Pierluigi Paganini May 01, 2017

Luca Bongiorni was working on a cheap and dedicated hardware that he could remotely control (i.e. over WiFi or BLE), that is how WHID was born.

Since the first public appearance of HID Attacks (i.e.  PHUKD, Kautilya, Rubberducky), many awesome researches and results have been published [i.e. Iron HID, Mousejack and the coolest USaBUSe].

Due this increased amount of nifty software, as Pentester and Red-Teamer, I wanted a cheap and dedicated hardware that I could remotely control (i.e. over WiFi or BLE). And this is how WHID was born.

Since the inception of my first HID injecting devices (based on Teensy boards, see photo below), I always faced the need to decide when to deliver a certain payload. This was partially achieved by using Irongeek’s photoresistor and dip-switch tricks [1].

However, I soon realized that would be cool the full remote control over a radio channel. At the beginning, years ago, I was thinking to use some cheap 433 MHz TRX modules connected to the Teensy board… sadly due to lack of time and other cool projects… this idea was dropped into my awesome pen testing-tools to-do-list. ?

What is WHID Injector?

At this point, you are wondering what is behind WHID Injector and what are its capabilities. ?

WHID stands for WiFi HID injector. It is a cheap but reliable piece of hardware designed to fulfill Red-Teamers & Pentesters needs related to HID Attacks, during their engagements.

The core of the WiFi HID injector is mainly an Atmega 32u4 (commonly used in many Arduino boards) and an ESP-12s (which provides the WiFi capabilities and is commonly used in IoT projects).

WHID’s Software

When I started to think about a remotely controlled HID injector and thus adding an ESP chipset to an Arduino-like board, I soon figured out that already exists some hardware that could fulfill my need: AprBrother’s Cactus Micro Rev2 (which was at EOL L).

Nonetheless, I started to read ESP specs and think how to create a simple PoC sketch that would let me upload remotely malicious payloads through the WiFi AP. And here it is [2] (I would like to thanks Corey from http://www.LegacySecurityGroup.com for his initial experiments).

Afterwards with a working software on my hands, I wanted to improve the EOL Cactus Micro rev2 hardware (considering that is also compatible with USaBUSe [3]).

Overall, this is how my simple GUI looks  (I know it looks awful, but works! ?):

Third-Party  Software Supported

• USaBUSe – Github Repo

This awesome tool has been created by @RoganDawes from @SensePost.

It is more than a simple remote HID injector! It permits to bypass air-gapped environments and have a side-channel C&C communication over WHID’s ESP wifi!

o   Further links:

• Defcon 24 Video
• Defcon 24 Slides
• https://sensepost.com/blog/2016/universal-serial-abuse/
• USaBUSe Video PoC
• Cyberkryption’s Tutorial

• WiFi Ducky – Github Repo

This is a nice project developed by @spacehuhn and it brings even further my simplistic WHID’s software, by adding cool features like: realtime injection, ESP fw OTA update, etc.

• WiDucky – Github Repo

An older-but-cool project, which has the pro feature to use the ESP’s wifi as C&C communication channel. It also has its own Android app for remote control.

Some Video Tutorials

I will leave here a couple of videos about WHID Injector’s installation and capabilities.

WHID Attack Simulation against Windows 10 Enterprise

Wifi Ducky on WHID device (WINDOWS)

How To Install WHID Injector Software on WINDOWS 

How To Install WHID Injector Software on OSX   

Possible Applications

• Classic – Remote Keystrokes Injection Over WiFi

Deploy WHID on Victim’s machine and remotely control it by accessing its WiFi AP SSID. (eventually, you can also setup WHID to connect to an existing WiFi network)

• Social Engineering – Deploy WHID inside an USB-enable gadget

The main idea behind it, is to test for Social Engineering weaknesses within your target organization (e.g. DLP policy violations) and to bypass physical access restrictions to the victim’s PC.

Usually, I create a fancy brochure (sample template https://github.com/whid-injector/WHID/tree/master/tools/Social_Engineering_Lures ) attached with a weaponized USB gadget and then use a common delivery carrier (e.g. UPS, DHL, FedEx).

Conclusion

As you noticed from the 3^rd Party Softwares above, WHID has a lot of potential. Not only to play the usual role of HID injector but also to bypass Air-Gapped environments.

If you would like to play with it… AprBrother opened the pre-orders here

 https://blog.aprbrother.com/product/cactus-whid

So far, beta testers already provided very precious feedbacks to improve the final version of WHID. I’d like to thank @RoganDawes for suggesting to add the Hall Sensor as reset switch!

1. http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle
2. https://github.com/whid-injector/WHID/tree/master/sketches/cactus_micro_rev2
3. https://github.com/sensepost/USaBUSe

Stay tuned!

More Video PoCs are coming about USaBUSe and a Weaponized USB FAN and Mouse!

About the author: Luca Bongiorni

Senior Offensive Security Expert actively involved in IT Security, where his main fields of research are: Radio Networks, Reverse Engineering, Hardware Hacking, Internet of Things and Physical Security.

Broad international experience both as (under) graduate (Italy, Czech Republic, Luxembourg) and as Security Professional (Lithuania, Austria, Sweden, Italy).

[adrotate banner=”9″]

Edited by Pierluigi Paganini

(Security Affairs – hacking)

[adrotate banner=”13″]