USB Army Knife: The Ultimate Close Access Penetest Tool

USB Army Knife: The Ultimate Close Access Penetest Tool

mhLeave a comment

Loading

USB Army Knife, a powerful tool designed to meet a wide range of red teaming needs. Whether you want to transform into a USB Ethernet adapter and capture network traffic, create custom user interface for your attacks, or use covert storage devices, the USB Army Knife has you covered.

What is USB Army Knife?

The USB Army Knife developed by @therealshodan is a multi-functional firmware that combines several attack vectors into one compact tool with color LCD screen display. Depending on the device it is running, it can support USB HID attacks that allow over Wi-Fi keystroke injection, mass storage emulation, network device impersonation, a USB Ethernet adapter, capture screen by deploying VNC server and view them via web interface, disconnect users from WiFi networks including other WiFi and Bluetooth offensive functionality thanks to its integration with the ESP32 Marauder. This makes it an indispensable asset for penetration testers looking to exploit physical access vulnerabilities.

Since we are mobile hackers, this tool provides a lot of handy features for smartphone users because once plugged in targeted machine and on the same WiFi network, we can control it using mobile device. On top of that, if we plug in using OTG adapter to smartphone, we can simply use Marauder features without any device modifications, such as creating custom rogue access point. Some of its features are demonstrated in the video below.

Supported Devices

  • LilyGo T-Dongle S3 (Recommended): This USB pen drive-shaped ESP32-S3 development board features a color LCD screen, physical button, hidden micro SD card adapter, and SPI adapter. It has 16MB of flash and supports a range of WiFi and Bluetooth attacks.
  • Waveshare ESP32-S3 1.47inch: Similar in design to the LilyGo T-Dongle S3, this device boasts a large high-quality screen and 8MB of additional RAM.
  • M5Stack AtomS3U: An ESP32-S3 development board with two external interfaces at the rear, an LED, and a button. It uses flash memory to store files and includes a digital microphone and IR LED.
  • ESP32 Udisk: The most basic device that can run USB Army Knife code, featuring an ESP32-S2 chip connected to a USB port. It lacks RAM, a screen, SD card, Bluetooth, LEDs, and a good hardware button.
  • ESP32 Key: Similar to the ESP32 Udisk, this is an ESP32-S2 on a circuit board. It is the cheapest device that can run USB Army Knife.
  • Waveshare-RP2040-GEEK: A development board with USB-A, a 1.14-inch LCD screen, an SD card, and external ports (SWD, UART, and I2C). It does not run the ESP32 chipset and has limited support for USB Army Knife features.

All of these devices can be purchased on AliExpress, Amazon (UK and US), and eBay.

Key Features

  • Covert Storage: Masquerade as two different USB mass storage devices. Initially, the device displays the full contents of the micro SD card. On subsequent connections, it appears as a different ‘benign’ drive.
  • HID: Can inject keystrokes by executing Rubber Ducky scripts over WiFi.
  • Marauder: It is a WiFi and Bluetooth analysis tool designed for capturing and analyzing wireless traffic. It offers capabilities such as frame capture, device enumeration, and frame transmission, making it a portable alternative to larger traffic capturing tools.
  • USB Ethernet PCAP: Transform the device into a USB network adapter to capture a PCAP of the initial network traffic.
  • VNC: Deploy the agent, which includes a tiny VNC server, allowing you to view the screen via the web interface.
  • Web Interface: A simple UI that allows a convenient control of USB Army Knife over WiFi to select scripts/images and execute them using.
  • Stream Microphone Audio Over WiFi: Use the M5Stack AtomS3U’s microphone to stream audio over WiFi.
  • Crash Linux Boxes: Deploy a malicious filesystem that causes Linux machines with automount enabled to panic.
  • EvilAP: Creates a fake Wi-Fi network set up by attackers to mimic a legitimate one, tricking users into connecting so they can steal sensitive information.
  • Self destruct: This example demonstrates how to use the LILYGO T Dongle S3’s QWIIC port for motion detection. When motion is detected nearby, the SELF_DESTRUCT() function is triggered. In our case, this function displays a graphic and resets the device, but you can customize it to suit your needs.
  • Evil USB CDROM/NIC: Pretend to be a USB NICs which requires a driver from a CDROM device that appears when you plug the NIC in.

Some of devices that support USB Army Knife firmware, such as LilyGo, have LCD screen that can be helpful for penetration testers used as decoy to take attention from its real intentions such as keystroke injection, and focus on animations or displayed text. On top of that, once plugged, it can display various text to falsely suggest its true purpose such as Bitcoin wallet, cryptocurrency miner, multi-factor authentication device or 5G internet module.

Figure 1. Custom image displayed on the screen

Bitcoin miner?

There are already a individuals selling the LilyGo as Bitcoin miner for $25. Most likely it isn’t a malicious, however this device is not able to mine Bitcoin or any other cryptocurrency by itself.

Figure 2. LilyGo being promoted as Bitcoin miner

Promotion videos from the same company have millions views on Instagram, however, we have to consider they could be from paid advertisement not only from organic reach. How much Bitcoin can be mined is never mentioned or answered in comment section, they always suggest to move the conversation into direct messages. Make sure not to fall for this scam.

Figure 3. Promotion videos of Bitcoin miner on Instagram

Installation

One of the standout features of the USB Army Knife is its ease of installation, particularly through the web browser. This method simplifies the flashing process, making it accessible even for those with minimal technical expertise.

Figure 4. Flashing over web browser

The whole installation process is described here.

Command Execution and Scripting

The USB Army Knife offers a robust command execution feature, allowing users to run a variety of commands on the target machine over HID or on itself such as Rubber Ducky scripts, Marauder and control the display and led light. The complete list of commands is available on the GitHub.

Prevention

Spotting HID attacks can be tricky because these devices look like regular flash drives, and the harmful keystrokes they send might not be obvious. However, you can take some steps to help notice and stop these attacks:

  1. Avoid Unknown USB Devices: Never plug in USB drives from unknown or untrusted sources. This includes USB drives found in public places or received from unverified individuals.
  2. Use Security Software: In case when USB Army Knife behaves as storage and first drops a malicious payload before execution, up-to-date antivirus software should detect and remove it.
  3. Employ Physical Security Measures: Physically secure USB ports and devices to prevent unauthorized access.
  4. Educate Users: Conduct regular training sessions to educate users about the risks of bad USB attacks and the importance of following security protocols.

Conclusion

The USB Army Knife is a cool looking multi-functional toolkit for penetration testers and red teamers for exploiting physical access vulnerabilities. With its extensive features, robust agent capabilities, and easy installation process, it’s a must-have in your cybersecurity arsenal.

Leave a Reply

Your email address will not be published. Required fields are marked *