WHID Ninja – The wireless rubber ducky


Recently, an equivalent of the famous Rubber Ducky was released, but this one embeds a WiFi module (ESP8266). This module can be used to upload, modify and execute payloads on the fly.
Its name is WHID Ninja. The device is composed of two modules. The first is an ATMega32u4 board which can emulate a keyboard or any other HID device. The second is an ESP8266 board which provides WiFi connectivity and manages the payloads.

These two modules communicate with each other over a serial link. They really are two separate modules: for example, the WiFi module will not mount a wireless interface on the target machine.

Before using the device, it is necessary to flash both modules. Because the ATMega32u4 and ESP8266 are two different boards inside the product, we cannot flash both at the same time. It is not possible to connect directly to the ESP8266 board to flash it, so the ATMega32u4 board must first be turned into an ESP programmer.

Flashing

Flash stage 1 : Flash the ATMega32u4 to become an ESP programmer.

Open a new sketch in Arduino IDE and insert this code :

// Serial pass-through: the ATMega32u4 relays bytes between the USB serial
// port (Serial) and the ESP8266 wired to its hardware UART (Serial1).
int program_pin = 12;   // ESP8266 GPIO0 : LOW at reset = bootloader mode
int enable_pin = 13;    // ESP8266 EN/CH_PD : HIGH = chip enabled

void setup()
{
  // Both sides must run at the upload speed used in stages 2 and 3 (115200).
  Serial1.begin(115200);
  Serial.begin(115200);
  pinMode(enable_pin, OUTPUT);
  pinMode(program_pin, OUTPUT);
  digitalWrite(program_pin, LOW);   // hold GPIO0 low so the ESP boots into flash mode
  digitalWrite(enable_pin, HIGH);   // enable the ESP8266

  Serial.println("ESP8266 programmer ready.");
}

void loop()
{
  // ESP8266 -> USB host
  while(Serial1.available())
  {
    Serial.write((uint8_t)Serial1.read());
  }

  // USB host (flasher tool) -> ESP8266
  if(Serial.available())
  {
    while(Serial.available())
    {
      Serial1.write((uint8_t)Serial.read());
    }
  }
}

Make sure your WHID Ninja is connected to a USB port, and select these options :

  • Board : LilyPad Arduino USB
  • Programmer : AVRISP mkII

Now you can compile and upload the sketch to the board.
Once finished, the ATMega32u4 can be used as an ESP programmer for the next step.

Flash stage 2 : Compile the ESP binary firmware.

Download the sketch located at this URL : https://github.com/spacehuhn/wifi_ducky/tree/master/esp8266_wifi_duck
In the file 'esp8266_wifi_duck.ino' you can modify the ESSID and PASSWORD of the access point that will be created.

Before compiling the sketch, set these options :

  • Board : Generic ESP8266 Module
  • Flash Mode : DIO
  • Flash Size : 4M (3M SPIFFS)
  • Flash Frequency : 40MHz
  • CPU Frequency : 80MHz
  • Upload Speed : 115200
  • Programmer : AVRISP mkII

Now you can compile the sketch without uploading it.
Once compiled, go to 'Sketch' > 'Export compiled Binary'. That will create a '.bin' file in the same folder as your sketch.

Flash stage 3 : Flash the ESP.

Open 'ESP8266Flasher.exe' (LINK).
In the 'Config' tab, click on the gear and select the previously compiled binary. Make sure the checkbox in front of the line is checked. Set the Offset to '0x00000'.

In the 'Advanced' tab, use these options :

  • Baudrate : 115200
  • Flash size : 4MByte
  • Flash speed : 40MHz
  • SPI Mode : DIO

Once ready, go to the 'Operation' tab and click on the 'Flash' button.
Flashing takes approximately 30 seconds.

Flash stage 4 : Flash the ATMega32u4.

Download the sketch located at this URL : https://github.com/spacehuhn/wifi_ducky/tree/master/arduino_wifi_duck

Before compiling the sketch, set these options :

  • Board : LilyPad Arduino USB
  • Programmer : AVRISP mkII

Now you can compile and upload the sketch to the board.
From this point the ATMega32u4 is no longer an ESP programmer; its new role is to emulate a keyboard.

Usage

Connect the WHID Ninja to a USB port of the target machine. The WiFi access point (named in the previous steps) appears. Connect a smartphone or a PC to this access point, set your IP address to 192.168.4.2 and navigate to http://192.168.4.1

The main page, listing the payloads, is displayed.

This version is compatible with the payloads of the Hak5 Rubber Ducky, but with some gaps. For example, commands such as 'CTRL-ESCAPE', 'CTRL-SHIFT', 'CTRL-ALT', 'ESCAPE', ... must be added to be fully compatible. To do that, just add the necessary lines to the file 'arduino_wifi_duck.ino'.

Another idea is to add commands like 'MOUSEMOVE X Y' and 'MOUSECLICK (LEFT|RIGHT|MIDDLE)'. This is not difficult: include the 'Mouse' library and add some code.

Live script execution is useful to quickly test a payload without uploading it.
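The host-side counterpart to a device like this is keystroke-timing analysis: an injector types a whole payload at machine speed, far faster than any human. The following is an added example (not code from the original post or from the wifi_ducky project) that flags such bursts over constructed key-down timestamps; the window size and interval threshold are assumptions.

```python
# Added example: flag runs of key-down events whose inter-key timing is far
# below human typing speed, the classic host-side mitigation for HID injectors.
from dataclasses import dataclass
from typing import List


@dataclass
class Alert:
    start_ms: float          # timestamp of the first key in the suspicious burst
    keys: int                # number of key-down events in the burst
    mean_interval_ms: float  # mean time between consecutive keys in the burst


def find_injection_bursts(timestamps_ms: List[float], window: int = 12,
                          max_mean_interval_ms: float = 30.0) -> List[Alert]:
    """Return one Alert per run of at least `window` consecutive key-downs whose
    mean inter-key interval is below `max_mean_interval_ms`.
    Thresholds are assumptions: a fast touch typist still averages >= 60 ms."""
    ts = sorted(timestamps_ms)
    alerts: List[Alert] = []
    i = 0
    while i + window <= len(ts):
        mean = (ts[i + window - 1] - ts[i]) / (window - 1)
        if mean < max_mean_interval_ms:
            # Extend the burst while the next interval is still machine-fast.
            j = i + window
            while j < len(ts) and ts[j] - ts[j - 1] < max_mean_interval_ms:
                j += 1
            alerts.append(Alert(ts[i], j - i, (ts[j - 1] - ts[i]) / (j - i - 1)))
            i = j
        else:
            i += 1
    return alerts


# Constructed sample: a human types 11 keys at ~150 ms per key, an injector then
# types a 30-character payload at 8 ms per key, and the human resumes afterwards.
HUMAN_1 = [i * 150.0 for i in range(11)]           # 0 .. 1500 ms
INJECTED = [2000.0 + i * 8.0 for i in range(30)]   # 2000 .. 2232 ms
HUMAN_2 = [4000.0 + i * 180.0 for i in range(8)]
SAMPLE = HUMAN_1 + INJECTED + HUMAN_2

if __name__ == "__main__":
    for a in find_injection_bursts(SAMPLE):
        print(f"possible injection at {a.start_ms:.0f} ms: "
              f"{a.keys} keys, {a.mean_interval_ms:.1f} ms/key")
```

On a real host the timestamps would come from the input layer (for example evdev key events on Linux); a matching response is to lock the session or detach the device when a burst is found.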

Conclusion

The WHID Ninja has several advantages over the Hak5 Rubber Ducky :

  • its price (12$)
  • it is not necessary to stay near the target machine during the process
  • payload management
