USBArmyKnife is a tool designed to test the security of USB devices. It combines several functions that let you quickly identify weaknesses and protect your systems against threats that arrive over USB. In this article you will learn how USBArmyKnife can help in testing the security of USB devices, its main features, and how to configure and use it for pentesting and vulnerability detection.
Disclaimer: This article is for informational purposes only. All information presented in the material is based on open sources and is not intended for use for illegal or unethical purposes.
This device is compact and versatile, offering a wide range of features such as USB HID attacks, drive emulation, network device emulation, and Wi-Fi/Bluetooth exploits (based on ESP32 Marauder).
Controlling the launch of payloads can be done in a variety of ways: connect and run immediately, delayed launch via Wi-Fi, a timer, or through a custom-built user interface. Thanks to the Bootstrap web interface, managing and deploying attacks is easy, even with a phone.
Additionally, an agent can be deployed to execute commands even on locked systems. The agent communicates over the serial interface, which is hard to detect, and the victim's screen can be viewed over the device's own dedicated Wi-Fi connection.
USB Army Knife is a powerful tool to extend your local access toolkit.
Today there is a problem with physical access/USB attacks: by itself, no single attack achieves most objectives.
USB keyboard attacks (Ducky, HID&Run) require a logged-in session, and even the best tools cannot get around that.
Network attacks (PoisonTap, etc.) can get the password hash, but it often takes something complicated hanging off the Ethernet port, which then has to be retrieved, to crack it offline.
Once you get to the box, what options remain for stealing data when everything that opens a socket is sent off to VT (VirusTotal)?
What was needed was a physical access platform that lets the attacker take the best parts of each attack and use one to solve the shortcomings of another. Ideally, this platform would be so cheap and unobtrusive that losing it would not be a problem.
Want to capture PCAP on the USB Ethernet adapter interface and send it out over Wi-Fi? USB Army Knife.
Want to wrap your attacks in your own UI, or just show the Hollywood UI when your attack works? USB Army Knife.
Want a hidden drive? USB Army Knife.
Want to deauthenticate all the Wi-Fi clients, PCAP the re-authentications, and email the capture to yourself for offline cracking when the machine is left unlocked? USB Army Knife.
Want your attack to self-destruct when found? USB Army Knife.
Want to connect to other hardware, motion sensors, etc.? USB Army Knife.
Want to see what's on your victim's screen over Wi-Fi? USB Army Knife.
This video shows how it works.
This video shows how USB PCAP works and includes a brief peek at the web interface.
This video shows the process of gaining access to the victim’s machine after successfully installing the agent.
This project allows for a variety of attacks over USB, Wi-Fi and Bluetooth, with the ability to hide the device. Attacks include sending commands via BadUSB (USB HID using DuckyScript), emulating mass storage devices and USB network devices, and attacking Wi-Fi and Bluetooth using the ESP32 Marauder. Attacks are written in the DuckyScript language, extended with additional custom commands and the full capability set of the ESP32 Marauder.
Attacks include:
USB HID Attacks: send custom HID commands with DuckyScript; supports BadUSB, USB HID and launcher-style attacks.
Storage Device: emulate a USB stick.
Network USB Device: presents itself to the host as a USB network adapter.
Wi-Fi and Bluetooth Attacks: use the ESP32 Marauder for Wi-Fi and Bluetooth attacks.
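From the defender's side, the profile described above (a HID keyboard that shows up on the same physical device as a mass-storage or USB network interface) is unusual for legitimate peripherals and can be flagged on a host. The script below is an added example and not part of the USBArmyKnife project; it uses the standard USB bInterfaceClass codes (03 HID, 08 mass storage, 02/0a CDC, e0 wireless/RNDIS), reads them from Linux sysfs under /sys/bus/usb/devices, and ships with a few constructed sample records (not captured from a real device) so it can be exercised without hardware.

```shell
#!/bin/sh
# Added example (not part of USBArmyKnife): flag USB devices that combine a HID
# interface with a mass-storage or network interface on one physical device.
# bInterfaceClass codes: 03 = HID, 08 = mass storage, 02 = CDC control,
# 0a = CDC data, e0 = wireless controller (used by RNDIS and Bluetooth dongles).
set -eu

# is_suspicious_combo CLASSES
# CLASSES is a space-separated list of lower-case hex interface class codes.
# Returns 0 (true) when a HID interface coexists with storage or network.
is_suspicious_combo() {
    has_hid=0; has_storage=0; has_net=0
    for c in $1; do
        case "$c" in
            03)       has_hid=1 ;;
            08)       has_storage=1 ;;
            02|0a|e0) has_net=1 ;;
        esac
    done
    if [ "$has_hid" = 1 ] && { [ "$has_storage" = 1 ] || [ "$has_net" = 1 ]; }; then
        return 0
    fi
    return 1
}

# device_classes SYSFS_DEVICE_DIR
# Collect bInterfaceClass of every interface node belonging to one device, e.g.
# /sys/bus/usb/devices/1-3 -> /sys/bus/usb/devices/1-3:1.0/bInterfaceClass ...
device_classes() {
    for iface in "$1":*; do
        [ -r "$iface/bInterfaceClass" ] && tr 'A-Z' 'a-z' < "$iface/bInterfaceClass"
    done | tr '\n' ' ' | sed 's/ $//'
}

# scan_sysfs: walk the live USB bus (Linux only) and print one line per flagged device
scan_sysfs() {
    for dev in /sys/bus/usb/devices/[0-9]*-[0-9]*; do
        case "$dev" in *:*) continue ;; esac       # interface nodes, not devices
        [ -r "$dev/idVendor" ] || continue
        classes=$(device_classes "$dev")
        if is_suspicious_combo "$classes"; then
            printf 'FLAG %s vid=%s pid=%s product="%s" classes=[%s]\n' \
                "$(basename "$dev")" "$(cat "$dev/idVendor")" "$(cat "$dev/idProduct")" \
                "$(cat "$dev/product" 2>/dev/null || echo '?')" "$classes"
        fi
    done
}

# Constructed sample records (not from a real device): name|interface classes
SAMPLES='plain_keyboard|03
flash_drive|08
usb_ethernet|02 0a
composite_hid_storage_net|03 08 02 0a'

# check_samples: print the names of the constructed records that get flagged
check_samples() {
    printf '%s\n' "$SAMPLES" | while IFS='|' read -r name classes; do
        if is_suspicious_combo "$classes"; then printf '%s\n' "$name"; fi
    done
}

case "${1:-}" in
    scan) scan_sysfs ;;      # sh usb_composite_check.sh scan  (on a Linux host)
    *)    check_samples ;;   # no argument: run against the constructed samples
esac
```

Run it with the `scan` argument on a Linux host to inspect the real bus, or without arguments to see that only the constructed composite record is flagged. Class e0 also covers ordinary Bluetooth dongles, so a hit is a prompt for inspection (vendor/product IDs, when the device appeared, which user was logged in), not proof of an attack; a udev rule or endpoint agent can invoke the same check on every USB add event.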
The LilyGo T-Dongle S3 is an ESP32-S3-based development board in the form factor of a USB flash drive. It has a colour LCD screen, a physical button, a hidden microSD card slot (built into the USB-A connector) and an SPI interface. The device has 16 MB of flash memory. Thanks to the ESP32-S3 chipset, the T-Dongle S3 can act as a Wi-Fi access point and supports a range of Wi-Fi and Bluetooth attacks. The board is extremely affordable. There are two versions of the device, with and without a screen, but only the version with a screen has been tested.
This device is similar in design, size and features to the LilyGo T-Dongle S3 and uses the same chipset. It is clearly a developer board, as it does not come with a case and has exposed circuitry on the underside. Where this device beats the T-Dongle S3 is its very large, high-quality screen and 8 MB of additional RAM.
Equipment:
A supported device, ideally a LilyGo T-Dongle S3 with a screen.
For a device with an SD card slot, you will need a FAT32-formatted micro SD card. (For larger cards, use a single partition of at most 32 GB.)
USB Army Knife may have difficulty with large SD cards or newer file systems. For maximum compatibility, use a FAT32 partition of 32 GB or less. If you need to partition your SD card, you can follow the instructions on partitioning an SD card in Windows in this article.
Note: on first launch, if the device cannot find an SD card with a supported file system, it will prompt you to format it. However, the file system it creates may not be compatible with Windows. It is therefore recommended to format the SD card through the device itself to avoid problems.
1. Clone the repository:
git clone https://github.com/i-am-shodan/USBArmyKnife.git
2. Now that you have cloned the repo, you need to initialise the submodules. Run this command in the directory you just cloned; if you skip it, you will get ESP32Marauder-related build errors:
git submodule update --init
3. Open the project in Visual Studio Code
4. Optional: add any additional keyboard layouts you need by editing the platformio.ini file.
5. Click the PlatformIO icon (alien icon)
6. (Remove the SD card if inserted.) Press and hold the hardware button, insert the device, wait one second and release the button. You should now see a new COM port/serial device connected to your machine.
7. In the menu, expand the device to be flashed.
For T-Dongle S3, you should expand “LILYGO-T-Dongle-S3”
For Generic ESP32-S2 you should expand “Generic-ESP32-S2”
After selecting a device, it may take a few seconds for the build menu to populate
8. Click "Upload".
9. Only if your device does NOT have an SD card:
Edit the flash file system files; they are stored in the "data" directory.
Expand the Platform folder in the build menu from the previous step.
Click "Upload Filesystem Image".
10. After a successful upload, remove the dongle and insert the micro SD card, if you have one.
If you want to upgrade an existing installation, you need to:
Use git pull to get the latest changes to this repository
Run git submodule update --recursive to make sure all submodules are updated.
Click "Full Clean" in the PlatformIO build menu. At this point all your code and dependencies are up to date and you can continue with the build steps above.
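The clone, build, flash and upgrade steps above can also be driven from the PlatformIO CLI instead of the VS Code menu. The script below is an added example, not a script from the USBArmyKnife repository; it assumes the PlatformIO environment is named LILYGO-T-Dongle-S3 (the label shown in the build menu; override with ENV_NAME for another board) and that `pio` is on PATH. The `upload`, `uploadfs` and `fullclean` targets correspond to the Upload, Upload Filesystem Image and Full Clean menu entries. Set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not part of USBArmyKnife): build/flash/upgrade via the PlatformIO CLI.
# ENV_NAME is assumed from the build-menu label on the page; DRY_RUN=1 only prints.
set -eu

REPO_URL="https://github.com/i-am-shodan/USBArmyKnife.git"
ENV_NAME="${ENV_NAME:-LILYGO-T-Dongle-S3}"   # assumed PlatformIO environment id
DRY_RUN="${DRY_RUN:-0}"

# run_cmd: echo the command in dry-run mode, otherwise execute it
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fetch_sources: steps 1-2, clone and initialise submodules (ESP32Marauder lives there)
fetch_sources() {
    run_cmd git clone "$REPO_URL" USBArmyKnife
    run_cmd git -C USBArmyKnife submodule update --init --recursive
}

# build_and_flash [nosd]: steps 7-9 via CLI; hold the hardware button while inserting
# the device first so it enumerates as a serial port. Pass "nosd" for boards without
# an SD card so the flash file system image from the data/ directory is uploaded too.
build_and_flash() {
    run_cmd pio run -d USBArmyKnife -e "$ENV_NAME" -t upload
    if [ "${1:-}" = "nosd" ]; then
        run_cmd pio run -d USBArmyKnife -e "$ENV_NAME" -t uploadfs
    fi
}

# upgrade: the "existing installation" steps, pull + refresh submodules + full clean
upgrade() {
    run_cmd git -C USBArmyKnife pull
    run_cmd git -C USBArmyKnife submodule update --init --recursive
    run_cmd pio run -d USBArmyKnife -e "$ENV_NAME" -t fullclean
}

case "${1:-}" in
    install) fetch_sources; build_and_flash "${2:-}" ;;
    upgrade) upgrade;       build_and_flash "${2:-}" ;;
    *) ;;   # no argument: only define the functions (file can be sourced)
esac
```

Usage: `sh usbak_build.sh install` for a fresh build, `sh usbak_build.sh install nosd` for a board without an SD card, and `sh usbak_build.sh upgrade` after pulling new changes. After flashing, remove the dongle and insert the micro SD card as in step 10.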
Connect the USB key to the computer.
Connect to the device's Wi-Fi hotspot (SSID iPhone14) using the password 'password'.
Open the web interface (http://4.3.2.1:8080) in your browser.
Make sure the web interface is loaded correctly. You should see the current status and uptime. If not, refresh the page.
Use the web interface to create and manage attacks with DuckyScript.
ESP32-S2-based devices support Wi-Fi but do not have a web interface; on them, attacks are managed through DuckyScript files.
There is no reason why the USB Army Knife cannot operate in USB host mode. This is the same mode a computer works in, so the USB Army Knife could issue commands as if it were a computer. Since most smartphones support PTP (Picture Transfer Protocol), in theory you could connect the USB Army Knife (with a USB adapter) to your phone and take pictures.
Espressif has documentation on USB host mode as well as sample code, but no example for the PTP protocol. You can capture your phone's PTP traffic with USBPcap; there is even a Wireshark dissector for it.