WHID Injector: How to Bring HID Attacks to the Next Level
1.5.2017 securityaffairs Hacking

Luca Bongiorni was working on a cheap and dedicated hardware that he could remotely control (i.e. over WiFi or BLE), that is how WHID was born.
Since the first public appearance of HID Attacks (i.e. PHUKD, Kautilya, Rubberducky), many awesome researches and results have been published [i.e. Iron HID, Mousejack and the coolest USaBUSe].

Due this increased amount of nifty software, as Pentester and Red-Teamer, I wanted a cheap and dedicated hardware that I could remotely control (i.e. over WiFi or BLE). And this is how WHID was born.

Since the inception of my first HID injecting devices (based on Teensy boards, see photo below), I always faced the need to decide when to deliver a certain payload. This was partially achieved by using Irongeek’s photoresistor and dip-switch tricks [1].

WHID

However, I soon realized that would be cool the full remote control over a radio channel. At the beginning, years ago, I was thinking to use some cheap 433 MHz TRX modules connected to the Teensy board… sadly due to lack of time and other cool projects… this idea was dropped into my awesome pen testing-tools to-do-list. 😋

What is WHID Injector?

At this point, you are wondering what is behind WHID Injector and what are its capabilities. 😎

WHID stands for WiFi HID injector. It is a cheap but reliable piece of hardware designed to fulfill Red-Teamers & Pentesters needs related to HID Attacks, during their engagements.

The core of the WiFi HID injector is mainly an Atmega 32u4 (commonly used in many Arduino boards) and an ESP-12s (which provides the WiFi capabilities and is commonly used in IoT projects).

WHID

WHID’s Software

When I started to think about a remotely controlled HID injector and thus adding an ESP chipset to an Arduino-like board, I soon figured out that already exists some hardware that could fulfill my need: AprBrother’s Cactus Micro Rev2 (which was at EOL L).

Nonetheless, I started to read ESP specs and think how to create a simple PoC sketch that would let me upload remotely malicious payloads through the WiFi AP. And here it is [2] (I would like to thanks Corey from http://www.LegacySecurityGroup.com for his initial experiments).

Afterwards with a working software on my hands, I wanted to improve the EOL Cactus Micro rev2 hardware (considering that is also compatible with USaBUSe [3]).

Overall, this is how my simple GUI looks (I know it looks awful, but works! 😁):

WHID

Third-Party Software Supported

USaBUSe – Github Repo
This awesome tool has been created by @RoganDawes from @SensePost.

It is more than a simple remote HID injector! It permits to bypass air-gapped environments and have a side-channel C&C communication over WHID’s ESP wifi!

o Further links:

Defcon 24 Video
Defcon 24 Slides
https://sensepost.com/blog/2016/universal-serial-abuse/
USaBUSe Video PoC
Cyberkryption’s Tutorial
WiFi Ducky – Github Repo
This is a nice project developed by @spacehuhn and it brings even further my simplistic WHID’s software, by adding cool features like: realtime injection, ESP fw OTA update, etc.

WiDucky – Github Repo
An older-but-cool project, which has the pro feature to use the ESP’s wifi as C&C communication channel. It also has its own Android app for remote control.

Some Video Tutorials

I will leave here a couple of videos about WHID Injector’s installation and capabilities.

WHID Attack Simulation against Windows 10 Enterprise

Wifi Ducky on WHID device (WINDOWS)

How To Install WHID Injector Software on WINDOWS

How To Install WHID Injector Software on OSX

Possible Applications

Classic – Remote Keystrokes Injection Over WiFi
Deploy WHID on Victim’s machine and remotely control it by accessing its WiFi AP SSID. (eventually, you can also setup WHID to connect to an existing WiFi network)

Social Engineering – Deploy WHID inside an USB-enable gadget
The main idea behind it, is to test for Social Engineering weaknesses within your target organization (e.g. DLP policy violations) and to bypass physical access restrictions to the victim’s PC.

Usually, I create a fancy brochure (sample template https://github.com/whid-injector/WHID/tree/master/tools/Social_Engineering_Lures ) attached with a weaponized USB gadget and then use a common delivery carrier (e.g. UPS, DHL, FedEx).

WHID

Conclusion

As you noticed from the 3rd Party Softwares above, WHID has a lot of potential. Not only to play the usual role of HID injector but also to bypass Air-Gapped environments.

If you would like to play with it… AprBrother opened the pre-orders here

https://blog.aprbrother.com/product/cactus-whid

So far, beta testers already provided very precious feedbacks to improve the final version of WHID. I’d like to thank @RoganDawes for suggesting to add the Hall Sensor as reset switch!

http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle
https://github.com/whid-injector/WHID/tree/master/sketches/cactus_micro_rev2
https://github.com/sensepost/USaBUSe