Sunday, September 13, 2015

Building a DarkDuino Tool

This tool is what can be referred to as a “Force Multiplier”. It is not itself an exploit. Nor does it take advantage of any security flaw which is likely to go away. In fact, it is really just a programmable keyboard. Computers trust keyboards, so by default computers trust the DarkDuino tool. The only security lapse needed is for someone to walk away, leaving their system unlocked for a minute.


I constructed my version from the Arduino “Micro” microcontroller, but any microcontroller that supports HID emulation will work as well. I chose this one because of its small profile and relatively large EEPROM memory. The board can be expanded to read and write files on an SD or SDHC card. The board comes with a USB Micro female connector, which is used both to program the board and to connect it to the target system.

My version uses two “buttons” to select which command to run. When button #1 (pin 2) is brought to GND, the tool launches a Windows PowerShell based attack. When the second button (pin 12) is brought to GND, the tool adds a cron job for the current user via crontab -e on a *nix system.
It also has the advantage of being able to emulate the mouse as well as the keyboard, so if you need to integrate clicking on something into your attack, you can.
The actual attack is a script which loads the native Arduino Keyboard library and then waits for a button press. Once a button is pressed, it types the associated commands, in order, into the target machine. An example attack script may look like:

/*
  Press a button to write some text to the target PC.
  See the official Arduino Keyboard reference and the HID Project
  documentation for more info:
  https://github.com/NicoHood/HID/wiki/Keyboard-API
*/

#include <Keyboard.h>   // native Arduino Keyboard library (USB HID emulation)

const int pinLed = LED_BUILTIN;
const int pinButton = 2;   // button #1: pressing it pulls pin 2 to GND

void setup() {
  pinMode(pinLed, OUTPUT);
  pinMode(pinButton, INPUT_PULLUP);   // pin reads LOW while the button is held

  // Starts Serial debug output
  Serial.begin(115200);

  // Sends a clean report to the host. This is important on any Arduino type.
  Keyboard.begin();
}

void loop() {
  if (!digitalRead(pinButton)) {   // LOW = button pressed
    digitalWrite(pinLed, HIGH);

    // Win+R opens the Windows Run dialog
    Keyboard.press(KEY_LEFT_GUI);
    Keyboard.press('r');
    delay(100);
    Keyboard.releaseAll();

    // println() types the text and follows it with Enter, launching Notepad
    Keyboard.println(F("notepad.exe"));
    Keyboard.press(KEY_TAB);
    Keyboard.releaseAll();
    Keyboard.press(KEY_RETURN);
    Keyboard.releaseAll();

    // give Notepad time to open before typing into it
    delay(500);
    Keyboard.println(F("This message was typed with an Arduino."));

    // simple debounce
    delay(300);
    digitalWrite(pinLed, LOW);
  }
}

This simple example shows how you can open Notepad using the built-in Windows hotkey Win+R (the Windows key is identified in the script as KEY_LEFT_GUI). You could run virtually any program from this dialog, including Cmd.exe, Powershell.exe, Python.exe, InternetExplorer.exe, etc.

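A defender's counterpart to the keyboard trust described above, added here and not part of the original post: because Keyboard.println() types its whole string with no pause between keys, the keystrokes arrive far faster and more evenly than a person can type. The script below (Python, not Arduino) flags such bursts in a captured key-event stream; the event format and the 30 ms gap and 8-key thresholds are assumptions, and the sample events are constructed.

```python
"""Flag keystroke bursts too fast and too regular for a human typist: a
programmable keyboard types its payload with almost no pause between keys.
Added host-side example; event format and thresholds are assumptions."""
from collections import namedtuple
from dataclasses import dataclass
from statistics import pstdev

MAX_GAP_S = 0.030  # assumed: gaps under 30 ms are faster than human typing
MIN_KEYS = 8       # assumed: ignore short runs (key repeat, two-key chords)

KeyEvent = namedtuple("KeyEvent", "t key")  # t: seconds; key: the character


@dataclass
class Burst:
    start: int        # index of the first event in the burst
    end: int          # index of the last event in the burst
    mean_gap: float   # seconds between keys
    gap_stdev: float  # near zero for machine-paced typing
    text: str         # what the burst typed, for triage


def find_injection_bursts(events):
    """One Burst per run of MIN_KEYS+ keys whose every gap is <= MAX_GAP_S."""
    bursts, start = [], 0
    for i in range(1, len(events) + 1):
        # a run ends when the next gap is human-sized or the stream ends
        if i == len(events) or events[i].t - events[i - 1].t > MAX_GAP_S:
            if i - start >= MIN_KEYS:
                gaps = [events[k].t - events[k - 1].t for k in range(start + 1, i)]
                bursts.append(Burst(start, i - 1, sum(gaps) / len(gaps), pstdev(gaps),
                                    "".join(e.key for e in events[start:i])))
            start = i
    return bursts


def make_stream(text, t0, gap):
    """Constructed events: text typed at a fixed gap, like Keyboard.println()."""
    return [KeyEvent(t0 + n * gap, ch) for n, ch in enumerate(text)]


# constructed sample: a person typing, then the post's Run-dialog payload
HUMAN = [KeyEvent(t, k) for t, k in zip(
    [0.00, 0.14, 0.31, 0.39, 0.62, 0.70, 0.91, 1.05, 1.30, 1.44], "hello worl")]
INJECTED = make_stream("notepad.exe\n", 5.0, 0.004)

if __name__ == "__main__":
    for b in find_injection_bursts(HUMAN + INJECTED):
        print(f"events {b.start}-{b.end}: {b.mean_gap * 1000:.1f} ms/key, "
              f"stdev {b.gap_stdev * 1000:.2f} ms, typed {b.text!r}")
```

The human keystrokes never form a run, while the injected "notepad.exe" plus Enter is reported as one burst with a near-zero timing spread.
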
A Side Note on Purpose-Built Hardware
If you would rather buy a ready-made version, there is a tool from a company called Hak5, named the “USB Rubber Ducky”, which serves the same purpose. To my knowledge it does not also emulate the mouse, but that wouldn't be a problem in 90% of cases. The Rubber Ducky uses its own custom language, called Ducky Script, for its payload modules. There are already a bunch of open source payloads written for the USB Rubber Ducky, so you don't have to create one from scratch.

There is also a web-based tool to help translate Ducky Script into Arduino's HID library (https://github.com/dreilly369/Duckuino). Currently this tool is not foolproof; I have had to tweak some of the keyboard outputs to get my tests to compile and upload. Still, it saves a lot of typing and is worth looking into if you decide to build your own version and want to take advantage of the existing payloads (again, from Hak5 and its great community).

This is only the start for Arduino hacking. There are numerous ideas on the Internet for ways to use an Arduino-style microcontroller for security auditing. It is worth becoming familiar with the different vectors it offers.
