC-actes/usb_toolkit/SSTIC2016-Article-usb_toolkit-camredon.pdf) [article] 960 | 961 | [2014: "USBProxy: Building an Open and Affordable USB Man in the Middle Device" by Dominic Spill](https://github.com/dominicgs/dominicgs.github.io/blob/master/presentations/2014/Spill_USBProxy_ShmooCon_Slides.pdf) [slides] 962 | [[article](https://github.com/dominicgs/dominicgs.github.io/blob/master/presentations/2014/Spill_USBProxy_ShmooCon_paper.pdf)] 963 | [[video](https://www.youtube.com/watch?v=5JnAeakUBnU)] 964 | 965 | [2016: "IRON-HID: Create Your Own Bad USB Device" by Seunghun Han](https://archive.conference.hitb.org/hitbsecconf2016ams/sessions/iron-hid-create-your-own-bad-usb-device/) [paper] 966 | [[github](https://github.com/kkamagui/IRON-HID)] 967 | 968 | [2014: "OpenVizsla OV3" by Felix Domke](https://debugmo.de/tags/openvizsla/) [articles] 969 | 970 | [2013: "Introducing Daisho" by Michael Ossmann and Dominic Spill](https://troopers.de/media/filer_public/ed/13/ed137202-b363-47fc-ad48-4ee14c55b4f4/troopers13-introducing_daisho-monitoring_multiple_communication_technologies_at_the_physical_layer-michael_ossmanndominic_spill.pdf) [slides] 971 | [[video](https://www.youtube.com/watch?v=hhiIHMx198w)] 972 | [[article](https://ossmann.blogspot.com/2013/05/introducing-daisho.html)] 973 | 974 | [2012: "Emulating USB Devices with Python" 
by Travis Goodspeed](https://travisgoodspeed.blogspot.com/2012/07/emulating-usb-devices-with-python.html) [article] 975 | 976 | [2010: "BeagleBoard - USB Sniffer"](https://beagleboard-usbsniffer.blogspot.com/) [articles] 977 | [[docs](https://www.elinux.org/BeagleBoard/GSoC/2010_Projects/USBSniffer)] 978 | 979 | [2010: "Programmable HID USB Keystroke Dongle: Using the Teensy as a pen testing device"](https://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle) [article] 980 | 981 | 982 | ### Other research 983 | 984 | [2024: "iOS: a journey in the USB networking stack" by Florian Le Minoux](https://www.synacktiv.com/publications/ios-a-journey-in-the-usb-networking-stack) [article] 985 | 986 | 987 | ## Misc 988 | 989 | [USB Complete: Everything You Need to Develop USB Peripherals](https://www.goodreads.com/book/show/122692.USB_Complete) [book] 990 | 991 | [Attacks via physical access to USB (DMA...?)](https://security.stackexchange.com/questions/118854/attacks-via-physical-access-to-usb-dma) [stackexchange] 992 | 993 | [Can webcams be turned on without the indicator light?](https://security.stackexchange.com/questions/6758/can-webcams-be-turned-on-without-the-indicator-light) [stackexchange] 994 | 995 | [Turning off the blue status LED on the logitech C920 usb camera?](https://raspberrypi.stackexchange.com/questions/43118/turning-off-the-blue-status-led-on-the-logitech-c920-usb-camera) [stackexchange] 996 | 997 | [USB 3.x SS enumeration](https://electronics.stackexchange.com/questions/297031/usb-3-x-ss-enumeration/297373#297373) [stackexchange] 998 | 999 | [2024: "Adding a USB Port to the ThinkPad X1 Nano (the Hard Way)" by Joshua Stein](https://jcs.org/2024/05/29/x1usb) [article] 1000 | 1001 | [2024: Clearing up misinformation about USB-C](https://x.com/_MG_/status/1797461630437241318) [thread] 1002 | 1003 | [2024: "Making USB devices - end to end guide to your first gadget" by Uros Popovic](https://popovicu.com/posts/making-usb-devices/) 
[article] 1004 | 1005 | [2024: Notes on why USB hubs suck by Michael Ossmann](https://mastodon.social/@mossmann/112514231563904529) [tweet] 1006 | 1007 | [2023: "Getting JTAG on the iPhone 15" by Thomas Roth](https://www.youtube.com/watch?v=D8UGlvBubkA) [video] 1008 | 1009 | [2023: "See the minimum needed for a USB device to list in Device Manager"](https://www.youtube.com/watch?v=VG5bWzEPfsg) [video] 1010 | 1011 | [2022: "Tech Stuff - USB and Firewire"](http://www.zytrax.com/tech/pc/serial.html) [article] 1012 | 1013 | [2022: "All About USB-C: Introduction For Hackers" by Arya Voronova](https://hackaday.com/2022/12/06/usb-c-introduction-for-hackers/) [article] 1014 | 1015 | [2022: "Illegal USB Type-C" by Sergey Korablin](https://brs.im/weird-usb-type-c/) [article] 1016 | 1017 | [2022: "A Chip To Bridge The USB 2 – USB 3 Divide" by Arya Voronova](https://hackaday.com/2022/03/07/a-chip-to-address-the-fundamental-usb-3-0-deficiency/) [article] 1018 | 1019 | [2021: "USB On-The-Go (OTG) Basics"](https://www.cypress.com/file/44851/download) [article] 1020 | 1021 | [2021: "USB-C Cable Colour Codes (alpha)"](https://sa.lj.am/usbccccc/) [article] 1022 | 1023 | [2021: "How does USB device discovery work?" by Ben Eater](https://www.youtube.com/watch?v=N0O5Uwc3C0o) 1024 | 1025 | [2021: "How does a USB keyboard work?" by Ben Eater](https://www.youtube.com/watch?v=wdgULBpRoXk) 1026 | 1027 | [2021: "How does n-key rollover work?" 
by Ben Eater](https://www.youtube.com/watch?v=2lPzTU-3ONI)

[2020: "USB Type-C is Coming: 3 Things You’ve Just Gotta Know"](https://web.archive.org/web/20201020204043/https://www.diodes.com/design/support/technical-articles/pericoms-articles/usb-type-c-is-coming-3-things-youve-just-gotta-know/) [article] [archive]

[2020: "USB3: why it's a bit harder than USB2" by Kate Temkin](https://lab.ktemkin.com/post/why-is-usb3-harder/) [article]

[2020: "USB PHY on FPGA" by Andrew Strokov](https://docs.google.com/viewer?url=https://github.com/glitchcore/usbproxy/releases/download/1/USB.PHY.on.FPGA.pdf) [slides]
[[code](https://github.com/glitchcore/usbproxy)]

[2019: "Now how many USB-C™ to USB-C™ cables are there?" by Benson Leung](https://people.kernel.org/bleung/now-how-many-usb-c-to-usb-c-cables-are-there-usb4-update-september-12) [article]

[2018: "Understanding HID report descriptors"](https://who-t.blogspot.com/2018/12/understanding-hid-report-descriptors.html) [article]

[2016: "Alternate Mode for USB Type-C: Going beyond USB"](http://www.ti.com/lit/wp/slly021/slly021.pdf) [article]

[2016: "Understand USB (in Linux)" by Opasiak Krzysztof](https://elinux.org/images/a/aa/Understand_USB_in_Linux_Opasiak_Krzysztof.pdf) [slides]

[2013: "What is the difference between /dev/ttyUSB and /dev/ttyACM?" by Samuel Tardieu](https://rfc1149.net/blog/2013/03/05/what-is-the-difference-between-devttyusbx-and-devttyacmx/) [article]

[2008: "USB Made Simple: A Series of Articles on USB"](http://www.usbmadesimple.co.uk/index.html) [articles]

--------------------------------------------------------------------------------
/talk/DEMOS.md:
--------------------------------------------------------------------------------
# Demos

Snippets for some of the demos.

## Common setup

``` bash
sudo apt install python3-venv
python3 -m venv p3env
source p3env/bin/activate

pip install wheel

sudo apt-get install python-dev python3-dev
```


## Part 1: USB 101

### Sniffing USB with usbmon

Based on [kernel.org/doc/Documentation/usb/usbmon.txt](https://www.kernel.org/doc/Documentation/usb/usbmon.txt).

``` bash
mount -t debugfs none /sys/kernel/debug/
modprobe usbmon
cat /sys/kernel/debug/usb/usbmon/0u
cat /dev/usbmon0 | xxd
```

### Sniffing USB via usbmon with wireshark

Follow [How to install Wireshak on Linux and capture USB traffic?](https://stackoverflow.com/questions/31054437/how-to-install-wireshak-on-linux-and-capture-usb-traffic).

```
# Wireshark filter to see Control transfers
usb.transfer_type == 2
```

### Sending USB control messages to a hub with USB PPPS support

``` bash
git clone https://github.com/mvp/uhubctl
cd uhubctl
sudo apt-get install libusb-1.0-0-dev
make
```

``` bash
$ cat /etc/udev/rules.d/98-hub.rules
SUBSYSTEM=="usb", ATTR{idVendor}=="05e3", ATTR{idProduct}=="0608", MODE="0664", GROUP="plugdev"
$ sudo udevadm control --reload-rules
# replug hub
```

### Sending USB control messages to a Logitech web camera

Based on [Turning off the blue status LED on the logitech C920 usb camera?](https://raspberrypi.stackexchange.com/questions/43118/turning-off-the-blue-status-led-on-the-logitech-c920-usb-camera).

``` bash
sudo apt-get install uvcdynctrl cheese
cheese &
sudo uvcdynctrl -i /usr/share/uvcdynctrl/data/046d/logitech.xml
sudo uvcdynctrl -s 'LED1 Mode' 0
```

## Part 3: Linux USB subsystem

`ctrl.py`:

``` python
#!/usr/bin/env python3

import binascii

import usb.core
import usb.util

VENDOR_ID = 0x046d
PRODUCT_ID = 0xc077

dev = usb.core.find(idVendor=VENDOR_ID, idProduct=PRODUCT_ID)

if dev is None:
    raise ValueError('Device not found')

def log(write, bRequest, wValue, wIndex, msg, e):
    # For a write, msg is the number of bytes sent; for a read, the data received.
    print('%s, request = 0x%02x, value = 0x%02x, index = 0x%02x' % \
        ('write' if write else 'read', bRequest, wValue, wIndex))
    if msg:
        if write:
            print(' => success: %d' % (msg,))
        else:
            print(' => success: %d' % (len(msg),))
            print(' ', binascii.hexlify(msg))
    if e:
        print(' => %s' % (str(e),))

write = False
# Standard request to the device, direction IN: bmRequestType = 0x80.
bmRequestType = usb.util.CTRL_TYPE_STANDARD | \
    usb.util.CTRL_RECIPIENT_DEVICE | \
    (usb.util.CTRL_OUT if write else usb.util.CTRL_IN)
bRequest = 0x6 # Get Descriptor
wValue = 0x100 # Device Descriptor
wIndex = 0x0
wLength = 18

try:
    msg = dev.ctrl_transfer(bmRequestType=bmRequestType, bRequest=bRequest,
        wValue=wValue, wIndex=wIndex,
        data_or_wLength=wLength)
    log(write, bRequest, wValue, wIndex, msg, None)
except usb.core.USBError as e:
    log(write, bRequest, wValue, wIndex, None, e)
```

``` bash
./ctrl.py
strace ./ctrl.py
```


## Part 4: BadUSB

### Rubber Ducky

``` bash
wget https://github.com/hak5darren/USB-Rubber-Ducky/raw/master/duckencoder.jar
java -jar duckencoder.jar -i payload.txt -o inject.bin
# copy inject.bin to SD card
```

```
DELAY 1000
CTRL-ALT t
DELAY 1000
STRING echo pwned!
ENTER
```

### Bash Bunny

https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/recon/LinuxInfoGrabber

```
...
#RUN UNITY xterm
Q CTRL-ALT t
...
Q STRING export bunnydir=/media/\$USER/BashBunny
Q ENTER
...
Q STRING sync
Q ENTER
Q STRING umount \$bunnydir
Q ENTER
Q STRING exit
Q ENTER
```

https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/phishing/Captiveportal

### ATtiny85 board

Based on [1$ Rubber Ducky – Hack any PC within seconds MR.Robot style using Attiny85](http://www.khromozome.com/rubber-ducky-hack-pc-within-seconds-mr-robot-style-attiny85/).

1. Download and install [Arduino IDE](https://www.arduino.cc/en/Main/Software).
2. Follow [Connecting and Programming Your Digispark](http://digistump.com/wiki/digispark/tutorials/connecting).
3. Don't forget to add the [udev rule](https://github.com/micronucleus/micronucleus/wiki/Ubuntu-Linux).
4. Select Tools -> Programmer -> USBtinyISP.
5. Select Tools -> Board -> Digispark (default).
6. Select File -> Examples -> DigisparkKeyboard -> Keyboard.
7. Upload (plug in the device after you press the Upload button in Arduino IDE).
8. Run.

### CJMCU BadUSB

Based on [bad_ducky/wiki/Getting-Started](https://github.com/mharjac/bad_ducky/wiki/Getting-Started).

Format SD card as FAT32 and put `payload.txt` on it:

```
DELAY 1000
CTRL ALT t
DELAY 1000
STRING echo pwned!
ENTER
```

1. Download and install [Arduino IDE](https://www.arduino.cc/en/Main/Software).
2. Clone [bad_ducky](https://github.com/mharjac/bad_ducky) and open `bad_ducky.ino` in Arduino IDE.
3. Select Tools -> Board -> Arduino Leonardo.
4. Select Tools -> Port -> ttyACM0 (choose the right one).
5. Select Tools -> Programmer -> AVRISP mkII.
6. Upload.
7. Select Tools -> Serial Monitor.
8. Input mode: `a`.
9. Input language: `en`.
10. Input payload: `PAYLOAD.TXT`.
11. Replug the board.

### Cactus WHID

Based on [github.com/whid-injector/WHID](https://github.com/whid-injector/WHID).

1. Plug in Cactus WHID.
2. Connect to WiFi network `Exploit` with password `DotAgency`.
3. Go to http://192.168.1.1/duckuino.
4. Enter payload, convert to ESPloit format and copy.
5. Go to http://192.168.1.1/livepayload.
6. Paste and run payload.

### Teensy 3.2

Based on [Getting started with Teensy](https://spuder.wordpress.com/2010/10/21/getting-started-with-teensy-usb-rubber-ducky/).

1. Download and install [Arduino IDE](https://www.arduino.cc/en/Main/Software).
2. Download and install [Teensyduino](https://www.pjrc.com/teensy/td_download.html).
3. Run Arduino IDE.
4. Select Tools -> Board -> Teensy 3.2 / 3.1.
5. Select Tools -> USB Type -> Keyboard.
6. Select File -> Examples -> Teensy -> USB_Keyboard -> Simple.
7. Upload and run.

Note: LED pin is pin #13 on Teensy 3.2.


## Part 5: Facedancer

### Emulating USB keyboard with Facedancer

``` bash
pip install greatfet pyserial
git clone https://github.com/greatscottgadgets/Facedancer
cd Facedancer
pip install .
```

#### Facedancer21

To flash: https://github.com/travisgoodspeed/goodfet#firmware

``` bash
BACKEND=goodfet ./legacy-applets/facedancer-keyboard-interactive.py
```

#### GreatFET One

``` bash
BACKEND=greatfet ./legacy-applets/facedancer-keyboard-interactive.py
```

### USB reconnaissance

#### Facedancer21

Device driver scanning:

``` bash
git clone https://github.com/nccgroup/umap2.git
cd ./umap2/
pip install .
umap2scan -P fd:/dev/ttyUSB0
```

OS fingerprinting:

``` bash
git clone https://github.com/nccgroup/umap.git
cd ./umap/
python umap.py -P /dev/ttyUSB0 -O
```


## Part 6: Linux USB Gadget subsystem

### Raspberry Pi Zero

#### Setup

``` bash
echo "dtoverlay=dwc2" | sudo tee -a /boot/config.txt
echo "dwc2" | sudo tee -a /etc/modules
sync
reboot
```

#### Emulating mass storage device through `g_mass_storage`

Based on [Raspberry Pi Zero OTG Mode](https://gist.github.com/gbaman/50b6cca61dd1c3f88f41).

``` bash
dd if=/dev/zero of=image.bin bs=512 count=2880
mkdosfs ./image.bin
mkdir mnt
sudo mount ./image.bin ./mnt -o loop
echo hi | sudo tee ./mnt/file
sudo umount ./mnt
sudo modprobe g_mass_storage file=./image.bin stall=0
sudo modprobe -r g_mass_storage
```

#### Emulating keyboard with ConfigFS

Based on [RaspberryPiZero_HID_MultiTool](https://github.com/darrylburke/RaspberryPiZero_HID_MultiTool/blob/master/gadget/hid/mkdevice.sh) and [Linux USB HID gadget driver](https://www.kernel.org/doc/Documentation/usb/gadget_hid.txt).
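The report descriptor that `start.sh` below writes into `functions/hid.usb0/report_desc` is the part of the gadget the host actually parses: it declares the 8-byte boot-keyboard input report (modifier bits, a reserved byte, six keycodes) and the 1-byte LED output report that `report_length` and `hid_gadget_test.c` rely on. The decoder below is an added example, not one of the talk's demo scripts; it walks the short items of that exact descriptor (the 63 bytes from `start.sh`, embedded as a hex string), prints them with collection nesting, and sums Report Size x Report Count per Input/Output item, so a `report_length` that disagrees with the descriptor is caught before the host ever sees the gadget. The item tables follow the HID 1.11 specification; long items are skipped since this descriptor has none.

```python
"""Decode a HID report descriptor (short items) and compute report sizes.

Added example, not part of the talk's demo scripts. The descriptor bytes below
are the ones start.sh writes to functions/hid.usb0/report_desc.
"""

# Item names indexed by bTag, per item type (bType 0 = Main, 1 = Global, 2 = Local).
MAIN = {0x8: "Input", 0x9: "Output", 0xA: "Collection", 0xB: "Feature",
        0xC: "End Collection"}
GLOBAL = {0x0: "Usage Page", 0x1: "Logical Minimum", 0x2: "Logical Maximum",
          0x3: "Physical Minimum", 0x4: "Physical Maximum", 0x5: "Unit Exponent",
          0x6: "Unit", 0x7: "Report Size", 0x8: "Report ID", 0x9: "Report Count",
          0xA: "Push", 0xB: "Pop"}
LOCAL = {0x0: "Usage", 0x1: "Usage Minimum", 0x2: "Usage Maximum",
         0x3: "Designator Index", 0x4: "Designator Minimum",
         0x5: "Designator Maximum", 0x7: "String Index",
         0x8: "String Minimum", 0x9: "String Maximum", 0xA: "Delimiter"}
TYPE_TABLES = {0: ("Main", MAIN), 1: ("Global", GLOBAL), 2: ("Local", LOCAL)}
SIGNED = {"Logical Minimum", "Logical Maximum",
          "Physical Minimum", "Physical Maximum"}

# The 63-byte boot keyboard descriptor from start.sh (same bytes, as hex).
KEYBOARD_REPORT_DESC = bytes.fromhex(
    "05010906a1010507"
    "19e029e715002501"
    "7501950881029501"
    "7508810395057501"
    "0508190129059102"
    "9501750391039506"
    "7508150025650507"
    "190029658100c0")


def parse_items(desc):
    """Return a list of (type_name, item_name, value) for each short item."""
    items = []
    i = 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:            # long item: bDataSize follows, then tag
            i += 3 + desc[i + 1]
            continue
        size = (0, 1, 2, 4)[prefix & 0x3]
        btype = (prefix >> 2) & 0x3
        btag = prefix >> 4
        data = desc[i + 1:i + 1 + size]
        if len(data) != size:
            raise ValueError("truncated item at offset %d" % i)
        if btype not in TYPE_TABLES:
            raise ValueError("reserved item type at offset %d" % i)
        type_name, table = TYPE_TABLES[btype]
        name = table.get(btag, "Reserved(0x%x)" % btag)
        # Logical/physical bounds are signed; everything else is unsigned.
        value = int.from_bytes(data, "little", signed=name in SIGNED)
        items.append((type_name, name, value))
        i += 1 + size
    return items


def main_flags(value):
    """Decode the low data bits of an Input/Output/Feature item."""
    return ",".join(("Const" if value & 1 else "Data",
                     "Var" if value & 2 else "Array",
                     "Rel" if value & 4 else "Abs"))


def report_bits(items):
    """Bits per report direction: sum of Report Size x Report Count at each Main item.

    Report ID and Push/Pop are not tracked; the keyboard descriptor uses neither.
    """
    size = count = 0
    bits = {"Input": 0, "Output": 0, "Feature": 0}
    for _type, name, value in items:
        if name == "Report Size":
            size = value
        elif name == "Report Count":
            count = value
        elif name in bits:
            bits[name] += size * count
    return bits


def describe(desc):
    """Human-readable listing, indented by collection depth."""
    lines, depth = [], 0
    for _type, name, value in parse_items(desc):
        if name == "End Collection":
            depth -= 1
        shown = main_flags(value) if name in ("Input", "Output", "Feature") \
            else "0x%x" % value
        lines.append("  " * depth + "%s (%s)" % (name, shown))
        if name == "Collection":
            depth += 1
    return lines


if __name__ == "__main__":
    print("\n".join(describe(KEYBOARD_REPORT_DESC)))
    print(report_bits(parse_items(KEYBOARD_REPORT_DESC)))
```

Run it against the descriptor and the Input total comes out at 64 bits, i.e. the 8 bytes that `report_length` declares; the Output total is 8 bits, the single LED byte the host sends back when Caps Lock toggles.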

``` bash
./start.sh
ls /dev/hidg0
gcc hid_gadget_test.c -o hid
./hid /dev/hidg0 keyboard
./stop.sh
```

`start.sh`:
``` bash
#!/bin/bash

set -eux

modprobe libcomposite

mkdir -p /sys/kernel/config/usb_gadget/my_gadget
cd /sys/kernel/config/usb_gadget/my_gadget

echo 0x1d6b > idVendor # Linux Foundation
echo 0x0104 > idProduct # Multifunction Composite Gadget
echo 0x0100 > bcdDevice # v1.0.0
echo 0x0200 > bcdUSB # USB2
echo 0xEF > bDeviceClass
echo 0x02 > bDeviceSubClass
echo 0x01 > bDeviceProtocol

mkdir -p strings/0x409
echo "fedcba9876543210" > strings/0x409/serialnumber
echo "wtfwasthat" > strings/0x409/manufacturer
echo "Linux USB Device" > strings/0x409/product
mkdir -p configs/c.1/strings/0x409

echo "Config 1: ECM network" > configs/c.1/strings/0x409/configuration
echo 250 > configs/c.1/MaxPower

mkdir -p functions/hid.usb0
echo 1 > functions/hid.usb0/protocol
echo 1 > functions/hid.usb0/subclass
echo 8 > functions/hid.usb0/report_length
echo -ne "\\x05\\x01\\x09\\x06\\xA1\\x01\\x05\\x07\\x19\\xE0\\x29\\xE7\\x15\
\\x00\\x25\\x01\\x75\\x01\\x95\\x08\\x81\\x02\\x95\\x01\\x75\\x08\\x81\\x03\
\\x95\\x05\\x75\\x01\\x05\\x08\\x19\\x01\\x29\\x05\\x91\\x02\\x95\\x01\\x75\
\\x03\\x91\\x03\\x95\\x06\\x75\\x08\\x15\\x00\\x25\\x65\\x05\\x07\\x19\\x00\
\\x29\\x65\\x81\\x00\\xC0" > functions/hid.usb0/report_desc
ln -s functions/hid.usb0 configs/c.1/

ls /sys/class/udc > UDC
```

`stop.sh`:
``` bash
#!/bin/bash

set -eux

cd /sys/kernel/config/usb_gadget/my_gadget

echo "" > UDC

rmdir configs/c.1/strings/0x409/
rmdir strings/0x409/
rm configs/c.1/hid.usb0
rmdir configs/c.1/
rmdir functions/hid.usb0/
cd ..
rmdir my_gadget/

modprobe -r usb_f_hid
modprobe -r libcomposite
```

#### Emulating a simple device through GadgetFS

Based on [Create your own USB gadget with GadgetFS](http://blog.soutade.fr/post/2016/07/create-your-own-usb-gadget-with-gadgetfs.html).

``` bash
mkdir /dev/gadget
mount -t gadgetfs gadgetfs /dev/gadget
```

Get sources from the article linked above.

Patch `USB_DEV`:

``` c
#define USB_DEV "/dev/gadget/20980000.usb"
```

``` bash
gcc -g -o usb device.c -lpthread
./usb
umount /dev/gadget
modprobe -r gadgetfs
```


## Part 7: USB fuzzing

### Fuzzing USB with Facedancer21

``` bash
mkdir sandbox && cd sandbox/
umap2stages -P fd:/dev/ttyUSB0 -C keyboard -s keyboard.stages
umap2kitty -s keyboard.stages &
umap2fuzz -P fd:/dev/ttyUSB0 -C keyboard
```

### vUSBf

``` bash
sudo apt-get install qemu-system-x86 qemu-kvm qemu-utils
git clone https://github.com/schumilo/vUSBf.git
mkdir workdir
...
```


## Part 8

### Sniffing USB with USBProxy on BeagleBone Black

Get a shell on the BBB following [this](http://blog.tonywall.com/2013/11/beaglebone-black-serial-debug-connection/).

(Note: to boot from micro-SD card hold the button when applying power.)

#### Preimaged

Get the image from [USBProxy releases](https://github.com/dominicgs/USBProxy/releases/) and flash onto an SD card.

Boot BBB, build USBProxy, run `sudo ./usb-mitm -l`.
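Whichever sniffer is used, the Part 1 usbmon demo (`cat /sys/kernel/debug/usb/usbmon/0u`) and the hardware setups in this part record the same thing: a control submission carrying the 8-byte setup packet and a completion carrying the reply. The block below is an added example, not one of the talk's snippets. It parses the usbmon text format documented in the usbmon.txt linked in Part 1, pairs submissions with completions by URB tag, and decodes the 18-byte device descriptor that the `GET_DESCRIPTOR` request in `ctrl.py` returns. The two usbmon lines are constructed to match that request (request 0x06, wValue 0x0100, 18 bytes); the descriptor contents are made up apart from the 046d:c077 ids used in the demos, and the third line is a constructed interrupt submission included to show the non-control status format.

```python
"""Parse usbmon text lines and decode GET_DESCRIPTOR(Device) replies.

Added example, not part of the talk's demo snippets. The sample capture is
constructed; the field layout follows Documentation/usb/usbmon.txt.
"""
import struct

# Constructed sample: one control URB (S + C) and one interrupt submission.
SAMPLE_USBMON = """\
ffff8800b2c4f540 3063172320 S Ci:1:002:0 s 80 06 0100 0000 0012 18 <
ffff8800b2c4f540 3063172810 C Ci:1:002:0 0 18 = 12010002 00000008 6d0477c0 00720102 0001
ffff8800b2c4f780 3063173400 S Ii:1:002:1 -115:8 4 <
"""

GET_DESCRIPTOR = 0x06
DT_DEVICE = 0x01

DEVICE_DESC = struct.Struct("<BBHBBBBHHHBBBB")   # 18 bytes, little-endian
DEVICE_DESC_FIELDS = ("bLength", "bDescriptorType", "bcdUSB", "bDeviceClass",
                      "bDeviceSubClass", "bDeviceProtocol", "bMaxPacketSize0",
                      "idVendor", "idProduct", "bcdDevice", "iManufacturer",
                      "iProduct", "iSerialNumber", "bNumConfigurations")


def parse_usbmon_line(line):
    """Split one usbmon text line into a dict (None for a blank line)."""
    fields = line.split()
    if not fields:
        return None
    tag, timestamp, event, addr = fields[:4]
    xfer, bus, dev, ep = addr.split(":")        # e.g. Ci:1:002:0
    rec = {"tag": tag, "ts": int(timestamp), "event": event,
           "xfer": xfer[0], "dir": "in" if xfer[1] == "i" else "out",
           "bus": int(bus), "dev": int(dev), "ep": int(ep),
           "setup": None, "status": None, "data": b""}
    rest = fields[4:]
    if rest[0] == "s":
        # Control submission with a captured setup packet: five hex words.
        bm, breq, wval, widx, wlen = rest[1:6]
        rec["setup"] = {"bmRequestType": int(bm, 16), "bRequest": int(breq, 16),
                        "wValue": int(wval, 16), "wIndex": int(widx, 16),
                        "wLength": int(wlen, 16)}
        rest = rest[6:]
    else:
        # Status word; interrupt/iso URBs append ":interval" etc. after the status.
        rec["status"] = int(rest[0].split(":")[0])
        rest = rest[1:]
    rec["length"] = int(rest[0])
    if len(rest) > 1 and rest[1] == "=":
        # Data words are a byte stream split into 4-byte groups, big-endian hex.
        rec["data"] = bytes.fromhex("".join(rest[2:]))
    return rec


def decode_device_descriptor(data):
    """Unpack an 18-byte USB device descriptor into a field dict."""
    if len(data) < DEVICE_DESC.size:
        raise ValueError("need %d bytes, got %d" % (DEVICE_DESC.size, len(data)))
    desc = dict(zip(DEVICE_DESC_FIELDS, DEVICE_DESC.unpack_from(data)))
    if desc["bDescriptorType"] != DT_DEVICE:
        raise ValueError("not a device descriptor")
    return desc


def device_descriptors(text):
    """Pair control S/C records by URB tag; decode every device descriptor reply.

    Returns a list of ((bus, device_number), descriptor_dict).
    """
    pending, found = {}, []
    for line in text.splitlines():
        rec = parse_usbmon_line(line)
        if rec is None or rec["xfer"] != "C":
            continue
        if rec["event"] == "S" and rec["setup"]:
            pending[rec["tag"]] = rec["setup"]
        elif rec["event"] == "C" and rec["tag"] in pending:
            setup = pending.pop(rec["tag"])
            is_dev_desc = (setup["bmRequestType"] == 0x80 and
                           setup["bRequest"] == GET_DESCRIPTOR and
                           setup["wValue"] >> 8 == DT_DEVICE)
            if is_dev_desc and rec["status"] == 0 and len(rec["data"]) >= 18:
                found.append(((rec["bus"], rec["dev"]),
                              decode_device_descriptor(rec["data"])))
    return found


if __name__ == "__main__":
    for (bus, dev), desc in device_descriptors(SAMPLE_USBMON):
        print("bus %d dev %03d: %04x:%04x bcdUSB=%04x" %
              (bus, dev, desc["idVendor"], desc["idProduct"], desc["bcdUSB"]))
```

The same pairing logic extends to the configuration descriptor (wValue 0x0200) if the interface classes are needed, which is where a device that enumerates as something other than its label shows up.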


#### Rebuild image

https://beagleboard.org/latest-images

http://gimx.fr/wiki/index.php?title=Bbb_sniffer

https://github.com/dominicgs/USBProxy/tree/master/doc

https://github.com/dominicgs/USBProxy/issues/50

### Sniffing USB with USBProxy 'Nouveau' with GreatFET One

https://github.com/usb-tools/Facedancer.git

``` bash
pip install greatfet pyserial
git clone https://github.com/greatscottgadgets/Facedancer.git
cd Facedancer
pip install .
# BACKEND=greatfet ./legacy-applets/facedancer-keyboard-interactive.py
BACKEND=greatfet ./facedancer-usbproxy.py -v 046d -p c077
```

### Sniffing USB with OpenVizsla

https://github.com/openvizsla/ov_ftdi#getting-started

``` bash
sudo apt-get install libusb-1.0-0-dev
pip3 install crcmod
```

```
diff --git a/software/host/fastftdi.c b/software/host/fastftdi.c
index c2bb6ab..398af7c 100644
--- a/software/host/fastftdi.c
+++ b/software/host/fastftdi.c
@@ -97,7 +97,7 @@ FTDIDevice_Open(FTDIDevice *dev)
       return err;
    }
 
-   libusb_set_option(dev->libusb, LIBUSB_OPTION_LOG_LEVEL, 2);
+   // libusb_set_option(dev->libusb, LIBUSB_OPTION_LOG_LEVEL, 2);
 
    dev->handle = libusb_open_device_with_vid_pid(dev->libusb,
                                                  OV_VENDOR,
```

``` bash
./software/host/ovctl.py sniff ls
```

### Sniffing USB with OpenVizsla and ViewSB

https://github.com/usb-tools/ViewSB

https://github.com/usb-tools/pyopenvizsla

``` bash
git clone https://github.com/usb-tools/pyopenvizsla.git
cd pyopenvizsla
pip install -r ./requirements.txt
pip install .
```

```
diff --git a/libov/fastftdi.c b/libov/fastftdi.c
index c2bb6ab..398af7c 100644
--- a/libov/fastftdi.c
+++ b/libov/fastftdi.c
@@ -97,7 +97,7 @@ FTDIDevice_Open(FTDIDevice *dev)
       return err;
    }
 
-   libusb_set_option(dev->libusb, LIBUSB_OPTION_LOG_LEVEL, 2);
+   // libusb_set_option(dev->libusb, LIBUSB_OPTION_LOG_LEVEL, 2);
 
    dev->handle = libusb_open_device_with_vid_pid(dev->libusb,
                                                  OV_VENDOR,
```

``` bash
git clone https://github.com/usb-tools/ViewSB.git
cd ViewSB
git checkout 04048292ff0b1113b6cc5dbfe5744deaad50c402
pip install -r ./requirements.txt
./viewsb.sh openvizsla --speed=low
```

### Sniffing USB with USBProxy 'Nouveau'

``` bash
./facedancer-usbproxy.py -v 046d -p c077
```
--------------------------------------------------------------------------------
/talk/README.md:
--------------------------------------------------------------------------------
Introduction to USB hacking
===========================

Materials for my "Introduction to USB hacking" talk ([slides](https://docs.google.com/presentation/d/1yeQigRsWQLko3TXNg8zsKT_45aHrcZgYhsKJvFc2yQk/edit?usp=sharing), [video](https://www.youtube.com/watch?v=fZCSmwJQedc)) and a [collection of USB hacking–related links](/).

Snippets for demos shown during the talk are [here](DEMOS.md).

Also see [xairy/dma-attacks](https://github.com/xairy/dma-attacks) for my "Introduction to PCIe and DMA attacks" talk.


## Hardware

Demonstrated during the talk.

[USB Kill](https://usbkill.com/) (90$)

[Rubber Ducky](https://hakshop.com/products/usb-rubber-ducky-deluxe) (45$)

[Bash Bunny](https://hakshop.com/products/bash-bunny) (100$)

[LAN Turtle](https://hakshop.com/products/lan-turtle) (55$)

[Digispark ATtiny85](https://www.aliexpress.com/item/Free-shipping-1pcs-Digispark-kickstarter-development-board-ATTINY85-module-for-Arduino-usb/32697283942.html) (1.3$)

[CJMCU BadUSB](https://www.aliexpress.com/item/CJMCU-virtual-Keyboard-Badusb-USB-TTF-memory-Keyboard-ATMEGA32U4-module/32817551271.html) (10$)

[Cactus WHID](https://www.aliexpress.com/item/Cactus-Micro-compatible-board-plus-WIFI-chip-esp8266-for-atmega32u4/32318391529.html) (16$)

[Cactus Micro Rev2](https://www.aliexpress.com/item/Cactus-Micro-Rev2-Pro-Micro-atmega32u4-WIFI-ESP8266-module-ESP-11-ESP-03/32804236925.html) (35$)

[Teensy 3.2](https://www.pjrc.com/store/teensy32.html) (20$)

[Facedancer21](http://goodfet.sourceforge.net/hardware/facedancer21/) (85$)

[GreatFET One](https://greatscottgadgets.com/greatfet/one/) (110$)

[Raspberry Pi Zero](https://www.raspberrypi.org/products/raspberry-pi-zero/) (5$)

[Raspberry Pi Zero W](https://www.raspberrypi.org/products/raspberry-pi-zero-w/) (10$)

[BeagleBone Black](https://beagleboard.org/black) (70$)

[Nexus 7 2013 (Wi-Fi) tablet](https://en.wikipedia.org/wiki/Nexus_7_(2013)) (150$)

[USB Armory](https://inversepath.com/usbarmory) (150$)

[EC3380-AB](http://www.bplus.com.tw/Adapter/EC3380-AB.html) (180$)

[OpenVizsla](http://openvizsla.org/) (140$)

[AirDrive Keylogger Max](http://www.keelog.com/hardware-keylogger/) (100$)

[Maltronics WiFi KeyLogger Internal](https://maltronics.com/products/wifi-keylogger-internal) (45$)


## Agenda

### Part 1: USB 101

* Follow [USB 101](http://www.cypress.com/file/134171/download)

#### Demos

1. Looking at syslog (`dmesg`) when a new USB device is connected.
2. Checking connected devices and their descriptors with `lsusb`.
3. Sniffing and decoding USB packets with a logic analyzer.
4. Sniffing USB via usbmon with Wireshark.

### Part 2: USB attack surface

* Device -> host: electrical, firmware, kernel, logical
* Host -> device: firmware, Android, iOS
* Host -> device -> host: original BadUSB
* Remote: USB/IP, WebUSB, USBAnywhere

### Part 3: Linux USB subsystem

* Linux USB stack
* USB sysfs, usbfs
* libusb, pyusb

### Part 4: BadUSB

* BadUSB: consumer-ready vs self-designed
* BadUSB: microcontroller-based vs Facedancer vs Linux-based

#### Demos

Consumer-ready:

1. Rubber Ducky.
2. Bash Bunny.
3. LAN Turtle.

Microcontroller-based:

1. Teensy 3.2.
2. ATtiny85 board.
3. CJMCU BadUSB.
4. Cactus WHID.

### Part 5: Facedancer

* Facedancer software overview
* Facedancer21 and GreatFET One

#### Demos

1. Emulating a USB keyboard with Facedancer.
2. USB reconnaissance with Facedancer.

### Part 6: Linux USB Gadget subsystem

* Linux USB Gadget subsystem
* Legacy Gadget Modules
* USB Gadget ConfigFS
* GadgetFS
* Raw Gadget

#### Demos

1. Emulating a mass storage drive through `g_mass_storage.ko` on Raspberry Pi Zero.
2. Emulating a keyboard with ConfigFS on Raspberry Pi Zero.
3. Emulating a keyboard through GadgetFS on Raspberry Pi Zero.
4. Emulating a keyboard through Raw Gadget on Raspberry Pi Zero.
5. Emulating a keyboard from an Android device.

### Part 7: USB fuzzing

* Fuzzing, hardware vs virtual
* vUSBf, QEMU and usbredir
* syzkaller, Raw Gadget and `dummy_hcd.ko`

#### Demos

1. Fuzzing USB with Facedancer.
2. Fuzzing USB with vUSBf.
3. Fuzzing USB with syzkaller.
4. Crashing a Linux machine via a bug in a USB driver.
5. Crashing a Windows machine via a bug in a USB driver.

### Part 8: USB sniffing

* Hardware vs software sniffers
* "Low-level" vs "high-level" sniffers
* Beagle analyzers
* USBProxy, USBProxy 'Nouveau'
* OpenVizsla
* Hardware keyloggers (AirDrive, Maltronics)

#### Demos

0. Sniffing with usbmon already demoed in part 1.
1. Sniffing with a logic analyzer already demoed in part 1.
2. Sniffing USB with USBProxy on BeagleBone Black.
3. Sniffing USB with USBProxy 'Nouveau' with Facedancer.
4. Sniffing USB with OpenVizsla.
5. Sniffing a keyboard via AirDrive Keylogger.
--------------------------------------------------------------------------------
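As an added example (not part of the talk materials), a small decoder for the usbmon text format behind demo 0 and Part 1's usbmon/Wireshark demo, written from the kernel's Documentation/usb/usbmon.rst: it pairs submissions with callbacks by URB tag, names standard control requests such as GET_DESCRIPTOR (including a host fetching a HID report descriptor), and pulls idVendor/idProduct out of a returned device descriptor, so a capture shows what a freshly plugged device actually negotiated with the host. The sample trace and the descriptor bytes for the 046d:c077 device from DEMOS.md are constructed, not recorded.

```python
REQUESTS = {0x05: "SET_ADDRESS", 0x06: "GET_DESCRIPTOR", 0x09: "SET_CONFIGURATION"}  # USB 2.0 table 9-4
DESC_TYPES = {1: "DEVICE", 2: "CONFIGURATION", 3: "STRING", 0x22: "HID_REPORT"}      # USB 2.0 table 9-5

def parse_line(line: str) -> dict:
    """Parse one usbmon text line (see Documentation/usb/usbmon.rst); isochronous words not handled."""
    w = line.split()  # tag, timestamp, event kind, address word (e.g. Ci:1:003:0), status/setup, ...
    ev = {"tag": w[0], "kind": w[2], "addr": w[3], "setup": None, "data": b""}
    has_setup = not w[4].lstrip("-").split(":")[0].isdigit()  # non-numeric status word = setup tag
    if has_setup and w[4] == "s":                 # 's': the five setup words were captured
        ev["setup"] = tuple(int(x, 16) for x in w[5:10])
    i = 10 if has_setup else 5                    # index of the data-length word
    ev["length"] = int(w[i])
    if len(w) > i + 1 and w[i + 1] == "=":        # '=' means the data words follow
        ev["data"] = bytes.fromhex("".join(w[i + 2:]))
    return ev

def describe_setup(setup: tuple) -> str:
    bm, breq, wval, widx, wlen = setup
    standard = not bm & 0x60                      # bmRequestType bits 5-6 clear = standard request
    name = REQUESTS.get(breq, f"bRequest=0x{breq:02x}") if standard else f"class/vendor 0x{breq:02x}"
    if standard and breq == 0x06:                 # GET_DESCRIPTOR: type in wValue high byte, index low
        name += f"({DESC_TYPES.get(wval >> 8, hex(wval >> 8))}, idx={wval & 0xff})"
    return f"{'IN' if bm & 0x80 else 'OUT'} {name} wIndex=0x{widx:04x} wLength={wlen}"

def device_descriptor_ids(data: bytes):           # (idVendor, idProduct) of a device descriptor, else None
    if len(data) >= 12 and data[0] == 0x12 and data[1] == 0x01:
        return int.from_bytes(data[8:10], "little"), int.from_bytes(data[10:12], "little")

def summarize(text: str) -> list:                 # one line per completed URB, S/C paired by tag
    pending, out = {}, []
    for ev in map(parse_line, text.splitlines()):
        if ev["kind"] == "S":
            pending[ev["tag"]] = ev
            continue
        sub = pending.pop(ev["tag"], None)
        line = f"{ev['addr']}: {ev['length']} bytes"
        if sub and sub["setup"]:
            line += " <- " + describe_setup(sub["setup"])
        ids = device_descriptor_ids(ev["data"])
        if ids:
            line += f" (idVendor={ids[0]:04x} idProduct={ids[1]:04x})"
        out.append(line)
    return out

# Constructed trace: host reads the device descriptor of a 046d:c077, then requests its HID report descriptor.
SAMPLE = """\
ffff9d6a0c0b4c00 3003161721 S Ci:1:003:0 s 80 06 0100 0000 0012 18 <
ffff9d6a0c0b4c00 3003162005 C Ci:1:003:0 0 18 = 12010002 00000008 6d0477c0 00720102 0001
ffff9d6a0c0b4c00 3003162300 S Ci:1:003:0 s 81 06 2200 0000 0043 67 <
"""
```

Feed it the text from `/sys/kernel/debug/usb/usbmon/0u` (or a saved copy) to see, per URB, which descriptors a new device handed over; the last sample URB has no callback yet and so stays pending.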